// 1d83445b5bb6f83e08be8276d6bde539
* 4 Invoking GPG

// gpg is the OpenPGP part of the GNU Privacy Guard (GnuPG).
gpgは、GNU Privacy Guard(GnuPG)のOpenPGP実装部です。~
// It is a tool to provide digital encryption and signing services using the OpenPGP standard.
// gpg features complete key management and all the bells and whistles you would expect from a full OpenPGP implementation.

// There are two main versions of GnuPG: GnuPG 1.x and GnuPG 2.x.
GnuPGには大きく分けて、GnuPG 1.xとGnuPG 2.xの2つのバージョン系列があります。~
// GnuPG 2.x supports modern encryption algorithms and thus should be preferred over GnuPG 1.x.
GnuPG 2.xは最新の暗号化アルゴリズムをサポートしているため、GnuPG 1.xよりも好ましいと言えます。~
// You only need to use GnuPG 1.x if your platform doesn’t support GnuPG 2.x, or you need support for some features that GnuPG 2.x has deprecated, e.g., ecrypting data created with PGP-2 keys.
GnuPG 1.xを使う必要があるのは、使用しているプラットフォームがGnuPG 2.xをサポートしていない場合や、PGP-2鍵で作成されたデータの暗号化など、GnuPG 2.xが非推奨としている機能が必要な場合だけです。~

// If you are looking for version 1 of GnuPG, you may find that version installed under the name gpg1.

// See [Option Index], page 217, for an index to gpg’s commands and options.
gpgのコマンドやオプションの索引については、[Option Index] 217ページ を参照してください。

** 4.1 Commands

// Commands are not distinguished from options except for the fact that only one command is allowed.

// Generally speaking, irrelevant options are silently ignored, and may not be checked for correctness.

// gpg may be run with no commands.

// In this case it will print a warning perform a reasonable action depending on the type of file it is given as input

// (an encrypted message is decrypted, a signature is verified, a file containing keys is listed, etc.).

// If you run into any problems, please add the option ‘--verbose’ to the invocation to see more diagnostics.

*** 4.1.1 Commands not specific to the function

: --version | 
// Print the program version and licensing information. 
// Note that you cannot abbreviate this command.

: --help &br; -h |
// Print a usage message summarizing the most useful command-line options.
// Note that you cannot arbitrarily abbreviate this command 
//(though you can useits short form ‘-h’).

: --warranty |
// Print warranty information.

: --dump-options |
// Print a list of all available options and commands.
// Note that you cannot abbreviate this command.

*** 4.1.2 Commands to select the type of operation

: --sign &br; -s |
Sign a message. This command may be combined with ‘--encrypt’ (to sign
and encrypt a message), ‘--symmetric’ (to sign and symmetrically encrypt
a message), or both ‘--encrypt’ and ‘--symmetric’ (to sign and encrypt a
message that can be decrypted using a secret key or a passphrase). The signing
key is chosen by default or can be set explicitly using the ‘--local-user’ and
‘--default-key’ options.

: --clear-sign &br; --clearsign |
Make a cleartext signature. The content in a cleartext signature is readable
without any special software. OpenPGP software is only needed to verify the
signature. cleartext signatures may modify end-of-line whitespace for platform
independence and are not intended to be reversible. The signing key is chosen by
default or can be set explicitly using the ‘--local-user’ and ‘--default-key’

: --detach-sign &br; -b |
Make a detached signature.

: --encrypt &br; -e |
// Encrypt data to one or more public keys.
// This command may be combined with ‘--sign’ (to sign and encrypt a message),
// ‘--symmetric’ (to encrypt a message that can be decrypted using a secret key or a passphrase),
// or ‘--sign’and ‘--symmetric’ together (for a signed message that can be decrypted using a secret key or a passphrase).
// ‘--recipient’ and related options specify which public keys to use for encryption.

: --symmetric &br; -c |
Encrypt with a symmetric cipher using a passphrase. The default symmetric
cipher used is AES-128, but may be chosen with the ‘--cipher-algo’ option.
This command may be combined with ‘--sign’ (for a signed and symmetrically
encrypted message), ‘--encrypt’ (for a message that may be decrypted
via a secret key or a passphrase), or ‘--sign’ and ‘--encrypt’ together (for a
signed message that may be decrypted via a secret key or a passphrase). gpg
caches the passphrase used for symmetric encryption so that a decrypt operation
may not require that the user needs to enter the passphrase. The option
‘--no-symkey-cache’ can be used to disable this feature.

: --store |
Store only (make a simple literal data packet).

