GnuPG - Advanced / General / Misc

GPG is the main program for the GnuPG system.

This man page only lists the commands and options available. For more verbose documentation get the GNU Privacy Handbook (GPH) or one of the other documents at http://www.gnupg.org/documentation/ .

Please remember that option parsing stops as soon as a non-option is encountered; you can explicitly stop option parsing by using the special option "--".

GPG recognizes these commands:

Advanced

--list-packets
    List only the sequence of packets. This is mainly useful for debugging.

--store
    Store only (make a simple RFC1991 packet).

--print-md algo files
--print-mds files
    Print message digest of algorithm ALGO for all given files or stdin. With the second form (or a deprecated "*" as algo) digests for all available algorithms are printed.

--gen-random 0|1|2 count
    Emit COUNT random bytes of the given quality level. If count is not given or zero, an endless sequence of random bytes will be emitted. PLEASE, don't use this command unless you know what you are doing; it may remove precious entropy from the system!

--gen-prime mode bits qbits
    Use the source, Luke :-). The output format is still subject to change.

General

--version
    Print version information along with a list of supported algorithms.

--warranty
    Print warranty information.

-h, --help
    Print usage information. This is a really long list even though it doesn't list all options.

Starting with GnuPG 1.1.92 (incl. GnuPG 1.2.1, 1.2.0 and 1.1.92), long options can be put in an options file (default "~/.gnupg/gpg.conf"). In GnuPG versions up through GnuPG 1.1.91 (incl. 1.0.6, 1.0.7, and 1.1.91), long options can be put in an "old style" configuration file (default "~/.gnupg/options"). Short option names will not work -- for example, armor is a valid option for the options file, while a is not. Do not write the 2 dashes, but simply the name of the option and any required arguments. Lines with a hash as the first non-white-space character are ignored. Commands may be put in this file too, but that does not make sense.

GPG recognizes these options:

Advanced

--debug flags
    Set debugging flags. All flags are or-ed and flags may be given in C syntax (e.g. 0x0042).

--debug-all
    Set all useful debugging flags.

--status-fd n
    Write special status strings to the file descriptor n. See the file DETAILS in the documentation for a listing of them.

--attribute-fd n
    Write attribute subpackets to the file descriptor n. This is most useful for use with --status-fd, since the status messages are needed to separate out the various subpackets from the stream delivered to the file descriptor.

--logger-fd n
    Write log output to file descriptor n and not to stderr.

--passphrase-fd n
    Read the passphrase from file descriptor n. If you use 0 for n, the passphrase will be read from stdin. This can only be used if only one passphrase is supplied. Don't use this option if you can avoid it.

--command-fd n
    This is a replacement for the deprecated shared-memory IPC mode. If this option is enabled, user input on questions is not expected from the TTY but from the given file descriptor. It should be used together with --status-fd. See the file doc/DETAILS in the source distribution for details on how to use it.

--emulate-md-encode-bug
    GnuPG versions prior to 1.0.2 had a bug in the way a signature was encoded. This option enables a workaround by checking faulty signatures again with the encoding used in old versions. This may only happen for ElGamal signatures, which are not widely used.

--show-session-key
    Display the session key used for one message. See --override-session-key for the counterpart of this option.
    We think that Key-Escrow is a Bad Thing; however the user should have the freedom to decide whether to go to prison or to reveal the content of one specific message without compromising all messages ever encrypted for one secret key. DON'T USE IT UNLESS YOU ARE REALLY FORCED TO DO SO.

--override-session-key string
    Don't use the public key but the session key string. The format of this string is the same as the one printed by --show-session-key. This option is normally not used but comes in handy in case someone forces you to reveal the content of an encrypted message; using this option you can do this without handing out the secret key.

General Operations

-v, --verbose
    Give more information during processing. If used twice, the input data is listed in detail.

-q, --quiet
    Try to be as quiet as possible.

-n, --dry-run
    Don't make any changes (this is not completely implemented).

-i, --interactive
    Prompt before overwriting any files.

--no-tty
    Make sure that the TTY (terminal) is never used for any output. This option is needed in some cases because GnuPG sometimes prints warnings to the TTY if --batch is used.

--batch
    Use batch mode. Never ask, do not allow interactive commands.

--no-batch
    Disable batch mode. This may be of use if --batch is enabled from an options file.

--no-greeting
    Suppress the initial copyright message but do not enter batch mode.

--yes
    Assume "yes" on most questions.

--no
    Assume "no" on most questions.

Misc

--lock-once
    Lock the databases the first time a lock is requested and do not release the lock until the process terminates.

--lock-multiple
    Release the locks every time a lock is no longer needed. Use this to override a previous --lock-once from a config file.

--lock-never
    Disable locking entirely. This option should be used only in very special environments, where it can be assured that only one process is accessing those files. A bootable floppy with a stand-alone encryption system will probably use this. Improper usage of this option may lead to data and key corruption.

--no-random-seed-file
    GnuPG uses a file to store its internal random pool over invocations. This makes random generation faster; however sometimes write operations are not desired. This option can be used to achieve that with the cost of slower random generation.

--no-secmem-warning
    Suppress the warning about "using insecure memory."

--no-permission-warning
    Suppress the warning about unsafe file permissions.

--no-literal
    This is not for normal use. Use the source to see for what it might be useful.

--set-filesize
    This is not for normal use. Use the source to see for what it might be useful.

Agent

--use-agent
    Try to use the GnuPG-Agent. Please note that this agent is still under development. With this option, GnuPG first tries to connect to the agent before it asks for a passphrase.

--gpg-agent-info
    Override the value of the environment variable `GPG_AGENT_INFO'. This is only used when --use-agent has been given.

How to Specify a User ID

There are different ways to specify a user ID to GnuPG; here are some examples:

    234567C4
    0F34E556E
    01347A56A
    0xAB123456

Here the key ID is given in the usual short form.

    234AABBCC34567C4
    0F323456784E56EAB
    01AB3FED1347A5612
    0x234AABBCC34567C4

Here the key ID is given in the long form as used by OpenPGP (you can get the long key ID using the option --with-colons).

    1234343434343434C434343434343434
    123434343434343C3434343434343734349A3434
    0E12343434343434343434EAB3484343434343434
    0xE12343434343434343434EAB3484343434343434

The best way to specify a key ID is by using the fingerprint of the key. This avoids any ambiguities in case there are duplicated key IDs (which are really rare for the long key IDs).

    =Heinrich Heine <heinrichh@uni-duesseldorf.de>

Using an exact match of the whole string. The equal sign indicates this.

    <heinrichh@uni-duesseldorf.de>

Using the email address part, which must match exactly. The left angle bracket indicates this email address mode.

    +Heinrich Heine duesseldorf

All words must match exactly (not case sensitive) but can appear in any order in the user ID. Words are any sequences of letters, digits, the underscore and all characters with bit 7 set.

    Heine
    *Heine

By case insensitive substring matching. This is the default mode, but applications may want to explicitly indicate this by putting the asterisk in front.

Note that you can append an exclamation mark to key IDs or fingerprints. This flag tells GnuPG to use exactly the given primary or secondary key and not to try to figure out which secondary or primary key to use.

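The selection rules above, written out as an added example (not GnuPG code): the classifier recognizes key IDs and fingerprints only at the hex lengths the manual shows (8, 16, 32 or 40 digits, with an optional 0x prefix and ! suffix), and the =, <, + and * modes are applied to a user ID string exactly as the text describes them. The function names and the returned dict layout are this example's own.

```python
import re

# Added example, not GnuPG code: classify a user-ID specifier according to the rules
# in this section (short/long key ID, fingerprint, and the =, <, +, * prefixes with the
# optional ! suffix), then apply the non-key modes to a user ID string.  The function
# names and the returned dict layout are this example's own.

_HEX = re.compile(r"^[0-9A-Fa-f]+$")
# A "word" is letters, digits, underscore, or any character with bit 7 set (non-ASCII).
_WORD = re.compile(r"(?:[A-Za-z0-9_]|[^\x00-\x7f])+")

def classify_userid_spec(spec):
    """Return {"mode", "value", "exact_key"} describing how GnuPG would match spec."""
    exact_key = spec.endswith("!")          # "!" pins exactly this primary or subkey
    if exact_key:
        spec = spec[:-1]
    body = spec[2:] if spec[:2].lower() == "0x" else spec
    if _HEX.match(body) and len(body) in (8, 16, 32, 40):
        mode = {8: "short-keyid", 16: "long-keyid"}.get(len(body), "fingerprint")
        return {"mode": mode, "value": body.upper(), "exact_key": exact_key}
    if exact_key:
        raise ValueError("'!' is only meaningful after a key ID or fingerprint")
    if spec.startswith("="):
        return {"mode": "exact", "value": spec[1:], "exact_key": False}
    if spec.startswith("<") and spec.endswith(">"):
        return {"mode": "email", "value": spec[1:-1], "exact_key": False}
    if spec.startswith("+"):
        words = [w.lower() for w in _WORD.findall(spec[1:])]
        return {"mode": "words", "value": words, "exact_key": False}
    if spec.startswith("*"):                 # explicit form of the default mode
        spec = spec[1:]
    return {"mode": "substring", "value": spec.lower(), "exact_key": False}

def userid_matches(spec, uid):
    """Apply a non-key spec to one user ID (key IDs are matched against keys, not UIDs)."""
    c = classify_userid_spec(spec)
    if c["mode"] == "exact":
        return uid == c["value"]
    if c["mode"] == "email":
        m = re.search(r"<([^>]*)>", uid)
        return m is not None and m.group(1) == c["value"]
    if c["mode"] == "words":
        uid_words = {w.lower() for w in _WORD.findall(uid)}
        return all(w in uid_words for w in c["value"])
    if c["mode"] == "substring":
        return c["value"] in uid.lower()
    raise ValueError("key IDs and fingerprints select keys, not user IDs")
```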
Return Value

The program returns 0 if everything was fine, 1 if at least one signature was bad, and other error codes for fatal errors.

Examples

gpg -se -r `Bob' file
    sign and encrypt for user Bob

gpg --clearsign file
    make a clear text signature

gpg -sb file
    make a detached signature

gpg --list-keys user_ID
    show keys

gpg --fingerprint user_ID
    show fingerprint

gpg --verify pgpfile
gpg --verify sigfile files
    Verify the signature of the file but do not output the data. The second form is used for detached signatures, where `sigfile' is the detached signature (either ASCII armored or binary) and files are the signed data; if this is not given the name of the file holding the signed data is constructed by cutting off the extension (".asc" or ".sig") of `sigfile' or by asking the user for the filename.

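Running the --verify example from a script, as an added example that is not part of this manual or of GnuPG: it combines --batch, --no-tty, --status-fd and --logger-fd as described above and decides from the status lines, not from the human-readable stderr text or the exit status alone. The status tokens GOODSIG, BADSIG, ERRSIG, NODATA, NO_PUBKEY, VALIDSIG and TRUST_* come from doc/DETAILS; the field layout assumed for VALIDSIG (fingerprint first) and the single-signature assumption are this example's.

```python
import re
import subprocess

# Added example, not GnuPG project code: run "gpg --verify" non-interactively with the
# --batch, --no-tty, --status-fd and --logger-fd options from this manual and judge the
# outcome from the machine-readable status lines.  Status tokens are the ones listed in
# doc/DETAILS; only the first signature in the stream is considered.

_STATUS_LINE = re.compile(r"^\[GNUPG:\] (\S+)(?: (.*))?$")

def verify_command(sigfile, *datafiles):
    """Command line: status on fd 1, log on fd 2, never touch the TTY or prompt."""
    return ["gpg", "--batch", "--no-tty", "--status-fd", "1", "--logger-fd", "2",
            "--verify", sigfile, *datafiles]

def judge_status(status_text, require_trust=("TRUST_FULLY", "TRUST_ULTIMATE")):
    """Reduce the status stream to a verdict.  Missing GOODSIG is a failure, and a good
    signature from a key below the required trust level is reported but not accepted."""
    seen = {}
    for line in status_text.splitlines():
        m = _STATUS_LINE.match(line)
        if m:
            seen.setdefault(m.group(1), m.group(2) or "")
    for bad in ("BADSIG", "ERRSIG", "NODATA", "NO_PUBKEY"):
        if bad in seen:
            return {"ok": False, "reason": bad, "signer": None, "trust": None}
    if "GOODSIG" not in seen:
        return {"ok": False, "reason": "no GOODSIG", "signer": None, "trust": None}
    # VALIDSIG carries the signing key's fingerprint as its first field (assumed layout);
    # GOODSIG carries the long key ID, used as a fallback.
    signer = seen.get("VALIDSIG", "").split(" ")[0] or seen["GOODSIG"].split(" ")[0]
    trust = next((t for t in seen if t.startswith("TRUST_")), "TRUST_UNDEFINED")
    ok = trust in require_trust
    return {"ok": ok, "reason": "good" if ok else "untrusted key",
            "signer": signer, "trust": trust}

def verify(sigfile, *datafiles):
    """Run gpg (must be installed) and attach the exit status: 0 fine, 1 at least one
    bad signature, other values fatal (see Return Value above)."""
    proc = subprocess.run(verify_command(sigfile, *datafiles),
                          capture_output=True, text=True)
    verdict = judge_status(proc.stdout)
    verdict["exit_status"] = proc.returncode
    verdict["log"] = proc.stderr
    return verdict
```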
Environment

HOME
    Used to locate the default home directory.

GNUPGHOME
    If set, this directory is used instead of "~/.gnupg".

GPG_AGENT_INFO
    Used to locate the gpg-agent; only honored when --use-agent is set. The value consists of 3 colon delimited fields: the first is the path to the Unix Domain Socket, the second the PID of the gpg-agent and the third the protocol version, which should be set to 1. When starting the gpg-agent as described in its documentation, this variable is set to the correct value. The option --gpg-agent-info can be used to override it.

http_proxy
    Only honored when the option --honor-http-proxy is set.

Files

~/.gnupg/secring.gpg
    The secret keyring

~/.gnupg/secring.gpg.lock
    and the lock file

~/.gnupg/pubring.gpg
    The public keyring

~/.gnupg/pubring.gpg.lock
    and the lock file

~/.gnupg/trustdb.gpg
    The trust database

~/.gnupg/trustdb.gpg.lock
    and the lock file

~/.gnupg/random_seed
    used to preserve the internal random pool

~/.gnupg/gpg.conf
    Default configuration file (GnuPG 1.1.92 & later)

~/.gnupg/options
    Old style configuration file; only used when gpg.conf is not found (GnuPG 1.1.91 and earlier)

/usr[/local]/share/gnupg/options.skel
    Skeleton options file

/usr[/local]/lib/gnupg/
    Default location for extensions

Warnings

Use a *good* password for your user account and a *good* passphrase to protect your secret key. This passphrase is the weakest part of the whole system. Programs to do dictionary attacks on your secret keyring are very easy to write and so you should protect your "~/.gnupg/" directory very well.

Keep in mind that, if this program is used over a network (telnet), it is *very* easy to spy out your passphrase!

If you are going to verify detached signatures, make sure that the program knows about it; either by giving both filenames on the commandline or by using `-' to specify stdin.

Bugs

On many systems this program should be installed as setuid(root). This is necessary to lock memory pages. Locking memory pages prevents the operating system from writing memory pages to disk. If you get no warning message about insecure memory your operating system supports locking without being root. The program drops root privileges as soon as locked memory is allocated.

© 2000, 2001, 2002 Eric L. Howes (eburger68@myrealbox.com)