diff options
| author | Werner Koch <[email protected]> | 2006-12-04 13:51:18 +0000 |
|---|---|---|
| committer | Werner Koch <[email protected]> | 2006-12-04 13:51:18 +0000 |
| commit | 68629647f3dfd29345dc4244cfebb1f85cf503c6 (patch) | |
| tree | 1ef645500654351db6ffae8a950fa01db6c46c78 | |
| parent | * ksutil.c (classify_ks_search): Try and recognize a key ID even (diff) | |
| download | gnupg-68629647f3dfd29345dc4244cfebb1f85cf503c6.tar.gz gnupg-68629647f3dfd29345dc4244cfebb1f85cf503c6.zip | |
Changing the way man pages are build.
| -rw-r--r-- | doc/ChangeLog | 4 | ||||
| -rw-r--r-- | doc/Makefile.am | 58 | ||||
| -rw-r--r-- | doc/gpg.sgml | 3366 | ||||
| -rw-r--r-- | doc/gpg.texi | 2231 | ||||
| -rw-r--r-- | doc/gpgv.sgml | 225 | ||||
| -rw-r--r-- | doc/gpgv.texi | 114 | ||||
| -rw-r--r-- | doc/yat2m.c | 1325 |
7 files changed, 1366 insertions, 5957 deletions
diff --git a/doc/ChangeLog b/doc/ChangeLog index c6d73976f..a0c0343c3 100644 --- a/doc/ChangeLog +++ b/doc/ChangeLog @@ -1,3 +1,7 @@ +2006-12-04 Werner Koch <[email protected]> + + * yat2m.c: New. + 2006-06-22 David Shaw <[email protected]> * gpg.sgml: Document --enable-dsa2, --disable-dsa2, and diff --git a/doc/Makefile.am b/doc/Makefile.am index 34b9ddf65..71c76275c 100644 --- a/doc/Makefile.am +++ b/doc/Makefile.am @@ -20,13 +20,19 @@ AUTOMAKE_OPTIONS = no-texinfo.tex -EXTRA_DIST = DETAILS gpg.sgml gpg.1 gpgv.sgml gpgv.1 faq.raw FAQ faq.html \ +EXTRA_DIST = DETAILS gpg.1 gpgv.1 faq.raw FAQ faq.html \ HACKING OpenPGP README.W32 samplekeys.asc gnupg.7 \ TRANSLATE gpg.ru.sgml gpg.ru.1 highlights-1.4.txt -man_MANS = gpg.1 gpgv.1 gnupg.7 gpg.ru.1 +noinst_PROGRAMS = yat2m + +myman_sources = gpg.texi +myman_pages = gpg.1 + +info_TEXINFOS = gpg.texi + +man_MANS = $(myman_pages) gnupg.7 gpg.ru.1 -info_TEXINFOS = gpg.texi gpgv.texi # Need this to avoid building of dvis with automake 1.4 DVIS = @@ -38,26 +44,36 @@ BUILT_SOURCES = FAQ faq.html # be built files. CLEANFILES = faq.raw.xref gpg.xml gpgv.xml gpg.ru.xml +DISTCLEANFILES = yat2m-stamp.tmp yat2m-stamp $(myman_pages) +YAT2M_OPTIONS = -I $(srcdir) -D gpgone \ + --release "GnuPG @PACKAGE_VERSION@" --source "GNU Privacy Guard" + +yat2m_SOURCES = yat2m.c + +yat2m-stamp: $(myman_sources) + @rm -f yat2m-stamp.tmp + @touch yat2m-stamp.tmp + for file in $(myman_sources) ; do \ + ./yat2m $(YAT2M_OPTIONS) --store \ + `test -f '$$file' || echo '$(srcdir)/'`$$file ; done + @mv -f yat2m-stamp.tmp $@ + +yat2m-stamp: yat2m + +$(myman_pages) : yat2m-stamp + @if test -f $@; then :; else \ + trap 'rm -rf yat2m-stamp yat2m-lock' 1 2 13 15; \ + if mkdir yat2m-lock 2>/dev/null; then \ + rm -f yat2m-stamp; \ + $(MAKE) $(AM_MAKEFLAGS) yat2m-stamp; \ + rmdir yat2m-lock; \ + else \ + while test -d yat2m-lock; do sleep 1; done; \ + test -f yat2m-stamp; exit $$?; \ + fi; \ + fi -# We better build the texi versions manually. -#%.texi : %.xml -#if HAVE_DOCBOOK_TO_TEXI -# docbook2texi $< | sed 's,--,---,' \ -# | $(top_srcdir)/scripts/fix-db-texi $@ >$@ -#else -# : Warning: missing docbook to texinfo tools, cannot make $@ -# touch $@ -#endif -# -#%.xml : %.sgml -#if HAVE_DOCBOOK_TO_TEXI -# sgml2xml -x lower $< >$@ -#else -# : Warning: missing docbook to texinfo tools, cannot make $@ -# touch $@ -#endif -# %.1 : %.sgml if HAVE_DOCBOOK_TO_MAN diff --git a/doc/gpg.sgml b/doc/gpg.sgml deleted file mode 100644 index c3adc6ad4..000000000 --- a/doc/gpg.sgml +++ /dev/null @@ -1,3366 +0,0 @@ -<!-- gpg.sgml - the man page for GnuPG - Copyright (C) 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005, - 2006 Free Software Foundation, Inc. - - This file is part of GnuPG. - - GnuPG is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or - (at your option) any later version. - - GnuPG is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA - 02110-1301, USA ---> -<!-- This file should be processed by docbook-to-man to - create a manual page. This program has currently the bug - not to remove leading white space. So this source file does - not look very pretty - - FIXME: generated a file with entity (e.g. pathnames) from the - configure scripts and include it here ---> - - -<!DOCTYPE refentry PUBLIC "-//Davenport//DTD DocBook V3.0//EN" [ -<!entity ParmDir "<parameter>directory</parameter>"> -<!entity ParmFile "<parameter>file</parameter>"> -<!entity OptParmFile "<optional>&ParmFile;</optional>"> -<!entity ParmFiles "<parameter>files</parameter>"> -<!entity OptParmFiles "<optional>&ParmFiles;</optional>"> -<!entity ParmName "<parameter>name</parameter>"> -<!entity OptParmName "<optional>&ParmName;</optional>"> -<!entity ParmNames "<parameter>names</parameter>"> -<!entity OptParmNames "<optional>&ParmNames;</optional>"> -<!entity ParmKeyIDs "<parameter>key IDs</parameter>"> -<!entity OptParmKeyIDs "<optional>&ParmKeyIDs</optional>"> -<!entity ParmN "<parameter>n</parameter>"> -<!entity ParmFlags "<parameter>flags</parameter>"> -<!entity ParmString "<parameter>string</parameter>"> -<!entity ParmURIs "<parameter>URIs</parameter>"> -<!entity ParmValue "<parameter>value</parameter>"> -<!entity ParmNameValue "<parameter>name=value</parameter>"> -<!entity ParmNameValues "<parameter>name=value1 <optional>value2 value3 ...</optional></parameter>"> -<!entity OptParmNameValues "<optional>name=value1 value2 value3 ...</optional>"> -<!entity OptEqualsValue "<optional>=value</optional>"> -]> - -<refentry id="gpg"> -<refmeta> - <refentrytitle>gpg</refentrytitle> - <manvolnum>1</manvolnum> - <refmiscinfo class="gnu">GNU Tools</refmiscinfo> -</refmeta> -<refnamediv> - <refname/gpg/ - <refpurpose>encryption and signing tool</> -</refnamediv> -<refsynopsisdiv> - <synopsis> -<command>gpg</command> - <optional>--homedir <parameter/name/</optional> - <optional>--options <parameter/file/</optional> - <optional><parameter/options/</optional> - <parameter>command</parameter> - <optional><parameter/args/</optional> - </synopsis> -</refsynopsisdiv> - -<refsect1> - <title>DESCRIPTION</title> - <para> -<command/gpg/ is the main program for the GnuPG system. - </para> - <para> -This man page only lists the commands and options available. For more -verbose documentation get the GNU Privacy Handbook (GPH) or one of the -other documents at http://www.gnupg.org/documentation/ . -</para> -<para> -Please remember that option parsing stops as soon as a non option is -encountered, you can explicitly stop option parsing by using the -special option "--". -</para> -</refsect1> - -<refsect1> -<title>COMMANDS</title> - -<para> -<command/gpg/ may be run with no commands, in which case it will -perform a reasonable action depending on the type of file it is given -as input (an encrypted message is decrypted, a signature is verified, -a file containing keys is listed). -</para> - -<para> -<command/gpg/ recognizes these commands: -</para> - -<variablelist> - -<varlistentry> -<term>-s, --sign &OptParmFile;</term> -<listitem><para> -Make a signature. This command may be combined with --encrypt (for a -signed and encrypted message), --symmetric (for a signed and -symmetrically encrypted message), or --encrypt and --symmetric -together (for a signed message that may be decrypted via a secret key -or a passphrase). -</para></listitem></varlistentry> - - -<varlistentry> -<term>--clearsign &OptParmFile;</term> -<listitem><para> -Make a clear text signature. The content in a clear text signature is -readable without any special software. OpenPGP software is only -needed to verify the signature. Clear text signatures may modify -end-of-line whitespace for platform independence and are not intended -to be reversible. -</para></listitem></varlistentry> - - -<varlistentry> -<term>-b, --detach-sign &OptParmFile;</term> -<listitem><para> -Make a detached signature. -</para></listitem></varlistentry> - - -<varlistentry> -<term>-e, --encrypt &OptParmFile;</term> -<listitem><para> -Encrypt data. This option may be combined with --sign (for a signed -and encrypted message), --symmetric (for a message that may be -decrypted via a secret key or a passphrase), or --sign and --symmetric -together (for a signed message that may be decrypted via a secret key -or a passphrase). -</para></listitem></varlistentry> - - -<varlistentry> -<term>-c, --symmetric &OptParmFile;</term> -<listitem><para> -Encrypt with a symmetric cipher using a passphrase. The default -symmetric cipher used is CAST5, but may be chosen with the ---cipher-algo option. This option may be combined with --sign (for a -signed and symmetrically encrypted message), --encrypt (for a message -that may be decrypted via a secret key or a passphrase), or --sign and ---encrypt together (for a signed message that may be decrypted via a -secret key or a passphrase). -</para></listitem></varlistentry> - - -<varlistentry> -<term>--store &OptParmFile;</term> -<listitem><para> -Store only (make a simple RFC1991 packet). -</para></listitem></varlistentry> - - -<varlistentry> -<term>-d, --decrypt &OptParmFile;</term> -<listitem><para> -Decrypt &ParmFile; (or stdin if no file is specified) and -write it to stdout (or the file specified with ---output). If the decrypted file is signed, the -signature is also verified. This command differs -from the default operation, as it never writes to the -filename which is included in the file and it -rejects files which don't begin with an encrypted -message. -</para></listitem></varlistentry> - - -<varlistentry> -<term>--verify <optional><optional><parameter/sigfile/</optional> - <optional><parameter/signed-files/</optional></optional></term> -<listitem><para> -Assume that <parameter/sigfile/ is a signature and verify it -without generating any output. With no arguments, -the signature packet is read from stdin. If -only a sigfile is given, it may be a complete -signature or a detached signature, in which case -the signed stuff is expected in a file without the -".sig" or ".asc" extension. -With more than -1 argument, the first should be a detached signature -and the remaining files are the signed stuff. To read the signed -stuff from stdin, use <literal>-</literal> as the second filename. -For security reasons a detached signature cannot read the signed -material from stdin without denoting it in the above way. -</para></listitem></varlistentry> - -<varlistentry> -<term>--multifile</term> -<listitem><para> -This modifies certain other commands to accept multiple files for -processing on the command line or read from stdin with each filename -on a separate line. This allows for many files to be processed at -once. --multifile may currently be used along with --verify, ---encrypt, and --decrypt. Note that `--multifile --verify' may not be -used with detached signatures. -</para></listitem></varlistentry> - -<varlistentry> -<term>--verify-files <optional><parameter/files/</optional></term> -<listitem><para> -Identical to `--multifile --verify'. -</para></listitem></varlistentry> - -<varlistentry> -<term>--encrypt-files <optional><parameter/files/</optional></term> -<listitem><para> -Identical to `--multifile --encrypt'. -</para></listitem></varlistentry> - -<varlistentry> -<term>--decrypt-files <optional><parameter/files/</optional></term> -<listitem><para> -Identical to `--multifile --decrypt'. -</para></listitem></varlistentry> - -<!-- -B<-k> [I<username>] [I<keyring>] - Kludge to be somewhat compatible with PGP. - Without arguments, all public keyrings are listed. - With one argument, only I<keyring> is listed. - Special combinations are also allowed, but they may - give strange results when combined with more options. - B<-kv> Same as B<-k> - B<-kvv> List the signatures with every key. - B<-kvvv> Additionally check all signatures. - B<-kvc> List fingerprints - B<-kvvc> List fingerprints and signatures - - B<This command may be removed in the future!> ---> - -<varlistentry> -<term>--list-keys &OptParmNames;</term> -<term>--list-public-keys &OptParmNames;</term> -<listitem><para> -List all keys from the public keyrings, or just the ones given on the -command line. -</para><para> -Avoid using the output of this command in scripts or other programs as -it is likely to change as GnuPG changes. See --with-colons for a -machine-parseable key listing command that is appropriate for use in -scripts and other programs. -</para></listitem></varlistentry> - - -<varlistentry> -<term>-K, --list-secret-keys &OptParmNames;</term> -<listitem><para> -List all keys from the secret keyrings, or just the ones given on the -command line. A '#' after the letters 'sec' means that the secret key -is not usable (for example, if it was created via ---export-secret-subkeys). -</para></listitem></varlistentry> - - -<varlistentry> -<term>--list-sigs &OptParmNames;</term> -<listitem><para> -Same as --list-keys, but the signatures are listed too. -</para><para> -For each signature listed, there are several flags in between the -"sig" tag and keyid. These flags give additional information about -each signature. From left to right, they are the numbers 1-3 for -certificate check level (see --ask-cert-level), "L" for a local or -non-exportable signature (see --lsign-key), "R" for a nonRevocable -signature (see the --edit-key command "nrsign"), "P" for a signature -that contains a policy URL (see --cert-policy-url), "N" for a -signature that contains a notation (see --cert-notation), "X" for an -eXpired signature (see --ask-cert-expire), and the numbers 1-9 or "T" -for 10 and above to indicate trust signature levels (see the ---edit-key command "tsign"). -</para></listitem></varlistentry> - - -<varlistentry> -<term>--check-sigs &OptParmNames;</term> -<listitem><para> -Same as --list-sigs, but the signatures are verified. -</para></listitem></varlistentry> - -<varlistentry> -<term>--fingerprint &OptParmNames;</term> -<listitem><para> -List all keys with their fingerprints. This is the -same output as --list-keys but with the additional output -of a line with the fingerprint. May also be combined -with --list-sigs or --check-sigs. -If this command is given twice, the fingerprints of all -secondary keys are listed too. -</para></listitem></varlistentry> - - -<varlistentry> -<term>--list-packets</term> -<listitem><para> -List only the sequence of packets. This is mainly -useful for debugging. -</para></listitem></varlistentry> - - -<varlistentry> -<term>--gen-key</term> -<listitem><para> -Generate a new key pair. This command is normally only used -interactively. -</para> -<para> -There is an experimental feature which allows you to create keys -in batch mode. See the file <filename>doc/DETAILS</filename> -in the source distribution on how to use this. -</para></listitem></varlistentry> - - -<varlistentry> -<term>--edit-key &ParmName;</term> -<listitem><para> -Present a menu which enables you to do all key -related tasks:</para> - <variablelist> - - <varlistentry> - <term>sign</term> - <listitem><para> -Make a signature on key of user &ParmName; If the key is not yet -signed by the default user (or the users given with -u), the program -displays the information of the key again, together with its -fingerprint and asks whether it should be signed. This question is -repeated for all users specified with --u.</para></listitem></varlistentry> - <varlistentry> - <term>lsign</term> - <listitem><para> -Same as "sign" but the signature is marked as non-exportable and will -therefore never be used by others. This may be used to make keys -valid only in the local environment.</para></listitem></varlistentry> - <varlistentry> - <term>nrsign</term> - <listitem><para> -Same as "sign" but the signature is marked as non-revocable and can -therefore never be revoked.</para></listitem></varlistentry> - <varlistentry> - <term>tsign</term> - <listitem><para> -Make a trust signature. This is a signature that combines the notions -of certification (like a regular signature), and trust (like the -"trust" command). It is generally only useful in distinct communities -or groups. -</para></listitem></varlistentry> -</variablelist> - -<para> -Note that "l" (for local / non-exportable), "nr" (for non-revocable, -and "t" (for trust) may be freely mixed and prefixed to "sign" to -create a signature of any type desired. -</para> - -<variablelist> - <varlistentry> - <term>revsig</term> - <listitem><para> -Revoke a signature. For every signature which has been generated by -one of the secret keys, GnuPG asks whether a revocation certificate -should be generated. -</para></listitem></varlistentry> - <varlistentry> - <term>trust</term> - <listitem><para> -Change the owner trust value. This updates the -trust-db immediately and no save is required.</para></listitem></varlistentry> - <varlistentry> - <term>disable</term> - <term>enable</term> - <listitem><para> -Disable or enable an entire key. A disabled key can not normally be -used for encryption.</para></listitem></varlistentry> - <varlistentry> - <term>adduid</term> - <listitem><para> -Create an alternate user id.</para></listitem></varlistentry> - <varlistentry> - <term>addphoto</term> - <listitem><para> -Create a photographic user id. This will prompt for a JPEG file that -will be embedded into the user ID. Note that a very large JPEG will -make for a very large key. Also note that some programs will display -your JPEG unchanged (GnuPG), and some programs will scale it to fit in -a dialog box (PGP). -</para></listitem></varlistentry> - <varlistentry> - <term>deluid</term> - <listitem><para> -Delete a user id.</para></listitem></varlistentry> - <varlistentry> - <term>delsig</term> - <listitem><para> -Delete a signature.</para></listitem></varlistentry> - <varlistentry> - <term>revuid</term> - <listitem><para> -Revoke a user id.</para></listitem></varlistentry> - <varlistentry> - <term>addkey</term> - <listitem><para> -Add a subkey to this key.</para></listitem></varlistentry> - <varlistentry> - <term>addcardkey</term> - <listitem><para> -Generate a key on a card and add it -to this key.</para></listitem></varlistentry> - <varlistentry> - <term>keytocard</term> - <listitem><para> -Transfer the selected secret key (or the primary key if no key has -been selected) to a smartcard. The secret key in the keyring will be -replaced by a stub if the key could be stored successfully on the card -and you use the save command later. Only certain key types may be -transferred to the card. A sub menu allows you to select on what card -to store the key. Note that it is not possible to get that key back -from the card - if the card gets broken your secret key will be lost -unless you have a backup somewhere.</para></listitem></varlistentry> - <varlistentry> - <term>bkuptocard &ParmFile;</term> - <listitem><para> -Restore the given file to a card. This command -may be used to restore a backup key (as generated during card -initialization) to a new card. In almost all cases this will be the -encryption key. You should use this command only -with the corresponding public key and make sure that the file -given as argument is indeed the backup to restore. You should -then select 2 to restore as encryption key. -You will first be asked to enter the passphrase of the backup key and -then for the Admin PIN of the card.</para></listitem></varlistentry> - <varlistentry> - <term>delkey</term> - <listitem><para> -Remove a subkey.</para></listitem></varlistentry> - <varlistentry> - <term>addrevoker <optional>sensitive</optional></term> - <listitem><para> -Add a designated revoker. This takes one optional argument: -"sensitive". If a designated revoker is marked as sensitive, it will -not be exported by default (see -export-options).</para></listitem></varlistentry> - <varlistentry> - <term>revkey</term> - <listitem><para> -Revoke a subkey.</para></listitem></varlistentry> - <varlistentry> - <term>expire</term> - <listitem><para> -Change the key expiration time. If a subkey is selected, the -expiration time of this subkey will be changed. With no selection, -the key expiration of the primary key is changed. -</para></listitem></varlistentry> - <varlistentry> - <term>passwd</term> - <listitem><para> -Change the passphrase of the secret key.</para></listitem></varlistentry> - <varlistentry> - <term>primary</term> - <listitem><para> -Flag the current user id as the primary one, removes the primary user -id flag from all other user ids and sets the timestamp of all affected -self-signatures one second ahead. Note that setting a photo user ID -as primary makes it primary over other photo user IDs, and setting a -regular user ID as primary makes it primary over other regular user -IDs. -</para></listitem></varlistentry> - <varlistentry> - <term>uid &ParmN;</term> - <listitem><para> -Toggle selection of user id with index &ParmN;. -Use 0 to deselect all.</para></listitem></varlistentry> - <varlistentry> - <term>key &ParmN;</term> - <listitem><para> -Toggle selection of subkey with index &ParmN;. -Use 0 to deselect all.</para></listitem></varlistentry> - <varlistentry> - <term>check</term> - <listitem><para> -Check all selected user ids.</para></listitem></varlistentry> - <varlistentry> - <term>showphoto</term> - <listitem><para> -Display the selected photographic user -id.</para></listitem></varlistentry> - <varlistentry> - <term>pref</term> - <listitem><para> -List preferences from the selected user ID. This shows the actual -preferences, without including any implied preferences. -</para></listitem></varlistentry> - <varlistentry> - <term>showpref</term> - <listitem><para> -More verbose preferences listing for the selected user ID. This shows -the preferences in effect by including the implied preferences of 3DES -(cipher), SHA-1 (digest), and Uncompressed (compression) if they are -not already included in the preference list. In addition, the -preferred keyserver and signature notations (if any) are shown. -</para></listitem></varlistentry> - <varlistentry> - <term>setpref &ParmString;</term> - <listitem><para> -Set the list of user ID preferences to &ParmString; for all (or just -the selected) user IDs. Calling setpref with no arguments sets the -preference list to the default (either built-in or set via ---default-preference-list), and calling setpref with "none" as the -argument sets an empty preference list. Use "gpg --version" to get a -list of available algorithms. Note that while you can change the -preferences on an attribute user ID (aka "photo ID"), GnuPG does not -select keys via attribute user IDs so these preferences will not be -used by GnuPG. -</para></listitem></varlistentry> - <varlistentry> - <term>keyserver</term> - <listitem><para> -Set a preferred keyserver for the specified user ID(s). This allows -other users to know where you prefer they get your key from. See ---keyserver-options honor-keyserver-url for more on how this works. -Setting a value of "none" removes an existing preferred keyserver. -</para></listitem></varlistentry> - <varlistentry> - <term>notation</term> - <listitem><para> -Set a name=value notation for the specified user ID(s). See ---cert-notation for more on how this works. Setting a value of "none" -removes all notations, setting a notation prefixed with a minus sign -(-) removes that notation, and setting a notation name (without the -=value) prefixed with a minus sign removes all notations with that -name. -</para></listitem></varlistentry> - <varlistentry> - <term>toggle</term> - <listitem><para> -Toggle between public and secret key listing.</para></listitem></varlistentry> - -<varlistentry> -<term>clean</term> -<listitem><para> -Compact (by removing all signatures except the selfsig) any user ID -that is no longer usable (e.g. revoked, or expired). Then, remove any -signatures that are not usable by the trust calculations. -Specifically, this removes any signature that does not validate, any -signature that is superseded by a later signature, revoked signatures, -and signatures issued by keys that are not present on the keyring. -</para></listitem></varlistentry> - -<varlistentry> -<term>minimize</term> -<listitem><para> -Make the key as small as possible. This removes all signatures from -each user ID except for the most recent self-signature. -</para></listitem></varlistentry> - -<varlistentry> -<term>cross-certify</term> -<listitem><para> -Add cross-certification signatures to signing subkeys that may not -currently have them. Cross-certification signatures protect against a -subtle attack against signing subkeys. See ---require-cross-certification. -</para></listitem></varlistentry> - - <varlistentry> - <term>save</term> - <listitem><para> -Save all changes to the key rings and quit.</para></listitem></varlistentry> - <varlistentry> - <term>quit</term> - <listitem><para> -Quit the program without updating the -key rings.</para></listitem></varlistentry> - </variablelist> - <para> -The listing shows you the key with its secondary -keys and all user ids. Selected keys or user ids -are indicated by an asterisk. The trust value is -displayed with the primary key: the first is the -assigned owner trust and the second is the calculated -trust value. Letters are used for the values:</para> - <variablelist> - <varlistentry><term>-</term><listitem><para>No ownertrust assigned / not yet calculated.</para></listitem></varlistentry> - <varlistentry><term>e</term><listitem><para>Trust -calculation has failed; probably due to an expired key.</para></listitem></varlistentry> - <varlistentry><term>q</term><listitem><para>Not enough information for calculation.</para></listitem></varlistentry> - <varlistentry><term>n</term><listitem><para>Never trust this key.</para></listitem></varlistentry> - <varlistentry><term>m</term><listitem><para>Marginally trusted.</para></listitem></varlistentry> - <varlistentry><term>f</term><listitem><para>Fully trusted.</para></listitem></varlistentry> - <varlistentry><term>u</term><listitem><para>Ultimately trusted.</para></listitem></varlistentry> - </variablelist> -</listitem></varlistentry> - - -<varlistentry> -<term>--card-edit</term> -<listitem><para> -Present a menu to work with a smartcard. The subcommand "help" provides -an overview on available commands. For a detailed description, please -see the Card HOWTO at -http://www.gnupg.org/documentation/howtos.html#GnuPG-cardHOWTO . -</para></listitem></varlistentry> - -<varlistentry> -<term>--card-status</term> -<listitem><para> -Show the content of the smart card. -</para></listitem></varlistentry> - -<varlistentry> -<term>--change-pin</term> -<listitem><para> -Present a menu to allow changing the PIN of a smartcard. This -functionality is also available as the subcommand "passwd" with the ---card-edit command. -</para></listitem></varlistentry> - - -<varlistentry> -<term>--sign-key &ParmName;</term> -<listitem><para> -Signs a public key with your secret key. This is a shortcut version of -the subcommand "sign" from --edit. -</para></listitem></varlistentry> - -<varlistentry> -<term>--lsign-key &ParmName;</term> -<listitem><para> -Signs a public key with your secret key but marks it as -non-exportable. This is a shortcut version of the subcommand "lsign" -from --edit. -</para></listitem></varlistentry> - -<varlistentry> -<term>--delete-key &ParmName;</term> -<listitem><para> -Remove key from the public keyring. In batch mode either --yes is -required or the key must be specified by fingerprint. This is a -safeguard against accidental deletion of multiple keys. -</para></listitem></varlistentry> - -<varlistentry> -<term>--delete-secret-key &ParmName;</term> -<listitem><para> -Remove key from the secret and public keyring. In batch mode the key -must be specified by fingerprint. -</para></listitem></varlistentry> - -<varlistentry> -<term>--delete-secret-and-public-key &ParmName;</term> -<listitem><para> -Same as --delete-key, but if a secret key exists, it will be removed -first. In batch mode the key must be specified by fingerprint. -</para></listitem></varlistentry> - -<varlistentry> -<term>--gen-revoke &ParmName;</term> -<listitem><para> -Generate a revocation certificate for the complete key. To revoke -a subkey or a signature, use the --edit command. -</para></listitem></varlistentry> - -<varlistentry> -<term>--desig-revoke &ParmName;</term> -<listitem><para> -Generate a designated revocation certificate for a key. This allows a -user (with the permission of the keyholder) to revoke someone else's -key. -</para></listitem></varlistentry> - -<varlistentry> -<term>--export &OptParmNames;</term> -<listitem><para> -Either export all keys from all keyrings (default -keyrings and those registered via option --keyring), -or if at least one name is given, those of the given -name. The new keyring is written to stdout or to -the file given with option "output". Use together -with --armor to mail those keys. -</para></listitem></varlistentry> - - -<varlistentry> -<term>--send-keys &OptParmNames;</term> -<listitem><para> -Same as --export but sends the keys to a keyserver. -Option --keyserver must be used to give the name -of this keyserver. Don't send your complete keyring -to a keyserver - select only those keys which are new -or changed by you. -</para></listitem></varlistentry> - - -<varlistentry> -<term>--export-secret-keys &OptParmNames;</term> -<term>--export-secret-subkeys &OptParmNames;</term> -<listitem><para> -Same as --export, but exports the secret keys instead. -This is normally not very useful and a security risk. -The second form of the command has the special property to -render the secret part of the primary key useless; this is -a GNU extension to OpenPGP and other implementations can -not be expected to successfully import such a key. - -See the option --simple-sk-checksum if you want to import such an -exported key with an older OpenPGP implementation. -</para></listitem></varlistentry> - - -<varlistentry> -<term>--import &OptParmFiles;</term> -<term>--fast-import &OptParmFiles;</term> -<listitem><para> -Import/merge keys. This adds the given keys to the -keyring. The fast version is currently just a synonym. -</para> -<para> -There are a few other options which control how this command works. -Most notable here is the --keyserver-options merge-only option which -does not insert new keys but does only the merging of new signatures, -user-IDs and subkeys. -</para></listitem></varlistentry> - - -<varlistentry> -<term>--recv-keys &ParmKeyIDs;</term> -<listitem><para> -Import the keys with the given key IDs from a keyserver. Option ---keyserver must be used to give the name of this keyserver. -</para></listitem></varlistentry> - -<varlistentry> -<term>--refresh-keys &OptParmKeyIDs;</term> -<listitem><para> -Request updates from a keyserver for keys that already exist on the -local keyring. This is useful for updating a key with the latest -signatures, user IDs, etc. Calling this with no arguments will -refresh the entire keyring. Option --keyserver must be used to give -the name of the keyserver for all keys that do not have preferred -keyservers set (see --keyserver-options honor-keyserver-url). -</para></listitem></varlistentry> - -<varlistentry> -<term>--search-keys &ParmNames;</term> -<listitem><para> -Search the keyserver for the given names. Multiple names given here -will be joined together to create the search string for the keyserver. -Option --keyserver must be used to give the name of this keyserver. -Keyservers that support different search methods allow using the -syntax specified in "How to specify a user ID" below. Note that -different keyserver types support different search methods. Currently -only LDAP supports them all. -</para></listitem></varlistentry> - -<varlistentry> -<term>--fetch-keys &ParmURIs;</term> -<listitem><para> -Retrieve keys located at the specified URIs. Note that different -installations of GnuPG may support different protocols (HTTP, FTP, -LDAP, etc.) -</para></listitem></varlistentry> - -<varlistentry> -<term>--update-trustdb</term> -<listitem><para> -Do