: --decrypt &br; -d |
Decrypt the file given on the command line (or STDIN if no file is specified) and
write it to STDOUT (or the file specified with ‘--output’). If the decrypted file
is signed, the signature is also verified. This command differs from the default
operation, as it never writes to the filename which is included in the file and it
rejects files that don’t begin with an encrypted message.
// Decrypt the file given on the command line (or STDIN if no file is specified) and write it to STDOUT (or the file specified with ‘--output’).
// If the decrypted file is signed, the signature is also verified.
// This command differs from the default operation, as it never writes to the filename which is included in the file and it rejects files that don’t begin with an encrypted message.

: --verify |
Assume that the first argument is a signed file and verify it without generating
any output. With no arguments, the signature packet is read from STDIN. If
only one argument is given, the specified file is expected to include a complete
With more than one argument, the first argument should specify a file with a
detached signature and the remaining files should contain the signed data. To
read the signed data from STDIN, use ‘-’ as the second filename. For security
reasons, a detached signature will not read the signed material from STDIN if
not explicitly specified.
Note: If the option ‘--batch’ is not used, gpg may assume that a single argument
is a file with a detached signature, and it will try to find a matching
data file by stripping certain suffixes. Using this historical feature to verify a
detached signature is strongly discouraged; you should always specify the data
file explicitly.
Note: When verifying a cleartext signature, gpg verifies only what makes up the
cleartext signed data and not any extra data outside of the cleartext signature
or the header lines directly following the dash marker line. The option --output
may be used to write out the actual signed data, but there are other pitfalls
with this format as well. It is suggested to avoid cleartext signatures in favor
of detached signatures.
Note: Sometimes the use of the gpgv tool is easier than using the full-fledged
gpg with this option. gpgv is designed to compare signed data against a list of
trusted keys and returns with success only for a good signature. It has its own
manual page.

: --multifile |
This modifies certain other commands to accept multiple files for processing
on the command line or read from STDIN with each filename on a separate
line. This allows for many files to be processed at once. ‘--multifile’ may
currently be used along with ‘--verify’, ‘--encrypt’, and ‘--decrypt’. Note
that ‘--multifile --verify’ may not be used with detached signatures.

: --verify-files |
Identical to ‘--multifile --verify’.

: --encrypt-files |
Identical to ‘--multifile --encrypt’.

: --decrypt-files |
Identical to ‘--multifile --decrypt’.

: --list-keys &br; -k &br; --list-public-keys |
List the specified keys. If no keys are specified, then all keys from the configured
public keyrings are listed.
Never use the output of this command in scripts or other programs. The
output is intended only for humans and its format is likely to change. The
‘--with-colons’ option emits the output in a stable, machine-parseable format,
which is intended for use by scripts and other programs.

: --list-secret-keys &br; -K |
List the specified secret keys. If no keys are specified, then all known secret
keys are listed. A # after the initial tags sec or ssb means that the secret key or
subkey is currently not usable. We also say that this key has been taken offline
(for example, a primary key can be taken offline by exporting the key using the
command ‘--export-secret-subkeys’). A > after these tags indicate that the
key is stored on a smartcard. See also ‘--list-keys’.

: --check-signatures &br; --check-sigs |
Same as ‘--list-keys’, but the key signatures are verified and listed too.
Note that for performance reasons the revocation status of a signing key is
not shown. This command has the same effect as using ‘--list-keys’ with
The status of the verification is indicated by a flag directly following the "sig"
tag (and thus before the flags described below. A "!" indicates that the signature
has been successfully verified, a "-" denotes a bad signature and a "%" is
used if an error occurred while checking the signature (e.g. a non supported
algorithm). Signatures where the public key is not available are not listed; to
see their keyids the command ‘--list-sigs’ can be used.
For each signature listed, there are several flags in between the signature
status flag and keyid. These flags give additional information about each key
signature. From left to right, they are the numbers 1-3 for certificate check
level (see ‘--ask-cert-level’), "L" for a local or non-exportable signature
(see ‘--lsign-key’), "R" for a nonRevocable signature (see the ‘--edit-key’
command "nrsign"), "P" for a signature that contains a policy URL (see
‘--cert-policy-url’), "N" for a signature that contains a notation (see
‘--cert-notation’), "X" for an eXpired signature (see ‘--ask-cert-expire’),
and the numbers 1-9 or "T" for 10 and above to indicate trust signature levels
(see the ‘--edit-key’ command "tsign").

