![[PukiWiki]](image/pukiwiki.png "[PukiWiki]")
// 1d83445b5bb6f83e08be8276d6bde539 * 4 Invoking GPG // gpg is the OpenPGP part of the GNU Privacy Guard (GnuPG). gpgは、GNU Privacy Guard(GnuPG)のOpenPGP実装部です。~ // It is a tool to provide digital encryption and signing services using the OpenPGP standard. OpenPGP規格を用いた暗号化・署名を提供するツールです。~ // gpg features complete key management and all the bells and whistles you would expect from a full OpenPGP implementation. gpgは、すべての鍵管理機能を備えており、完全なOpenPGP実装に期待されているすべての機能を備えています。~ // There are two main versions of GnuPG: GnuPG 1.x and GnuPG 2.x. GnuPGには大きく分けて、GnuPG 1.xとGnuPG 2.xの2つのバージョン系列があります。~ // GnuPG 2.x supports modern encryption algorithms and thus should be preferred over GnuPG 1.x. GnuPG 2.xは最新の暗号化アルゴリズムをサポートしているため、GnuPG 1.xよりも好ましいと言えます。~ // You only need to use GnuPG 1.x if your platform doesn’t support GnuPG 2.x, or you need support for some features that GnuPG 2.x has deprecated, e.g., ecrypting data created with PGP-2 keys. GnuPG 1.xを使う必要があるのは、使用しているプラットフォームがGnuPG 2.xをサポートしていない場合や、PGP-2鍵で作成されたデータの暗号化など、GnuPG 2.xが非推奨としている機能が必要な場合だけです。~ // If you are looking for version 1 of GnuPG, you may find that version installed under the name gpg1. GnuPGのバージョン1を探している場合、gpg1という名前でインストールされているかもしれません。 // See [Option Index], page 217, for an index to gpg’s commands and options. gpgのコマンドやオプションの索引については、[Option Index] 217ページ を参照してください。 ** 4.1 Commands // Commands are not distinguished from options except for the fact that only one command is allowed. コマンドは1つしか使えないこと以外は、オプションとの違いはありません。 // Generally speaking, irrelevant options are silently ignored, and may not be checked for correctness. 一般的に、無関係なオプションは無視され、正しさもチェックされません。 // gpg may be run with no commands. gpgはコマンドなしでも実行できます。 // In this case it will print a warning perform a reasonable action depending on the type of file it is given as input この場合、警告が表示され、入力されたファイルの種類に応じて適切な処理が行われます。 // (an encrypted message is decrypted, a signature is verified, a file containing keys is listed, etc.). (暗号化されたメッセージの復号化、署名の検証、ファイル内の鍵のリストアップなどを行います) // If you run into any problems, please add the option ‘--verbose’ to the invocation to see more diagnostics. 何か問題が発生した場合は、起動時に「--verbose」オプションを追加することで、より詳細な診断結果を見ることができます。 *** 4.1.1 Commands not specific to the function : --version | // Print the program version and licensing information. プログラムのバージョンとライセンス情報を表示します。 // Note that you cannot abbreviate this command. なお、このコマンドは省略することはできません。 : --help &br; -h | // Print a usage message summarizing the most useful command-line options. 最も便利なコマンドラインオプションをまとめた使用法を表示します。 // Note that you cannot arbitrarily abbreviate this command なお、このコマンドを任意に省略することはできません //(though you can useits short form ‘-h’). (短縮形の「-h」を使うこともできますが) : --warranty | // Print warranty information. 保証情報を表示します。 : --dump-options | // Print a list of all available options and commands. すべての使用可能なオプションとコマンドの一覧を表示します。 // Note that you cannot abbreviate this command. なお、このコマンドは省略することはできません。 *** 4.1.2 Commands to select the type of operation : --sign &br; -s | Sign a message. This command may be combined with ‘--encrypt’ (to sign and encrypt a message), ‘--symmetric’ (to sign and symmetrically encrypt a message), or both ‘--encrypt’ and ‘--symmetric’ (to sign and encrypt a message that can be decrypted using a secret key or a passphrase). The signing key is chosen by default or can be set explicitly using the ‘--local-user’ and ‘--default-key’ options. : --clear-sign &br; --clearsign | Make a cleartext signature. The content in a cleartext signature is readable without any special software. OpenPGP software is only needed to verify the signature. cleartext signatures may modify end-of-line whitespace for platform independence and are not intended to be reversible. The signing key is chosen by default or can be set explicitly using the ‘--local-user’ and ‘--default-key’ options. : --detach-sign &br; -b | Make a detached signature. : --encrypt &br; -e | // Encrypt data to one or more public keys. データを1つ以上の公開鍵で暗号化します。 // This command may be combined with ‘--sign’ (to sign and encrypt a message), このコマンドは、「--sign」(メッセージの署名と暗号化) // ‘--symmetric’ (to encrypt a message that can be decrypted using a secret key or a passphrase), もしくは「--symmetric」(秘密鍵かパスフレーズで復号化できる暗号化) // or ‘--sign’and ‘--symmetric’ together (for a signed message that can be decrypted using a secret key or a passphrase). もしくは「--sign」と「--symmetric」の両方(秘密鍵かパスフレーズで復号化できる署名付きメッセージ)と組み合わせることが出来ます。 // ‘--recipient’ and related options specify which public keys to use for encryption. 「--recipient」と関連するオプションは、暗号化に使用する公開鍵を指定します。 : --symmetric &br; -c | Encrypt with a symmetric cipher using a passphrase. The default symmetric cipher used is AES-128, but may be chosen with the ‘--cipher-algo’ option. This command may be combined with ‘--sign’ (for a signed and symmetrically encrypted message), ‘--encrypt’ (for a message that may be decrypted via a secret key or a passphrase), or ‘--sign’ and ‘--encrypt’ together (for a signed message that may be decrypted via a secret key or a passphrase). gpg caches the passphrase used for symmetric encryption so that a decrypt operation may not require that the user needs to enter the passphrase. The option ‘--no-symkey-cache’ can be used to disable this feature. : --store | Store only (make a simple literal data packet). : --decrypt &br; -d | Decrypt the file given on the command line (or STDIN if no file is specified) and write it to STDOUT (or the file specified with ‘--output’). If the decrypted file is signed, the signature is also verified. This command differs from the default operation, as it never writes to the filename which is included in the file and it rejects files that don’t begin with an encrypted message. // Decrypt the file given on the command line (or STDIN if no file is specified) and write it to STDOUT (or the file specified with ‘--output’). コマンドラインで指定されたファイル(ファイルが指定されていない場合は標準入力)を復号し、標準出力(もしくは「--output」で指定されたファイル)に書き込みます。 // If the decrypted file is signed, the signature is also verified. 復号化されたファイルが署名されている場合、その署名も検証されます。 // This command differs from the default operation, as it never writes to the filename which is included in the file and it rejects files that don’t begin with an encrypted message. このコマンドは、デフォルトの動作と異なり、ファイルに含まれるファイル名には書き込まず、暗号化されたメッセージで始まらないファイルを拒否します。 : --verify | Assume that the first argument is a signed file and verify it without generating any output. With no arguments, the signature packet is read from STDIN. If only one argument is given, the specified file is expected to include a complete signature. With more than one argument, the first argument should specify a file with a detached signature and the remaining files should contain the signed data. To read the signed data from STDIN, use ‘-’ as the second filename. For security reasons, a detached signature will not read the signed material from STDIN if not explicitly specified. Note: If the option ‘--batch’ is not used, gpg may assume that a single argument is a file with a detached signature, and it will try to find a matching data file by stripping certain suffixes. Using this historical feature to verify a detached signature is strongly discouraged; you should always specify the data file explicitly. Note: When verifying a cleartext signature, gpg verifies only what makes up the cleartext signed data and not any extra data outside of the cleartext signature or the header lines directly following the dash marker line. The option --output may be used to write out the actual signed data, but there are other pitfalls with this format as well. It is suggested to avoid cleartext signatures in favor of detached signatures. Note: Sometimes the use of the gpgv tool is easier than using the full-fledged gpg with this option. gpgv is designed to compare signed data against a list of trusted keys and returns with success only for a good signature. It has its own manual page. : --multifile | This modifies certain other commands to accept multiple files for processing on the command line or read from STDIN with each filename on a separate line. This allows for many files to be processed at once. ‘--multifile’ may currently be used along with ‘--verify’, ‘--encrypt’, and ‘--decrypt’. Note that ‘--multifile --verify’ may not be used with detached signatures. : --verify-files | Identical to ‘--multifile --verify’. : --encrypt-files | Identical to ‘--multifile --encrypt’. : --decrypt-files | Identical to ‘--multifile --decrypt’. : --list-keys &br; -k &br; --list-public-keys | List the specified keys. If no keys are specified, then all keys from the configured public keyrings are listed. Never use the output of this command in scripts or other programs. The output is intended only for humans and its format is likely to change. The ‘--with-colons’ option emits the output in a stable, machine-parseable format, which is intended for use by scripts and other programs. : --list-secret-keys &br; -K | List the specified secret keys. If no keys are specified, then all known secret keys are listed. A # after the initial tags sec or ssb means that the secret key or subkey is currently not usable. We also say that this key has been taken offline (for example, a primary key can be taken offline by exporting the key using the command ‘--export-secret-subkeys’). A > after these tags indicate that the key is stored on a smartcard. See also ‘--list-keys’. : --check-signatures &br; --check-sigs | Same as ‘--list-keys’, but the key signatures are verified and listed too. Note that for performance reasons the revocation status of a signing key is not shown. This command has the same effect as using ‘--list-keys’ with ‘--with-sig-check’. The status of the verification is indicated by a flag directly following the "sig" tag (and thus before the flags described below. A "!" indicates that the signature has been successfully verified, a "-" denotes a bad signature and a "%" is used if an error occurred while checking the signature (e.g. a non supported algorithm). Signatures where the public key is not available are not listed; to see their keyids the command ‘--list-sigs’ can be used. For each signature listed, there are several flags in between the signature status flag and keyid. These flags give additional information about each key signature. From left to right, they are the numbers 1-3 for certificate check level (see ‘--ask-cert-level’), "L" for a local or non-exportable signature (see ‘--lsign-key’), "R" for a nonRevocable signature (see the ‘--edit-key’ command "nrsign"), "P" for a signature that contains a policy URL (see ‘--cert-policy-url’), "N" for a signature that contains a notation (see ‘--cert-notation’), "X" for an eXpired signature (see ‘--ask-cert-expire’), and the numbers 1-9 or "T" for 10 and above to indicate trust signature levels (see the ‘--edit-key’ command "tsign"). : --locate-keys &br; --locate-external-keys | Locate the keys given as arguments. This command basically uses the same algorithm as used when locating keys for encryption and may thus be used to see what keys gpg might use. In particular external methods as defined by ‘--auto-key-locate’ are used to locate a key if the arguments comain valid mail addresses. Only public keys are listed. The variant ‘--locate-external-keys’ does not consider a locally existing key and can thus be used to force the refresh of a key via the defined external methods. If a fingerprint is given and and the methods defined by –auto-keylocate define LDAP servers, the key is fetched from these resources; defined non-LDAP keyservers are skipped. : --show-keys | This commands takes OpenPGP keys as input and prints information about them in the same way the command ‘--list-keys’ does for locally stored key. In addition the list options show-unusable-uids, show-unusable-subkeys, show-notations and show-policy-urls are also enabled. As usual for automated processing, this command should be combined with the option ‘--with-colons’. : --fingerprint | List all keys (or the specified ones) along with their fingerprints. This is the same output as ‘--list-keys’ but with the additional output of a line with the fingerprint. May also be combined with ‘--check-signatures’. If this command is given twice, the fingerprints of all secondary keys are listed too. This command also forces pretty printing of fingerprints if the keyid format has been set to "none". : --list-packets | List only the sequence of packets. This command is only useful for debugging. When used with option ‘--verbose’ the actual MPI values are dumped and not only their lengths. Note that the output of this command may change with new releases. : --edit-card &br; --card-edit | Present a menu to work with a smartcard. The subcommand "help" provides an overview on available commands. For a detailed description, please see the Card HOWTO at https://gnupg.org/documentation/howtos.html#GnuPGcardHOWTO. : --card-status | Show the content of the smart card. : --change-pin | Present a menu to allow changing the PIN of a smartcard. This functionality is also available as the subcommand "passwd" with the ‘--edit-card’ command. : --delete-keys name | Remove key from the public keyring. In batch mode either ‘--yes’ is required or the key must be specified by fingerprint. This is a safeguard against accidental deletion of multiple keys. If the exclamation mark syntax is used with the fingerprint of a subkey only that subkey is deleted; if the exclamation mark is used with the fingerprint of the primary key the entire public key is deleted. : --delete-secret-keys name | Remove key from the secret keyring. In batch mode the key must be specified by fingerprint. The option ‘--yes’ can be used to advise gpg-agent not to request a confirmation. This extra pre-caution is done because gpg can’t be sure that the secret key (as controlled by gpg-agent) is only used for the given OpenPGP public key. If the exclamation mark syntax is used with the fingerprint of a subkey only the secret part of that subkey is deleted; if the exclamation mark is used with the fingerprint of the primary key only the secret part of the primary key is deleted. : --delete-secret-and-public-key name | Same as ‘--delete-key’, but if a secret key exists, it will be removed first. In batch mode the key must be specified by fingerprint. The option ‘--yes’ can be used to advise gpg-agent not to request a confirmation. : --export | Either export all keys from all keyrings (default keyring and those registered via option ‘--keyring’), or if at least one name is given, those of the given name. The exported keys are written to STDOUT or to the file given with option ‘--output’. Use together with ‘--armor’ to mail those keys. : --send-keys keyIDs | Similar to ‘--export’ but sends the keys to a keyserver. Fingerprints may be used instead of key IDs. Don’t send your complete keyring to a keyserver — select only those keys which are new or changed by you. If no keyIDs are given, gpg does nothing. Take care: Keyservers are by design write only systems and thus it is not possible to ever delete keys once they have been send to a keyserver. : --export-secret-keys &br; --export-secret-subkeys | Same as ‘--export’, but exports the secret keys instead. The exported keys are written to STDOUT or to the file given with option ‘--output’. This command is often used along with the option ‘--armor’ to allow for easy printing of the key for paper backup; however the external tool paperkey does a better job of creating backups on paper. Note that exporting a secret key can be a security risk if the exported keys are sent over an insecure channel. The second form of the command has the special property to render the secret part of the primary key useless; this is a GNU extension to OpenPGP and other implementations can not be expected to successfully import such a key. Its intended use is in generating a full key with an additional signing subkey on a dedicated machine. This command then exports the key without the primary key to the main machine. GnuPG may ask you to enter the passphrase for the key. This is required, because the internal protection method of the secret key is different from the one specified by the OpenPGP