From 1423b4239b7ba81011e945d6eef5b9840f1de01c Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Wed, 16 Jun 1999 18:25:37 +0000 Subject: See ChangeLog: Wed Jun 16 20:16:21 CEST 1999 Werner Koch --- doc/Makefile.am | 18 +- doc/gpg.1pod | 631 ----------------------------- doc/gpg.sgml | 1214 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 1222 insertions(+), 641 deletions(-) delete mode 100644 doc/gpg.1pod create mode 100644 doc/gpg.sgml (limited to 'doc') diff --git a/doc/Makefile.am b/doc/Makefile.am index 460a63dbb..26f83e32b 100644 --- a/doc/Makefile.am +++ b/doc/Makefile.am @@ -1,25 +1,23 @@ ## Process this file with automake to create Makefile.in -EXTRA_DIST = DETAILS gpg.1pod gpg.1 FAQ HACKING OpenPGP +EXTRA_DIST = DETAILS gpg.sgml gpg.1 FAQ HACKING OpenPGP man_MANS = gpg.1 - -%: %pod - pod2man $< --section=`echo $@ | sed 's/^.*(?)$$/$$&/'`\ - --release="`date -r $< '+%d %b %Y'`"\ - --center="GNU Tools" --date=' '\ - >$@,$$$$ && mv -f $@,$$$$ $@\ - || rm -f $@,$$$$ - +%.1 : %.sgml +if HAVE_DOCBOOK_TO_MAN + docbook-to-man $< >$@ +else + : Warning: missing docbook-to-man, cannot make $@ +endif %.txt : %.sgml sgml2txt -c latin $* %.html : %.sgml - sgml2html -l deutsch -c latin $* + sgml2html -c latin $* %.dvi : %.sgml -rm $*.sgml.tmp diff --git a/doc/gpg.1pod b/doc/gpg.1pod deleted file mode 100644 index dc9a2e73e..000000000 --- a/doc/gpg.1pod +++ /dev/null 
@@ -1,631 +0,0 @@ -=head1 NAME - -gpg - GNU Privacy Guard - -=head1 SYNOPSIS - -B [--homedir name] [--options file] [options] command [args] - -=head1 DESCRIPTION - -B is the main program for the GnuPG system. - -=head1 COMMANDS - -B recognizes these commands: - -B<-s>, B<--sign> - Make a signature. This option may be combined - with B<--encrypt>. - -B<--clearsign> - Make a clear text signature. - -B<-b>, B<--detach-sign> - Make a detached signature. - -B<-e>, B<--encrypt> - Encrypt data. This option may be combined with B<--sign>. - -B<-c>, B<--symmetric> - Encrypt with symmetric cipher only - This command asks for a passphrase. - -B<--store> - Store only (make a simple RFC1991 packet). - -B<--decrypt> [I] - Decrypt file (or stdin if no file is specified) and - write it to stdout (or the file specified with - B<--output>). If the decrypted file is signed, the - signature is also verified. This command differs - from the default operation, as it never writes to the - filename which is included in the file and it - rejects files which don't begin with an encrypted - message. - -B<--verify> [[I] {I}] - Assume that I is a signature and verify it - without generating any output. With no arguments, - the signature packet is read from stdin (it may be a - detached signature when not used in batch mode). If - only a sigfile is given, it may be a complete - signature or a detached signature, in which case - the signed stuff is expected in a file without the - I<.sig> or I<.asc> extension (if such a file does - not exist it is expected at stdin - use B<-> as - filename to force a read from stdin). With more than - 1 argument, the first should be a detached signature - and the remaining files are the signed stuff. - -B<-k> [I] [I] - Kludge to be somewhat compatible with PGP. - Without arguments, all public keyrings are listed. - With one argument, only I is listed. - Special combinations are also allowed, but they may - give strange results when combined with more options. 
- B<-kv> Same as B<-k> - B<-kvv> List the signatures with every key. - B<-kvvv> Additionally check all signatures. - B<-kvc> List fingerprints - B<-kvvc> List fingerprints and signatures - - B - -B<--list-keys> [I] -B<--list-public-keys> [I] - List all keys from the public keyrings, or just the - ones given on the command line. - -B<--list-secret-keys> [I] - List all keys from the secret keyrings, or just the - ones given on the command line. - -B<--list-sigs> [I] - Same as B<--list-keys>, but the signatures are listed - too. - -B<--check-sigs> [I] - Same as B<--list-sigs>, but the signatures are verified. - -B<--fingerprint> [I] - List all keys with their fingerprints. This is the - same output as B but with the additional output - of a line with the fingerprint. May also be combined - with B<--list-sigs> or B<--check-sigs>. - If this command is given twice, the fingerprints of all - secondary keys are listed too. - -B<--list-packets> - List only the sequence of packets. This is mainly - useful for debugging. - -B<--gen-key> - Generate a new key pair. This command can only be - used interactive. - - -B<--edit-key> I - Present a menu which enables you to do all key - related tasks: - B - Make a signature on key of user I. - If the key is not yet signed by the default - user (or the users given with B<-u>), the - program displays the information of the key - again, together with its fingerprint and - asks whether it should be signed. This - question is repeated for all users specified - with B<-u>. - B - Same as B but the signature is marked as - non-exportbale and will therefore never be used - by others. This may be used to make keys valid - only in the local environment. - B - Revoke a signature. GnuPG asks for every - every signature which has been done by one of - teh secret keys, whether a revocation - certificate should be generated. - B - Change the owner trust value. This updates the - trust-db immediately and no save is required. 
- B - Create an alternate user id. - B - Delete an user id. - B - Add a subkey to this key. - B - Remove a subkey. - B - Revoke a subkey. - B - Change the key expiration time. If a key is - selected, the time of this key will be changed. - With no selection the key expiration of the - primary key is changed. - B - Change the passphrase of the secret key. - B I - Toggle selection of user id with index I. - Use 0 to deselect all. - B I - Toggle selection of subkey with index I. - Use 0 to deselect all. - B - Check all selected user ids. - B - List preferences. - B - Toggle between public and secret key listing. - B - Save all changes to the key rings and quit. - B - Quit the program without updating the - key rings. - The listing shows you the key with its secondary - keys and all user ids. Selected keys or user ids - are indicated by an asterisk. The trust value is - displayed with the primary key: the first is the - assigned owner trust and the second is the calculated - trust value. Letters are used for the values: - B<-> No ownertrust assigned / not yet calculated. - B Trust calculation has failed. - B Not enough information for calculation. - B Never trust this key. - B Marginally trusted. - B Fully trusted. - B Ultimately trusted - - -B<--delete-key> - Remove key from the public keyring - -B<--delete-secret-key> - Remove key from the secret and public keyring - -B<--gen-revoke> - Generate a revocation certificate. - -B<--export> [I] - Either export all keys from all keyrings (default - keyrings and those registered via option B<--keyring>), - or if at least one name is given, those of the given - name. The new keyring is written to F or to - the file given with option "output". Use together - with B<-a> to mail those keys. - -B<--send-keys> [I] - Same as B<--export> but sends the keys to a keyserver. - Option B<--keyserver> must be used to give the name - of this keyserver. 
Don't send your complete keyring - to a keyserver - select only those keys which are new - or changed by you. - -B<--export-all> [I] - Same as B<--export> but does also export keys which - are not compatible to OpenPGP. - -B<--export-secret-keys> [I] - Same as B<--export>, but does export the secret keys. - This is normally not very useful. - -B<--import>, B<--fast-import> - Import/merge keys. The fast version does not build - the trustdb; this can be done at any time with the - command B<--update-trustdb>. - -B<--recv-keys> I - Import the keys with the given key IDs from a HKP - keyserver. Option B<--keyserver> must be used to - give the name of this keyserver. - -B<--export-ownertrust> - List the assigned ownertrust values in ASCII format - for backup purposes - -B<--import-ownertrust> [I] - Update the trustdb with the ownertrust values stored - in I (or stdin if not given); existing - values will be overwritten. - -=head1 OPTIONS - -Long options can be put in an options file (default F<~/.gnupg/options>). -Do not write the 2 dashes, but simply the name of the option and any -required arguments. Lines with a hash as the first non-white-space -character are ignored. Commands may be put in this file too, but that -does not make sense. - -B recognizes these options: - - -B<-a>, B<--armor> - Create ASCII armored output. - -B<-o> I, B<--output> I - Write output to I. - -B<-u> I, B<--local-user> I - Use I as the user-id to sign. - This option is silently ignored for the list commands, - so that it can be used in an options file. - -B<--default-key> I - Use I as default user-id for signatures. If this - is not used the default user-id is the first user-id - from the secret keyring. - -B<-r> I, B<--recipient> I - Encrypt for user id I. If this option is not - specified, GnuPG asks for the user id. - -B<--encrypt-to> I - Same as B<--recipient> but this one is intended for - in the options file and may be used together with - an own user-id as an "encrypt-to-self". 
These keys - are only used when there are other recipients given - either by use of --recipient or by the asked user id. - No trust checking is performed for these user ids. - -B<--no-encrypt-to> - Disable the use of all B<--encrypt-to> keys. - -B<-v>, B<--verbose> - Give more information during processing. If used - twice, the input data is listed in detail. - -B<-q>, B<--quiet> - Be somewhat more quiet in some cases. - -B<-z> I - Set compress level to I. A value of 0 for I - disables compression. Default is to use the default - compression level of zlib (normally 6). - -B<-t>, B<--textmode> - Use canonical text mode. If B<-t> (but not - B<--textmode>) is used together with armoring - and signing, this enables clearsigned messages. - This kludge is needed for PGP compatibility; - normally you would use B<--sign> or B<--clearsign> - to selected the type of the signature. - -B<-n>, B<--dry-run> - Don't make any changes (not yet implemented). - -B<-i>, B<--interactive> - Prompt before overwriting any files. - -B<--batch> - Use batch mode. Never ask, do not allow interactive - commands. - -B<--no-batch> - Disable batch mode. This may be used if B - is used in the options file. - -B<--yes> - Assume "yes" on most questions. - -B<--no> - Assume "no" on most questions. - -B<--keyserver> I - Use I to lookup keys which are not yet in - your keyring. This is only done while verifying - messages with signatures. The option is also - required for the command B<--send-keys> to - specify the keyserver to where the keys should - be send. All keyservers synchronize with each - other - so there is no need to send keys to more - than one server. Using the command - "host -l pgp.net | grep wwwkeys" gives you a - list of keyservers. Because there is load - balancing using round-robin-dns you may notice - that you get different key servers. - -B<--keyring> I - Add I to the list of keyrings. - If I begins with a tilde and a slash, these - are replaced by the HOME directory. 
If the filename - does not contain a slash, it is assumed to be in the - home-directory (F<~/.gnupg> if B<--homedir>) is not used. - The filename may be prefixed with a scheme: - "gnupg-ring:" is the default one. - "gnupg-gdbm:" may be used for a GDBM ring. - It might make sense to use it together with - B<--no-default-keyring>. - -B<--secret-keyring> I - Same as B<--keyring> but for the secret keyrings. - -B<--homedir> I - Set the name of the home directory to I. If this - option is not used it defaults to F<~/.gnupg>. It does - not make sense to use this in a options file. This - also overrides the environment variable C. - -B<--charset> I - Set the name of the native character set. This is used - to convert some strings to proper UTF-8 encoding. - Valid values for I are: - B This is the default Latin 1 set. - B The Latin 2 set. - B The usual Russian set (rfc1489). - -B<--options> I - Read options from I and do not try to read - them from the default options file in the homedir - (see B<--homedir>). This option is ignored when used - in an options file. - -B<--no-options> - Shortcut for B<--options> I. This option is - detected before an attempt to open an option file. - -B<--load-extension> I - Load an extension module. If I does not - contain a slash it is searched in B - See the manual for more information about extensions. - -B<--debug> I - Set debugging flags. All flags are or-ed and I may - be given in C syntax (e.g. 0x0042). - -B<--debug-all> - Set all useful debugging flags. - -B<--status-fd> I - Write special status strings to the file descriptor I. - -B<--logger-fd> I - Write log output to file descriptor I and not to stderr. - -B<--no-comment> - Do not write comment packets. This option affects only - the generation of secret keys. Output of option packets - is disabled since version 0.4.2. - -B<--comment> I - Use I as comment string in clear text signatures. 
- -B<--default-comment> - Force to write the standard comment string in clear - text signatures. Use this to overwrite B<--comment> - from a config file. - -B<--no-version> - Omit the version string in clear text signatures. - -B<--emit-version> - Force to write the version string in clear text - signatures. Use this to overwrite a previous - B<--no-version> from a config file. - -B<--notation-data>, B<-N> I= - Put the name value pair into the signature as notation data. - I Must consists only of alphanumeric characters, digits - or the underscore; the first character muts not be a digit. - B May be any printable string; it will encoded in UTF8, - so sou should have check that your B<--charset> is set right. - If you prefix I with an exclamation mark, the notation - data will be flagged as critical. (rfc2440:5.2.3.15). - -B<--set-policy-url> I - Use I as Policy URL for signatures (rfc2440:5.2.3.19). - If you prefix it with an exclamation mark, the policy URL - packet will be flagged as critical. - -B<--set-filename> I - Use I as the name of file which is stored in - messages. - -B<--completes-needed> I - Number of completely trusted users to introduce a new - key signer (defaults to 1). - -B<--marginals-needed> I - Number of marginally trusted users to introduce a new - key signer (defaults to 3) - -B<--max-cert-depth> I - Maximum depth of a certification chain (default is 5). - -B<--cipher-algo> I - Use I as cipher algorithm. Running the program - with the command B<--version> yields a list of supported - algorithms. If this is not used the cipher algorithm is - selected from the preferences stored with the key. - -B<--digest-algo> I - Use I as message digest algorithm. Running the - program with the command B<--version> yields a list of - supported algorithms. Please note that using this - option may violate the OpenPGP requirement, that a - 160 bit hash is to be used for DSA. 
- -B<--s2k-cipher-algo> I - Use I as the cipher algorithm used to protect secret - keys. The default cipher is BLOWFISH. This cipher is - also used for conventional encryption if B<--cipher-algo> - is not given. - -B<--s2k-digest-algo> I - Use I as the digest algorithm used to mangle the - passphrases. The default algorithm is RIPE-MD-160. - This digest algorithm is also used for conventional - encryption if B<--digest-algo> is not given. - -B<--s2k-mode> I - Selects how passphrases are mangled. A number of I<0> - uses the plain passphrase (which is not recommended), - a I<1> (default) adds a salt to the passphrase and - I<3> iterates the whole process a couple of times. - Unless -B<--rfc1991> is used, this mode is also used - for conventional encryption. - -B<--compress-algo> I - Use compress algorithm I. Default is I<2> which is - RFC1950 compression. You may use I<1> to use the old zlib - version which is used by PGP. The default algorithm may - give better results because the window size is not limited - to 8K. If this is not used the OpenPGP behavior is used, - i.e. the compression algorithm is selected from the - preferences. - -B<--throw-keyid> - Do not put the keyid into encrypted packets. This option - hides the receiver of the message and is a countermeasure - against traffic analysis. It may slow down the decryption - process because all available secret keys are tried. - -B<--not-dash-escaped> - This option changes the behavior of cleartext signatures - so that they can be used for patch files. You should not - send such an armored file via email because all spaces - and line endings are hashed too. You can not use this - option for data which has 5 dashes at the beginning of a - line, patch files don't have this. A special armor header - line tells GnuPG about this cleartext signature option. 
- -B<--escape-from-lines> - Because some mailers change lines starting with "From " - to ">From " it is good to handle such lines in a special - way when creating cleartext signatures. All other PGP - versions do it this way too. This option is not enabled - by default because it would violate rfc2440. - -B<--passphrase-fd> I - Read the passphrase from file descriptor I. If you use - 0 for I, the passphrase will be read from stdin. This - can only be used if only one passphrase is supplied. - B - -B<--rfc1991> - Try to be more RFC1991 (PGP 2.x) compliant. - -B<--openpgp> - Reset all packet, cipher and digest options to OpenPGP - behavior. Use this option to reset all previous - options like B<--rfc1991>, B<--force-v3-sigs>, B<--s2k-*>, - B<--cipher-algo>, B<--digest-algo> and B<--compress-algo> to - OpenPGP compliant values. - -B<--force-v3-sigs> - OpenPGP states that an implementation should generate - v4 signatures but PGP 5.x recognizes v4 signatures only - on key material. This options forces v3 signatures for - signatures on data. - -B<--force-mdc> - Force the use of encryption with appended manipulation - code. This is always used with the newer cipher (those - with a blocksize greater than 64 bit). - -B<--lock-once> - Lock the file the first time a lock is requested - and do not release the lock until the process - terminates. - -B<--lock-multiple> - Release the locks every time a lock is no longer - needed. Use this to overwrite a previous B<--lock-once> - from a config file. - -B<--no-verbose> - Reset verbose level to 0. - -B<--no-greeting> - Suppress the initial copyright message but do not - enter batch mode. - -B<--no-armor> - Assume the input data is not in ASCII armored format. - -B<--no-default-keyring> - Do not add the default keyrings to the list of - keyrings. - -B<--skip-verify> - Skip the signature verification step. This may be - used to make the encryption faster if the signature - verification is not needed. 
- -B<--version> - Print version information along with a list - of supported algorithms. - -B<--with-colons> - Print key listings delimited by colons. - -B<--with-key-data> - Print key listings delimited by colons and print the public key data. - -B<--warranty> - Print warranty information. - -B<-h>, B<--help> - Print usage information. - - -=head1 RETURN VALUE - -The Program returns 0 if everything was fine, 1 if at least -a signature was bad, and other error codes for fatal errors. - -=head1 EXAMPLES - - -se -r Bob [file] sign and encrypt for user Bob - -sat [file] make a clear text signature - -sb [file] make a detached signature - -k [userid] show keys - -kc [userid] show fingerprint - -=head1 ENVIRONMENT - -C Used to locate the default home directory. -C If set directory used instead of F<~/.gnupg>. - -=head1 FILES - -F<~/.gnupg/secring.gpg> The secret keyring -F<~/.gnupg/secring.gpg.lock> and the lock file - -F<~/.gnupg/pubring.gpg> The public keyring -F<~/.gnupg/pubring.gpg.lock> and the lock file - -F<~/.gnupg/trustdb.gpg> The trust database -F<~/.gnupg/trustdb.gpg.lock> and the lock file - -F<~/.gnupg/options> May contain options -F Skeleton file - -F Default location for extensions - -=head1 SEE ALSO - -gpg(1) - - -=head1 WARNINGS - -Use a B password for your user account and a B passphrase -to protect your secret key. This passphrase is the weakest part of the -whole system. Programs to do dictionary attacks on your secret keyring -are very easy to write and so you should protect your B<~/.gnupg/> -directory very well. - -Keep in mind that, if this program is used over a network (telnet), it -is B easy to spy out your passphrase! - -=head1 BUGS - -On many systems this program should be installed as setuid(root). This -is necessary to lock memory pages. Locking memory pages prevents the -operating system from writing memory pages to disk. If you get no -warning message about insecure memory your operating system supports -locking without being root. 
The program drops root privileges as soon -as locked memory is allocated. - diff --git a/doc/gpg.sgml b/doc/gpg.sgml new file mode 100644 index 000000000..645063db5 --- /dev/null +++ b/doc/gpg.sgml 
@@ -0,0 +1,1214 @@ + + + + +directory"> +file"> +&ParmFile;"> +files"> +&ParmFiles;"> +names"> +&ParmNames;"> +name"> +&ParmName;"> +key IDs"> +n"> +flags"> +string"> +value"> +name=value"> +]> + + + + gpg + 1 + GNU Tools + + + encryption and signing tool + + + +gpg + --homedir + --options + + command + + + + + + DESCRIPTION + + + + + +COMMANDS + + + + + + +-s, --sign + +Make a signature. This command may be combined +with --encrypt. + + + + +--clearsign + +Make a clear text signature. + + + + +-b, --detach-sign + +Make a detached signature. + + + + +-e, --encrypt + +Encrypt data. This option may be combined with --sign. + + + + +-c, --symmetric + +Encrypt with symmetric cipher only +This command asks for a passphrase. + + + +--store + +Store only (make a simple RFC1991 packet). + + + + +--decrypt &OptParmFile; + +Decrypt &ParmFile; (or stdin if no file is specified) and +write it to stdout (or the file specified with +--output). If the decrypted file is signed, the +signature is also verified. This command differs +from the default operation, as it never writes to the +filename which is included in the file and it +rejects files which don't begin with an encrypted +message. + + + + +--verify + + +Assume that + + + + +--list-keys &OptParmNames; +--list-public-keys &OptParmNames; + +List all keys from the public keyrings, or just the +ones given on the command line. + + + + +--list-secret-keys &OptParmNames; + +List all keys from the secret keyrings, or just the +ones given on the command line. + + + + +--list-sigs &OptParmNames; + +Same as --list-keys, but the signatures are listed too. + + + + +--list-sigs &OptParmNames; + +Same as --list-sigs, but the signatures are verified. + + + + +--fingerprint &OptParmNames; + +List all keys with their fingerprints. This is the +same output as --list-keys but with the additional output +of a line with the fingerprint. May also be combined +with --list-sigs or --check-sigs. 
+If this command is given twice, the fingerprints of all +secondary keys are listed too. + + + + +--list-packets + +List only the sequence of packets. This is mainly +useful for debugging. + + + + +--gen-key + +Generate a new key pair. This command can only be +used interactive. + + + + +--edit-key &ParmName; + +Present a menu which enables you to do all key +related tasks: + + + + sign + +Make a signature on key of user &ParmName; +If the key is not yet signed by the default +user (or the users given with -u), the +program displays the information of the key +again, together with its fingerprint and +asks whether it should be signed. This +question is repeated for all users specified +with -u. + + lsign + +Same as --sign but the signature is marked as +non-exportbale and will therefore never be used +by others. This may be used to make keys valid +only in the local environment. + + revsig + +Revoke a signature. GnuPG asks for every +every signature which has been done by one of +the secret keys, whether a revocation +certificate should be generated. + + trust + +Change the owner trust value. This updates the +trust-db immediately and no save is required. + + adduid + +Create an alternate user id. + + deluid + +Delete an user id. + + addkey + +Add a subkey to this key. + + delkey + +Remove a subkey. + + revkey + +Revoke a subkey. + + expire + +Change the key expiration time. If a key is +selected, the time of this key will be changed. +With no selection the key expiration of the +primary key is changed. + + passwd + +Change the passphrase of the secret key. + + uid &ParmN; + +Toggle selection of user id with index &ParmN;. +Use 0 to deselect all. + + key &ParmN; + +Toggle selection of subkey with index &ParmN;. +Use 0 to deselect all. + + check + +Check all selected user ids. + + pref + +List preferences. + + toggle + +Toggle between public and secret key listing. + + save + +Save all changes to the key rings and quit. 
+ + quit + +Quit the program without updating the +key rings. + + +The listing shows you the key with its secondary +keys and all user ids. Selected keys or user ids +are indicated by an asterisk. The trust value is +displayed with the primary key: the first is the +assigned owner trust and the second is the calculated +trust value. Letters are used for the values: + + -No ownertrust assigned / not yet calculated. + eTrust calculation has failed. + qNot enough information for calculation. + nNever trust this key. + mMarginally trusted. + fFully trusted. + uUltimately trusted. + + + + + +--delete-key &ParmName; + +Remove key from the public keyring + + + +--delete-secret-key &ParmName; + +Remove key from the secret and public keyring + + + +--gen-revoke + +Generate a revocation certificate for the complete key. To revoke +a subkey or a signature, use the --edit command. + + + + +--export &OptParmNames; + +Either export all keys from all keyrings (default +keyrings and those registered via option --keyring), +or if at least one name is given, those of the given +name. The new keyring is written to stdout or to +the file given with option "output". Use together +with --armor to mail those keys. + + + + +--send-keys &OptParmNames; + +Same as --export but sends the keys to a keyserver. +Option --keyserver must be used to give the name +of this keyserver. Don't send your complete keyring +to a keyserver - select only those keys which are new +or changed by you. + + + + +--export-all &OptParmNames; + +Same as --export, but does also export keys which +are not compatible to OpenPGP. + + + + +--export-secret-keys &OptParmNames; + +Same as --export, but does export the secret keys. +This is normally not very useful and a security risk. + + + + +--import &OptParmFiles; +--fast-import &OptParmFiles; + +Import/merge keys. The fast version does not build +the trustdb; this can be done at any time with the +command --update-trustdb. 
+ + + + +--recv-keys &ParmKeyIDs; + +Import the keys with the given key IDs from a HKP +keyserver. Option --keyserver must be used to +give the name of this keyserver. + + + + +--export-ownertrust + +List the assigned ownertrust values in ASCII format +for backup purposes + + + + +--import-ownertrust &OptParmFiles; + +Update the trustdb with the ownertrust values stored +in &ParmFiles; (or stdin if not given); existing +values will be overwritten. + + + + +--version + +Print version information along with a list +of supported algorithms. + + + + +--warranty + +Print warranty information. + + + + +-h, --help + +Print usage information. This is a really long list even it does list +not all options. + + + + + + + + +OPTIONS + +Long options can be put in an options file (default "~/.gnupg/options"). +Do not write the 2 dashes, but simply the name of the option and any +required arguments. Lines with a hash as the first non-white-space +character are ignored. Commands may be put in this file too, but that +does not make sense. + + + + + + + + +-a, --armor + +Create ASCII armored output. + + + + +-o, --output &ParmFile; + +Write output to &ParmFile;. + + + + +-u, --local-user &ParmName; + +Use &ParmName as the user ID to sign. +This option is silently ignored for the list commands, +so that it can be used in an options file. + + + + +--default-key &ParmName; + +Use &ParmName; as default user ID for signatures. If this +is not used the default user ID is the first user ID +found in the secret keyring. + + + + +-r, --recipient &ParmName; + + +Encrypt for user id &ParmName;. If this option is not +specified, GnuPG asks for the user id. + + + + +--encrypt-to &ParmName; + +Same as --recipient but this one is intended for +in the options file and may be used together with +an own user-id as an "encrypt-to-self". These keys +are only used when there are other recipients given +either by use of --recipient or by the asked user id. 
+No trust checking is performed for these user ids. + + + + +--no-encrypt-to + +Disable the use of all --encrypt-to keys. + + + + +-v, --verbose + +Give more information during processing. If used +twice, the input data is listed in detail. + + + + +-q, --quiet + +Try to be as quiet as possible. + + + + +-z &ParmN; + +Set compression level to &ParmN;. A value of 0 for &ParmN; +disables compression. Default is to use the default +compression level of zlib (normally 6). + + + + +-t, --textmode + +Use canonical text mode. If -t (but not +--textmode) is used together with armoring +and signing, this enables clearsigned messages. +This kludge is needed for PGP compatibility; +normally you would use --sign or --clearsign +to selected the type of the signature. + + + + +-n, --dry-run + +Don't make any changes (this is not completely implemented). + + + + +-i, --interactive + +Prompt before overwriting any files. + + + + +--batch + +Use batch mode. Never ask, do not allow interactive +commands. + + + + +--no-batch + +Disable batch mode. This may be of use if --batch +is enabled from an options file. + + + + +--yes + +Assume "yes" on most questions. + + + + +--no + + Assume "no" on most questions. + + + + +--keyserver &ParmName; + +Use &ParmName to lookup keys which are not yet in +your keyring. This is only done while verifying +messages with signatures. The option is also +required for the command --send-keys to +specify the keyserver to where the keys should +be send. All keyservers synchronize with each +other - so there is no need to send keys to more +than one server. Using the command +"host -l pgp.net | grep wwwkeys" gives you a +list of keyservers. Because there is load +balancing using round-robin DNS you may notice +that you get different key servers. + + + + +--keyring &ParmFile; + +Add &ParmFile to the list of keyrings. +If &ParmFile begins with a tilde and a slash, these +are replaced by the HOME directory. 
If the filename +does not contain a slash, it is assumed to be in the +home-directory ("~/.gnupg" if --homedir is not used). +The filename may be prefixed with a scheme: +"gnupg-ring:" is the default one. +"gnupg-gdbm:" may be used for a GDBM ring. +It might make sense to use it together with --no-default-keyring. + + + + +--secret-keyring &ParmFile; + +Same as --keyring but for the secret keyrings. + + + + +--homedir &ParmDir; + +Set the name of the home directory to &ParmDir; If this +option is not used it defaults to "~/.gnupg". It does +not make sense to use this in a options file. This +also overrides the environment variable "GNUPGHOME". + + + + +--charset &ParmName; + +Set the name of the native character set. This is used +to convert some strings to proper UTF-8 encoding. +Valid values for &ParmName; are: + + +iso-8859-1This is the default Latin 1 set. + + +iso-8859-2The Latin 2 set. + + +koi8-rThe usual Russian set (rfc1489). + + + + + + +--options &ParmFile; + +Read options from &ParmFile; and do not try to read +them from the default options file in the homedir +(see --homedir). This option is ignored if used +in an options file. + + + + +--no-options + +Shortcut for "--options /dev/null". This option is +detected before an attempt to open an option file. + + + + +--load-extension &ParmName; + +Load an extension module. If &ParmName; does not +contain a slash it is searched in "/usr/local/lib/gnupg" +See the manual for more information about extensions. + + + + +--debug &ParmFlags; + +Set debugging flags. All flags are or-ed and &ParmFlags; may +be given in C syntax (e.g. 0x0042). + + + + +--debug-all + + Set all useful debugging flags. + + + + +--status-fd &ParmN; + +Write special status strings to the file descriptor &ParmN;. +See the file DETAILS in the documentation for a listing of them. + + + + +--logger-fd &ParmN; + +Write log output to file descriptor &ParmN; and not to stderr. + + + + +--no-comment + +Do not write comment packets. 
This option affects only +the generation of secret keys. Output of option packets +is disabled since version 0.4.2. + + + + +--comment &ParmString; + +Use &ParmString; as comment string in clear text signatures. + + + + +--default-comment + +Force to write the standard comment string in clear +text signatures. Use this to overwrite a --comment +from a config file. + + + + +--no-version + +Omit the version string in clear text signatures. + + + + +--emit-version + +Force to write the version string in clear text +signatures. Use this to overwrite a previous +--no-version from a config file. + + + + +-N, --notation-data &ParmNameValue; + +Put the name value pair into the signature as notation data. +&ParmName; must consists only of alphanumeric characters, digits +or the underscore; the first character must not be a digit. +&ParmValue; may be any printable string; it will encoded in UTF8, +so sou should have check that your --charset is set right. +If you prefix &ParmName; with an exclamation mark, the notation +data will be flagged as critical (rfc2440:5.2.3.15). + + + + +--set-policy-url &ParmString; + +Use &ParmString; as Policy URL for signatures (rfc2440:5.2.3.19). +If you prefix it with an exclamation mark, the policy URL +packet will be flagged as critical. + + + + +--set-filename &ParmString; + +Use &ParmString; as the name of file which is stored in +messages. + + + + +--completes-needed &ParmN; + +Number of completely trusted users to introduce a new +key signer (defaults to 1). + + + + +--marginals-needed &ParmN; + +Number of marginally trusted users to introduce a new +key signer (defaults to 3) + + + + +--max-cert-depth &ParmN; + +Maximum depth of a certification chain (default is 5). + + + + +--cipher-algo &ParmName; + +Use &ParmName; as cipher algorithm. Running the program +with the command --version yields a list of supported +algorithms. If this is not used the cipher algorithm is +selected from the preferences stored with the key. 
+ + + + +--digest-algo &ParmName; + +Use &ParmName; as message digest algorithm. Running the +program with the command --version yields a list of +supported algorithms. Please note that using this +option may violate the OpenPGP requirement, that a +160 bit hash is to be used for DSA. + + + + +--s2k-cipher-algo &ParmName; + +Use &ParmName; as the cipher algorithm used to protect secret +keys. The default cipher is BLOWFISH. This cipher is +also used for conventional encryption if --cipher-algo +is not given. + + + + +--s2k-digest-algo &ParmName; + +Use &ParmName; as the digest algorithm used to mangle the +passphrases. The default algorithm is RIPE-MD-160. +This digest algorithm is also used for conventional +encryption if --digest-algo is not given. + + + + +--s2k-mode &ParmN; + +Selects how passphrases are mangled. If &ParmN; is 0 +a plain passphrase (which is not recommended) will be used, +a 1 (default) adds a salt to the passphrase and +a 3 iterates the whole process a couple of times. +Unless --rfc1991 is used, this mode is also used +for conventional encryption. + + + + +--compress-algo &ParmN; + +Use compress algorithm &ParmN;. Default is 2 which is +RFC1950 compression. You may use 1 to use the old zlib +version which is used by PGP. The default algorithm may +give better results because the window size is not limited +to 8K. If this is not used the OpenPGP behavior is used, +i.e. the compression algorithm is selected from the +preferences; note, that this can't be done if you do +not encrypt the data. + + + + +--throw-keyid + +Do not put the keyid into encrypted packets. This option +hides the receiver of the message and is a countermeasure +against traffic analysis. It may slow down the decryption +process because all available secret keys are tried. + + + + +--not-dash-escaped + +This option changes the behavior of cleartext signatures +so that they can be used for patch files. 
You should not +send such an armored file via email because all spaces +and line endings are hashed too. You can not use this +option for data which has 5 dashes at the beginning of a +line, patch files don't have this. A special armor header +line tells GnuPG about this cleartext signature option. + + + + +--escape-from-lines + +Because some mailers change lines starting with "From " +to "<From " it is good to handle such lines in a special +way when creating cleartext signatures. All other PGP +versions do it this way too. This option is not enabled +by default because it would violate rfc2440. + + + + +--passphrase-fd &ParmN; + +Read the passphrase from file descriptor &ParmN;. If you use +0 for &ParmN;, the passphrase will be read from stdin. This +can only be used if only one passphrase is supplied. + +Don't use this option if you can avoid it. + + + + +--rfc1991 + +Try to be more RFC1991 (PGP 2.x) compliant. + + + + +--openpgp + +Reset all packet, cipher and digest options to OpenPGP +behavior. Use this option to reset all previous +options like --rfc1991, --force-v3-sigs, --s2k-*, +--cipher-algo, --digest-algo and --compress-algo to +OpenPGP compliant values. + + + + +--force-v3-sigs + +OpenPGP states that an implementation should generate +v4 signatures but PGP 5.x recognizes v4 signatures only +on key material. This options forces v3 signatures for +signatures on data. + + + + +--force-mdc + +Force the use of encryption with appended manipulation +code. This is always used with the newer cipher (those +with a blocksize greater than 64 bit). + + + + +--lock-once + +Lock the databases the first time a lock is requested +and do not release the lock until the process +terminates. + + + + +--lock-multiple + +Release the locks every time a lock is no longer +needed. Use this to override a previous --lock-once +from a config file. + + + + +--no-verbose + +Reset verbose level to 0. 
+ + + + +--no-greeting + +Suppress the initial copyright message but do not +enter batch mode. + + + + +--no-armor + +Assume the input data is not in ASCII armored format. + + + + +--no-default-keyring + +Do not add the default keyrings to the list of +keyrings. + + + + +--skip-verify + +Skip the signature verification step. This may be +used to make the encryption faster if the signature +verification is not needed. + + + + +--with-colons + +Print key listings delimited by colons. + + + + +--with-key-data + +Print key listings delimited by colons and print the public key data. + + + + + + + RETURN VALUE + +The program returns 0 if everything was fine, 1 if at least +a signature was bad, and other error codes for fatal errors. + + + + + EXAMPLES + + + +gpg -se -r +sign and encrypt for user Bob + + + +gpg --clearsign &ParmFile; +make a clear text signature + + + +gpg -sb &ParmFile; +make a detached signature + + + +gpg --list-keys +show keys + + + +gpg --fingerprint +show fingerprint + + + + + + + + ENVIRONMENT + + + +HOME +Used to locate the default home directory. + + +GNUPGHOME +If set directory used instead of "~/.gnupg". + + + + + + + FILES + + + +~/.gnupg/secring.gpg +The secret keyring + + + +~/.gnupg/secring.gpg.lock +and the lock file + + + +~/.gnupg/pubring.gpg +The public keyring + + + +~/.gnupg/pubring.gpg.lock +and the lock file + + + +~/.gnupg/trustdb.gpg +The trust database + + + +~/.gnupg/trustdb.gpg.lock +and the lock file + + + +~/.gnupg/options +May contain options + + + +/usr[/local]/share/gnupg/options.skel +Skeleton options file + + + +/usr[/local]/lib/gnupg/ +Default location for extensions + + + + + + + + + WARNINGS + +Use a *good* password for your user account and a *good* passphrase +to protect your secret key. This passphrase is the weakest part of the +whole system. Programs to do dictionary attacks on your secret keyring +are very easy to write and so you should protect your "~/.gnupg/" +directory very well. 
+ + +Keep in mind that, if this program is used over a network (telnet), it +is *very* easy to spy out your passphrase! + + + + + + BUGS + +On many systems this program should be installed as setuid(root). This +is necessary to lock memory pages. Locking memory pages prevents the +operating system from writing memory pages to disk. If you get no +warning message about insecure memory your operating system supports +locking without being root. The program drops root privileges as soon +as locked memory is allocated. + + + + + -- cgit v1.2.3
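Review bot: Two entity references in the new gpg.sgml drop the closing `;` (`Use &ParmName to lookup keys` under `--keyserver`, and `Add &ParmFile to the list of keyrings. If &ParmFile begins with` under `--keyring`), unlike every other `&ParmName;`/`&ParmFile;` in the file; an SGML processor may treat an unterminated reference differently from a terminated one, so add the semicolons for consistency. While touching the text, a few typos in the option descriptions should go too: `to selected the type of the signature` (select), `&ParmName; must consists only of` (consist), `it will encoded in UTF8, so sou should have check` (will be encoded; you should check), `the keyserver to where the keys should be send` (sent), `in a options file` under `--homedir` (an), and `directory to &ParmDir; If this` is missing its period. The `--no` and `--debug-all` entries also indent their description with a leading space where the neighbouring entries do not.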