: --locate-keys &br; --locate-external-keys |
Locate the keys given as arguments. This command basically uses the same
algorithm as used when locating keys for encryption and may thus be used to
see what keys gpg might use. In particular external methods as defined by
‘--auto-key-locate’ are used to locate a key if the arguments comain valid
mail addresses. Only public keys are listed.
The variant ‘--locate-external-keys’ does not consider a locally existing
key and can thus be used to force the refresh of a key via the defined external
methods. If a fingerprint is given and and the methods defined by –auto-keylocate
define LDAP servers, the key is fetched from these resources; defined
non-LDAP keyservers are skipped.

: --show-keys |
This commands takes OpenPGP keys as input and prints information about
them in the same way the command ‘--list-keys’ does for locally stored key.
In addition the list options show-unusable-uids, show-unusable-subkeys,
show-notations and show-policy-urls are also enabled. As usual for
automated processing, this command should be combined with the option

: --fingerprint |
List all keys (or the specified ones) along with their fingerprints. This is the
same output as ‘--list-keys’ but with the additional output of a line with
the fingerprint. May also be combined with ‘--check-signatures’. If this
command is given twice, the fingerprints of all secondary keys are listed too.
This command also forces pretty printing of fingerprints if the keyid format has
been set to "none".

: --list-packets |
List only the sequence of packets. This command is only useful for debugging.
When used with option ‘--verbose’ the actual MPI values are dumped and
not only their lengths. Note that the output of this command may change with
new releases.

: --edit-card &br; --card-edit |
Present a menu to work with a smartcard. The subcommand "help" provides
an overview on available commands. For a detailed description, please see the
Card HOWTO at https://gnupg.org/documentation/howtos.html#GnuPGcardHOWTO.

: --card-status |
Show the content of the smart card.

: --change-pin |
Present a menu to allow changing the PIN of a smartcard. This functionality is
also available as the subcommand "passwd" with the ‘--edit-card’ command.

: --delete-keys name |
Remove key from the public keyring. In batch mode either ‘--yes’ is required or
the key must be specified by fingerprint. This is a safeguard against accidental
deletion of multiple keys. If the exclamation mark syntax is used with the
fingerprint of a subkey only that subkey is deleted; if the exclamation mark is
used with the fingerprint of the primary key the entire public key is deleted.

: --delete-secret-keys name |
Remove key from the secret keyring. In batch mode the key must be specified by
fingerprint. The option ‘--yes’ can be used to advise gpg-agent not to request
a confirmation. This extra pre-caution is done because gpg can’t be sure that
the secret key (as controlled by gpg-agent) is only used for the given OpenPGP
public key. If the exclamation mark syntax is used with the fingerprint of a
subkey only the secret part of that subkey is deleted; if the exclamation mark is
used with the fingerprint of the primary key only the secret part of the primary
key is deleted.

: --delete-secret-and-public-key name |
Same as ‘--delete-key’, but if a secret key exists, it will be removed first. In
batch mode the key must be specified by fingerprint. The option ‘--yes’ can
be used to advise gpg-agent not to request a confirmation.

: --export |
Either export all keys from all keyrings (default keyring and those registered
via option ‘--keyring’), or if at least one name is given, those of the given
name. The exported keys are written to STDOUT or to the file given with
option ‘--output’. Use together with ‘--armor’ to mail those keys.

: --send-keys keyIDs |
Similar to ‘--export’ but sends the keys to a keyserver. Fingerprints may be
used instead of key IDs. Don’t send your complete keyring to a keyserver —
select only those keys which are new or changed by you. If no keyIDs are given,
gpg does nothing.
Take care: Keyservers are by design write only systems and thus it is not
possible to ever delete keys once they have been send to a keyserver.

: --export-secret-keys &br; --export-secret-subkeys |
Same as ‘--export’, but exports the secret keys instead. The exported keys are
written to STDOUT or to the file given with option ‘--output’. This command
is often used along with the option ‘--armor’ to allow for easy printing of the
key for paper backup; however the external tool paperkey does a better job of
creating backups on paper. Note that exporting a secret key can be a security
risk if the exported keys are sent over an insecure channel.
The second form of the command has the special property to render the secret
part of the primary key useless; this is a GNU extension to OpenPGP and
other implementations can not be expected to successfully import such a key.
Its intended use is in generating a full key with an additional signing subkey on
a dedicated machine. This command then exports the key without the primary
key to the main machine.
GnuPG may ask you to enter the passphrase for the key. This is required,
because the internal protection method of the secret key is different from the
one specified by the OpenPGP protocol.