protocol. : --export-ssh-key | This command is used to export a key in the OpenSSH public key format. It requires the specification of one key by the usual means and exports the latest valid subkey which has an authentication capability to STDOUT or to the file given with option ‘--output’. That output can directly be added to ssh’s ‘authorized_key’ file. By specifying the key to export using a key ID or a fingerprint suffixed with an exclamation mark (!), a specific subkey or the primary key can be exported. This does not even require that the key has the authentication capability flag set. : --import &br; --fast-import | Import/merge keys. This adds the given keys to the keyring. The fast version is currently just a synonym. There are a few other options which control how this command works. Most notable here is the ‘--import-options merge-only’ option which does not insert new keys but does only the merging of new signatures, user-IDs and subkeys. : --receive-keys keyIDs & br; --recv-keys keyIDs | Import the keys with the given keyIDs from a keyserver. : --refresh-keys | Request updates from a keyserver for keys that already exist on the local keyring. This is useful for updating a key with the latest signatures, user IDs, etc. Calling this with no arguments will refresh the entire keyring. : --search-keys names | Search the keyserver for the given names. Multiple names given here will be joined together to create the search string for the keyserver. Note that keyservers search for names in a different and simpler way than gpg does. The best choice is to use a mail address. Due to data privacy reasons keyservers may even not even allow searching by user id or mail address and thus may only return results when being used with the ‘--recv-key’ command to search by key fingerprint or keyid. : --fetch-keys URIs | Retrieve keys located at the specified URIs. Note that different installations of GnuPG may support different protocols (HTTP, FTP, LDAP, etc.). When using HTTPS the system provided root certificates are used by this command. : --update-trustdb | Do trust database maintenance. This command iterates over all keys and builds the Web of Trust. This is an interactive command because it may have to ask for the "ownertrust" values for keys. The user has to give an estimation of how far she trusts the owner of the displayed key to correctly certify (sign) other keys. GnuPG only asks for the ownertrust value if it has not yet been assigned to a key. Using the ‘--edit-key’ menu, the assigned value can be changed at any time. : --check-trustdb | Do trust database maintenance without user interaction. From time to time the trust database must be updated so that expired keys or signatures and the resulting changes in the Web of Trust can be tracked. Normally, GnuPG will calculate when this is required and do it automatically unless ‘--no-auto-check-trustdb’ is set. This command can be used to force a trust database check at any time. The processing is identical to that of ‘--update-trustdb’ but it skips keys with a not yet defined "ownertrust". For use with cron jobs, this command can be used together with ‘--batch’ in which case the trust database check is done only if a check is needed. To force a run even in batch mode add the option ‘--yes’. : --export-ownertrust | Send the ownertrust values to STDOUT. This is useful for backup purposes as these values are the only ones which can’t be re-created from a corrupted trustdb. Example: gpg --export-ownertrust > otrust.txt : --import-ownertrust | Update the trustdb with the ownertrust values stored in files (or STDIN if not given); existing values will be overwritten. In case of a severely damaged trustdb and if you have a recent backup of the ownertrust values (e.g. in the file ‘otrust.txt’), you may re-create the trustdb using these commands: cd ~/.gnupg rm trustdb.gpg gpg --import-ownertrust < otrust.txt : --rebuild-keydb-caches | When updating from version 1.0.6 to 1.0.7 this command should be used to create signature caches in the keyring. It might be handy in other situations too. : --print-md algo &br; --print-mds | Print message digest of algorithm algo for all given files or STDIN. With the second form (or a deprecated "*" for algo) digests for all available algorithms are printed. : --gen-random 0/1/2 count | Emit count random bytes of the given quality level 0, 1 or 2. If count is not given or zero, an endless sequence of random bytes will be emitted. If used with ‘--armor’ the output will be base64 encoded. PLEASE, don’t use this command unless you know what you are doing; it may remove precious entropy from the system! : --gen-prime mode bits | Use the source, Luke :-). The output format is subject to change with ant release. : --enarmor &br; --dearmor | Pack or unpack an arbitrary input into/from an OpenPGP ASCII armor. This is a GnuPG extension to OpenPGP and in general not very useful. : --unwrap | This command is similar to ‘--decrypt’ with the change that the output is not the usual plaintext but the original message with the decryption layer removed. Thus the output will be an OpenPGP data structure which often means a signed OpenPGP message. Note that this command may or may not remove a compression layer which is often found beneath the encryption layer. : --tofu-policy {auto/good/unknown/bad/ask} keys | Set the TOFU policy for all the bindings