DIRMNGR(8)                   GNU Privacy Guard 2.4                  DIRMNGR(8)

NAME
       dirmngr - GnuPG's network access daemon

SYNOPSIS
       dirmngr [options] command [args]

DESCRIPTION
       Since version 2.1 of GnuPG, dirmngr takes care of accessing the OpenPGP
       keyservers.  As with previous versions it is also used as a server for
       managing and downloading certificate revocation lists (CRLs) for X.509
       certificates, downloading X.509 certificates, and providing access to
       OCSP providers.  Dirmngr is invoked internally by gpg, gpgsm, or via
       the gpg-connect-agent tool.

COMMANDS
       Commands are not distinguished from options except for the fact that
       only one command is allowed.

       --version
              Print the program version and licensing information.  Note that
              you cannot abbreviate this command.

       --help, -h
              Print a usage message summarizing the most useful command-line
              options.  Note that you cannot abbreviate this command.

       --dump-options
              Print a list of all available options and commands.  Note that
              you cannot abbreviate this command.

       --server
              Run in server mode and wait for commands on stdin.  The default
              mode is to create a socket and listen for commands there.  This
              is only used for testing.

       --daemon
              Run in background daemon mode and listen for commands on a
              socket.  This is the way dirmngr is started on demand by the
              other GnuPG components.  To force starting dirmngr it is in
              general best to use gpgconf --launch dirmngr.

       --supervised
              Run in the foreground, sending logs to stderr, and listening on
              file descriptor 3, which must already be bound to a listening
              socket.  This option is deprecated and not supported on Windows.

       --list-crls
              List the contents of the CRL cache on stdout.  This is probably
              only useful for debugging purposes.

       --load-crl file
              This command requires a filename as additional argument, and it
              will make Dirmngr try to import the CRL in file into its cache.
              Note that this is only possible if Dirmngr is able to retrieve
              the CA's certificate directly by its own means.  In general it
              is better to use gpgsm's --call-dirmngr loadcrl filename command
              so that gpgsm can help dirmngr.

       --fetch-crl url
              This command requires a URL as additional argument, and it will
              make dirmngr try to retrieve and import the CRL from that url
              into its cache.  This is mainly useful for debugging purposes.
              The dirmngr-client provides the same feature for a running
              dirmngr.

       --shutdown
              This command shuts down a running instance of Dirmngr.  This
              command has currently no effect.

       --flush
              This command removes all CRLs from Dirmngr's cache.  Client
              requests will thus trigger reading of fresh CRLs.

OPTIONS
       Note that all long options with the exception of --options and
       --homedir may also be given in the configuration file after stripping
       off the two leading dashes.

       --options file
              Reads configuration from file instead of from the default per-
              user configuration file.  The default configuration file is
              named ‘dirmngr.conf’ and expected in the home directory.

       --homedir dir
              Set the name of the home directory to dir.  This option is only
              effective when used on the command line.  The default is the
              directory named ‘.gnupg’ directly below the home directory of
              the user unless the environment variable GNUPGHOME has been set,
              in which case its value will be used.  Many kinds of data are
              stored within this directory.

       -v
       --verbose
              Outputs additional information while running.  You can increase
              the verbosity by giving several verbose commands to dirmngr,
              such as -vv.

       --log-file file
              Append all logging output to file.  This is very helpful in
              seeing what the agent actually does.  Use ‘socket://’ to log to
              a socket.

       --compatibility-flags flags
              Set compatibility flags to work around certain problems or to
              emulate bugs.  The flags are given as a comma separated list of
              flag names and are OR-ed together.  The special flag "none"
              clears the list and allows starting over with an empty list.
              To get a list of available flags the sole word "help" can be
              used.

       --debug-level level
              Select the debug level for investigating problems.  level may
              be a numeric value or one of the following keywords:

              none   No debugging at all.  A value of less than 1 may be used
                     instead of the keyword.

              basic  Some basic debug messages.  A value between 1 and 2 may
                     be used instead of the keyword.

              advanced
                     More verbose debug messages.  A value between 3 and 5 may
                     be used instead of the keyword.

              expert Even more detailed messages.  A value between 6 and 8 may
                     be used instead of the keyword.

              guru   All of the debug messages you can get.  A value greater
                     than 8 may be used instead of the keyword.  The creation
                     of hash tracing files is only enabled if the keyword is
                     used.

              How these messages are mapped to the actual debugging flags is
              not specified and may change with newer releases of this
              program.  They are however carefully selected to best aid in
              debugging.

       --debug flags
              Set debug flags.  All flags are OR-ed and flags may be given in
              C syntax (e.g. 0x0042) or as a comma separated list of flag
              names.  To get a list of all supported flags the single word
              "help" can be used.  This option is only useful for debugging
              and the behavior may change at any time without notice.

       --debug-all
              Same as --debug=0xffffffff.

       --tls-debug level
              Enable debugging of the TLS layer at level.  The details of the
              debug level depend on the used TLS library and are not set in
              stone.

       --debug-wait n
              When running in server mode, wait n seconds before entering the
              actual processing loop and print the pid.  This gives time to
              attach a debugger.

       --disable-check-own-socket
              On some platforms dirmngr is able to detect the removal of its
              socket file and shut itself down.  This option disables this
              self-test for debugging purposes.

       -s
       --sh
       -c
       --csh  Format the info output in daemon mode for use with the standard
              Bourne shell or the C shell, respectively.  The default is to
              guess it based on the environment variable SHELL, which is in
              almost all cases sufficient.

       --force
              Enabling this option forces loading of expired CRLs; this is
              only useful for debugging.

       --use-tor
       --no-use-tor
              The option --use-tor switches Dirmngr and thus GnuPG into ``Tor
              mode'' to route all network access via Tor (an anonymity
              network).  Certain other features are disabled in this mode.
              The effect of --use-tor cannot be overridden by any other
              command or even by reloading dirmngr.  The use of --no-use-tor
              disables the use of Tor.  The default is to use Tor if it is
              available on startup or after reloading dirmngr.  The test on
              the availability of Tor is done by trying to connect to a SOCKS
              proxy at either port 9050 or 9150; if another type of proxy is
              listening on one of these ports, you should use --no-use-tor.

       --standard-resolver
              This option forces the use of the system's standard DNS resolver
              code.  This is mainly used for debugging.  Note that on Windows
              a standard resolver is not used and all DNS access will return
              the error ``Not Implemented'' if this option is used.  Using
              this together with enabled Tor mode returns the error ``Not
              Enabled''.

       --recursive-resolver
              When possible use a recursive resolver instead of a stub
              resolver.

       --resolver-timeout n
              Set the timeout for the DNS resolver to n seconds.  The default
              is 30 seconds.

       --connect-timeout n
       --connect-quick-timeout n
              Set the timeout for HTTP and generic TCP connection attempts to
              n seconds.  The value set with the quick variant is used when
              the --quick option has been given to certain Assuan commands.
              The quick value is capped at the value of the regular connect
              timeout.  The default values are 15 and 2 seconds.  Note that
              the timeout values are for each connection attempt; the
              connection code will attempt to connect to all addresses listed
              for a server.

       --listen-backlog n
              Set the size of the queue for pending connections.  The default
              is 64.

       --allow-version-check
              Allow Dirmngr to connect to https://versions.gnupg.org to get
              the list of current software versions.  If this option is
              enabled the list is retrieved in case the local copy does not
              exist or is older than 5 to 7 days.  See the option
              --query-swdb of the command gpgconf for more details.  Note
              that regardless of this option a version check can always be
              triggered using this command:

                gpg-connect-agent --dirmngr 'loadswdb --force' /bye

       --keyserver name
              Use name as your keyserver.  This is the server that gpg
              communicates with to receive keys, send keys, and search for
              keys.  The format of the name is a URI:
              `scheme:[//]keyservername[:port]'.  The scheme is the type of
              keyserver: "hkp" for the HTTP (or compatible) keyservers or
              "ldap" for the LDAP keyservers.  Note that your particular
              installation of GnuPG may have other keyserver types available
              as well.  Keyserver schemes are case-insensitive.  After the
              keyserver name, optional keyserver configuration options may be
              provided.  These are the same as the --keyserver-options of gpg,
              but apply only to this particular keyserver.

              Some keyservers synchronize with each other, so there is not
              always a need to send keys to more than one server.  Some
              keyservers use round robin DNS to give a different keyserver
              each time you use it.

              If exactly two keyservers are configured and only one is a Tor
              hidden service (.onion), Dirmngr selects the keyserver to use
              depending on whether Tor is locally running or not.  The check
              for a running Tor is done for each new connection.

              If no keyserver is explicitly configured, dirmngr will use the
              built-in default of https://keyserver.ubuntu.com.

              Windows users with a keyserver running on their Active Directory
              may use the short form ldap:/// for name to access this
              directory.

              For accessing anonymous LDAP keyservers name is in general just
              an ldaps://ldap.example.com.  A BaseDN parameter should never be
              specified.  If authentication is required things are more
              complicated and two methods are available:

              The modern method (since version 2.2.28) is to use the very same
              syntax as used with the option --ldapserver.  Please see over
              there for details; here is an example:

                keyserver ldap:ldap.example.com::uid=USERNAME,ou=GnuPG Users,
                dc=example,dc=com:PASSWORD::starttls

              The other method is to use a full URL for name; for example:

                keyserver ldaps://ldap.example.com/????bindname=uid=USERNAME
                %2Cou=GnuPG%20Users%2Cdc=example%2Cdc=com,password=PASSWORD

              Put this all on one line without any spaces and keep the '%2C'
              as given.  Replace USERNAME, PASSWORD, and the 'dc' parts
              according to the instructions received from your LDAP
              administrator.  Note that only simple authentication (i.e.
              cleartext passwords) is supported and thus using ldaps is
              strongly suggested (since 2.2.28 "ldaps" defaults to port 389
              and uses STARTTLS).  On Windows authentication via AD can be
              requested by adding gpgNtds=1 after the fourth question mark
              instead of the bindname and password parameter.

       --nameserver ipaddr
              In ``Tor mode'' Dirmngr uses a public resolver via Tor to
              resolve DNS names.  If the default public resolver, which is
              8.8.8.8, shall not be used a different one can be given using
              this option.  Note that a numerical IP address must be given
              (IPv6 or IPv4) and that no error checking is done for ipaddr.

       --disable-ipv4
       --disable-ipv6
              Disable the use of all IPv4 or IPv6 addresses.

       --disable-ldap
              Entirely disables the use of LDAP.

       --disable-http
              Entirely disables the use of HTTP.

       --ignore-http-dp
              When looking for the location of a CRL, the certificate to be
              tested usually contains so-called CRL Distribution Point (DP)
              entries which are URLs describing the way to access the CRL.
              The first found DP entry is used.  With this option all entries
              using the HTTP scheme are ignored when looking for a suitable
              DP.

       --ignore-ldap-dp
              This is similar to --ignore-http-dp but ignores entries using
              the LDAP scheme.  Both options may be combined resulting in
              ignoring DPs entirely.

       --ignore-ocsp-service-url
              Ignore all OCSP URLs contained in the certificate.  The effect
              is to force the use of the default responder.

       --honor-http-proxy
              If the environment variable ‘http_proxy’ has been set, use its
              value to access HTTP servers.

       --http-proxy host[:port]
              Use host and port to access HTTP servers.  The use of this
              option overrides the environment variable ‘http_proxy’
              regardless of whether --honor-http-proxy has been set.

       --ldap-proxy host[:port]
              Use host and port to connect to LDAP servers.  If port is
              omitted, port 389 (standard LDAP port) is used.  This overrides
              any specified host and port part in an LDAP URL and will also
              be used if host and port have been omitted from the URL.

       --only-ldap-proxy
              Never use anything else but the LDAP "proxy" as configured with
              --ldap-proxy.  Usually dirmngr tries to use other configured
              LDAP servers if the connection using the "proxy" failed.

       --ldapserverlist-file file
              Read the list of LDAP servers to consult for CRLs and X.509
              certificates from file instead of the default per-user LDAP
              server list file.  The default value for file is
              ‘dirmngr_ldapservers.conf’.

              This server list file contains one LDAP server per line in the
              format

              hostname:port:username:password:base_dn:flags

              Lines starting with a ‘#’ are comments.

              Note that as usual all strings entered are expected to be UTF-8
              encoded.  Obviously this will lead to problems if the password
              has originally been encoded as Latin-1.  There is no other
              solution here than to put such a password in the binary
              encoding into the file (i.e. non-ASCII characters won't show up
              readable).  (The gpgconf tool might be helpful for frontends as
              it enables editing this configuration file using percent-
              escaped strings.)

       --ldapserver spec
              This is an alternative way to specify LDAP servers for CRL and
              X.509 certificate retrieval.  If this option is used the servers
              configured in ‘dirmngr_ldapservers.conf’ (or the file given by
              --ldapserverlist-file) are cleared.  Note that
              ‘dirmngr_ldapservers.conf’ is not read again by a reload
              signal.  However, --ldapserver options are read again.

              spec is either a proper LDAP URL or a colon delimited list of
              the form

              hostname:port:username:password:base_dn:flags:

              with an optional prefix of ldap: (but without the two slashes
              which would turn this into a proper LDAP URL).  flags is a list
              of one or more comma delimited keywords:

              plain  The default: Do not use a TLS secured connection at all;
                     the default port is 389.

              starttls
                     Use STARTTLS to secure the connection; the default port
                     is 389.

              ldaptls
                     Tunnel LDAP through a TLS connection; the default port is
                     636.

              ntds   On Windows authenticate the LDAP connection using the
                     Active Directory with the current user.

              areconly
                     On Windows use only the A or AAAA record when resolving
                     the LDAP server name.

              Note that in a URL-style specification the scheme ldaps://
              refers to STARTTLS and _not_ to LDAP-over-TLS.
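
       The colon-delimited spec above (the same syntax --keyserver accepts
       for authenticated LDAP keyservers), the six-field
       dirmngr_ldapservers.conf line format, and the URL form with its
       ldaps://-means-STARTTLS rule, as a parser written in Python.  This is
       an added example, not GnuPG code; the server list it contains is
       constructed, and the bindname/password query parameters of the
       --keyserver URL form are left out.

```python
"""Parser for dirmngr LDAP server specs (added example, not GnuPG code):
[ldap:]hostname:port:username:password:base_dn:flags[:] as used by
--ldapserver, dirmngr_ldapservers.conf and the modern --keyserver syntax,
plus the URL form, where per dirmngr(8) ldaps:// means STARTTLS, not
LDAP-over-TLS.
"""
from dataclasses import dataclass
from urllib.parse import unquote, urlsplit

KNOWN_FLAGS = {"plain", "starttls", "ldaptls", "ntds", "areconly"}
DEFAULT_PORTS = {"plain": 389, "starttls": 389, "ldaptls": 636}


def transport_of(flags) -> str:
    """The transport keyword that governs the connection (ldaptls wins)."""
    for name in ("ldaptls", "starttls"):
        if name in flags:
            return name
    return "plain"


@dataclass(frozen=True)
class LdapServer:
    host: str
    port: int
    user: str = ""
    password: str = ""
    base_dn: str = ""
    flags: frozenset = frozenset({"plain"})


def parse_flags(text: str) -> frozenset:
    """Split the comma-delimited flag list; an empty list means 'plain'."""
    flags = {f.strip().lower() for f in text.split(",") if f.strip()}
    unknown = flags - KNOWN_FLAGS
    if unknown:
        raise ValueError(f"unknown LDAP flag(s): {sorted(unknown)}")
    return frozenset(flags or {"plain"})


def parse_ldapserver(spec: str) -> LdapServer:
    """Parse one --ldapserver / --keyserver style LDAP spec."""
    spec = spec.strip()
    if "://" in spec:
        return _parse_url(spec)
    if spec.lower().startswith("ldap:"):
        spec = spec[len("ldap:"):]
    fields = spec.split(":")
    # The trailing colon of the man page's form yields an empty 7th field.
    if len(fields) > 7 or (len(fields) == 7 and fields[6]):
        raise ValueError("too many colon-delimited fields (a password "
                         "containing ':' cannot be expressed in this form)")
    fields += [""] * (6 - len(fields))
    host, port, user, password, base_dn, flag_text = fields[:6]
    if not host:
        raise ValueError("hostname is required")
    flags = parse_flags(flag_text)
    port_num = int(port) if port else DEFAULT_PORTS[transport_of(flags)]
    if not 0 < port_num < 65536:
        raise ValueError(f"port out of range: {port_num}")
    return LdapServer(host, port_num, user, password, base_dn, flags)


def _parse_url(url: str) -> LdapServer:
    """URL form: ldap:// is plain, ldaps:// is STARTTLS; both default to 389."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ("ldap", "ldaps"):
        raise ValueError(f"not an LDAP URL scheme: {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("LDAP URL has no host")
    flags = frozenset({"starttls" if scheme == "ldaps" else "plain"})
    # The path carries the base DN.  The bindname/password query parameters
    # of the --keyserver URL form are deliberately not handled here.
    base_dn = unquote(parts.path.lstrip("/"))
    return LdapServer(parts.hostname, parts.port or 389,
                      base_dn=base_dn, flags=flags)


def parse_serverlist(text: str) -> list:
    """dirmngr_ldapservers.conf content: one spec per line, '#' comments."""
    servers = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            servers.append(parse_ldapserver(line))
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {exc}") from None
    return servers


# Constructed sample in the dirmngr_ldapservers.conf format (not a real site).
SAMPLE_SERVERLIST = """# CRL and certificate sources
ldap.example.com:::::starttls
crl.example.org::::dc=example,dc=org:ltdaptls
"""
```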

       --ldaptimeout secs
              Specify the number of seconds to wait for an LDAP query before
              timing out.  The default is 15 seconds.  0 means never time
              out.

       --add-servers
              This option makes dirmngr add any servers it discovers when
              validating certificates against CRLs to the internal list of
              servers to consult for certificates and CRLs.  This option
              should in general not be used.

              This option might be useful when trying to validate a
              certificate that has a CRL distribution point that points to a
              server that is not already listed in the ldapserverlist.
              Dirmngr will always go to this server and try to download the
              CRL, but chances are high that the certificate used to sign the
              CRL is located on the same server.  So if dirmngr doesn't add
              that new server to the list, it will often not be able to
              verify the signature of the CRL unless the --add-servers option
              is used.

              Caveat emptor: Using this option may enable denial-of-service
              attacks and leak search requests to unknown third parties.
              This is because arbitrary servers are added to the internal
              list of LDAP servers which in turn is used for all unspecific
              LDAP queries as well as a fallback for queries which did not
              return a result.

       --allow-ocsp
              This option enables OCSP support if requested by the client.

              OCSP requests are rejected by default because they may violate
              the privacy of the user; for example it is possible to track the
              time when a user is reading a mail.

       --ocsp-responder url
              Use url as the default OCSP Responder if the certificate does
              not contain information about an assigned responder.  Note that
              --ocsp-signer must also be set to a valid certificate.

       --ocsp-signer fpr|file
              Use the certificate with the fingerprint fpr to check the
              responses of the default OCSP Responder.  Alternatively a
              filename can be given in which case the response is expected to
              be signed by one of the certificates described in that file.
              Any argument which contains a slash, dot or tilde is considered
              a filename.  Usual filename expansion takes place: A tilde at
              the start followed by a slash is replaced by the content of
              ‘HOME’, no slash at start describes a relative filename which
              will be searched in the home directory.  To make sure that the
              file is searched in the home directory, either prepend the name
              with "./" or use a name which contains a dot.

              If a response has been signed by a certificate described by
              these fingerprints no further check upon the validity of this
              certificate is done.

              The format of the file is a list of SHA-1 fingerprints, one per
              line with optional colons between the bytes.  Empty lines and
              lines prefixed with a hash mark are ignored.

       --ocsp-max-clock-skew n
              The number of seconds of skew between the OCSP responder and
              the local clock that is accepted.  Default is 600 (10 minutes).

       --ocsp-max-period n
              Seconds a response is at maximum considered valid after the time
              given in the thisUpdate field.  Default is 7776000 (90 days).

       --ocsp-current-period n
              The number of seconds an OCSP response is considered valid after
              the time given in the NEXT_UPDATE datum.  Default is 10800 (3
              hours).
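
       The --ocsp-signer argument rule (a slash, dot or tilde means a file),
       the fingerprint file format, and the three timing windows above,
       combined into one acceptance check in Python.  This is an added
       example modelled on the option descriptions, not dirmngr's own code;
       the fingerprints, the signer file, the fixed clock value and the
       read_file callable that stands in for the filesystem are all
       constructed.

```python
"""OCSP response acceptance modelled on the dirmngr(8) option texts
(added example, not GnuPG code): --ocsp-signer argument handling and
fingerprint file format, plus the --ocsp-max-clock-skew, --ocsp-max-period
and --ocsp-current-period windows with their documented defaults.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

DEFAULT_MAX_CLOCK_SKEW = 600        # seconds (10 minutes)
DEFAULT_MAX_PERIOD = 7_776_000      # seconds after thisUpdate (90 days)
DEFAULT_CURRENT_PERIOD = 10_800     # seconds after nextUpdate (3 hours)

_SHA1_HEX = re.compile(r"^[0-9A-F]{40}$")


def is_filename_argument(arg: str) -> bool:
    """dirmngr(8): an argument containing a slash, dot or tilde is a file."""
    return any(c in arg for c in "/.~")


def normalize_fingerprint(text: str) -> str:
    """Accept a SHA-1 fingerprint with optional colons between the bytes."""
    fpr = text.strip().replace(":", "").upper()
    if not _SHA1_HEX.match(fpr):
        raise ValueError(f"not a SHA-1 fingerprint: {text!r}")
    return fpr


def parse_fingerprint_file(content: str) -> frozenset:
    """One fingerprint per line; empty and '#'-prefixed lines are ignored."""
    return frozenset(
        normalize_fingerprint(line)
        for line in map(str.strip, content.splitlines())
        if line and not line.startswith("#")
    )


def signer_set(arg: str, read_file: Callable[[str], str]) -> frozenset:
    """Resolve an --ocsp-signer argument to the accepted signer fingerprints.

    read_file(name) -> str stands in for the filesystem so this runs offline.
    """
    if is_filename_argument(arg):
        return parse_fingerprint_file(read_file(arg))
    return frozenset({normalize_fingerprint(arg)})


@dataclass(frozen=True)
class OcspStatus:
    """The parts of a single-certificate OCSP response this check needs."""
    signer_fpr: str               # SHA-1 fingerprint of the signing cert
    this_update: datetime
    next_update: Optional[datetime] = None


def check_response(status: OcspStatus, accepted_signers: frozenset,
                   now: datetime, *,
                   max_clock_skew: int = DEFAULT_MAX_CLOCK_SKEW,
                   max_period: int = DEFAULT_MAX_PERIOD,
                   current_period: int = DEFAULT_CURRENT_PERIOD) -> str:
    """Return "ok" or a short reason why the response must be rejected."""
    if status.signer_fpr not in accepted_signers:
        return "signer not listed by --ocsp-signer"
    # thisUpdate may lead the local clock by at most the allowed skew.
    if status.this_update > now + timedelta(seconds=max_clock_skew):
        return "thisUpdate in the future beyond --ocsp-max-clock-skew"
    # A response older than max_period after thisUpdate is never accepted.
    if now > status.this_update + timedelta(seconds=max_period):
        return "too old: thisUpdate plus --ocsp-max-period has passed"
    # When nextUpdate is present, a grace period of current_period applies.
    if (status.next_update is not None
            and now > status.next_update + timedelta(seconds=current_period)):
        return "not current: nextUpdate plus --ocsp-current-period has passed"
    return "ok"


# Constructed sample data: fingerprints, file content and clock are made up.
SIGNER_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
OTHER_FPR = "89ABCDEF89ABCDEF89ABCDEF89ABCDEF89ABCDEF"
SAMPLE_SIGNER_FILE = """# constructed --ocsp-signer file
01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67

89abcdef89abcdef89abcdef89abcdef89abcdef
"""
FAKE_FS = {"./ocsp-signers.txt": SAMPLE_SIGNER_FILE}
NOW = datetime(2023, 6, 21, 12, 0, tzinfo=timezone.utc)


def at(minutes: int) -> datetime:
    """Sample timestamp relative to the fixed NOW, in minutes."""
    return NOW + timedelta(minutes=minutes)
```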

       --max-replies n
              Do not return more than n items in one query.  The default is
              10.

       --ignore-cert-extension oid
              Add oid to the list of ignored certificate extensions.  The oid
              is expected to be in dotted decimal form, like 2.5.29.3.  This
              option may be used more than once.  Certificate extensions
              flagged as critical that match one of the OIDs in the list are
              treated as if they were actually handled and thus the
              certificate won't be rejected due to an unknown critical
              extension.  Use this option with care because extensions are
              usually flagged as critical for a reason.

       --ignore-crl-extension oid
              Add oid to the list of ignored CRL extensions.  The oid is
              expected to be in dotted decimal form.  CRL extensions flagged
              as critical that match one of the OIDs in the list are treated
              as if they were actually handled and thus the certificate won't
              be rejected due to an unknown critical extension.  Use this
              option with care because extensions are usually flagged as
              critical for a reason.

       --ignore-cert fpr|file
              Entirely ignore certificates with the fingerprint fpr.  As an
              alternative to the fingerprint a filename can be given in which
              case all certificates described in that file are ignored.  Any
              argument which contains a slash, dot or tilde is considered a
              filename.  Usual filename expansion takes place: A tilde at the
              start followed by a slash is replaced by the content of ‘HOME’,
              no slash at start describes a relative filename which will be
              searched in the home directory.  To make sure that the file is
              searched in the home directory, either prepend the name with
              "./" or use a name which contains a dot.  The format of such a
              file is a list of SHA-1 fingerprints, one per line with
              optional colons between the bytes.  Empty lines and lines
              prefixed with a hash mark are ignored.

              This option is useful as a quick workaround to exclude certain
              certificates from the system store.

       --hkp-cacert file
              Use the root certificates in file for verification of the TLS
              certificates used with hkps (keyserver access over TLS).  If the
              file is in PEM format a suffix of .pem is expected for file.
              This option may be given multiple times to add more root
              certificates.  Tilde expansion is supported.

              If no hkp-cacert directive is present, dirmngr will use the
              system CAs.

EXAMPLES
       Here is an example of how to show dirmngr's internal table of OpenPGP
       keyserver addresses.  The output is intended for debugging purposes and
       not part of a defined API.

           gpg-connect-agent --dirmngr 'keyserver --hosttable' /bye

       To inhibit the use of a particular host you have noticed in one of the
       keyserver pools, you may use

           gpg-connect-agent --dirmngr 'keyserver --dead pgpkeys.bnd.de' /bye

       The description of the keyserver command can be printed using

           gpg-connect-agent --dirmngr 'help keyserver' /bye

FILES
       Dirmngr makes use of several directories when running in daemon mode.
       There are a few configuration files to control the operation of
       dirmngr.  By default they may all be found in the current home
       directory (see: [option --homedir]).

       dirmngr.conf
              This is the standard configuration file read by dirmngr on
              startup.  It may contain any valid long option; the leading two
              dashes may not be entered and the option may not be abbreviated.
              This file is also read after a SIGHUP, however not all options
              will actually have an effect.  This default name may be changed
              on the command line (see: [option --options]).  You should
              back up this file.

       /etc/gnupg/trusted-certs
              This directory should be filled with certificates of Root CAs
              you are trusting in checking the CRLs and signing OCSP
              Responses.

              Usually these are the same certificates you use with the
              applications making use of dirmngr.  It is expected that each of
              these certificate files contains exactly one DER encoded
              certificate in a file with the suffix ‘.crt’ or ‘.der’.
              dirmngr reads those certificates on startup and when given a
              SIGHUP.  Certificates which are not readable or do not make up
              a proper X.509 certificate are ignored; see the log file for
              details.

              Applications using dirmngr (e.g. gpgsm) can request these
              certificates to complete a trust chain in the same way as with
              the extra-certs directory (see below).

              Note that for OCSP responses the certificate specified using the
              option --ocsp-signer is always considered valid to sign OCSP
              requests.

       /etc/gnupg/extra-certs
              This directory may contain extra certificates which are
              preloaded into the internal cache on startup.  Applications
              using dirmngr (e.g. gpgsm) can request cached certificates to
              complete a trust chain.  This is convenient in cases you have a
              couple of intermediate CA certificates or certificates usually
              used to sign OCSP responses.  These certificates are first tried
              before going out to the net to look for them.  These
              certificates must also be DER encoded and suffixed with ‘.crt’
              or ‘.der’.

       ~/.gnupg/crls.d
              This directory is used to store cached CRLs.  The ‘crls.d’ part
              will be created by dirmngr if it does not exist but you need to
              make sure that the upper directory exists.

       Several options control the use of trusted certificates for TLS and
       CRLs.  Here is an overview on the use and origin of those Root CA
       certificates:

       System
              These System root certificates are used by:  FIXME

              The origin of the system provided certificates depends on the
              platform.  On Windows all certificates from the Windows System
              Stores ROOT and CA are used.

              On other platforms the certificates are read from the first file
              found from this list: ‘/etc/ssl/ca-bundle.pem’,
              ‘/etc/ssl/certs/ca-certificates.crt’, ‘/etc/pki/tls/cert.pem’,
              ‘/usr/local/share/certs/ca-root-nss.crt’, ‘/etc/ssl/cert.pem’.

       GnuPG
              The GnuPG specific certificates stored in the directory
              ‘/etc/gnupg/trusted-certs’ are only used to validate CRLs.

       OpenPGP keyserver
              For accessing the OpenPGP keyservers the only certificates used
              are those set with the configuration option hkp-cacert.

       OpenPGP keyserver pool
              This is usually only one certificate read from the file
              ‘/usr/share/gnupg/gnupg/sks-keyservers.netCA.pem’.  If this
              certificate exists it is used to access the special keyservers
              hkps.pool.sks-keyservers.net (or ‘hkps://keys.gnupg.net’).

       Please note that gpgsm accepts Root CA certificates for its own
       purposes only if they are listed in its file ‘trustlist.txt’.  dirmngr
       does not make use of this list - except FIXME.

NOTES
       To be able to see diagnostics it is often useful to put at least the
       following lines into the configuration file ‘~/.gnupg/dirmngr.conf’:

         log-file ~/dirmngr.log
         verbose

       You may want to check the log file to see whether all desired root CA
       certificates are correctly loaded.

       To be able to perform OCSP requests you probably want to add the line:

         allow-ocsp

       To make sure that new options are read or that after the installation
       of a new GnuPG version the right dirmngr version is running, you
       should kill an existing dirmngr so that a new instance is started as
       needed by the other components:

         gpgconf --kill dirmngr

       Direct interaction with the dirmngr is possible by using the command

         gpg-connect-agent --dirmngr

       Enter HELP at the prompt to see a list of commands and enter HELP
       followed by a command name to get help on that command.

SIGNALS
       A running dirmngr may be controlled by signals, i.e. using the kill
       command to send a signal to the process.

       Here is a list of supported signals:

       SIGHUP This signal flushes all internally cached CRLs as well as any
              cached certificates.  Then the certificate cache is
              reinitialized as on startup.  Options are re-read from the
              configuration file.  Instead of sending this signal it is
              better to use

                gpgconf --reload dirmngr

       SIGTERM
              Shuts down the process but waits until all current requests are
              fulfilled.  If the process has received 3 of these signals and
              requests are still pending, a shutdown is forced.  You may also
              use

                gpgconf --kill dirmngr

              instead of this signal.

       SIGINT Shuts down the process immediately.

       SIGUSR1
              This prints some caching statistics to the log file.

SEE ALSO
       gpgsm(1), dirmngr-client(1)

       The full documentation for this tool is maintained as a Texinfo manual.
       If GnuPG and the info program are properly installed at your site, the
       command

         info gnupg

       should give you access to the complete manual including a menu
       structure and an index.

GnuPG 2.4.3                       2023-06-21                        DIRMNGR(8)