: --export-ssh-key |
This command is used to export a key in the OpenSSH public key format.
It requires the specification of one key by the usual means and exports the
latest valid subkey which has an authentication capability to STDOUT or to
the file given with option ‘--output’. That output can directly be added to
ssh’s ‘authorized_key’ file.
By specifying the key to export using a key ID or a fingerprint suffixed with
an exclamation mark (!), a specific subkey or the primary key can be exported.
This does not even require that the key has the authentication capability flag

: --import &br; --fast-import |
Import/merge keys. This adds the given keys to the keyring. The fast version
is currently just a synonym.
There are a few other options which control how this command works. Most
notable here is the ‘--import-options merge-only’ option which does not
insert new keys but does only the merging of new signatures, user-IDs and

: --receive-keys keyIDs & br; --recv-keys keyIDs |
Import the keys with the given keyIDs from a keyserver.

: --refresh-keys |
Request updates from a keyserver for keys that already exist on the local
keyring. This is useful for updating a key with the latest signatures, user
IDs, etc. Calling this with no arguments will refresh the entire keyring.

: --search-keys names |
Search the keyserver for the given names. Multiple names given here will be
joined together to create the search string for the keyserver. Note that keyservers
search for names in a different and simpler way than gpg does. The
best choice is to use a mail address. Due to data privacy reasons keyservers
may even not even allow searching by user id or mail address and thus may
only return results when being used with the ‘--recv-key’ command to search
by key fingerprint or keyid.

: --fetch-keys URIs |
Retrieve keys located at the specified URIs. Note that different installations
of GnuPG may support different protocols (HTTP, FTP, LDAP, etc.). When
using HTTPS the system provided root certificates are used by this command.

: --update-trustdb |
Do trust database maintenance. This command iterates over all keys and builds
the Web of Trust. This is an interactive command because it may have to ask
for the "ownertrust" values for keys. The user has to give an estimation of how
far she trusts the owner of the displayed key to correctly certify (sign) other
keys. GnuPG only asks for the ownertrust value if it has not yet been assigned
to a key. Using the ‘--edit-key’ menu, the assigned value can be changed at
any time.

: --check-trustdb |
Do trust database maintenance without user interaction. From time to
time the trust database must be updated so that expired keys or signatures
and the resulting changes in the Web of Trust can be tracked. Normally,
GnuPG will calculate when this is required and do it automatically unless
‘--no-auto-check-trustdb’ is set. This command can be used to force a
trust database check at any time. The processing is identical to that of
‘--update-trustdb’ but it skips keys with a not yet defined "ownertrust".
For use with cron jobs, this command can be used together with ‘--batch’ in
which case the trust database check is done only if a check is needed. To force
a run even in batch mode add the option ‘--yes’.

: --export-ownertrust |
Send the ownertrust values to STDOUT. This is useful for backup purposes
as these values are the only ones which can’t be re-created from a corrupted
trustdb. Example:
 gpg --export-ownertrust > otrust.txt

: --import-ownertrust |
Update the trustdb with the ownertrust values stored in files (or STDIN if
not given); existing values will be overwritten. In case of a severely damaged
trustdb and if you have a recent backup of the ownertrust values (e.g. in the
file ‘otrust.txt’), you may re-create the trustdb using these commands:
 cd ~/.gnupg
 rm trustdb.gpg
 gpg --import-ownertrust < otrust.txt

: --rebuild-keydb-caches |
When updating from version 1.0.6 to 1.0.7 this command should be used to
create signature caches in the keyring. It might be handy in other situations

: --print-md algo &br; --print-mds |
Print message digest of algorithm algo for all given files or STDIN. With the
second form (or a deprecated "*" for algo) digests for all available algorithms
are printed.

: --gen-random 0/1/2 count |
Emit count random bytes of the given quality level 0, 1 or 2. If count is not
given or zero, an endless sequence of random bytes will be emitted. If used
with ‘--armor’ the output will be base64 encoded. PLEASE, don’t use this
command unless you know what you are doing; it may remove precious entropy
from the system!

: --gen-prime mode bits |
Use the source, Luke :-). The output format is subject to change with ant

: --enarmor &br; --dearmor |
Pack or unpack an arbitrary input into/from an OpenPGP ASCII armor. This
is a GnuPG extension to OpenPGP and in general not very useful.

: --unwrap |
This command is similar to ‘--decrypt’ with the change that the output is not
the usual plaintext but the original message with the decryption layer removed.
Thus the output will be an OpenPGP data structure which often means a
signed OpenPGP message. Note that this command may or may not remove a
compression layer which is often found beneath the encryption layer.

: --tofu-policy {auto/good/unknown/bad/ask} keys |
Set the TOFU policy for all the bindings associated with the specified keys.
For more information about the meaning of the policies, see [trust-model-tofu],
page 59. The keys may be specified either by their fingerprint (preferred) or
their keyid.

