GnuPG - Key Management

GPG is the main program for the GnuPG system. This man page only lists
the commands and options available. For more verbose documentation get
the GNU Privacy Handbook (GPH) or one of the other documents at
http://www.gnupg.org/documentation/ .

Please remember that option parsing stops as soon as a non-option is
encountered; you can explicitly stop option parsing by using the special
option "--".

GPG recognizes these commands:

Key Generation

--gen-key
    Generate a new key pair. This command is normally only used
    interactively. There is an experimental feature which allows you to
    create keys in batch mode. See the file doc/DETAILS in the source
    distribution on how to use this.

Exporting & Importing Keys

--export names
    Either export all keys from all keyrings (default keyrings and those
    registered via option --keyring), or if at least one name is given,
    those of the given name. The new keyring is written to stdout or to
    the file given with option --output. Use together with --armor to
    mail those keys.

--export-all names
    Same as --export, but also exports keys which are not compatible with
    OpenPGP.

--export-secret-keys names
--export-secret-subkeys names
    Same as --export, but exports the secret keys instead. This is
    normally not very useful and a security risk. The second form of the
    command has the special property to render the secret part of the
    primary key useless; this is a GNU extension to OpenPGP and other
    implementations can not be expected to successfully import such a
    key. See the option --simple-sk-checksum if you want to import such
    an exported key with an older OpenPGP implementation.

--import files
--fast-import files
    Import/merge keys. This adds the given keys to the keyring. The fast
    version is currently just a synonym. There are a few other options
    which control how this command works. Most notable here is the
    --merge-only option which does not insert new keys but does only the
    merging of new signatures, user-IDs and subkeys.

Editing Keys

--edit-key name
    Present a menu which enables you to do all key related tasks:

    toggle
        Toggle between public and secret key listing.

    fpr
        List key with its fingerprint. (See also --fingerprint)

    check
        Check all selected user ids. (See also --check-sigs)

    sign
        Make a signature on the key of user name. If the key is not yet
        signed by the default user (or the users given with -u), the
        program displays the information of the key again, together with
        its fingerprint, and asks whether it should be signed. This
        question is repeated for all users specified with -u. (See also
        --sign-key)

    lsign
        Same as --sign but the signature is marked as non-exportable and
        will therefore never be used by others. This may be used to make
        keys valid only in the local environment. (See also --lsign-key)

    nrsign
        Same as --sign but the signature is marked as non-revocable and
        can therefore never be revoked. (See also --nrsign-key)

    nrlsign
        Combines the functionality of nrsign and lsign to make a
        signature that is both non-revocable and non-exportable.

    revsig
        Revoke a signature. GnuPG asks for every signature which has been
        done by one of the secret keys, whether a revocation certificate
        should be generated.

    trust
        Change the owner trust value. This updates the trust-db
        immediately and no save is required.

    adduid
        Create an alternate user id.

    deluid
        Delete a user id.

    primary
        Flag the current user id as the primary one, removes the primary
        user id flag from all other user ids and sets the timestamp of
        all affected self-signatures one second ahead. Note that setting
        a photo user ID as primary makes it primary over other photo user
        IDs, and setting a regular user ID as primary makes it primary
        over other regular user IDs.

    uid n
        Toggle selection of user id with index n. Use 0 to deselect all.

    addkey
        Add a subkey to this key.

    delkey
        Remove a subkey.

    revkey
        Revoke a subkey.

    key n
        Toggle selection of subkey with index n. Use 0 to deselect all.

    expire
        Change the key expiration time. If a key is selected, the time of
        this key will be changed. With no selection the key expiration of
        the primary key is changed.

    addrevoker
        Add a designated revoker. This takes one optional argument:
        "sensitive". If a designated revoker is marked as sensitive, it
        will not be exported by default (see export-options). (See also
        --desig-revoke) [Note: new in 1.0.7a]

    passwd
        Change the passphrase of the secret key.

    disable / enable
        Disable or enable an entire key. A disabled key can normally not
        be used for encryption.

    pref
        List preferences from the selected user ID. This shows the actual
        preferences, without including any implied preferences.

    showpref
        More verbose preferences listing for the selected user ID. This
        shows the preferences in effect by including the implied
        preferences of 3DES (cipher), SHA-1 (digest), and Uncompressed
        (compression) if they are not already included in the preference
        list.

    setpref string
        Set the list of user ID preferences to string. This should be a
        string similar to the one printed by pref. Using an empty string
        will set the default preference string, using "none" will set the
        preferences to nil. Use gpg -v --version to get a list of
        available algorithms. (See also --default-preference-list for a
        table of acceptable preferences.) This command just initializes
        an internal list and does not change anything unless another
        command (such as updpref) which changes the self-signatures is
        used. (The MDC feature flag is also supported and can be set --
        see GnuPG 1.0.7 released.)

    updpref
        Change the preferences of all user IDs (or just of the selected
        ones) to the current list of preferences. The timestamp of all
        affected self-signatures will be advanced by one second. Note
        that while you can change the preferences on an attribute user ID
        (aka "photo ID"), GnuPG does not select keys via attribute user
        IDs so these preferences will not be used by GnuPG.

    addphoto
        Create a photographic user id.

    showphoto
        Display the selected photographic user id.

    save
        Save all changes to the key rings and quit.

    quit
        Quit the program without updating the key rings.

    The listing shows you the key with its secondary keys and all user
    ids. Selected keys or user ids are indicated by an asterisk. The
    trust value is displayed with the primary key: the first is the
    assigned owner trust and the second is the calculated trust value.
    Letters are used for the values:

        -   No ownertrust assigned / not yet calculated.
        e   Trust calculation has failed; probably due to an expired key.
        q   Not enough information for calculation.
        n   Never trust this key.
        m   Marginally trusted.
        f   Fully trusted.
        u   Ultimately trusted.

Signing Keys

--sign-key name
    Signs a public key with your secret key. This is a shortcut version
    of the subcommand sign from --edit-key.

--lsign-key name
    Signs a public key with your secret key but marks it as
    non-exportable. This is a shortcut version of the subcommand lsign
    from --edit-key.

--nrsign-key name
    Signs a public key with your secret key but marks it as
    non-revocable. This is a shortcut version of the subcommand nrsign
    from --edit-key.

Keyservers

--send-keys names
    Same as --export but sends the keys to a keyserver. Option
    --keyserver must be used to give the name of this keyserver. Don't
    send your complete keyring to a keyserver. Select only those keys
    which are new or changed by you.

--recv-keys key_IDs
    Import the keys with the given key_IDs from a keyserver. Option
    --keyserver must be used to give the name of this keyserver.

--search-keys names
    Search the keyserver for the given names. Multiple names given here
    will be joined together to create the search string for the
    keyserver. Option --keyserver must be used to give the name of this
    keyserver.

Starting with GnuPG 1.1.92 (incl. GnuPG 1.2.1, 1.2.0 and 1.1.92), long
options can be put in an options file (default "~/.gnupg/gpg.conf"). In
GnuPG versions up through GnuPG 1.1.91 (incl. 1.0.6, 1.0.7, and 1.1.91),
long options can be put in an "old style" configuration file (default
"~/.gnupg/options"). Short option names will not work -- for example,
armor is a valid option for the options file, while a is not. Do not
write the 2 dashes, but simply the name of the option and any required
arguments. Lines with a hash as the first non-white-space character are
ignored. Commands may be put in this file too, but that does not make
sense.
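The options-file rules above, applied by a small checker (an added example, not part of this page or of GnuPG): it parses a constructed gpg.conf the way the text describes, rejects dashed and single-letter names and stray commands, and warns on the settings this page calls not recommended or a security risk; the set of risky options is an assumption compiled from the option descriptions below.

```python
"""Check a GnuPG options file against the rules stated above.

Added example; it is not part of the original page or of GnuPG. The
configuration below is constructed, and the table of risky settings is an
assumption compiled from the option descriptions on this page.
"""
import re
from typing import Iterator, List, Tuple

# Commands listed on this page; the page says putting them in the options
# file makes no sense.
COMMANDS = {
    "gen-key", "export", "export-all", "export-secret-keys",
    "export-secret-subkeys", "import", "fast-import", "edit-key",
    "sign-key", "lsign-key", "nrsign-key", "send-keys", "recv-keys",
    "search-keys",
}

# option -> (argument value that triggers the warning, or None for any use;
# reason taken from the option's description on this page)
RISKY = {
    "s2k-mode": ("0", "plain passphrase mangling (page: not recommended)"),
    "simple-sk-checksum": (None, "switches off the SHA-1 secret-key integrity check"),
    "allow-non-selfsigned-uid": (None, "non-self-signed user IDs are trivial to forge"),
    "preserve-permissions": (None, "secret keyring not forced back to user read/write"),
    "ignore-crc-error": (None, "armor CRC errors are ignored"),
    "expert": (None, "suppresses warnings about incompatible actions"),
}

Finding = Tuple[int, str, str]  # (line number, severity, message)


def parse_gpg_conf(text: str) -> Iterator[Tuple[int, str, str]]:
    """Yield (lineno, name, argument) for each effective line.

    Rules from the page: a line whose first non-white-space character is
    '#' is ignored, the option is written without dashes, and the first
    word is the option name; anything after it is the argument.
    """
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        yield lineno, parts[0], parts[1] if len(parts) > 1 else ""


def lint_gpg_conf(text: str) -> List[Finding]:
    """Return findings for lines gpg would reject or that weaken security."""
    findings: List[Finding] = []
    for lineno, name, arg in parse_gpg_conf(text):
        if name.startswith("-"):
            findings.append((lineno, "error", f"{name}: do not write the dashes"))
        elif len(name) == 1:
            findings.append((lineno, "error", f"{name}: short option names do not work here"))
        elif name in COMMANDS:
            findings.append((lineno, "warning", f"{name} is a command, which makes no sense here"))
        elif name in RISKY:
            only_value, reason = RISKY[name]
            if only_value is None or arg == only_value:
                findings.append((lineno, "warning", f"{name} {arg}".rstrip() + ": " + reason))
    return findings


SAMPLE_CONF = """\
# constructed sample ~/.gnupg/gpg.conf (not a real configuration)
armor
--keyserver hkp://keyserver.example
a
s2k-mode 0
   # an indented comment is still a comment
keyserver-options auto-key-retrieve,no-include-revoked
simple-sk-checksum
gen-key
s2k-mode 3
"""

if __name__ == "__main__":
    for lineno, severity, message in lint_gpg_conf(SAMPLE_CONF):
        print(f"line {lineno}: {severity}: {message}")
```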
GPG recognizes these options:

General

-a, --armor
    Create ASCII armored output.

-o, --output file
    Write output to file.

-u, --local-user name
    Use name as the user ID to sign. This option is silently ignored for
    the list commands, so that it can be used in an options file.

Keys & Keyrings

--show-keyring
    Causes --list-keys, --list-public-keys, and --list-secret-keys to
    display the name of the keyring a given key resides on. This is only
    useful when you're listing a specific key or set of keys. It has no
    effect when listing all keys.

--keyring file
    Add file to the list of keyrings. If file begins with a tilde and a
    slash, these are replaced by the HOME directory. If the filename does
    not contain a slash, it is assumed to be in the home-directory
    ("~/.gnupg" if --homedir is not used). The filename may be prefixed
    with a scheme: "gnupg-ring:" is the default one. It might make sense
    to use it together with --no-default-keyring.

--secret-keyring file
    Same as --keyring but for the secret keyrings.

--no-default-keyring
    Do not add the default keyrings to the list of keyrings.

--merge-only
    Don't insert new keys into the keyrings while doing an import.

--allow-secret-key-import
    This is an obsolete option and is not used anywhere.

--import-options parameters
    This is a space or comma delimited string that gives options for
    importing keys. Options can be prepended with a "no-" to give the
    opposite meaning. The options are:

    allow-local-sigs
        Allow importing key signatures marked as "local". This is not
        generally useful unless a shared keyring scheme is being used.
        Defaults to no.

    repair-hkp-subkey-bug
        During import, attempt to repair the HKP keyserver mangling
        multiple subkeys bug. Note that this cannot completely repair the
        damaged key as some crucial data is removed by the keyserver, but
        it does at least give you back one subkey. Defaults to no for
        regular --import and to yes for keyserver --recv-keys.

--export-options parameters
    This is a space or comma delimited string that gives options for
    exporting keys. Options can be prepended with a "no-" to give the
    opposite meaning. The options are:

    include-non-rfc
        Include non-RFC compliant keys in the export. Defaults to yes.

    include-local-sigs
        Allow exporting key signatures marked as "local." This is not
        generally useful unless a shared keyring scheme is being used.
        Defaults to no.

    include-attributes
        Include attribute user IDs (photo IDs) while exporting. This is
        useful to export keys if they are going to be used by an OpenPGP
        program that does not accept attribute user IDs. Defaults to yes.

    include-sensitive-revkeys
        Include designated revoker information that was marked as
        "sensitive." Defaults to no.

--preserve-permissions
    Don't change the permissions of a secret keyring back to user
    read/write only. Use this option only if you really know what you
    are doing.

--with-colons
    Print key listings delimited by colons. Note that the output will be
    encoded in UTF-8 regardless of any --charset setting.

--with-key-data
    Print key listings delimited by colons (like --with-colons) and print
    the public key data.

--with-fingerprint
    Same as the command --fingerprint but changes only the format of the
    output and may be used together with another command.

--fast-list-mode
    Changes the output of the list commands to work faster; this is
    achieved by leaving some parts empty. Some applications don't need
    the user ID and the trust information given in the listings. By using
    this option, they can get a faster listing. The exact behaviour of
    this option may change in future versions.

--fixed-list-mode
    Do not merge user ID and primary key in --with-colons listing mode
    and print all timestamps as seconds since 1970-01-01.
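A reader for the --with-colons / --fixed-list-mode listing, added here as an example (not code from this page or from GnuPG) that also applies the trust letters from the --edit-key section: it assumes the field order documented in doc/DETAILS (type, validity, key length, algorithm, key ID, creation, expiration, unused, owner trust, user ID, unused, capabilities), and the listing it parses is constructed.

```python
"""Parse the colon-delimited listing of
    gpg --with-colons --fixed-list-mode --list-keys
and read the trust letters with the meanings given in the --edit-key
section above.

Added example; not part of this page or of GnuPG. Assumptions: the field
order is the one documented in doc/DETAILS (type, validity, key length,
algorithm, key ID, creation, expiration, unused, owner trust, user ID,
unused, capabilities); the listing below is constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional, Tuple

TRUST_LETTERS = {
    "-": "no ownertrust assigned / not yet calculated",
    "e": "trust calculation failed (probably an expired key)",
    "q": "not enough information for calculation",
    "n": "never trust this key",
    "m": "marginally trusted",
    "f": "fully trusted",
    "u": "ultimately trusted",
}


@dataclass
class Key:
    keyid: str
    validity: str            # calculated trust (field 2)
    ownertrust: str          # assigned owner trust (field 9)
    bits: int
    algo: int
    created: Optional[datetime]
    expires: Optional[datetime]
    caps: str                # e.g. "scESC": usage flags of the key
    uids: List[str] = field(default_factory=list)
    subkeys: List["Key"] = field(default_factory=list)


def _ts(value: str) -> Optional[datetime]:
    # --fixed-list-mode prints timestamps as seconds since 1970-01-01.
    return datetime.fromtimestamp(int(value), tz=timezone.utc) if value else None


def parse_colons(listing: str) -> List[Key]:
    keys: List[Key] = []
    for line in listing.splitlines():
        if not line.strip():
            continue
        f = line.split(":")
        f += [""] * (12 - len(f))                  # tolerate short records
        if f[0] in ("pub", "sub"):
            key = Key(keyid=f[4], validity=f[1], ownertrust=f[8],
                      bits=int(f[2] or 0), algo=int(f[3] or 0),
                      created=_ts(f[5]), expires=_ts(f[6]), caps=f[11])
            if f[0] == "pub":
                keys.append(key)
            elif keys:
                keys[-1].subkeys.append(key)
        elif f[0] == "uid" and keys:
            # In --fixed-list-mode the user ID is never merged into the
            # pub record, so each one arrives on its own line.
            keys[-1].uids.append(f[9])
    return keys


def describe_trust(letter: str) -> str:
    return TRUST_LETTERS.get(letter, f"unknown trust letter {letter!r}")


def weak_validity(keys: List[Key]) -> List[Tuple[str, str]]:
    """Keys whose calculated validity is below 'marginal': the ones to
    review (or refresh from a keyserver) before relying on them."""
    return [(k.keyid, describe_trust(k.validity))
            for k in keys if k.validity not in ("m", "f", "u")]


# Constructed listing: two keys, one of them expired.
SAMPLE_LISTING = """\
pub:u:1024:17:1234567890ABCDEF:1042156800:1073692800::u:::scESC:
uid:u::::1042156800::::Alice Example (constructed) <alice@example.invalid>:
sub:u:2048:16:FEDCBA0987654321:1042156800:1073692800:::::e:
pub:e:1024:17:0011223344556677:1000000000:1031536000::-:::sc:
uid:e::::1000000000::::Bob Example (constructed) <bob@example.invalid>:
"""

if __name__ == "__main__":
    for k in parse_colons(SAMPLE_LISTING):
        print(k.keyid, describe_trust(k.validity), k.uids, len(k.subkeys))
```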

--list-only
    Changes the behaviour of some commands. This is like --dry-run but
    different in some cases. The semantic of this command may be
    extended in the future. Currently it only skips the actual
    decryption pass and therefore enables a fast listing of the
    encryption keys.

--sk-comments
    Include secret key comment packets when exporting secret keys. This
    is a GnuPG extension to the OpenPGP standard, and is off by default.
    Please note that this has nothing to do with the comments in clear
    text signatures or armor headers.

--no-sk-comments
    Resets the --sk-comments option.

--no-comment
    See --sk-comments. This option is deprecated and may be removed
    soon.

Algorithms / Hashes

--cipher-algo name
    Use name as cipher algorithm. Running the program with the command
    --version yields a list of supported algorithms. If this is not used
    the cipher algorithm is selected from the preferences stored with the
    key. (Default cipher-algo is CAST5 -- see GnuPG 1.0.7 released.)

--disable-cipher-algo name
    Never allow the use of name as cipher algorithm. The given name will
    not be checked so that a later loaded algorithm will still get
    disabled.

--disable-pubkey-algo name
    Never allow the use of name as public key algorithm. The given name
    will not be checked so that a later loaded algorithm will still get
    disabled.

--digest-algo name
    Use name as message digest algorithm. Running the program with the
    command --version yields a list of supported algorithms. (Default
    digest-algo is SHA1 -- see GnuPG 1.0.7 released.)

--cert-digest-algo name
    Use name as the message digest algorithm used when signing a key.
    Running the program with the command --version yields a list of
    supported algorithms. Be aware that if you choose an algorithm that
    GnuPG supports but other OpenPGP implementations do not, then some
    users will not be able to use the key signatures you make, or quite
    possibly your entire key. (Default is MD5 for PGP2 keys and SHA1 for
    all other keys -- see GnuPG 1.1.90 released.)

--compress-algo n
    Use compression algorithm n. Default is 2 which is RFC 1950 (ZLIB)
    compression. You may use 1 to use the old zlib version (RFC 1951,
    DEFLATE, ZIP) which is used by PGP. 0 disables compression. The
    default algorithm may give better results because the window size is
    not limited to 8K. If this is not used the OpenPGP behavior is used,
    i.e. the compression algorithm is selected from the preferences; note
    that this can't be done if you do not encrypt the data.

--personal-cipher-preferences string
    Set the list of personal cipher preferences to string. This list
    should be a string similar to the one printed by the command pref in
    the edit-key menu. This allows the user to factor in their own
    preferred algorithms when algorithms are chosen via recipient key
    preferences.

--personal-digest-preferences string
    Set the list of personal digest preferences to string. This list
    should be a string similar to the one printed by the command pref in
    the edit-key menu. This allows the user to factor in their own
    preferred algorithms when algorithms are chosen via recipient key
    preferences.

--personal-compress-preferences string
    Set the list of personal compression preferences to string. This
    list should be a string similar to the one printed by the command
    pref in the edit-key menu. This allows the user to factor in their
    own preferred algorithms when algorithms are chosen via recipient key
    preferences.

--default-preference-list string
    Set the list of default preferences to string. This list should be a
    string similar to the one printed by the command pref in the edit-key
    menu. This affects both key generation and updpref in the edit-key
    menu. (See also edit-key | setpref)

    Symmetric Encryption Algorithms

        Pref Code (n)   Algorithm (name)
        s1 *            IDEA
        s2              3DES
        s3              CAST5
        s4              Blowfish
        s7              AES (128)
        s8              AES192
        s9              AES256
        s10             Twofish

        * only with IDEA module

    Digest (Hash) Algorithms

        Pref Code (n)   Algorithm (name)
        h1              MD5
        h2              SHA1
        h3              RIPEMD160
        h6 +            TIGER192
        h8 *            SHA256
        h9 *            SHA384
        h10 *           SHA512

        * only with SHA-2 module & SHA-2 patch
        + only with TIGER module

    Compression Algorithms

        Pref Code (n)   Algorithm (name)
        z0              uncompressed
        z1              ZIP (RFC 1951)
        z2              ZLIB (RFC 1950)

    The default preferences for GPG keys are:

        Algorithm Type      Preferences (in order)
        Symmetric cipher    AES (128), CAST5, 3DES, IDEA
        Hash                SHA1, RIPEMD160
        Compression         ZLIB, ZIP

    For more information on these algorithms, see Werner Koch's
    commented, HTML version of RFC2440: RFC2440 & GnuPG.
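The preference tables above and the setpref/showpref rules from the --edit-key section, worked through in code (an added example, not this page's or GnuPG's own code): it parses a preference string in code or name form, validates it against the tables, and derives the showpref view by appending the implied 3DES, SHA-1 and Uncompressed entries; accepting codes in either case and "AES128" for "AES (128)" are this example's assumptions, and the sample strings are constructed.

```python
"""Parse a preference string as accepted by setpref and printed by pref,
validate it against the tables above, and compute the showpref view
(implied 3DES, SHA-1 and Uncompressed appended when absent).

Added example, not GnuPG's own code. Assumptions: codes are accepted in
either case ("s7" or "S7"), algorithm names are those of the tables with
"AES128" accepted for "AES (128)", and the strings below are constructed.
"""
from typing import Dict, List, Tuple

CIPHERS = {1: "IDEA", 2: "3DES", 3: "CAST5", 4: "Blowfish", 7: "AES",
           8: "AES192", 9: "AES256", 10: "Twofish"}
HASHES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 6: "TIGER192",
          8: "SHA256", 9: "SHA384", 10: "SHA512"}
COMPRESS = {0: "Uncompressed", 1: "ZIP", 2: "ZLIB"}
TABLES = {"S": CIPHERS, "H": HASHES, "Z": COMPRESS}
CLASS_NAMES = {"S": "Cipher", "H": "Digest", "Z": "Compression"}
IMPLIED = {"S": 2, "H": 2, "Z": 0}          # 3DES, SHA-1, Uncompressed

# Default preference list for new keys, from the table above.
DEFAULT_PREFS = "S7 S3 S2 S1 H2 H3 Z2 Z1"

NAMES: Dict[str, Tuple[str, int]] = {
    name.lower(): (kind, n)
    for kind, table in TABLES.items() for n, name in table.items()
}
NAMES["aes128"] = ("S", 7)

Pref = Tuple[str, int]


def parse_prefs(string: str) -> List[Pref]:
    """'S7 S3 H2 Z2' or 'AES CAST5 SHA1 ZLIB' -> [('S', 7), ('S', 3), ...].

    As for setpref, an empty string selects the default list and "none"
    selects no preferences. Unknown tokens and duplicates are rejected.
    """
    text = string.strip()
    if text == "":
        text = DEFAULT_PREFS
    elif text.lower() == "none":
        return []
    prefs: List[Pref] = []
    for tok in text.replace(",", " ").split():
        t = tok.lower()
        if t[0] in "shz" and t[1:].isdigit():
            kind, n = t[0].upper(), int(t[1:])
            if n not in TABLES[kind]:
                raise ValueError(f"unknown preference code {tok!r}")
        elif t in NAMES:
            kind, n = NAMES[t]
        else:
            raise ValueError(f"unknown algorithm {tok!r}")
        if (kind, n) in prefs:
            raise ValueError(f"duplicate preference {tok!r}")
        prefs.append((kind, n))
    return prefs


def show_prefs(prefs: List[Pref]) -> Dict[str, List[str]]:
    """The showpref view: per class, the listed algorithms in order, with
    the implied one appended if it was not already present."""
    view: Dict[str, List[str]] = {}
    for kind in "SHZ":
        codes = [n for k, n in prefs if k == kind]
        if IMPLIED[kind] not in codes:
            codes.append(IMPLIED[kind])
        view[CLASS_NAMES[kind]] = [TABLES[kind][n] for n in codes]
    return view


def format_prefs(prefs: List[Pref]) -> str:
    """Render back to the code form that pref prints and setpref accepts."""
    return " ".join(f"{kind}{n}" for kind, n in prefs)


if __name__ == "__main__":
    p = parse_prefs("AES256 AES CAST5 SHA256 SHA1 ZLIB")
    print(format_prefs(p))
    print(show_prefs(p))
```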

--s2k-cipher-algo name
    Use name as the cipher algorithm used to protect secret keys. The
    default cipher is CAST5. This cipher is also used for conventional
    encryption if --cipher-algo is not given.

--s2k-digest-algo name
    Use name as the digest algorithm used to mangle the passphrases. The
    default algorithm is RIPE-MD-160. This digest algorithm is also used
    for conventional encryption if --digest-algo is not given.

--s2k-mode n
    Selects how passphrases are mangled. If n is 0 a plain passphrase
    (which is not recommended) will be used, a 1 (default) adds a salt to
    the passphrase and a 3 iterates the whole process a couple of times.
    Unless --rfc1991 is used, this mode is also used for conventional
    encryption.

--simple-sk-checksum
    Secret keys are integrity protected by using a SHA-1 checksum. This
    method will be part of an enhanced OpenPGP specification but GnuPG
    already uses it as a countermeasure against certain attacks. Old
    applications don't understand this new format, so this option may be
    used to switch back to the old behaviour. Using this option bears a
    security risk. Note that using this option only takes effect when the
    secret key is encrypted -- the simplest way to make this happen is to
    change the passphrase on the key (even changing it to the same value
    is acceptable). (See --edit-key | passwd)

Compatibility

--rfc1991
    Try to be more RFC1991 (PGP 2.x) compliant.

--pgp2
    Set up all options to be as PGP 2.x compliant as possible, and warn
    if an action is taken (e.g. encrypting to a non-RSA key) that will
    create a message that PGP 2.x will not be able to handle. Note that
    `PGP 2.x' here means `MIT PGP 2.6.2'. There are other versions of
    PGP 2.x available, but the MIT release is a good common baseline.
    This option implies "--rfc1991 --no-openpgp --disable-mdc
    --no-force-v4-certs --no-comment --escape-from-lines --force-v3-sigs
    --no-ask-sig-expire --no-ask-cert-expire --cipher-algo IDEA
    --digest-algo MD5 --compress-algo 1." [Note: new in 1.0.7]

--no-pgp2
    Resets the --pgp2 option.

--pgp6
    Set up all options to be as PGP 6 compliant as possible. This
    restricts you to the ciphers IDEA (if the IDEA plugin is installed),
    3DES, and CAST5, the hashes MD5, SHA1 and RIPEMD160, and the
    compression algorithms none and ZIP. This also disables making
    signatures with signing subkeys as PGP 6 does not understand
    signatures made by signing subkeys. This option implies
    "--disable-mdc --no-comment --escape-from-lines --force-v3-sigs
    --no-ask-sig-expire --compress-algo 1." [Note: new in 1.0.7]

--no-pgp6
    Resets the --pgp6 option.

--pgp7
    Set up all options to be as PGP 7 compliant as possible. This is
    identical to --pgp6 except that MDCs are not disabled, and the list
    of allowable ciphers is expanded to add AES128, AES192, AES256, and
    TWOFISH. [Note: new in 1.0.7a]

--no-pgp7
    Resets the --pgp7 option.

--openpgp
    Reset all packet, cipher and digest options to OpenPGP behavior. Use
    this option to reset all previous options like --rfc1991,
    --force-v3-sigs, --s2k-*, --cipher-algo, --digest-algo and
    --compress-algo to OpenPGP compliant values. All PGP workarounds are
    also disabled.

--force-v3-sigs
    OpenPGP states that an implementation should generate v4 signatures
    but PGP versions 5 and higher only recognize v4 signatures on key
    material. This option forces v3 signatures for signatures on data.
    Note that this option overrides --ask-sig-expire, as v3 signatures
    cannot have expiration dates.

--no-force-v3-sigs
    Reset the --force-v3-sigs option.

--force-v4-certs
    Always use v4 key signatures even on v3 keys. This option also
    changes the default hash algorithm for v3 RSA keys from MD5 to
    SHA-1.

--no-force-v4-certs
    Reset the --force-v4-certs option.

--force-mdc
    Force the use of encryption with appended manipulation code. This is
    always used with the newer ciphers (those with a blocksize greater
    than 64 bit).

--no-mdc-warning
    Suppress the warning about missing MDC integrity protection.

--allow-non-selfsigned-uid
    Allow the import and use of keys with user IDs which are not
    self-signed. This is not recommended, as a non-self-signed user ID
    is trivial to forge.

--no-allow-non-selfsigned-uid
    Reset the --allow-non-selfsigned-uid option.

--allow-freeform-uid
    Disable all checks on the form of the user ID while generating a new
    one. This option should only be used in very special environments as
    it does not ensure the de-facto standard format of user IDs.

--ignore-time-conflict
    GnuPG normally checks that the timestamps associated with keys and
    signatures have plausible values. However, sometimes a signature
    seems to be older than the key due to clock problems. This option
    makes these checks just a warning.

--ignore-valid-from
    GnuPG normally does not select and use subkeys created in the future.
    This option allows the use of such keys and thus exhibits the
    pre-1.0.7 behaviour. You should not use this option unless there is
    some clock problem.

--ignore-crc-error
    The ASCII armor used by OpenPGP is protected by a CRC checksum
    against transmission errors. Sometimes it happens that the CRC gets
    mangled somewhere on the transmission channel but the actual content
    (which is anyway protected by the OpenPGP protocol) is still okay.
    This option will let gpg ignore CRC errors.

--expert
    Allow the user to do certain nonsensical or "silly" things like
    signing an expired or revoked key, or certain potentially
    incompatible things like generating deprecated key types. This also
    disables certain warning messages about potentially incompatible
    actions. (In expert mode, the user can re-sign a v3 key with a v4
    self-signature. This does not change the v3 key into a v4 key, but it
    does allow the user to use preferences, primary ID flags, etc. -- see
    GnuPG 1.1.90 released.) As the name implies, this option is for
    experts only. If you don't fully understand the implications of what
    it allows you to do, leave this off. [Note: new in 1.0.7]

--no-expert
    Resets the --expert option.

Key Signatures / Certification

--completes-needed n
    Number of completely trusted users to introduce a new key signer
    (defaults to 1).

--marginals-needed n
    Number of marginally trusted users to introduce a new key signer
    (defaults to 3).

--max-cert-depth n
    Maximum depth of a certification chain (default is 5).

--no-sig-cache
    Do not cache the verification status of key signatures. Caching gives
    a much better performance in key listings. However, if you suspect
    that your public keyring is not safe against write modifications, you
    can use this option to disable the caching. It probably does not make
    sense to disable it because all kind of damage can be done if someone
    else has write access to your public keyring.

--no-sig-create-check
    GnuPG normally verifies each signature right after creation to
    protect against bugs and hardware malfunctions which could leak out
    bits from the secret key. This extra verification needs some time
    (about 115% for DSA keys), and so this option can be used to disable
    it. However, due to the fact that the signature creation needs manual
    interaction, this performance penalty does not matter in most
    settings.

--ask-cert-expire
    When making a key signature, prompt for an expiration time. If this
    option is not specified, the expiration time is "never."

--no-ask-cert-expire
    Resets the --ask-cert-expire option.

Keyservers

--keyserver name
    Use name as your keyserver. This is the server that --recv-keys,
    --send-keys, and --search-keys will communicate with to receive keys
    from, send keys to, and search for keys on. The format of the name is
    a URL: "scheme:[//]keyservername[:port]". The scheme is the type of
    keyserver: "hkp" for the Horowitz (or compatible) keyservers, "ldap"
    for the NAI LDAP keyserver, or "mailto" for the Horowitz email
    keyserver. Note that your particular installation of GnuPG may have
    other keyserver types available as well. Most keyservers synchronize
    with each other, so there is generally no need to send keys to more
    than one server. Using the command "host -l pgp.net | grep wwwkeys"
    gives you a list of HKP keyservers. When using one of the wwwkeys
    servers, due to load balancing using round-robin DNS you may notice
    that you get a different key server each time.

--keyserver-options parameters
    This is a space or comma delimited string that gives options for the
    keyserver. Options can be prepended with a "no-" to give the opposite
    meaning. Valid import-options or export-options may be used here as
    well to apply to importing (--recv-keys) or exporting (--send-keys) a
    key from or to a keyserver. While not all options are available for
    all keyserver types, some common options are:

    include-revoked
        When receiving or searching for a key, include keys that are
        marked on the keyserver as revoked. Note that this option is
        always set when using the NAI HKP keyserver, as this keyserver
        does not differentiate between revoked and unrevoked keys.

    include-disabled
        When receiving or searching for a key, include keys that are
        marked on the keyserver as disabled. Note that this option is not
        used with HKP keyservers, as they do not support disabling keys.

    use-temp-files
        On most Unix-like platforms, GnuPG communicates with the
        keyserver helper program via pipes, which is the most efficient
        method. This option forces GnuPG to use temporary files to
        communicate. On some platforms (such as Win32 and RISC OS), this
        option is always enabled.

    keep-temp-files
        If using use-temp-files, do not delete the temp files after using
        them. This option is useful to learn the keyserver communication
        protocol by reading the temporary files.

    verbose
        Tell the keyserver helper program to be more verbose. This option
        can be repeated multiple times to increase the verbosity level.

    honor-http-proxy
        For keyserver schemes that use HTTP (such as HKP), try to access
        the keyserver over the proxy set with the environment variable
        "http_proxy".

    auto-key-retrieve
        This option enables the automatic retrieving of keys from a
        keyserver when verifying signatures made by keys that are not on
        the local keyring.
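The parameter-string rules shared by --import-options, --export-options and --keyserver-options (space or comma delimited, "no-" negates, import/export options carried through --keyserver-options to --recv-keys and --send-keys), resolved against the defaults this page states; an added example, not GnuPG's own code. Treating keyserver options the page gives no default for as off is this example's assumption.

```python
"""Resolve the effective settings from --import-options, --export-options
and --keyserver-options strings using the rules above: tokens are space or
comma delimited, a "no-" prefix means the opposite, verbose may be
repeated, and the defaults are the ones this page states.

Added example, not GnuPG's own code. Assumption: keyserver options the
page gives no default for are treated as off; include-revoked is forced on
for the NAI HKP keyserver, as the page says.
"""
from typing import Dict, Union

Flags = Dict[str, Union[bool, int]]

IMPORT_DEFAULTS: Flags = {"allow-local-sigs": False,
                          "repair-hkp-subkey-bug": False}
EXPORT_DEFAULTS: Flags = {"include-non-rfc": True, "include-local-sigs": False,
                          "include-attributes": True,
                          "include-sensitive-revkeys": False}
KEYSERVER_DEFAULTS: Flags = {"include-revoked": False, "include-disabled": False,
                             "use-temp-files": False, "keep-temp-files": False,
                             "verbose": 0, "honor-http-proxy": False,
                             "auto-key-retrieve": False}


def apply_options(defaults: Flags, params: str) -> Flags:
    """Apply a parameter string to a set of defaults; unknown names raise."""
    flags: Flags = dict(defaults)
    for tok in params.replace(",", " ").split():
        name, value = tok.lower(), True
        if name.startswith("no-"):
            name, value = name[3:], False
        if name not in flags:
            raise ValueError(f"unknown option {tok!r}")
        if name == "verbose":      # repeatable: each use raises the level
            flags[name] = flags[name] + 1 if value else 0
        else:
            flags[name] = value
    return flags


def keyserver_flags(params: str, command: str, nai_hkp: bool = False) -> Flags:
    """Effective options for --recv-keys, --send-keys or --search-keys.

    Import options apply when receiving (with repair-hkp-subkey-bug
    defaulting to yes there), export options apply when sending.
    """
    defaults: Flags = dict(KEYSERVER_DEFAULTS)
    if command == "recv-keys":
        defaults.update(IMPORT_DEFAULTS)
        defaults["repair-hkp-subkey-bug"] = True
    elif command == "send-keys":
        defaults.update(EXPORT_DEFAULTS)
    elif command != "search-keys":
        raise ValueError(f"not a keyserver command: {command!r}")
    flags = apply_options(defaults, params)
    if nai_hkp:
        flags["include-revoked"] = True   # this keyserver cannot tell them apart
    return flags


if __name__ == "__main__":
    print(keyserver_flags("auto-key-retrieve, no-repair-hkp-subkey-bug", "recv-keys"))
```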

Photo IDs

--show-photos
    Causes --list-keys, --list-sigs, --list-public-keys,
    --list-secret-keys, and verifying a signature to also display the
    photo ID attached to a key, if any. See also --photo-viewer. [Note:
    new in 1.0.7]

--no-show-photos
    Resets the --show-photos flag.

--photo-viewer string
    This is the command line that should be run to view a photo ID. "%i"
    will be expanded to a filename containing the photo. "%I" does the
    same, except the file will not be deleted once the viewer exits.
    Other flags are "%k" for the key ID, "%K" for the long key ID, "%f"
    for the key fingerprint, "%t" for the extension of the image type
    (e.g. "jpg"), "%T" for the MIME type of the image (e.g.
    "image/jpeg"), and "%%" for an actual percent sign. If neither %i
    nor %I are present, then the photo will be supplied to the viewer on
    standard input. The default viewer is "xloadimage -fork -quiet -title
    'KeyID 0x%k' stdin".
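The %-expansion just described, implemented as an added example (not GnuPG's code) so the file-versus-stdin decision and the %% escape can be checked on the default viewer string; the key ID, fingerprint and file name are constructed placeholders, and rejecting an unknown flag is this example's choice.

```python
"""Expand a --photo-viewer command line as described above: %i and %I
become the file holding the photo (%I keeps the file afterwards), %k/%K
the short/long key ID, %f the fingerprint, %t/%T the image extension and
MIME type, %% a percent sign. Without %i or %I the photo goes to the
viewer on standard input.

Added example; not GnuPG's implementation. The key ID, fingerprint and
temporary file name below are constructed placeholders, and rejecting an
unknown %-flag is this example's choice.
"""
from typing import Dict, Tuple

DEFAULT_VIEWER = "xloadimage -fork -quiet -title 'KeyID 0x%k' stdin"

SIMPLE_FLAGS = {"k": "keyid", "K": "long_keyid", "f": "fingerprint",
                "t": "ext", "T": "mime"}


def expand_photo_viewer(template: str, ctx: Dict[str, str]) -> Tuple[str, bool, bool]:
    """Return (command line, photo_on_stdin, keep_file)."""
    out = []
    on_stdin, keep_file = True, False
    i = 0
    while i < len(template):
        ch = template[i]
        if ch != "%" or i + 1 == len(template):   # a trailing lone % is literal
            out.append(ch)
            i += 1
            continue
        flag = template[i + 1]
        i += 2
        if flag == "%":
            out.append("%")
        elif flag in ("i", "I"):
            out.append(ctx["file"])
            on_stdin = False                      # the viewer reads the file
            keep_file = keep_file or flag == "I"  # %I: file survives the viewer
        elif flag in SIMPLE_FLAGS:
            out.append(ctx[SIMPLE_FLAGS[flag]])
        else:
            raise ValueError(f"unknown photo-viewer flag %{flag}")
    return "".join(out), on_stdin, keep_file


# Constructed context for a photo ID on a constructed key.
SAMPLE_CTX = {
    "keyid": "89ABCDEF",
    "long_keyid": "0123456789ABCDEF",
    "fingerprint": "0123456789ABCDEF0123456789ABCDEF89ABCDEF",
    "ext": "jpg",
    "mime": "image/jpeg",
    "file": "/tmp/gpg-photo-constructed.jpg",
}

if __name__ == "__main__":
    print(expand_photo_viewer(DEFAULT_VIEWER, SAMPLE_CTX))
```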

© 2000, 2001, 2002 Eric L. Howes (eburger68@myrealbox.com)