In contrast to the standalone version gpg, which is more suited for server and embedded platforms, this version is installed under the name gpg2 and more targeted to the desktop as it requires several other modules to be installed. The standalone version will be kept maintained and it is possible to install both versions on the same system. If you need to use different configuration files, you should make use of something like `gpg.conf-2' instead of just `gpg.conf'.
Commands are not distinguished from options execpt for the fact that only one command is allowed.
gpg2 may be run with no commands, in which case it will perform a reasonable action depending on the type of file it is given as input (an encrypted message is decrypted, a signature is verified, a file containing keys is listed).
Please remember that option as well as command parsing stops as soon as a non-option is encountered, you can explicitly stop parsing by using the special option --.
Avoid using the output of this command in scripts or other programs as it is likely to change as GnuPG changes. See --with-colons for a machine-parseable key listing command that is appropriate for use in scripts and other programs.
For each signature listed, there are several flags in between the "sig" tag and keyid. These flags give additional information about each signature. From left to right, they are the numbers 1-3 for certificate check level (see --ask-cert-level), "L" for a local or non-exportable signature (see --lsign-key), "R" for a nonRevocable signature (see the --edit-key command "nrsign"), "P" for a signature that contains a policy URL (see --cert-policy-url), "N" for a signature that contains a notation (see --cert-notation), "X" for an eXpired signature (see --ask-cert-expire), and the numbers 1-9 or "T" for 10 and above to indicate trust signature levels (see the --edit-key command "tsign").
There are a few other options which control how this command works. Most notable here is the --keyserver-options merge-only option which does not insert new keys but does only the merging of new signatures, user-IDs and subkeys.
For use with cron jobs, this command can be used together with --batch in which case the trust database check is done only if a check is needed. To force a run even in batch mode add the option --yes.
This section explains the main commands for key management
There is an experimental feature which allows you to create keys in batch mode. See the file `doc/DETAILS' in the source distribution on how to use this.
gpg2 comes features a bunch of options to control the exact behaviour and to change the default configuration.
Long options can be put in an options file (default "~/.gnupg/gpg.conf"). Short option names will not work - for example, "armor" is a valid option for the options file, while "a" is not. Do not write the 2 dashes, but simply the name of the option and any required arguments. Lines with a hash ('#') as the first non-white-space character are ignored. Commands may be put in this file too, but that is not generally useful as the command will execute automatically with every execution of gpg.
Please remember that option parsing stops as soon as a non-option is encountered, you can explicitly stop parsing by using the special option --.
These options are used to change the configuraton and are usually found in the option file.
Show any preferred keyserver URL in the --list-sigs or --check-sigs listings. Defaults to no.
The default viewer is "xloadimage -fork -quiet -title 'KeyID
The default viewer is "xloadimage -fork -quiet -title 'KeyID 0x%k' stdin". Note that if your image viewer program is not secure, then executing it from GnuPG does not make it secure.
Note that this adds a keyring to the current list. If the intent is to use the specified keyring alone, use --keyring along with --no-default-keyring.
0 means you make no particular claim as to how carefully you verified the key.
1 means you believe the key is owned by the person who claims to own it but you could not, or did not verify the key at all. This is useful for a "persona" verification, where you sign the key of a pseudonymous user.
2 means you did casual verification of the key. For example, this could mean that you verified that the key fingerprint and checked the user ID on the key against a photo ID.
3 means you did extensive verification of the key. For example, this could mean that you verified the key fingerprint with the owner of the key in person, and that you checked, by means of a hard to forge document with a photo ID (such as a passport) that the name of the key owner matches the name in the user ID on the key, and finally that you verified (by exchange of email) that the email address on the key belongs to the key owner.
Note that the examples given above for levels 2 and 3 are just that: examples. In the end, it is up to you to decide just what "casual" and "extensive" mean to you.
This option defaults to 0 (no particular claim).
Most keyservers synchronize with each other, so there is generally no need to send keys to more than one server. The keyserver hkp://subkeys.pgp.net uses round robin DNS to give a different keyserver each time you use it.
Note that this option makes a "web bug" like behavior possible. Keyserver operators can see which keys you request, so by sending you a message signed by a brand new key (which you naturally will not have on your local keyring), the operator can tell both your IP address and the time when you verified the signature.
been given
Note that the warning for unsafe --homedir permissions cannot be suppressed in the gpg.conf file, as this would allow an attacker to place an unsafe gpg.conf file in place, and use this file to suppress warnings about itself. The --homedir permissions warning may only be suppressed on the command line.
The values are key IDs or fingerprints, but any key description is accepted. Note that a value with spaces in it will be treated as two different values. Note also there is only one level of expansion --- you cannot make an group that points to another group. When used from the command line, it may be necessary to quote the argument to this option to prevent the shell from treating it as multiple arguments.
These options control what GnuPG is compliant to. Only one of these options may be active at a time. Note that the default setting of this is nearly always the correct one. See the INTEROPERABILITY WITH OTHER OPENPGP PROGRAMS section below before using one of these options.
This option implies --rfc1991 --disable-mdc --no-force-v4-certs --no-sk-comment --escape-from-lines --force-v3-sigs --no-ask-sig-expire --no-ask-cert-expire --cipher-algo IDEA --digest-algo MD5 --compress-algo 1. It also disables --textmode when encrypting.
This option implies --disable-mdc --no-sk-comment --escape-from-lines --force-v3-sigs --no-ask-sig-expire.
