No OneTemporary
Actions

Size

238 KB

Subscribers

None

View Options

	diff --git a/doc/DETAILS b/doc/DETAILS
	index fd72b8882..db01baa8e 100644
	--- a/doc/DETAILS
	+++ b/doc/DETAILS
	@@ -1,1291 +1,1291 @@
	# doc/DETAILS -- org --
	#+TITLE: GnuPG Details
	# Globally disable superscripts and subscripts:
	#+OPTIONS: ^:{}
	#

	# Note: This file uses org-mode; it should be easy to read as plain
	# text but be aware of some markup peculiarities: Verbatim code is
	# enclosed in #+begin-example, #+end-example blocks or marked by a
	# colon as the first non-white-space character, words bracketed with
	# equal signs indicate a monospace font, and the usual /italics/,
	# bold, and _underline_ conventions are recognized.

	This is the DETAILS file for GnuPG which specifies some internals and
	parts of the external API for GPG and GPGSM.

	* Format of the colon listings
	The format is a based on colon separated record, each recods starts
	with a tag string and extends to the end of the line. Here is an
	example:
	#+begin_example
	$ gpg --with-colons --list-keys \
	--with-fingerprint --with-fingerprint wk@gnupg.org
	pub:f:1024:17:6C7EE1B8621CC013:899817715:1055898235::m:::scESC:
	fpr:::::::::ECAF7590EB3443B5C7CF3ACB6C7EE1B8621CC013:
	uid:f::::::::Werner Koch <wk@g10code.com>:
	uid:f::::::::Werner Koch <wk@gnupg.org>:
	sub:f:1536:16:06AD222CADF6A6E1:919537416:1036177416:::::e:
	fpr:::::::::CF8BCC4B18DE08FCD8A1615906AD222CADF6A6E1:
	sub:r:1536:20:5CE086B5B5A18FF4:899817788:1025961788:::::esc:
	fpr:::::::::AB059359A3B81F410FCFF97F5CE086B5B5A18FF4:
	#+end_example

	The double =--with-fingerprint= prints the fingerprint for the subkeys
	too. Old versions of gpg used a slightly different format and required
	the use of the option =--fixed-list-mode= to conform to the format
	described here.

	** Description of the fields
	*** Field 1 - Type of record

	- pub :: Public key
	- crt :: X.509 certificate
	- crs :: X.509 certificate and private key available
	- sub :: Subkey (secondary key)
	- sec :: Secret key
	- ssb :: Secret subkey (secondary key)
	- uid :: User id (only field 10 is used).
	- uat :: User attribute (same as user id except for field 10).
	- sig :: Signature
	- rev :: Revocation signature
	- fpr :: Fingerprint (fingerprint is in field 10)
	- pkd :: Public key data [*]
	- grp :: Keygrip
	- rvk :: Revocation key
	- tru :: Trust database information [*]
	- spk :: Signature subpacket [*]
	- cfg :: Configuration data [*]

	Records marked with an asterisk are described at [[Special%20field%20formats][Special fields]].

	*** Field 2 - Validity

	This is a letter describing the computed validity of a key.
	Currently this is a single letter, but be prepared that additional
	information may follow in some future versions. Note that GnuPG <
	2.1 does not set this field for secret key listings.

	- o :: Unknown (this key is new to the system)
	- i :: The key is invalid (e.g. due to a missing self-signature)
	- d :: The key has been disabled
	(deprecated - use the 'D' in field 12 instead)
	- r :: The key has been revoked
	- e :: The key has expired
	- - :: Unknown validity (i.e. no value assigned)
	- q :: Undefined validity. '-' and 'q' may safely be treated as
	the same value for most purposes
	- n :: The key is not valid
	- m :: The key is marginal valid.
	- f :: The key is fully valid
	- u :: The key is ultimately valid. This often means that the
	secret key is available, but any key may be marked as
	ultimately valid.
	- w :: The key has a well known private part.
	- s :: The key has special validity. This means that it might be
	self-signed and expected to be used in the STEED sytem.

	If the validity information is given for a UID or UAT record, it
	describes the validity calculated based on this user ID. If given
	for a key record it describes the validity taken from the best
	rated user ID.

	For X.509 certificates a 'u' is used for a trusted root
	certificate (i.e. for the trust anchor) and an 'f' for all other
	valid certificates.

	*** Field 3 - Key length

	The length of key in bits.

	*** Field 4 - Public key algorithm

	The values here are those from the OpenPGP specs or if they are
	greather than 255 the algorithm ids as used by Libgcrypt.

	*** Field 5 - KeyID

	This is the 64 bit keyid as specified by OpenPGP and the last 64
	bit of the SHA-1 fingerprint of an X.509 certifciate.

	*** Field 6 - Creation date

	The creation date of the key is given in UTC. For UID and UAT
	records, this is used for the self-signature date. Note that the
	date is usally printed in seconds since epoch, however, we are
	migrating to an ISO 8601 format (e.g. "19660205T091500"). This is
	currently only relevant for X.509. A simple way to detect the new
	format is to scan for the 'T'. Note that old versions of gpg
	without using the =--fixed-list-mode= option used a "yyyy-mm-tt"
	format.

	*** Field 7 - Expiration date

	Key or UID/UAT expiration date or empty if it does not expire.

	*** Field 8 - Certificate S/N, UID hash, trust signature info

	Used for serial number in crt records. For UID and UAT records,
	this is a hash of the user ID contents used to represent that
	exact user ID. For trust signatures, this is the trust depth
	seperated by the trust value by a space.

	*** Field 9 - Ownertrust

	This is only used on primary keys. This is a single letter, but
	be prepared that additional information may follow in future
	versions. For trust signatures with a regular expression, this is
	the regular expression value, quoted as in field 10.

	*** Field 10 - User-ID
	The value is quoted like a C string to avoid control characters
	(the colon is quoted =\x3a=). For a "pub" record this field is
	not used on --fixed-list-mode. A UAT record puts the attribute
	subpacket count here, a space, and then the total attribute
	subpacket size. In gpgsm the issuer name comes here. A FPR
	record stores the fingerprint here. The fingerprint of a
	revocation key is stored here.
	*** Field 11 - Signature class

	Signature class as per RFC-4880. This is a 2 digit hexnumber
	followed by either the letter 'x' for an exportable signature or
	the letter 'l' for a local-only signature. The class byte of an
	revocation key is also given here, 'x' and 'l' is used the same
	way. This field if not used for X.509.

	*** Field 12 - Key capabilities

	The defined capabilities are:

	- e :: Encrypt
	- s :: Sign
	- c :: Certify
	- a :: Authentication
	- ? :: Unknown capability

	A key may have any combination of them in any order. In addition
	to these letters, the primary key has uppercase versions of the
	letters to denote the _usable_ capabilities of the entire key, and
	a potential letter 'D' to indicate a disabled key.

	*** Field 13 - Issuer certificate fingerprint or other info

	Used in FPR records for S/MIME keys to store the fingerprint of
	the issuer certificate. This is useful to build the certificate
	path based on certificates stored in the local key database it is
	only filled if the issuer certificate is available. The root has
	been reached if this is the same string as the fingerprint. The
	advantage of using this value is that it is guaranteed to have
	been been build by the same lookup algorithm as gpgsm uses.

	For "uid" records this field lists the preferences in the same way
	gpg's --edit-key menu does.

	For "sig" records, this is the fingerprint of the key that issued
	the signature. Note that this is only filled in if the signature
	verified correctly. Note also that for various technical reasons,
	this fingerprint is only available if --no-sig-cache is used.

	*** Field 14 - Flag field

	Flag field used in the --edit menu output

	*** Field 15 - S/N of a token

	Used in sec/ssb to print the serial number of a token (internal
	protect mode 1002) or a '#' if that key is a simple stub (internal
	protect mode 1001). If the option --with-secret is used and a
	secret key is available for the public key, a '+' indicates this.

	*** Field 16 - Hash algorithm

	For sig records, this is the used hash algorithm. For example:
	2 = SHA-1, 8 = SHA-256.

	*** Field 17 - Curve name

	For pub, sub, sec, and ssb records this field is used for the ECC
	curve name.

	** Special fields

	*** PKD - Public key data

	If field 1 has the tag "pkd", a listing looks like this:
	#+begin_example
	pkd:0:1024:B665B1435F4C2 .... FF26ABB:
	! ! !-- the value
	! !------ for information number of bits in the value
	!--------- index (eg. DSA goes from 0 to 3: p,q,g,y)
	#+end_example

	*** TRU - Trust database information
	Example for a "tru" trust base record:
	#+begin_example
	tru:o:0:1166697654:1:3:1:5
	#+end_example

	- Field 2 :: Reason for staleness of trust. If this field is
	empty, then the trustdb is not stale. This field may
	have multiple flags in it:

	- o :: Trustdb is old
	- t :: Trustdb was built with a different trust model
	than the one we are using now.

	- Field 3 :: Trust model

	- 0 :: Classic trust model, as used in PGP 2.x.
	- 1 :: PGP trust model, as used in PGP 6 and later.
	This is the same as the classic trust model,
	except for the addition of trust signatures.

	GnuPG before version 1.4 used the classic trust model
	by default. GnuPG 1.4 and later uses the PGP trust
	model by default.

	- Field 4 :: Date trustdb was created in seconds since Epoch.
	- Field 5 :: Date trustdb will expire in seconds since Epoch.
	- Field 6 :: Number of marginally trusted users to introduce a new
	key signer (gpg's option --marginals-needed).
	- Field 7 :: Number of completely trusted users to introduce a new
	key signer. (gpg's option --completes-needed)

	- Field 8 :: Maximum depth of a certification chain. (gpg's option
	--max-cert-depth)

	*** SPK - Signature subpacket records

	- Field 2 :: Subpacket number as per RFC-4880 and later.
	- Field 3 :: Flags in hex. Currently the only two bits assigned
	are 1, to indicate that the subpacket came from the
	hashed part of the signature, and 2, to indicate the
	subpacket was marked critical.
	- Field 4 :: Length of the subpacket. Note that this is the
	length of the subpacket, and not the length of field
	5 below. Due to the need for %-encoding, the length
	of field 5 may be up to 3x this value.
	- Field 5 :: The subpacket data. Printable ASCII is shown as
	ASCII, but other values are rendered as %XX where XX
	is the hex value for the byte.

	*** CFG - Configuration data

	--list-config outputs information about the GnuPG configuration
	for the benefit of frontends or other programs that call GnuPG.
	There are several list-config items, all colon delimited like the
	rest of the --with-colons output. The first field is always "cfg"
	to indicate configuration information. The second field is one of
	(with examples):

	- version :: The third field contains the version of GnuPG.