associated with the specified keys. For more information about the meaning of the policies, see [trust-model-tofu], page 59. The keys may be specified either by their fingerprint (preferred) or their keyid. *** 4.1.3 How to manage your keys This section explains the main commands for key management. : --quick-generate-key user-id [algo [usage [expire]]] &br; --quick-gen-key | This is a simple command to generate a standard key with one user id. In contrast to ‘--generate-key’ the key is generated directly without the need to answer a bunch of prompts. Unless the option ‘--yes’ is given, the key creation will be canceled if the given user id already exists in the keyring. If invoked directly on the console without any special options an answer to a “Continue?” style confirmation prompt is required. In case the user id already exists in the keyring a second prompt to force the creation of the key will show up. If algo or usage are given, only the primary key is created and no prompts are shown. To specify an expiration date but still create a primary and subkey use “default” or “future-default” for algo and “default” for usage. For a description of these optional arguments see the command --quick-add-key. The usage accepts also the value “cert” which can be used to create a certification only primary key; the default is to a create certification and signing key. The expire argument can be used to specify an expiration date for the key. Several formats are supported; commonly the ISO formats “YYYY-MM-DD” or “YYYYMMDDThhmmss” are used. To make the key expire in N seconds, N days, N weeks, N months, or N years use “seconds=N”, “Nd”, “Nw”, “Nm”, or “Ny” respectively. Not specifying a value, or using “-” results in a key expiring in a reasonable default interval. The values “never”, “none” can be used for no expiration date. If this command is used with ‘--batch’, ‘--pinentry-mode’ has been set to loopback, and one of the passphrase options (‘--passphrase’, ‘--passphrase-fd’, or ‘--passphrase-file’) is used, the supplied passphrase is used for the new key and the agent does not ask for it. To create a key without any protection --passphrase ’’ may be used. To create an OpenPGP key from the keys available on the currently inserted smartcard, the special string “card” can be used for algo. If the card features an encryption and a signing key, gpg will figure them out and creates an OpenPGP key consisting of the usual primary key and one subkey. This works only with certain smartcards. Note that the interactive ‘--full-gen-key’ command allows to do the same but with greater flexibility in the selection of the smartcard keys. Note that it is possible to create a primary key and a subkey using non-default algorithms by using “default” and changing the default parameters using the option ‘--default-new-key-algo’. : --quick-set-expire fpr expire [*/subfprs] | With two arguments given, directly set the expiration time of the primary key identified by fpr to expire. To remove the expiration time 0 can be used. With three arguments and the third given as an asterisk, the expiration time of all non-revoked and not yet expired subkeys are set to expire. With more than two arguments and a list of fingerprints given for subfprs, all non-revoked subkeys matching these fingerprints are set to expire. : --quick-add-key fpr [algo [usage [expire]]] | Directly add a subkey to the key identified by the fingerprint fpr. Without the optional arguments an encryption subkey is added. If any of the arguments are given a more specific subkey is added. algo may be any of the supported algorithms or curve names given in the format as used by key listings. To use the default algorithm the string “default” or “-” can be used. Supported algorithms are “rsa”, “dsa”, “elg”, “ed25519”, “cv25519”, and other ECC curves. For example the string “rsa” adds an RSA key with the default key length; a string “rsa4096” requests that the key length is 4096 bits. The string “future-default” is an alias for the algorithm which will likely be used as default algorithm in future versions of gpg. To list the supported ECC curves the command gpg --with-colons --list-config curve can be used. Depending on the given algo the subkey may either be an encryption subkey or a signing subkey. If an algorithm is capable of signing and encryption and such a subkey is desired, a usage string must be given. This string is either “default” or “-” to keep the default or a comma delimited list (or space delimited list) of keywords: “sign” for a signing subkey, “auth” for an authentication subkey, and “encr” for an encryption subkey (“encrypt” can be used as alias for “encr”). The valid combinations depend on the algorithm. The expire argument can be used to specify an expiration date for the key. Several formats are supported; commonly the ISO formats “YYYY-MM-DD” or “YYYYMMDDThhmmss” are used. To make the key expire in N seconds, N days, N weeks, N months, or N years use “seconds=N”, “Nd”, “Nw”, “Nm”, or “Ny” respectively. Not specifying a value, or using “-” results in a key expiring in a reasonable default interval. The values “never”, “none” can be used for no expiration date. : --generate-key &br; --gen-key | Generate a new key pair using the current default parameters. This is the standard command to create a new key. In addition to the key a revocation certificate is created and