*** 4.1.3 How to manage your keys

This section explains the main commands for key management.

: --quick-generate-key user-id [algo [usage [expire]]] &br; --quick-gen-key |
This is a simple command to generate a standard key with one user id. In
contrast to ‘--generate-key’ the key is generated directly without the need to
answer a bunch of prompts. Unless the option ‘--yes’ is given, the key creation
will be canceled if the given user id already exists in the keyring.
If invoked directly on the console without any special options an answer to a
“Continue?” style confirmation prompt is required. In case the user id already
exists in the keyring a second prompt to force the creation of the key will show
If algo or usage are given, only the primary key is created and no prompts are
shown. To specify an expiration date but still create a primary and subkey use
“default” or “future-default” for algo and “default” for usage. For a description
of these optional arguments see the command --quick-add-key. The usage
accepts also the value “cert” which can be used to create a certification only
primary key; the default is to a create certification and signing key.
The expire argument can be used to specify an expiration date for the key.
Several formats are supported; commonly the ISO formats “YYYY-MM-DD”
or “YYYYMMDDThhmmss” are used. To make the key expire in N seconds, N
days, N weeks, N months, or N years use “seconds=N”, “Nd”, “Nw”, “Nm”, or
“Ny” respectively. Not specifying a value, or using “-” results in a key expiring
in a reasonable default interval. The values “never”, “none” can be used for no
expiration date.
If this command is used with ‘--batch’, ‘--pinentry-mode’ has been
set to loopback, and one of the passphrase options (‘--passphrase’,
‘--passphrase-fd’, or ‘--passphrase-file’) is used, the supplied passphrase
is used for the new key and the agent does not ask for it. To create a key
without any protection --passphrase ’’ may be used.
To create an OpenPGP key from the keys available on the currently inserted
smartcard, the special string “card” can be used for algo. If the card features an
encryption and a signing key, gpg will figure them out and creates an OpenPGP
key consisting of the usual primary key and one subkey. This works only with
certain smartcards. Note that the interactive ‘--full-gen-key’ command allows
to do the same but with greater flexibility in the selection of the smartcard
Note that it is possible to create a primary key and a subkey using non-default
algorithms by using “default” and changing the default parameters using the
option ‘--default-new-key-algo’.

: --quick-set-expire fpr expire [*/subfprs] |
With two arguments given, directly set the expiration time of the primary key
identified by fpr to expire. To remove the expiration time 0 can be used. With
three arguments and the third given as an asterisk, the expiration time of all
non-revoked and not yet expired subkeys are set to expire. With more than two
arguments and a list of fingerprints given for subfprs, all non-revoked subkeys
matching these fingerprints are set to expire.

: --quick-add-key fpr [algo [usage [expire]]] |
Directly add a subkey to the key identified by the fingerprint fpr. Without the
optional arguments an encryption subkey is added. If any of the arguments are
given a more specific subkey is added.
algo may be any of the supported algorithms or curve names given in the format
as used by key listings. To use the default algorithm the string “default”
or “-” can be used. Supported algorithms are “rsa”, “dsa”, “elg”, “ed25519”,
“cv25519”, and other ECC curves. For example the string “rsa” adds an RSA
key with the default key length; a string “rsa4096” requests that the key length
is 4096 bits. The string “future-default” is an alias for the algorithm which will
likely be used as default algorithm in future versions of gpg. To list the supported
ECC curves the command gpg --with-colons --list-config curve
can be used.
Depending on the given algo the subkey may either be an encryption subkey or
a signing subkey. If an algorithm is capable of signing and encryption and such
a subkey is desired, a usage string must be given. This string is either “default”
or “-” to keep the default or a comma delimited list (or space delimited list) of
keywords: “sign” for a signing subkey, “auth” for an authentication subkey, and
“encr” for an encryption subkey (“encrypt” can be used as alias for “encr”).
The valid combinations depend on the algorithm.
The expire argument can be used to specify an expiration date for the key.
Several formats are supported; commonly the ISO formats “YYYY-MM-DD”
or “YYYYMMDDThhmmss” are used. To make the key expire in N seconds, N
days, N weeks, N months, or N years use “seconds=N”, “Nd”, “Nw”, “Nm”, or
“Ny” respectively. Not specifying a value, or using “-” results in a key expiring
in a reasonable default interval. The values “never”, “none” can be used for no
expiration date.

: --generate-key &br; --gen-key |
Generate a new key pair using the current default parameters. This is the
standard command to create a new key. In addition to the key a revocation
certificate is created and stored in the ‘openpgp-revocs.d’ directory below the
GnuPG home directory.