	: cfg:version:1.3.5

	- pubkey :: The third field contains the public key algorithms
	this version of GnuPG supports, separated by
	semicolons. The algorithm numbers are as specified in
	RFC-4880. Note that in contrast to the --status-fd
	interface these are _not_ the Libgcrypt identifiers.
	Using =pubkeyname= prints names instead of numbers.

	: cfg:pubkey:1;2;3;16;17

	- cipher :: The third field contains the symmetric ciphers this
	version of GnuPG supports, separated by semicolons.
	The cipher numbers are as specified in RFC-4880.
	Using =ciphername= prints names instead of numbers.

	: cfg:cipher:2;3;4;7;8;9;10

	- digest :: The third field contains the digest (hash) algorithms
	this version of GnuPG supports, separated by
	semicolons. The digest numbers are as specified in
	RFC-4880. Using =digestname= prints names instead of
	numbers.

	: cfg:digest:1;2;3;8;9;10

	- compress :: The third field contains the compression algorithms
	this version of GnuPG supports, separated by
	semicolons. The algorithm numbers are as specified
	in RFC-4880.

	: cfg:compress:0;1;2;3

	- group :: The third field contains the name of the group, and the
	fourth field contains the values that the group expands
	to, separated by semicolons.

	For example, a group of:
	: group mynames = paige 0x12345678 joe patti
	would result in:
	: cfg:group:mynames:patti;joe;0x12345678;paige

	- curve :: The third field contains the curve names this version
	of GnuPG supports, separated by semicolons. Using
	=curveoid= prints OIDs instead of numbers.

	: cfg:curve:ed25519;nistp256;nistp384;nistp521


	* Format of the --status-fd output

	Every line is prefixed with "[GNUPG:] ", followed by a keyword with
	the type of the status line and some arguments depending on the type
	(maybe none); an application should always be prepared to see more
	arguments in future versions.

	** General status codes
	*** NEWSIG
	Is issued right before a signature verification starts. This is
	useful to define a context for parsing ERROR status messages. No
	arguments are currently defined.

	*** GOODSIG <long_keyid_or_fpr> <username>
	The signature with the keyid is good. For each signature only one
	of the codes GOODSIG, BADSIG, EXPSIG, EXPKEYSIG, REVKEYSIG or
	ERRSIG will be emitted. In the past they were used as a marker
	for a new signature; new code should use the NEWSIG status
	instead. The username is the primary one encoded in UTF-8 and %XX
	escaped. The fingerprint may be used instead of the long keyid if
	it is available. This is the case with CMS and might eventually
	also be available for OpenPGP.

	*** EXPSIG <long_keyid_or_fpr> <username>
	The signature with the keyid is good, but the signature is
	expired. The username is the primary one encoded in UTF-8 and %XX
	escaped. The fingerprint may be used instead of the long keyid if
	it is available. This is the case with CMS and might eventually
	also be available for OpenPGP.

	*** EXPKEYSIG <long_keyid_or_fpr> <username>
	The signature with the keyid is good, but the signature was made
	by an expired key. The username is the primary one encoded in
	UTF-8 and %XX escaped. The fingerprint may be used instead of the
	long keyid if it is available. This is the case with CMS and
	might eventually also be available for OpenPGP.

	*** REVKEYSIG <long_keyid_or_fpr> <username>
	The signature with the keyid is good, but the signature was made
	by a revoked key. The username is the primary one encoded in UTF-8
	and %XX escaped. The fingerprint may be used instead of the long
	keyid if it is available. This is the case with CMS and might
	eventually also beñ available for OpenPGP.

	*** BADSIG <long_keyid_or_fpr> <username>
	The signature with the keyid has not been verified okay. The
	username is the primary one encoded in UTF-8 and %XX escaped. The
	fingerprint may be used instead of the long keyid if it is
	available. This is the case with CMS and might eventually also be
	available for OpenPGP.

	*** ERRSIG <keyid> <pkalgo> <hashalgo> <sig_class> <time> <rc>
	It was not possible to check the signature. This may be caused by
	a missing public key or an unsupported algorithm. A RC of 4
	indicates unknown algorithm, a 9 indicates a missing public
	key. The other fields give more information about this signature.
	sig_class is a 2 byte hex-value. The fingerprint may be used
	instead of the keyid if it is available. This is the case with
	gpgsm and might eventually also be available for OpenPGP.

	Note, that TIME may either be the number of seconds since Epoch or
	an ISO 8601 string. The latter can be detected by the presence of
	the letter 'T'.

	*** VALIDSIG <args>

	The args are:

	- <fingerprint_in_hex>
	- <sig_creation_date>
	- <sig-timestamp>
	- <expire-timestamp>
	- <sig-version>
	- <reserved>
	- <pubkey-algo>
	- <hash-algo>
	- <sig-class>
	- [ <primary-key-fpr> ]

	This status indicates that the signature is good. This is the same
	as GOODSIG but has the fingerprint as the argument. Both status
	lines are emitted for a good signature. All arguments here are on
	one long line. sig-timestamp is the signature creation time in
	seconds after the epoch. expire-timestamp is the signature
	expiration time in seconds after the epoch (zero means "does not
	expire"). sig-version, pubkey-algo, hash-algo, and sig-class (a
	2-byte hex value) are all straight from the signature packet.
	PRIMARY-KEY-FPR is the fingerprint of the primary key or identical
	to the first argument. This is useful to get back to the primary
	key without running gpg again for this purpose.

	The primary-key-fpr parameter is used for OpenPGP and not
	class is not defined for CMS and currently set to 0 and 00.
	available for CMS signatures. The sig-version as well as the sig

	Note, that *-TIMESTAMP may either be a number of seconds since
	Epoch or an ISO 8601 string which can be detected by the presence
	of the letter 'T'.

	*** SIG_ID <radix64_string> <sig_creation_date> <sig-timestamp>
	This is emitted only for signatures of class 0 or 1 which have
	been verified okay. The string is a signature id and may be used
	in applications to detect replay attacks of signed messages. Note
	that only DLP algorithms give unique ids - others may yield
	duplicated ones when they have been created in the same second.

	Note, that SIG-TIMESTAMP may either be a number of seconds since
	Epoch or an ISO 8601 string which can be detected by the presence
	of the letter 'T'.

	*** ENC_TO <long_keyid> <keytype> <keylength>
	The message is encrypted to this LONG_KEYID. KEYTYPE is the
	numerical value of the public key algorithm or 0 if it is not
	known, KEYLENGTH is the length of the key or 0 if it is not known
	(which is currently always the case). Gpg prints this line
	always; Gpgsm only if it knows the certificate.

	*** BEGIN_DECRYPTION
	Mark the start of the actual decryption process. This is also
	emitted when in --list-only mode.
	*** END_DECRYPTION
	Mark the end of the actual decryption process. This are also
	emitted when in --list-only mode.
	*** DECRYPTION_INFO <mdc_method> <sym_algo>
	Print information about the symmetric encryption algorithm and the
	MDC method. This will be emitted even if the decryption fails.

	*** DECRYPTION_FAILED
	The symmetric decryption failed - one reason could be a wrong
	passphrase for a symmetrical encrypted message.

	*** DECRYPTION_OKAY
	The decryption process succeeded. This means, that either the
	correct secret key has been used or the correct passphrase for a
	- conventional encrypted message was given. The program itself may
	+ symmetric encrypted message was given. The program itself may
	return an errorcode because it may not be possible to verify a
	signature for some reasons.

	*** SESSION_KEY <algo>:<hexdigits>
	The session key used to decrypt the message. This message will
	only be emitted if the option --show-session-key is used. The
	format is suitable to be passed as value for the option
	--override-session-key. It is not an indication that the
	decryption will or has succeeded.

	*** BEGIN_ENCRYPTION <mdc_method> <sym_algo>
	Mark the start of the actual encryption process.

	*** END_ENCRYPTION
	Mark the end of the actual encryption process.

	*** FILE_START <what> <filename>
	Start processing a file <filename>. <what> indicates the performed
	operation:
	- 1 :: verify
	- 2 :: encrypt
	- 3 :: decrypt

	*** FILE_DONE
	Marks the end of a file processing which has been started
	by FILE_START.

	*** BEGIN_SIGNING
	Mark the start of the actual signing process. This may be used as
	an indication that all requested secret keys are ready for use.

	*** ALREADY_SIGNED <long-keyid>
	Warning: This is experimental and might be removed at any time.

	*** SIG_CREATED <type> <pk_algo> <hash_algo> <class> <timestamp> <keyfpr>
	A signature has been created using these parameters.
	Values for type <type> are:
	- D :: detached
	- C :: cleartext
	- S :: standard
	(only the first character should be checked)

	<class> are 2 hex digits with the OpenPGP signature class.

	Note, that TIMESTAMP may either be a number of seconds since Epoch
	or an ISO 8601 string which can be detected by the presence of the
	letter 'T'.

	*** NOTATION_
	There are actually two related status codes to convey notation
	data:

	- NOTATION_NAME <name>
	- NOTATION_DATA <string>

	<name> and <string> are %XX escaped; the data may be split among
	several NOTATION_DATA lines.

	*** POLICY_URL <string>
	Note that URL in <string> is %XX escaped.

	*** PLAINTEXT <format> <timestamp> <filename>
	This indicates the format of the plaintext that is about to be
	written. The format is a 1 byte hex code that shows the format of
	the plaintext: 62 ('b') is binary data, 74 ('t') is text data with
	no character set specified, and 75 ('u') is text data encoded in
	the UTF-8 character set. The timestamp is in seconds since the
	epoch. If a filename is available it gets printed as the third
	argument, percent-escaped as usual.

	*** PLAINTEXT_LENGTH <length>
	This indicates the length of the plaintext that is about to be
	written. Note that if the plaintext packet has partial length
	encoding it is not possible to know the length ahead of time. In
	that case, this status tag does not appear.

	*** ATTRIBUTE <arguments>
	The list or argemnts are:
	- <fpr>
	- <octets>
	- <type>
	- <index>
	- <count>
	- <timestamp>
	- <expiredate>
	- <flags>

	This is one long line issued for each attribute subpacket when an
	attribute packet is seen during key listing. <fpr> is the
	fingerprint of the key. <octets> is the length of the attribute
	subpacket. <type> is the attribute type (e.g. 1 for an image).
	<index> and <count> indicate that this is the N-th indexed
	subpacket of count total subpackets in this attribute packet.
	<timestamp> and <expiredate> are from the self-signature on the
	attribute packet. If the attribute packet does not have a valid
	self-signature, then the timestamp is 0. <flags> are a bitwise OR
	of:
	- 0x01 :: this attribute packet is a primary uid
	- 0x02 :: this attribute packet is revoked
	- 0x04 :: this attribute packet is expired

	*** SIG_SUBPACKET <type> <flags> <len> <data>
	This indicates that a signature subpacket was seen. The format is
	the same as the "spk" record above.