trust database maintenance. This command iterates over all keys -and builds the Web of Trust. This is an interactive command because it -may have to ask for the "ownertrust" values for keys. The user has to -give an estimation of how far she trusts the owner of the displayed -key to correctly certify (sign) other keys. GnuPG only asks for the -ownertrust value if it has not yet been assigned to a key. Using the ---edit-key menu, the assigned value can be changed at any time. -</para></listitem></varlistentry> - -<varlistentry> -<term>--check-trustdb</term> -<listitem><para> -Do trust database maintenance without user interaction. From time to -time the trust database must be updated so that expired keys or -signatures and the resulting changes in the Web of Trust can be -tracked. Normally, GnuPG will calculate when this is required and do -it automatically unless --no-auto-check-trustdb is set. This command -can be used to force a trust database check at any time. The -processing is identical to that of --update-trustdb but it skips keys -with a not yet defined "ownertrust". -</para> -<para> -For use with cron jobs, this command can be used together with --batch -in which case the trust database check is done only if a check is -needed. To force a run even in batch mode add the option --yes. -</para></listitem></varlistentry> - - -<varlistentry> -<term>--export-ownertrust</term> -<listitem><para> -Send the ownertrust values to stdout. This is useful for backup -purposes as these values are the only ones which can't be re-created -from a corrupted trust DB. -</para></listitem></varlistentry> - -<varlistentry> -<term>--import-ownertrust &OptParmFiles;</term> -<listitem><para> -Update the trustdb with the ownertrust values stored -in &ParmFiles; (or stdin if not given); existing -values will be overwritten. -</para></listitem></varlistentry> - -<varlistentry> -<term>--rebuild-keydb-caches</term> -<listitem><para> -When updating from version 1.0.6 to 1.0.7 this command should be used -to create signature caches in the keyring. It might be handy in other -situations too. -</para></listitem></varlistentry> - -<varlistentry> -<term>--print-md <parameter>algo</parameter> &OptParmFiles;</term> -<term>--print-mds &OptParmFiles;</term> -<listitem><para> -Print message digest of algorithm ALGO for all given files or stdin. -With the second form (or a deprecated "*" as algo) digests for all -available algorithms are printed. -</para></listitem></varlistentry> - - -<varlistentry> -<term>--gen-random <parameter>0|1|2</parameter> - <optional><parameter>count</parameter></optional></term> -<listitem><para> -Emit COUNT random bytes of the given quality level. If count is not given -or zero, an endless sequence of random bytes will be emitted. -PLEASE, don't use this command unless you know what you are doing; it may -remove precious entropy from the system! -</para></listitem></varlistentry> - -<varlistentry> -<term>--gen-prime <parameter>mode</parameter> - <parameter>bits</parameter> - <optional><parameter>qbits</parameter></optional></term> -<listitem><para> -Use the source, Luke :-). The output format is still subject to change. -</para></listitem></varlistentry> - - -<varlistentry> -<term>--version</term> -<listitem><para> -Print version information along with a list -of supported algorithms. -</para></listitem></varlistentry> - - -<varlistentry> -<term>--warranty</term> -<listitem><para> -Print warranty information. -</para></listitem></varlistentry> - - -<varlistentry> -<term>-h, --help</term> -<listitem><para> -Print usage information. This is a really long list even though it -doesn't list all options. For every option, consult this manual. -</para></listitem></varlistentry> - -</variablelist> -</refsect1> - -<refsect1> -<title>OPTIONS</title> -<para> -Long options can be put in an options file (default -"~/.gnupg/gpg.conf"). Short option names will not work - for example, -"armor" is a valid option for the options file, while "a" is not. Do -not write the 2 dashes, but simply the name of the option and any -required arguments. Lines with a hash ('#') as the first -non-white-space character are ignored. Commands may be put in this -file too, but that is not generally useful as the command will execute -automatically with every execution of gpg. -</para> -<para> -<command/gpg/ recognizes these options: -</para> - -<variablelist> - - -<varlistentry> -<term>-a, --armor</term> -<listitem><para> -Create ASCII armored output. -</para></listitem></varlistentry> - - -<varlistentry> -<term>-o, --output &ParmFile;</term> -<listitem><para> -Write output to &ParmFile;. -</para></listitem></varlistentry> - - -<varlistentry> -<term>--max-output &ParmN;</term> -<listitem><para> -This option sets a limit on the number of bytes that will be generated -when processing a file. Since OpenPGP supports various levels of -compression, it is possible that the plaintext of a given message may -be significantly larger than the original OpenPGP message. While -GnuPG works properly with such messages, there is often a desire to -set a maximum file size that will be generated before processing is -forced to stop by the OS limits. Defaults to 0, which means "no -limit". -</para></listitem></varlistentry> - -<varlistentry> -<term>--mangle-dos-filenames</term> -<term>--no-mangle-dos-filenames</term> -<listitem><para> -Older version of Windows cannot handle filenames with more than one -dot. --mangle-dos-filenames causes GnuPG to replace (rather than add -to) the extension of an output filename to avoid this problem. This -option is off by default and has no effect on non-Windows platforms. -</para></listitem></varlistentry> - - -<varlistentry> -<term>-u, --local-user &ParmName;</term> -<listitem><para> -Use &ParmName; as the key to sign with. Note that this option -overrides --default-key. -</para></listitem></varlistentry> - -<varlistentry> -<term>--default-key &ParmName;</term> -<listitem><para> -Use &ParmName; as the default key to sign with. If this option is not -used, the default key is the first key found in the secret keyring. -Note that -u or --local-user overrides this option. -</para></listitem></varlistentry> - -<varlistentry> -<term>-r, --recipient &ParmName;</term> -<listitem><para> -Encrypt for user id &ParmName;. If this option or --hidden-recipient -is not specified, GnuPG asks for the user-id unless ---default-recipient is given. -</para></listitem></varlistentry> - -<varlistentry> -<term>-R, --hidden-recipient &ParmName;</term> -<listitem><para> -Encrypt for user ID &ParmName;, but hide the key ID of this user's -key. This option helps to hide the receiver of the message and is a -limited countermeasure against traffic analysis. If this option or ---recipient is not specified, GnuPG asks for the user ID unless ---default-recipient is given. -</para></listitem></varlistentry> - -<varlistentry> -<term>--default-recipient &ParmName;</term> -<listitem><para> -Use &ParmName; as default recipient if option --recipient is not used and -don't ask if this is a valid one. &ParmName; must be non-empty. -</para></listitem></varlistentry> - -<varlistentry> -<term>--default-recipient-self</term> -<listitem><para> -Use the default key as default recipient if option --recipient is not used and -don't ask if this is a valid one. The default key is the first one from the -secret keyring or the one set with --default-key. -</para></listitem></varlistentry> - - -<varlistentry> -<term>--no-default-recipient</term> -<listitem><para> -Reset --default-recipient and --default-recipient-self. -</para></listitem></varlistentry> - -<varlistentry> -<term>--encrypt-to &ParmName;</term> -<listitem><para> -Same as --recipient but this one is intended for use -in the options file and may be used with -your own user-id as an "encrypt-to-self". These keys -are only used when there are other recipients given -either by use of --recipient or by the asked user id. -No trust checking is performed for these user ids and -even disabled keys can be used. -</para></listitem></varlistentry> - -<varlistentry> -<term>--hidden-encrypt-to &ParmName;</term> -<listitem><para> -Same as --hidden-recipient but this one is intended for use in the -options file and may be used with your own user-id as a hidden -"encrypt-to-self". These keys are only used when there are other -recipients given either by use of --recipient or by the asked user id. -No trust checking is performed for these user ids and even disabled -keys can be used. -</para></listitem></varlistentry> - -<varlistentry> -<term>--no-encrypt-to</term> -<listitem><para> -Disable the use of all --encrypt-to and --hidden-encrypt-to keys. -</para></listitem></varlistentry> - - -<varlistentry> -<term>-v, --verbose</term> -<listitem><para> -Give more information during processing. If used -twice, the input data is listed in detail. -</para></listitem></varlistentry> - - -<varlistentry> -<term>-q, --quiet</term> -<listitem><para> -Try to be as quiet as possible. -</para></listitem></varlistentry> - - -<varlistentry> -<term>-z &ParmN;</term> -<term>--compress-level &ParmN;</term> -<term>--bzip2-compress-level &ParmN;</term> -<listitem><para> -Set compression level to &ParmN; for the ZIP and ZLIB compression -algorithms. The default is to use the default compression level of -zlib (normally 6). --bzip2-compress-level sets the compression level -for the BZIP2 compression algorithm (defaulting to 6 as well). This -is a different option from --compress-level since BZIP2 uses a -significant amount of memory for each additional compression level. --z sets both. A value of 0 for &ParmN; disables compression. -</para></listitem></varlistentry> - - -<varlistentry> -<term>--bzip2-decompress-lowmem</term> -<listitem><para> -Use a different decompression method for BZIP2 compressed files. This -alternate method uses a bit more than half the memory, but also runs -at half the speed. This is useful under extreme low memory -circumstances when the file was originally compressed at a high ---bzip2-compress-level. -</para></listitem></varlistentry> - - -<varlistentry> -<term>-t, --textmode</term> -<term>--no-textmode</term> -<listitem><para> -Treat input files as text and store them in the OpenPGP canonical text -form with standard "CRLF" line endings. This also sets the necessary -flags to inform the recipient that the encrypted or signed data is -text and may need its line endings converted back to whatever the -local system uses. This option is useful when communicating between -two platforms that have different line ending conventions (UNIX-like -to Mac, Mac to Windows, etc). --no-textmode disables this option, and -is the default. -</para><para> -If -t (but not --textmode) is used together with armoring and signing, -this enables clearsigned messages. This kludge is needed for -command-line compatibility with command-line versions of PGP; normally -you would use --sign or --clearsign to select the type of the -signature. -</para></listitem></varlistentry> - - -<varlistentry> -<term>-n, --dry-run</term> -<listitem><para> -Don't make any changes (this is not completely implemented). -</para></listitem></varlistentry> - - -<varlistentry> -<term>-i, --interactive</term> -<listitem><para> -Prompt before overwriting any files. -</para></listitem></varlistentry> - -<varlistentry> -<term>--batch</term> -<term>--no-batch</term> -<listitem><para> -Use batch mode. Never ask, do not allow interactive commands. ---no-batch disables this option. -</para></listitem></varlistentry> - - -<varlistentry> -<term>--no-tty</term> -<listitem><para> -Make sure that the TTY (terminal) is never used for any output. -This option is needed in some cases because GnuPG sometimes prints -warnings to the TTY if --batch is used. -</para></listitem></varlistentry> - - -<varlistentry> -<term>--yes</term> -<listitem><para> -Assume "yes" on most questions. -</para></listitem></varlistentry> - - -<varlistentry> -<term>--no</term> -<listitem><para> -Assume "no" on most questions. -</para></listitem></varlistentry> - - -<varlistentry> -<term>--ask-cert-level</term> -<term>--no-ask-cert-level</term> -<listitem><para> -When making a key signature, prompt for a certification level. If -this option is not specified, the certification level used is set via ---default-cert-level. See --default-cert-level for information on the -specific levels and how they are used. --no-ask-cert-level disables -this option. This option defaults to no. -</para></listitem></varlistentry> - - -<varlistentry> -<term>--default-cert-level &ParmN;</term> -<listitem><para> -The default to use for the check level when signing a key. -</para><para> -0 means you make no particular claim as to how carefully you verified -the key. -</para><para> -1 means you believe the key is owned by the person who claims to own -it but you could not, or did not verify the key at all. This is -useful for a "persona" verification, where you sign the key of a -pseudonymous user. -</para><para> -2 means you did casual verification of the key. For example, this -could mean that you verified that the key fingerprint and checked the -user ID on the key against a photo ID. -</para><para> -3 means you did extensive verification of the key. For example, this -could mean that you verified the key fingerprint with the owner of the -key in person, and that you checked, by means of a hard to forge -document with a photo ID (such as a passport) that the name of the key -owner matches the name in the user ID on the key, and finally that you -verified (by exchange of email) that the email address on the key -belongs to the key owner. -</para><para> -Note that the examples given above for levels 2 and 3 are just that: -examples. In the end, it is up to you to decide just what "casual" -and "extensive" mean to you. -</para><para> -This option defaults to 0 (no particular claim). -</para></listitem></varlistentry> - - -<varlistentry> -<term>--min-cert-level</term> -<listitem><para> -When building the trust database, treat any signatures with a -certification level below this as invalid. Defaults to 2, which -disregards level 1 signatures. Note that level 0 "no particular -claim" signatures are always accepted. -</para></listitem></varlistentry> - - -<varlistentry> -<term>--trusted-key <parameter>long key ID</parameter></term> -<listitem><para> -Assume that the specified key (which must be given -as a full 8 byte key ID) is as trustworthy as one of -your own secret keys. This option is useful if you -don't want to keep your secret keys (or one of them) -online but still want to be able to check the validity of a given -recipient's or signator's key. -</para></listitem></varlistentry> - -<varlistentry> -<term>--trust-model <parameter>pgp|classic|direct|always|auto</parameter></term> -<listitem><para> - -Set what trust model GnuPG should follow. The models are: - -<variablelist> - -<varlistentry><term>pgp</term><listitem><para> -This is the Web of Trust combined with trust signatures as used in PGP -5.x and later. This is the default trust model when creating a new -trust database. -</para></listitem></varlistentry> - -<varlistentry><term>classic</term><listitem><para> -This is the standard Web of Trust as used in PGP 2.x and earlier. -</para></listitem></varlistentry> - -<varlistentry><term>direct</term><listitem><para> -Key validity is set directly by the user and not calculated via the -Web of Trust. -</para></listitem></varlistentry> - -<varlistentry><term>always</term><listitem><para> -Skip key validation and assume that used keys are always fully -trusted. You generally won't use this unless you are using some -external validation scheme. This option also suppresses the -"[uncertain]" tag printed with signature checks when there is no -evidence that the user ID is bound to the key. -</para></listitem></varlistentry> - -<varlistentry><term>auto</term><listitem><para> -Select the trust model depending on whatever the internal trust -database says. This is the default model if such a database already -exists. -</para></listitem></varlistentry> - -</variablelist></para></listitem></varlistentry> - -<varlistentry> -<term>--always-trust</term> -<listitem><para> -Identical to `--trust-model always'. This option is deprecated. -</para></listitem></varlistentry> - -<varlistentry> -<term>--auto-key-locate <parameter>parameters</parameter></term> -<term>--no-auto-key-locate</term> -<listitem><para> -GnuPG can automatically locate and retrieve keys as needed using this -option. This happens when encrypting to an email address (in the -"[email protected]" form), and there are no [email protected] keys on -the local keyring. This option takes any number of the following -arguments, in the order they are to be tried: - -<variablelist> - -<varlistentry><term>cert</term><listitem><para> -locate a key using DNS CERT, as specified in 2538bis (currently in -draft): http://www.josefsson.org/rfc2538bis/ -</para></listitem></varlistentry> - -<varlistentry><term>pka</term><listitem><para> -locate a key using DNS PKA. -</para></listitem></varlistentry> - -<varlistentry><term>ldap</term><listitem><para> -locate a key using the PGP Universal method of checking -"ldap://keys.(thedomain)". -</para></listitem></varlistentry> - -<varlistentry><term>keyserver</term><listitem><para> -locate a key using whatever keyserver is defined using the --keyserver -option. -</para></listitem></varlistentry> - -<varlistentry><term>(keyserver URL)</term><listitem><para> -In addition, a keyserver URL as used in the --keyserver option may be -used here to query that particular keyserver. -</para></listitem></varlistentry> - -</variablelist> -</para></listitem></varlistentry> - - -<varlistentry> -<term>--keyid-format <parameter>short|0xshort|long|0xlong</parameter></term> -<listitem><para> -Select how to display key IDs. "short" is the traditional 8-character -key ID. "long" is the more accurate (but less convenient) -16-character key ID. Add an "0x" to either to include an "0x" at the -beginning of the key ID, as in 0x99242560. -</para></listitem></varlistentry> - - -<varlistentry> -<term>--keyserver &ParmName; &OptParmNameValues;</term> -<listitem><para> -Use &ParmName; as your keyserver. This is the server that ---recv-keys, --send-keys, and --search-keys will communicate with to -receive keys from, send keys to, and search for keys on. The format -of the &ParmName; is a URI: `scheme:[//]keyservername[:port]' The -scheme is the type of keyserver: "hkp" for the HTTP (or compatible) -keyservers, "ldap" for the LDAP keyservers, or "mailto" for the Graff -email keyserver. Note that your particular installation of GnuPG may -have other keyserver types available as well. Keyserver schemes are -case-insensitive. After the keyserver name, optional keyserver -configuration options may be provided. These are the same as the -global --keyserver-options from below, but apply only to this -particular keyserver. -</para><para> -Most keyservers synchronize with each other, so there is generally no -need to send keys to more than one server. The keyserver -"hkp://subkeys.pgp.net" uses round robin DNS to give a different -keyserver each time you use it. -</para></listitem></varlistentry> - -<varlistentry> -<term>--keyserver-options &ParmNameValues;</term> -<listitem><para> -This is a space or comma delimited string that gives options for the -keyserver. Options can be prepended with a `no-' to give the opposite -meaning. Valid import-options or export-options may be used here as -well to apply to importing (--recv-key) or exporting (--send-key) a -key from a keyserver. While not all options are available for all -keyserver types, some common options are: -<variablelist> - -<varlistentry> -<term>include-revoked</term> -<listitem><para> -When searching for a key with --search-keys, include keys that are -marked on the keyserver as revoked. Note that not all keyservers -differentiate between revoked and unrevoked keys, and for such -keyservers this option is meaningless. Note also that most keyservers -do not have cryptographic verification of key revocations, and so -turning this option off may result in skipping keys that are -incorrectly marked as revoked. -</para></listitem></varlistentry> - -<varlistentry> -<term>include-disabled</term> -<listitem><para> -When searching for a key with --search-keys, include keys that are -marked on the keyserver as disabled. Note that this option is not -used with HKP keyservers. -</para></listitem></varlistentry> - -<varlistentry> -<term>auto-key-retrieve</term> -<listitem><para> -This option enables the automatic retrieving of keys from a keyserver -when verifying signatures made by keys that are not on the local -keyring. -</para><para> -Note that this option makes a "web bug" like behavior possible. -Keyserver operators can see which keys you request, so by sending you -a message signed by a brand new key (which you naturally will not have -on your local keyring), the operator can tell both your IP address and -the time when you verified the signature. -</para></listitem></varlistentry> - -<varlistentry> -<term>honor-keyserver-url</term> -<listitem><para> -When using --refresh-keys, if the key in question has a preferred -keyserver URL, then use that preferred keyserver to refresh the key -from. In addition, if auto-key-retrieve is set, and the signature -being verified has a preferred keyserver URL, then use that preferred -keyserver to fetch the key from. Defaults to yes. -</para></listitem></varlistentry> - -<varlistentry> -<term>honor-pka-record</term> -<listitem><para> -If auto-key-retrieve is set, and the signature being verified has a -PKA record, then use the PKA information to fetch the key. Defaults -to yes. -</para></listitem></varlistentry> - -<varlistentry> -<term>include-subkeys</term> -<listitem><para> -When receiving a key, include subkeys as potential targets. Note that -this option is not used with HKP keyservers, as they do not support -retrieving keys by subkey id. -</para></listitem></varlistentry> - -<varlistentry> -<term>use-temp-files</term> -<listitem><para> -On most Unix-like platforms, GnuPG communicates with the keyserver -helper program via pipes, which is the most efficient method. This -option forces GnuPG to use temporary files to communicate. On some -platforms (such as Win32 and RISC OS), this option is always enabled. -</para></listitem></varlistentry> - -<varlistentry> -<term>keep-temp-files</term> -<listitem><para> -If using `use-temp-files', do not delete the temp files after using -them. This option is useful to learn the keyserver communication -protocol by reading the temporary files. -</para></listitem></varlistentry> - -<varlistentry> -<term>verbose</term> -<listitem><para> -Tell the keyserver helper program to be more verbose. This option can -be repeated multiple times to increase the verbosity level. -</para></listitem></varlistentry> - -<varlistentry> -<term>timeout&OptEqualsValue;</term> -<listitem><para> -Tell the keyserver helper program how long (in seconds) to try and -perform a keyserver action before giving up. Note that performing -multiple actions at the same time uses this timeout value per action. -For example, when retrieving multiple keys via --recv-keys, the -timeout applies separately to each key retrieval, and not to the ---recv-keys command as a whole. Defaults to 30 seconds. -</para></listitem></varlistentry> - -<varlistentry> -<term>http-proxy&OptEqualsValue;</term> -<listitem><para> -For HTTP-like keyserver schemes that (such as HKP and HTTP itself), -try to access the keyserver over a proxy. If a &ParmValue; is -specified, use this as the HTTP proxy. If no &ParmValue; is -specified, the value of the environment variable "http_proxy", if any, -will be used. -</para></listitem></varlistentry> - -<varlistentry> -<term>max-cert-size&OptEqualsValue;</term> -<listitem><para> -When retrieving a key via DNS CERT, only accept keys up to this size. -Defaults to 16384 bytes. -</para></listitem></varlistentry> - -</variablelist> -</para></listitem></varlistentry> - -<varlistentry> -<term>--import-options <parameter>parameters</parameter></term> -<listitem><para> -This is a space or comma delimited string that gives options for -importing keys. Options can be prepended with a `no-' to give the -opposite meaning. The options are: -<variablelist> - -<varlistentry> -<term>import-local-sigs</term> -<listitem><para> -Allow importing key signatures marked as "local". This is not -generally useful unless a shared keyring scheme is being used. -Defaults to no. -</para></listitem></varlistentry> - -<varlistentry> -<term>repair-pks-subkey-bug</term> -<listitem><para> -During import, attempt to repair the damage caused by the PKS -keyserver bug (pre version 0.9.6) that mangles keys with multiple -subkeys. Note that this cannot completely repair the damaged key as -some crucial data is removed by the keyserver, but it does at least -give you back one subkey. Defaults to no for regular --import and to -yes for keyserver --recv-keys. -</para></listitem></varlistentry> - -<varlistentry> -<term>merge-only</term> -<listitem><para> -During import, allow key updates to existing keys, but do not allow -any new keys to be imported. Defaults to no. -</para></listitem></varlistentry> - -<varlistentry> -<term>import-clean</term> -<listitem><para> -After import, compact (remove all signatures except the -self-signature) any user IDs from the new key that are not usable. -Then, remove any signatures from the new key that are not usable. -This includes signatures that were issued by keys that are not present -on the keyring. This option is the same as running the --edit-key -command "clean" after import. Defaults to no. -</para></listitem></varlistentry> - -<varlistentry> -<term>import-minimal</term> -<listitem><para> -Import the smallest key possible. This removes all signatures except -the most recent self-signature on each user ID. This option is the -same as running the --edit-key command "minimize" after import. -Defaults to no. -</para></listitem></varlistentry> - -</variablelist> -</para></listitem></varlistentry> - -<varlistentry> -<term>--export-options <parameter>parameters</parameter></term> -<listitem><para> -This is a space or comma delimited string that gives options for -exporting keys. Options can be prepended with a `no-' to give the -opposite meaning. The options are: -<variablelist> - -<varlistentry> -<term>export-local-sigs</term> -<listitem><para> -Allow exporting key signatures marked as "local". This is not -generally useful unless a shared keyring scheme is being used. -Defaults to no. -</para></listitem></varlistentry> - -<varlistentry> -<term>export-attributes</term> -<listitem><para> -Include attribute user IDs (photo IDs) while exporting. This is -useful to export keys if they are going to be used by an OpenPGP -program that does not accept attribute user IDs. Defaults to yes. -</para></listitem></varlistentry> - -<varlistentry> -<term>export-sensitive-revkeys</term> -<listitem><para> -Include designated revoker information that was marked as -"sensitive". Defaults to no. -</para></listitem></varlistentry> - -<varlistentry> -<term>export-reset-subkey-passwd</term> -<listitem><para> -When using the "--export-secret-subkeys" command, this option resets -the passphrases for all exported subkeys to empty. This is useful -when the exported subkey is to be used on an unattended machine where -a passphrase doesn't necessarily make sense. Defaults to no. -</para></listitem></varlistentry> - -<varlistentry> -<term>export-clean</term> -<listitem><para> -Compact (remove all signatures from) user IDs on the key being -exported if the user IDs are not usable. Also, do not export any -signatures that are not usable. This includes signatures that were -issued by keys that are not present on the keyring. This option is -the same as running the --edit-key command "clean" before export -except that the local copy of the key is not modified. Defaults to -no. -</para></listitem></varlistentry> - -<varlistentry> -<term>export-minimal</term> -<listitem><para> -Export the smallest key possible. This removes all signatures except -the most recent self-signature on each user ID. This option is the -same as running the --edit-key command "minimize" before export except -that the local copy of the key is not modified. Defaults to no. -</para></listitem></varlistentry> - -</variablelist> -</para></listitem></varlistentry> - -<varlistentry> -<term>--list-options <parameter>parameters</parameter></term> -<listitem><para> -This is a space or comma delimited string that gives options used when -listing keys and signatures (that is, --list-keys, --list-sigs, ---list-public-keys, --list-secret-keys, and the --edit-key functions). -Options can be prepended with a `no-' to give the opposite meaning. -The options are: -<variablelist> - -<varlistentry> -<term>show-photos</term> -<listitem><para> -Causes --list-keys, --list-sigs, --list-public-keys, and ---list-secret-keys to display any photo IDs attached to the key. -Defaults to no. See also --photo-viewer. -</para></listitem></varlistentry> - -<varlistentry> -<term>show-policy-urls</term> -<listitem><para> -Show policy URLs in the --list-sigs or --check-sigs listings. -Defaults to no. -</para></listitem></varlistentry> - -<varlistentry> -<term>show-notations</term> -<term>show-std-notations</term> -<term>show-user-notations</term> -<listitem><para> -Show all, IETF standard, or user-defined signature notations in the ---list-sigs or --check-sigs listings. Defaults to no. -</para></listitem></varlistentry> - -<varlistentry> -<term>show-keyserver-urls</term> -<listitem><para> -Show any preferred keyserver URL in the --list-sigs or --check-sigs -listings. Defaults to no. -</para></listitem></varlistentry> - -<varlistentry> -<term>show-uid-validity</term> -<listitem><para> -Display the calculated validity of user IDs during key listings. -Defaults to no. -</para></listitem></varlistentry> - -<varlistentry> -<term>show-unusable-uids</term> -<listitem><para> -Show revoked and expired user IDs in key listings. Defaults to no. -</para></listitem></varlistentry> - -<varlistentry> -<term>show-unusable-subkeys</term> -<listitem><para> -Show revoked and expired subkeys in key listings. Defaults to no. -</para></listitem></varlistentry> - -<varlistentry> -<term>show-keyring</term> -<listitem><para> -Display the keyring name at the head of key listings to show which -keyring a given key resides on. Defaults to no. -</para></listitem></varlistentry> - -<varlistentry> -<term>show-sig-expire</term> -<listitem><para> -Show signature expiration dates (if any) during --list-sigs or ---check-sigs listings. Defaults to no. -</para></listitem></varlistentry> - -<varlistentry> -<term>show-sig-subpackets</term> -<listitem><para> -Include signature subpackets in the key listing. This option can take -an optional argument list of the subpackets to list. If no argument -is passed, list all subpackets. Defaults to no. This option is only -meaningful when using --with-colons along with --list-sigs or ---check-sigs. -</para></listitem></varlistentry> - -</variablelist> -</para></listitem></varlistentry> - -<varlistentry> -<term>--verify-options <parameter>parameters</parameter></term> -<listitem><para> -This is a space or comma delimited string that gives options used when -verifying signatures. Options can be prepended with a `no-' to give -the opposite meaning. The options are: -<variablelist> - -<varlistentry> -<term>show-photos</term> -<listitem><para> -Display any photo IDs present on the key that issued the signature. -Defaults to no. See also --photo-viewer. -</para></listitem></varlistentry> - -<varlistentry> -<term>show-policy-urls</term> -<listitem><para> -Show policy URLs in the signature being verified. Defaults to no. -</para></listitem></varlistentry> - -<varlistentry> -<term>show-notations</term> -<term>show-std-notations</term> -<term>show-user-notations</term> -<listitem><para> -Show all, IETF standard, or user-defined signature notations in the -signature being verified. Defaults to IETF standard. -</para></listitem></varlistentry> - -<varlistentry> -<term>show-keyserver-urls</term> -<listitem><para> -Show any preferred keyserver URL in the signature being verified. -Defaults to no. -</para></listitem></varlistentry> - -<varlistentry> -<term>show-uid-validity</term> -<listitem><para> -Display the calculated validity of the user IDs on the key that issued -the signature. Defaults to no. -</para></listitem></varlistentry> - -<varlistentry> -<term>show-unusable-uids</term> -<listitem><para> -Show revoked and expired user IDs during signature verification. -Defaults to no. -</para></listitem></varlistentry> - -<varlistentry> -<term>pka-lookups</term> -<listitem><para> -Enable PKA lookups to verify sender addresses. Note that PKA is based -on DNS, and so enabling this option may disclose information on when -and what signatures are verified or to whom data is encrypted. This -is similar to the "web bug" described for the auto-key-retrieve -feature. -</para></listitem></varlistentry> - -<varlistentry> -<term>pka-trust-increase</term> -<listitem><para> -Raise the trust in a signature to full if the signature passes PKA -validation. This option is only meaningful if pka-lookups is set. -</para></listitem></varlistentry> - -</variablelist> -</para></listitem></varlistentry> - -<varlistentry> -<term>--enable-dsa2</term> -<term>--disable-dsa2</term> -<listitem><para> -Enables new-style DSA keys which (unlike the old style) may be larger -than 1024 bit and use hashes other than SHA-1 and RIPEMD/160. Note -that very few programs currently support these keys and signatures -from them. -</para></listitem></varlistentry> - - -<varlistentry> -<term>--show-photos</term> -<term>--no-show-photos</term> -<listitem><para> -Causes --list-keys, --list-sigs, --list-public-keys, ---list-secret-keys, and verifying a signature to also display the -photo ID attached to the key, if any. See also --photo-viewer. These -options are deprecated. Use `--list-options [no-]show-photos' and/or -`--verify-options [no-]show-photos' instead. -</para></listitem></varlistentry> - -<varlistentry> -<term>--photo-viewer &ParmString;</term> -<listitem><para> -This is the command line that should be run to view a photo ID. "%i" -will be expanded to a filename containing the photo. "%I" does the -same, except the file will not be deleted once the viewer exits. -Other flags are "%k" for the key ID, "%K" for the long key ID, "%f" -for the key fingerprint, "%t" for the extension of the image type -(e.g. "jpg"), "%T" for the MIME type of the image (e.g. "image/jpeg"), -and "%%" for an actual percent sign. If neither %i or %I are present, -then the photo will be supplied to the viewer on standard input. -</para><para> -The default viewer is "xloadimage -fork -quiet -title 'KeyID 0x%k' -stdin". Note that if your image viewer program is not secure, then -executing it from GnuPG does not make it secure. -</para></listitem></varlistentry> - -<varlistentry> -<term>--exec-path &ParmString;</term> -<listitem><para> -Sets a list of directories to search for photo viewers and keyserver -helpers. If not provided, keyserver helpers use the compiled-in -default directory, and photo viewers use the $PATH environment -variable. -Note, that on W32 system this value is ignored when searching for -keyserver helpers. -</para></listitem></varlistentry> - -<varlistentry> -<term>--show-keyring</term> -<listitem><para> -Display the keyring name at the head of key listings to show which -keyring a given key resides on. This option is deprecated: use -`--list-options [no-]show-keyring' instead. -</para></listitem></varlistentry> - -<varlistentry> -<term>--keyring &ParmFile;</term> -<listitem><para> -Add &ParmFile; to the current list of keyrings. If &ParmFile; begins -with a tilde and a slash, these are replaced by the $HOME -directory. If the filename does not contain a slash, it is assumed to -be in the GnuPG home directory ("~/.gnupg" if --homedir or $GNUPGHOME -is not used). -</para><para> -Note that this adds a keyring to the current list. If the intent is -to use the specified keyring alone, use --keyring along with ---no-default-keyring. -</para></listitem></varlistentry> - - -<varlistentry> -<term>--secret-keyring &ParmFile;</term> -<listitem><para> -Same as --keyring but for the secret keyrings. -</para></listitem></varlistentry> - -<varlistentry> -<term>--primary-keyring &ParmFile;</term> -<listitem><para> -Designate &ParmFile; as the primary public keyring. This means that -newly imported keys (via --import or keyserver --recv-from) will go to -this keyring. -</para></listitem></varlistentry> - -<varlistentry> -<term>--trustdb-name &ParmFile;</term> -<listitem><para> -Use &ParmFile; instead of the default trustdb. If &ParmFile; begins -with a tilde and a slash, these are replaced by the $HOME -directory. If the filename does not contain a slash, it is assumed to -be in the GnuPG home directory ("~/.gnupg" if --homedir or $GNUPGHOME -is not used). -</para></listitem></varlistentry> - - -<varlistentry> -<term>--homedir &ParmDir;</term> -<listitem><para> -Set the name of the home directory to &ParmDir; If this option is not -used it defaults to "~/.gnupg". It does not make sense to use this in -a options file. This also overrides the environment variable -$GNUPGHOME. -</para></listitem></varlistentry> - -<varlistentry> -<term>--pcsc-driver &ParmFile;</term> -<listitem><para> -Use &ParmFile; to access the smartcard reader. The current default is -`libpcsclite.so.1' for GLIBC based systems, -`/System/Library/Frameworks/PCSC.framework/PCSC' for MAC OS X, -`winscard.dll' for Windows and `libpcsclite.so' for other systems. -</para></listitem></varlistentry> - -<varlistentry> -<term>--ctapi-driver &ParmFile;</term> -<listitem><para> -Use &ParmFile; to access the smartcard reader. The current default -is `libtowitoko.so'. Note that the use of this interface is -deprecated; it may be removed in future releases. -</para></listitem></varlistentry> - -<varlistentry> -<term>--disable-ccid</term> -<listitem><para> -Disable the integrated support for CCID compliant readers. This -allows to fall back to one of the other drivers even if the internal -CCID driver can handle the reader. Note, that CCID support is only -available if libusb was available at build time. -</para></listitem></varlistentry> - -<varlistentry> -<term>--reader-port <parameter>number_or_string</parameter></term> -<listitem><para> -This option may be used to specify the port of the card terminal. A -value of 0 refers to the first serial device; add 32768 to access USB -devices. The default is 32768 (first USB device). PC/SC or CCID -readers might need a string here; run the program in verbose mode to get -a list of available readers. The default is then the first reader -found. -</para></listitem></varlistentry> - - -<varlistentry> -<term>--display-charset &ParmName;</term> -<listitem><para> -Set the name of the native character set. This is used to convert -some informational strings like user IDs to the proper UTF-8 encoding. -Note that this has nothing to do with the character set of data to be -encrypted or signed; GnuPG does not recode user supplied data. If -this option is not used, the default character set is determined from -the current locale. A verbosity level of 3 shows the chosen set. -Valid values for &ParmName; are:</para> -<variablelist> -<varlistentry> -<term>iso-8859-1</term><listitem><para>This is the Latin 1 set.</para></listitem> -</varlistentry> -<varlistentry> -<term>iso-8859-2</term><listitem><para>The Latin 2 set.</para></listitem> -</varlistentry> -<varlistentry> -<term>iso-8859-15</term><listitem><para>This is currently an alias for -the Latin 1 set.</para></listitem> -</varlistentry> -<varlistentry> -<term>koi8-r</term><listitem><para>The usual Russian set (rfc1489).</para></listitem> -</varlistentry> -<varlistentry> -<term>utf-8</term><listitem><para>Bypass all translations and assume -that the OS uses native UTF-8 encoding.</para></listitem> -</varlistentry> -</variablelist> -</listitem></varlistentry> - - -<varlistentry> -<term>--utf8-strings</term> -<term>--no-utf8-strings</term> -<listitem><para> -Assume that command line arguments are given as UTF8 strings. The -default (--no-utf8-strings) is to assume that arguments are encoded in -the character set as specified by --display-charset. These options -affect all following arguments. Both options may be used multiple -times. -</para></listitem></varlistentry> - - -<varlistentry> -<term>--options &ParmFile;</term> -<listitem><para> -Read options from &ParmFile; and do not try to read -them from the default options file in the homedir -(see --homedir). This option is ignored if used -in an options file. -</para></listitem></varlistentry> - - -<varlistentry> -<term>--no-options</term> -<listitem><para> -Shortcut for "--options /dev/null". This option is -detected before an attempt to open an option file. -Using this option will also prevent the creation of a -"~./gnupg" homedir. -</para></listitem></varlistentry> - - -<varlistentry> -<term>--load-extension &ParmName;</term> -<listitem><para> -Load an extension module. If &ParmName; does not contain a slash it is -searched for in the directory configured when GnuPG was built -(generally "/usr/local/lib/gnupg"). Extensions are not generally -useful anymore, and the use of this option is deprecated. -</para></listitem></varlistentry> - - -<varlistentry> -<term>--debug &ParmFlags;</term> -<listitem><para> -Set debugging flags. All flags are or-ed and &ParmFlags; may -be given in C syntax (e.g. 0x0042). -</para></listitem></varlistentry> - - -<varlistentry> -<term>--debug-all</term> -<listitem><para> - Set all useful debugging flags. -</para></listitem></varlistentry> - -<varlistentry> -<term>--debug-ccid-driver</term> -<listitem><para> -Enable debug output from the included CCID driver for smartcards. -Note that this option is only available on some system. -</para></listitem></varlistentry> - - -<varlistentry> -<term>--enable-progress-filter</term> -<listitem><para> -Enable certain PROGRESS status outputs. This option allows frontends -to display a progress indicator while gpg is processing larger files. -There is a slight performance overhead using it. -</para></listitem></varlistentry> - - -<varlistentry> -<term>--status-fd &ParmN;</term> -<listitem><para> -Write special status strings to the file descriptor &ParmN;. -See the file DETAILS in the documentation for a listing of them. -</para></listitem></varlistentry> - -<varlistentry> -<term>--status-file &ParmFile;</term> -<listitem><para> -Same as --status-fd, except the status data is written to file -&ParmFile;. -</para></listitem></varlistentry> - -<varlistentry> -<term>--logger-fd &ParmN;</term> -<listitem><para> -Write log output to file descriptor &ParmN; and not to stderr. -</para></listitem></varlistentry> - -<varlistentry> -<term>--logger-file &ParmFile;</term> -<listitem><para> -Same as --logger-fd, except the logger data is written to file -&ParmFile;. -</para></listitem></varlistentry> - -<varlistentry> -<term>--attribute-fd &ParmN;</term> -<listitem><para> -Write attribute subpackets to the file descriptor &ParmN;. This is -most useful for use with --status-fd, since the status messages are -needed to separate out the various subpackets from the stream -delivered to the file descriptor. -</para></listitem></varlistentry> - -<varlistentry> -<term>--attribute-file &ParmFile;</term> -<listitem><para> -Same as --attribute-fd, except the attribute data is written to file -&ParmFile;. -</para></listitem></varlistentry> - - -<varlistentry> -<term>--comment &ParmString;</term> -<term>--no-comments</term> -<listitem><para> -Use &ParmString; as a comment string in clear text signatures and -ASCII armored messages or keys (see --armor). The default behavior is -not to use a comment string. --comment may be repeated multiple times -to get multiple comment strings. --no-comments removes all comments. -It is a good idea to keep the length of a single comment below 60 -characters to avoid problems with mail programs wrapping such lines. -Note that comment lines, like all other header lines, are not -protected by the signature. -</para></listitem></varlistentry> - - -<varlistentry> -<term>--emit-version</term> -<term>--no-emit-version</term> -<listitem><para> -Force inclusion of the version string in ASCII armored output. ---no-emit-version disables this option. -</para></listitem></varlistentry> - - -<varlistentry> -<term>--sig-notation &ParmNameValue;</term> -<term>--cert-notation &ParmNameValue;</term> -<term>-N, --set-notation &ParmNameValue;</term> -<listitem><para> -Put the name value pair into the signature as notation data. -&ParmName; must consist only of printable characters or spaces, and -must contain a '@' character in the form [email protected] -(substituting the appropriate keyname and domain name, of course). -This is to help prevent pollution of the IETF reserved notation -namespace. The --expert flag overrides the '@' check. &ParmValue; -may be any printable string; it will be encoded in UTF8, so you should -check that your --display-charset is set correctly. If you prefix -&ParmName; with an exclamation mark (!), the notation data will be -flagged as critical (rfc2440:5.2.3.15). --sig-notation sets a -notation for data signatures. --cert-notation sets a notation for key -signatures (certifications). --set-notation sets both. -</para> - -<para> -There are special codes that may be used in notation names. "%k" will -be expanded into the key ID of the key being signed, "%K" into the -long key ID of the key being signed, "%f" into the fingerprint of the -key being signed, "%s" into the key ID of the key making the -signature, "%S" into the long key ID of the key making the signature, -"%g" into the fingerprint of the key making the signature (which might -be a subkey), "%p" into the fingerprint of the primary key of the key -making the signature, "%c" into the signature count from the OpenPGP -smartcard, and "%%" results in a single "%". %k, %K, and %f are only -meaningful when making a key signature (certification), and %c is only -meaningful when using the OpenPGP smartcard. -</para> - -</listitem></varlistentry> - -<varlistentry> -<term>--show-notation</term> -<term>--no-show-notation</term> -<listitem><para> -Show signature notations in the --list-sigs or --check-sigs listings -as well as when verifying a signature with a notation in it. These -options are deprecated. Use `--list-options [no-]show-notation' -and/or `--verify-options [no-]show-notation' instead. -</para></listitem></varlistentry> - -<varlistentry> -<term>--sig-policy-url &ParmString;</term> -<term>--cert-policy-url &ParmString;</term> -<term>--set-policy-url &ParmString;</term> -<listitem><para> -Use &ParmString; as a Policy URL for signatures (rfc2440:5.2.3.19). -If you prefix it with an exclamation mark (!), the policy URL packet -will be flagged as critical. --sig-policy-url sets a policy url for -data signatures. --cert-policy-url sets a policy url for key -signatures (certifications). --set-policy-url sets both. -</para><para> -The same %-expandos used for notation data are available here as well. -</para></listitem></varlistentry> - -<varlistentry> -<term>--show-policy-url</term> -<term>--no-show-policy-url</term> -<listitem><para> -Show policy URLs in the --list-sigs or --check-sigs listings as well -as when verifying a signature with a policy URL in it. These options -are deprecated. Use `--list-options [no-]show-policy-url' and/or -`--verify-options [no-]show-policy-url' instead. -</para></listitem></varlistentry> - - -<varlistentry> -<term>--sig-keyserver-url &ParmString;</term> -<listitem><para> -Use &ParmString; as a preferred keyserver URL for data signatures. If -you prefix it with an exclamation mark, the keyserver URL packet will -be flagged as critical. </para><para> -The same %-expandos used for notation data are available here as well. -</para></listitem></varlistentry> - - -<varlistentry> -<term>--set-filename &ParmString;</term> -<listitem><para> -Use &ParmString; as the filename which is stored inside messages. -This overrides the default, which is to use the actual filename of the -file being encrypted. -</para></listitem></varlistentry> - -<varlistentry> -<term>--for-your-eyes-only</term> -<term>--no-for-your-eyes-only</term> -<listitem><para> -Set the `for your eyes only' flag in the message. This causes GnuPG -to refuse to save the file unless the --output option is given, and -PGP to use the "secure viewer" with a Tempest-resistant font to -display the message. This option overrides --set-filename. ---no-for-your-eyes-only disables this option. -</para></listitem></varlistentry> - -<varlistentry> -<term>--use-embedded-filename</term> -<term>--no-use-embedded-filename</term> -<listitem><para> -Try to create a file with a name as embedded in the data. This can be -a dangerous option as it allows to overwrite files. Defaults to no. -</para></listitem></varlistentry> - - -<varlistentry> -<term>--completes-needed &ParmN;</term> -<listitem><para> -Number of completely trusted users to introduce a new -key signer (defaults to 1). -</para></listitem></varlistentry> - - -<varlistentry> -<term>--marginals-needed &ParmN;</term> -<listitem><para> -Number of marginally trusted users to introduce a new -key signer (defaults to 3) -</para></listitem></varlistentry> - - -<varlistentry> -<term>--max-cert-depth &ParmN;</term> -<listitem><para> -Maximum depth of a certification chain (default is 5). -</para></listitem></varlistentry> - - -<varlistentry> -<term>--cipher-algo &ParmName;</term> -<listitem><para> -Use &ParmName; as cipher algorithm. Running the program with the -command --version yields a list of supported algorithms. If this is -not used the cipher algorithm is selected from the preferences stored -with the key. In general, you do not want to use this option as it -allows you to violate the OpenPGP standard. ---personal-cipher-preferences is the safe way to accomplish the same -thing. -</para></listitem></varlistentry> - - -<varlistentry> -<term>--digest-algo &ParmName;</term> -<listitem><para> -Use &ParmName; as the message digest algorithm. Running the program -with the command --version yields a list of supported algorithms. In -general, you do not want to use this option as it allows you to -violate the OpenPGP standard. --personal-digest-preferences is the -safe way to accomplish the same thing. -</para></listitem></varlistentry> - - -<varlistentry> -<term>--compress-algo &ParmName;</term> -<listitem><para> -Use compression algorithm &ParmName;. "zlib" is RFC-1950 ZLIB -compression. "zip" is RFC-1951 ZIP compression which is used by PGP. -"bzip2" is a more modern compression scheme that can compress some -things better than zip or zlib, but at the cost of more memory used -during compression and decompression. "uncompressed" or "none" -disables compression. If this option is not used, the default -behavior is to examine the recipient key preferences to see which -algorithms the recipient supports. If all else fails, ZIP is used for -maximum compatibility. -</para><para> -ZLIB may give better compression results than ZIP, as the compression -window size is not limited to 8k. BZIP2 may give even better -compression results than that, but will use a significantly larger -amount of memory while compressing and decompressing. This may be -significant in low memory situations. Note, however, that PGP (all -versions) only supports ZIP compression. Using any algorithm other -than ZIP or "none" will make the message unreadable with PGP. In -general, you do not want to use this option as it allows you to -violate the OpenPGP standard. --personal-compress-preferences is the -safe way to accomplish the same thing. -</para></listitem></varlistentry> - - -<varlistentry> -<term>--cert-digest-algo &ParmName;</term> -<listitem><para> -Use &ParmName; as the message digest algorithm used when signing a -key. Running the program with the command --version yields a list of -supported algorithms. Be aware that if you choose an algorithm that -GnuPG supports but other OpenPGP implementations do not, then some -users will not be able to use the key signatures you make, or quite -possibly your entire key. -</para></listitem></varlistentry> - - -<varlistentry> -<term>--s2k-cipher-algo &ParmName;</term> -<listitem><para> -Use &ParmName; as the cipher algorithm used to protect secret keys. -The default cipher is CAST5. This cipher is also used for -conventional encryption if --personal-cipher-preferences and ---cipher-algo is not given. -</para></listitem></varlistentry> - - -<varlistentry> -<term>--s2k-digest-algo &ParmName;</term> -<listitem><para> -Use &ParmName; as the digest algorithm used to mangle the passphrases. -The default algorithm is SHA-1. -</para></listitem></varlistentry> - - -<varlistentry> -<term>--s2k-mode &ParmN;</term> -<listitem><para> -Selects how passphrases are mangled. If &ParmN; is 0 a plain -passphrase (which is not recommended) will be used, a 1 adds a salt to -the passphrase and a 3 (the default) iterates the whole process a -couple of times. Unless --rfc1991 is used, this mode is also used for -conventional encryption. -</para></listitem></varlistentry> - - -<varlistentry> -<term>--simple-sk-checksum</term> -<listitem><para> -Secret keys are integrity protected by using a SHA-1 checksum. This -method is part of the upcoming enhanced OpenPGP specification but -GnuPG already uses it as a countermeasure against certain attacks. -Old applications don't understand this new format, so this option may -be used to switch back to the old behaviour. Using this option bears -a security risk. Note that using this option only takes effect when -the secret key is encrypted - the simplest way to make this happen is -to change the passphrase on the key (even changing it to the same -value is acceptable). -</para></listitem></varlistentry> - - -<varlistentry> -<term>--disable-cipher-algo &ParmName;</term> -<listitem><para> -Never allow the use of &ParmName; as cipher algorithm. -The given name will not be checked so that a later loaded algorithm -will still get disabled. -</para></listitem></varlistentry> - -<varlistentry> -<term>--disable-pubkey-algo &ParmName;</term> -<listitem><para> -Never allow the use of &ParmName; as public key algorithm. -The given name will not be checked so that a later loaded algorithm -will still get disabled. -</para></listitem></varlistentry> - -<varlistentry> -<term>--no-sig-cache</term> -<listitem><para> -Do not cache the verification status of key signatures. -Caching gives a much better performance in key listings. However, if -you suspect that your public keyring is not save against write -modifications, you can use this option to disable the caching. It -probably does not make sense to disable it because all kind of damage -can be done if someone else has write access to your public keyring. -</para></listitem></varlistentry> - -<varlistentry> -<term>--no-sig-create-check</term> -<listitem><para> -GnuPG normally verifies each signature right after creation to protect -against bugs and hardware malfunctions which could leak out bits from -the secret key. This extra verification needs some time (about 115% -for DSA keys), and so this option can be used to disable it. -However, due to the fact that the signature creation needs manual -interaction, this performance penalty does not matter in most settings. -</para></listitem></varlistentry> - -<varlistentry> -<term>--auto-check-trustdb</term> -<term>--no-auto-check-trustdb</term> -<listitem><para> -If GnuPG feels that its information about the Web of Trust has to be -updated, it automatically runs the --check-trustdb command internally. -This may be a time consuming process. --no-auto-check-trustdb -disables this option. -</para></listitem></varlistentry> - -<varlistentry> -<term>--throw-keyids</term> -<term>--no-throw-keyids</term> -<listitem><para> -Do not put the recipient key IDs into encrypted messages. This helps -to hide the receivers of the message and is a limited countermeasure -against traffic analysis. On the receiving side, it may slow down the -decryption process because all available secret keys must be tried. ---no-throw-keyids disables this option. This option is essentially -the same as using --hidden-recipient for all recipients. -</para></listitem></varlistentry> - -<varlistentry> -<term>--not-dash-escaped</term> -<listitem><para> -This option changes the behavior of cleartext signatures -so that they can be used for patch files. You should not -send such an armored file via email because all spaces -and line endings are hashed too. You can not use this -option for data which has 5 dashes at the beginning of a -line, patch files don't have this. A special armor header -line tells GnuPG about this cleartext signature option. -</para></listitem></varlistentry> - -<varlistentry> -<term>--escape-from-lines</term> -<term>--no-escape-from-lines</term> -<listitem><para> -Because some mailers change lines starting with "From " to ">From -" it is good to handle such lines in a special way when creating -cleartext signatures to prevent the mail system from breaking the -signature. Note that all other PGP versions do it this way too. -Enabled by default. --no-escape-from-lines disables this option. -</para></listitem></varlistentry> - - -<varlistentry> -<term>--passphrase-fd &ParmN;</term> -<listitem><para> -Read the passphrase from file descriptor &ParmN;. Only the first line -will be read from file descriptor &ParmN;. If you use 0 for &ParmN;, -the passphrase will be read from stdin. This can only be used if only -one passphrase is supplied. -</para></listitem></varlistentry> - -<varlistentry> -<term>--passphrase-file &ParmFile;</term> -<listitem><para> -Read the passphrase from file &ParmFile;. Only the first line will -be read from file &ParmFile;. This can only be used if only one -passphrase is supplied. Obviously, a passphrase stored in a file is -of questionable security if other users can read this file. Don't use -this option if you can avoid it. -</para></listitem></varlistentry> - -<varlistentry> -<term>--passphrase &ParmString;</term> -<listitem><para> -Use &ParmString; as the passphrase. This can only be used if only one -passphrase is supplied. Obviously, this is of very questionable -security on a multi-user system. Don't use this option if you can -avoid it. -</para></listitem></varlistentry> - -<varlistentry> -<term>--command-fd &ParmN;</term> -<listitem><para> -This is a replacement for the deprecated shared-memory IPC mode. -If this option is enabled, user input on questions is not expected -from the TTY but from the given file descriptor. It should be used -together with --status-fd. See the file doc/DETAILS in the source -distribution for details on how to use it. -</para></listitem></varlistentry> - -<varlistentry> -<term>--command-file &ParmFile;</term> -<listitem><para> -Same as --command-fd, except the commands are read out of file -&ParmFile; -</para></listitem></varlistentry> - -<varlistentry> -<term>--use-agent</term> -<term>--no-use-agent</term> -<listitem><para> -Try to use the GnuPG-Agent. Please note that this agent is still under -development. With this option, GnuPG first tries to connect to the -agent before it asks for a passphrase. --no-use-agent disables this -option. -</para></listitem></varlistentry> - -<varlistentry> -<term>--gpg-agent-info</term> -<listitem><para> -Override the value of the environment variable -<literal>GPG_AGENT_INFO</literal>. This is only used when --use-agent has been given -</para></listitem></varlistentry> - -<varlistentry> -<term>Compliance options</term> -<listitem><para> -These options control what GnuPG is compliant to. Only one of these -options may be active at a time. Note that the default setting of -this is nearly always the correct one. See the INTEROPERABILITY WITH -OTHER OPENPGP PROGRAMS section below before using one of these -options. -<variablelist> - -<varlistentry> -<term>--gnupg</term> -<listitem><para> -Use standard GnuPG behavior. This is essentially OpenPGP behavior -(see --openpgp), but with some additional workarounds for common -compatibility problems in different versions of PGP. This is the -default option, so it is not generally needed, but it may be useful to -override a different compliance option in the gpg.conf file. -</para></listitem></varlistentry> - -<varlistentry> -<term>--openpgp</term> -<listitem><para> -Reset all packet, cipher and digest options to strict OpenPGP -behavior. Use this option to reset all previous options like ---rfc1991, --force-v3-sigs, --s2k-*, --cipher-algo, --digest-algo and ---compress-algo to OpenPGP compliant values. All PGP workarounds are -disabled. -</para></listitem></varlistentry> - -<varlistentry> -<term>--rfc2440</term> -<listitem><para> -Reset all packet, cipher and digest options to strict RFC-2440 -behavior. Note that this is currently the same thing as --openpgp. -</para></listitem></varlistentry> - -<varlistentry> -<term>--rfc1991</term> -<listitem><para> -Try to be more RFC-1991 (PGP 2.x) compliant. -</para></listitem></varlistentry> - -<varlistentry> -<term>--pgp2</term> -<listitem><para> -Set up all options to be as PGP 2.x compliant as possible, and warn if -an action is taken (e.g. encrypting to a non-RSA key) that will create -a message that PGP 2.x will not be able to handle. Note that `PGP -2.x' here means `MIT PGP 2.6.2'. There are other versions of PGP 2.x -available, but the MIT release is a good common baseline. -</para><para> -This option implies `--rfc1991 --disable-mdc --no-force-v4-certs ---no-sk-comment --escape-from-lines --force-v3-sigs ---no-ask-sig-expire --no-ask-cert-expire --cipher-algo IDEA ---digest-algo MD5 --compress-algo 1'. It also disables --textmode -when encrypting. -</para></listitem></varlistentry> - -<varlistentry> -<term>--pgp6</term> -<listitem><para> -Set up all options to be as PGP 6 compliant as possible. This -restricts you to the ciphers IDEA (if the IDEA plugin is installed), -3DES, and CAST5, the hashes MD5, SHA1 and RIPEMD160, and the -compression algorithms none and ZIP. This also disables ---throw-keyids, and making signatures with signing subkeys as PGP 6 -does not understand signatures made by signing subkeys. -</para><para> -This option implies `--disable-mdc --no-sk-comment --escape-from-lines ---force-v3-sigs --no-ask-sig-expire' -</para></listitem></varlistentry> - -<varlistentry> -<term>--pgp7</term> -<listitem><para> -Set up all options to be as PGP 7 compliant as possible. This is -identical to --pgp6 except that MDCs are not disabled, and the list of -allowable ciphers is expanded to add AES128, AES192, AES256, and -TWOFISH. -</para></listitem></varlistentry> - -<varlistentry> -<term>--pgp8</term> -<listitem><para> -Set up all options to be as PGP 8 compliant as possible. PGP 8 is a -lot closer to the OpenPGP standard than previous versions of PGP, so -all this does is disable --throw-keyids and set --escape-from-lines. -All algorithms are allowed except for the SHA224, SHA384, and SHA512 -digests. -</para></listitem></varlistentry> - -</variablelist></para></listitem></varlistentry> - -<varlistentry> -<term>--force-v3-sigs</term> -<term>--no-force-v3-sigs</term> -<listitem><para> -OpenPGP