GnuPG - Message Operations
GPG is the main program for the GnuPG system.

This man page only lists the commands and options available. For more verbose documentation get the GNU Privacy Handbook (GPH) or one of the other documents at http://www.gnupg.org/documentation/.

Please remember that option parsing stops as soon as a non-option is encountered; you can explicitly stop option parsing by using the special option "--".

GPG recognizes these commands:

Signing / Verifying

-s, --sign
    Make a signature. This command may be combined with --encrypt. (May also be combined with --symmetric -- see "GnuPG 1.0.7 released.")

--clearsign
    Make a clear text signature.

-b, --detach-sign
    Make a detached signature.

--verify sigfile signed_files
    Assume that sigfile is a signature and verify it without generating any output. With no arguments, the signature packet is read from stdin. If only a sigfile is given, it may be a complete signature or a detached signature, in which case the signed stuff is expected in a file without the ".sig" or ".asc" extension. With more than 1 argument, the first should be a detached signature and the remaining files are the signed stuff. To read the signed stuff from stdin, use - as the second filename. For security reasons a detached signature cannot read the signed material from stdin without denoting it in the above way.

--verify-files files
    This is a special version of the --verify command which does not work with detached signatures. The command expects the files to be verified either on the command line or reads the filenames from stdin; each name must be on a separate line. The command is intended for quick checking of many files.

Starting with GnuPG 1.1.92 (incl. GnuPG 1.2.1, 1.2.0 and 1.1.92), long options can be put in an options file (default "~/.gnupg/gpg.conf"). In GnuPG versions up through GnuPG 1.1.91 (incl. 1.0.6, 1.0.7, and 1.1.91), long options can be put in an "old style" configuration file (default "~/.gnupg/options").

Short option names will not work -- for example, armor is a valid option for the options file, while a is not. Do not write the 2 dashes, but simply the name of the option and any required arguments. Lines with a hash as the first non-white-space character are ignored. Commands may be put in this file too, but that does not make sense.

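The options-file rules above, turned into a small linter. This is an added example, not part of the original page or of GnuPG; the function name lint_options_file, the RISKY and COMMANDS tables and the sample file are assumptions made for illustration. RISKY holds two options that this page itself describes as dangerous or as skipping a check.

```python
# Added example: lint a GnuPG options file against the rules stated above.
# RISKY holds two options this page describes as dangerous or check-skipping.
RISKY = {
    "use-embedded-filename": "lets the message choose the output file name",
    "skip-verify": "signature verification is skipped",
}
# Commands listed on this page; allowed in the file but "do not make sense".
COMMANDS = {"sign", "clearsign", "detach-sign", "verify", "verify-files"}

# Constructed sample input, not taken from a real configuration.
SAMPLE = """\
# constructed sample options file
armor
a
--textmode
default-key 0xDEADBEEF
   # indented comment, still ignored
use-embedded-filename
sign
"""

def lint_options_file(text):
    """Return (options, findings); findings are (line_number, message) pairs."""
    options, findings = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank, or hash as first non-white-space character
        parts = line.split(None, 1)
        name, arg = parts[0], (parts[1] if len(parts) > 1 else "")
        if name.startswith("-"):
            findings.append((lineno, f"{name}: write the name without dashes"))
        elif len(name) == 1:
            findings.append((lineno, f"{name}: short option names do not work"))
        elif name in COMMANDS:
            findings.append((lineno, f"{name}: command placed in options file"))
        else:
            if name in RISKY:
                findings.append((lineno, f"{name}: {RISKY[name]}"))
            options.append((name, arg))
    return options, findings

if __name__ == "__main__":
    opts, issues = lint_options_file(SAMPLE)
    for lineno, message in issues:
        print(f"line {lineno}: {message}")
    print("accepted:", opts)
```
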
GPG recognizes these options:

General

-a, --armor
    Create ASCII armored output.

--no-armor
    Assume the input data is not in ASCII armored format.

-t, --textmode
    Use canonical text mode. If -t (but not --textmode) is used together with armoring and signing, this enables clearsigned messages. This kludge is needed for PGP compatibility; normally you would use --sign or --clearsign to select the type of the signature.

-o, --output file
    Write output to file.

-u, --local-user name
    Use name as the user ID to sign. This option is silently ignored for the list commands, so that it can be used in an options file.

-r, --recipient name
    Encrypt for user id name. If this option is not specified, GnuPG asks for the user-id unless --default-recipient is given.

--group name=value
    Sets up a name group, which is similar to aliases in email programs. Any time the group name is a recipient (-r or --recipient), it will be expanded to the values specified. The values are key IDs or fingerprints, but any key description is accepted. Note that a value with spaces in it will be treated as two different values. Note also there is only one level of expansion -- you cannot make a group that points to another group.

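The two caveats in the --group description (values split on spaces, and only one level of expansion) modelled in a few lines, so a recipient list can be reviewed before encrypting. This is an added example, not GnuPG's own code; the function names and the sample definitions are assumptions, the key IDs are placeholders, and merging repeated definitions of the same group name is an assumption the page does not state.

```python
def parse_group(spec):
    """Split a --group argument 'name=value ...' into (name, [values])."""
    name, sep, values = spec.partition("=")
    name = name.strip()
    if not sep or not name:
        raise ValueError(f"not a name=value group: {spec!r}")
    # Values are split on white space, so "Alice Example" becomes two values.
    return name, values.split()

def load_groups(specs):
    """Build a {group name: [values]} table from a list of --group arguments."""
    groups = {}
    for spec in specs:
        name, values = parse_group(spec)
        # Assumption: repeated definitions of one name are merged.
        groups.setdefault(name, []).extend(values)
    return groups

def expand_recipients(recipients, groups):
    """Expand group names once; expanded values are never expanded again."""
    expanded = []
    for recipient in recipients:
        for key in groups.get(recipient, [recipient]):
            if key not in expanded:
                expanded.append(key)
    return expanded

def nested_references(groups):
    """Report group values that name another group and so will not expand."""
    return {name: [v for v in values if v in groups]
            for name, values in groups.items()
            if any(v in groups for v in values)}

# Constructed sample definitions; the key IDs are placeholders.
GROUPS = load_groups([
    "team=0x11111111 0x22222222",
    "all=team 0x33333333",
    "alice=Alice Example",
])

if __name__ == "__main__":
    for name in ("team", "all", "alice"):
        print(name, "->", expand_recipients([name], GROUPS))
    print("nested:", nested_references(GROUPS))
```

In the sample, "all" expands to the literal value "team" rather than to the team's keys, and "alice" expands to two separate key descriptions, either of which could match a key other than the one intended.
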
--default-recipient name
    Use name as default recipient if option --recipient is not used and don't ask if this is a valid one. name must be non-empty.

--default-recipient-self
    Use the default key as default recipient if option --recipient is not used and don't ask if this is a valid one. The default key is the first one from the secret keyring or the one set with --default-key.

--no-default-recipient
    Reset --default-recipient and --default-recipient-self.

--default-key name
    Use name as default user ID for signatures. If this is not used the default user ID is the first user ID found in the secret keyring.

--encrypt-to name
    Same as --recipient but this one is intended for use in the options file and may be used with your own user-id as an "encrypt-to-self." These keys are only used when there are other recipients given either by use of --recipient or by the asked user id. No trust checking is performed for these user ids and even disabled keys can be used.

--no-encrypt-to
    Disable the use of all --encrypt-to keys.

Comments & Versions

--comment string
    Use string as comment string in clear text signatures. The default is not to write a comment string.

--default-comment
    Force the standard comment string to be written in clear text signatures. Use this to overwrite a --comment from a config file. This option is now obsolete because there is no default comment string anymore.

--no-version
    Omit the version string in clear text signatures.

--emit-version
    Force the version string to be written in clear text signatures. Use this to overwrite a previous --no-version from a config file.

Special

--for-your-eyes-only
    Set the "for your eyes only" flag in the message. This causes GnuPG to refuse to save the file unless the --output option is given, and PGP to use the "secure viewer" with a Tempest-resistant font to display the message. This option overrides --set-filename.

--no-for-your-eyes-only
    Resets the --for-your-eyes-only flag.

-z n, --compress n
    Set compression level to n. A value of 0 for n disables compression. Default is to use the default compression level of zlib (normally 6).

--skip-verify
    Skip the signature verification step. This may be used to make the decryption faster if the signature verification is not needed.

--ask-sig-expire
    When making a data signature, prompt for an expiration time. If this option is not specified, the expiration time is "never."

--no-ask-sig-expire
    Resets the --ask-sig-expire option.

--throw-keyid
    Do not put the keyid into encrypted packets. This option hides the receiver of the message and is a countermeasure against traffic analysis. It may slow down the decryption process because all available secret keys are tried.

--try-all-secrets
    Don't look at the key ID as stored in the message but try all secret keys in turn to find the right decryption key. This option forces the behaviour as used by anonymous recipients (created by using --throw-keyid) and might come in handy in cases where an encrypted message contains a bogus key ID.

-N, --notation-data name=value
    Put the name value pair into the signature as notation data. Name must consist only of alphanumeric characters, digits or the underscore; the first character must not be a digit. Value may be any printable string; it will be encoded in UTF8, so you should check that your --charset is set correctly. If you prefix name with an exclamation mark, the notation data will be flagged as critical (rfc2440:5.2.3.15).

--not-dash-escaped
    This option changes the behavior of cleartext signatures so that they can be used for patch files. You should not send such an armored file via email because all spaces and line endings are hashed too. You cannot use this option for data which has 5 dashes at the beginning of a line; patch files don't have this. A special armor header line tells GnuPG about this cleartext signature option.

--escape-from-lines
    Because some mailers change lines starting with "From " to "<From " it is good to handle such lines in a special way when creating cleartext signatures. All other PGP versions do it this way too. This option is not enabled by default because it would violate rfc2440.

--set-filename string
    Use string as the name of the file which is stored in messages.

--use-embedded-filename
    Try to create a file with a name as embedded in the data. This can be a dangerous option as it allows files to be overwritten.

--enable-special-filenames
    This option enables a mode in which filenames of the form "-&n," where n is a non-negative decimal number, refer to the file descriptor n and not to a file with that name.

© 2000, 2001, 2002 Eric L. Howes (eburger68@myrealbox.com)