	** Key related
	*** INV_RECP, INV_SGNR
	The two similar status codes:

	- INV_RECP <reason> <requested_recipient>
	- INV_SGNR <reason> <requested_sender>

	are issued for each unusable recipient/sender. The reasons codes
	currently in use are:

	- 0 :: No specific reason given
	- 1 :: Not Found
	- 2 :: Ambigious specification
	- 3 :: Wrong key usage
	- 4 :: Key revoked
	- 5 :: Key expired
	- 6 :: No CRL known
	- 7 :: CRL too old
	- 8 :: Policy mismatch
	- 9 :: Not a secret key
	- 10 :: Key not trusted
	- 11 :: Missing certificate
	- 12 :: Missing issuer certificate
	- 13 :: Key disabled
	- 14 :: Syntax error in specification

	Note that for historical reasons the INV_RECP status is also used
	for gpgsm's SIGNER command where it relates to signer's of course.
	Newer GnuPG versions are using INV_SGNR; applications should
	ignore the INV_RECP during the sender's command processing once
	they have seen an INV_SGNR. Different codes are used so that they
	can be distinguish while doing an encrypt+sign operation.
	*** NO_RECP <reserved>
	Issued if no recipients are usable.

	*** NO_SGNR <reserved>
	Issued if no senders are usable.

	*** KEYEXPIRED <expire-timestamp>
	The key has expired. expire-timestamp is the expiration time in
	seconds since Epoch. This status line is not very useful because
	it will also be emitted for expired subkeys even if this subkey is
	not used. To check whether a key used to sign a message has
	expired, the EXPKEYSIG status line is to be used.

	Note, that the TIMESTAMP may either be a number of seconds since
	Epoch or an ISO 8601 string which can be detected by the presence
	of the letter 'T'.

	*** KEYREVOKED
	The used key has been revoked by its owner. No arguments yet.

	*** NO_PUBKEY <long keyid>
	The public key is not available

	*** NO_SECKEY <long keyid>
	The secret key is not available

	*** KEY_CREATED <type> <fingerprint> [<handle>]
	A key has been created. Values for <type> are:
	- B :: primary and subkey
	- P :: primary
	- S :: subkey
	The fingerprint is one of the primary key for type B and P and the
	one of the subkey for S. Handle is an arbitrary non-whitespace
	string used to match key parameters from batch key creation run.

	*** KEY_NOT_CREATED [<handle>]
	The key from batch run has not been created due to errors.

	*** TRUST_
	These are several similar status codes:

	- TRUST_UNDEFINED <error_token>
	- TRUST_NEVER <error_token>
	- TRUST_MARGINAL [0 [<validation_model>]]
	- TRUST_FULLY [0 [<validation_model>]]
	- TRUST_ULTIMATE [0 [<validation_model>]]

	For good signatures one of these status lines are emitted to
	indicate the validity of the key used to create the signature.
	The error token values are currently only emitted by gpgsm.

	VALIDATION_MODEL describes the algorithm used to check the
	validity of the key. The defaults are the standard Web of Trust
	model for gpg and the the standard X.509 model for gpgsm. The
	defined values are

	- pgp :: The standard PGP WoT.
	- shell :: The standard X.509 model.
	- chain :: The chain model.
	- steed :: The STEED model.

	Note that the term =TRUST_= in the status names is used for
	historic reasons; we now speak of validity.

	*** PKA_TRUST_
	This is is one:

	- PKA_TRUST_GOOD <mailbox>
	- PKA_TRUST_BAD <mailbox>

	Depending on the outcome of the PKA check one of the above status
	codes is emitted in addition to a =TRUST_*= status.

	** Remote control
	*** GET_BOOL, GET_LINE, GET_HIDDEN, GOT_IT

	These status line are used with --command-fd for interactive
	control of the process.

	*** USERID_HINT <long main keyid> <string>
	Give a hint about the user ID for a certain keyID.

	*** NEED_PASSPHRASE <long keyid> <long main keyid> <keytype> <keylength>
	Issued whenever a passphrase is needed. KEYTYPE is the numerical
	value of the public key algorithm or 0 if this is not applicable,
	KEYLENGTH is the length of the key or 0 if it is not known (this
	is currently always the case).

	*** NEED_PASSPHRASE_SYM <cipher_algo> <s2k_mode> <s2k_hash>
	Issued whenever a passphrase for symmetric encryption is needed.

	*** NEED_PASSPHRASE_PIN <card_type> <chvno> [<serialno>]
	Issued whenever a PIN is requested to unlock a card.

	*** MISSING_PASSPHRASE
	No passphrase was supplied. An application which encounters this
	message may want to stop parsing immediately because the next
	message will probably be a BAD_PASSPHRASE. However, if the
	application is a wrapper around the key edit menu functionality it
	might not make sense to stop parsing but simply ignoring the
	following BAD_PASSPHRASE.

	*** BAD_PASSPHRASE <long keyid>
	The supplied passphrase was wrong or not given. In the latter
	case you may have seen a MISSING_PASSPHRASE.

	*** GOOD_PASSPHRASE
	The supplied passphrase was good and the secret key material
	is therefore usable.

	** Import/Export
	*** IMPORT_CHECK <long keyid> <fingerprint> <user ID>
	This status is emitted in interactive mode right before
	the "import.okay" prompt.

	*** IMPORTED <long keyid> <username>
	The keyid and name of the signature just imported

	*** IMPORT_OK <reason> [<fingerprint>]
	The key with the primary key's FINGERPRINT has been imported.
	REASON flags are:

	- 0 :: Not actually changed
	- 1 :: Entirely new key.
	- 2 :: New user IDs
	- 4 :: New signatures
	- 8 :: New subkeys
	- 16 :: Contains private key.

	The flags may be ORed.

	*** IMPORT_PROBLEM <reason> [<fingerprint>]
	Issued for each import failure. Reason codes are:

	- 0 :: No specific reason given.
	- 1 :: Invalid Certificate.
	- 2 :: Issuer Certificate missing.
	- 3 :: Certificate Chain too long.
	- 4 :: Error storing certificate.

	*** IMPORT_RES <args>
	Final statistics on import process (this is one long line). The
	args are a list of unsigned numbers separated by white space:

	- <count>
	- <no_user_id>
	- <imported>
	- always 0 (formerly used for the number of RSA keys)
	- <unchanged>
	- <n_uids>
	- <n_subk>
	- <n_sigs>
	- <n_revoc>
	- <sec_read>
	- <sec_imported>
	- <sec_dups>
	- <skipped_new_keys>
	- <not_imported>
	- <skipped_v3_keys>

	** Smartcard related
	*** CARDCTRL <what> [<serialno>]
	This is used to control smartcard operations. Defined values for
	WHAT are:

	- 1 :: Request insertion of a card. Serialnumber may be given
	to request a specific card. Used by gpg 1.4 w/o
	scdaemon
	- 2 :: Request removal of a card. Used by gpg 1.4 w/o scdaemon.
	- 3 :: Card with serialnumber detected
	- 4 :: No card available
	- 5 :: No card reader available
	- 6 :: No card support available
	- 7 :: Card is in termination state

	*** SC_OP_FAILURE [<code>]
	An operation on a smartcard definitely failed. Currently there is
	no indication of the actual error code, but application should be
	prepared to later accept more arguments. Defined values for
	<code> are:

	- 0 :: unspecified error (identically to a missing CODE)
	- 1 :: canceled
	- 2 :: bad PIN

	*** SC_OP_SUCCESS
	A smart card operaion succeeded. This status is only printed for
	certain operation and is mostly useful to check whether a PIN
	change really worked.

	** Miscellaneous status codes
	*** NODATA <what>
	No data has been found. Codes for WHAT are:

	- 1 :: No armored data.
	- 2 :: Expected a packet but did not found one.
	- 3 :: Invalid packet found, this may indicate a non OpenPGP
	message.
	- 4 :: Signature expected but not found

	You may see more than one of these status lines.

	*** UNEXPECTED <what>
	Unexpected data has been encountered. Codes for WHAT are:
	- 0 :: Not further specified
	- 1 :: Corrupted message structure

	*** TRUNCATED <maxno>
	The output was truncated to MAXNO items. This status code is
	issued for certain external requests.

	*** ERROR <error location> <error code> [<more>]
	This is a generic error status message, it might be followed by
	error location specific data. <error code> and <error_location>
	should not contain spaces. The error code is a either a string
	commencing with a letter or such a string prefixed with a
	numerical error code and an underscore; e.g.: "151011327_EOF".

	*** SUCCESS [<location>]
	Postive confirimation that an operation succeeded. <location> is
	optional but if given should not contain spaces. Used only with a
	few commands.

	*** BADARMOR
	The ASCII armor is corrupted. No arguments yet.

	*** DELETE_PROBLEM <reason_code>
	Deleting a key failed. Reason codes are:
	- 1 :: No such key
	- 2 :: Must delete secret key first
	- 3 :: Ambigious specification
	- 4 :: Key is stored on a smartcard.

	*** PROGRESS <what> <char> <cur> <total>
	Used by the primegen and Public key functions to indicate
	progress. <char> is the character displayed with no --status-fd
	enabled, with the linefeed replaced by an 'X'. <cur> is the
	current amount done and <total> is amount to be done; a <total> of
	0 indicates that the total amount is not known. The condition
	: TOTAL && CUR == TOTAL
	may be used to detect the end of an operation.

	Well known values for WHAT are:

	- pk_dsa :: DSA key generation
	- pk_elg :: Elgamal key generation
	- primegen :: Prime generation
	- need_entropy :: Waiting for new entropy in the RNG
	- tick :: Generic tick without any special meaning - useful
	for letting clients know that the server is still
	working.
	- starting_agent :: A gpg-agent was started because it is not
	running as a daemon.
	- learncard :: Send by the agent and gpgsm while learing
	the data of a smartcard.
	- card_busy :: A smartcard is still working

	*** BACKUP_KEY_CREATED <fingerprint> <fname>
	A backup of a key identified by <fingerprint> has been writte to
	the file <fname>; <fname> is percent-escaped.

	*** MOUNTPOINT <name>
	<name> is a percent-plus escaped filename describing the
	mountpoint for the current operation (e.g. used by "g13 --mount").
	This may either be the specified mountpoint or one randomly
	choosen by g13.