states that an implementation should generate v4 signatures -but PGP versions 5 through 7 only recognize v4 signatures on key -material. This option forces v3 signatures for signatures on data. -Note that this option overrides --ask-sig-expire, as v3 signatures -cannot have expiration dates. --no-force-v3-sigs disables this -option. -</para></listitem></varlistentry> - -<varlistentry> -<term>--force-v4-certs</term> -<term>--no-force-v4-certs</term> -<listitem><para> -Always use v4 key signatures even on v3 keys. This option also -changes the default hash algorithm for v3 RSA keys from MD5 to SHA-1. ---no-force-v4-certs disables this option. -</para></listitem></varlistentry> - -<varlistentry> -<term>--force-mdc</term> -<listitem><para> -Force the use of encryption with a modification detection code. This -is always used with the newer ciphers (those with a blocksize greater -than 64 bits), or if all of the recipient keys indicate MDC support in -their feature flags. -</para></listitem></varlistentry> - -<varlistentry> -<term>--disable-mdc</term> -<listitem><para> -Disable the use of the modification detection code. Note that by -using this option, the encrypted message becomes vulnerable to a -message modification attack. -</para></listitem></varlistentry> - -<varlistentry> -<term>--allow-non-selfsigned-uid</term> -<term>--no-allow-non-selfsigned-uid</term> -<listitem><para> -Allow the import and use of keys with user IDs which are not -self-signed. This is not recommended, as a non self-signed user ID is -trivial to forge. --no-allow-non-selfsigned-uid disables. -</para></listitem></varlistentry> - -<varlistentry> -<term>--allow-freeform-uid</term> -<listitem><para> -Disable all checks on the form of the user ID while generating a new -one. This option should only be used in very special environments as -it does not ensure the de-facto standard format of user IDs. -</para></listitem></varlistentry> - -<varlistentry> -<term>--ignore-time-conflict</term> -<listitem><para> -GnuPG normally checks that the timestamps associated with keys and -signatures have plausible values. However, sometimes a signature -seems to be older than the key due to clock problems. This option -makes these checks just a warning. See also --ignore-valid-from for -timestamp issues on subkeys. -</para></listitem></varlistentry> - -<varlistentry> -<term>--ignore-valid-from</term> -<listitem><para> -GnuPG normally does not select and use subkeys created in the future. -This option allows the use of such keys and thus exhibits the -pre-1.0.7 behaviour. You should not use this option unless you there -is some clock problem. See also --ignore-time-conflict for timestamp -issues with signatures. -</para></listitem></varlistentry> - -<varlistentry> -<term>--ignore-crc-error</term> -<listitem><para> -The ASCII armor used by OpenPGP is protected by a CRC checksum against -transmission errors. Occasionally the CRC gets mangled somewhere on -the transmission channel but the actual content (which is protected by -the OpenPGP protocol anyway) is still okay. This option allows GnuPG -to ignore CRC errors. -</para></listitem></varlistentry> - -<varlistentry> -<term>--ignore-mdc-error</term> -<listitem><para> -This option changes a MDC integrity protection failure into a warning. -This can be useful if a message is partially corrupt, but it is -necessary to get as much data as possible out of the corrupt message. -However, be aware that a MDC protection failure may also mean that the -message was tampered with intentionally by an attacker. -</para></listitem></varlistentry> - -<varlistentry> -<term>--lock-once</term> -<listitem><para> -Lock the databases the first time a lock is requested -and do not release the lock until the process -terminates. -</para></listitem></varlistentry> - -<varlistentry> -<term>--lock-multiple</term> -<listitem><para> -Release the locks every time a lock is no longer -needed. Use this to override a previous --lock-once -from a config file. -</para></listitem></varlistentry> - -<varlistentry> -<term>--lock-never</term> -<listitem><para> -Disable locking entirely. This option should be used only in very -special environments, where it can be assured that only one process -is accessing those files. A bootable floppy with a stand-alone -encryption system will probably use this. Improper usage of this -option may lead to data and key corruption. -</para></listitem></varlistentry> - -<varlistentry> -<term>--exit-on-status-write-error</term> -<listitem><para> -This option will cause write errors on the status FD to immediately -terminate the process. That should in fact be the default but it -never worked this way and thus we need an option to enable this, so -that the change won't break applications which close their end of a -status fd connected pipe too early. Using this option along with ---enable-progress-filter may be used to cleanly cancel long running -gpg operations. -</para></listitem></varlistentry> - -<varlistentry> -<term>--limit-card-insert-tries &ParmN;</term> -<listitem><para> -With &ParmN; greater than 0 the number of prompts asking to insert a -smartcard gets limited to N-1. Thus with a value of 1 gpg won't at -all ask to insert a card if none has been inserted at startup. This -option is useful in the configuration file in case an application does -not know about the smartcard support and waits ad infinitum for an -inserted card. -</para></listitem></varlistentry> - -<varlistentry> -<term>--no-random-seed-file</term> -<listitem><para> -GnuPG uses a file to store its internal random pool over invocations. -This makes random generation faster; however sometimes write operations -are not desired. This option can be used to achieve that with the cost of -slower random generation. -</para></listitem></varlistentry> - -<varlistentry> -<term>--no-verbose</term> -<listitem><para> -Reset verbose level to 0. -</para></listitem></varlistentry> - -<varlistentry> -<term>--no-greeting</term> -<listitem><para> -Suppress the initial copyright message. -</para></listitem></varlistentry> - -<varlistentry> -<term>--no-secmem-warning</term> -<listitem><para> -Suppress the warning about "using insecure memory". -</para></listitem></varlistentry> - -<varlistentry> -<term>--no-permission-warning</term> -<listitem><para> -Suppress the warning about unsafe file and home directory (--homedir) -permissions. Note that the permission checks that GnuPG performs are -not intended to be authoritative, but rather they simply warn about -certain common permission problems. Do not assume that the lack of a -warning means that your system is secure. -</para><para> -Note that the warning for unsafe --homedir permissions cannot be -suppressed in the gpg.conf file, as this would allow an attacker to -place an unsafe gpg.conf file in place, and use this file to suppress -warnings about itself. The --homedir permissions warning may only be -suppressed on the command line. -</para></listitem></varlistentry> - -<varlistentry> -<term>--no-mdc-warning</term> -<listitem><para> -Suppress the warning about missing MDC integrity protection. -</para></listitem></varlistentry> - -<varlistentry> -<term>--require-secmem</term> -<term>--no-require-secmem</term> -<listitem><para> -Refuse to run if GnuPG cannot get secure memory. Defaults to no -(i.e. run, but give a warning). -</para></listitem></varlistentry> - -<varlistentry> -<term>--no-armor</term> -<listitem><para> -Assume the input data is not in ASCII armored format. -</para></listitem></varlistentry> - - -<varlistentry> -<term>--no-default-keyring</term> -<listitem><para> -Do not add the default keyrings to the list of keyrings. Note that -GnuPG will not operate without any keyrings, so if you use this option -and do not provide alternate keyrings via --keyring or ---secret-keyring, then GnuPG will still use the default public or -secret keyrings. -</para></listitem></varlistentry> - - -<varlistentry> -<term>--skip-verify</term> -<listitem><para> -Skip the signature verification step. This may be -used to make the decryption faster if the signature -verification is not needed. -</para></listitem></varlistentry> - - -<varlistentry> -<term>--with-colons</term> -<listitem><para> -Print key listings delimited by colons. Note that the output will be -encoded in UTF-8 regardless of any --display-charset setting. This -format is useful when GnuPG is called from scripts and other programs -as it is easily machine parsed. The details of this format are -documented in the file doc/DETAILS, which is included in the GnuPG -source distribution. -</para></listitem></varlistentry> - - -<varlistentry> -<term>--with-key-data</term> -<listitem><para> -Print key listings delimited by colons (like --with-colons) and print the public key data. -</para></listitem></varlistentry> - -<varlistentry> -<term>--with-fingerprint</term> -<listitem><para> -Same as the command --fingerprint but changes only the format of the output -and may be used together with another command. -</para></listitem></varlistentry> - -<varlistentry> -<term>--fast-list-mode</term> -<listitem><para> -Changes the output of the list commands to work faster; this is achieved -by leaving some parts empty. Some applications don't need the user ID and -the trust information given in the listings. By using this options they -can get a faster listing. The exact behaviour of this option may change -in future versions. -</para></listitem></varlistentry> - -<varlistentry> -<term>--fixed-list-mode</term> -<listitem><para> -Do not merge primary user ID and primary key in --with-colon listing -mode and print all timestamps as seconds since 1970-01-01. -</para></listitem></varlistentry> - -<varlistentry> -<term>--list-only</term> -<listitem><para> -Changes the behaviour of some commands. This is like --dry-run but -different in some cases. The semantic of this command may be extended in -the future. Currently it only skips the actual decryption pass and -therefore enables a fast listing of the encryption keys. -</para></listitem></varlistentry> - -<varlistentry> -<term>--no-literal</term> -<listitem><para> -This is not for normal use. Use the source to see for what it might be useful. -</para></listitem></varlistentry> - -<varlistentry> -<term>--set-filesize</term> -<listitem><para> -This is not for normal use. Use the source to see for what it might be useful. -</para></listitem></varlistentry> - -<varlistentry> -<term>--show-session-key</term> -<listitem><para> -Display the session key used for one message. See --override-session-key -for the counterpart of this option. -</para> -<para> -We think that Key Escrow is a Bad Thing; however the user should have -the freedom to decide whether to go to prison or to reveal the content -of one specific message without compromising all messages ever -encrypted for one secret key. DON'T USE IT UNLESS YOU ARE REALLY -FORCED TO DO SO. -</para></listitem></varlistentry> - -<varlistentry> -<term>--override-session-key &ParmString;</term> -<listitem><para> -Don't use the public key but the session key &ParmString;. The format of this -string is the same as the one printed by --show-session-key. This option -is normally not used but comes handy in case someone forces you to reveal the -content of an encrypted message; using this option you can do this without -handing out the secret key. -</para></listitem></varlistentry> - -<varlistentry> -<term>--require-cross-certification</term> -<term>--no-require-certification</term> -<listitem><para> -When verifying a signature made from a subkey, ensure that the cross -certification "back signature" on the subkey is present and valid. -This protects against a subtle attack against subkeys that can sign. -Currently defaults to --no-require-cross-certification, but will be -changed to --require-cross-certification in the future. -</para></listitem></varlistentry> - -<varlistentry> -<term>--ask-sig-expire</term> -<term>--no-ask-sig-expire</term> -<listitem><para> -When making a data signature, prompt for an expiration time. If this -option is not specified, the expiration time set via ---default-sig-expire is used. --no-ask-sig-expire disables this -option. Note that by default, --force-v3-sigs is set which also -disables this option. If you want signature expiration, you must set ---no-force-v3-sigs as well as turning --ask-sig-expire on. -</para></listitem></varlistentry> - -<varlistentry> -<term>--default-sig-expire</term> -<listitem><para> -The default expiration time to use for signature expiration. Valid -values are "0" for no expiration, a number followed by the letter d -(for days), w (for weeks), m (for months), or y (for years) (for -example "2m" for two months, or "5y" for five years), or an absolute -date in the form YYYY-MM-DD. Defaults to "0". -</para></listitem></varlistentry> - -<varlistentry> -<term>--ask-cert-expire</term> -<term>--no-ask-cert-expire</term> -<listitem><para> -When making a key signature, prompt for an expiration time. If this -option is not specified, the expiration time set via ---default-cert-expire is used. --no-ask-cert-expire disables this -option. -</para></listitem></varlistentry> - -<varlistentry> -<term>--default-cert-expire</term> -<listitem><para> -The default expiration time to use for key signature expiration. -Valid values are "0" for no expiration, a number followed by the -letter d (for days), w (for weeks), m (for months), or y (for years) -(for example "2m" for two months, or "5y" for five years), or an -absolute date in the form YYYY-MM-DD. Defaults to "0". -</para></listitem></varlistentry> - -<varlistentry> -<term>--expert</term> -<term>--no-expert</term> -<listitem><para> -Allow the user to do certain nonsensical or "silly" things like -signing an expired or revoked key, or certain potentially incompatible -things like generating unusual key types. This also disables certain -warning messages about potentially incompatible actions. As the name -implies, this option is for experts only. If you don't fully -understand the implications of what it allows you to do, leave this -off. --no-expert disables this option. -</para></listitem></varlistentry> - -<varlistentry> -<term>--allow-secret-key-import</term> -<listitem><para> -This is an obsolete option and is not used anywhere. -</para></listitem></varlistentry> - -<varlistentry> -<term>--try-all-secrets</term> -<listitem><para> -Don't look at the key ID as stored in the message but try all secret -keys in turn to find the right decryption key. This option forces the -behaviour as used by anonymous recipients (created by using ---throw-keyids) and might come handy in case where an encrypted -message contains a bogus key ID. -</para></listitem></varlistentry> - -<varlistentry> -<term>--allow-multisig-verification</term> -<listitem><para> -Allow verification of concatenated signed messages. This will run a -signature verification for each data+signature block. There are some -security issues with this option and thus it is off by default. Note -that versions of GPG prior to version 1.4.3 implicitly allowed this. -</para></listitem></varlistentry> - -<varlistentry> -<term>--enable-special-filenames</term> -<listitem><para> -This options enables a mode in which filenames of the form -<filename>-&n</filename>, where n is a non-negative decimal number, -refer to the file descriptor n and not to a file with that name. -</para></listitem></varlistentry> - -<varlistentry> -<term>--no-expensive-trust-checks</term> -<listitem><para> -Experimental use only. -</para></listitem></varlistentry> - -<varlistentry> -<term>--group &ParmNameValues;</term> -<listitem><para> -Sets up a named group, which is similar to aliases in email programs. -Any time the group name is a recipient (-r or --recipient), it will be -expanded to the values specified. Multiple groups with the same name -are automatically merged into a single group. -</para><para> -The values are &ParmKeyIDs; or fingerprints, but any key description -is accepted. Note that a value with spaces in it will be treated as -two different values. Note also there is only one level of expansion -- you cannot make an group that points to another group. When used -from the command line, it may be necessary to quote the argument to -this option to prevent the shell from treating it as multiple -arguments. -</para></listitem></varlistentry> - -<varlistentry> -<term>--ungroup &ParmName;</term> -<listitem><para> -Remove a given entry from the --group list. -</para></listitem></varlistentry> - -<varlistentry> -<term>--no-groups</term> -<listitem><para> -Remove all entries from the --group list. -</para></listitem></varlistentry> - -<varlistentry> -<term>--preserve-permissions</term> -<listitem><para> -Don't change the permissions of a secret keyring back to user -read/write only. Use this option only if you really know what you are doing. -</para></listitem></varlistentry> - -<varlistentry> -<term>--personal-cipher-preferences &ParmString;</term> -<listitem><para> -Set the list of personal cipher preferences to &ParmString;, this list -should be a string similar to the one printed by the command "pref" in -the edit menu. This allows the user to factor in their own preferred -algorithms when algorithms are chosen via recipient key preferences. -The most highly ranked cipher in this list is also used for the ---symmetric encryption command. -</para></listitem></varlistentry> - -<varlistentry> -<term>--personal-digest-preferences &ParmString;</term> -<listitem><para> -Set the list of personal digest preferences to &ParmString;, this list -should be a string similar to the one printed by the command "pref" in -the edit menu. This allows the user to factor in their own preferred -algorithms when algorithms are chosen via recipient key preferences. -The most highly ranked digest algorithm in this list is algo used when -signing without encryption (e.g. --clearsign or --sign). The default -value is SHA-1. -</para></listitem></varlistentry> - -<varlistentry> -<term>--personal-compress-preferences &ParmString;</term> -<listitem><para> -Set the list of personal compression preferences to &ParmString;, this -list should be a string similar to the one printed by the command -"pref" in the edit menu. This allows the user to factor in their own -preferred algorithms when algorithms are chosen via recipient key -preferences. The most highly ranked algorithm in this list is also -used when there are no recipient keys to consider (e.g. --symmetric). -</para></listitem></varlistentry> - -<varlistentry> -<term>--default-preference-list &ParmString;</term> -<listitem><para> -Set the list of default preferences to &ParmString;. This preference -list is used for new keys and becomes the default for "setpref" in the -edit menu. -</para></listitem></varlistentry> - -<varlistentry> -<term>--default-keyserver-url &ParmName;</term> -<listitem><para> -Set the default keyserver URL to &ParmName;. This keyserver will be -used as the keyserver URL when writing a new self-signature on a key, -which includes key generation and changing preferences. -</para></listitem></varlistentry> - -<varlistentry> -<term>--list-config &OptParmNames;</term> -<listitem><para> -Display various internal configuration parameters of GnuPG. This -option is intended for external programs that call GnuPG to perform -tasks, and is thus not generally useful. See the file -<filename>doc/DETAILS</filename> in the source distribution for the -details of which configuration items may be listed. --list-config is -only usable with --with-colons set. -</para></listitem></varlistentry> - -</variablelist> -</refsect1> - - -<refsect1> - <title>How to specify a user ID</title> - <para> -There are different ways to specify a user ID to GnuPG; here are some -examples: - </para> - - <variablelist> -<varlistentry> -<term></term> -<listitem><para></para></listitem> -</varlistentry> - -<varlistentry> -<term>234567C4</term> -<term>0F34E556E</term> -<term>01347A56A</term> -<term>0xAB123456</term> -<listitem><para> -Here the key ID is given in the usual short form. -</para></listitem> -</varlistentry> - -<varlistentry> -<term>234AABBCC34567C4</term> -<term>0F323456784E56EAB</term> -<term>01AB3FED1347A5612</term> -<term>0x234AABBCC34567C4</term> -<listitem><para> -Here the key ID is given in the long form as used by OpenPGP -(you can get the long key ID using the option --with-colons). -</para></listitem> -</varlistentry> - -<varlistentry> -<term>1234343434343434C434343434343434</term> -<term>123434343434343C3434343434343734349A3434</term> -<term>0E12343434343434343434EAB3484343434343434</term> -<term>0xE12343434343434343434EAB3484343434343434</term> -<listitem><para> -The best way to specify a key ID is by using the fingerprint of -the key. This avoids any ambiguities in case that there are duplicated -key IDs (which are really rare for the long key IDs). -</para></listitem> -</varlistentry> - -<varlistentry> -<term>=Heinrich Heine <[email protected]></term> -<listitem><para> -Using an exact to match string. The equal sign indicates this. -</para></listitem> -</varlistentry> - -<varlistentry> -<term><[email protected]></term> -<listitem><para> -Using the email address part which must match exactly. The left angle bracket -indicates this email address mode. -</para></listitem> -</varlistentry> - -<varlistentry> -<term>@heinrichh</term> -<listitem><para> -Match within the <email.address> part of a user ID. The at sign -indicates this email address mode. -</para></listitem> -</varlistentry> - -<!-- we don't do this -<varlistentry> -<term>+Heinrich Heine duesseldorf</term> -<listitem><para> -All words must match exactly (not case sensitive) but can appear in -any order in the user ID. Words are any sequences of letters, -digits, the underscore and all characters with bit 7 set. -</para></listitem> -</varlistentry> ---> - -<varlistentry> -<term>Heine</term> -<term>*Heine</term> -<listitem><para> -By case insensitive substring matching. This is the default mode but -applications may want to explicitly indicate this by putting the asterisk -in front. -</para></listitem> -</varlistentry> - - </variablelist> - - <para> -Note that you can append an exclamation mark (!) to key IDs or -fingerprints. This flag tells GnuPG to use the specified primary or -secondary key and not to try and calculate which primary or secondary -key to use. - </para> - -</refsect1> - - -<refsect1> - <title>RETURN VALUE</title> - <para> -The program returns 0 if everything was fine, 1 if at least -a signature was bad, and other error codes for fatal errors. - </para> -</refsect1> - -<refsect1> - <title>EXAMPLES</title> - <variablelist> - -<varlistentry> -<term>gpg -se -r <parameter/Bob/ &ParmFile;</term> -<listitem><para>sign and encrypt for user Bob</para></listitem> -</varlistentry> - -<varlistentry> -<term>gpg --clearsign &ParmFile;</term> -<listitem><para>make a clear text signature</para></listitem> -</varlistentry> - -<varlistentry> -<term>gpg -sb &ParmFile;</term> -<listitem><para>make a detached signature</para></listitem> -</varlistentry> - -<varlistentry> -<term>gpg --list-keys <parameter/user_ID/</term> -<listitem><para>show keys</para></listitem> -</varlistentry> - -<varlistentry> -<term>gpg --fingerprint <parameter/user_ID/</term> -<listitem><para>show fingerprint</para></listitem> -</varlistentry> - -<varlistentry> -<term>gpg --verify <parameter/pgpfile/</term> -<term>gpg --verify <parameter/sigfile/ &OptParmFiles;</term> -<listitem><para> -Verify the signature of the file but do not output the data. The -second form is used for detached signatures, where <parameter/sigfile/ -is the detached signature (either ASCII armored or binary) and -&OptParmFiles; are the signed data; if this is not given, the name of -the file holding the signed data is constructed by cutting off the -extension (".asc" or ".sig") of <parameter/sigfile/ or by asking the -user for the filename. -</para></listitem></varlistentry> - - </variablelist> -</refsect1> - - -<refsect1> - <title>ENVIRONMENT</title> - - <variablelist> -<varlistentry> -<term>HOME</term> -<listitem><para>Used to locate the default home directory.</para></listitem> -</varlistentry> -<varlistentry> -<term>GNUPGHOME</term> -<listitem><para>If set directory used instead of "~/.gnupg".</para></listitem> -</varlistentry> -<varlistentry> -<term>GPG_AGENT_INFO</term> -<listitem><para>Used to locate the gpg-agent; only honored when ---use-agent is set. The value consists of 3 colon delimited fields: -The first is the path to the Unix Domain Socket, the second the PID of -the gpg-agent and the protocol version which should be set to 1. When -starting the gpg-agent as described in its documentation, this -variable is set to the correct value. The option --gpg-agent-info can -be used to override it.</para></listitem> -</varlistentry> -<varlistentry> -<term>COLUMNS</term> -<term>LINES</term> -<listitem><para> -Used to size some displays to the full size of the screen. -</para></listitem></varlistentry> - - </variablelist> - -</refsect1> - -<refsect1> - <title>FILES</title> - <variablelist> - -<varlistentry> -<term>~/.gnupg/secring.gpg</term> -<listitem><para>The secret keyring</para></listitem> -</varlistentry> - -<varlistentry> -<term>~/.gnupg/secring.gpg.lock</term> -<listitem><para>and the lock file</para></listitem> -</varlistentry> - -<varlistentry> -<term>~/.gnupg/pubring.gpg</term> -<listitem><para>The public keyring</para></listitem> -</varlistentry> - -<varlistentry> -<term>~/.gnupg/pubring.gpg.lock</term> -<listitem><para>and the lock file</para></listitem> -</varlistentry> - -<varlistentry> -<term>~/.gnupg/trustdb.gpg</term> -<listitem><para>The trust database</para></listitem> -</varlistentry> - -<varlistentry> -<term>~/.gnupg/trustdb.gpg.lock</term> -<listitem><para>and the lock file</para></listitem> -</varlistentry> - -<varlistentry> -<term>~/.gnupg/random_seed</term> -<listitem><para>used to preserve the internal random pool</para></listitem> -</varlistentry> - -<varlistentry> -<term>~/.gnupg/gpg.conf</term> -<listitem><para>Default configuration file</para></listitem> -</varlistentry> - -<varlistentry> -<term>~/.gnupg/options</term> -<listitem><para>Old style configuration file; only used when gpg.conf -is not found</para></listitem> -</varlistentry> - -<varlistentry> -<term>/usr[/local]/share/gnupg/options.skel</term> -<listitem><para>Skeleton options file</para></listitem> -</varlistentry> - -<varlistentry> -<term>/usr[/local]/lib/gnupg/</term> -<listitem><para>Default location for extensions</para></listitem> -</varlistentry> - - </variablelist> -</refsect1> - -<!-- SEE ALSO not yet needed--> - -<refsect1> - <title>WARNINGS</title> - <para> -Use a *good* password for your user account and a *good* passphrase -to protect your secret key. This passphrase is the weakest part of the -whole system. Programs to do dictionary attacks on your secret keyring -are very easy to write and so you should protect your "~/.gnupg/" -directory very well. -</para> -<para> -Keep in mind that, if this program is used over a network (telnet), it -is *very* easy to spy out your passphrase! -</para> -<para> -If you are going to verify detached signatures, make sure that the -program knows about it; either give both filenames on the command line -or use <literal>-</literal> to specify stdin. -</para> -</refsect1> - -<refsect1> - <title>INTEROPERABILITY WITH OTHER OPENPGP PROGRAMS</title> -<para> -GnuPG tries to be a very flexible implementation of the OpenPGP -standard. In particular, GnuPG implements many of the optional parts -of the standard, such as the SHA-512 hash, and the ZLIB and BZIP2 -compression algorithms. It is important to be aware that not all -OpenPGP programs implement these optional algorithms and that by -forcing their use via the --cipher-algo, --digest-algo, ---cert-digest-algo, or --compress-algo options in GnuPG, it is -possible to create a perfectly valid OpenPGP message, but one that -cannot be read by the intended recipient. -</para> - -<para> -There are dozens of variations of OpenPGP programs available, and each -supports a slightly different subset of these optional algorithms. -For example, until recently, no (unhacked) version of PGP supported -the BLOWFISH cipher algorithm. A message using BLOWFISH simply could -not be read by a PGP user. By default, GnuPG uses the standard -OpenPGP preferences system that will always do the right thing and -create messages that are usable by all recipients, regardless of which -OpenPGP program they use. Only override this safe default if you -really know what you are doing. -</para> - -<para> -If you absolutely must override the safe default, or if the -preferences on a given key are invalid for some reason, you are far -better off using the --pgp6, --pgp7, or --pgp8 options. These options -are safe as they do not force any particular algorithms in violation -of OpenPGP, but rather reduce the available algorithms to a "PGP-safe" -list. -</para> - -</refsect1> - - -<refsect1> - <title>BUGS</title> - <para> -On many systems this program should be installed as setuid(root). This -is necessary to lock memory pages. Locking memory pages prevents the -operating system from writing memory pages (which may contain -passphrases or other sensitive material) to disk. If you get no -warning message about insecure memory your operating system supports -locking without being root. The program drops root privileges as soon -as locked memory is allocated. -</para> -</refsect1> - -</refentry> diff --git a/doc/gpg.texi b/doc/gpg.texi deleted file mode 100644 index aca21a0cb..000000000 --- a/doc/gpg.texi +++ /dev/null @@ -1,2231 +0,0 @@ -\input texinfo -@setfilename gpg.info -@dircategory GnuPG -@direntry -* gpg: (gpg). GnuPG encryption and signing tool. -@end direntry - -@node Top, , , (dir) -@top gpg -@chapheading Name - -gpg --- encryption and signing tool -@chapheading Synopsis - -@example -gpg - --homedir name - --options file - options - command - args - -@end example -@chapheading DESCRIPTION - -@code{gpg} is the main program for the GnuPG system. - -This man page only lists the commands and options available. For more -verbose documentation get the GNU Privacy Handbook (GPH) or one of the -other documents at http://www.gnupg.org/documentation/ . - -Please remember that option parsing stops as soon as a non option is -encountered, you can explicitly stop option parsing by using the -special option "--". -@chapheading COMMANDS - -@code{gpg} may be run with no commands, in which case it will -perform a reasonable action depending on the type of file it is given -as input (an encrypted message is decrypted, a signature is verified, -a file containing keys is listed). - -@code{gpg} recognizes these commands: - -@table @asis - -@item -s, --sign -Make a signature. This command may be combined with --encrypt (for a -signed and encrypted message), --symmetric (for a signed and -symmetrically encrypted message), or --encrypt and --symmetric -together (for a signed message that may be decrypted via a secret key -or a passphrase). - -@item --clearsign -Make a clear text signature. The content in a clear text signature is -readable without any special software. OpenPGP software is only -needed to verify the signature. Clear text signatures may modify -end-of-line whitespace for platform independence and are not intended -to be reversible. - -@item -b, --detach-sign -Make a detached signature. - -@item -e, --encrypt -Encrypt data. This option may be combined with --sign (for a signed -and encrypted message), --symmetric (for a message that may be -decrypted via a secret key or a passphrase), or --sign and --symmetric -together (for a signed message that may be decrypted via a secret key -or a passphrase). - -@item -c, --symmetric -Encrypt with a symmetric cipher using a passphrase. The default -symmetric cipher used is CAST5, but may be chosen with the ---cipher-algo option. This option may be combined with --sign (for a -signed and symmetrically encrypted message), --encrypt (for a message -that may be decrypted via a secret key or a passphrase), or --sign and ---encrypt together (for a signed message that may be decrypted via a -secret key or a passphrase). - -@item --store -Store only (make a simple RFC1991 packet). - -@item -d, --decrypt -Decrypt @code{file} (or stdin if no file is specified) and -write it to stdout (or the file specified with ---output). If the decrypted file is signed, the -signature is also verified. This command differs -from the default operation, as it never writes to the -filename which is included in the file and it -rejects files which don't begin with an encrypted -message. - -@item --verify -Assume that @code{sigfile} is a signature and verify it -without generating any output. With no arguments, -the signature packet is read from stdin. If -only a sigfile is given, it may be a complete -signature or a detached signature, in which case -the signed stuff is expected in a file without the -".sig" or ".asc" extension. -With more than -1 argument, the first should be a detached signature -and the remaining files are the signed stuff. To read the signed -stuff from stdin, use @samp{-} as the second filename. -For security reasons a detached signature cannot read the signed -material from stdin without denoting it in the above way. - -@item --multifile -This modifies certain other commands to accept multiple files for -processing on the command line or read from stdin with each filename -on a separate line. This allows for many files to be processed at -once. --multifile may currently be used along with --verify, ---encrypt, and --decrypt. Note that `--multifile --verify' may not be -used with detached signatures. - -@item --verify-files -Identical to `--multifile --verify'. - -@item --encrypt-files -Identical to `--multifile --encrypt'. - -@item --decrypt-files -Identical to `--multifile --decrypt'. - -@item --list-keys -@itemx --list-public-keys -List all keys from the public keyrings, or just the ones given on the -command line. - -Avoid using the output of this command in scripts or other programs as -it is likely to change as GnuPG changes. See --with-colons for a -machine-parseable key listing command that is appropriate for use in -scripts and other programs. - -@item -K, --list-secret-keys -List all keys from the secret keyrings, or just the ones given on the -command line. A '#' after the letters 'sec' means that the secret key -is not usable (for example, if it was created via ---export-secret-subkeys). - -@item --list-sigs -Same as --list-keys, but the signatures are listed too. - -For each signature listed, there are several flags in between the -"sig" tag and keyid. These flags give additional information about -each signature. From left to right, they are the numbers 1-3 for -certificate check level (see --ask-cert-level), "L" for a local or -non-exportable signature (see --lsign-key), "R" for a nonRevocable -signature (see the --edit-key command "nrsign"), "P" for a signature -that contains a policy URL (see --cert-policy-url), "N" for a -signature that contains a notation (see --cert-notation), "X" for an -eXpired signature (see --ask-cert-expire), and the numbers 1-9 or "T" -for 10 and above to indicate trust signature levels (see the ---edit-key command "tsign"). - -@item --check-sigs -Same as --list-sigs, but the signatures are verified. - -@item --fingerprint -List all keys with their fingerprints. This is the -same output as --list-keys but with the additional output -of a line with the fingerprint. May also be combined -with --list-sigs or --check-sigs. -If this command is given twice, the fingerprints of all -secondary keys are listed too. - -@item --list-packets -List only the sequence of packets. This is mainly -useful for debugging. - -@item --gen-key -Generate a new key pair. This command is normally only used -interactively. - -There is an experimental feature which allows you to create keys -in batch mode. See the file @file{doc/DETAILS} -in the source distribution on how to use this. - -@item --edit-key @code{name} -Present a menu which enables you to do all key -related tasks: - -@table @asis - -@item sign -Make a signature on key of user @code{name} If the key is not yet -signed by the default user (or the users given with -u), the program -displays the information of the key again, together with its -fingerprint and asks whether it should be signed. This question is -repeated for all users specified with --u. - -@item lsign -Same as "sign" but the signature is marked as non-exportable and will -therefore never be used by others. This may be used to make keys -valid only in the local environment. - -@item nrsign -Same as "sign" but the signature is marked as non-revocable and can -therefore never be revoked. - -@item tsign -Make a trust signature. This is a signature that combines the notions -of certification (like a regular signature), and trust (like the -"trust" command). It is generally only useful in distinct communities -or groups. -@end table - -Note that "l" (for local / non-exportable), "nr" (for non-revocable, -and "t" (for trust) may be freely mixed and prefixed to "sign" to -create a signature of any type desired. - -@table @asis - -@item revsig -Revoke a signature. For every signature which has been generated by -one of the secret keys, GnuPG asks whether a revocation certificate -should be generated. - -@item trust -Change the owner trust value. This updates the -trust-db immediately and no save is required. - -@item disable -@itemx enable -Disable or enable an entire key. A disabled key can not normally be -used for encryption. - -@item adduid -Create an alternate user id. - -@item addphoto -Create a photographic user id. This will prompt for a JPEG file that -will be embedded into the user ID. Note that a very large JPEG will -make for a very large key. Also note that some programs will display -your JPEG unchanged (GnuPG), and some programs will scale it to fit in -a dialog box (PGP). - -@item deluid -Delete a user id. - -@item delsig -Delete a signature. - -@item revuid -Revoke a user id. - -@item addkey -Add a subkey to this key. - -@item addcardkey -Generate a key on a card and add it -to this key. - -@item keytocard -Transfer the selected secret key (or the primary key if no key has -been selected) to a smartcard. The secret key in the keyring will be -replaced by a stub if the key could be stored successfully on the card -and you use the save command later. Only certain key types may be -transferred to the card. A sub menu allows you to select on what card -to store the key. Note that it is not possible to get that key back -from the card - if the card gets broken your secret key will be lost -unless you have a backup somewhere. - -@item bkuptocard @code{file} -Restore the given file to a card. This command -may be used to restore a backup key (as generated during card -initialization) to a new card. In almost all cases this will be the -encryption key. You should use this command only -with the corresponding public key and make sure that the file -given as argument is indeed the backup to restore. You should -then select 2 to restore as encryption key. -You will first be asked to enter the passphrase of the backup key and -then for the Admin PIN of the card. - -@item delkey -Remove a subkey. - -@item addrevoker -Add a designated revoker. This takes one optional argument: -"sensitive". If a designated revoker is marked as sensitive, it will -not be exported by default (see -export-options). - -@item revkey -Revoke a subkey. - -@item expire -Change the key expiration time. If a subkey is selected, the -expiration time of this subkey will be changed. With no selection, -the key expiration of the primary key is changed. - -@item passwd -Change the passphrase of the secret key. - -@item primary -Flag the current user id as the primary one, removes the primary user -id flag from all other user ids and sets the timestamp of all affected -self-signatures one second ahead. Note that setting a photo user ID -as primary makes it primary over other photo user IDs, and setting a -regular user ID as primary makes it primary over other regular user -IDs. - -@item uid @code{n} -Toggle selection of user id with index @code{n}. -Use 0 to deselect all. - -@item key @code{n} -Toggle selection of subkey with index @code{n}. -Use 0 to deselect all. - -@item check -Check all selected user ids. - -@item showphoto -Display the selected photographic user -id. - -@item pref -List preferences from the selected user ID. This shows the actual -preferences, without including any implied preferences. - -@item showpref -More verbose preferences listing for the selected user ID. This shows -the preferences in effect by including the implied preferences of 3DES -(cipher), SHA-1 (digest), and Uncompressed (compression) if they are -not already included in the preference list. In addition, the -preferred keyserver and signature notations (if any) are shown. - -@item setpref @code{string} -Set the list of user ID preferences to @code{string} for all (or just -the selected) user IDs. Calling setpref with no arguments sets the -preference list to the default (either built-in or set via ---default-preference-list), and calling setpref with "none" as the -argument sets an empty preference list. Use "gpg --version" to get a -list of available algorithms. Note that while you can change the -preferences on an attribute user ID (aka "photo ID"), GnuPG does not -select keys via attribute user IDs so these preferences will not be -used by GnuPG. - -@item keyserver -Set a preferred keyserver for the specified user ID(s). This allows -other users to know where you prefer they get your key from. See ---keyserver-options honor-keyserver-url for more on how this works. -Setting a value of "none" removes an existing preferred keyserver. - -@item notation -Set a name=value notation for the specified user ID(s). See ---cert-notation for more on how this works. Setting a value of "none" -removes all notations, setting a notation prefixed with a minus sign -(-) removes that notation, and setting a notation name (without the -=value) prefixed with a minus sign removes all notations with that -name. - -@item toggle -Toggle between public and secret key listing. - -@item clean -Compact (by removing all signatures except the selfsig) any user ID -that is no longer usable (e.g. revoked, or expired). Then, remove any -signatures that are not usable by the trust calculations. -Specifically, this removes any signature that does not validate, any -signature that is superseded by a later signature, revoked signatures, -and signatures issued by keys that are not present on the keyring. - -@item minimize -Make the key as small as possible. This removes all signatures from -each user ID except for the most recent self-signature. - -@item cross-certify -Add cross-certification signatures to signing subkeys that may not -currently have them. Cross-certification signatures protect against a -subtle attack against signing subkeys. See ---require-cross-certification. - -@item save -Save all changes to the key rings and quit. - -@item quit -Quit the program without updating the -key rings. -@end table - -The listing shows you the key with its secondary -keys and all user ids. Selected keys or user ids -are indicated by an asterisk. The trust value is -displayed with the primary key: the first is the -assigned owner trust and the second is the calculated -trust value. Letters are used for the values: - -@table @asis - -@item - -No ownertrust assigned / not yet calculated. - -@item e -Trust -calculation has failed; probably due to an expired key. - -@item q -Not enough information for calculation. - -@item n -Never trust this key. - -@item m -Marginally trusted. - -@item f -Fully trusted. - -@item u -Ultimately trusted. -@end table - -@item --card-edit -Present a menu to work with a smartcard. The subcommand "help" provides -an overview on available commands. For a detailed description, please -see the Card HOWTO at -http://www.gnupg.org/documentation/howtos.html#GnuPG-cardHOWTO . - -@item --card-status -Show the content of the smart card. - -@item --change-pin -Present a menu to allow changing the PIN of a smartcard. This -functionality is also available as the subcommand "passwd" with the ---card-edit command. - -@item --sign-key @code{name} -Signs a public key with your secret key. This is a shortcut version of -the subcommand "sign" from --edit. - -@item --lsign-key @code{name} -Signs a public key with your secret key but marks it as -non-exportable. This is a shortcut version of the subcommand "lsign" -from --edit. - -@item --delete-key @code{name} -Remove key from the public keyring. In batch mode either --yes is -required or the key must be specified by fingerprint. This is a -safeguard against accidental deletion of multiple keys. - -@item --delete-secret-key @code{name} -Remove key from the secret and public keyring. In batch mode the key -must be specified by fingerprint. - -@item --delete-secret-and-public-key @code{name} -Same as --delete-key, but if a secret key exists, it will be removed -first. In batch mode the key must be specified by fingerprint. - -@item --gen-revoke @code{name} -Generate a revocation certificate for the complete key. To revoke -a subkey or a signature, use the --edit command. - -@item --desig-revoke @code{name} -Generate a designated revocation certificate for a key. This allows a -user (with the permission of the keyholder) to revoke someone else's -key. - -@item --export -Either export all keys from all keyrings (default -keyrings and those registered via option --keyring), -or if at least one name is given, those of the given -name. The new keyring is written to stdout or to -the file given with option "output". Use together -with --armor to mail those keys. - -@item --send-keys -Same as --export but sends the keys to a keyserver. -Option --keyserver must be used to give the name -of this keyserver. Don't send your complete keyring -to a keyserver - select only those keys which are new -or changed by you. - -@item --export-secret-keys -@itemx --export-secret-subkeys -Same as --export, but exports the secret keys instead. -This is normally not very useful and a security risk. -The second form of the command has the special property to -render the secret part of the primary key useless; this is -a GNU extension to OpenPGP and other implementations can -not be expected to successfully import such a key. -See the option --simple-sk-checksum if you want to import such an -exported key with an older OpenPGP implementation. - -@item --import -@itemx --fast-import -Import/merge keys. This adds the given keys to the -keyring. The fast version is currently just a synonym. - -There are a few other options which control how this command works. -Most notable here is the --keyserver-options merge-only option which -does not insert new keys but does only the merging of new signatures, -user-IDs and subkeys. - -@item --recv-keys @code{key IDs} -Import the keys with the given key IDs from a keyserver. Option ---keyserver must be used to give the name of this keyserver. - -@item --refresh-keys -Request updates from a keyserver for keys that already exist on the -local keyring. This is useful for updating a key with the latest -signatures, user IDs, etc. Calling this with no arguments will -refresh the entire keyring. Option --keyserver must be used to give -the name of the keyserver for all keys that do not have preferred -keyservers set (see --keyserver-options honor-keyserver-url). - -@item --search-keys @code{names} -Search the keyserver for the given names. Multiple names given here -will be joined together to create the search string for the keyserver. -Option --keyserver must be used to give the name of this keyserver. -Keyservers that support different search methods allow using the -syntax specified in "How to specify a user ID" below. Note that -different keyserver types support different search methods. Currently -only LDAP supports them all. - -@item --fetch-keys @code{URIs} -Retrieve keys located at the specified URIs. Note that different -installations of GnuPG may support different protocols (HTTP, FTP, -LDAP, etc.) - -@item --update-trustdb -Do trust database maintenance. This command iterates over all keys -and builds the Web of Trust. This is an interactive command because it -may have to ask for the "ownertrust" values for keys. The user has to -give an estimation of how far she trusts the owner of the displayed -key to correctly certify (sign) other keys. GnuPG only asks for the -ownertrust value if it has not yet been assigned to a key. Using the ---edit-key menu, the assigned value can be changed at any time. - -@item --check-trustdb -Do trust database maintenance without user interaction. From time to -time the trust database must be updated so that expired keys or -signatures and the resulting changes in the Web of Trust can be -tracked. Normally, GnuPG will calculate when this is required and do -it automatically unless --no-auto-check-trustdb is set. This command -can be used to force a trust database check at any time. The -processing is identical to that of --update-trustdb but it skips keys -with a not yet defined "ownertrust". - -For use with cron jobs, this command can be used together with --batch -in which case the trust database check is done only if a check is -needed. To force a run even in batch mode add the option --yes. - -@item --export-ownertrust -Send the ownertrust values to stdout. This is useful for backup -purposes as these values are the only ones which can't be re-created -from a corrupted trust DB. - -@item --import-ownertrust -Update the trustdb with the ownertrust values stored -in @code{files} (or stdin if not given); existing -values will be overwritten. - -@item --rebuild-keydb-caches -When updating from version 1.0.6 to 1.0.7 this command should be used -to create signature caches in the keyring. It might be handy in other -situations too. - -@item --print-md @code{algo} -@itemx --print-mds -Print message digest of algorithm ALGO for all given files or stdin. -With the second form (or a deprecated "*" as algo) digests for all -available algorithms are printed. - -@item --gen-random @code{0|1|2} -Emit COUNT random bytes of the given quality level. If count is not given -or zero, an endless sequence of random bytes will be emitted. -PLEASE, don't use this command unless you know what you are doing; it may -remove precious entropy from the system! - -@item --gen-prime @code{mode} @code{bits} -Use the source, Luke :-). The output format is still subject to change. - -@item --version -Print version information along with a list -of supported algorithms. - -@item --warranty -Print warranty information. - -@item -h, --help -Print usage information. This is a really long list even though it -doesn't list all options. For every option, consult this manual. -@end table -@chapheading OPTIONS - -Long options can be put in an options file (default -"~/.gnupg/gpg.conf"). Short option names will not work - for example, -"armor" is a valid option for the options file, while "a" is not. Do -not write the 2 dashes, but simply the name of the option and any -required arguments. Lines with a hash ('#') as the first -non-white-space character are ignored. Commands may be put in this -file too, but that is not generally useful as the command will execute -automatically with every execution of gpg. - -@code{gpg} recognizes these options: - -@table @asis - -@item -a, --armor -Create ASCII armored output. - -@item -o, --output @code{file} -Write output to @code{file}. - -@item --max-output @code{n} -This option sets a limit on the number of bytes that will be generated -when processing a file. Since OpenPGP supports various levels of -compression, it is possible that the plaintext of a given message may -be significantly larger than the original OpenPGP message. While -GnuPG works properly with such messages, there is often a desire to -set a maximum file size that will be generated before processing is -forced to stop by the OS limits. Defaults to 0, which means "no -limit". - -@item --mangle-dos-filenames -@itemx --no-mangle-dos-filenames -Older version of Windows cannot handle filenames with more than one -dot. --mangle-dos-filenames causes GnuPG to replace (rather than add -to) the extension of an output filename to avoid this problem. This -option is off by default and has no effect on non-Windows platforms. - -@item -u, --local-user @code{name} -Use @code{name} as the key to sign with. Note that this option -overrides --default-key. - -@item --default-key @code{name} -Use @code{name} as the default key to sign with. If this option is not -used, the default key is the first key found in the secret keyring. -Note that -u or --local-user overrides this option. - -@item -r, --recipient @code{name} -Encrypt for user id @code{name}. If this option or --hidden-recipient -is not specified, GnuPG asks for the user-id unless ---default-recipient is given. - -@item -R, --hidden-recipient @code{name} -Encrypt for user ID @code{name}, but hide the key ID of this user's -key. This option helps to hide the receiver of the message and is a -limited countermeasure against traffic analysis. If this option or ---recipient is not specified, GnuPG asks for the user ID unless ---default-recipient is given. - -@item --default-recipient @code{name} -Use @code{name} as default recipient if option --recipient is not used and -don't ask if this is a valid one. @code{name} must be non-empty. - -@item --default-recipient-self -Use the default key as default recipient if option --recipient is not used and -don't ask if this is a valid one. The default key is the first one from the -secret keyring or the one set with --default-key. - -@item --no-default-recipient -Reset --default-recipient and --default-recipient-self. - -@item --encrypt-to @code{name} -Same as --recipient but this one is intended for use -in the options file and may be used with -your own user-id as an "encrypt-to-self". These keys -are only used when there are other recipients given -either by use of --recipient or by the asked user id. -No trust checking is performed for these user ids and -even disabled keys can be used. - -@item --hidden-encrypt-to @code{name} -Same as --hidden-recipient but this one is intended for use in the -options file and may be used with your own user-id as a hidden -"encrypt-to-self". These keys are only used when there are other -recipients given either by use of --recipient or by the asked user id. -No trust checking is performed for these user ids and even disabled -keys can be used. - -@item --no-encrypt-to -Disable the use of all --encrypt-to and --hidden-encrypt-to keys. - -@item -v, --verbose -Give more information during processing. If used -twice, the input data is listed in detail. - -@item -q, --quiet -Try to be as quiet as possible. - -@item -z @code{n} -@itemx --compress-level @code{n} -@itemx --bzip2-compress-level @code{n} -Set compression level to @code{n} for the ZIP and ZLIB compression -algorithms. The default is to use the default compression level of -zlib (normally 6). --bzip2-compress-level sets the compression level -for the BZIP2 compression algorithm (defaulting to 6 as well). This -is a different option from --compress-level since BZIP2 uses a -significant amount of memory for each additional compression level. --z sets both. A value of 0 for @code{n} disables compression. - -@item --bzip2-decompress-lowmem -Use a different decompression method for BZIP2 compressed files. This -alternate method uses a bit more than half the memory, but also runs -at half the speed. This is useful under extreme low memory -circumstances when the file was originally compressed at a high ---bzip2-compress-level. - -@item -t, --textmode -@itemx --no-textmode -Treat input files as text and store them in the OpenPGP canonical text -form with standard "CRLF" line endings. This also sets the necessary -flags to inform the recipient that the encrypted or signed data is -text and may need its line endings converted back to whatever the -local system uses. This option is useful when communicating between -two platforms that have different line ending conventions (UNIX-like -to Mac, Mac to Windows, etc). --no-textmode disables this option, and -is the default. - -If -t (but not --textmode) is used together with armoring and signing, -this enables clearsigned messages. This kludge is needed for -command-line compatibility with command-line versions of PGP; normally -you would use --sign or --clearsign to select the type of the -signature. - -@item -n, --dry-run -Don't make any changes (this is not completely implemented). - -@item -i, --interactive -Prompt before overwriting any files. - -@item --batch -@itemx --no-batch -Use batch mode. Never ask, do not allow interactive commands. ---no-batch disables this option. - -@item --no-tty -Make sure that the TTY (terminal) is never used for any output. -This option is needed in some cases because GnuPG sometimes prints -warnings to the TTY if --batch is used. - -@item --yes -Assume "yes" on most questions. - -@item --no -Assume "no" on most questions. - -@item --ask-cert-level -@itemx --no-ask-cert-level -When making a key signature, prompt for a certification level. If -this option is not specified, the certification level used is set via ---default-cert-level. See --default-cert-level for information on the -specific levels and how they are used. --no-ask-cert-level disables -this option. This option defaults to no. - -@item --default-cert-level @code{n} -The default to use for the check level when signing a key. - -0 means you make no particular claim as to how carefully you verified -the key. - -1 means you believe the key is owned by the person who claims to own -it but you could not, or did not verify the key at all. This is -useful for a "persona" verification, where you sign the key of a -pseudonymous user. - -2 means you did casual verification of the key. For example, this -could mean that you verified that the key fingerprint and checked the -user ID on the key against a photo ID. - -3 means you did extensive verification of the key. For example, this -could mean that you verified the key fingerprint with the owner of the -key in person, and that you checked, by means of a hard to forge -document with a photo ID (such as a passport) that the name of the key -owner matches the name in the user ID on the key, and finally that you -verified (by exchange of email) that the email address on the key -belongs to the key owner. - -Note that the examples given above for levels 2 and 3 are just that: -examples. In the end, it is up to you to decide just what "casual" -and "extensive" mean to you. - -This option defaults to 0 (no particular claim). - -@item --min-cert-level -When building the trust database, treat any signatures with a -certification level below this as invalid. Defaults to 2, which -disregards level 1 signatures. Note that level 0 "no particular -claim" signatures are always accepted. - -@item --trusted-key @code{long key ID} -Assume that the specified key (which must be given -as a full 8 byte key ID) is as trustworthy as one of -your own secret keys. This option is useful if you -don't want to keep your secret keys (or one of them) -online but still want to be able to check the validity of a given -recipient's or signator's key. - -@item --trust-model @code{pgp|classic|direct|always|auto} -Set what trust model GnuPG should follow. The models are: - -@table @asis - -@item pgp -This is the Web of Trust combined with trust signatures as used in PGP -5.x and later. This is the default trust model when creating a new -trust database. - -@item classic -This is the standard Web of Trust as used in PGP 2.x and earlier. - -@item direct -Key validity is set directly by the user and not calculated via the -Web of Trust. - -@item always -Skip key validation and assume that used keys are always fully -trusted. You generally won't use this unless you are using some -external validation scheme. This option also suppresses the -"[uncertain]" tag printed with signature checks when there is no -evidence that the user ID is bound to the key. - -@item auto -Select the trust model depending on whatever the internal trust -database says. This is the default model if such a database already -exists. -@end table - -@item --always-trust -Identical to `--trust-model always'. This option is deprecated. - -@item --auto-key-locate @code{parameters} -@itemx --no-auto-key-locate -GnuPG can automatically locate and retrieve keys as needed using this -option. This happens when encrypting to an email address (in the -"user@@example.com" form), and there are no user@@example.com keys on -the local keyring. This option takes any number of the following -arguments, in the order they are to be tried: - -@table @asis - -@item cert -locate a key using DNS CERT, as specified in 2538bis (currently in -draft): http://www.josefsson.org/rfc2538bis/ - -@item pka -locate a key using DNS PKA. - -@item ldap -locate a key using the PGP Universal method of checking -"ldap://keys.