: --full-generate-key &br; --full-gen-key |
Generate a new key pair with dialogs for all options. This is an extended version
of ‘--generate-key’.
There is also a feature which allows you to create keys in batch mode. See the
manual section “Unattended key generation” on how to use this.

: --generate-revocation name &br; --gen-revoke name |
Generate a revocation certificate for the complete key. To only revoke a subkey
or a key signature, use the ‘--edit’ command.
This command merely creates the revocation certificate so that it can be used
to revoke the key if that is ever needed. To actually revoke a key the created
revocation certificate needs to be merged with the key to revoke. This is done
by importing the revocation certificate using the ‘--import’ command. Then
the revoked key needs to be published, which is best done by sending the key
to a keyserver (command ‘--send-key’) and by exporting (‘--export’) it to a
file which is then send to frequent communication partners.

: --generate-designated-revocation name &br; --desig-revoke name |
Generate a designated revocation certificate for a key. This allows a user (with
the permission of the keyholder) to revoke someone else’s key.

: --edit-key |
Present a menu which enables you to do most of the key management related
tasks. It expects the specification of a key on the command line.

:: uid n |
Toggle selection of user ID or photographic user ID with index n.
Use * to select all and 0 to deselect all.
:: key n |
Toggle selection of subkey with index n or key ID n. Use * to select
all and 0 to deselect all.
:: sign |
Make a signature on key of user name. If the key is not yet signed by
the default user (or the users given with ‘-u’), the program displays
the information of the key again, together with its fingerprint and
asks whether it should be signed. This question is repeated for all
users specified with ‘-u’.
:: lsign |
Same as "sign" but the signature is marked as non-exportable and
will therefore never be used by others. This may be used to make
keys valid only in the local environment.
:: nrsign |
Same as "sign" but the signature is marked as non-revocable and
can therefore never be revoked.
:: tsign |
Make a trust signature. This is a signature that combines the notions
of certification (like a regular signature), and trust (like the
"trust" command). It is generally only useful in distinct communities
or groups. For more information please read the sections
“Trust Signature” and “Regular Expression” in RFC-4880.

:|Note that "l" (for local / non-exportable), "nr" (for non-revocable, and "t"
(for trust) may be freely mixed and prefixed to "sign" to create a signature of
any type desired.
If the option ‘--only-sign-text-ids’ is specified, then any non-text based
user ids (e.g., photo IDs) will not be selected for signing.

:: delsig |
Delete a signature. Note that it is not possible to retract a signature,
once it has been send to the public (i.e. to a keyserver). In
that case you better use revsig.
:: revsig |
Revoke a signature. For every signature which has been generated
by one of the secret keys, GnuPG asks whether a revocation
certificate should be generated.
:: check |
Check the signatures on all selected user IDs. With the extra option
selfsig only self-signatures are shown.
:: adduid |
Create an additional user ID.
:: addphoto |
Create a photographic user ID. This will prompt for a JPEG file
that will be embedded into the user ID. Note that a very large JPEG
will make for a very large key. Also note that some programs will
display your JPEG unchanged (GnuPG), and some programs will
scale it to fit in a dialog box (PGP).

:: showphoto |
Display the selected photographic user ID.

:: deluid |
Delete a user ID or photographic user ID. Note that it is not possible
to retract a user id, once it has been send to the public (i.e. to a
keyserver). In that case you better use revuid.

:: revuid |
Revoke a user ID or photographic user ID.
:: primary |
Flag the current user id as the primary one, removes the primary
user id flag from all other user ids and sets the timestamp of all
affected self-signatures one second ahead. Note that setting a photo
user ID as primary makes it primary over other photo user IDs, and
setting a regular user ID as primary makes it primary over other
regular user IDs.

:: keyserver |
Set a preferred keyserver for the specified user ID(s). This allows
other users to know where you prefer they get your key from. See
‘--keyserver-options honor-keyserver-url’ for more on how
this works. Setting a value of "none" removes an existing preferred

:: notation |
Set a name=value notation for the specified user ID(s). See
‘--cert-notation’ for more on how this works. Setting a value
of "none" removes all notations, setting a notation prefixed with
a minus sign (-) removes that notation, and setting a notation
name (without the =value) prefixed with a minus sign removes all
notations with that name.

:: pref |
List preferences from the selected user ID. This shows the actual
preferences, without including any implied preferences.

:: showpref |
More verbose preferences listing for the selected user ID. This shows
the preferences in effect by including the implied preferences of
3DES (cipher), SHA-1 (digest), and Uncompressed (compression)
if they are not already included in the preference list. In addition,
the preferred keyserver and signature notations (if any) are shown.

