GPGSM(1)                     GNU Privacy Guard                     GPGSM(1)

NAME
       gpgsm - CMS encryption and signing tool

SYNOPSIS
       gpgsm [--homedir dir] [--options file] [options] command [args]

DESCRIPTION
       gpgsm is a tool similar to gpg to provide digital encryption and
       signing services based on X.509 certificates and the CMS protocol.
       It is mainly used as a backend for S/MIME mail processing. gpgsm
       includes a full featured certificate management and complies with
       all rules defined for the German Sphinx project.

COMMANDS
       Commands are not distinguished from options except for the fact that
       only one command is allowed.

   Commands not specific to the function

       --version
              Print the program version and licensing information. Note
              that you can abbreviate this command.

       --help, -h
              Print a usage message summarizing the most useful
              command-line options. Note that you can abbreviate this
              command.

       --warranty
              Print warranty information.

       --dump-options
              Print a list of all available options and commands. Note
              that you can abbreviate this command.

   Commands to select the type of operation

       --encrypt
              Perform an encryption. The keys the data is encrypted to
              must be set using the option --recipient.

       --decrypt
              Perform a decryption; the type of input is automatically
              determined. It may either be in binary form or PEM encoded;
              automatic detection of base-64 encoding is not done.

       --sign Create a digital signature. The key used is either the first
              one found in the keybox or those set with the --local-user
              option.

       --verify
              Check a signature file for validity. Depending on the
              arguments a detached signature may also be checked.

       --server
              Run in server mode and wait for commands on stdin.

       --call-dirmngr command [args]
              Behave as a Dirmngr client issuing the request command with
              the optional list of args. The output of the Dirmngr is
              printed to stdout. Please note that file names given as
              arguments should have an absolute file name (i.e. commencing
              with /) because they are passed verbatim to the Dirmngr and
              the working directory of the Dirmngr might not be the same
              as the one of this client. Currently it is not possible to
              pass data via stdin to the Dirmngr. command should not
              contain spaces.

              This command is required for certain maintenance tasks of
              the dirmngr where a dirmngr must be able to call back to
              gpgsm. See the Dirmngr manual for details.

       --call-protect-tool arguments
              Certain maintenance operations are done by an external
              program called gpg-protect-tool; this is usually not
              installed in a directory listed in the PATH variable. This
              command provides a simple wrapper to access this tool.
              arguments are passed verbatim to this command; use '--help'
              to get a list of supported operations.

   How to manage the certificates and keys

       --gen-key
              This command allows the interactive creation of a
              certificate signing request. It is commonly used along with
              the --output option to save the created CSR into a file.

       --list-keys

       -k     List all available certificates stored in the local key
              database. Note that the displayed data might be reformatted
              for better human readability and illegal characters are
              replaced by safe substitutes.

       --list-secret-keys

       -K     List all available certificates for which a corresponding
              secret key is available.

       --list-external-keys pattern
              List certificates matching pattern using an external server.
              This utilizes the dirmngr service.

       --list-chain
              Same as --list-keys but also prints all keys making up the
              chain.

       --dump-cert

       --dump-keys
              List all available certificates stored in the local key
              database using a format useful mainly for debugging.

       --dump-chain
              Same as --dump-keys but also prints all keys making up the
              chain.

       --dump-secret-keys
              List all available certificates for which a corresponding
              secret key is available, using a format useful mainly for
              debugging.

       --dump-external-keys pattern
              List certificates matching pattern using an external server.
              This utilizes the dirmngr service. It uses a format useful
              mainly for debugging.

       --keydb-clear-some-cert-flags
              This is a debugging aid to reset certain flags in the key
              database which are used to cache certain certificate states.
              It is especially useful if a bad CRL or a misbehaving OCSP
              responder accidentally revoked a certificate. There is no
              security issue with this command because gpgsm always makes
              sure that the validity of a certificate is checked right
              before it is used.

       --delete-keys pattern
              Delete the keys matching pattern.

       --export [pattern]
              Export all certificates stored in the Keybox or those
              specified by the optional pattern. These patterns consist of
              a list of user ids (see: HOW TO SPECIFY A USER ID). When
              used along with the --armor option a few informational lines
              are prepended before each block. There is one limitation:
              As there is no commonly agreed upon way to pack more than
              one certificate into an ASN.1 structure, the binary export
              (i.e. without using armor) works only for the export of one
              certificate. Thus it is required to specify a pattern which
              yields exactly one certificate.

       --export-secret-key-p12 key-id
              Export the private key and the certificate identified by
              key-id in a PKCS#12 format. When used along with the --armor
              option a few informational lines are prepended to the
              output. Note, that the PKCS#12 format is not very secure and
              this command is only provided if there is no other way to
              exchange the private key. (see: option --p12-charset)

       --import [files]
              Import the certificates from the PEM or binary encoded files
              as well as from signed-only messages. This command may also
              be used to import a secret key from a PKCS#12 file.

       --learn-card
              Read information about the private keys from the smartcard
              and import the certificates from there. This command
              utilizes the gpg-agent and in turn the scdaemon.

       --passwd user_id
              Change the passphrase of the private key belonging to the
              certificate specified as user_id. Note, that changing the
              passphrase/PIN of a smartcard is not yet supported.

OPTIONS
       gpgsm features a number of options to control the exact behaviour
       and to change the default configuration.

   How to change the configuration
       These options are used to change the configuration and are usually
       found in the option file.

       --options file
              Reads configuration from file instead of from the default
              per-user configuration file. The default configuration file
              is named `gpgsm.conf' and expected in the `.gnupg' directory
              directly below the home directory of the user.

       --homedir dir
              Set the name of the home directory to dir. If this option is
              not used, the home directory defaults to `~/.gnupg'. It is
              only recognized when given on the command line. It also
              overrides any home directory stated through the environment
              variable `GNUPGHOME' or (on W32 systems) by means of the
              Registry entry HKCU\Software\GNU\GnuPG:HomeDir.

       -v

       --verbose
              Outputs additional information while running. You can
              increase the verbosity by giving several verbose options to
              gpgsm, such as '-vv'.

       --policy-file filename
              Change the default name of the policy file to filename.

       --agent-program file
              Specify an agent program to be used for secret key
              operations. The default value is `/usr/local/bin/gpg-agent'.
              This is only used as a fallback when the environment
              variable GPG_AGENT_INFO is not set or a running agent can't
              be connected to.

       --dirmngr-program file
              Specify a dirmngr program to be used for CRL checks. The
              default value is `/usr/sbin/dirmngr'. This is only used as a
              fallback when the environment variable DIRMNGR_INFO is not
              set or a running dirmngr can't be connected to.

       --prefer-system-dirmngr
              If a system wide dirmngr is running in daemon mode, first
              try to connect to this one. Fall back to a pipe based server
              if this does not work. Under Windows this option is ignored
              because the system dirmngr is always used.

       --no-secmem-warning
              Don't print a warning when the so called "secure memory"
              can't be used.

       --log-file file
              When running in server mode, append all logging output to
              file.

   Certificate related options

       --enable-policy-checks

       --disable-policy-checks
              By default policy checks are enabled. These options may be
              used to change it.

       --enable-crl-checks

       --disable-crl-checks
              By default the CRL checks are enabled and the DirMngr is
              used to check for revoked certificates. The disable option
              is most useful with an off-line network connection to
              suppress this check.

       --enable-trusted-cert-crl-check

       --disable-trusted-cert-crl-check
              By default the CRLs for trusted root certificates are
              checked like for any other certificates. This allows a CA
              to revoke its own certificates voluntarily without the need
              of putting all ever issued certificates into a CRL. The
              disable option may be used to switch this extra check off.
              Due to the caching done by the Dirmngr, there won't be any
              noticeable performance gain. Note, that this also disables
              possible OCSP checks for trusted root certificates. A more
              specific way of disabling this check is by adding the
              ``relax'' keyword to the root CA line of the
              `trustlist.txt'.

       --force-crl-refresh
              Tell the dirmngr to reload the CRL for each request. For
              better performance, the dirmngr will actually optimize this
              by suppressing the loading for short time intervals (e.g. 30
              minutes). This option is useful to make sure that a fresh
              CRL is available for certificates held in the keybox. The
              suggested way of doing this is by using it along with the
              option --with-validation for a key listing command. This
              option should not be used in a configuration file.

       --enable-ocsp

       --disable-ocsp
              By default OCSP checks are disabled. The enable option may
              be used to enable OCSP checks via Dirmngr. If CRL checks
              are also enabled, CRLs will be used as a fallback if for
              some reason an OCSP request won't succeed. Note, that you
              have to allow OCSP requests in Dirmngr's configuration too
              (option --allow-ocsp) and configure dirmngr properly. If
              you don't do so you will get the error code 'Not supported'.

       --auto-issuer-key-retrieve
              If a required certificate is missing while validating the
              chain of certificates, try to load that certificate from an
              external location. This usually means that Dirmngr is
              employed to search for the certificate. Note that this
              option makes a "web bug" like behavior possible. LDAP
              server operators can see which keys you request, so by
              sending you a message signed by a brand new key (which you
              naturally will not have on your local keybox), the operator
              can tell both your IP address and the time when you
              verified the signature.

       --validation-model name
              This option changes the default validation model. The only
              possible values are "shell" (which is the default) and
              "chain" which forces the use of the chain model. The chain
              model is also used if an option in the `trustlist.txt' or
              an attribute of the certificate requests it. However the
              standard model (shell) is in that case always tried first.

   Input and Output

       --armor

       -a     Create PEM encoded output. Default is binary output.

       --base64
              Create Base-64 encoded output; i.e. PEM without the header
              lines.

       --assume-armor
              Assume the input data is PEM encoded. Default is to
              autodetect the encoding but this may fail.

       --assume-base64
              Assume the input data is plain base-64 encoded.

       --assume-binary
              Assume the input data is binary encoded.

       --p12-charset name
              gpgsm uses the UTF-8 encoding when encoding passphrases for
              PKCS#12 files. This option may be used to force the
              passphrase to be encoded in the specified encoding name.
              This is useful if the application used to import the key
              uses a different encoding and thus won't be able to import
              a file generated by gpgsm. Commonly used values for name
              are Latin1 and CP850. Note that gpgsm itself automagically
              imports any file with a passphrase encoded to the most
              commonly used encodings.

       --default-key user_id
              Use user_id as the standard key for signing. This key is
              used if no other key has been defined as a signing key.
              Note, that the first --local-user option also sets this key
              if it has not yet been set; however --default-key always
              overrides this.

       --local-user user_id

       -u user_id
              Set the user(s) to be used for signing. The default is the
              first secret key found in the database.

       --recipient name

       -r name
              Encrypt to the user id name. There are several ways a user
              id may be given (see: HOW TO SPECIFY A USER ID).

       --output file

       -o file
              Write output to file. The default is to write it to stdout.

       --with-key-data
              Displays extra information with the --list-keys command.
              Especially a line tagged grp is printed which tells you the
              keygrip of a key. This string is for example used as the
              file name of the secret key.

       --with-validation
              When doing a key listing, do a full validation check for
              each key and print the result. This is usually a slow
              operation because it requires a CRL lookup and other
              operations.

              When used along with --import, a validation of the
              certificate to import is done and it is only imported if it
              passes the test. Note that this does not affect an already
              available certificate in the DB. This option is therefore
              useful to simply verify a certificate.

       --with-md5-fingerprint
              For standard key listings, also print the MD5 fingerprint
              of the certificate.

   How to change how the CMS is created.

       --include-certs n
              Using n of -2 includes all certificates except for the root
              cert, -1 includes all certs, 0 does not include any certs,
              1 includes only the signer's cert (this is the default) and
              all other positive values include up to n certificates
              starting with the signer cert.

       --cipher-algo oid
              Use the cipher algorithm with the ASN.1 object identifier
              oid for encryption. For convenience the strings 3DES, AES
              and AES256 may be used instead of their OIDs. The default
              is 3DES (1.2.840.113549.3.7).

   Doing things one usually doesn't want to do.

       --extra-digest-algo name
              Sometimes signatures are broken in that they announce a
              different digest algorithm than actually used. gpgsm uses a
              one-pass data processing model and thus needs to rely on
              the announced digest algorithms to properly hash the data.
              As a workaround this option may be used to tell gpgsm to
              also hash the data using the algorithm name; this slows
              processing down a little bit but allows verifying such
              broken signatures. If gpgsm prints an error like ``digest
              algo 8 has not been enabled'' you may want to try this
              option, with 'SHA256' for name.

       --faked-system-time epoch
              This option is only useful for testing; it sets the system
              time back or forth to epoch which is the number of seconds
              elapsed since the year 1970. Alternatively epoch may be
              given as a full ISO time string (e.g. "20070924T154812").

       --with-ephemeral-keys
              Include ephemeral flagged keys in the output of key
              listings.

       --debug-level level
              Select the debug level for investigating problems. level
              may be one of:

              none   no debugging at all.

              basic  some basic debug messages

              advanced
                     more verbose debug messages

              expert even more detailed messages

              guru   all of the debug messages you can get

              How these messages are mapped to the actual debugging flags
              is not specified and may change with newer releases of this
              program. They are however carefully selected to best aid in
              debugging.

       --debug flags
              This option is only useful for debugging and the behaviour
              may change at any time without notice; using --debug-level
              is the preferred method to select the debug verbosity.
              flags are bit encoded and may be given in usual C syntax.
              The currently defined bits are:

              0  (1)     X.509 or OpenPGP protocol related data

              1  (2)     values of big number integers

              2  (4)     low level crypto operations

              5  (32)    memory allocation

              6  (64)    caching

              7  (128)   show memory statistics.

              9  (512)   write hashed data to files named dbgmd-000*

              10 (1024)  trace Assuan protocol

              Note, that all flags set using this option may get
              overridden by --debug-level.

       --debug-all
              Same as --debug=0xffffffff

       --debug-allow-core-dump
              Usually gpgsm tries to avoid dumping core by well written
              code and by disabling core dumps for security reasons.
              However, bugs are pretty durable beasts and to squash them
              it is sometimes useful to have a core dump. This option
              enables core dumps unless the Bad Thing happened before the
              option parsing.

       --debug-no-chain-validation
              This is actually not a debugging option but only useful as
              such. It lets gpgsm bypass all certificate chain validation
              checks.

       --debug-ignore-expiration
              This is actually not a debugging option but only useful as
              such. It lets gpgsm ignore all notAfter dates; this is used
              by the regression tests.

       --fixed-passphrase string
              Supply the passphrase string to the gpg-protect-tool. This
              option is only useful for the regression tests included
              with this package and may be revised or removed at any time
              without notice.

       All the long options may also be given in the configuration file
       after stripping off the two leading dashes.

HOW TO SPECIFY A USER ID
       There are different ways to specify a user ID to GnuPG. Some of
       them are only valid for gpg, others are only good for gpgsm. Here
       is the entire list of ways to specify a key:

       By key Id.
              This format is deduced from the length of the string and
              its content or 0x prefix. The key Id of an X.509
              certificate is the low 64 bits of its SHA-1 fingerprint.
              The use of key Ids is just a shortcut; for all automated
              processing the fingerprint should be used.

              When using gpg an exclamation mark (!) may be appended to
              force using the specified primary or secondary key and not
              to try and calculate which primary or secondary key to use.

              The last four lines of the example give the key ID in their
              long form as internally used by the OpenPGP protocol. You
              can see the long key ID using the option --with-colons.

                234567C4
                0F34E556E
                01347A56A
                0xAB123456

                234AABBCC34567C4
                0F323456784E56EAB
                01AB3FED1347A5612
                0x234AABBCC34567C4

       By fingerprint.
              This format is deduced from the length of the string and
              its content or the 0x prefix. Note, that only the 20 byte
              version fingerprint is available with gpgsm (i.e. the SHA-1
              hash of the certificate).

              When using gpg an exclamation mark (!) may be appended to
              force using the specified primary or secondary key and not
              to try and calculate which primary or secondary key to use.

              The best way to specify a key Id is by using the
              fingerprint. This avoids any ambiguities in case that there
              are duplicated key IDs.

                1234343434343434C434343434343434
                123434343434343C3434343434343734349A3434
                0E12343434343434343434EAB3484343434343434
                0xE12343434343434343434EAB3484343434343434

       (gpgsm also accepts colons between each pair of hexadecimal digits
       because this is the de-facto standard on how to present X.509
       fingerprints.)

       By exact match on OpenPGP user ID.
              This is denoted by a leading equal sign. It does not make
              sense for X.509 certificates.

                =Heinrich Heine <heinrichh@uni-duesseldorf.de>

       By exact match on an email address.
              This is indicated by enclosing the email address in the
              usual way with left and right angles.

                <heinrichh@uni-duesseldorf.de>

       By word match.
              All words must match exactly (not case sensitive) but can
              appear in any order in the user ID or a subject's name.
              Words are any sequences of letters, digits, the underscore
              and all characters with bit 7 set.

                +Heinrich Heine duesseldorf

       By exact match on the subject's DN.
              This is indicated by a leading slash, directly followed by
              the RFC-2253 encoded DN of the subject. Note that you can't
              use the string printed by "gpgsm --list-keys" because that
              one has been reordered and modified for better readability;
              use --with-colons to print the raw (but standard escaped)
              RFC-2253 string.

                /CN=Heinrich Heine,O=Poets,L=Paris,C=FR

       By exact match on the issuer's DN.
              This is indicated by a leading hash mark, directly followed
              by a slash and then directly followed by the RFC-2253
              encoded DN of the issuer. This should return the Root cert
              of the issuer. See note above.

                #/CN=Root Cert,O=Poets,L=Paris,C=FR

       By exact match on serial number and issuer's DN.
              This is indicated by a hash mark, followed by the
              hexadecimal representation of the serial number, then
              followed by a slash and the RFC-2253 encoded DN of the
              issuer. See note above.

                #4F03/CN=Root Cert,O=Poets,L=Paris,C=FR

       By keygrip
              This is indicated by an ampersand followed by the 40 hex
              digits of a keygrip. gpgsm prints the keygrip when using
              the command --dump-cert. It does not yet work for OpenPGP
              keys.

                &D75F22C3F86E355877348498CDC92BD21010A480

       By substring match.
              This is the default mode but applications may want to
              explicitly indicate this by putting the asterisk in front.
              Match is not case sensitive.

                Heine
                *Heine

       Please note that we have reused the hash mark identifier which was
       used in old GnuPG versions to indicate the so called local-id. It
       is no longer used and there should be no conflict when used with
       X.509 stuff.

       Using the RFC-2253 format of DNs has the drawback that it is not
       possible to map them back to the original encoding, however we
       don't have to do this because our key database stores this
       encoding as meta data.

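       The specifier forms listed above, as an added example that is not
       part of this manual page or of GnuPG's own code: a small Python
       classifier that recognizes each form and matches it against one
       certificate record. The record (DER bytes, subject, issuer, serial,
       email, keygrip) is constructed for the example; the fingerprint and
       key ID are derived as the page defines them (SHA-1 over the
       certificate, key ID being its low 64 bits). It also accepts the
       colon-separated fingerprint form mentioned in parentheses above.

```python
"""Classify gpgsm user-ID specifiers and match them against a certificate.

Added example, not GnuPG code. The certificate record below is constructed:
the DER bytes are arbitrary, so its fingerprint is simply SHA-1 over them,
as the man page defines it for X.509 certificates.
"""
import hashlib
import re

# Constructed certificate record (stand-in for one keybox entry).
CERT = {
    "der": b"\x30\x82\x01\x00constructed, not a real certificate",
    "subject": "CN=Heinrich Heine,O=Poets,L=Paris,C=FR",
    "issuer": "CN=Root Cert,O=Poets,L=Paris,C=FR",
    "serial": "4F03",
    "email": "heinrichh@uni-duesseldorf.de",
    "keygrip": "D75F22C3F86E355877348498CDC92BD21010A480",  # made-up value
}

# Words: letters, digits, underscore and any character with bit 7 set.
WORD_RE = re.compile(r"[0-9A-Za-z_\u0080-\uffff]+")


def fingerprint(der: bytes) -> str:
    """gpgsm fingerprint: SHA-1 over the DER encoded certificate, upper hex."""
    return hashlib.sha1(der).hexdigest().upper()


def key_id(der: bytes) -> str:
    """Key ID: the low 64 bits, i.e. the last 16 hex digits, of the fingerprint."""
    return fingerprint(der)[-16:]


def _hex(s: str) -> str:
    """Strip an optional 0x prefix and the colons gpgsm accepts in fingerprints."""
    s = s.replace(":", "")
    if s[:2].lower() == "0x":
        s = s[2:]
    return s.upper()


def classify(spec: str):
    """Return (kind, payload) for a specifier, following the man page's forms."""
    if spec.startswith("="):
        return "openpgp-userid", spec[1:]
    if spec.startswith("<") and spec.endswith(">"):
        return "email", spec[1:-1]
    if spec.startswith("+"):
        return "words", spec[1:]
    if spec.startswith("/"):
        return "subject-dn", spec[1:]
    if spec.startswith("#/"):
        return "issuer-dn", spec[2:]
    m = re.fullmatch(r"#([0-9A-Fa-f]+)/(.+)", spec)
    if m:
        return "serial-issuer", (m.group(1).upper(), m.group(2))
    if spec.startswith("&"):
        return "keygrip", _hex(spec[1:])
    if spec.startswith("*"):
        return "substring", spec[1:]
    # Key IDs and fingerprints are recognized by length and hex content.
    h = _hex(spec)
    if re.fullmatch(r"[0-9A-F]+", h):
        if len(h) == 40:
            return "fingerprint", h
        if len(h) in (8, 16):
            return "keyid", h
    return "substring", spec  # the default mode


def matches(spec: str, cert=CERT) -> bool:
    """True if the specifier selects the given certificate record."""
    kind, payload = classify(spec)
    fpr = fingerprint(cert["der"])
    if kind == "fingerprint":
        return payload == fpr
    if kind == "keyid":
        return fpr.endswith(payload)  # 8 or 16 low hex digits of the fingerprint
    if kind == "email":
        return payload.lower() == cert["email"].lower()
    if kind == "words":
        # Every word must occur as a whole word, in any order, case-insensitively.
        have = set(WORD_RE.findall((cert["subject"] + " " + cert["email"]).lower()))
        return all(w in have for w in WORD_RE.findall(payload.lower()))
    if kind == "subject-dn":
        return payload == cert["subject"]
    if kind == "issuer-dn":
        return payload == cert["issuer"]
    if kind == "serial-issuer":
        serial, issuer = payload
        return (serial.lstrip("0") == cert["serial"].upper().lstrip("0")
                and issuer == cert["issuer"])
    if kind == "keygrip":
        return payload == cert["keygrip"].upper()
    if kind == "substring":
        needle = payload.lower()
        return needle in cert["subject"].lower() or needle in cert["email"].lower()
    return False  # "=user id" is an OpenPGP form and never matches an X.509 cert
```

       The ordering inside classify matters: the prefixed forms are tested
       first, and only a string that survives them is judged by length and
       hex content, so a name such as "Heine" falls through to the default
       substring mode while "234567C4" is taken as a key ID, exactly the
       ambiguity the page's advice to prefer fingerprints avoids.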
EXAMPLES
       $ gpgsm -er goo@bar.net <plaintext >ciphertext

       gpgsm is often used as a backend engine by other software. To help
       with this a machine interface has been defined to have an
       unambiguous way to do this. This is most likely used with the
       --server command but may also be used in the standard operation
       mode by using the --status-fd option.

       It is very important to understand the semantics used with
       signature verification. Checking a signature is not as simple as
       it may sound and so the operation is a bit complicated. In most
       cases it is required to look at several status lines. Here is a
       table of all cases a signed message may have:

       The signature is valid
              This does mean that the signature has been successfully
              verified, the certificates are all sane. However there are
              two subcases with important information: One of the
              certificates may have expired or the signature of the
              message itself has expired. It is a sound practice to
              consider such a signature still as valid but additional
              information should be displayed. Depending on the subcase
              gpgsm will issue these status codes:

              signature valid and nothing did expire
                     GOODSIG, VALIDSIG, TRUST_FULLY

              signature valid but at least one certificate has expired
                     EXPKEYSIG, VALIDSIG, TRUST_FULLY

              signature valid but expired
                     EXPSIG, VALIDSIG, TRUST_FULLY
                     Note, that this case is currently not implemented.

       The signature is invalid
              This means that the signature verification failed (this is
              an indication of a transfer error, a program error or
              tampering with the message). gpgsm issues one of these
              status code sequences:

                     BADSIG

                     GOODSIG, VALIDSIG, TRUST_NEVER

       Error verifying a signature
              For some reason the signature could not be verified, i.e.
              it can't be decided whether the signature is valid or
              invalid. A common reason for this is a missing certificate.
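       The three cases above, as an added example that is not part of
       this manual page or of GnuPG's own code: a Python routine that
       collects the status keywords from --status-fd output and derives
       one verdict from the whole set, since, as the text says, a single
       line is not enough. The status lines embedded below are
       constructed samples in the "[GNUPG:] KEYWORD args" shape that
       --status-fd emits; their arguments are placeholders, only the
       keywords are examined. The verdict names are my own.

```python
"""Derive a verdict from gpgsm --status-fd lines.

Added example, not GnuPG code. Implements the table from the man page
(valid with its expiry subcases / invalid / error) by looking at the whole
set of status keywords. The sample lines below are constructed; their
arguments are placeholders, only the keywords matter here.
"""
import re

# "[GNUPG:] KEYWORD optional arguments" is the --status-fd line format.
STATUS_RE = re.compile(r"^\[GNUPG:\] ([A-Z_]+)(?:\s+(.*))?$")


def status_keywords(lines):
    """Collect the status keywords from --status-fd output; other lines are ignored."""
    found = []
    for line in lines:
        m = STATUS_RE.match(line.rstrip("\n"))
        if m:
            found.append(m.group(1))
    return found


def classify_signature(keywords):
    """Map a keyword set to one of the man page's cases.

    Returns "valid", "valid-cert-expired", "valid-sig-expired", "invalid"
    or "error" (the last one meaning: could not be decided).
    """
    kw = set(keywords)
    # Invalid: BADSIG, or a verified signature whose chain ends in TRUST_NEVER.
    if "BADSIG" in kw:
        return "invalid"
    if "VALIDSIG" in kw and "TRUST_NEVER" in kw:
        return "invalid"
    # Valid: VALIDSIG together with TRUST_FULLY, with the two expiry subcases.
    if "VALIDSIG" in kw and "TRUST_FULLY" in kw:
        if "EXPSIG" in kw:
            return "valid-sig-expired"
        if "EXPKEYSIG" in kw:
            return "valid-cert-expired"
        if "GOODSIG" in kw:
            return "valid"
    # Anything else (for instance a missing certificate) cannot be decided.
    return "error"


def verdict(lines):
    """Convenience wrapper: raw status lines in, verdict out."""
    return classify_signature(status_keywords(lines))


# Constructed samples of the sequences described on the page.
VALID_LINES = [
    "[GNUPG:] GOODSIG 3434343734349A3434 Heinrich Heine",
    "[GNUPG:] VALIDSIG 123434343434343C3434343434343734349A3434 2008-01-24 1201161600",
    "[GNUPG:] TRUST_FULLY",
]
CERT_EXPIRED_LINES = [
    "[GNUPG:] EXPKEYSIG 3434343734349A3434 Heinrich Heine",
    "[GNUPG:] VALIDSIG 123434343434343C3434343434343734349A3434 2008-01-24 1201161600",
    "[GNUPG:] TRUST_FULLY",
]
BAD_LINES = [
    "gpgsm: Signature made 2008-01-24 (ordinary stderr text, not a status line)",
    "[GNUPG:] BADSIG 3434343734349A3434 Heinrich Heine",
]
UNTRUSTED_LINES = [
    "[GNUPG:] GOODSIG 3434343734349A3434 Heinrich Heine",
    "[GNUPG:] VALIDSIG 123434343434343C3434343434343734349A3434 2008-01-24 1201161600",
    "[GNUPG:] TRUST_NEVER",
]
# A lone GOODSIG without VALIDSIG/TRUST_* must not be taken as "valid".
GOODSIG_ONLY = ["[GNUPG:] GOODSIG 3434343734349A3434 Heinrich Heine"]
```

       The GOODSIG_ONLY sample is the case that bites callers who stop at
       the first line: GOODSIG alone says nothing about the chain, and
       with TRUST_NEVER following it the page classes the message as
       invalid, so the verdict must wait for the complete set.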

FILES
       There are a few configuration files to control certain aspects of
       gpgsm's operation. Unless noted, they are expected in the current
       home directory (see: option --homedir).

       gpgsm.conf
              This is the standard configuration file read by gpgsm on
              startup. It may contain any valid long option; the leading
              two dashes may not be entered and the option may not be
              abbreviated. This default name may be changed on the
              command line (see: option --options).

       policies.txt
              This is a list of allowed CA policies. This file should
              list the object identifiers of the policies line by line.
              Empty lines and lines starting with a hash mark are
              ignored. Policies missing in this file and not marked as
              critical in the certificate will print only a warning;
              certificates with policies marked as critical and not
              listed in this file will fail the signature verification.

              For example, to allow only the policy 2.289.9.9, the file
              should look like this:

                # Allowed policies
                2.289.9.9

       qualified.txt
              This is the list of root certificates used for qualified
              certificates. They are defined as certificates capable of
              creating legally binding signatures in the same way as
              handwritten signatures are. Comments start with a hash
              mark and empty lines are ignored. Lines do have a length
              limit but this is not a serious limitation as the format of
              the entries is fixed and checked by gpgsm: A non-comment
              line starts with optional white space, followed by exactly
              40 hex characters, white space and a lowercased 2 letter
              country code. Additional data delimited by white space is
              currently ignored but might later be used for other
              purposes.

              Note that even if a certificate is listed in this file,
              this does not mean that the certificate is trusted; in
              general the certificates listed in this file need to be
              listed also in `trustlist.txt'.

              This is a global file and installed in the data directory
              (e.g. `/usr/share/gnupg/qualified.txt'). GnuPG installs a
              suitable file with root certificates as used in Germany.
              As new Root-CA certificates may be issued over time, these
              entries may need to be updated; new distributions of this
              software should come with an updated list but it is still
              the responsibility of the Administrator to check that this
              list is correct.

              Every time gpgsm uses a certificate for signing or
              verification this file will be consulted to check whether
              the certificate under question has ultimately been issued
              by one of these CAs. If this is the case the user will be
              informed that the verified signature represents a legally
              binding (``qualified'') signature. When creating a
              signature using such a certificate an extra prompt will be
              issued to let the user confirm that such a legally binding
              signature shall really be created.

              Because this software has not yet been approved for use
              with such certificates, appropriate notices will be shown
              to indicate this fact.
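       The two file formats described under policies.txt and
       qualified.txt, as an added example that is not part of this manual
       page or of GnuPG's own parser: Python readers for both files that
       enforce the fixed qualified.txt entry format, apply the
       warning-versus-failure rule for non-critical and critical policy
       OIDs, and carry the caveat that a qualified.txt listing alone
       confers no trust (the root must also be in trustlist.txt). The
       file contents embedded below are constructed samples; the function
       names and the trusted_roots set standing in for trustlist.txt are
       assumptions of the example.

```python
"""Parsers and checks for gpgsm's policies.txt and qualified.txt.

Added example, not GnuPG code. The file contents below are constructed
samples in the formats the man page describes; the function names and the
'trusted_roots' set (standing in for trustlist.txt) are assumptions.
"""
import re

OID_RE = re.compile(r"\d+(?:\.\d+)+")
# Optional white space, exactly 40 hex digits, white space, lowercase
# two-letter country code, then optional further fields that are ignored.
QUALIFIED_RE = re.compile(r"^\s*([0-9A-Fa-f]{40})\s+([a-z]{2})(?:\s+.*)?$")


def parse_policies(text):
    """policies.txt: one OID per line; empty lines and '#' lines are ignored."""
    allowed = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not OID_RE.fullmatch(line):
            raise ValueError(f"policies.txt line {lineno}: not an OID: {line!r}")
        allowed.add(line)
    return allowed


def check_policies(allowed, cert_policies, critical):
    """Apply the man page rule to a certificate's policy OIDs.

    Unlisted policies give a warning, unless the certificate marks the
    policy extension critical, in which case verification fails.
    Returns (status, unlisted_oids) with status in {"ok", "warning", "fail"}.
    """
    unlisted = [oid for oid in cert_policies if oid not in allowed]
    if not unlisted:
        return "ok", []
    return ("fail" if critical else "warning"), unlisted


def parse_qualified(text):
    """qualified.txt: fingerprint and country code per line, format enforced."""
    roots = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = QUALIFIED_RE.match(raw)
        if not m:
            raise ValueError(f"qualified.txt line {lineno}: bad entry: {raw!r}")
        roots[m.group(1).upper()] = m.group(2)
    return roots


def is_qualified(root_fingerprint, qualified_roots, trusted_roots):
    """A chain yields a qualified signature only if its root is listed AND
    trusted; per the page, a qualified.txt entry alone confers no trust."""
    fpr = root_fingerprint.replace(":", "").upper()
    return fpr in qualified_roots and fpr in trusted_roots


# Constructed sample files (not the files GnuPG ships).
POLICIES_TXT = "# Allowed policies\n2.289.9.9\n"
QUALIFIED_TXT = """# constructed sample
  123434343434343C3434343434343734349A3434 de
D75F22C3F86E355877348498CDC92BD21010A480 fr trailing fields are ignored
"""
```

       parse_qualified rejects rather than skips a malformed line (wrong
       fingerprint length, uppercase country code), mirroring the page's
       statement that the entry format is fixed and checked; a silently
       dropped root would turn a qualified signature into an ordinary one
       without any visible error.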

       help.txt
              This is a plain text file with a few help entries used with
              pinentry as well as a large list of help items for gpg and
              gpgsm. The standard file has English help texts; to install
              localized versions use filenames like `help.LL.txt' with LL
              denoting the locale. GnuPG comes with a set of predefined
              help files in the data directory (e.g.
              `/usr/share/gnupg/help.de.txt') and allows overriding of
              any help item by help files stored in the system
              configuration directory (e.g. `/etc/gnupg/help.de.txt').
              For a reference of the help file's syntax, please see the
              installed `help.txt' file.

       Note that on larger installations, it is useful to put predefined
       files into the directory `/etc/skel/.gnupg/' so that newly created
       users start up with a working configuration. For existing users a
       small helper script is provided to create these files (see:
       addgnupghome).

       For internal purposes gpgsm creates and maintains a few other
       files; they all live in the current home directory (see: option
       --homedir). Only gpgsm may modify these files.

       pubring.kbx
              This is a database file storing the certificates as well as
              meta information. For debugging purposes the tool kbxutil
              may be used to show the internal structure of this file.

       random_seed
              The content of this file is used to maintain the internal
              state of the random number generator across invocations.
              The same file is used by other programs of this software
              too.

       S.gpg-agent
              If this file exists and the environment variable
              `GPG_AGENT_INFO' is not set, gpgsm will first try to
              connect to this socket for accessing gpg-agent before
              starting a new gpg-agent instance. Under Windows this
              socket (which in reality is a plain file describing a
              regular TCP listening port) is the standard way of
              connecting to the gpg-agent.

SEE ALSO
       gpg2(1), gpg-agent(1)

       The full documentation for this tool is maintained as a Texinfo
       manual. If GnuPG and the info program are properly installed at
       your site, the command

              info gnupg

       should give you access to the complete manual including a menu
       structure and an index.

GnuPG 2.0.8                       2008-01-24                        GPGSM(1)