(thedomain)". - -@item keyserver -locate a key using whatever keyserver is defined using the --keyserver -option. - -@item (keyserver URL) -In addition, a keyserver URL as used in the --keyserver option may be -used here to query that particular keyserver. -@end table - -@item --keyid-format @code{short|0xshort|long|0xlong} -Select how to display key IDs. "short" is the traditional 8-character -key ID. "long" is the more accurate (but less convenient) -16-character key ID. Add an "0x" to either to include an "0x" at the -beginning of the key ID, as in 0x99242560. - -@item --keyserver @code{name} -Use @code{name} as your keyserver. This is the server that ---recv-keys, --send-keys, and --search-keys will communicate with to -receive keys from, send keys to, and search for keys on. The format -of the @code{name} is a URI: `scheme:[//]keyservername[:port]' The -scheme is the type of keyserver: "hkp" for the HTTP (or compatible) -keyservers, "ldap" for the LDAP keyservers, or "mailto" for the Graff -email keyserver. Note that your particular installation of GnuPG may -have other keyserver types available as well. Keyserver schemes are -case-insensitive. After the keyserver name, optional keyserver -configuration options may be provided. These are the same as the -global --keyserver-options from below, but apply only to this -particular keyserver. - -Most keyservers synchronize with each other, so there is generally no -need to send keys to more than one server. The keyserver -"hkp://subkeys.pgp.net" uses round robin DNS to give a different -keyserver each time you use it. - -@item --keyserver-options @code{name=value1 } -This is a space or comma delimited string that gives options for the -keyserver. Options can be prepended with a `no-' to give the opposite -meaning. Valid import-options or export-options may be used here as -well to apply to importing (--recv-key) or exporting (--send-key) a -key from a keyserver. While not all options are available for all -keyserver types, some common options are: - -@table @asis - -@item include-revoked -When searching for a key with --search-keys, include keys that are -marked on the keyserver as revoked. Note that not all keyservers -differentiate between revoked and unrevoked keys, and for such -keyservers this option is meaningless. Note also that most keyservers -do not have cryptographic verification of key revocations, and so -turning this option off may result in skipping keys that are -incorrectly marked as revoked. - -@item include-disabled -When searching for a key with --search-keys, include keys that are -marked on the keyserver as disabled. Note that this option is not -used with HKP keyservers. - -@item auto-key-retrieve -This option enables the automatic retrieving of keys from a keyserver -when verifying signatures made by keys that are not on the local -keyring. - -Note that this option makes a "web bug" like behavior possible. -Keyserver operators can see which keys you request, so by sending you -a message signed by a brand new key (which you naturally will not have -on your local keyring), the operator can tell both your IP address and -the time when you verified the signature. - -@item honor-keyserver-url -When using --refresh-keys, if the key in question has a preferred -keyserver URL, then use that preferred keyserver to refresh the key -from. In addition, if auto-key-retrieve is set, and the signature -being verified has a preferred keyserver URL, then use that preferred -keyserver to fetch the key from. Defaults to yes. - -@item honor-pka-record -If auto-key-retrieve is set, and the signature being verified has a -PKA record, then use the PKA information to fetch the key. Defaults -to yes. - -@item include-subkeys -When receiving a key, include subkeys as potential targets. Note that -this option is not used with HKP keyservers, as they do not support -retrieving keys by subkey id. - -@item use-temp-files -On most Unix-like platforms, GnuPG communicates with the keyserver -helper program via pipes, which is the most efficient method. This -option forces GnuPG to use temporary files to communicate. On some -platforms (such as Win32 and RISC OS), this option is always enabled. - -@item keep-temp-files -If using `use-temp-files', do not delete the temp files after using -them. This option is useful to learn the keyserver communication -protocol by reading the temporary files. - -@item verbose -Tell the keyserver helper program to be more verbose. This option can -be repeated multiple times to increase the verbosity level. - -@item timeout -Tell the keyserver helper program how long (in seconds) to try and -perform a keyserver action before giving up. Note that performing -multiple actions at the same time uses this timeout value per action. -For example, when retrieving multiple keys via --recv-keys, the -timeout applies separately to each key retrieval, and not to the ---recv-keys command as a whole. Defaults to 30 seconds. - -@item http-proxy -For HTTP-like keyserver schemes that (such as HKP and HTTP itself), -try to access the keyserver over a proxy. If a @code{value} is -specified, use this as the HTTP proxy. If no @code{value} is -specified, the value of the environment variable "http_proxy", if any, -will be used. - -@item max-cert-size -When retrieving a key via DNS CERT, only accept keys up to this size. -Defaults to 16384 bytes. -@end table - -@item --import-options @code{parameters} -This is a space or comma delimited string that gives options for -importing keys. Options can be prepended with a `no-' to give the -opposite meaning. The options are: - -@table @asis - -@item import-local-sigs -Allow importing key signatures marked as "local". This is not -generally useful unless a shared keyring scheme is being used. -Defaults to no. - -@item repair-pks-subkey-bug -During import, attempt to repair the damage caused by the PKS -keyserver bug (pre version 0.9.6) that mangles keys with multiple -subkeys. Note that this cannot completely repair the damaged key as -some crucial data is removed by the keyserver, but it does at least -give you back one subkey. Defaults to no for regular --import and to -yes for keyserver --recv-keys. - -@item merge-only -During import, allow key updates to existing keys, but do not allow -any new keys to be imported. Defaults to no. - -@item import-clean -After import, compact (remove all signatures except the -self-signature) any user IDs from the new key that are not usable. -Then, remove any signatures from the new key that are not usable. -This includes signatures that were issued by keys that are not present -on the keyring. This option is the same as running the --edit-key -command "clean" after import. Defaults to no. - -@item import-minimal -Import the smallest key possible. This removes all signatures except -the most recent self-signature on each user ID. This option is the -same as running the --edit-key command "minimize" after import. -Defaults to no. -@end table - -@item --export-options @code{parameters} -This is a space or comma delimited string that gives options for -exporting keys. Options can be prepended with a `no-' to give the -opposite meaning. The options are: - -@table @asis - -@item export-local-sigs -Allow exporting key signatures marked as "local". This is not -generally useful unless a shared keyring scheme is being used. -Defaults to no. - -@item export-attributes -Include attribute user IDs (photo IDs) while exporting. This is -useful to export keys if they are going to be used by an OpenPGP -program that does not accept attribute user IDs. Defaults to yes. - -@item export-sensitive-revkeys -Include designated revoker information that was marked as -"sensitive". Defaults to no. - -@item export-reset-subkey-passwd -When using the "--export-secret-subkeys" command, this option resets -the passphrases for all exported subkeys to empty. This is useful -when the exported subkey is to be used on an unattended machine where -a passphrase doesn't necessarily make sense. Defaults to no. - -@item export-clean -Compact (remove all signatures from) user IDs on the key being -exported if the user IDs are not usable. Also, do not export any -signatures that are not usable. This includes signatures that were -issued by keys that are not present on the keyring. This option is -the same as running the --edit-key command "clean" before export -except that the local copy of the key is not modified. Defaults to -no. - -@item export-minimal -Export the smallest key possible. This removes all signatures except -the most recent self-signature on each user ID. This option is the -same as running the --edit-key command "minimize" before export except -that the local copy of the key is not modified. Defaults to no. -@end table - -@item --list-options @code{parameters} -This is a space or comma delimited string that gives options used when -listing keys and signatures (that is, --list-keys, --list-sigs, ---list-public-keys, --list-secret-keys, and the --edit-key functions). -Options can be prepended with a `no-' to give the opposite meaning. -The options are: - -@table @asis - -@item show-photos -Causes --list-keys, --list-sigs, --list-public-keys, and ---list-secret-keys to display any photo IDs attached to the key. -Defaults to no. See also --photo-viewer. - -@item show-policy-urls -Show policy URLs in the --list-sigs or --check-sigs listings. -Defaults to no. - -@item show-notations -@itemx show-std-notations -@itemx show-user-notations -Show all, IETF standard, or user-defined signature notations in the ---list-sigs or --check-sigs listings. Defaults to no. - -@item show-keyserver-urls -Show any preferred keyserver URL in the --list-sigs or --check-sigs -listings. Defaults to no. - -@item show-uid-validity -Display the calculated validity of user IDs during key listings. -Defaults to no. - -@item show-unusable-uids -Show revoked and expired user IDs in key listings. Defaults to no. - -@item show-unusable-subkeys -Show revoked and expired subkeys in key listings. Defaults to no. - -@item show-keyring -Display the keyring name at the head of key listings to show which -keyring a given key resides on. Defaults to no. - -@item show-sig-expire -Show signature expiration dates (if any) during --list-sigs or ---check-sigs listings. Defaults to no. - -@item show-sig-subpackets -Include signature subpackets in the key listing. This option can take -an optional argument list of the subpackets to list. If no argument -is passed, list all subpackets. Defaults to no. This option is only -meaningful when using --with-colons along with --list-sigs or ---check-sigs. -@end table - -@item --verify-options @code{parameters} -This is a space or comma delimited string that gives options used when -verifying signatures. Options can be prepended with a `no-' to give -the opposite meaning. The options are: - -@table @asis - -@item show-photos -Display any photo IDs present on the key that issued the signature. -Defaults to no. See also --photo-viewer. - -@item show-policy-urls -Show policy URLs in the signature being verified. Defaults to no. - -@item show-notations -@itemx show-std-notations -@itemx show-user-notations -Show all, IETF standard, or user-defined signature notations in the -signature being verified. Defaults to IETF standard. - -@item show-keyserver-urls -Show any preferred keyserver URL in the signature being verified. -Defaults to no. - -@item show-uid-validity -Display the calculated validity of the user IDs on the key that issued -the signature. Defaults to no. - -@item show-unusable-uids -Show revoked and expired user IDs during signature verification. -Defaults to no. - -@item pka-lookups -Enable PKA lookups to verify sender addresses. Note that PKA is based -on DNS, and so enabling this option may disclose information on when -and what signatures are verified or to whom data is encrypted. This -is similar to the "web bug" described for the auto-key-retrieve -feature. - -@item pka-trust-increase -Raise the trust in a signature to full if the signature passes PKA -validation. This option is only meaningful if pka-lookups is set. -@end table - -@item --enable-dsa2 -@itemx --disable-dsa2 -Enables new-style DSA keys which (unlike the old style) may be larger -than 1024 bit and use hashes other than SHA-1 and RIPEMD/160. Note -that very few programs currently support these keys and signatures -from them. - -@item --show-photos -@itemx --no-show-photos -Causes --list-keys, --list-sigs, --list-public-keys, ---list-secret-keys, and verifying a signature to also display the -photo ID attached to the key, if any. See also --photo-viewer. These -options are deprecated. Use `--list-options [no-]show-photos' and/or -`--verify-options [no-]show-photos' instead. - -@item --photo-viewer @code{string} -This is the command line that should be run to view a photo ID. "%i" -will be expanded to a filename containing the photo. "%I" does the -same, except the file will not be deleted once the viewer exits. -Other flags are "%k" for the key ID, "%K" for the long key ID, "%f" -for the key fingerprint, "%t" for the extension of the image type -(e.g. "jpg"), "%T" for the MIME type of the image (e.g. "image/jpeg"), -and "%%" for an actual percent sign. If neither %i or %I are present, -then the photo will be supplied to the viewer on standard input. - -The default viewer is "xloadimage -fork -quiet -title 'KeyID 0x%k' -stdin". Note that if your image viewer program is not secure, then -executing it from GnuPG does not make it secure. - -@item --exec-path @code{string} -Sets a list of directories to search for photo viewers and keyserver -helpers. If not provided, keyserver helpers use the compiled-in -default directory, and photo viewers use the $PATH environment -variable. -Note, that on W32 system this value is ignored when searching for -keyserver helpers. - -@item --show-keyring -Display the keyring name at the head of key listings to show which -keyring a given key resides on. This option is deprecated: use -`--list-options [no-]show-keyring' instead. - -@item --keyring @code{file} -Add @code{file} to the current list of keyrings. If @code{file} begins -with a tilde and a slash, these are replaced by the $HOME -directory. If the filename does not contain a slash, it is assumed to -be in the GnuPG home directory ("~/.gnupg" if --homedir or $GNUPGHOME -is not used). - -Note that this adds a keyring to the current list. If the intent is -to use the specified keyring alone, use --keyring along with ---no-default-keyring. - -@item --secret-keyring @code{file} -Same as --keyring but for the secret keyrings. - -@item --primary-keyring @code{file} -Designate @code{file} as the primary public keyring. This means that -newly imported keys (via --import or keyserver --recv-from) will go to -this keyring. - -@item --trustdb-name @code{file} -Use @code{file} instead of the default trustdb. If @code{file} begins -with a tilde and a slash, these are replaced by the $HOME -directory. If the filename does not contain a slash, it is assumed to -be in the GnuPG home directory ("~/.gnupg" if --homedir or $GNUPGHOME -is not used). - -@item --homedir @code{directory} -Set the name of the home directory to @code{directory} If this option is not -used it defaults to "~/.gnupg". It does not make sense to use this in -a options file. This also overrides the environment variable -$GNUPGHOME. - -@item --pcsc-driver @code{file} -Use @code{file} to access the smartcard reader. The current default is -`libpcsclite.so.1' for GLIBC based systems, -`/System/Library/Frameworks/PCSC.framework/PCSC' for MAC OS X, -`winscard.dll' for Windows and `libpcsclite.so' for other systems. - -@item --ctapi-driver @code{file} -Use @code{file} to access the smartcard reader. The current default -is `libtowitoko.so'. Note that the use of this interface is -deprecated; it may be removed in future releases. - -@item --disable-ccid -Disable the integrated support for CCID compliant readers. This -allows to fall back to one of the other drivers even if the internal -CCID driver can handle the reader. Note, that CCID support is only -available if libusb was available at build time. - -@item --reader-port @code{number_or_string} -This option may be used to specify the port of the card terminal. A -value of 0 refers to the first serial device; add 32768 to access USB -devices. The default is 32768 (first USB device). PC/SC or CCID -readers might need a string here; run the program in verbose mode to get -a list of available readers. The default is then the first reader -found. - -@item --display-charset @code{name} -Set the name of the native character set. This is used to convert -some informational strings like user IDs to the proper UTF-8 encoding. -Note that this has nothing to do with the character set of data to be -encrypted or signed; GnuPG does not recode user supplied data. If -this option is not used, the default character set is determined from -the current locale. A verbosity level of 3 shows the chosen set. -Valid values for @code{name} are: - -@table @asis - -@item iso-8859-1 -This is the Latin 1 set. - -@item iso-8859-2 -The Latin 2 set. - -@item iso-8859-15 -This is currently an alias for -the Latin 1 set. - -@item koi8-r -The usual Russian set (rfc1489). - -@item utf-8 -Bypass all translations and assume -that the OS uses native UTF-8 encoding. -@end table - -@item --utf8-strings -@itemx --no-utf8-strings -Assume that command line arguments are given as UTF8 strings. The -default (--no-utf8-strings) is to assume that arguments are encoded in -the character set as specified by --display-charset. These options -affect all following arguments. Both options may be used multiple -times. - -@item --options @code{file} -Read options from @code{file} and do not try to read -them from the default options file in the homedir -(see --homedir). This option is ignored if used -in an options file. - -@item --no-options -Shortcut for "--options /dev/null". This option is -detected before an attempt to open an option file. -Using this option will also prevent the creation of a -"~./gnupg" homedir. - -@item --load-extension @code{name} -Load an extension module. If @code{name} does not contain a slash it is -searched for in the directory configured when GnuPG was built -(generally "/usr/local/lib/gnupg"). Extensions are not generally -useful anymore, and the use of this option is deprecated. - -@item --debug @code{flags} -Set debugging flags. All flags are or-ed and @code{flags} may -be given in C syntax (e.g. 0x0042). - -@item --debug-all -Set all useful debugging flags. - -@item --debug-ccid-driver -Enable debug output from the included CCID driver for smartcards. -Note that this option is only available on some system. - -@item --enable-progress-filter -Enable certain PROGRESS status outputs. This option allows frontends -to display a progress indicator while gpg is processing larger files. -There is a slight performance overhead using it. - -@item --status-fd @code{n} -Write special status strings to the file descriptor @code{n}. -See the file DETAILS in the documentation for a listing of them. - -@item --status-file @code{file} -Same as --status-fd, except the status data is written to file -@code{file}. - -@item --logger-fd @code{n} -Write log output to file descriptor @code{n} and not to stderr. - -@item --logger-file @code{file} -Same as --logger-fd, except the logger data is written to file -@code{file}. - -@item --attribute-fd @code{n} -Write attribute subpackets to the file descriptor @code{n}. This is -most useful for use with --status-fd, since the status messages are -needed to separate out the various subpackets from the stream -delivered to the file descriptor. - -@item --attribute-file @code{file} -Same as --attribute-fd, except the attribute data is written to file -@code{file}. - -@item --comment @code{string} -@itemx --no-comments -Use @code{string} as a comment string in clear text signatures and -ASCII armored messages or keys (see --armor). The default behavior is -not to use a comment string. --comment may be repeated multiple times -to get multiple comment strings. --no-comments removes all comments. -It is a good idea to keep the length of a single comment below 60 -characters to avoid problems with mail programs wrapping such lines. -Note that comment lines, like all other header lines, are not -protected by the signature. - -@item --emit-version -@itemx --no-emit-version -Force inclusion of the version string in ASCII armored output. ---no-emit-version disables this option. - -@item --sig-notation @code{name=value} -@itemx --cert-notation @code{name=value} -@itemx -N, --set-notation @code{name=value} -Put the name value pair into the signature as notation data. -@code{name} must consist only of printable characters or spaces, and -must contain a '@@' character in the form keyname@@domain.example.com -(substituting the appropriate keyname and domain name, of course). -This is to help prevent pollution of the IETF reserved notation -namespace. The --expert flag overrides the '@@' check. @code{value} -may be any printable string; it will be encoded in UTF8, so you should -check that your --display-charset is set correctly. If you prefix -@code{name} with an exclamation mark (!), the notation data will be -flagged as critical (rfc2440:5.2.3.15). --sig-notation sets a -notation for data signatures. --cert-notation sets a notation for key -signatures (certifications). --set-notation sets both. - -There are special codes that may be used in notation names. "%k" will -be expanded into the key ID of the key being signed, "%K" into the -long key ID of the key being signed, "%f" into the fingerprint of the -key being signed, "%s" into the key ID of the key making the -signature, "%S" into the long key ID of the key making the signature, -"%g" into the fingerprint of the key making the signature (which might -be a subkey), "%p" into the fingerprint of the primary key of the key -making the signature, "%c" into the signature count from the OpenPGP -smartcard, and "%%" results in a single "%". %k, %K, and %f are only -meaningful when making a key signature (certification), and %c is only -meaningful when using the OpenPGP smartcard. - -@item --show-notation -@itemx --no-show-notation -Show signature notations in the --list-sigs or --check-sigs listings -as well as when verifying a signature with a notation in it. These -options are deprecated. Use `--list-options [no-]show-notation' -and/or `--verify-options [no-]show-notation' instead. - -@item --sig-policy-url @code{string} -@itemx --cert-policy-url @code{string} -@itemx --set-policy-url @code{string} -Use @code{string} as a Policy URL for signatures (rfc2440:5.2.3.19). -If you prefix it with an exclamation mark (!), the policy URL packet -will be flagged as critical. --sig-policy-url sets a policy url for -data signatures. --cert-policy-url sets a policy url for key -signatures (certifications). --set-policy-url sets both. - -The same %-expandos used for notation data are available here as well. - -@item --show-policy-url -@itemx --no-show-policy-url -Show policy URLs in the --list-sigs or --check-sigs listings as well -as when verifying a signature with a policy URL in it. These options -are deprecated. Use `--list-options [no-]show-policy-url' and/or -`--verify-options [no-]show-policy-url' instead. - -@item --sig-keyserver-url @code{string} -Use @code{string} as a preferred keyserver URL for data signatures. If -you prefix it with an exclamation mark, the keyserver URL packet will -be flagged as critical. - -The same %-expandos used for notation data are available here as well. - -@item --set-filename @code{string} -Use @code{string} as the filename which is stored inside messages. -This overrides the default, which is to use the actual filename of the -file being encrypted. - -@item --for-your-eyes-only -@itemx --no-for-your-eyes-only -Set the `for your eyes only' flag in the message. This causes GnuPG -to refuse to save the file unless the --output option is given, and -PGP to use the "secure viewer" with a Tempest-resistant font to -display the message. This option overrides --set-filename. ---no-for-your-eyes-only disables this option. - -@item --use-embedded-filename -@itemx --no-use-embedded-filename -Try to create a file with a name as embedded in the data. This can be -a dangerous option as it allows to overwrite files. Defaults to no. - -@item --completes-needed @code{n} -Number of completely trusted users to introduce a new -key signer (defaults to 1). - -@item --marginals-needed @code{n} -Number of marginally trusted users to introduce a new -key signer (defaults to 3) - -@item --max-cert-depth @code{n} -Maximum depth of a certification chain (default is 5). - -@item --cipher-algo @code{name} -Use @code{name} as cipher algorithm. Running the program with the -command --version yields a list of supported algorithms. If this is -not used the cipher algorithm is selected from the preferences stored -with the key. In general, you do not want to use this option as it -allows you to violate the OpenPGP standard. ---personal-cipher-preferences is the safe way to accomplish the same -thing. - -@item --digest-algo @code{name} -Use @code{name} as the message digest algorithm. Running the program -with the command --version yields a list of supported algorithms. In -general, you do not want to use this option as it allows you to -violate the OpenPGP standard. --personal-digest-preferences is the -safe way to accomplish the same thing. - -@item --compress-algo @code{name} -Use compression algorithm @code{name}. "zlib" is RFC-1950 ZLIB -compression. "zip" is RFC-1951 ZIP compression which is used by PGP. -"bzip2" is a more modern compression scheme that can compress some -things better than zip or zlib, but at the cost of more memory used -during compression and decompression. "uncompressed" or "none" -disables compression. If this option is not used, the default -behavior is to examine the recipient key preferences to see which -algorithms the recipient supports. If all else fails, ZIP is used for -maximum compatibility. - -ZLIB may give better compression results than ZIP, as the compression -window size is not limited to 8k. BZIP2 may give even better -compression results than that, but will use a significantly larger -amount of memory while compressing and decompressing. This may be -significant in low memory situations. Note, however, that PGP (all -versions) only supports ZIP compression. Using any algorithm other -than ZIP or "none" will make the message unreadable with PGP. In -general, you do not want to use this option as it allows you to -violate the OpenPGP standard. --personal-compress-preferences is the -safe way to accomplish the same thing. - -@item --cert-digest-algo @code{name} -Use @code{name} as the message digest algorithm used when signing a -key. Running the program with the command --version yields a list of -supported algorithms. Be aware that if you choose an algorithm that -GnuPG supports but other OpenPGP implementations do not, then some -users will not be able to use the key signatures you make, or quite -possibly your entire key. - -@item --s2k-cipher-algo @code{name} -Use @code{name} as the cipher algorithm used to protect secret keys. -The default cipher is CAST5. This cipher is also used for -conventional encryption if --personal-cipher-preferences and ---cipher-algo is not given. - -@item --s2k-digest-algo @code{name} -Use @code{name} as the digest algorithm used to mangle the passphrases. -The default algorithm is SHA-1. - -@item --s2k-mode @code{n} -Selects how passphrases are mangled. If @code{n} is 0 a plain -passphrase (which is not recommended) will be used, a 1 adds a salt to -the passphrase and a 3 (the default) iterates the whole process a -couple of times. Unless --rfc1991 is used, this mode is also used for -conventional encryption. - -@item --simple-sk-checksum -Secret keys are integrity protected by using a SHA-1 checksum. This -method is part of the upcoming enhanced OpenPGP specification but -GnuPG already uses it as a countermeasure against certain attacks. -Old applications don't understand this new format, so this option may -be used to switch back to the old behaviour. Using this option bears -a security risk. Note that using this option only takes effect when -the secret key is encrypted - the simplest way to make this happen is -to change the passphrase on the key (even changing it to the same -value is acceptable). - -@item --disable-cipher-algo @code{name} -Never allow the use of @code{name} as cipher algorithm. -The given name will not be checked so that a later loaded algorithm -will still get disabled. - -@item --disable-pubkey-algo @code{name} -Never allow the use of @code{name} as public key algorithm. -The given name will not be checked so that a later loaded algorithm -will still get disabled. - -@item --no-sig-cache -Do not cache the verification status of key signatures. -Caching gives a much better performance in key listings. However, if -you suspect that your public keyring is not save against write -modifications, you can use this option to disable the caching. It -probably does not make sense to disable it because all kind of damage -can be done if someone else has write access to your public keyring. - -@item --no-sig-create-check -GnuPG normally verifies each signature right after creation to protect -against bugs and hardware malfunctions which could leak out bits from -the secret key. This extra verification needs some time (about 115% -for DSA keys), and so this option can be used to disable it. -However, due to the fact that the signature creation needs manual -interaction, this performance penalty does not matter in most settings. - -@item --auto-check-trustdb -@itemx --no-auto-check-trustdb -If GnuPG feels that its information about the Web of Trust has to be -updated, it automatically runs the --check-trustdb command internally. -This may be a time consuming process. --no-auto-check-trustdb -disables this option. - -@item --throw-keyids -@itemx --no-throw-keyids -Do not put the recipient key IDs into encrypted messages. This helps -to hide the receivers of the message and is a limited countermeasure -against traffic analysis. On the receiving side, it may slow down the -decryption process because all available secret keys must be tried. ---no-throw-keyids disables this option. This option is essentially -the same as using --hidden-recipient for all recipients. - -@item --not-dash-escaped -This option changes the behavior of cleartext signatures -so that they can be used for patch files. You should not -send such an armored file via email because all spaces -and line endings are hashed too. You can not use this -option for data which has 5 dashes at the beginning of a -line, patch files don't have this. A special armor header -line tells GnuPG about this cleartext signature option. - -@item --escape-from-lines -@itemx --no-escape-from-lines -Because some mailers change lines starting with "From " to ">From -" it is good to handle such lines in a special way when creating -cleartext signatures to prevent the mail system from breaking the -signature. Note that all other PGP versions do it this way too. -Enabled by default. --no-escape-from-lines disables this option. - -@item --passphrase-fd @code{n} -Read the passphrase from file descriptor @code{n}. Only the first line -will be read from file descriptor @code{n}. If you use 0 for @code{n}, -the passphrase will be read from stdin. This can only be used if only -one passphrase is supplied. - -@item --passphrase-file @code{file} -Read the passphrase from file @code{file}. Only the first line will -be read from file @code{file}. This can only be used if only one -passphrase is supplied. Obviously, a passphrase stored in a file is -of questionable security if other users can read this file. Don't use -this option if you can avoid it. - -@item --passphrase @code{string} -Use @code{string} as the passphrase. This can only be used if only one -passphrase is supplied. Obviously, this is of very questionable -security on a multi-user system. Don't use this option if you can -avoid it. - -@item --command-fd @code{n} -This is a replacement for the deprecated shared-memory IPC mode. -If this option is enabled, user input on questions is not expected -from the TTY but from the given file descriptor. It should be used -together with --status-fd. See the file doc/DETAILS in the source -distribution for details on how to use it. - -@item --command-file @code{file} -Same as --command-fd, except the commands are read out of file -@code{file} - -@item --use-agent -@itemx --no-use-agent -Try to use the GnuPG-Agent. Please note that this agent is still under -development. With this option, GnuPG first tries to connect to the -agent before it asks for a passphrase. --no-use-agent disables this -option. - -@item --gpg-agent-info -Override the value of the environment variable -@samp{GPG_AGENT_INFO}. This is only used when --use-agent has been given - -@item Compliance options -These options control what GnuPG is compliant to. Only one of these -options may be active at a time. Note that the default setting of -this is nearly always the correct one. See the INTEROPERABILITY WITH -OTHER OPENPGP PROGRAMS section below before using one of these -options. - -@table @asis - -@item --gnupg -Use standard GnuPG behavior. This is essentially OpenPGP behavior -(see --openpgp), but with some additional workarounds for common -compatibility problems in different versions of PGP. This is the -default option, so it is not generally needed, but it may be useful to -override a different compliance option in the gpg.conf file. - -@item --openpgp -Reset all packet, cipher and digest options to strict OpenPGP -behavior. Use this option to