stored in the ‘openpgp-revocs.d’ directory below the GnuPG home directory. : --full-generate-key &br; --full-gen-key | Generate a new key pair with dialogs for all options. This is an extended version of ‘--generate-key’. There is also a feature which allows you to create keys in batch mode. See the manual section “Unattended key generation” on how to use this. : --generate-revocation name &br; --gen-revoke name | Generate a revocation certificate for the complete key. To only revoke a subkey or a key signature, use the ‘--edit’ command. This command merely creates the revocation certificate so that it can be used to revoke the key if that is ever needed. To actually revoke a key the created revocation certificate needs to be merged with the key to revoke. This is done by importing the revocation certificate using the ‘--import’ command. Then the revoked key needs to be published, which is best done by sending the key to a keyserver (command ‘--send-key’) and by exporting (‘--export’) it to a file which is then send to frequent communication partners. : --generate-designated-revocation name &br; --desig-revoke name | Generate a designated revocation certificate for a key. This allows a user (with the permission of the keyholder) to revoke someone else’s key. : --edit-key | Present a menu which enables you to do most of the key management related tasks. It expects the specification of a key on the command line. :: uid n | Toggle selection of user ID or photographic user ID with index n. Use * to select all and 0 to deselect all. :: key n | Toggle selection of subkey with index n or key ID n. Use * to select all and 0 to deselect all. :: sign | Make a signature on key of user name. If the key is not yet signed by the default user (or the users given with ‘-u’), the program displays the information of the key again, together with its fingerprint and asks whether it should be signed. This question is repeated for all users specified with ‘-u’. :: lsign | Same as "sign" but the signature is marked as non-exportable and will therefore never be used by others. This may be used to make keys valid only in the local environment. :: nrsign | Same as "sign" but the signature is marked as non-revocable and can therefore never be revoked. :: tsign | Make a trust signature. This is a signature that combines the notions of certification (like a regular signature), and trust (like the "trust" command). It is generally only useful in distinct communities or groups. For more information please read the sections “Trust Signature” and “Regular Expression” in RFC-4880. :|Note that "l" (for local / non-exportable), "nr" (for non-revocable, and "t" (for trust) may be freely mixed and prefixed to "sign" to create a signature of any type desired. If the option ‘--only-sign-text-ids’ is specified, then any non-text based user ids (e.g., photo IDs) will not be selected for signing. :: delsig | Delete a signature. Note that it is not possible to retract a signature, once it has been send to the public (i.e. to a keyserver). In that case you better use revsig. :: revsig | Revoke a signature. For every signature which has been generated by one of the secret keys, GnuPG asks whether a revocation certificate should be generated. :: check | Check the signatures on all selected user IDs. With the extra option selfsig only self-signatures are shown. :: adduid | Create an additional user ID. :: addphoto | Create a photographic user ID. This will prompt for a JPEG file that will be embedded into the user ID. Note that a very large JPEG will make for a very large key. Also note that some programs will display your JPEG unchanged (GnuPG), and some programs will scale it to fit in a dialog box (PGP). :: showphoto | Display the selected photographic user ID. :: deluid | Delete a user ID or photographic user ID. Note that it is not possible to retract a user id, once it has been send to the public (i.e. to a keyserver). In that case you better use revuid. :: revuid | Revoke a user ID or photographic user ID. :: primary | Flag the current user id as the primary one, removes the primary user id flag from all other user ids and sets the timestamp of all affected self-signatures one second ahead. Note that setting a photo user ID as primary makes it primary over other photo user IDs, and setting a regular user ID as primary makes it primary over other regular user IDs. :: keyserver | Set a preferred keyserver for the specified user ID(s). This allows other users to know where you prefer they get your key from. See ‘--keyserver-options honor-keyserver-url’ for more on how this works. Setting a value of "none" removes an existing preferred keyserver. :: notation | Set a name=value notation for the specified user ID(s). See ‘--cert-notation’ for more on how this works. Setting a value of "none" removes all notations, setting a notation prefixed with a minus sign (-) removes that notation, and setting a notation name (without the =value) prefixed with a minus sign removes all notations with that name. :: pref | List preferences from the selected user ID. This shows the actual preferences, without including any implied preferences. :: showpref | More verbose preferences listing for the selected user ID. This shows the preferences in effect by including the implied preferences of 3DES (cipher), SHA-1 (digest), and Uncompressed (compression) if they are not