	*** PINENTRY_LAUNCHED <pid>
	This status line is emitted by gpg to notify a client that a
	Pinentry has been launched. <pid> is the PID of the Pinentry. It
	may be used to display a hint to the user but can't be used to
	synchronize with Pinentry. Note that there is also an Assuan
	inquiry line with the same name used internally or, if enabled,
	send to the client instead of this status line. Such an inquiry
	may be used to sync with Pinentry

	** Obsolete status codes
	*** SIGEXPIRED
	Removed on 2011-02-04. This is deprecated in favor of KEYEXPIRED.
	*** RSA_OR_IDEA
	Obsolete. This status message used to be emitted for requests to
	use the IDEA or RSA algorithms. It has been dropped from GnuPG
	2.1 after the respective patents expired.
	*** SHM_INFO, SHM_GET, SHM_GET_BOOL, SHM_GET_HIDDEN
	These were used for the ancient shared memory based co-processing.
	*** BEGIN_STREAM, END_STREAM
	Used to issued by the experimental pipemode.


	* Format of the --attribute-fd output

	When --attribute-fd is set, during key listings (--list-keys,
	--list-secret-keys) GnuPG dumps each attribute packet to the file
	descriptor specified. --attribute-fd is intended for use with
	--status-fd as part of the required information is carried on the
	ATTRIBUTE status tag (see above).

	The contents of the attribute data is specified by RFC 4880. For
	convenience, here is the Photo ID format, as it is currently the
	only attribute defined:

	- Byte 0-1 :: The length of the image header. Due to a historical
	accident (i.e. oops!) back in the NAI PGP days, this
	is a little-endian number. Currently 16 (0x10 0x00).

	- Byte 2 :: The image header version. Currently 0x01.

	- Byte 3 :: Encoding format. 0x01 == JPEG.

	- Byte 4-15 :: Reserved, and currently unused.

	All other data after this header is raw image (JPEG) data.


	* Unattended key generation

	Please see the GnuPG manual for a description.


	* Layout of the TrustDB

	The TrustDB is built from fixed length records, where the first byte
	describes the record type. All numeric values are stored in network
	byte order. The length of each record is 40 bytes. The first record
	of the DB is always of type 1 and this is the only record of this
	type.

	FIXME: The layout changed, document it here.
	#+begin_example
	Record type 0:
	--------------
	Unused record, can be reused for any purpose.

	Record type 1:
	--------------
	Version information for this TrustDB. This is always the first
	record of the DB and the only one with type 1.
	1 byte value 1
	3 bytes 'gpg' magic value
	1 byte Version of the TrustDB (2)
	1 byte marginals needed
	1 byte completes needed
	1 byte max_cert_depth
	The three items are used to check whether the cached
	validity value from the dir record can be used.
	1 u32 locked flags [not used]
	1 u32 timestamp of trustdb creation
	1 u32 timestamp of last modification which may affect the validity
	of keys in the trustdb. This value is checked against the
	validity timestamp in the dir records.
	1 u32 timestamp of last validation [currently not used]
	(Used to keep track of the time, when this TrustDB was checked
	against the pubring)
	1 u32 record number of keyhashtable [currently not used]
	1 u32 first free record
	1 u32 record number of shadow directory hash table [currently not used]
	It does not make sense to combine this table with the key table
	because the keyid is not in every case a part of the fingerprint.
	1 u32 record number of the trusthashtbale


	Record type 2: (directory record)
	--------------
	Informations about a public key certificate.
	These are static values which are never changed without user interaction.

	1 byte value 2
	1 byte reserved
	1 u32 LID . (This is simply the record number of this record.)
	1 u32 List of key-records (the first one is the primary key)
	1 u32 List of uid-records
	1 u32 cache record
	1 byte ownertrust
	1 byte dirflag
	1 byte maximum validity of all the user ids
	1 u32 time of last validity check.
	1 u32 Must check when this time has been reached.
	(0 = no check required)


	Record type 3: (key record)
	--------------
	Informations about a primary public key.
	(This is mainly used to lookup a trust record)

	1 byte value 3
	1 byte reserved
	1 u32 LID
	1 u32 next - next key record
	7 bytes reserved
	1 byte keyflags
	1 byte pubkey algorithm
	1 byte length of the fingerprint (in bytes)
	20 bytes fingerprint of the public key
	(This is the value we use to identify a key)

	Record type 4: (uid record)
	--------------
	Informations about a userid
	We do not store the userid but the hash value of the userid because that
	is sufficient.

	1 byte value 4
	1 byte reserved
	1 u32 LID points to the directory record.
	1 u32 next next userid
	1 u32 pointer to preference record
	1 u32 siglist list of valid signatures
	1 byte uidflags
	1 byte validity of the key calculated over this user id
	20 bytes ripemd160 hash of the username.


	Record type 5: (pref record)
	--------------
	This record type is not anymore used.

	1 byte value 5
	1 byte reserved
	1 u32 LID; points to the directory record (and not to the uid record!).
	(or 0 for standard preference record)
	1 u32 next
	30 byte preference data

	Record type 6 (sigrec)
	-------------
	Used to keep track of key signatures. Self-signatures are not
	stored. If a public key is not in the DB, the signature points to
	a shadow dir record, which in turn has a list of records which
	might be interested in this key (and the signature record here
	is one).

	1 byte value 6
	1 byte reserved
	1 u32 LID points back to the dir record
	1 u32 next next sigrec of this uid or 0 to indicate the
	last sigrec.
	6 times
	1 u32 Local_id of signatures dir or shadow dir record
	1 byte Flag: Bit 0 = checked: Bit 1 is valid (we have a real
	directory record for this)
	1 = valid is set (but may be revoked)



	Record type 8: (shadow directory record)
	--------------
	This record is used to reserve a LID for a public key. We
	need this to create the sig records of other keys, even if we
	do not yet have the public key of the signature.
	This record (the record number to be more precise) will be reused
	as the dir record when we import the real public key.

	1 byte value 8
	1 byte reserved
	1 u32 LID (This is simply the record number of this record.)
	2 u32 keyid
	1 byte pubkey algorithm
	3 byte reserved
	1 u32 hintlist A list of records which have references to
	this key. This is used for fast access to
	signature records which are not yet checked.
	Note, that this is only a hint and the actual records
	may not anymore hold signature records for that key
	but that the code cares about this.
	18 byte reserved



	Record Type 10 (hash table)
	--------------
	Due to the fact that we use fingerprints to lookup keys, we can
	implement quick access by some simple hash methods, and avoid
	the overhead of gdbm. A property of fingerprints is that they can be
	used directly as hash values. (They can be considered as strong
	random numbers.)
	What we use is a dynamic multilevel architecture, which combines
	hashtables, record lists, and linked lists.

	This record is a hashtable of 256 entries; a special property
	is that all these records are stored consecutively to make one
	big table. The hash value is simple the 1st, 2nd, ... byte of
	the fingerprint (depending on the indirection level).

	When used to hash shadow directory records, a different table is used
	and indexed by the keyid.

	1 byte value 10
	1 byte reserved
	n u32 recnum; n depends on the record length:
	n = (reclen-2)/4 which yields 9 for the current record length
	of 40 bytes.

	the total number of such record which makes up the table is:
	m = (256+n-1) / n
	which is 29 for a record length of 40.

	To look up a key we use the first byte of the fingerprint to get
	the recnum from this hashtable and look up the addressed record:
	- If this record is another hashtable, we use 2nd byte
	to index this hash table and so on.
	- if this record is a hashlist, we walk all entries
	until we found one a matching one.
	- if this record is a key record, we compare the
	fingerprint and to decide whether it is the requested key;


	Record type 11 (hash list)
	--------------
	see hash table for an explanation.
	This is also used for other purposes.

	1 byte value 11
	1 byte reserved
	1 u32 next next hash list record
	n times n = (reclen-5)/5
	1 u32 recnum

	For the current record length of 40, n is 7



	Record type 254 (free record)
	---------------
	All these records form a linked list of unused records.
	1 byte value 254
	1 byte reserved (0)
	1 u32 next_free
	#+end_example


	* GNU extensions to the S2K algorithm

	1 octet - S2K Usage: either 254 or 255.
	1 octet - S2K Cipher Algo: 0
	1 octet - S2K Specifier: 101
	3 octets - "GNU"
	1 octet - GNU S2K Extension Number.

	If such a GNU extension is used neither an IV nor any kind of
	checksum is used. The defined GNU S2K Extension Numbers are:

	- 1 :: Do not store the secret part at all. No specific data
	follows.

	- 2 :: A stub to access smartcards. This data follows:
	- One octet with the length of the following serial number.
	- The serial number. Regardless of what the length octet
	indicates no more than 16 octets are stored.

	Note that gpg stores the GNU S2K Extension Number internally as an
	S2K Specifier with an offset of 1000.


	* Keyserver helper message format

	The keyserver may be contacted by a Unix Domain socket or via TCP.

	The format of a request is:
	#+begin_example
	command-tag
	"Content-length:" digits
	CRLF
	#+end_example

	Where command-tag is

	#+begin_example
	NOOP
	GET <user-name>
	PUT
	DELETE <user-name>
	#+end_example

	The format of a response is:

	#+begin_example
	"GNUPG/1.0" status-code status-text
	"Content-length:" digits
	CRLF
	#+end_example
	followed by <digits> bytes of data

	Status codes are:

	- 1xx :: Informational - Request received, continuing process

	- 2xx :: Success - The action was successfully received, understood,
	and accepted

	- 4xx :: Client Error - The request contains bad syntax or cannot be
	fulfilled

	- 5xx :: Server Error - The server failed to fulfill an apparently
	valid request


	* Object identifiers

	OIDs below the GnuPG arc:

	#+begin_example
	1.3.6.1.4.1.11591.2 GnuPG
	1.3.6.1.4.1.11591.2.1 notation
	1.3.6.1.4.1.11591.2.1.1 pkaAddress
	1.3.6.1.4.1.11591.2.2 X.509 extensions
	1.3.6.1.4.1.11591.2.2.1 standaloneCertificate
	1.3.6.1.4.1.11591.2.2.2 wellKnownPrivateKey
	1.3.6.1.4.1.11591.2.12242973 invalid encoded OID
	#+end_example



	* Miscellaneous notes

	** v3 fingerprints
	For packet version 3 we calculate the keyids this way:
	- RSA :: Low 64 bits of n
	- ELGAMAL :: Build a v3 pubkey packet (with CTB 0x99) and
	calculate a RMD160 hash value from it. This is used
	as the fingerprint and the low 64 bits are the keyid.

	** Simplified revocation certificates
	Revocation certificates consist only of the signature packet;
	"--import" knows how to handle this. The rationale behind it is to
	keep them small.