reset all previous options like ---rfc1991, --force-v3-sigs, --s2k-*, --cipher-algo, --digest-algo and ---compress-algo to OpenPGP compliant values. All PGP workarounds are -disabled. - -@item --rfc2440 -Reset all packet, cipher and digest options to strict RFC-2440 -behavior. Note that this is currently the same thing as --openpgp. - -@item --rfc1991 -Try to be more RFC-1991 (PGP 2.x) compliant. - -@item --pgp2 -Set up all options to be as PGP 2.x compliant as possible, and warn if -an action is taken (e.g. encrypting to a non-RSA key) that will create -a message that PGP 2.x will not be able to handle. Note that `PGP -2.x' here means `MIT PGP 2.6.2'. There are other versions of PGP 2.x -available, but the MIT release is a good common baseline. - -This option implies `--rfc1991 --disable-mdc --no-force-v4-certs ---no-sk-comment --escape-from-lines --force-v3-sigs ---no-ask-sig-expire --no-ask-cert-expire --cipher-algo IDEA ---digest-algo MD5 --compress-algo 1'. It also disables --textmode -when encrypting. - -@item --pgp6 -Set up all options to be as PGP 6 compliant as possible. This -restricts you to the ciphers IDEA (if the IDEA plugin is installed), -3DES, and CAST5, the hashes MD5, SHA1 and RIPEMD160, and the -compression algorithms none and ZIP. This also disables ---throw-keyids, and making signatures with signing subkeys as PGP 6 -does not understand signatures made by signing subkeys. - -This option implies `--disable-mdc --no-sk-comment --escape-from-lines ---force-v3-sigs --no-ask-sig-expire' - -@item --pgp7 -Set up all options to be as PGP 7 compliant as possible. This is -identical to --pgp6 except that MDCs are not disabled, and the list of -allowable ciphers is expanded to add AES128, AES192, AES256, and -TWOFISH. - -@item --pgp8 -Set up all options to be as PGP 8 compliant as possible. PGP 8 is a -lot closer to the OpenPGP standard than previous versions of PGP, so -all this does is disable --throw-keyids and set --escape-from-lines. -All algorithms are allowed except for the SHA224, SHA384, and SHA512 -digests. -@end table - -@item --force-v3-sigs -@itemx --no-force-v3-sigs -OpenPGP states that an implementation should generate v4 signatures -but PGP versions 5 through 7 only recognize v4 signatures on key -material. This option forces v3 signatures for signatures on data. -Note that this option overrides --ask-sig-expire, as v3 signatures -cannot have expiration dates. --no-force-v3-sigs disables this -option. - -@item --force-v4-certs -@itemx --no-force-v4-certs -Always use v4 key signatures even on v3 keys. This option also -changes the default hash algorithm for v3 RSA keys from MD5 to SHA-1. ---no-force-v4-certs disables this option. - -@item --force-mdc -Force the use of encryption with a modification detection code. This -is always used with the newer ciphers (those with a blocksize greater -than 64 bits), or if all of the recipient keys indicate MDC support in -their feature flags. - -@item --disable-mdc -Disable the use of the modification detection code. Note that by -using this option, the encrypted message becomes vulnerable to a -message modification attack. - -@item --allow-non-selfsigned-uid -@itemx --no-allow-non-selfsigned-uid -Allow the import and use of keys with user IDs which are not -self-signed. This is not recommended, as a non self-signed user ID is -trivial to forge. --no-allow-non-selfsigned-uid disables. - -@item --allow-freeform-uid -Disable all checks on the form of the user ID while generating a new -one. This option should only be used in very special environments as -it does not ensure the de-facto standard format of user IDs. - -@item --ignore-time-conflict -GnuPG normally checks that the timestamps associated with keys and -signatures have plausible values. However, sometimes a signature -seems to be older than the key due to clock problems. This option -makes these checks just a warning. See also --ignore-valid-from for -timestamp issues on subkeys. - -@item --ignore-valid-from -GnuPG normally does not select and use subkeys created in the future. -This option allows the use of such keys and thus exhibits the -pre-1.0.7 behaviour. You should not use this option unless you there -is some clock problem. See also --ignore-time-conflict for timestamp -issues with signatures. - -@item --ignore-crc-error -The ASCII armor used by OpenPGP is protected by a CRC checksum against -transmission errors. Occasionally the CRC gets mangled somewhere on -the transmission channel but the actual content (which is protected by -the OpenPGP protocol anyway) is still okay. This option allows GnuPG -to ignore CRC errors. - -@item --ignore-mdc-error -This option changes a MDC integrity protection failure into a warning. -This can be useful if a message is partially corrupt, but it is -necessary to get as much data as possible out of the corrupt message. -However, be aware that a MDC protection failure may also mean that the -message was tampered with intentionally by an attacker. - -@item --lock-once -Lock the databases the first time a lock is requested -and do not release the lock until the process -terminates. - -@item --lock-multiple -Release the locks every time a lock is no longer -needed. Use this to override a previous --lock-once -from a config file. - -@item --lock-never -Disable locking entirely. This option should be used only in very -special environments, where it can be assured that only one process -is accessing those files. A bootable floppy with a stand-alone -encryption system will probably use this. Improper usage of this -option may lead to data and key corruption. - -@item --exit-on-status-write-error -This option will cause write errors on the status FD to immediately -terminate the process. That should in fact be the default but it -never worked this way and thus we need an option to enable this, so -that the change won't break applications which close their end of a -status fd connected pipe too early. Using this option along with ---enable-progress-filter may be used to cleanly cancel long running -gpg operations. - -@item --limit-card-insert-tries @code{n} -With @code{n} greater than 0 the number of prompts asking to insert a -smartcard gets limited to N-1. Thus with a value of 1 gpg won't at -all ask to insert a card if none has been inserted at startup. This -option is useful in the configuration file in case an application does -not know about the smartcard support and waits ad infinitum for an -inserted card. - -@item --no-random-seed-file -GnuPG uses a file to store its internal random pool over invocations. -This makes random generation faster; however sometimes write operations -are not desired. This option can be used to achieve that with the cost of -slower random generation. - -@item --no-verbose -Reset verbose level to 0. - -@item --no-greeting -Suppress the initial copyright message. - -@item --no-secmem-warning -Suppress the warning about "using insecure memory". - -@item --no-permission-warning -Suppress the warning about unsafe file and home directory (--homedir) -permissions. Note that the permission checks that GnuPG performs are -not intended to be authoritative, but rather they simply warn about -certain common permission problems. Do not assume that the lack of a -warning means that your system is secure. - -Note that the warning for unsafe --homedir permissions cannot be -suppressed in the gpg.conf file, as this would allow an attacker to -place an unsafe gpg.conf file in place, and use this file to suppress -warnings about itself. The --homedir permissions warning may only be -suppressed on the command line. - -@item --no-mdc-warning -Suppress the warning about missing MDC integrity protection. - -@item --require-secmem -@itemx --no-require-secmem -Refuse to run if GnuPG cannot get secure memory. Defaults to no -(i.e. run, but give a warning). - -@item --no-armor -Assume the input data is not in ASCII armored format. - -@item --no-default-keyring -Do not add the default keyrings to the list of keyrings. Note that -GnuPG will not operate without any keyrings, so if you use this option -and do not provide alternate keyrings via --keyring or ---secret-keyring, then GnuPG will still use the default public or -secret keyrings. - -@item --skip-verify -Skip the signature verification step. This may be -used to make the decryption faster if the signature -verification is not needed. - -@item --with-colons -Print key listings delimited by colons. Note that the output will be -encoded in UTF-8 regardless of any --display-charset setting. This -format is useful when GnuPG is called from scripts and other programs -as it is easily machine parsed. The details of this format are -documented in the file doc/DETAILS, which is included in the GnuPG -source distribution. - -@item --with-key-data -Print key listings delimited by colons (like --with-colons) and print the public key data. - -@item --with-fingerprint -Same as the command --fingerprint but changes only the format of the output -and may be used together with another command. - -@item --fast-list-mode -Changes the output of the list commands to work faster; this is achieved -by leaving some parts empty. Some applications don't need the user ID and -the trust information given in the listings. By using this options they -can get a faster listing. The exact behaviour of this option may change -in future versions. - -@item --fixed-list-mode -Do not merge primary user ID and primary key in --with-colon listing -mode and print all timestamps as seconds since 1970-01-01. - -@item --list-only -Changes the behaviour of some commands. This is like --dry-run but -different in some cases. The semantic of this command may be extended in -the future. Currently it only skips the actual decryption pass and -therefore enables a fast listing of the encryption keys. - -@item --no-literal -This is not for normal use. Use the source to see for what it might be useful. - -@item --set-filesize -This is not for normal use. Use the source to see for what it might be useful. - -@item --show-session-key -Display the session key used for one message. See --override-session-key -for the counterpart of this option. - -We think that Key Escrow is a Bad Thing; however the user should have -the freedom to decide whether to go to prison or to reveal the content -of one specific message without compromising all messages ever -encrypted for one secret key. DON'T USE IT UNLESS YOU ARE REALLY -FORCED TO DO SO. - -@item --override-session-key @code{string} -Don't use the public key but the session key @code{string}. The format of this -string is the same as the one printed by --show-session-key. This option -is normally not used but comes handy in case someone forces you to reveal the -content of an encrypted message; using this option you can do this without -handing out the secret key. - -@item --require-cross-certification -@itemx --no-require-certification -When verifying a signature made from a subkey, ensure that the cross -certification "back signature" on the subkey is present and valid. -This protects against a subtle attack against subkeys that can sign. -Currently defaults to --no-require-cross-certification, but will be -changed to --require-cross-certification in the future. - -@item --ask-sig-expire -@itemx --no-ask-sig-expire -When making a data signature, prompt for an expiration time. If this -option is not specified, the expiration time set via ---default-sig-expire is used. --no-ask-sig-expire disables this -option. Note that by default, --force-v3-sigs is set which also -disables this option. If you want signature expiration, you must set ---no-force-v3-sigs as well as turning --ask-sig-expire on. - -@item --default-sig-expire -The default expiration time to use for signature expiration. Valid -values are "0" for no expiration, a number followed by the letter d -(for days), w (for weeks), m (for months), or y (for years) (for -example "2m" for two months, or "5y" for five years), or an absolute -date in the form YYYY-MM-DD. Defaults to "0". - -@item --ask-cert-expire -@itemx --no-ask-cert-expire -When making a key signature, prompt for an expiration time. If this -option is not specified, the expiration time set via ---default-cert-expire is used. --no-ask-cert-expire disables this -option. - -@item --default-cert-expire -The default expiration time to use for key signature expiration. -Valid values are "0" for no expiration, a number followed by the -letter d (for days), w (for weeks), m (for months), or y (for years) -(for example "2m" for two months, or "5y" for five years), or an -absolute date in the form YYYY-MM-DD. Defaults to "0". - -@item --expert -@itemx --no-expert -Allow the user to do certain nonsensical or "silly" things like -signing an expired or revoked key, or certain potentially incompatible -things like generating unusual key types. This also disables certain -warning messages about potentially incompatible actions. As the name -implies, this option is for experts only. If you don't fully -understand the implications of what it allows you to do, leave this -off. --no-expert disables this option. - -@item --allow-secret-key-import -This is an obsolete option and is not used anywhere. - -@item --try-all-secrets -Don't look at the key ID as stored in the message but try all secret -keys in turn to find the right decryption key. This option forces the -behaviour as used by anonymous recipients (created by using ---throw-keyids) and might come handy in case where an encrypted -message contains a bogus key ID. - -@item --allow-multisig-verification -Allow verification of concatenated signed messages. This will run a -signature verification for each data+signature block. There are some -security issues with this option and thus it is off by default. Note -that versions of GPG prior to version 1.4.3 implicitly allowed this. - -@item --enable-special-filenames -This options enables a mode in which filenames of the form -@file{-&n}, where n is a non-negative decimal number, -refer to the file descriptor n and not to a file with that name. - -@item --no-expensive-trust-checks -Experimental use only. - -@item --group @code{name=value1 } -Sets up a named group, which is similar to aliases in email programs. -Any time the group name is a recipient (-r or --recipient), it will be -expanded to the values specified. Multiple groups with the same name -are automatically merged into a single group. - -The values are @code{key IDs} or fingerprints, but any key description -is accepted. Note that a value with spaces in it will be treated as -two different values. Note also there is only one level of expansion -- you cannot make an group that points to another group. When used -from the command line, it may be necessary to quote the argument to -this option to prevent the shell from treating it as multiple -arguments. - -@item --ungroup @code{name} -Remove a given entry from the --group list. - -@item --no-groups -Remove all entries from the --group list. - -@item --preserve-permissions -Don't change the permissions of a secret keyring back to user -read/write only. Use this option only if you really know what you are doing. - -@item --personal-cipher-preferences @code{string} -Set the list of personal cipher preferences to @code{string}, this list -should be a string similar to the one printed by the command "pref" in -the edit menu. This allows the user to factor in their own preferred -algorithms when algorithms are chosen via recipient key preferences. -The most highly ranked cipher in this list is also used for the ---symmetric encryption command. - -@item --personal-digest-preferences @code{string} -Set the list of personal digest preferences to @code{string}, this list -should be a string similar to the one printed by the command "pref" in -the edit menu. This allows the user to factor in their own preferred -algorithms when algorithms are chosen via recipient key preferences. -The most highly ranked digest algorithm in this list is algo used when -signing without encryption (e.g. --clearsign or --sign). The default -value is SHA-1. - -@item --personal-compress-preferences @code{string} -Set the list of personal compression preferences to @code{string}, this -list should be a string similar to the one printed by the command -"pref" in the edit menu. This allows the user to factor in their own -preferred algorithms when algorithms are chosen via recipient key -preferences. The most highly ranked algorithm in this list is also -used when there are no recipient keys to consider (e.g. --symmetric). - -@item --default-preference-list @code{string} -Set the list of default preferences to @code{string}. This preference -list is used for new keys and becomes the default for "setpref" in the -edit menu. - -@item --default-keyserver-url @code{name} -Set the default keyserver URL to @code{name}. This keyserver will be -used as the keyserver URL when writing a new self-signature on a key, -which includes key generation and changing preferences. - -@item --list-config -Display various internal configuration parameters of GnuPG. This -option is intended for external programs that call GnuPG to perform -tasks, and is thus not generally useful. See the file -@file{doc/DETAILS} in the source distribution for the -details of which configuration items may be listed. --list-config is -only usable with --with-colons set. -@end table -@chapheading How to specify a user ID - -There are different ways to specify a user ID to GnuPG; here are some -examples: - -@table @asis - -@item - -@item 234567C4 -@itemx 0F34E556E -@itemx 01347A56A -@itemx 0xAB123456 -Here the key ID is given in the usual short form. - -@item 234AABBCC34567C4 -@itemx 0F323456784E56EAB -@itemx 01AB3FED1347A5612 -@itemx 0x234AABBCC34567C4 -Here the key ID is given in the long form as used by OpenPGP -(you can get the long key ID using the option --with-colons). - -@item 1234343434343434C434343434343434 -@itemx 123434343434343C3434343434343734349A3434 -@itemx 0E12343434343434343434EAB3484343434343434 -@itemx 0xE12343434343434343434EAB3484343434343434 -The best way to specify a key ID is by using the fingerprint of -the key. This avoids any ambiguities in case that there are duplicated -key IDs (which are really rare for the long key IDs). - -@item =Heinrich Heine <heinrichh@@uni-duesseldorf.de> -Using an exact to match string. The equal sign indicates this. - -@item <heinrichh@@uni-duesseldorf.de> -Using the email address part which must match exactly. The left angle bracket -indicates this email address mode. - -@item @@heinrichh -Match within the <email.address> part of a user ID. The at sign -indicates this email address mode. - -@item Heine -@itemx *Heine -By case insensitive substring matching. This is the default mode but -applications may want to explicitly indicate this by putting the asterisk -in front. -@end table - -Note that you can append an exclamation mark (!) to key IDs or -fingerprints. This flag tells GnuPG to use the specified primary or -secondary key and not to try and calculate which primary or secondary -key to use. -@chapheading RETURN VALUE - -The program returns 0 if everything was fine, 1 if at least -a signature was bad, and other error codes for fatal errors. -@chapheading EXAMPLES - -@table @asis - -@item gpg -se -r @code{Bob} @code{file} -sign and encrypt for user Bob - -@item gpg --clearsign @code{file} -make a clear text signature - -@item gpg -sb @code{file} -make a detached signature - -@item gpg --list-keys @code{user_ID} -show keys - -@item gpg --fingerprint @code{user_ID} -show fingerprint - -@item gpg --verify @code{pgpfile} -@itemx gpg --verify @code{sigfile} -Verify the signature of the file but do not output the data. The -second form is used for detached signatures, where @code{sigfile} -is the detached signature (either ASCII armored or binary) and -are the signed data; if this is not given, the name of -the file holding the signed data is constructed by cutting off the -extension (".asc" or ".sig") of @code{sigfile} or by asking the -user for the filename. -@end table -@chapheading ENVIRONMENT - -@table @asis - -@item HOME -Used to locate the default home directory. - -@item GNUPGHOME -If set directory used instead of "~/.gnupg". - -@item GPG_AGENT_INFO -Used to locate the gpg-agent; only honored when ---use-agent is set. The value consists of 3 colon delimited fields: -The first is the path to the Unix Domain Socket, the second the PID of -the gpg-agent and the protocol version which should be set to 1. When -starting the gpg-agent as described in its documentation, this -variable is set to the correct value. The option --gpg-agent-info can -be used to override it. - -@item COLUMNS -@itemx LINES -Used to size some displays to the full size of the screen. -@end table -@chapheading FILES - -@table @asis - -@item ~/.gnupg/secring.gpg -The secret keyring - -@item ~/.gnupg/secring.gpg.lock -and the lock file - -@item ~/.gnupg/pubring.gpg -The public keyring - -@item ~/.gnupg/pubring.gpg.lock -and the lock file - -@item ~/.gnupg/trustdb.gpg -The trust database - -@item ~/.gnupg/trustdb.gpg.lock -and the lock file - -@item ~/.gnupg/random_seed -used to preserve the internal random pool - -@item ~/.gnupg/gpg.conf -Default configuration file - -@item ~/.gnupg/options -Old style configuration file; only used when gpg.conf -is not found - -@item /usr[/local]/share/gnupg/options.skel -Skeleton options file - -@item /usr[/local]/lib/gnupg/ -Default location for extensions -@end table -@chapheading WARNINGS - -Use a *good* password for your user account and a *good* passphrase -to protect your secret key. This passphrase is the weakest part of the -whole system. Programs to do dictionary attacks on your secret keyring -are very easy to write and so you should protect your "~/.gnupg/" -directory very well. - -Keep in mind that, if this program is used over a network (telnet), it -is *very* easy to spy out your passphrase! - -If you are going to verify detached signatures, make sure that the -program knows about it; either give both filenames on the command line -or use @samp{-} to specify stdin. -@chapheading INTEROPERABILITY WITH OTHER OPENPGP PROGRAMS - -GnuPG tries to be a very flexible implementation of the OpenPGP -standard. In particular, GnuPG implements many of the optional parts -of the standard, such as the SHA-512 hash, and the ZLIB and BZIP2 -compression algorithms. It is important to be aware that not all -OpenPGP programs implement these optional algorithms and that by -forcing their use via the --cipher-algo, --digest-algo, ---cert-digest-algo, or --compress-algo options in GnuPG, it is -possible to create a perfectly valid OpenPGP message, but one that -cannot be read by the intended recipient. - -There are dozens of variations of OpenPGP programs available, and each -supports a slightly different subset of these optional algorithms. -For example, until recently, no (unhacked) version of PGP supported -the BLOWFISH cipher algorithm. A message using BLOWFISH simply could -not be read by a PGP user. By default, GnuPG uses the standard -OpenPGP preferences system that will always do the right thing and -create messages that are usable by all recipients, regardless of which -OpenPGP program they use. Only override this safe default if you -really know what you are doing. - -If you absolutely must override the safe default, or if the -preferences on a given key are invalid for some reason, you are far -better off using the --pgp6, --pgp7, or --pgp8 options. These options -are safe as they do not force any particular algorithms in violation -of OpenPGP, but rather reduce the available algorithms to a "PGP-safe" -list. -@chapheading BUGS - -On many systems this program should be installed as setuid(root). This -is necessary to lock memory pages. Locking memory pages prevents the -operating system from writing memory pages (which may contain -passphrases or other sensitive material) to disk. If you get no -warning message about insecure memory your operating system supports -locking without being root. The program drops root privileges as soon -as locked memory is allocated. - -@bye diff --git a/doc/gpgv.sgml b/doc/gpgv.sgml deleted file mode 100644 index ee16d0e94..000000000 --- a/doc/gpgv.sgml +++ /dev/null @@ -1,225 +0,0 @@ -<!-- gpgv.sgml - the man page for GnuPG - Copyright (C) 2000, 2001 Free Software Foundation, Inc. - - This file is part of GnuPG. - - GnuPG is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or - (at your option) any later version. - - GnuPG is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA - 02110-1301, USA. ---> -<!-- This file should be processed by docbook-to-man to - create a manual page. This program has currently the bug - not to remove leading white space. So this source file does - not look very pretty - - FIXME: generated a file with entity (e.g. pathnames) from the - configure scripts and include it here ---> - - -<!DOCTYPE refentry PUBLIC "-//Davenport//DTD DocBook V3.0//EN" [ -<!entity ParmDir "<parameter>directory</parameter>"> -<!entity ParmFile "<parameter>file</parameter>"> -<!entity OptParmFile "<optional>&ParmFile;</optional>"> -<!entity ParmFiles "<parameter>files</parameter>"> -<!entity OptParmFiles "<optional>&ParmFiles;</optional>"> -<!entity ParmNames "<parameter>names</parameter>"> -<!entity OptParmNames "<optional>&ParmNames;</optional>"> -<!entity ParmName "<parameter>name</parameter>"> -<!entity OptParmName "<optional>&ParmName;</optional>"> -<!entity ParmKeyIDs "<parameter>key IDs</parameter>"> -<!entity ParmN "<parameter>n</parameter>"> -<!entity ParmFlags "<parameter>flags</parameter>"> -<!entity ParmString "<parameter>string</parameter>"> -<!entity ParmValue "<parameter>value</parameter>"> -<!entity ParmNameValue "<parameter>name=value</parameter>"> -]> - -<refentry id="gpgv"> -<refmeta> - <refentrytitle>gpgv</refentrytitle> - <manvolnum>1</manvolnum> - <refmiscinfo class="gnu">GNU Tools</refmiscinfo> -</refmeta> -<refnamediv> - <refname/gpgv/ - <refpurpose>signature verification tool</> -</refnamediv> -<refsynopsisdiv> - <synopsis> -<command>gpgv</command> - <optional><parameter/options/</optional> - <optional><parameter/signed files/</optional> - </synopsis> -</refsynopsisdiv> - -<refsect1> - <title>DESCRIPTION</title> - <para> -<command/gpgv/ is the OpenPGP signature checking tool. - </para> - <para> -This program is a stripped down version of <command/gpg/ which is able -only -to check signatures. It is somewhat smaller than the fully blown -<command/gpg/ and uses a different (and simpler) way to check that -the public keys used to make the signature are trustworthy. There are -no options files and only very few options are implemented. -</para> -<para> -<command/gpgv/ assumes that all keys in the keyring are trustworthy. -By default it uses a keyring named <filename/trustedkeys.gpg/ which is -assumed to be in the home directory as defined by GnuPG or set by an -option or an environment variable. An option may be used to specify -another keyring or even multiple keyrings. -</para> -</refsect1> - -<refsect1> -<title>OPTIONS</title> -<para> -<command/gpgv/ recognizes these options: -</para> - -<variablelist> - - -<varlistentry> -<term>-v, --verbose</term> -<listitem><para> -Gives more information during processing. If used -twice, the input data is listed in detail. -</para></listitem></varlistentry> - - -<varlistentry> -<term>-q, --quiet</term> -<listitem><para> -Try to be as quiet as possible. -</para></listitem></varlistentry> - - -<varlistentry> -<term>--keyring &ParmFile;</term> -<listitem><para> -Add &ParmFile to the list of keyrings. -If &ParmFile begins with a tilde and a slash, these -are replaced by the HOME directory. If the filename -does not contain a slash, it is assumed to be in the -home-directory ("~/.gnupg" if --homedir is not used). -The filename may be prefixed with a scheme:</para> -<para>"gnupg-ring:" is the default one.</para> -</listitem></varlistentry> - - -<varlistentry> -<term>--homedir &ParmDir;</term> -<listitem><para> -Set the name of the home directory to &ParmDir; If this -option is not used, it defaults to "~/.gnupg". It does -not make sense to use this in an options file. This -also overrides the environment variable "GNUPGHOME". -</para></listitem></varlistentry> - - -<varlistentry> -<term>--status-fd &ParmN;</term> -<listitem><para> -Write special status strings to the file descriptor &ParmN;. -See the file DETAILS in the documentation for a listing of them. -</para></listitem></varlistentry> - - -<varlistentry> -<term>--logger-fd &ParmN;</term> -<listitem><para> -Write log output to file descriptor &ParmN; and not to stderr. -</para></listitem></varlistentry> - - -<varlistentry> -<term>--ignore-time-conflict</term> -<listitem><para> -GnuPG normally checks that the timestamps associated with keys and -signatures have plausible values. However, sometimes a signature seems to -be older than the key due to clock problems. This option makes these -checks just warnings. -</para></listitem></varlistentry> - - -</variablelist> -</refsect1> - - -<refsect1> - <title>RETURN VALUE</title> - <para> -The program returns 0 if everything was fine, 1 if at least -one signature was bad, and other error codes for fatal errors. - </para> -</refsect1> - -<refsect1> - <title>EXAMPLES</title> - <variablelist> - -<varlistentry> -<term>gpgv <parameter/pgpfile/</term> -<term>gpgv <parameter/sigfile/ &OptParmFiles;</term> -<listitem><para> -Verify the signature of the file. The second form -is used for detached signatures, where <parameter/sigfile/ is the detached -signature (either ASCII armored or binary) and &OptParmFiles are the signed -data; if this is not given the name of the file holding the signed data is -constructed by cutting off the extension (".asc", ".sig" or ".sign") from -<parameter/sigfile/. -</para></listitem></varlistentry> - - </variablelist> -</refsect1> - - -<refsect1> - <title>ENVIRONMENT</title> - - <variablelist> -<varlistentry> -<term>HOME</term> -<listitem><para>Used to locate the default home directory.</para></listitem> -</varlistentry> -<varlistentry> -<term>GNUPGHOME</term> -<listitem><para>If set directory used instead of "~/.gnupg".</para></listitem> -</varlistentry> - - </variablelist> - -</refsect1> - -<refsect1> - <title>FILES</title> - <variablelist> - -<varlistentry> -<term>~/.gnupg/trustedkeys.gpg</term> -<listitem><para>The default keyring with the allowed keys</para></listitem> -</varlistentry> - - </variablelist> -</refsect1> - -<!