already included in the preference list. In addition, the preferred keyserver and signature notations (if any) are shown. :: setpref string | Set the list of user ID preferences to string for all (or just the selected) user IDs. Calling setpref with no arguments sets the preference list to the default (either built-in or set via ‘--default-preference-list’), and calling setpref with "none" as the argument sets an empty preference list. Use gpg--version to get a list of available algorithms. Note that while you can change the preferences on an attribute user ID (aka "photo ID"), GnuPG does not select keys via attribute user IDs so these preferences will not be used by GnuPG. When setting preferences, you should list the algorithms in the order which you’d like to see them used by someone else when encrypting a message to your key. If you don’t include 3DES, it will be automatically added at the end. Note that there are many factors that go into choosing an algorithm (for example, your key may not be the only recipient), and so the remote OpenPGP application being used to send to you may or may not follow your exact chosen order for a given message. It will, however, only choose an algorithm that is present on the preference list of every recipient key. See also the INTEROPERABILITY WITH OTHER OPENPGP PROGRAMS section below. :: addkey | Add a subkey to this key. :: addcardkey | Generate a subkey on a card and add it to this key. :: keytocard | Transfer the selected secret subkey (or the primary key if no subkey has been selected) to a smartcard. The secret key in the keyring will be replaced by a stub if the key could be stored successfully on the card and you use the save command later. Only certain key types may be transferred to the card. A sub menu allows you to select on what card to store the key. Note that it is not possible to get that key back from the card - if the card gets broken your secret key will be lost unless you have a backup somewhere. :: bkuptocard file | Restore the given file to a card. This command may be used to restore a backup key (as generated during card initialization) to a new card. In almost all cases this will be the encryption key. You should use this command only with the corresponding public key and make sure that the file given as argument is indeed the backup to restore. You should then select 2 to restore as encryption key. You will first be asked to enter the passphrase of the backup key and then for the Admin PIN of the card. :: keytotpm | Transfer the selected secret subkey (or the primary key if no subkey has been selected) to TPM form. The secret key in the keyring will be replaced by the TPM representation of that key, which can only be read by the particular TPM that created it (so the keyfile now becomes locked to the laptop containing the TPM). Only certain key types may be transferred to the TPM (all TPM 2.0 systems are mandated to have the rsa2048 and nistp256 algorithms but newer TPMs may have more). Note that the key itself is not transferred into the TPM, merely encrypted by the TPM in-place, so if the keyfile is deleted, the key will be lost. Once transferred to TPM representation, the key file can never be converted back to non- TPM form and the key will die when the TPM does, so you should first have a backup on secure offline storage of the actual secret key file before conversion. It is essential to use the physical system TPM that you have rw permission on the TPM resource manager device (/dev/tpmrm0). Usually this means you must be a member of the tss group. :: delkey | Remove a subkey (secondary key). Note that it is not possible to retract a subkey, once it has been send to the public (i.e. to a keyserver). In that case you better use revkey. Also note that this only deletes the public part of a key. :: revkey | Revoke a subkey. :: expire | Change the key or subkey expiration time. If a subkey is selected, the expiration time of this subkey will be changed. With no selection, the key expiration of the primary key is changed. :: trust | Change the owner trust value for the key. This updates the trust-db immediately and no save is required. :: disable &br; enable | Disable or enable an entire key. A disabled key can not normally be used for encryption. :: addrevoker | Add a designated revoker to the key. This takes one optional argument: "sensitive". If a designated revoker is marked as sensitive, it will not be exported by default (see export-options). :: passwd | Change the passphrase of the secret key. :: toggle | This is dummy command which exists only for backward compatibility. :: clean | Compact (by removing all signatures except the selfsig) any user ID that is no longer usable (e.g. revoked, or expired). Then, remove any signatures that are not usable by the trust calculations. Specifically, this removes any signature that does not validate, any signature that is superseded by a later signature, revoked signatures, and signatures issued by keys that are not present on the keyring. :: minimize | Make the key as small as possible. This removes all signatures from each user ID except for the most recent self-signature. :: change-usage | Change the usage flags (capabilities) of the primary key or of subkeys. These usage flags (e.g. Certify, Sign, Authenticate, Encrypt) are set during key creation. Sometimes it is useful to have the opportunity to change