	** Documentation on HKP (the http keyserver protocol):

	A minimalistic HTTP server on port 11371 recognizes a GET for
	/pks/lookup. The standard http URL encoded query parameters are
	this (always key=value):

	- op=index (like pgp -kv), op=vindex (like pgp -kvv) and op=get (like
	pgp -kxa)

	- search=<stringlist>. This is a list of words that must occur in the key.
	The words are delimited with space, points, @ and so on. The delimiters
	are not searched for and the order of the words doesn't matter (but see
	next option).

	- exact=on. This switch tells the hkp server to only report exact matching
	keys back. In this case the order and the "delimiters" are important.

	- fingerprint=on. Also reports the fingerprints when used with 'index' or
	'vindex'

	The keyserver also recognizes http-POSTs to /pks/add. Use this to upload
	keys.


	A better way to do this would be a request like:

	/pks/lookup/<gnupg_formatierte_user_id>?op=<operation>

	This can be implemented using Hurd's translator mechanism.
	However, I think the whole key server stuff has to be re-thought;
	I have some ideas and probably create a white paper.
	** Algorithm names for the "keygen.algo" prompt

	When using a --command-fd controlled key generation or "addkey"
	there is way to know the number to enter on the "keygen.algo"
	prompt. The displayed numbers are for human reception and may
	change with releases. To provide a stable way to enter a desired
	algorithm choice the prompt also accepts predefined names for the
	algorithms, which will not change.

	\| Name \| No \| Description \|
	\|---------+----+---------------------------------\|
	\| rsa+rsa \| 1 \| RSA and RSA (default) \|
	\| dsa+elg \| 2 \| DSA and Elgamal \|
	\| dsa \| 3 \| DSA (sign only) \|
	\| rsa/s \| 4 \| RSA (sign only) \|
	\| elg \| 5 \| Elgamal (encrypt only) \|
	\| rsa/e \| 6 \| RSA (encrypt only) \|
	\| dsa/* \| 7 \| DSA (set your own capabilities) \|
	\| rsa/* \| 8 \| RSA (set your own capabilities) \|
	\| ecc+ecc \| 9 \| ECC and ECC \|
	\| ecc/s \| 10 \| ECC (sign only) \|
	\| ecc/* \| 11 \| ECC (set your own capabilities) \|
	\| ecc/e \| 12 \| ECC (encrypt only) \|
	\| keygrip \| 13 \| Existing key \|

	If one of the "foo/*" names are used a "keygen.flags" prompt needs
	to be answered as well. Instead of toggling the predefined flags,
	it is also possible to set them direct: Use a "=" character
	directly followed by a comination of "a" (for authentication), "s"
	(for signing), or "c" (for certification).
	diff --git a/doc/gpg-agent.texi b/doc/gpg-agent.texi
	index dea462e0d..eb02c9c75 100644
	--- a/doc/gpg-agent.texi
	+++ b/doc/gpg-agent.texi
	@@ -1,1596 +1,1596 @@
	@c Copyright (C) 2002 Free Software Foundation, Inc.
	@c This is part of the GnuPG manual.
	@c For copying conditions, see the file gnupg.texi.

	@c Note that we use this texinfo file for all versions of GnuPG:
	@c 2.0 and 2.1. The macro "gpgtwoone" controls parts which are only
	@c valid for GnuPG 2.1 and later.


	@node Invoking GPG-AGENT
	@chapter Invoking GPG-AGENT
	@cindex GPG-AGENT command options
	@cindex command options
	@cindex options, GPG-AGENT command

	@manpage gpg-agent.1
	@ifset manverb
	.B gpg-agent
	\- Secret key management for GnuPG
	@end ifset

	@mansect synopsis
	@ifset manverb
	.B gpg-agent
	.RB [ \-\-homedir
	.IR dir ]
	.RB [ \-\-options
	.IR file ]
	.RI [ options ]
	.br
	.B gpg-agent
	.RB [ \-\-homedir
	.IR dir ]
	.RB [ \-\-options
	.IR file ]
	.RI [ options ]
	.B \-\-server
	.br
	.B gpg-agent
	.RB [ \-\-homedir
	.IR dir ]
	.RB [ \-\-options
	.IR file ]
	.RI [ options ]
	.B \-\-daemon
	.RI [ command_line ]
	@end ifset

	@mansect description
	@command{gpg-agent} is a daemon to manage secret (private) keys
	independently from any protocol. It is used as a backend for
	@command{gpg} and @command{gpgsm} as well as for a couple of other
	utilities.

	@ifset gpgtwoone
	The agent is automatically started on demand by @command{gpg},
	@command{gpgsm}, @command{gpgconf}, or @command{gpg-connect-agent}.
	Thus there is no reason to start it manually. In case you want to use
	the included Secure Shell Agent you may start the agent using:

	@example
	gpg-connect-agent /bye
	@end example
	@end ifset

	@ifclear gpgtwoone
	@noindent
	The usual way to run the agent is from the @code{~/.xsession} file:

	@example
	eval $(gpg-agent --daemon)
	@end example
	@noindent
	If you don't use an X server, you can also put this into your regular
	startup file @code{~/.profile} or @code{.bash_profile}. It is best not
	to run multiple instance of the @command{gpg-agent}, so you should make
	sure that only one is running: @command{gpg-agent} uses an environment
	variable to inform clients about the communication parameters. You can
	write the content of this environment variable to a file so that you can
	test for a running agent. Here is an example using Bourne shell syntax:

	@smallexample
	gpg-agent --daemon --enable-ssh-support \
	--write-env-file "$@{HOME@}/.gpg-agent-info"
	@end smallexample

	This code should only be run once per user session to initially fire up
	the agent. In the example the optional support for the included Secure
	Shell agent is enabled and the information about the agent is written to
	a file in the HOME directory. Note that by running gpg-agent without
	arguments you may test whether an agent is already running; however such
	a test may lead to a race condition, thus it is not suggested.

	@noindent
	The second script needs to be run for each interactive session:

	@smallexample
	if [ -f "$@{HOME@}/.gpg-agent-info" ]; then
	. "$@{HOME@}/.gpg-agent-info"
	export GPG_AGENT_INFO
	export SSH_AUTH_SOCK
	fi
	@end smallexample

	@noindent
	It reads the data out of the file and exports the variables. If you
	don't use Secure Shell, you don't need the last two export statements.
	@end ifclear

	@noindent
	You should always add the following lines to your @code{.bashrc} or
	whatever initialization file is used for all shell invocations:

	@smallexample
	GPG_TTY=$(tty)
	export GPG_TTY
	@end smallexample

	@noindent
	It is important that this environment variable always reflects the
	output of the @code{tty} command. For W32 systems this option is not
	required.

	Please make sure that a proper pinentry program has been installed
	under the default filename (which is system dependent) or use the
	option @option{pinentry-program} to specify the full name of that program.
	It is often useful to install a symbolic link from the actual used
	pinentry (e.g. @file{/usr/bin/pinentry-gtk}) to the expected
	one (e.g. @file{/usr/bin/pinentry}).

	@manpause
	@noindent
	@xref{Option Index},for an index to @command{GPG-AGENT}'s commands and options.
	@mancont

	@menu
	* Agent Commands:: List of all commands.
	* Agent Options:: List of all options.
	* Agent Configuration:: Configuration files.
	* Agent Signals:: Use of some signals.
	* Agent Examples:: Some usage examples.
	* Agent Protocol:: The protocol the agent uses.
	@end menu

	@mansect commands
	@node Agent Commands
	@section Commands

	Commands are not distinguished from options except for the fact that
	only one command is allowed.

	@table @gnupgtabopt
	@item --version
	@opindex version
	Print the program version and licensing information. Note that you cannot
	abbreviate this command.

	@item --help
	@itemx -h
	@opindex help
	Print a usage message summarizing the most useful command-line options.
	Note that you cannot abbreviate this command.

	@item --dump-options
	@opindex dump-options
	Print a list of all available options and commands. Note that you cannot
	abbreviate this command.

	@item --server
	@opindex server
	Run in server mode and wait for commands on the @code{stdin}. The
	default mode is to create a socket and listen for commands there.

	@item --daemon [@var{command line}]
	@opindex daemon
	Start the gpg-agent as a daemon; that is, detach it from the console
	and run it in the background.
	@ifclear gpgtwoone
	Because @command{gpg-agent} prints out
	important information required for further use, a common way of
	invoking gpg-agent is: @code{eval $(gpg-agent --daemon)} to setup the
	environment variables. The option @option{--write-env-file} is
	another way commonly used to do this.
	@end ifclear
	Yet another way is creating
	a new process as a child of gpg-agent: @code{gpg-agent --daemon
	/bin/sh}. This way you get a new shell with the environment setup
	properly; if you exit from this shell, gpg-agent terminates as well.
	@end table

	@mansect options
	@node Agent Options
	@section Option Summary

	@table @gnupgtabopt

	@anchor{option --options}
	@item --options @var{file}
	@opindex options
	Reads configuration from @var{file} instead of from the default
	per-user configuration file. The default configuration file is named
	@file{gpg-agent.conf} and expected in the @file{.gnupg} directory directly
	below the home directory of the user.

	@anchor{option --homedir}
	@include opt-homedir.texi


	@item -v
	@item --verbose
	@opindex verbose
	Outputs additional information while running.
	You can increase the verbosity by giving several
	verbose commands to @command{gpgsm}, such as @samp{-vv}.

	@item -q
	@item --quiet
	@opindex quiet
	Try to be as quiet as possible.

	@item --batch
	@opindex batch
	Don't invoke a pinentry or do any other thing requiring human interaction.

	@item --faked-system-time @var{epoch}
	@opindex faked-system-time
	This option is only useful for testing; it sets the system time back or
	forth to @var{epoch} which is the number of seconds elapsed since the year
	1970.

	@item --debug-level @var{level}
	@opindex debug-level
	Select the debug level for investigating problems. @var{level} may be
	a numeric value or a keyword:

	@table @code
	@item none
	No debugging at all. A value of less than 1 may be used instead of
	the keyword.
	@item basic
	Some basic debug messages. A value between 1 and 2 may be used
	instead of the keyword.
	@item advanced
	More verbose debug messages. A value between 3 and 5 may be used
	instead of the keyword.
	@item expert
	Even more detailed messages. A value between 6 and 8 may be used
	instead of the keyword.
	@item guru
	All of the debug messages you can get. A value greater than 8 may be
	used instead of the keyword. The creation of hash tracing files is
	only enabled if the keyword is used.
	@end table

	How these messages are mapped to the actual debugging flags is not
	specified and may change with newer releases of this program. They are
	however carefully selected to best aid in debugging.