-- SEE ALSO not yet needed--> - -</refentry> - diff --git a/doc/gpgv.texi b/doc/gpgv.texi deleted file mode 100644 index 2985a5dbb..000000000 --- a/doc/gpgv.texi +++ /dev/null @@ -1,114 +0,0 @@ -\input texinfo -@setfilename gpgv.info -@dircategory GnuPG -@direntry -* gpgv: (gpgv). GnuPG signature verification tool. -@end direntry - -@node Top, , , (dir) -@top gpgv -@chapheading Name - -gpgv --- signature verification tool -@chapheading Synopsis - -@example -gpgv - options - signed files - -@end example -@chapheading DESCRIPTION - -@code{gpgv} is the OpenPGP signature checking tool. - -This program is a stripped down version of @code{gpg} which is able -only -to check signatures. It is somewhat smaller than the fully blown -@code{gpg} and uses a different (and simpler) way to check that -the public keys used to make the signature are trustworthy. There are -no options files and only very few options are implemented. - -@code{gpgv} assumes that all keys in the keyring are trustworthy. -By default it uses a keyring named @file{trustedkeys.gpg} which is -assumed to be in the home directory as defined by GnuPG or set by an -option or an environment variable. An option may be used to specify -another keyring or even multiple keyrings. -@chapheading OPTIONS - -@code{gpgv} recognizes these options: - -@table @asis - -@item -v, --verbose -Gives more information during processing. If used -twice, the input data is listed in detail. - -@item -q, --quiet -Try to be as quiet as possible. - -@item --keyring @code{file} -Add @code{file} to the list of keyrings. -If @code{file} begins with a tilde and a slash, these -are replaced by the HOME directory. If the filename -does not contain a slash, it is assumed to be in the -home-directory ("~/.gnupg" if --homedir is not used). -The filename may be prefixed with a scheme: - -"gnupg-ring:" is the default one. - -@item --homedir @code{directory} -Set the name of the home directory to @code{directory} If this -option is not used, it defaults to "~/.gnupg". It does -not make sense to use this in an options file. This -also overrides the environment variable "GNUPGHOME". - -@item --status-fd @code{n} -Write special status strings to the file descriptor @code{n}. -See the file DETAILS in the documentation for a listing of them. - -@item --logger-fd @code{n} -Write log output to file descriptor @code{n} and not to stderr. - -@item --ignore-time-conflict -GnuPG normally checks that the timestamps associated with keys and -signatures have plausible values. However, sometimes a signature seems to -be older than the key due to clock problems. This option makes these -checks just warnings. -@end table -@chapheading RETURN VALUE - -The program returns 0 if everything was fine, 1 if at least -one signature was bad, and other error codes for fatal errors. -@chapheading EXAMPLES - -@table @asis - -@item gpgv @code{pgpfile} -@itemx gpgv @code{sigfile} -Verify the signature of the file. The second form -is used for detached signatures, where @code{sigfile} is the detached -signature (either ASCII armored or binary) and are the signed -data; if this is not given the name of the file holding the signed data is -constructed by cutting off the extension (".asc", ".sig" or ".sign") from -@code{sigfile}. -@end table -@chapheading ENVIRONMENT - -@table @asis - -@item HOME -Used to locate the default home directory. - -@item GNUPGHOME -If set directory used instead of "~/.gnupg". -@end table -@chapheading FILES - -@table @asis - -@item ~/.gnupg/trustedkeys.gpg -The default keyring with the allowed keys -@end table - -@bye diff --git a/doc/yat2m.c b/doc/yat2m.c new file mode 100644 index 000000000..e250db4d5 --- /dev/null +++ b/doc/yat2m.c @@ -0,0 +1,1325 @@ +/* yat2m.c - Yet Another Texi 2 Man converter + * Copyright (C) 2005 g10 Code GmbH + * Copyright (C) 2006 2006 Free Software Foundation, Inc. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + */ + +/* + This is a simple textinfo to man page converter. It needs some + special markup in th e texinfo and tries best to get a create man + page. It has been designed for the GnuPG man pages and thus only + a few texinfo commands are supported. + + To use this you need to add the following macros into your texinfo + source: + + @macro manpage {a} + @end macro + @macro mansect {a} + @end macro + @macro manpause + @end macro + @macro mancont + @end macro + + They are used by yat2m to select parts of the Texinfo which should + go into the man page. These macros need to be used without leading + left space. Processing starts after a "manpage" macro has been + seen. "mansect" identifies the section and yat2m make sure to + emit the sections in the proper order. Note that @mansect skips + the next input line if that line begins with @section, @subsection or + @chapheading. + + To insert verbatim troff markup, the follwing texinfo code may be + used: + + @ifset manverb + .B whateever you want + @end ifset + + alternativly a special comment may be used: + + @c man:.B whatever you want + + This is useful in case you need just one line. If you want to + include parts only in the man page but keep the texinfo + translation you may use: + + @ifset isman + stuff to be rendered only on man pages + @end ifset + + or to exclude stuff from man pages: + + @ifclear isman + stuff not to be rendered on man pages + @end ifclear + + the keyword @section is ignored, however @subsection gets rendered + as ".SS". @menu is completely skipped. Several man pages may be + extracted from one file, either using the --store or the --select + option. + + +*/ + +#include <stdio.h> +#include <stdlib.h> +#include <stddef.h> +#include <string.h> +#include <errno.h> +#include <stdarg.h> +#include <assert.h> +#include <ctype.h> +#include <time.h> + + +#define PGM "yat2m" +#define VERSION "0.5" + +/* The maximum length of a line including the linefeed and one extra + character. */ +#define LINESIZE 1024 + +/* Option flags. */ +static int verbose; +static int quiet; +static int debug; +static const char *opt_source; +static const char *opt_release; +static const char *opt_select; +static const char *opt_include; +static int opt_store; + +/* The only define we understand is -D gpgone. Thus we need a simple + boolean tro track it. */ +static int gpgone_defined; + +/* Flag to keep track whether any error occurred. */ +static int any_error; + + +/* Object to keep macro definitions. */ +struct macro_s +{ + struct macro_s *next; + char *value; /* Malloced value. */ + char name[1]; +}; +typedef struct macro_s *macro_t; + +/* List of all defined macros. */ +static macro_t macrolist; + + +/* Object to store one line of content. */ +struct line_buffer_s +{ + struct line_buffer_s *next; + int verbatim; /* True if LINE contains verbatim data. The default + is Texinfo source. */ + char *line; +}; +typedef struct line_buffer_s *line_buffer_t; + + +/* Object to collect the data of a section. */ +struct section_buffer_s +{ + char *name; /* Malloced name of the section. This may be + NULL to indicate this slot is not used. */ + line_buffer_t lines; /* Linked list with the lines of the section. */ + line_buffer_t *lines_tail; /* Helper for faster appending to the + linked list. */ + line_buffer_t last_line; /* Points to the last line appended. */ +}; +typedef struct section_buffer_s *section_buffer_t; + +/* Variable to keep info about the current page together. */ +static struct +{ + /* Filename of the current page or NULL if no page is active. Malloced. */ + char *name; + + /* Number of allocated elements in SECTIONS below. */ + size_t n_sections; + /* Array with the data of the sections. */ + section_buffer_t sections; + +} thepage; + + +/* The list of standard section names. COMMANDS and ASSUAN are GnuPG + specific. */ +static const char * const standard_sections[] = + { "NAME", "SYNOPSIS", "DESCRIPTION", + "RETURN VALUE", "EXIT STATUS", "ERROR HANDLING", "ERRORS", + "COMMANDS", "OPTIONS", "USAGE", "EXAMPLES", "FILES", + "ENVIRONMENT", "DIAGNOSTICS", "SECURITY", "CONFORMING TO", + "ASSUAN", "NOTES", "BUGS", "AUTHOR", "SEE ALSO", NULL }; + + +/*-- Local prototypes. --*/ +static void proc_texi_buffer (FILE *fp, const char *line, size_t len, + int *table_level, int *eol_action); + + + +/* Print diagnostic message and exit with failure. */ +static void +die (const char *format, ...) +{ + va_list arg_ptr; + + fflush (stdout); + fprintf (stderr, "%s: ", PGM); + + va_start (arg_ptr, format); + vfprintf (stderr, format, arg_ptr); + va_end (arg_ptr); + putc ('\n', stderr); + + exit (1); +} + + +/* Print diagnostic message. */ +static void +err (const char *format, ...) +{ + va_list arg_ptr; + + fflush (stdout); + if (strncmp (format, "%s:%d:", 6)) + fprintf (stderr, "%s: ", PGM); + + va_start (arg_ptr, format); + vfprintf (stderr, format, arg_ptr); + va_end (arg_ptr); + putc ('\n', stderr); + any_error = 1; +} + +/* Print diagnostic message. */ +static void +inf (const char *format, ...) +{ + va_list arg_ptr; + + fflush (stdout); + fprintf (stderr, "%s: ", PGM); + + va_start (arg_ptr, format); + vfprintf (stderr, format, arg_ptr); + va_end (arg_ptr); + putc ('\n', stderr); +} + + +static void * +xmalloc (size_t n) +{ + void *p = malloc (n); + if (!p) + die ("out of core: %s", strerror (errno)); + return p; +} + +static void * +xcalloc (size_t n, size_t m) +{ + void *p = calloc (n, m); + if (!p) + die ("out of core: %s", strerror (errno)); + return p; +} + +static void * +xrealloc (void *old, size_t n) +{ + void *p = realloc (old, n); + if (!p) + die ("out of core: %s", strerror (errno)); + return p; +} + +static char * +xstrdup (const char *string) +{ + void *p = malloc (strlen (string)+1); + if (!p) + die ("out of core: %s", strerror (errno)); + strcpy (p, string); + return p; +} + + +/* Uppercase the ascii characters in STRING. */ +static char * +ascii_strupr (char *string) +{ + char *p; + + for (p = string; *p; p++) + if (!(*p & 0x80)) + *p = toupper (*p); + return string; +} + + +/* Return the current date as an ISO string. */ +const char * +isodatestring (void) +{ + static char buffer[11+5]; + struct tm *tp; + time_t atime = time (NULL); + + if (atime < 0) + strcpy (buffer, "????" "-??" "-??"); + else + { + tp = gmtime (&atime); + sprintf (buffer,"%04d-%02d-%02d", + 1900+tp->tm_year, tp->tm_mon+1, tp->tm_mday ); + } + return buffer; +} + + + +/* Return a section buffer for the section NAME. Allocate a new buffer + if this is a new section. Keep track of the sections in THEPAGE. + This function may reallocate the section array in THEPAGE. */ +static section_buffer_t +get_section_buffer (const char *name) +{ + int i; + section_buffer_t sect; + + /* If there is no section we put everything into the required NAME + section. Given that this is the first one listed it is likely + that error are easily visible. */ + if (!name) + name = "NAME"; + + for (i=0; i < thepage.n_sections; i++) + { + sect = thepage.sections + i; + if (sect->name && !strcmp (name, sect->name)) + return sect; + } + for (i=0; i < thepage.n_sections; i++) + if (!thepage.sections[i].name) + break; + if (i < thepage.n_sections) + sect = thepage.sections + i; + else + { + /* We need to allocate or reallocate the section array. */ + size_t old_n = thepage.n_sections; + size_t new_n = 20; + + if (!old_n) + thepage.sections = xcalloc (new_n, sizeof *thepage.sections); + else + { + thepage.sections = xrealloc (thepage.sections, + ((old_n + new_n) + * sizeof *thepage.sections)); + memset (thepage.sections + old_n, 0, + new_n * sizeof *thepage.sections); + } + thepage.n_sections += new_n; + + /* Setup the tail pointers. */ + for (i=old_n; i < thepage.n_sections; i++) + { + sect = thepage.sections + i; + sect->lines_tail = §->lines; + } + sect = thepage.sections + old_n; + } + + /* Store the name. */ + assert (!sect->name); + sect->name = xstrdup (name); + return sect; +} + + + +/* Add the content of LINE to the section named SECTNAME. */ +static void +add_content (const char *sectname, char *line, int verbatim) +{ + section_buffer_t sect; + line_buffer_t lb; + + sect = get_section_buffer (sectname); + if (sect->last_line && !sect->last_line->verbatim == !verbatim) + { + /* Lets append that line to the last one. We do this to keep + all lines of the same kind (i.e.verbatim or not) together in + one large buffer. */ + size_t n1, n; + + lb = sect->last_line; + n1 = strlen (lb->line); + n = n1 + 1 + strlen (line) + 1; + lb->line = xrealloc (lb->line, n); + strcpy (lb->line+n1, "\n"); + strcpy (lb->line+n1+1, line); + } + else + { + lb = xcalloc (1, sizeof *lb); + lb->verbatim = verbatim; + lb->line = xstrdup (line); + sect->last_line = lb; + *sect->lines_tail = lb; + sect->lines_tail = &lb->next; + } +} + + +/* Prepare for a new man page using the filename NAME. */ +static void +start_page (char *name) +{ + if (verbose) + inf ("starting page `%s'", name); + assert (!thepage.name); + thepage.name = xstrdup (name); + thepage.n_sections = 0; +} + + +/* Write the .TH entry of the current page. Return -1 if there is a + problem with the page. */ +static int +write_th (FILE *fp) +{ + char *name, *p; + + name = ascii_strupr (xstrdup (thepage.name)); + p = strrchr (name, '.'); + if (!p || !p[1]) + { + err ("no section name in man page `%s'", thepage.name); + free (name); + return -1; + } + *p++ = 0; + fprintf (fp, ".TH %s %s %s \"%s\" \"%s\"\n", + name, p, isodatestring (), opt_release, opt_source); + return 0; +} + + +/* Process the texinfo command COMMAND (without the leading @) and + write output if needed to FP. REST is the remainer of the line + which should either point to an opening brace or to a white space. + The function returns the number of characters already processed + from REST. LEN is the usable length of REST. TABLE_LEVEL is used to + control the indentation of tables. */ +static size_t +proc_texi_cmd (FILE *fp, const char *command, const char *rest, size_t len, + int *table_level, int *eol_action) +{ + static struct { + const char *name; /* Name of the command. */ + int what; /* What to do with this command. */ + const char *lead_in; /* String to print with a opening brace. */ + const char *lead_out;/* String to print with the closing brace. */ + } cmdtbl[] = { + { "command", 0, "\\fB", "\\fR" }, + { "code", 0, "\\fB", "\\fR" }, + { "sc", 0, "\\fB", "\\fR" }, + { "var", 0, "\\fI", "\\fR" }, + { "samp", 0, "\n'", "'\n" }, + { "file", 0, "`\\fI","\\fR'" }, + { "env", 0, "`\\fI","\\fR'" }, + { "acronym", 0 }, + { "dfn", 0 }, + { "option", 0, "\\fB", "\\fR" }, + { "example", 1, ".RS 2\n.nf\n" }, + { "smallexample", 1, ".RS 2\n.nf\n" }, + { "asis", 7 }, + { "anchor", 7 }, + { "cartouche", 1 }, + { "xref", 0, "see: [", "]" }, + { "pxref", 0, "see: [", "]" }, + { "uref", 0, "(\\fB", "\\fR)" }, + { "footnote",0, " ([", "])" }, + { "emph", 0, "\\fI", "\\fR" }, + { "w", 1 }, + { "c", 5 }, + { "opindex", 1 }, + { "cpindex", 1 }, + { "cindex", 1 }, + { "noindent", 0 }, + { "section", 1 }, + { "chapter", 1 }, + { "subsection", 6, "\n.SS " }, + { "chapheading", 0}, + { "item", 2, ".TP\n.B " }, + { "itemx", 2, ".TP\n.B " }, + { "table", 3 }, + { "itemize", 3 }, + { "bullet", 0, "* " }, + { "end", 4 }, + { "quotation",1, ".RS\n\\fB" }, + { NULL } + }; + size_t n; + int i; + const char *s; + const char *lead_out = NULL; + int ignore_args = 0; + + for (i=0; cmdtbl[i].name && strcmp (cmdtbl[i].name, command); i++) + ; + if (cmdtbl[i].name) + { + s = cmdtbl[i].lead_in; + if (s) + fputs (s, fp); + lead_out = cmdtbl[i].lead_out; + switch (cmdtbl[i].what) + { + case 1: /* Throw away the entire line. */ + s = memchr (rest, '\n', len); + return s? (s-rest)+1 : len; + case 2: /* Handle @item. */ + break; + case 3: /* Handle table. */ + if (++(*table_level) > 1) + fputs (".RS\n", fp); + /* Now throw away the entire line. */ + s = memchr (rest, '\n', len); + return s? (s-rest)+1 : len; + break; + case 4: /* Handle end. */ + for (s=rest, n=len; n && (*s == ' ' || *s == '\t'); s++, n--) + ; + if (n >= 5 && !memcmp (s, "table", 5) + && (!n || s[5] == ' ' || s[5] == '\t' || s[5] == '\n')) + { + if ((*table_level)-- > 1) + fputs (".RE\n", fp); + } + else if (n >= 7 && !memcmp (s, "example", 7) + && (!n || s[7] == ' ' || s[7] == '\t' || s[7] == '\n')) + { + fputs (".fi\n.RE\n", fp); + } + else if (n >= 12 && !memcmp (s, "smallexample", 12) + && (!n || s[12] == ' ' || s[12] == '\t' || s[12] == '\n')) + { + fputs (".fi\n.RE\n", fp); + } + else if (n >= 9 && !memcmp (s, "quotation", 9) + && (!n || s[9] == ' ' || s[9] == '\t' || s[9] == '\n')) + { + fputs ("\\fR\n.RE\n", fp); + } + /* Now throw away the entire line. */ + s = memchr (rest, '\n', len); + return s? (s-rest)+1 : len; + case 5: /* Handle special comments. */ + for (s=rest, n=len; n && (*s == ' ' || *s == '\t'); s++, n--) + ; + if (n >= 4 && !memcmp (s, "man:", 4)) + { + for (s+=4, n-=4; n && *s != '\n'; n--, s++) + putc (*s, fp); + putc ('\n', fp); + } + /* Now throw away the entire line. */ + s = memchr (rest, '\n', len); + return s? (s-rest)+1 : len; + case 6: + *eol_action = 1; + break; + case 7: + ignore_args = 1; + break; + default: + break; + } + } + else + { + macro_t m; + + for (m = macrolist; m ; m = m->next) + if (!strcmp (m->name, command)) + break; + if (m) + { + proc_texi_buffer (fp, m->value, strlen (m->value), + table_level, eol_action); + ignore_args = 1; /* Parameterized macros are not yet supported. */ + } + else + inf ("texinfo command `%s' not supported (%.*s)", command, + ((s = memchr (rest, '\n', len)), (s? (s-rest) : len)), rest); + } + + if (*rest == '{') + { + /* Find matching closing brace. */ + for (s=rest+1, n=1, i=1; i && *s && n < len; s++, n++) + if (*s == '{') + i++; + else if (*s == '}') + i--; + if (i) + { + err ("closing brace for command `%s' not found", command); + return len; + } + if (n > 2 && !ignore_args) + proc_texi_buffer (fp, rest+1, n-2, table_level, eol_action); + } + else + n = 0; + + if (lead_out) + fputs (lead_out, fp); + + return n; +} + + + +/* Process the string LINE with LEN bytes of Texinfo content. */ +static void +proc_texi_buffer (FILE *fp, const char *line, size_t len, + int *table_level, int *eol_action) +{ + const char *s; + char cmdbuf[256]; + int cmdidx = 0; + int in_cmd = 0; + size_t n; + + for (s=line; *s && len; s++, len--) + { + if (in_cmd) + { + if (in_cmd == 1) + { + switch (*s) + { + case '@': case '{': case '}': + putc (*s, fp); in_cmd = 0; + break; + case ':': /* Not ending a sentence flag. */ + in_cmd = 0; + break; + case '.': case '!': case '?': /* Ending a sentence. */ + putc (*s, fp); in_cmd = 0; + break; + case ' ': case '\t': case '\n': /* Non collapsing spaces. */ + putc (*s, fp); in_cmd = 0; + break; + default: + cmdidx = 0; + cmdbuf[cmdidx++] = *s; + in_cmd++; + break; + } + } + else if (*s == '{' || *s == ' ' || *s == '\t' || *s == '\n') + { + cmdbuf[cmdidx] = 0; + n = proc_texi_cmd (fp, cmdbuf, s, len, table_level, eol_action); + assert (n <= len); + s += n; len -= n; + s--; len++; + in_cmd = 0; + } + else if (cmdidx < sizeof cmdbuf -1) + cmdbuf[cmdidx++] = *s; + else + { + err ("texinfo command too long - ignored"); + in_cmd = 0; + } + } + else if (*s == '@') + in_cmd = 1; + else if (*s == '\n') + { + switch (*eol_action) + { + case 1: /* Create a dummy paragraph. */ + fputs ("\n\\ \n", fp); + break; + default: + putc (*s, fp); + } + *eol_action = 0; + } + else + putc (*s, fp); + } + + if (in_cmd > 1) + { + cmdbuf[cmdidx] = 0; + n = proc_texi_cmd (fp, cmdbuf, s, len, table_level, eol_action); + assert (n <= len); + s += n; len -= n; + s--; len++; + in_cmd = 0; + } +} + + +/* Do something with the Texinfo line LINE. */ +static void +parse_texi_line (FILE *fp, const char *line, int *table_level) +{ + int eol_action = 0; + + /* A quick test whether there are any texinfo commands. */ + if (!strchr (line, '@')) + { + fputs (line, fp); + putc ('\n', fp); + return; + } + proc_texi_buffer (fp, line, strlen (line), table_level, &eol_action); + putc ('\n', fp); +} + + +/* Write all the lines LINES to FP. */ +static void +write_content (FILE *fp, line_buffer_t lines) +{ + line_buffer_t line; + int table_level = 0; + + for (line = lines; line; line = line->next) + { + if (line->verbatim) + { + fputs (line->line, fp); + putc ('\n', fp); + } + else + { +/* fputs ("TEXI---", fp); */ +/* fputs (line->line, fp); */ +/* fputs ("---\n", fp); */ + parse_texi_line (fp, line->line, &table_level); + } + } +} + + + +static int +is_standard_section (const char *name) +{ + int i; + const char *s; + + for (i=0; (s=standard_sections[i]); i++) + if (!strcmp (s, name)) + return 1; + return 0; +} + + +/* Finish a page; that is sort the data and write it out to the file. */ +static void +finish_page (void) +{ + FILE *fp; + section_buffer_t sect; + int idx; + const char *s; + int i; + + if (!thepage.name) + return; /* No page active. */ + + if (verbose) + inf ("finishing page `%s'", thepage.name); + + if (opt_select) + { + if (!strcmp (opt_select, thepage.name)) + { + inf ("selected `%s'", thepage.name ); + fp = stdout; + } + else + { + fp = fopen ( "/dev/null", "w" ); + if (!fp) + die ("failed to open /dev/null: %s\n", strerror (errno)); + } + } + else if (opt_store) + { + inf ("writing `%s'", thepage.name ); + fp = fopen ( thepage.name, "w" ); + if (!fp) + die ("failed to create `%s': %s\n", thepage.name, strerror (errno)); + } + else + fp = stdout; + + if (write_th (fp)) + goto leave; + + for (idx=0; (s=standard_sections[idx]); idx++) + { + for (i=0; i < thepage.n_sections; i++) + { + sect = thepage.sections + i; + if (sect->name && !strcmp (s, sect->name)) + break; + } + if (i == thepage.n_sections) + sect = NULL; + + if (sect) + { + fprintf (fp, ".SH %s\n", sect->name); + write_content (fp, sect->lines); + /* Now continue with all non standard sections directly + following this one. */ + for (i++; i < thepage.n_sections; i++) + { + sect = thepage.sections + i; + if (sect->name && is_standard_section (sect->name)) + break; + if (sect->name) + { + fprintf (fp, ".SH %s\n", sect->name); + write_content (fp, sect->lines); + } + } + + } + } + + + leave: + if (fp != stdout) + fclose (fp); + free (thepage.name); + thepage.name = NULL; + /* FIXME: Cleanup the content. */ +} + + + + +/* Parse one Texinfo file and create manpages according to the + embedded instructions. */ +static void +parse_file (const char *fname, FILE *fp, char **section_name, int in_pause) +{ + char *line; + int lnr = 0; + /* Fixme: The follwing state variables don't carry over to include + files. */ + int in_verbatim = 0; + int skip_to_end = 0; /* Used to skip over menu entries. */ + int skip_sect_line = 0; /* Skip after @mansect. */ + int ifset_nesting = 0; /* How often a ifset has been seen. */ + int ifclear_nesting = 0; /* How often a ifclear has been seen. */ + int in_gpgone = 0; /* Keep track of "@ifset gpgone" parts. */ + int not_in_gpgone = 0; /* Keep track of "@ifclear gpgone" parts. */ + int not_in_man = 0; /* Keep track of "@ifclear isman" parts. */ + + /* Helper to define a macro. */ + char *macroname = NULL; + char *macrovalue = NULL; + size_t macrovaluesize = 0; + size_t macrovalueused = 0; + + line = xmalloc (LINESIZE); + while (fgets (line, LINESIZE, fp)) + { + size_t n = strlen (line); + int got_line = 0; + char *p; + + lnr++; + if (!n || line[n-1] != '\n') + { + err ("%s:%d: trailing linefeed missing, line too long or " + "embedded Nul character", fname, lnr); + break; + } + line[--n] = 0; + + if (*line == '@') + { + for (p=line+1, n=1; *p && *p != ' ' && *p != '\t'; p++) + n++; + while (*p == ' ' || *p == '\t') + p++; + } + else + p = line; + + /* Take action on macro. */ + if (macroname) + { + if (n == 4 && !memcmp (line, "@end", 4) + && (line[4]==' '||line[4]=='\t'||!line[4]) + && !strncmp (p, "macro", 5) + && (p[5]==' '||p[5]=='\t'||!p[5])) + { + macro_t m; + + if (macrovalueused) + macrovalue[--macrovalueused] = 0; /* Kill the last LF. */ + macrovalue[macrovalueused] = 0; /* Terminate macro. */ + macrovalue = xrealloc (macrovalue, macrovalueused+1); + + for (m= macrolist; m; m = m->next) + if (!strcmp (m->name, macroname)) + break; + if (m) + free (m->value); + else + { + m = xcalloc (1, sizeof *m + strlen (macroname)); + strcpy (m->name, macroname); + m->next = macrolist; + macrolist = m; + } + m->value = macrovalue; + macrovalue = NULL; + free (macroname); + macroname = NULL; + } + else + { + if (macrovalueused + strlen (line) + 2 >= macrovaluesize) + { + macrovaluesize += strlen (line) + 256; + macrovalue = xrealloc (macrovalue, macrovaluesize); + } + strcpy (macrovalue+macrovalueused, line); + macrovalueused += strlen (line); + macrovalue[macrovalueused++] = '\n'; + } + continue; + } + + + if (n >= 5 && !memcmp (line, "@node", 5) + && (line[5]==' '||line[5]=='\t'||!line[5])) + { + /* Completey ignore @node lines. */ + continue; + } + + + if (skip_sect_line) + { + skip_sect_line = 0; + if (!strncmp (line, "@section", 8) + || !strncmp (line, "@subsection", 11) + || !strncmp (line, "@chapheading", 12)) + continue; + } + + /* We only parse lines we need and ignore the rest. There are a + few macros used to control this as well as one @ifset + command. Parts we know about are saved away into containers + separate for each section. */ + + /* First process ifset/ifclear commands. */ + if (*line == '@') + { + if (n == 6 && !memcmp (line, "@ifset", 6) + && (line[6]==' '||line[6]=='\t')) + { + ifset_nesting++; + + if (!strncmp (p, "manverb", 7) && (p[7]==' '||p[7]=='\t'||!p[7])) + { + if (in_verbatim) + err ("%s:%d: nested \"@ifset manverb\"", fname, lnr); + else + in_verbatim = ifset_nesting; + } + else if (!strncmp (p, "gpgone", 6) + && (p[6]==' '||p[6]=='\t'||!p[6])) + { + if (in_gpgone) + err ("%s:%d: nested \"@ifset gpgone\"", fname, lnr); + else + in_gpgone = ifset_nesting; + } + continue; + } + else if (n == 4 && !memcmp (line, "@end", 4) + && (line[4]==' '||line[4]=='\t') + && !strncmp (p, "ifset", 5) + && (p[5]==' '||p[5]=='\t'||!p[5])) + { + if (in_verbatim && ifset_nesting == in_verbatim) + in_verbatim = 0; + if (in_gpgone && ifset_nesting == in_gpgone) + in_gpgone = 0; + + if (ifset_nesting) + ifset_nesting--; + else + err ("%s:%d: unbalanced \"@end ifset\"", fname, lnr); + continue; + } + else if (n == 8 && !memcmp (line, "@ifclear", 8) + && (line[8]==' '||line[8]=='\t')) + { + ifclear_nesting++; + + if (!strncmp (p, "gpgone", 6) + && (p[6]==' '||p[6]=='\t'||!p[6])) + { + if (not_in_gpgone) + err ("%s:%d: nested \"@ifclear gpgone\"", fname, lnr); + else + not_in_gpgone = ifclear_nesting; + } + + else if (!strncmp (p, "isman", 5) + && (p[5]==' '||p[5]=='\t'||!p[5])) + { + if (not_in_man) + err ("%s:%d: nested \"@ifclear isman\"", fname, lnr); + else + not_in_man = ifclear_nesting; + } + + continue; + } + else if (n == 4 && !memcmp (line, "@end", 4) + && (line[4]==' '||line[4]=='\t') + && !strncmp (p, "ifclear", 7) + && (p[7]==' '||p[7]=='\t'||!p[7])) + { + if (not_in_gpgone && ifclear_nesting == not_in_gpgone) + not_in_gpgone = 0; + if (not_in_man && ifclear_nesting == not_in_man) + not_in_man = 0; + + if (ifclear_nesting) + ifclear_nesting--; + else + err ("%s:%d: unbalanced \"@end ifclear\"", fname, lnr); + continue; + } + } + + /* Take action on ifset/ifclear. */ + if ( (in_gpgone && !gpgone_defined) + || (not_in_gpgone && gpgone_defined) + || not_in_man) + continue; + + /* Process commands. */ + if (*line == '@') + { + if (skip_to_end + && n == 4 && !memcmp (line, "@end", 4) + && (line[4]==' '||line[4]=='\t'||!line[4])) + { + skip_to_end = 0; + } + else if (in_verbatim) + { + got_line = 1; + } + else if (n == 6 && !memcmp (line, "@macro", 6)) + { + macroname = xstrdup (p); + macrovalue = xmalloc ((macrovaluesize = 1024)); + macrovalueused = 0; + } + else if (n == 8 && !memcmp (line, "@manpage", 8)) + { + free (*section_name); + *section_name = NULL; + finish_page (); + start_page (p); + in_pause = 0; + } + else if (n == 8 && !memcmp (line, "@mansect", 8)) + { + if (!thepage.name) + err ("%s:%d: section outside of a man page", fname, lnr); + else + { + free (*section_name); + *section_name = ascii_strupr (xstrdup (p)); + in_pause = 0; + skip_sect_line = 1; + } + } + else if (n == 9 && !memcmp (line, "@manpause", 9)) + { + if (!*section_name) + err ("%s:%d: pausing outside of a man section", fname, lnr); + else if (in_pause) + err ("%s:%d: already pausing", fname, lnr); + else + in_pause = 1; + } + else if (n == 8 && !memcmp (line, "@mancont", 8)) + { + if (!*section_name) + err ("%s:%d: continue outside of a man section", fname, lnr); + else if (!in_pause) + err ("%s:%d: continue while not pausing", fname, lnr); + else + in_pause = 0; + } + else if (n == 5 && !memcmp (line, "@menu", 5) + && (line[5]==' '||line[5]=='\t'||!line[5])) + { + skip_to_end = 1; + } + else if (n == 8 && !memcmp (line, "@include", 8) + && (line[8]==' '||line[8]=='\t'||!line[8])) + { + char *incname = xstrdup (p); + FILE *incfp = fopen (incname, "r"); + + if (!incfp && opt_include && *opt_include && *p != '/') + { + free (incname); + incname = xmalloc (strlen (opt_include) + 1 + + strlen (p) + 1); + strcpy (incname, opt_include); + if ( incname[strlen (incname)-1] != '/' ) + strcat (incname, "/"); + strcat (incname, p); + incfp = fopen (incname, "r"); + } + + if (!incfp) + err ("can't open include file `%s':%s", + incname, strerror (errno)); + else + { + parse_file (incname, incfp, section_name, in_pause); + fclose (incfp); + } + free (incname); + } + else if (n == 4 && !memcmp (line, "@bye", 4) + && (line[4]==' '||line[4]=='\t'||!line[4])) + { + break; + } + else if (!skip_to_end) + got_line = 1; + } + else if (!skip_to_end) + got_line = 1; + + if (got_line && in_verbatim) + add_content (*section_name, line, 1); + else if (got_line && thepage.name && *section_name && !in_pause) + add_content (*section_name, line, 0); + + } + if (ferror (fp)) + err ("%s:%d: read error: %s", fname, lnr, strerror (errno)); + free (macroname); + free (macrovalue); + free (line); +} + + +static void +top_parse_file (const char *fname, FILE *fp) +{ + char *section_name = NULL; /* Name of the current section or NULL + if not in a section. */ + while (macrolist) + { + macro_t m = macrolist->next; + free (m->value); + free (m); + macrolist = m; + } + + parse_file (fname, fp, §ion_name, 0); + free (section_name); + finish_page (); +} + + +int +main (int argc, char **argv) +{ + int last_argc = -1; + + opt_source = "GNU"; + opt_release = ""; + + if (argc) + { + argc--; argv++; + } + while (argc && last_argc != argc ) + { + last_argc = argc; + if (!strcmp (*argv, "--")) + { + argc--; argv++; + break; + } + else if (!strcmp (*argv, "--help")) + { + puts ( + "Usage: " PGM " [OPTION] [FILE]\n" + "Extract man pages from a Texinfo source.\n\n" + " --source NAME use NAME as source field\n" + " --release STRING use STRING as the release field\n" + " --store write output using @manpage name\n" + " --select NAME only output pages with @manpage NAME\n" + " --verbose enable extra informational output\n" + " --debug enable additional debug output\n" + " --help display this help and exit\n" + " -I DIR also search in include DIR\n" + " -D gpgone the only useable define\n\n" + "With no FILE, or when FILE is -, read standard input.\n\n" + "Report bugs to <[email protected]>."); + exit (0); + } + else if (!strcmp (*argv, "--version")) + { + puts (PGM " " VERSION "\n" + "Copyright (C) 2005 g10 Code GmbH\n" + "This program comes with ABSOLUTELY NO WARRANTY.\n" + "This is free software, and you are welcome to redistribute it\n" + "under certain conditions. See the file COPYING for details."); + exit (0); + } + else if (!strcmp (*argv, "--verbose")) + { + verbose = 1; + argc--; argv++; + } + else if (!strcmp (*argv, "--quiet")) + { + quiet = 1; + argc--; argv++; + } + else if (!strcmp (*argv, "--debug")) + { + verbose = debug = 1; + argc--; argv++; + } + else if (!strcmp (*argv, "--source")) + { + argc--; argv++; + if (argc) + { + opt_source = *argv; + argc--; argv++; + } + } + else if (!strcmp (*argv, "--release")) + { + argc--; argv++; + if (argc) + { + opt_release = *argv; + argc--; argv++; + } + } + else if (!strcmp (*argv, "--store")) + { + opt_store = 1; + argc--; argv++; + } + else if (!strcmp (*argv, "--select")) + { + argc--; argv++; + if (argc) + { + opt_select = strrchr (*argv, '/'); + if (opt_select) + opt_select++; + else + opt_select = *argv; + argc--; argv++; + } + } + else if (!strcmp (*argv, "-I")) + { + argc--; argv++; + if (argc) + { + opt_include = *argv; + argc--; argv++; + } + } + else if (!strcmp (*argv, "-D")) + { + argc--; argv++; + if (argc) + { + if (!strcmp (*argv, "gpgone")) + gpgone_defined = 1; + argc--; argv++; + } + } + } + + if (argc > 1) + die ("usage: " PGM " [OPTION] [FILE] (try --help for more information)\n"); + + /* Start processing. */ + if (argc && strcmp (*argv, "-")) + { + FILE *fp = fopen (*argv, "rb"); + if (!fp) + die ("%s:0: can't open file: %s", *argv, strerror (errno)); + top_parse_file (*argv, fp); + fclose (fp); + } + else + top_parse_file ("-", stdin); + + return !!any_error; +} + + +/* +Local Variables: +compile-command: "gcc -Wall -g -Wall -o yat2m yat2m.c" +End: +*/ |