author  Werner Koch <wk@gnupg.org>  2002-07-01 10:52:37 +0200
committer  Werner Koch <wk@gnupg.org>  2002-07-01 10:52:37 +0200
commit  abcd9ea5db1ae9c3d88053127fc7a2d5d798c2d5 (patch)
tree  1fbde10c212b2684283c3dde750b84a71242d21f /doc
parent  * Makefile.am: Due to problems with VPATH builds we don't try to (diff)
Better keep it in the CVS
Diffstat (limited to 'doc')
-rw-r--r--  doc/gpg.texi  1427
1 files changed, 1427 insertions, 0 deletions
diff --git a/doc/gpg.texi b/doc/gpg.texi
new file mode 100644
index 000000000..8adcc7bf7
--- /dev/null
+++ b/doc/gpg.texi
@@ -0,0 +1,1427 @@
+\input texinfo
+@c This Texinfo document has been automatically generated by
+@c docbook2texi from a DocBook documentation. The tool used
+@c can be found at:
+@c <URL:http://shell.ipoline.com/~elmert/hacks/docbook2X/>
+@c Please send any bug reports, improvements, comments,
+@c patches, etc. to Steve Cheng <steve@ggi-project.org>.
+
+@setfilename gpg.info
+@dircategory GnuPG
+@direntry
+* gpg: (gpg). GnuPG encryption and signing tool.
+@end direntry
+
+@node top
+@top gpg
+@menu
+@end menu
+
+@majorheading Name
+gpg ---- encryption and signing tool
+
+@majorheading Synopsis
+
+@majorheading DESCRIPTION
+@code{gpg} is the main program for the GnuPG system.
+
+This man page only lists the commands and options available.
+For more verbose documentation get the GNU Privacy Handbook (GPH) or
+one of the other documents at http://www.gnupg.org/docs.html .
+
+Please remember that option parsing stops as soon as a non option is
+encountered, you can explicitly stop option parsing by using the
+special option "---".
+
+@majorheading COMMANDS
+@code{gpg} recognizes these commands:
+
+@table @asis
+@item -s, ---sign
+Make a signature. This command may be combined
+with ---encrypt.
+
+@item ---clearsign
+Make a clear text signature.
+
+@item -b, ---detach-sign
+Make a detached signature.
+
+@item -e, ---encrypt
+Encrypt data. This option may be combined with ---sign.
+
+@item -c, ---symmetric
+Encrypt with symmetric cipher only.
+This command asks for a passphrase.
+
+@item ---store
+Store only (make a simple RFC1991 packet).
+
+@item ---decrypt @code{file}
+Decrypt @code{file} (or stdin if no file is specified) and
+write it to stdout (or the file specified with
+---output). If the decrypted file is signed, the
+signature is also verified. This command differs
+from the default operation, as it never writes to the
+filename which is included in the file and it
+rejects files which don't begin with an encrypted
+message.
+
+@item ---verify @code{sigfile} @code{signed-files}
+Assume that @code{sigfile} is a signature and verify it
+without generating any output. With no arguments,
+the signature packet is read from stdin. If
+only a sigfile is given, it may be a complete
+signature or a detached signature, in which case
+the signed stuff is expected in a file without the
+".sig" or ".asc" extension.
+With more than
+1 argument, the first should be a detached signature
+and the remaining files are the signed stuff. To read the signed
+stuff from stdin, use @samp{-} as the second filename.
+For security reasons a detached signature cannot read the signed
+material from stdin without denoting it in the above way.
+
+@item ---verify-files @code{files}
+This is a special version of the ---verify command which does not work with
+detached signatures. The command expects the files to be verified either
+on the command line or reads the filenames from stdin; each name must be on
+separate line. The command is intended for quick checking of many files.
+
+@item ---encrypt-files @code{files}
+This is a special version of the ---encrypt command. The command expects
+the files to be encrypted either on the command line or reads the filenames
+from stdin; each name must be on separate line. The command is intended
+for a quick encryption of multiple files.
+
+@item ---decrypt-files @code{files}
+The same as ---encrypt-files with the difference that files will be
+decrypted. The syntax or the filenames is the same.
+
+@item ---list-keys @code{names}
+@itemx ---list-public-keys @code{names}
+List all keys from the public keyrings, or just the
+ones given on the command line.
+
+@item ---list-secret-keys @code{names}
+List all keys from the secret keyrings, or just the
+ones given on the command line.
+
+@item ---list-sigs @code{names}
+Same as ---list-keys, but the signatures are listed too.
+
+@item ---check-sigs @code{names}
+Same as ---list-sigs, but the signatures are verified.
+
+@item ---fingerprint @code{names}
+List all keys with their fingerprints. This is the
+same output as ---list-keys but with the additional output
+of a line with the fingerprint. May also be combined
+with ---list-sigs or --check-sigs.
+If this command is given twice, the fingerprints of all
+secondary keys are listed too.
+
+@item ---list-packets
+List only the sequence of packets. This is mainly
+useful for debugging.
+
+@item ---gen-key
+Generate a new key pair. This command is normally only used
+interactively.
+
+There is an experimental feature which allows you to create keys
+in batch mode. See the file @file{doc/DETAILS}
+in the source distribution on how to use this.
+
+@item ---edit-key @code{name}
+Present a menu which enables you to do all key
+related tasks:
+
+@table @asis
+@item sign
+Make a signature on key of user @code{name}
+If the key is not yet signed by the default
+user (or the users given with -u), the
+program displays the information of the key
+again, together with its fingerprint and
+asks whether it should be signed. This
+question is repeated for all users specified
+with -u.
+
+@item lsign
+Same as ---sign but the signature is marked as
+non-exportable and will therefore never be used
+by others. This may be used to make keys valid
+only in the local environment.
+
+@item nrsign
+Same as ---sign but the signature is marked as non-revocable and can
+therefore never be revoked.
+
+@item nrlsign
+Combines the functionality of nrsign and lsign to make a signature
+that is both non-revocable and
+non-exportable.
+
+@item revsig
+Revoke a signature. GnuPG asks for every
+signature which has been done by one of
+the secret keys, whether a revocation
+certificate should be generated.
+
+@item trust
+Change the owner trust value. This updates the
+trust-db immediately and no save is required.
+
+@item disable
+@itemx enable
+Disable or enable an entire key. A disabled key can normally not be used
+for encryption.
+
+@item adduid
+Create an alternate user id.
+
+@item addphoto
+Create a photographic user id.
+
+@item deluid
+Delete a user id.
+
+@item addkey
+Add a subkey to this key.
+
+@item delkey
+Remove a subkey.
+
+@item addrevoker
+Add a designated revoker.
+
+@item revkey
+Revoke a subkey.
+
+@item expire
+Change the key expiration time. If a key is
+selected, the time of this key will be changed.
+With no selection the key expiration of the
+primary key is changed.
+
+@item passwd
+Change the passphrase of the secret key.
+
+@item primary
+Flag the current user id as the primary one, removes the primary user
+id flag from all other user ids and sets the timestamp of all affected
+self-signatures one second ahead. Note that setting a photo user ID
+as primary makes it primary over other photo user IDs, and setting a
+regular user ID as primary makes it primary over other regular user
+IDs.
+
+@item uid @code{n}
+Toggle selection of user id with index @code{n}.
+Use 0 to deselect all.
+
+@item key @code{n}
+Toggle selection of subkey with index @code{n}.
+Use 0 to deselect all.
+
+@item check
+Check all selected user ids.
+
+@item showphoto
+Display the selected photographic user
+id.
+
+@item pref
+List preferences.
+
+@item showpref
+More verbose preferences listing.
+
+@item setpref @code{string}
+Set the list of user ID preferences to @code{string}, this should be
+a string similar to the one printed by "pref". Using an empty string
+will set the default preference string, using "none" will set the
+preferences to nil. Only available algorithms are allowed. This
+command just initializes an internal list and does not change anything
+unless another command which changes the self-signatures is used.
+
+@item updpref
+Change the preferences of all user IDs (or just of the selected ones
+to the current list of preferences. The timestamp of all affected
+self-signatures fill be advanced by one second.
+
+@item toggle
+Toggle between public and secret key listing.
+
+@item save
+Save all changes to the key rings and quit.
+
+@item quit
+Quit the program without updating the
+key rings.
+
+@end table
+
+The listing shows you the key with its secondary
+keys and all user ids. Selected keys or user ids
+are indicated by an asterisk. The trust value is
+displayed with the primary key: the first is the
+assigned owner trust and the second is the calculated
+trust value. Letters are used for the values:
+
+@table @asis
+@item -
+No ownertrust assigned / not yet calculated.
+
+@item e
+Trust
+calculation has failed; probably due to an expired key.
+
+@item q
+Not enough information for calculation.
+
+@item n
+Never trust this key.
+
+@item m
+Marginally trusted.
+
+@item f
+Fully trusted.
+
+@item u
+Ultimately trusted.
+
+@end table
+
+@item ---sign-key @code{name}
+Signs a public key with your secret key. This is a shortcut version of
+the subcommand "sign" from ---edit.
+
+@item ---lsign-key @code{name}
+Signs a public key with your secret key but marks it as
+non-exportable. This is a shortcut version of the subcommand "lsign"
+from ---edit.
+
+@item ---nrsign-key @code{name}
+Signs a public key with your secret key but marks it as non-revocable.
+This is a shortcut version of the subcommand "nrsign" from ---edit.
+
+@item ---delete-key @code{name}
+Remove key from the public keyring
+
+@item ---delete-secret-key @code{name}
+Remove key from the secret and public keyring
+
+@item ---delete-secret-and-public-key @code{name}
+Same as ---delete-key, but if a secret key exists, it will be removed first.
+
+@item ---gen-revoke
+Generate a revocation certificate for the complete key. To revoke
+a subkey or a signature, use the ---edit command.
+
+@item ---desig-revoke
+Generate a designated revocation certificate for a key. This allows a
+user (with the permission of the keyholder) to revoke someone elses
+key.
+
+@item ---export @code{names}
+Either export all keys from all keyrings (default
+keyrings and those registered via option ---keyring),
+or if at least one name is given, those of the given
+name. The new keyring is written to stdout or to
+the file given with option "output". Use together
+with ---armor to mail those keys.
+
+@item ---send-keys @code{names}
+Same as ---export but sends the keys to a keyserver.
+Option ---keyserver must be used to give the name
+of this keyserver. Don't send your complete keyring
+to a keyserver - select only those keys which are new
+or changed by you.
+
+@item ---export-all @code{names}
+Same as ---export, but also exports keys which
+are not compatible with OpenPGP.
+
+@item ---export-secret-keys @code{names}
+@itemx ---export-secret-subkeys @code{names}
+Same as ---export, but exports the secret keys instead.
+This is normally not very useful and a security risk.
+The second form of the command has the special property to
+render the secret part of the primary key useless; this is
+a GNU extension to OpenPGP and other implementations can
+not be expected to successfully import such a key.
+See the option ---simple-sk-checksum if you want to import such an
+exported key with an older OpenPGP implementation.
+
+@item ---import @code{files}
+@itemx ---fast-import @code{files}
+Import/merge keys. This adds the given keys to the
+keyring. The fast version is currently just a synonym.
+
+There are a few other options which control how this command works.
+Most notable here is the ---merge-only option which does not insert new keys
+but does only the merging of new signatures, user-IDs and subkeys.
+
+@item ---recv-keys @code{key IDs}
+Import the keys with the given key IDs from a keyserver. Option
+---keyserver must be used to give the name of this keyserver.
+
+@item ---search-keys @code{names}
+Search the keyserver for the given names. Multiple names given here
+will be joined together to create the search string for the keyserver.
+Option ---keyserver must be used to give the name of this keyserver.
+
+@item ---update-trustdb
+Do trust DB maintenance. This command goes over all keys and builds
+the Web-of-Trust. This is an interactive command because it may has to
+ask for the "ownertrust" values of keys. The user has to give an
+estimation in how far she trusts the owner of the displayed key to
+correctly certify (sign) other keys. It does only ask for that value
+if it has not yet been assigned to a key. Using the edit menu, that
+value can be changed at any time later.
+
+@item ---check-trustdb
+Do trust DB maintenance without user interaction. Form time to time
+the trust database must be updated so that expired keys and resulting
+changes in the Web-of-Trust can be tracked. GnuPG tries to figure
+when this is required and then does it implicitly; this command can be
+used to force such a check. The processing is identically to that of
+---update-trustdb but it skips keys with a not yet defined "ownertrust".
+
+For use with cron jobs, this command can be used together with ---batch
+in which case the check is only done when it is due. To force a run
+even in batch mode add the option ---yes.
+
+@item ---export-ownertrust @code{file}
+Store the ownertrust values into
+@code{file} (or stdin if not given). This is useful for backup
+purposes as these values are the only ones which can't be re-created
+from a corrupted trust DB.
+
+@item ---import-ownertrust @code{files}
+Update the trustdb with the ownertrust values stored
+in @code{files} (or stdin if not given); existing
+values will be overwritten.
+
+@item ---print-md @code{algo} @code{files}
+@itemx ---print-mds @code{files}
+Print message digest of algorithm ALGO for all given files or stdin.
+With the second form (or a deprecated "*" as algo) digests for all
+available algorithms are printed.
+
+@item ---gen-random @code{0|1|2} @code{count}
+Emit COUNT random bytes of the given quality level. If count is not given
+or zero, an endless sequence of random bytes will be emitted.
+PLEASE, don't use this command unless you know what you are doing; it may
+remove precious entropy from the system!
+
+@item ---gen-prime @code{mode} @code{bits} @code{qbits}
+Use the source, Luke :-). The output format is still subject to change.
+
+@item ---version
+Print version information along with a list
+of supported algorithms.
+
+@item ---warranty
+Print warranty information.
+
+@item -h, ---help
+Print usage information. This is a really long list even though it doesn't list
+all options.
+
+@end table
+
+@majorheading OPTIONS
+Long options can be put in an options file (default "~/.gnupg/options").
+Do not write the 2 dashes, but simply the name of the option and any
+required arguments. Lines with a hash as the first non-white-space
+character are ignored. Commands may be put in this file too, but that
+does not make sense.
+
+@code{gpg} recognizes these options:
+
+@table @asis
+@item -a, ---armor
+Create ASCII armored output.
+
+@item -o, ---output @code{file}
+Write output to @code{file}.
+
+@item -u, ---local-user @code{name}
+Use @code{name} as the user ID to sign.
+This option is silently ignored for the list commands,
+so that it can be used in an options file.
+
+@item ---default-key @code{name}
+Use @code{name} as default user ID for signatures. If this
+is not used the default user ID is the first user ID
+found in the secret keyring.
+
+@item -r, ---recipient @code{name}
+@itemx
+Encrypt for user id @code{name}. If this option is not
+specified, GnuPG asks for the user-id unless ---default-recipient is given
+
+@item ---default-recipient @code{name}
+Use @code{name} as default recipient if option ---recipient is not used and
+don't ask if this is a valid one. @code{name} must be non-empty.
+
+@item ---default-recipient-self
+Use the default key as default recipient if option ---recipient is not used and
+don't ask if this is a valid one. The default key is the first one from the
+secret keyring or the one set with ---default-key.
+
+@item ---no-default-recipient
+Reset ---default-recipient and --default-recipient-self.
+
+@item ---encrypt-to @code{name}
+Same as ---recipient but this one is intended for use
+in the options file and may be used with
+your own user-id as an "encrypt-to-self". These keys
+are only used when there are other recipients given
+either by use of ---recipient or by the asked user id.
+No trust checking is performed for these user ids and
+even disabled keys can be used.
+
+@item ---no-encrypt-to
+Disable the use of all ---encrypt-to keys.
+
+@item -v, ---verbose
+Give more information during processing. If used
+twice, the input data is listed in detail.
+
+@item -q, ---quiet
+Try to be as quiet as possible.
+
+@item -z @code{n}, ---compress @code{n}
+Set compression level to @code{n}. A value of 0 for @code{n}
+disables compression. Default is to use the default
+compression level of zlib (normally 6).
+
+@item -t, ---textmode
+Use canonical text mode. If -t (but not
+---textmode) is used together with armoring
+and signing, this enables clearsigned messages.
+This kludge is needed for PGP compatibility;
+normally you would use ---sign or --clearsign
+to selected the type of the signature.
+
+@item -n, ---dry-run
+Don't make any changes (this is not completely implemented).
+
+@item -i, ---interactive
+Prompt before overwriting any files.
+
+@item ---batch
+Use batch mode. Never ask, do not allow interactive
+commands.
+
+@item ---no-tty
+Make sure that the TTY (terminal) is never used for any output.
+This option is needed in some cases because GnuPG sometimes prints
+warnings to the TTY if ---batch is used.
+
+@item ---no-batch
+Disable batch mode. This may be of use if ---batch
+is enabled from an options file.
+
+@item ---yes
+Assume "yes" on most questions.
+
+@item ---no
+Assume "no" on most questions.
+
+@item ---default-cert-check-level @code{n}
+The default to use for the check level when signing a key.
+
+0 means you make no particular claim as to how carefully you verified
+the key.
+
+1 means you believe the key is owned by the person who claims to own
+it but you could not, or did not verify the key at all. This is
+useful for a "persona" verification, where you sign the key of a
+pseudonymous user.
+
+2 means you did casual verification of the key. For example, this
+could mean that you verified that the key fingerprint and checked the
+user ID on the key against a photo ID.
+
+3 means you did extensive verification of the key. For example, this
+could mean that you verified the key fingerprint with the owner of the
+key in person, and that you checked, by means of a hard to forge
+document with a photo ID (such as a passport) that the name of the key
+owner matches the name in the user ID on the key, and finally that you
+verified (by exchange of email) that the email address on the key
+belongs to the key owner.
+
+Note that the examples given above for levels 2 and 3 are just that:
+examples. In the end, it is up to you to decide just what "casual"
+and "extensive" mean to you.
+
+This option defaults to 0.
+
+@item ---trusted-key @code{long key ID}
+Assume that the specified key (which must be given
+as a full 8 byte key ID) is as trustworthy as one of
+your own secret keys. This option is useful if you
+don't want to keep your secret keys (or one of them)
+online but still want to be able to check the validity of a given
+recipient's or signator's key.
+
+@item ---always-trust
+Skip key validation and assume that used keys are always fully trusted.
+You won't use this unless you have installed some external validation
+scheme. This option also suppresses the "[uncertain]" tag printed
+with signature checks when there is no evidence that the user ID
+is bound to the key.
+
+@item ---keyserver @code{name}
+Use @code{name} as your keyserver. This is the server that ---recv-keys,
+---send-keys, and --search-keys will communicate with to receive keys
+from, send keys to, and search for keys on. The format of the
+@code{name} is a URI: `scheme:[//]keyservername[:port]' The scheme is
+the type of keyserver: "hkp" for the Horowitz (or compatible)
+keyservers, "ldap" for the NAI LDAP keyserver, or "mailto" for the
+Horowitz email keyserver. Note that your particular installation of
+GnuPG may have other keyserver types available as well.
+
+Most keyservers synchronize with each other, so there is generally no
+need to send keys to more than one server. Using the command "host -l
+pgp.net | grep wwwkeys" gives you a list of HKP keyservers. When
+using one of the wwwkeys servers, due to load balancing using
+round-robin DNS you may notice that you get a different key server
+each time.
+
+@item ---keyserver-options @code{parameters}
+This is a space or comma delimited string that gives options for the
+keyserver. Options can be prepended with a `no-' to give the opposite
+meaning. While not all options are available for all keyserver types,
+some common options are:
+
+@table @asis
+@item include-revoked
+When receiving or searching for a key, include keys that are marked on
+the keyserver as revoked. Note that this option is always set when
+using the NAI HKP keyserver, as this keyserver does not differentiate
+between revoked and unrevoked keys.
+
+@item include-disabled
+When receiving or searching for a key, include keys that are marked on
+the keyserver as disabled. Note that this option is not used with HKP
+keyservers, as they do not support disabling keys.
+
+@item use-temp-files
+On most Unix-like platforms, GnuPG communicates with the keyserver
+helper program via pipes, which is the most efficient method. This
+option forces GnuPG to use temporary files to communicate. On some
+platforms (such as Win32 and RISC OS), this option is always enabled.
+
+@item keep-temp-files
+If using `use-temp-files', do not delete the temp files after using
+them. This option is useful to learn the keyserver communication
+protocol by reading the temporary files.
+
+@item verbose
+Tell the keyserver helper program to be more verbose. This option can
+be repeated multiple times to increase the verbosity level.
+
+@item honor-http-proxy
+For keyserver schemes that use HTTP (such as HKP), try to access the
+keyserver over the proxy set with the environment variable
+"http_proxy".
+
+@item auto-key-retrieve
+This option enables the automatic retrieving of keys from a keyserver
+when verifying signatures made by keys that are not on the local
+keyring.
+
+@end table
+
+@item ---show-photos
+Causes ---list-keys, --list-sigs, --list-public-keys, and
+---list-secret-keys to also display the photo ID attached to a key, if
+any.
+See also ---photo-viewer.
+
+@item ---no-show-photos
+Resets the ---show-photos flag.
+
+@item ---photo-viewer @code{string}
+This is the command line that should be run to view a photo ID. "%i"
+will be expanded to a filename containing the photo. "%I" does the
+same, except the file will not be deleted once the viewer exits.
+Other flags are "%k" for the key ID, "%K" for the long key ID, "%f"
+for the key fingerprint, "%t" for the extension of the image type
+(e.g. "jpg"), "%T" for the MIME type of the image (e.g. "image/jpeg"),
+and "%%" for an actual percent sign. If neither %i or %I are present,
+then the photo will be supplied to the viewer on standard input.
+
+The default viewer is "xloadimage -fork -quiet -title 'KeyID 0x%k'
+stdin"
+
+@item ---show-keyring
+Causes ---list-keys, --list-public-keys, and --list-secret-keys to
+display the name of the keyring a given key resides on. This is only
+useful when you're listing a specific key or set of keys. It has no
+effect when listing all keys.
+
+@item ---keyring @code{file}
+Add @code{file} to the list of keyrings.
+If @code{file} begins with a tilde and a slash, these
+are replaced by the HOME directory. If the filename
+does not contain a slash, it is assumed to be in the
+home-directory ("~/.gnupg" if ---homedir is not used).
+The filename may be prefixed with a scheme:
+
+"gnupg-ring:" is the default one.
+
+It might make sense to use it together with ---no-default-keyring.
+
+@item ---secret-keyring @code{file}
+Same as ---keyring but for the secret keyrings.
+
+@item ---homedir @code{directory}
+Set the name of the home directory to @code{directory} If this
+option is not used it defaults to "~/.gnupg". It does
+not make sense to use this in a options file. This
+also overrides the environment variable "GNUPGHOME".
+
+@item ---charset @code{name}
+Set the name of the native character set. This is used
+to convert some strings to proper UTF-8 encoding.
+Valid values for @code{name} are:
+
+@table @asis
+@item iso-8859-1
+This is the default Latin 1 set.
+
+@item iso-8859-2
+The Latin 2 set.
+
+@item koi8-r
+The usual Russian set (rfc1489).
+
+@item utf-8
+Bypass all translations and assume
+that the OS uses native UTF-8 encoding.
+
+@end table
+
+@item ---utf8-strings
+@itemx ---no-utf8-strings
+Assume that the arguments are already given as UTF8 strings. The default
+(---no-utf8-strings)
+is to assume that arguments are encoded in the character set as specified
+by ---charset. These options affect all following arguments. Both options may
+be used multiple times.
+
+@item ---options @code{file}
+Read options from @code{file} and do not try to read
+them from the default options file in the homedir
+(see ---homedir). This option is ignored if used
+in an options file.
+
+@item ---no-options
+Shortcut for "---options /dev/null". This option is
+detected before an attempt to open an option file.
+Using this option will also prevent the creation of a
+"~./gnupg" homedir.
+
+@item ---load-extension @code{name}
+Load an extension module. If @code{name} does not
+contain a slash it is searched in "/usr/local/lib/gnupg"
+See the manual for more information about extensions.
+
+@item ---debug @code{flags}
+Set debugging flags. All flags are or-ed and @code{flags} may
+be given in C syntax (e.g. 0x0042).
+
+@item ---debug-all
+Set all useful debugging flags.
+
+@item ---status-fd @code{n}
+Write special status strings to the file descriptor @code{n}.
+See the file DETAILS in the documentation for a listing of them.
+
+@item ---logger-fd @code{n}
+Write log output to file descriptor @code{n} and not to stderr.
+
+@item ---attribute-fd @code{n}
+Write attribute subpackets to the file descriptor @code{n}. This is
+most useful for use with ---status-fd, since the status messages are
+needed to separate out the various subpackets from the stream
+delivered to the file descriptor.
+
+@item ---sk-comments
+Include secret key comment packets when exporting secret keys. This
+is a GnuPG extension to the OpenPGP standard, and is off by default.
+Please note that this has nothing to do with the comments in clear
+text signatures or armor headers.
+
+@item ---no-sk-comments
+Resets the ---sk-comments option.
+
+@item ---no-comment
+See ---sk-comments. This option is deprecated and may be removed soon.
+
+@item ---comment @code{string}
+Use @code{string} as comment string in clear text signatures.
+The default is not do write a comment string.
+
+@item ---default-comment
+Force to write the standard comment string in clear
+text signatures. Use this to overwrite a ---comment
+from a config file. This option is now obsolete because there is no
+default comment string anymore.
+
+@item ---no-version
+Omit the version string in clear text signatures.
+
+@item ---emit-version
+Force to write the version string in clear text
+signatures. Use this to overwrite a previous
+---no-version from a config file.
+
+@item -N, ---notation-data @code{name=value}
+Put the name value pair into the signature as notation data.
+@code{name} must consist only of alphanumeric characters, digits
+or the underscore; the first character must not be a digit.
+@code{value} may be any printable string; it will be encoded in UTF8,
+so you should check that your ---charset is set correctly.
+If you prefix @code{name} with an exclamation mark, the notation
+data will be flagged as critical (rfc2440:5.2.3.15).
+
+@item ---show-notation
+Show key signature notations in the ---list-sigs or --check-sigs
+listings.
+
+@item ---no-show-notation
+Do not show key signature notations in the ---list-sigs or --check-sigs
+listings.
+
+@item ---set-policy-url @code{string}
+Use @code{string} as Policy URL for signatures (rfc2440:5.2.3.19).
+If you prefix it with an exclamation mark, the policy URL
+packet will be flagged as critical.
+
+@item ---show-policy-url
+Show any policy URLs set in the ---list-sigs or --check-sigs listings.
+
+@item ---no-show-policy-url
+Do not show any policy URLs set in the ---list-sigs or --check-sigs
+listings.
+
+@item ---set-filename @code{string}
+Use @code{string} as the name of file which is stored in
+messages.
+
+@item ---for-your-eyes-only
+Set the `for your eyes only' flag in the message. This causes GnuPG
+to refuse to save the file unless the ---output option is given, and
+PGP to use the "secure viewer" with a Tempest-resistant font to
+display the message. This option overrides ---set-filename.
+
+@item ---no-for-your-eyes-only
+Resets the ---for-your-eyes-only flag.
+
+@item ---use-embedded-filename
+Try to create a file with a name as embedded in the data.
+This can be a dangerous option as it allows to overwrite files.
+
+@item ---completes-needed @code{n}
+Number of completely trusted users to introduce a new
+key signer (defaults to 1).
+
+@item ---marginals-needed @code{n}
+Number of marginally trusted users to introduce a new
+key signer (defaults to 3)
+
+@item ---max-cert-depth @code{n}
+Maximum depth of a certification chain (default is 5).
+
+@item ---cipher-algo @code{name}
+Use @code{name} as cipher algorithm. Running the program
+with the command ---version yields a list of supported
+algorithms. If this is not used the cipher algorithm is
+selected from the preferences stored with the key.
+
+@item ---digest-algo @code{name}
+Use @code{name} as the message digest algorithm. Running the program
+with the command ---version yields a list of supported algorithms.
+
+@item ---cert-digest-algo @code{name}
+Use @code{name} as the message digest algorithm used when signing a
+key. Running the program with the command ---version yields a list of
+supported algorithms. Be aware that if you choose an algorithm that
+GnuPG supports but other OpenPGP implementations do not, then some
+users will not be able to use the key signatures you make, or quite
+possibly your entire key.
+
+@item ---s2k-cipher-algo @code{name}
+Use @code{name} as the cipher algorithm used to protect secret keys.
+The default cipher is CAST5. This cipher is also used for
+conventional encryption if ---cipher-algo is not given.
+
+@item ---s2k-digest-algo @code{name}
+Use @code{name} as the digest algorithm used to mangle the
+passphrases. The default algorithm is RIPE-MD-160.
+This digest algorithm is also used for conventional
+encryption if ---digest-algo is not given.
+
+@item ---s2k-mode @code{n}
+Selects how passphrases are mangled. If @code{n} is 0
+a plain passphrase (which is not recommended) will be used,
+a 1 (default) adds a salt to the passphrase and
+a 3 iterates the whole process a couple of times.
+Unless ---rfc1991 is used, this mode is also used
+for conventional encryption.
+
+@item ---simple-sk-checksum
+Secret keys are integrity protected by using a SHA-1 checksum. This
+method will be part of an enhanced OpenPGP specification but GnuPG
+already uses it as a countermeasure against certain attacks. Old
+applications don't understand this new format, so this option may be
+used to switch back to the old behaviour. Using this this option
+bears a security risk.
+
+@item ---compress-algo @code{n}
+Use compression algorithm @code{n}. Default is 2 which is RFC1950
+compression. You may use 1 to use the old zlib version (RFC1951) which
+is used by PGP. 0 disables compression. The default algorithm may give
+better results because the window size is not limited to 8K. If this
+is not used the OpenPGP behavior is used, i.e. the compression
+algorithm is selected from the preferences; note, that this can't be
+done if you do not encrypt the data.
+
+@item ---disable-cipher-algo @code{name}
+Never allow the use of @code{name} as cipher algorithm.
+The given name will not be checked so that a later loaded algorithm
+will still get disabled.
+
+@item ---disable-pubkey-algo @code{name}
+Never allow the use of @code{name} as public key algorithm.
+The given name will not be checked so that a later loaded algorithm
+will still get disabled.
+
+@item ---no-sig-cache
+Do not cache the verification status of key signatures.
+Caching gives a much better performance in key listings. However, if
+you suspect that your public keyring is not save against write
+modifications, you can use this option to disable the caching. It
+probably does not make sense to disable it because all kind of damage
+can be done if someone else has write access to your public keyring.
+
+@item ---no-sig-create-check
+GnuPG normally verifies each signature right after creation to protect
+against bugs and hardware malfunctions which could leak out bits from
+the secret key. This extra verification needs some time (about 115%
+for DSA keys), and so this option can be used to disable it.
+However, due to the fact that the signature creation needs manual
+interaction, this performance penalty does not matter in most settings.
+
+@item ---auto-check-trustdb
+If GnuPG feels that its information about the Web-of-Trust has to be
+updated, it automatically runs the ---check-trustdb command
+internally. This may be a time consuming process.
+
+@item ---no-auto-check-trustdb
+Resets the ---auto-check-trustdb option.
+
+@item ---throw-keyid
+Do not put the keyid into encrypted packets. This option
+hides the receiver of the message and is a countermeasure
+against traffic analysis. It may slow down the decryption
+process because all available secret keys are tried.
+
+@item ---not-dash-escaped
+This option changes the behavior of cleartext signatures
+so that they can be used for patch files. You should not
+send such an armored file via email because all spaces
+and line endings are hashed too. You can not use this
+option for data which has 5 dashes at the beginning of a
+line, patch files don't have this. A special armor header
+line tells GnuPG about this cleartext signature option.
+
+@item ---escape-from-lines
+Because some mailers change lines starting with "From "
+to "<From " it is good to handle such lines in a special
+way when creating cleartext signatures. All other PGP
+versions do it this way too. This option is not enabled
+by default because it would violate rfc2440.
+
+@item ---passphrase-fd @code{n}
+Read the passphrase from file descriptor @code{n}. If you use
+0 for @code{n}, the passphrase will be read from stdin. This
+can only be used if only one passphrase is supplied.
+Don't use this option if you can avoid it.
+
+@item ---command-fd @code{n}
+This is a replacement for the deprecated shared-memory IPC mode.
+If this option is enabled, user input on questions is not expected
+from the TTY but from the given file descriptor. It should be used
+together with ---status-fd. See the file doc/DETAILS in the source
+distribution for details on how to use it.
+
+@item ---use-agent
+Try to use the GnuPG-Agent. Please note that this agent is still under
+development. With this option, GnuPG first tries to connect to the
+agent before it asks for a passphrase.
+
+@item ---gpg-agent-info
+Override the value of the environment variable
+@samp{GPG_AGENT_INFO}. This is only used when ---use-agent has been given
+
+@item ---rfc1991
+Try to be more RFC1991 (PGP 2.x) compliant.
+
+@item ---pgp2
+Set up all options to be as PGP 2.x compliant as possible, and warn if
+an action is taken (e.g. encrypting to a non-RSA key) that will create
+a message that PGP 2.x will not be able to handle. Note that `PGP
+2.x' here means `MIT PGP 2.6.2'. There are other versions of PGP 2.x
+available, but the MIT release is a good common baseline.
+
+This option implies `---rfc1991 --no-openpgp --disable-mdc
+---no-force-v4-certs --no-comment --escape-from-lines --force-v3-sigs
+---no-ask-sig-expire --no-ask-cert-expire --cipher-algo IDEA
+---digest-algo MD5 --compress-algo 1'
+
+@item ---no-pgp2
+Resets the ---pgp2 option.
+
+@item ---pgp6
+Set up all options to be as PGP 6 compliant as possible. This
+restricts you to the ciphers IDEA (if the IDEA plugin is installed),
+3DES, and CAST5, the hashes MD5, SHA1 and RIPEMD160, and the
+compression algorithms none and ZIP. This also disables making
+signatures with signing subkeys as PGP 6 does not understand
+signatures made by signing subkeys.
+
+This option implies `---disable-mdc --no-comment --escape-from-lines
+---force-v3-sigs --no-ask-sig-expire --compress-algo 1'
+
+@item ---no-pgp6
+Resets the ---pgp6 option.
+
+@item ---pgp7
+Set up all options to be as PGP 7 compliant as possible. This is
+identical to ---pgp6 except that the list of allowable ciphers is
+expanded to add AES128, AES192, AES256, and TWOFISH.
+
+@item ---no-pgp7
+Resets the ---pgp7 option.
+
+@item ---openpgp
+Reset all packet, cipher and digest options to OpenPGP behavior. Use
+this option to reset all previous options like ---rfc1991,
+---force-v3-sigs, --s2k-*, --cipher-algo, --digest-algo and
+---compress-algo to OpenPGP compliant values. All PGP workarounds are
+also disabled.
+
+@item ---force-v3-sigs
+OpenPGP states that an implementation should generate v4 signatures
+but PGP versions 5 and higher only recognize v4 signatures on key
+material. This option forces v3 signatures for signatures on data.
+Note that this option overrides ---ask-sig-expire, as v3 signatures
+cannot have expiration dates.
+
+@item ---no-force-v3-sigs
+Reset the ---force-v3-sigs option.
+
+@item ---force-v4-certs
+Always use v4 key signatures even on v3 keys. This option also
+changes the default hash algorithm for v3 RSA keys from MD5 to SHA-1.
+
+@item ---no-force-v4-certs
+Reset the ---force-v4-certs option.
+
+@item ---force-mdc
+Force the use of encryption with appended manipulation code. This is
+always used with the newer ciphers (those with a blocksize greater
+than 64 bit).
+
+@item ---allow-non-selfsigned-uid
+Allow the import and use of keys with user IDs which are not
+self-signed. This is not recommended, as a non self-signed user ID is
+trivial to forge.
+
+@item ---no-allow-non-selfsigned-uid
+Reset the ---allow-non-selfsigned-uid option.
+
+@item ---allow-freeform-uid
+Disable all checks on the form of the user ID while generating a new
+one. This option should only be used in very special environments as
+it does not ensure the de-facto standard format of user IDs.
+
+@item ---ignore-time-conflict
+GnuPG normally checks that the timestamps associated with keys and
+signatures have plausible values. However, sometimes a signature seems to
+be older than the key due to clock problems. This option makes these
+checks just a warning.
+
+@item ---ignore-valid-from
+GnuPG normally does not select and use subkeys created in the future. This
+option allows the use of such keys and thus exhibits the pre-1.0.7
+behaviour. You should not use this option unless you there is some
+clock problem.
+
+@item ---ignore-crc-error
+The ASCII armor used by OpenPG is protected by a CRC checksum against
+transmission errors. Sometimes it happens that the CRC gets mangled
+somewhere on the transmission channel
+but the actual content (which is anyway protected by
+the OpenPGP protocol) is still okay. This option will let gpg ignore
+CRC errors.
+
+@item ---lock-once
+Lock the databases the first time a lock is requested
+and do not release the lock until the process
+terminates.
+
+@item ---lock-multiple
+Release the locks every time a lock is no longer
+needed. Use this to override a previous ---lock-once
+from a config file.
+
+@item ---lock-never
+Disable locking entirely. This option should be used only in very
+special environments, where it can be assured that only one process
+is accessing those files. A bootable floppy with a stand-alone
+encryption system will probably use this. Improper usage of this
+option may lead to data and key corruption.
+
+@item ---no-random-seed-file
+GnuPG uses a file to store its internal random pool over invocations.
+This makes random generation faster; however sometimes write operations
+are not desired. This option can be used to achieve that with the cost of
+slower random generation.
+
+@item ---no-verbose
+Reset verbose level to 0.
+
+@item ---no-greeting
+Suppress the initial copyright message but do not
+enter batch mode.
+
+@item ---no-secmem-warning
+Suppress the warning about "using insecure memory".
+
+@item ---no-permission-warning
+Suppress the warning about unsafe file permissions.
+
+@item ---no-armor
+Assume the input data is not in ASCII armored format.
+
+@item ---no-default-keyring
+Do not add the default keyrings to the list of
+keyrings.
+
+@item ---skip-verify
+Skip the signature verification step. This may be
+used to make the decryption faster if the signature
+verification is not needed.
+
+@item ---with-colons
+Print key listings delimited by colons. Note, that the output will be
+encoded in UTF-8 regardless of any ---charset setting.
+
+@item ---with-key-data
+Print key listings delimited by colons (like ---with-colons) and print the public key data.
+
+@item ---with-fingerprint
+Same as the command ---fingerprint but changes only the format of the output
+and may be used together with another command.
+
+@item ---fast-list-mode
+Changes the output of the list commands to work faster; this is achieved
+by leaving some parts empty. Some applications don't need the user ID and
+the trust information given in the listings. By using this options they
+can get a faster listing. The exact behaviour of this option may change
+in future versions.
+
+@item ---fixed-list-mode
+Do not merge user ID and primary key in ---with-colon listing mode and
+print all timestamps as seconds since 1970-01-01.
+
+@item ---list-only
+Changes the behaviour of some commands. This is like ---dry-run but
+different in some cases. The semantic of this command may be extended in
+the future. Currently it only skips the actual decryption pass and
+therefore enables a fast listing of the encryption keys.
+
+@item ---no-literal
+This is not for normal use. Use the source to see for what it might be useful.
+
+@item ---set-filesize
+This is not for normal use. Use the source to see for what it might be useful.
+
+@item ---emulate-md-encode-bug
+GnuPG versions prior to 1.0.2 had a bug in the way a signature was encoded.
+This options enables a workaround by checking faulty signatures again with
+the encoding used in old versions. This may only happen for ElGamal signatures
+which are not widely used.
+
+@item ---show-session-key
+Display the session key used for one message. See ---override-session-key
+for the counterpart of this option.
+
+We think that Key-Escrow is a Bad Thing; however the user should
+have the freedom to decide whether to go to prison or to reveal the content of
+one specific message without compromising all messages ever encrypted for one
+secret key. DON'T USE IT UNLESS YOU ARE REALLY FORCED TO DO SO.
+
+@item ---override-session-key @code{string}
+Don't use the public key but the session key @code{string}. The format of this
+string is the same as the one printed by ---show-session-key. This option
+is normally not used but comes handy in case someone forces you to reveal the
+content of an encrypted message; using this option you can do this without
+handing out the secret key.
+
+@item ---ask-sig-expire
+When making a data signature, prompt for an expiration time. If this
+option is not specified, the expiration time is "never".
+
+@item ---no-ask-sig-expire
+Resets the ---ask-sig-expire option.
+
+@item ---ask-cert-expire
+When making a key signature, prompt for an expiration time. If this
+option is not specified, the expiration time is "never".
+
+@item ---no-ask-cert-expire
+Resets the ---ask-cert-expire option.
+
+@item ---expert
+Allow the user to do certain nonsensical or "silly" things like
+signing an expired or revoked key, or certain potentially incompatible
+things like generating deprecated key types. This also disables
+certain warning messages about potentially incompatible actions. As
+the name implies, this option is for experts only. If you don't fully
+understand the implications of what it allows you to do, leave this
+off.
+
+@item ---no-expert
+Resets the ---expert option.
+
+@item ---merge-only
+Don't insert new keys into the keyrings while doing an import.
+
+@item ---allow-secret-key-import
+This is an obsolete option and is not used anywhere.
+
+@item ---try-all-secrets
+Don't look at the key ID as stored in the message but try all secret keys in
+turn to find the right decryption key. This option forces the behaviour as
+used by anonymous recipients (created by using ---throw-keyid) and might come
+handy in case where an encrypted message contains a bogus key ID.
+
+@item ---enable-special-filenames
+This options enables a mode in which filenames of the form
+@file{-&n}, where n is a non-negative decimal number,
+refer to the file descriptor n and not to a file with that name.
+
+@item ---no-expensive-trust-checks
+Experimental use only.
+
+@item ---group @code{name=value}
+Sets up a name group, which is similar to aliases in email programs.
+Any time the group name is a receipient (-r or ---recipient), it will
+be expanded to the values specified. Note there is only one level of
+expansion - you cannot make an group that points to another group.
+
+@item ---preserve-permissions
+Don't change the permissions of a secret keyring back to user
+read/write only. Use this option only if you really know what you are doing.
+
+@item ---personal-cipher-preferences @code{string}
+Set the list of personal cipher preferences to @code{string}, this list
+should be a string similar to the one printed by the command "pref" in
+the edit menu. This allows the user to factor in their own preferred
+algorithms when algorithms are chosen via recipient key preferences.
+
+@item ---personal-digest-preferences @code{string}
+Set the list of personal digest preferences to @code{string}, this list
+should be a string similar to the one printed by the command "pref" in
+the edit menu. This allows the user to factor in their own preferred
+algorithms when algorithms are chosen via recipient key preferences.
+
+@item ---personal-compress-preferences @code{string}
+Set the list of personal compression preferences to @code{string}, this
+list should be a string similar to the one printed by the command
+"pref" in the edit menu. This allows the user to factor in their own
+preferred algorithms when algorithms are chosen via recipient key
+preferences.
+
+@item ---default-preference-list @code{string}
+Set the list of default preferences to @code{string}, this list should
+be a string similar to the one printed by the command "pref" in the
+edit menu. This affects both key generation and "updpref" in the edit
+menu.
+
+@end table
+
+@majorheading How to specify a user ID
+There are different ways on how to specify a user ID to GnuPG;
+here are some examples:
+
+@table @asis
+@item
+@item 234567C4
+@itemx 0F34E556E
+@itemx 01347A56A
+@itemx 0xAB123456
+Here the key ID is given in the usual short form.
+
+@item 234AABBCC34567C4
+@itemx 0F323456784E56EAB
+@itemx 01AB3FED1347A5612
+@itemx 0x234AABBCC34567C4
+Here the key ID is given in the long form as used by OpenPGP
+(you can get the long key ID using the option ---with-colons).
+
+@item 1234343434343434C434343434343434
+@itemx 123434343434343C3434343434343734349A3434
+@itemx 0E12343434343434343434EAB3484343434343434
+@itemx 0xE12343434343434343434EAB3484343434343434
+The best way to specify a key ID is by using the fingerprint of
+the key. This avoids any ambiguities in case that there are duplicated
+key IDs (which are really rare for the long key IDs).
+
+@item =Heinrich Heine <heinrichh@@uni-duesseldorf.de>
+Using an exact to match string. The equal sign indicates this.
+
+@item <heinrichh@@uni-duesseldorf.de>
+Using the email address part which must match exactly. The left angle bracket
+indicates this email address mode.
+
+@item +Heinrich Heine duesseldorf
+All words must match exactly (not case sensitive) but can appear in
+any order in the user ID. Words are any sequences of letters,
+digits, the underscore and all characters with bit 7 set.
+
+@item Heine
+@itemx *Heine
+By case insensitive substring matching. This is the default mode but
+applications may want to explicitly indicate this by putting the asterisk
+in front.
+
+@end table
+
+Note that you can append an exclamation mark to key IDs or
+fingerprints. This flag tells GnuPG to use exactly the given primary
+or secondary key and not to try to figure out which secondary or
+primary key to use.
+
+@majorheading RETURN VALUE
+The program returns 0 if everything was fine, 1 if at least
+a signature was bad, and other error codes for fatal errors.
+
+@majorheading EXAMPLES
+@table @asis
+@item gpg -se -r @code{Bob} @code{file}
+sign and encrypt for user Bob
+
+@item gpg ---clearsign @code{file}
+make a clear text signature
+
+@item gpg -sb @code{file}
+make a detached signature
+
+@item gpg ---list-keys @code{user_ID}
+show keys
+
+@item gpg ---fingerprint @code{user_ID}
+show fingerprint
+
+@item gpg ---verify @code{pgpfile}
+@itemx gpg ---verify @code{sigfile} @code{files}
+Verify the signature of the file but do not output the data. The second form
+is used for detached signatures, where @code{sigfile} is the detached
+signature (either ASCII armored of binary) and @code{files} are the signed
+data; if this is not given the name of the file holding the signed data is
+constructed by cutting off the extension (".asc" or ".sig") of
+@code{sigfile} or by asking the user for the filename.
+
+@end table
+
+@majorheading ENVIRONMENT
+@table @asis
+@item HOME
+Used to locate the default home directory.
+
+@item GNUPGHOME
+If set directory used instead of "~/.gnupg".
+
+@item GPG_AGENT_INFO
+Used to locate the gpg-agent; only honored when
+---use-agent is set. The value consists of 3 colon delimited fields:
+The first is the path to the Unix Domain Socket, the second the PID of
+the gpg-agent and the protocol version which should be set to 1. When
+starting the gpg-agent as described in its documentation, this
+variable is set to the correct value. The option ---gpg-agent-info can
+be used to overide it.
+
+@item http_proxy
+Only honored when the option ---honor-http-proxy is set.
+
+@end table
+
+@majorheading FILES
+@table @asis
+@item ~/.gnupg/secring.gpg
+The secret keyring
+
+@item ~/.gnupg/secring.gpg.lock
+and the lock file
+
+@item ~/.gnupg/pubring.gpg
+The public keyring
+
+@item ~/.gnupg/pubring.gpg.lock
+and the lock file
+
+@item ~/.gnupg/trustdb.gpg
+The trust database
+
+@item ~/.gnupg/trustdb.gpg.lock
+and the lock file
+
+@item ~/.gnupg/random_seed
+used to preserve the internal random pool
+
+@item ~/.gnupg/options
+May contain options
+
+@item /usr[/local]/share/gnupg/options.skel
+Skeleton options file
+
+@item /usr[/local]/lib/gnupg/
+Default location for extensions
+
+@end table
+
+@majorheading WARNINGS
+Use a *good* password for your user account and a *good* passphrase
+to protect your secret key. This passphrase is the weakest part of the
+whole system. Programs to do dictionary attacks on your secret keyring
+are very easy to write and so you should protect your "~/.gnupg/"
+directory very well.
+
+Keep in mind that, if this program is used over a network (telnet), it
+is *very* easy to spy out your passphrase!
+
+If you are going to verify detached signatures, make sure that the
+program knows about it; either be giving both filenames on the
+commandline or using @samp{-} to specify stdin.
+
+@majorheading BUGS
+On many systems this program should be installed as setuid(root). This
+is necessary to lock memory pages. Locking memory pages prevents the
+operating system from writing memory pages to disk. If you get no
+warning message about insecure memory your operating system supports
+locking without being root. The program drops root privileges as soon
+as locked memory is allocated.
+
+@bye
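Review bot: the option names written with two dashes instead of three inside the implied-option lists will render inconsistently in Info output, since makeinfo collapses `---` to `--` but `--` to `-` outside @code; this affects the --pgp2 entry (`---rfc1991 --no-openpgp --disable-mdc`), the --pgp6 entry (`---disable-mdc --no-comment --escape-from-lines`) and the --openpgp entry (`---force-v3-sigs, --s2k-*, --cipher-algo`), and wrapping each option in @code{} (as the file already does for option arguments) keeps the dashes literal. The stray empty `@item` directly before `@item 234567C4` in the "How to specify a user ID" table produces an empty table entry and should be dropped. The --gpg-agent-info entry is missing its closing period, and several typos should be fixed before this is committed: "not save against" (--no-sig-cache), "Using this this option" (--simple-sk-checksum), "OpenPG" (--ignore-crc-error), "unless you there is some clock problem" (--ignore-valid-from), "receipient" (--group), "overide" (GPG_AGENT_INFO), and "either be giving both filenames" (WARNINGS).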