There are special codes that may be used in notation names. "%k" will be expanded into the key ID of the key being signed, "%K" into the long key ID of the key being signed, "%f" into the fingerprint of the key being signed, "%s" into the key ID of the key making the signature, "%S" into the long key ID of the key making the signature, "%g" into the fingerprint of the key making the signature (which might be a subkey), "%p" into the fingerprint of the primary key of the key making the signature, "%c" into the signature count from the OpenPGP smartcard, and "%%" results in a single "%". %k, %K, and %f are only meaningful when making a key signature (certification), and %c is only meaningful when using the OpenPGP smartcard.
The same %-expandos used for notation data are available here as well.
The same %-expandos used for notation data are available here as well.
ZLIB may give better compression results than ZIP, as the compression window size is not limited to 8k. BZIP2 may give even better compression results than that, but will use a significantly larger amount of memory while compressing and decompressing. This may be significant in low memory situations. Note, however, that PGP (all versions) only supports ZIP compression. Using any algorithm other than ZIP or "none" will make the message unreadable with PGP. In general, you do not want to use this option as it allows you to violate the OpenPGP standard. --personal-compress-preferences is the safe way to accomplish the same thing.
We think that Key Escrow is a Bad Thing; however the user should have the freedom to decide whether to go to prison or to reveal the content of one specific message without compromising all messages ever encrypted for one secret key. DON'T USE IT UNLESS YOU ARE REALLY FORCED TO DO SO.
There are different ways to specify a user ID to GnuPG. Some of them are only valid for gpg others are only good for gpgsm. Here is the entire list of ways to specify a key:
When using gpg an exclamation mark may be appended to force using the specified primary or secondary key and not to try and calculate which primary or secondary key to use.
The last four lines of the example give the key ID in their long form as internally used by the OpenPGP protocol. You can see the long key ID using the option --with-colons.
234567C4 0F34E556E 01347A56A 0xAB123456 234AABBCC34567C4 0F323456784E56EAB 01AB3FED1347A5612 0x234AABBCC34567C4
When using gpg an exclamation mark may be appended to force using the specified primary or secondary key and not to try and calculate which primary or secondary key to use.
The best way to specify a key Id is by using the fingerprint. This avoids any ambiguities in case that there are duplicated key IDs.
1234343434343434C434343434343434 123434343434343C3434343434343734349A3434 0E12343434343434343434EAB3484343434343434 0xE12343434343434343434EAB3484343434343434
(gpgsm also accepts colons between each pair of hexadecimal digits because this is the de-facto standard on how to present X.509 fingerprints.)
=Heinrich Heine <
<
+Heinrich Heine duesseldorf
/CN=Heinrich Heine,O=Poets,L=Paris,C=FR
#/CN=Root Cert,O=Poets,L=Paris,C=FR
#4F03/CN=Root Cert,O=Poets,L=Paris,C=FR
&D75F22C3F86E355877348498CDC92BD21010A480
Heine *Heine
Please note that we have reused the hash mark identifier which was used in old GnuPG versions to indicate the so called local-id. It is not anymore used and there should be no conflict when used with X.509 stuff.
Using the RFC-2253 format of DNs has the drawback that it is not possible to map them back to the original encoding, however we don't have to do this because our key database stores this encoding as meta data.
The program returns 0 if everything was fine, 1 if at least a signature was bad, and other error codes for fatal errors.
Use a *good* password for your user account and a *good* passphrase to protect your secret key. This passphrase is the weakest part of the whole system. Programs to do dictionary attacks on your secret keyring are very easy to write and so you should protect your "~/.gnupg/" directory very well.
Keep in mind that, if this program is used over a network (telnet), it is *very* easy to spy out your passphrase!
If you are going to verify detached signatures, make sure that the program knows about it; either give both filenames on the command line or use to specify stdin.
GnuPG tries to be a very flexible implementation of the OpenPGP standard. In particular, GnuPG implements many of the optional parts of the standard, such as the SHA-512 hash, and the ZLIB and BZIP2 compression algorithms. It is important to be aware that not all OpenPGP programs implement these optional algorithms and that by forcing their use via the --cipher-algo, --digest-algo, --cert-digest-algo, or --compress-algo options in GnuPG, it is possible to create a perfectly valid OpenPGP message, but one that cannot be read by the intended recipient.
There are dozens of variations of OpenPGP programs available, and each supports a slightly different subset of these optional algorithms. For example, until recently, no (unhacked) version of PGP supported the BLOWFISH cipher algorithm. A message using BLOWFISH simply could not be read by a PGP user. By default, GnuPG uses the standard OpenPGP preferences system that will always do the right thing and create messages that are usable by all recipients, regardless of which OpenPGP program they use. Only override this safe default if you really know what you are doing.
If you absolutely must override the safe default, or if the preferences on a given key are invalid for some reason, you are far better off using the --pgp6, --pgp7, or --pgp8 options. These options are safe as they do not force any particular algorithms in violation of OpenPGP, but rather reduce the available algorithms to a "PGP-safe" list.
There are a few configuration files to control certain aspects of gpg2's operation. Unless noted, they are expected in the current home directory (see: [option --homedir]).
Note that on larger installations, it is useful to put predefined files into the directory `/etc/skel/.gnupg/' so that newly created users start up with a working configuration. For existing users the a small helper script is provided to create these files (see: [addgnupghome]).
For internal purposes gpg2 creates and maintaines a few other files; They all live in in the current home directory (see: [option --homedir]). Only the gpg2 may modify these files.
Operation is further controlled by a few environment variables:
On many systems this program should be installed as setuid(root). This is necessary to lock memory pages. Locking memory pages prevents the operating system from writing memory pages (which may contain passphrases or other sensitive material) to disk. If you get no warning message about insecure memory your operating system supports locking without being root. The program drops root privileges as soon as locked memory is allocated.
The full documentation for this tool is maintained as a Texinfo manual. If GnuPG and the info program are properly installed at your site, the command
info gnupg
should give you access to the complete manual including a menu structure and an index.