them (for example to add Authenticate) after they have been created. Please take care when doing this; the allowed usage flags depend on the key algorithm. :: cross-certify | Add cross-certification signatures to signing subkeys that may not currently have them. Cross-certification signatures protect against a subtle attack against signing subkeys. See ‘--require-cross-certification’. All new keys generated have this signature by default, so this command is only useful to bring older keys up to date. :: save | Save all changes to the keyring and quit. :: quit | Quit the program without updating the keyring. :|The listing shows you the key with its secondary keys and all user IDs. The primary user ID is indicated by a dot, and selected keys or user IDs are indicated by an asterisk. The trust value is displayed with the primary key: "trust" is the assigned owner trust and "validity" is the calculated validity of the key. Validity values are also displayed for all user IDs. For possible values of trust, see [trust-values], page 137. : --sign-key name | Signs a public key with your secret key. This is a shortcut version of the subcommand "sign" from ‘--edit-key’. : --lsign-key name | Signs a public key with your secret key but marks it as non-exportable. This is a shortcut version of the subcommand "lsign" from ‘--edit-key’. : --quick-sign-key fpr [names] &br; --quick-lsign-key fpr [names] | Directly sign a key from the passphrase without any further user interaction. The fpr must be the verified primary fingerprint of a key in the local keyring. If no names are given, all useful user ids are signed; with given [names] only useful user ids matching one of these names are signed. By default, or if a name is prefixed with a ’*’, a case insensitive substring match is used. If a name is prefixed with a ’=’ a case sensitive exact match is done. The command ‘--quick-lsign-key’ marks the signatures as non-exportable. If such a non-exportable signature already exists the ‘--quick-sign-key’ turns it into a exportable signature. If you need to update an existing signature, for example to add or change notation data, you need to use the option ‘--force-sign-key’. This command uses reasonable defaults and thus does not provide the full flexibility of the "sign" subcommand from ‘--edit-key’. Its intended use is to help unattended key signing by utilizing a list of verified fingerprints. : --quick-add-uid user-id new-user-id | This command adds a new user id to an existing key. In contrast to the interactive sub-command adduid of ‘--edit-key’ the new-user-id is added verbatim with only leading and trailing white space removed, it is expected to be UTF-8 encoded, and no checks on its form are applied. : --quick-revoke-uid user-id user-id-to-revoke | This command revokes a user ID on an existing key. It cannot be used to revoke the last user ID on key (some non-revoked user ID must remain), with revocation reason “User ID is no longer valid”. If you want to specify a different revocation reason, or to supply supplementary revocation text, you should use the interactive sub-command revuid of ‘--edit-key’. : --quick-revoke-sig fpr signing-fpr [names] | This command revokes the key signatures made by signing-fpr from the key specified by the fingerprint fpr. With names given only the signatures on user ids of the key matching any of the given names are affected (see ‘--quick-sign-key’). If a revocation already exists a notice is printed instead of creating a new revocation; no error is returned in this case. Note that key signature revocations may be superseded by a newer key signature and in turn again revoked. : --quick-set-primary-uid user-id primary-user-id | This command sets or updates the primary user ID flag on an existing key. user-id specifies the key and primary-user-id the user ID which shall be flagged as the primary user ID. The primary user ID flag is removed from all other user ids and the timestamp of all affected self-signatures is set one second ahead. : --change-passphrase user-id &br; --passwd user-id | Change the passphrase of the secret key belonging to the certificate specified as user-id. This is a shortcut for the sub-command passwd of the ‘--edit-key’ menu. When using together with the option ‘--dry-run’ this will not actually change the passphrase but check that the current passphrase is correct. ** 4.2 Option Summary gpg features a bunch of options to control the exact behaviour and to change the default configuration. Long options can be put in an options file (default "~/.gnupg/gpg.conf"). Short option names will not work - for example, "armor" is a valid option for the options file, while "a" is not. Do not write the 2 dashes, but simply the name of the option and any required arguments. Lines with a hash (’#’) as the first non-white-space character are ignored. Commands may be put in this file too, but that is not generally useful as the command will execute automatically with every execution of gpg. Please remember that option parsing stops as soon as a non-option is encountered, you can explicitly stop parsing by using the special option ‘--’. *** 4.2.1 How to change the configuration *** 4.2.2 Key related options *** 4.2.3 Input and Output *** 4.2.4 OpenPGP protocol specific options *** 4.2.5 Compliance options *** 4.2.6 Doing things one usually doesn’t want to do *** 4.2.7 Deprecated options