:: setpref string |
Set the list of user ID preferences to string for all (or just
the selected) user IDs. Calling setpref with no arguments sets
the preference list to the default (either built-in or set via
‘--default-preference-list’), and calling setpref with "none"
as the argument sets an empty preference list. Use gpg--version
to get a list of available algorithms. Note that while you can
change the preferences on an attribute user ID (aka "photo ID"),
GnuPG does not select keys via attribute user IDs so these
preferences will not be used by GnuPG.
When setting preferences, you should list the algorithms in the
order which you’d like to see them used by someone else when encrypting
a message to your key. If you don’t include 3DES, it will
be automatically added at the end. Note that there are many factors
that go into choosing an algorithm (for example, your key may
not be the only recipient), and so the remote OpenPGP application
being used to send to you may or may not follow your exact chosen
order for a given message. It will, however, only choose an algorithm
that is present on the preference list of every recipient key.
PROGRAMS section below.

:: addkey |
Add a subkey to this key.

:: addcardkey |
Generate a subkey on a card and add it to this key.

:: keytocard |
Transfer the selected secret subkey (or the primary key if no subkey
has been selected) to a smartcard. The secret key in the keyring
will be replaced by a stub if the key could be stored successfully
on the card and you use the save command later. Only certain key
types may be transferred to the card. A sub menu allows you to
select on what card to store the key. Note that it is not possible
to get that key back from the card - if the card gets broken your
secret key will be lost unless you have a backup somewhere.

:: bkuptocard file |
Restore the given file to a card. This command may be used to
restore a backup key (as generated during card initialization) to a
new card. In almost all cases this will be the encryption key. You
should use this command only with the corresponding public key
and make sure that the file given as argument is indeed the backup
to restore. You should then select 2 to restore as encryption key.
You will first be asked to enter the passphrase of the backup key
and then for the Admin PIN of the card.

:: keytotpm |
Transfer the selected secret subkey (or the primary key if no subkey
has been selected) to TPM form. The secret key in the keyring will
be replaced by the TPM representation of that key, which can only
be read by the particular TPM that created it (so the keyfile now
becomes locked to the laptop containing the TPM). Only certain
key types may be transferred to the TPM (all TPM 2.0 systems are
mandated to have the rsa2048 and nistp256 algorithms but newer
TPMs may have more). Note that the key itself is not transferred
into the TPM, merely encrypted by the TPM in-place, so if the
keyfile is deleted, the key will be lost. Once transferred to TPM
representation, the key file can never be converted back to non-
TPM form and the key will die when the TPM does, so you should
first have a backup on secure offline storage of the actual secret
key file before conversion. It is essential to use the physical system
TPM that you have rw permission on the TPM resource manager
device (/dev/tpmrm0). Usually this means you must be a member
of the tss group.

:: delkey |
Remove a subkey (secondary key). Note that it is not possible to
retract a subkey, once it has been send to the public (i.e. to a
keyserver). In that case you better use revkey. Also note that this
only deletes the public part of a key.

:: revkey |
Revoke a subkey.

:: expire |
Change the key or subkey expiration time. If a subkey is selected,
the expiration time of this subkey will be changed. With no selection,
the key expiration of the primary key is changed.

:: trust |
Change the owner trust value for the key. This updates the trust-db
immediately and no save is required.

:: disable &br; enable |
Disable or enable an entire key. A disabled key can not normally
be used for encryption.

:: addrevoker |
Add a designated revoker to the key. This takes one optional argument:
"sensitive". If a designated revoker is marked as sensitive,
it will not be exported by default (see export-options).

:: passwd |
Change the passphrase of the secret key.

:: toggle |
This is dummy command which exists only for backward compatibility.

:: clean |
Compact (by removing all signatures except the selfsig) any user
ID that is no longer usable (e.g. revoked, or expired). Then, remove
any signatures that are not usable by the trust calculations.
Specifically, this removes any signature that does not validate, any
signature that is superseded by a later signature, revoked signatures,
and signatures issued by keys that are not present on the

:: minimize |
Make the key as small as possible. This removes all signatures from
each user ID except for the most recent self-signature.

:: change-usage |
Change the usage flags (capabilities) of the primary key or of subkeys.
These usage flags (e.g. Certify, Sign, Authenticate, Encrypt)
are set during key creation. Sometimes it is useful to have the
opportunity to change them (for example to add Authenticate) after
they have been created. Please take care when doing this; the
allowed usage flags depend on the key algorithm.