	@item --debug @var{flags}
	@opindex debug
	This option is only useful for debugging and the behaviour may change at
	any time without notice. FLAGS are bit encoded and may be given in
	usual C-Syntax. The currently defined bits are:

	@table @code
	@item 0 (1)
	X.509 or OpenPGP protocol related data
	@item 1 (2)
	values of big number integers
	@item 2 (4)
	low level crypto operations
	@item 5 (32)
	memory allocation
	@item 6 (64)
	caching
	@item 7 (128)
	show memory statistics.
	@item 9 (512)
	write hashed data to files named @code{dbgmd-000*}
	@item 10 (1024)
	trace Assuan protocol
	@item 12 (4096)
	bypass all certificate validation
	@end table

	@item --debug-all
	@opindex debug-all
	Same as @code{--debug=0xffffffff}

	@item --debug-wait @var{n}
	@opindex debug-wait
	When running in server mode, wait @var{n} seconds before entering the
	actual processing loop and print the pid. This gives time to attach a
	debugger.

	@item --debug-quick-random
	@opindex debug-quick-random
	This option inhibits the use of the very secure random quality level
	(Libgcrypt’s @code{GCRY_VERY_STRONG_RANDOM}) and degrades all request
	down to standard random quality. It is only used for testing and
	shall not be used for any production quality keys. This option is
	only effective when given on the command line.

	@item --debug-pinentry
	@opindex debug-pinentry
	This option enables extra debug information pertaining to the
	Pinentry. As of now it is only useful when used along with
	@code{--debug 1024}.

	@item --no-detach
	@opindex no-detach
	Don't detach the process from the console. This is mainly useful for
	debugging.

	@item -s
	@itemx --sh
	@itemx -c
	@itemx --csh
	@opindex sh
	@opindex csh
	Format the info output in daemon mode for use with the standard Bourne
	shell or the C-shell respectively. The default is to guess it based on
	the environment variable @code{SHELL} which is correct in almost all
	cases.

	@ifclear gpgtwoone
	@item --write-env-file @var{file}
	@opindex write-env-file
	Often it is required to connect to the agent from a process not being an
	inferior of @command{gpg-agent} and thus the environment variable with
	the socket name is not available. To help setting up those variables in
	other sessions, this option may be used to write the information into
	@var{file}. If @var{file} is not specified the default name
	@file{$@{HOME@}/.gpg-agent-info} will be used. The format is suitable
	to be evaluated by a Bourne shell like in this simple example:

	@example
	eval $(cat @var{file})
	eval $(cut -d= -f 1 < @var{file} \| xargs echo export)
	@end example
	@end ifclear


	@item --no-grab
	@opindex no-grab
	Tell the pinentry not to grab the keyboard and mouse. This option
	should in general not be used to avoid X-sniffing attacks.

	@anchor{option --log-file}
	@item --log-file @var{file}
	@opindex log-file
	Append all logging output to @var{file}. This is very helpful in seeing
	what the agent actually does. If neither a log file nor a log file
	descriptor has been set on a Windows platform, the Registry entry
	@code{HKCU\Software\GNU\GnuPG:DefaultLogFile}, if set, is used to specify
	the logging output.


	@anchor{option --no-allow-mark-trusted}
	@item --no-allow-mark-trusted
	@opindex no-allow-mark-trusted
	Do not allow clients to mark keys as trusted, i.e. put them into the
	@file{trustlist.txt} file. This makes it harder for users to inadvertently
	accept Root-CA keys.

	@anchor{option --allow-preset-passphrase}
	@item --allow-preset-passphrase
	@opindex allow-preset-passphrase
	This option allows the use of @command{gpg-preset-passphrase} to seed the
	internal cache of @command{gpg-agent} with passphrases.

	@ifset gpgtwoone
	@anchor{option --allow-loopback-pinentry}
	@item --allow-loopback-pinentry
	@opindex allow-loopback-pinentry
	Allow clients to use the loopback pinentry features; see the option
	@option{pinentry-mode} for details.
	@end ifset

	@ifset gpgtwoone
	@item --no-allow-external-cache
	@opindex no-allow-external-cache
	Tell Pinentry not to enable features which use an external cache for
	passphrases.

	Some desktop environments prefer to unlock all
	credentials with one master password and may have installed a Pinentry
	which employs an additional external cache to implement such a policy.
	By using this option the Pinentry is advised not to make use of such a
	cache and instead always ask the user for the requested passphrase.
	@end ifset

	@item --ignore-cache-for-signing
	@opindex ignore-cache-for-signing
	This option will let @command{gpg-agent} bypass the passphrase cache for all
	signing operation. Note that there is also a per-session option to
	control this behaviour but this command line option takes precedence.

	@item --default-cache-ttl @var{n}
	@opindex default-cache-ttl
	Set the time a cache entry is valid to @var{n} seconds. The default is
	600 seconds.

	@item --default-cache-ttl-ssh @var{n}
	@opindex default-cache-ttl
	Set the time a cache entry used for SSH keys is valid to @var{n}
	seconds. The default is 1800 seconds.

	@item --max-cache-ttl @var{n}
	@opindex max-cache-ttl
	Set the maximum time a cache entry is valid to @var{n} seconds. After
	this time a cache entry will be expired even if it has been accessed
	recently or has been set using @command{gpg-preset-passphrase}. The
	default is 2 hours (7200 seconds).

	@item --max-cache-ttl-ssh @var{n}
	@opindex max-cache-ttl-ssh
	Set the maximum time a cache entry used for SSH keys is valid to
	@var{n} seconds. After this time a cache entry will be expired even
	if it has been accessed recently or has been set using
	@command{gpg-preset-passphrase}. The default is 2 hours (7200
	seconds).

	@item --enforce-passphrase-constraints
	@opindex enforce-passphrase-constraints
	Enforce the passphrase constraints by not allowing the user to bypass
	them using the ``Take it anyway'' button.

	@item --min-passphrase-len @var{n}
	@opindex min-passphrase-len
	Set the minimal length of a passphrase. When entering a new passphrase
	shorter than this value a warning will be displayed. Defaults to 8.

	@item --min-passphrase-nonalpha @var{n}
	@opindex min-passphrase-nonalpha
	Set the minimal number of digits or special characters required in a
	passphrase. When entering a new passphrase with less than this number
	of digits or special characters a warning will be displayed. Defaults
	to 1.

	@item --check-passphrase-pattern @var{file}
	@opindex check-passphrase-pattern
	Check the passphrase against the pattern given in @var{file}. When
	entering a new passphrase matching one of these pattern a warning will
	be displayed. @var{file} should be an absolute filename. The default is
	not to use any pattern file.

	Security note: It is known that checking a passphrase against a list of
	pattern or even against a complete dictionary is not very effective to
	enforce good passphrases. Users will soon figure up ways to bypass such
	a policy. A better policy is to educate users on good security
	behavior and optionally to run a passphrase cracker regularly on all
	users passphrases to catch the very simple ones.

	@item --max-passphrase-days @var{n}
	@opindex max-passphrase-days
	Ask the user to change the passphrase if @var{n} days have passed since
	the last change. With @option{--enforce-passphrase-constraints} set the
	user may not bypass this check.

	@item --enable-passphrase-history
	@opindex enable-passphrase-history
	This option does nothing yet.

	@item --pinentry-program @var{filename}
	@opindex pinentry-program
	Use program @var{filename} as the PIN entry. The default is
	installation dependent. With the default configuration the name of
	the default pinentry is @file{pinentry}; if that file does not exist
	but a @file{pinentry-basic} exist the latter is used.

	@item --pinentry-touch-file @var{filename}
	@opindex pinentry-touch-file
	By default the filename of the socket gpg-agent is listening for
	requests is passed to Pinentry, so that it can touch that file before
	exiting (it does this only in curses mode). This option changes the
	file passed to Pinentry to @var{filename}. The special name
	@code{/dev/null} may be used to completely disable this feature. Note
	that Pinentry will not create that file, it will only change the
	modification and access time.


	@item --scdaemon-program @var{filename}
	@opindex scdaemon-program
	Use program @var{filename} as the Smartcard daemon. The default is
	installation dependent and can be shown with the @command{gpgconf}
	command.

	@item --disable-scdaemon
	@opindex disable-scdaemon
	Do not make use of the scdaemon tool. This option has the effect of
	disabling the ability to do smartcard operations. Note, that enabling
	this option at runtime does not kill an already forked scdaemon.

	@ifset gpgtwoone
	@item --disable-check-own-socket
	@opindex disable-check-own-socket
	@command{gpg-agent} employs a periodic self-test to detect a stolen
	socket. This usually means a second instance of @command{gpg-agent}
	has taken over the socket and @command{gpg-agent} will then terminate
	itself. This option may be used to disable this self-test for
	debugging purposes.
	@end ifset

	@item --use-standard-socket
	@itemx --no-use-standard-socket
	@itemx --use-standard-socket-p
	@opindex use-standard-socket
	@opindex no-use-standard-socket
	@opindex use-standard-socket-p
	@ifset gpgtwoone
	Since GnuPG 2.1 the standard socket is always used. These options
	have no more effect. The command @code{gpg-agent
	--use-standard-socket-p} will thus always return success.
	@end ifset
	@ifclear gpgtwoone
	By enabling this option @command{gpg-agent} will listen on the socket
	named @file{S.gpg-agent}, located in the home directory, and not create
	a random socket below a temporary directory. Tools connecting to
	@command{gpg-agent} should first try to connect to the socket given in
	environment variable @var{GPG_AGENT_INFO} and then fall back to this
	socket. This option may not be used if the home directory is mounted on
	a remote file system which does not support special files like fifos or
	sockets.

	Note, that @option{--use-standard-socket} is the default on
	Windows systems.

	The default may be changed at build time. It is
	possible to test at runtime whether the agent has been configured for
	use with the standard socket by issuing the command @command{gpg-agent
	--use-standard-socket-p} which returns success if the standard socket
	option has been enabled.
	@end ifclear

	@item --display @var{string}
	@itemx --ttyname @var{string}
	@itemx --ttytype @var{string}
	@itemx --lc-ctype @var{string}
	@itemx --lc-messages @var{string}
	@itemx --xauthority @var{string}
	@opindex display
	@opindex ttyname
	@opindex ttytype
	@opindex lc-ctype
	@opindex lc-messages
	@opindex xauthority
	These options are used with the server mode to pass localization
	information.

	@item --keep-tty
	@itemx --keep-display
	@opindex keep-tty
	@opindex keep-display
	Ignore requests to change the current @code{tty} or X window system's
	@code{DISPLAY} variable respectively. This is useful to lock the
	pinentry to pop up at the @code{tty} or display you started the agent.


	@anchor{option --extra-socket}
	@item --extra-socket @var{name}
	@opindex extra-socket
	Also listen on native gpg-agent connections on the given socket. The
	intended use for this extra socket is to setup a Unix domain socket
	forwarding from a remote machine to this socket on the local machine.
	A @command{gpg} running on the remote machine may then connect to the
	local gpg-agent and use its private keys. This allows to decrypt or
	sign data on a remote machine without exposing the private keys to the
	remote machine.


	@anchor{option --enable-ssh-support}
	@item --enable-ssh-support
	@opindex enable-ssh-support

	Enable the OpenSSH Agent protocol.

	In this mode of operation, the agent does not only implement the
	gpg-agent protocol, but also the agent protocol used by OpenSSH
	(through a separate socket). Consequently, it should be possible to use
	the gpg-agent as a drop-in replacement for the well known ssh-agent.

	SSH Keys, which are to be used through the agent, need to be added to
	the gpg-agent initially through the ssh-add utility. When a key is
	added, ssh-add will ask for the password of the provided key file and
	send the unprotected key material to the agent; this causes the
	gpg-agent to ask for a passphrase, which is to be used for encrypting
	the newly received key and storing it in a gpg-agent specific
	directory.

	Once a key has been added to the gpg-agent this way, the gpg-agent
	will be ready to use the key.

	Note: in case the gpg-agent receives a signature request, the user might
	need to be prompted for a passphrase, which is necessary for decrypting
	the stored key. Since the ssh-agent protocol does not contain a
	mechanism for telling the agent on which display/terminal it is running,
	gpg-agent's ssh-support will use the TTY or X display where gpg-agent
	has been started. To switch this display to the current one, the
	following command may be used:

	@smallexample
	gpg-connect-agent updatestartuptty /bye
	@end smallexample

	Although all GnuPG components try to start the gpg-agent as needed, this
	is not possible for the ssh support because ssh does not know about it.
	Thus if no GnuPG tool which accesses the agent has been run, there is no
	guarantee that ssh is able to use gpg-agent for authentication. To fix
	this you may start gpg-agent if needed using this simple command:

	@smallexample
	gpg-connect-agent /bye
	@end smallexample

	Adding the @option{--verbose} shows the progress of starting the agent.

	@end table

	All the long options may also be given in the configuration file after
	stripping off the two leading dashes.


	@mansect files
	@node Agent Configuration
	@section Configuration

	There are a few configuration files needed for the operation of the
	agent. By default they may all be found in the current home directory
	(@pxref{option --homedir}).

	@table @file

	@item gpg-agent.conf
	@cindex gpg-agent.conf
	This is the standard configuration file read by @command{gpg-agent} on
	startup. It may contain any valid long option; the leading
	two dashes may not be entered and the option may not be abbreviated.
	This file is also read after a @code{SIGHUP} however only a few
	options will actually have an effect. This default name may be
	changed on the command line (@pxref{option --options}).
	You should backup this file.

	@item trustlist.txt
	This is the list of trusted keys. You should backup this file.

	Comment lines, indicated by a leading hash mark, as well as empty
	lines are ignored. To mark a key as trusted you need to enter its
	fingerprint followed by a space and a capital letter @code{S}. Colons
	may optionally be used to separate the bytes of a fingerprint; this
	allows to cut and paste the fingerprint from a key listing output. If
	the line is prefixed with a @code{!} the key is explicitly marked as
	not trusted.

	Here is an example where two keys are marked as ultimately trusted
	and one as not trusted:

	@cartouche
	@smallexample
	# CN=Wurzel ZS 3,O=Intevation GmbH,C=DE
	A6935DD34EF3087973C706FC311AA2CCF733765B S

	# CN=PCA-1-Verwaltung-02/O=PKI-1-Verwaltung/C=DE
	DC:BD:69:25:48:BD:BB:7E:31:6E:BB:80:D3:00:80:35:D4:F8:A6:CD S

	# CN=Root-CA/O=Schlapphuete/L=Pullach/C=DE
	!14:56:98:D3:FE:9C:CA:5A:31:6E:BC:81:D3:11:4E:00:90:A3:44:C2 S
	@end smallexample
	@end cartouche

	Before entering a key into this file, you need to ensure its
	authenticity. How to do this depends on your organisation; your
	administrator might have already entered those keys which are deemed
	trustworthy enough into this file. Places where to look for the
	fingerprint of a root certificate are letters received from the CA or
	the website of the CA (after making 100% sure that this is indeed the
	website of that CA). You may want to consider disallowing interactive
	updates of this file by using the @xref{option --no-allow-mark-trusted}.
	It might even be advisable to change the permissions to read-only so
	that this file can't be changed inadvertently.

	As a special feature a line @code{include-default} will include a global
	list of trusted certificates (e.g. @file{/etc/gnupg/trustlist.txt}).
	This global list is also used if the local list is not available.

	It is possible to add further flags after the @code{S} for use by the
	caller:

	@table @code

	@item relax
	@cindex relax
	Relax checking of some root certificate requirements. As of now this
	flag allows the use of root certificates with a missing basicConstraints
	attribute (despite that it is a MUST for CA certificates) and disables
	CRL checking for the root certificate.

	@item cm
	If validation of a certificate finally issued by a CA with this flag set
	fails, try again using the chain validation model.

	@end table


	@item sshcontrol
	@cindex sshcontrol
	This file is used when support for the secure shell agent protocol has
	been enabled (@pxref{option --enable-ssh-support}). Only keys present in
	this file are used in the SSH protocol. You should backup this file.

	The @command{ssh-add} tool may be used to add new entries to this file;
	you may also add them manually. Comment lines, indicated by a leading
	hash mark, as well as empty lines are ignored. An entry starts with
	optional whitespace, followed by the keygrip of the key given as 40 hex
	digits, optionally followed by the caching TTL in seconds and another
	optional field for arbitrary flags. A non-zero TTL overrides the global
	default as set by @option{--default-cache-ttl-ssh}.

	The only flag support is @code{confirm}. If this flag is found for a
	key, each use of the key will pop up a pinentry to confirm the use of
	that key. The flag is automatically set if a new key was loaded into
	@code{gpg-agent} using the option @option{-c} of the @code{ssh-add}
	command.

	The keygrip may be prefixed with a @code{!} to disable an entry entry.

	The following example lists exactly one key. Note that keys available
	through a OpenPGP smartcard in the active smartcard reader are
	implicitly added to this list; i.e. there is no need to list them.

	@cartouche
	@smallexample
	# Key added on: 2011-07-20 20:38:46
	# Fingerprint: 5e:8d:c4:ad:e7:af:6e:27:8a:d6:13:e4:79:ad:0b:81
	34B62F25E277CF13D3C6BCEBFD3F85D08F0A864B 0 confirm
	@end smallexample
	@end cartouche

	@item private-keys-v1.d/

	This is the directory where gpg-agent stores the private keys. Each
	key is stored in a file with the name made up of the keygrip and the
	suffix @file{key}. You should backup all files in this directory
	and take great care to keep this backup closed away.


	@end table

	Note that on larger installations, it is useful to put predefined
	files into the directory @file{/etc/skel/.gnupg/} so that newly created
	users start up with a working configuration. For existing users the
	a small helper script is provided to create these files (@pxref{addgnupghome}).



	@c
	@c Agent Signals
	@c
	@mansect signals
	@node Agent Signals
	@section Use of some signals.
	A running @command{gpg-agent} may be controlled by signals, i.e. using
	the @command{kill} command to send a signal to the process.

	Here is a list of supported signals:

	@table @gnupgtabopt

	@item SIGHUP
	@cpindex SIGHUP
	This signal flushes all cached passphrases and if the program has been
	started with a configuration file, the configuration file is read
	again. Only certain options are honored: @code{quiet},
	@code{verbose}, @code{debug}, @code{debug-all}, @code{debug-level},
	@code{debug-pinentry},
	@code{no-grab}, @code{pinentry-program}, @code{default-cache-ttl},
	@code{max-cache-ttl}, @code{ignore-cache-for-signing},
	@code{no-allow-external-cache},
	@code{no-allow-mark-trusted}, @code{disable-scdaemon}, and
	@code{disable-check-own-socket}. @code{scdaemon-program} is also
	supported but due to the current implementation, which calls the
	scdaemon only once, it is not of much use unless you manually kill the
	scdaemon.


	@item SIGTERM
	@cpindex SIGTERM
	Shuts down the process but waits until all current requests are
	fulfilled. If the process has received 3 of these signals and requests
	are still pending, a shutdown is forced.

	@item SIGINT
	@cpindex SIGINT
	Shuts down the process immediately.

	@item SIGUSR1
	@cpindex SIGUSR1
	Dump internal information to the log file.

	@item SIGUSR2
	@cpindex SIGUSR2
	This signal is used for internal purposes.

	@end table

	@c
	@c Examples
	@c
	@mansect examples
	@node Agent Examples
	@section Examples

	@ifset gpgtwoone
	It is important to set the GPG_TTY environment variable in
	your login shell, for example in the @file{~/.bashrc} init script:

	@cartouche
	@example
	export GPG_TTY=$(tty)
	@end example
	@end cartouche

	If you enabled the Ssh Agent Support, you also need to tell ssh about
	it by adding this to your init script:

	@cartouche
	@example
	unset SSH_AGENT_PID
	if [ "$@{gnupg_SSH_AUTH_SOCK_by:-0@}" -ne $$ ]; then
	export SSH_AUTH_SOCK="$@{HOME@}/.gnupg/S.gpg-agent.ssh"
	fi
	@end example
	@end cartouche
	@end ifset

	@ifclear gpgtwoone
	The usual way to invoke @command{gpg-agent} is

	@example
	$ eval $(gpg-agent --daemon)
	@end example

	An alternative way is by replacing @command{ssh-agent} with
	@command{gpg-agent}. If for example @command{ssh-agent} is started as
	part of the Xsession initialization, you may simply replace
	@command{ssh-agent} by a script like:

	@cartouche
	@example
	#!/bin/sh

	exec /usr/local/bin/gpg-agent --enable-ssh-support --daemon \
	--write-env-file $@{HOME@}/.gpg-agent-info "$@@"
	@end example
	@end cartouche

	@noindent
	and add something like (for Bourne shells)

	@cartouche
	@example
	if [ -f "$@{HOME@}/.gpg-agent-info" ]; then
	. "$@{HOME@}/.gpg-agent-info"
	export GPG_AGENT_INFO
	export SSH_AUTH_SOCK
	fi
	@end example
	@end cartouche

	@noindent
	to your shell initialization file (e.g. @file{~/.bashrc}).
	@end ifclear

	@c
	@c Assuan Protocol
	@c
	@manpause
	@node Agent Protocol
	@section Agent's Assuan Protocol

	Note: this section does only document the protocol, which is used by
	GnuPG components; it does not deal with the ssh-agent protocol.