:: cross-certify |
Add cross-certification signatures to signing subkeys that
may not currently have them. Cross-certification signatures
protect against a subtle attack against signing subkeys. See
‘--require-cross-certification’. All new keys generated have
this signature by default, so this command is only useful to bring
older keys up to date.

:: save |
Save all changes to the keyring and quit.

:: quit |
Quit the program without updating the keyring.

:|The listing shows you the key with its secondary keys and all user IDs. The
primary user ID is indicated by a dot, and selected keys or user IDs are indicated
by an asterisk. The trust value is displayed with the primary key: "trust" is
the assigned owner trust and "validity" is the calculated validity of the key.
Validity values are also displayed for all user IDs. For possible values of trust,
see [trust-values], page 137.

: --sign-key name |
Signs a public key with your secret key. This is a shortcut version of the
subcommand "sign" from ‘--edit-key’.

: --lsign-key name |
Signs a public key with your secret key but marks it as non-exportable. This
is a shortcut version of the subcommand "lsign" from ‘--edit-key’.

: --quick-sign-key fpr [names] &br; --quick-lsign-key fpr [names] |
Directly sign a key from the passphrase without any further user interaction.
The fpr must be the verified primary fingerprint of a key in the local keyring.
If no names are given, all useful user ids are signed; with given [names] only
useful user ids matching one of these names are signed. By default, or if a name
is prefixed with a ’*’, a case insensitive substring match is used. If a name is
prefixed with a ’=’ a case sensitive exact match is done.
The command ‘--quick-lsign-key’ marks the signatures as non-exportable.
If such a non-exportable signature already exists the ‘--quick-sign-key’
turns it into a exportable signature. If you need to update an existing
signature, for example to add or change notation data, you need to use the
option ‘--force-sign-key’.
This command uses reasonable defaults and thus does not provide the full
flexibility of the "sign" subcommand from ‘--edit-key’. Its intended use is to
help unattended key signing by utilizing a list of verified fingerprints.

: --quick-add-uid user-id new-user-id |
This command adds a new user id to an existing key. In contrast to the interactive
sub-command adduid of ‘--edit-key’ the new-user-id is added verbatim
with only leading and trailing white space removed, it is expected to be UTF-8
encoded, and no checks on its form are applied.

: --quick-revoke-uid user-id user-id-to-revoke |
This command revokes a user ID on an existing key. It cannot be used to
revoke the last user ID on key (some non-revoked user ID must remain), with
revocation reason “User ID is no longer valid”. If you want to specify a different
revocation reason, or to supply supplementary revocation text, you should use
the interactive sub-command revuid of ‘--edit-key’.

: --quick-revoke-sig fpr signing-fpr [names] |
This command revokes the key signatures made by signing-fpr from the
key specified by the fingerprint fpr. With names given only the signatures
on user ids of the key matching any of the given names are affected (see
‘--quick-sign-key’). If a revocation already exists a notice is printed instead
of creating a new revocation; no error is returned in this case. Note that key
signature revocations may be superseded by a newer key signature and in turn
again revoked.

: --quick-set-primary-uid user-id primary-user-id |
This command sets or updates the primary user ID flag on an existing key.
user-id specifies the key and primary-user-id the user ID which shall be flagged
as the primary user ID. The primary user ID flag is removed from all other user
ids and the timestamp of all affected self-signatures is set one second ahead.

: --change-passphrase user-id &br; --passwd user-id |
Change the passphrase of the secret key belonging to the certificate specified
as user-id. This is a shortcut for the sub-command passwd of the ‘--edit-key’
menu. When using together with the option ‘--dry-run’ this will not actually
change the passphrase but check that the current passphrase is correct.

** 4.2 Option Summary

gpg features a bunch of options to control the exact behaviour and to change the default

Long options can be put in an options file (default "~/.gnupg/gpg.conf"). Short option
names will not work - for example, "armor" is a valid option for the options file, while "a"
is not. Do not write the 2 dashes, but simply the name of the option and any required
arguments. Lines with a hash (’#’) as the first non-white-space character are ignored.
Commands may be put in this file too, but that is not generally useful as the command will
execute automatically with every execution of gpg.

Please remember that option parsing stops as soon as a non-option is encountered, you
can explicitly stop parsing by using the special option ‘--’.

*** 4.2.1 How to change the configuration
*** 4.2.2 Key related options
*** 4.2.3 Input and Output
*** 4.2.4 OpenPGP protocol specific options
*** 4.2.5 Compliance options
*** 4.2.6 Doing things one usually doesn’t want to do
*** 4.2.7 Deprecated options

トップ   編集 差分 バックアップ 添付 複製 名前変更 リロード   新規 一覧 単語検索 最終更新   ヘルプ   最終更新のRSS