	@ifset gpgtwoone
	The @command{gpg-agent} daemon is started on demand by the GnuPG
	components.
	@end ifset
	@ifclear gpgtwoone
	The @command{gpg-agent} should be started by the login shell and set an
	environment variable to tell clients about the socket to be used.
	Clients should deny to access an agent with a socket name which does
	not match its own configuration. An application may choose to start
	an instance of the gpg-agent if it does not figure that any has been
	started; it should not do this if a gpg-agent is running but not
	usable. Because @command{gpg-agent} can only be used in background mode, no
	special command line option is required to activate the use of the
	protocol.
	@end ifclear

	To identify a key we use a thing called keygrip which is the SHA-1 hash
	of an canonical encoded S-Expression of the public key as used in
	Libgcrypt. For the purpose of this interface the keygrip is given as a
	hex string. The advantage of using this and not the hash of a
	certificate is that it will be possible to use the same keypair for
	different protocols, thereby saving space on the token used to keep the
	secret keys.

	@ifset gpgtwoone
	The @command{gpg-agent} may send status messages during a command or when
	returning from a command to inform a client about the progress or result of an
	operation. For example, the @var{INQUIRE_MAXLEN} status message may be sent
	during a server inquire to inform the client of the maximum usable length of
	the inquired data (which should not be exceeded).
	@end ifset

	@menu
	* Agent PKDECRYPT:: Decrypting a session key
	* Agent PKSIGN:: Signing a Hash
	* Agent GENKEY:: Generating a Key
	* Agent IMPORT:: Importing a Secret Key
	* Agent EXPORT:: Exporting a Secret Key
	* Agent ISTRUSTED:: Importing a Root Certificate
	* Agent GET_PASSPHRASE:: Ask for a passphrase
	* Agent CLEAR_PASSPHRASE:: Expire a cached passphrase
	@ifset gpgtwoone
	* Agent PRESET_PASSPHRASE:: Set a passphrase for a keygrip
	@end ifset
	* Agent GET_CONFIRMATION:: Ask for confirmation
	* Agent HAVEKEY:: Check whether a key is available
	* Agent LEARN:: Register a smartcard
	* Agent PASSWD:: Change a Passphrase
	* Agent UPDATESTARTUPTTY:: Change the Standard Display
	* Agent GETEVENTCOUNTER:: Get the Event Counters
	* Agent GETINFO:: Return information about the process
	* Agent OPTION:: Set options for the session
	@end menu

	@node Agent PKDECRYPT
	@subsection Decrypting a session key

	The client asks the server to decrypt a session key. The encrypted
	session key should have all information needed to select the
	appropriate secret key or to delegate it to a smartcard.

	@example
	SETKEY <keyGrip>
	@end example

	Tell the server about the key to be used for decryption. If this is
	not used, @command{gpg-agent} may try to figure out the key by trying to
	decrypt the message with each key available.

	@example
	PKDECRYPT
	@end example

	The agent checks whether this command is allowed and then does an
	INQUIRY to get the ciphertext the client should then send the cipher
	text.

	@example
	S: INQUIRE CIPHERTEXT
	C: D (xxxxxx
	C: D xxxx)
	C: END
	@end example

	Please note that the server may send status info lines while reading the
	data lines from the client. The data send is a SPKI like S-Exp with
	this structure:

	@example
	(enc-val
	(<algo>
	(<param_name1> <mpi>)
	...
	(<param_namen> <mpi>)))
	@end example

	Where algo is a string with the name of the algorithm; see the libgcrypt
	documentation for a list of valid algorithms. The number and names of
	the parameters depend on the algorithm. The agent does return an error
	if there is an inconsistency.

	If the decryption was successful the decrypted data is returned by
	means of "D" lines.

	Here is an example session:
	@cartouche
	@smallexample
	C: PKDECRYPT
	S: INQUIRE CIPHERTEXT
	C: D (enc-val elg (a 349324324)
	C: D (b 3F444677CA)))
	C: END
	S: # session key follows
	S: S PADDING 0
	S: D (value 1234567890ABCDEF0)
	S: OK descryption successful
	@end smallexample
	@end cartouche

	The “PADDING” status line is only send if gpg-agent can tell what kind
	of padding is used. As of now only the value 0 is used to indicate
	that the padding has been removed.


	@node Agent PKSIGN
	@subsection Signing a Hash

	The client ask the agent to sign a given hash value. A default key
	will be chosen if no key has been set. To set a key a client first
	uses:

	@example
	SIGKEY <keyGrip>
	@end example

	This can be used multiple times to create multiple signature, the list
	of keys is reset with the next PKSIGN command or a RESET. The server
	test whether the key is a valid key to sign something and responds with
	okay.

	@example
	SETHASH --hash=<name>\|<algo> <hexstring>
	@end example

	The client can use this command to tell the server about the data <hexstring>
	(which usually is a hash) to be signed. <algo> is the decimal encoded hash
	algorithm number as used by Libgcrypt. Either <algo> or --hash=<name>
	must be given. Valid names for <name> are:

	@table @code
	@item sha1
	The SHA-1 hash algorithm
	@item sha256
	The SHA-256 hash algorithm
	@item rmd160
	The RIPE-MD160 hash algorithm
	@item md5
	The old and broken MD5 hash algorithm
	@item tls-md5sha1
	A combined hash algorithm as used by the TLS protocol.
	@end table

	@noindent
	The actual signing is done using

	@example
	PKSIGN <options>
	@end example

	Options are not yet defined, but my later be used to choose among
	different algorithms. The agent does then some checks, asks for the
	passphrase and as a result the server returns the signature as an SPKI
	like S-expression in "D" lines:

	@example
	(sig-val
	(<algo>
	(<param_name1> <mpi>)
	...
	(<param_namen> <mpi>)))
	@end example


	The operation is affected by the option

	@example
	OPTION use-cache-for-signing=0\|1
	@end example

	The default of @code{1} uses the cache. Setting this option to @code{0}
	will lead @command{gpg-agent} to ignore the passphrase cache. Note, that there is
	also a global command line option for @command{gpg-agent} to globally disable the
	caching.


	Here is an example session:
	@cartouche
	@smallexample
	C: SIGKEY <keyGrip>
	S: OK key available
	C: SIGKEY <keyGrip>
	S: OK key available
	C: PKSIGN
	S: # I did ask the user whether he really wants to sign
	S: # I did ask the user for the passphrase
	S: INQUIRE HASHVAL
	C: D ABCDEF012345678901234
	C: END
	S: # signature follows
	S: D (sig-val rsa (s 45435453654612121212))
	S: OK
	@end smallexample
	@end cartouche

	@node Agent GENKEY
	@subsection Generating a Key

	This is used to create a new keypair and store the secret key inside the
	active PSE --- which is in most cases a Soft-PSE. An not yet defined
	option allows to choose the storage location. To get the secret key out
	of the PSE, a special export tool has to be used.

	@example
	@ifset gpgtwoone
	GENKEY [--no-protection] [--preset] [<cache_nonce>]
	@end ifset
	@ifclear gpgtwoone
	GENKEY
	@end ifclear
	@end example

	Invokes the key generation process and the server will then inquire
	on the generation parameters, like:

	@example
	S: INQUIRE KEYPARM
	C: D (genkey (rsa (nbits 1024)))
	C: END
	@end example

	The format of the key parameters which depends on the algorithm is of
	the form:

	@example
	(genkey
	(algo
	(parameter_name_1 ....)
	....
	(parameter_name_n ....)))
	@end example

	If everything succeeds, the server returns the public key in a SPKI
	like S-Expression like this:

	@example
	(public-key
	(rsa
	(n <mpi>)
	(e <mpi>)))
	@end example

	Here is an example session:
	@cartouche
	@smallexample
	C: GENKEY
	S: INQUIRE KEYPARM
	C: D (genkey (rsa (nbits 1024)))
	C: END
	S: D (public-key
	S: D (rsa (n 326487324683264) (e 10001)))
	S OK key created
	@end smallexample
	@end cartouche

	@ifset gpgtwoone
	The @option{--no-protection} option may be used to prevent prompting for a
	passphrase to protect the secret key while leaving the secret key unprotected.
	The @option{--preset} option may be used to add the passphrase to the cache
	using the default cache parameters.

	The @option{--inq-passwd} option may be used to create the key with a
	supplied passphrase. When used the agent does an inquiry with the
	keyword @code{NEWPASSWD} to retrieve that passphrase. This option
	takes precedence over @option{--no-protection}; however if the client
	sends a empty (zero-length) passphrase, this is identical to
	@option{--no-protection}.
	@end ifset

	@node Agent IMPORT
	@subsection Importing a Secret Key

	This operation is not yet supported by GpgAgent. Specialized tools
	are to be used for this.

	There is no actual need because we can expect that secret keys
	created by a 3rd party are stored on a smartcard. If we have
	generated the key ourself, we do not need to import it.

	@node Agent EXPORT
	@subsection Export a Secret Key

	Not implemented.

	Should be done by an extra tool.

	@node Agent ISTRUSTED
	@subsection Importing a Root Certificate

	Actually we do not import a Root Cert but provide a way to validate
	any piece of data by storing its Hash along with a description and
	an identifier in the PSE. Here is the interface description:

	@example
	ISTRUSTED <fingerprint>
	@end example

	Check whether the OpenPGP primary key or the X.509 certificate with the
	given fingerprint is an ultimately trusted key or a trusted Root CA
	certificate. The fingerprint should be given as a hexstring (without
	any blanks or colons or whatever in between) and may be left padded with
	00 in case of an MD5 fingerprint. GPGAgent will answer with:

	@example
	OK
	@end example

	The key is in the table of trusted keys.

	@example
	ERR 304 (Not Trusted)
	@end example

	The key is not in this table.

	Gpg needs the entire list of trusted keys to maintain the web of
	trust; the following command is therefore quite helpful:

	@example
	LISTTRUSTED
	@end example

	GpgAgent returns a list of trusted keys line by line:

	@example
	S: D 000000001234454556565656677878AF2F1ECCFF P
	S: D 340387563485634856435645634856438576457A P
	S: D FEDC6532453745367FD83474357495743757435D S
	S: OK
	@end example

	The first item on a line is the hexified fingerprint where MD5
	fingerprints are @code{00} padded to the left and the second item is a
	flag to indicate the type of key (so that gpg is able to only take care
	of PGP keys). P = OpenPGP, S = S/MIME. A client should ignore the rest
	of the line, so that we can extend the format in the future.

	Finally a client should be able to mark a key as trusted:

	@example
	MARKTRUSTED @var{fingerprint} "P"\|"S"
	@end example

	The server will then pop up a window to ask the user whether she
	really trusts this key. For this it will probably ask for a text to
	be displayed like this:

	@example
	S: INQUIRE TRUSTDESC
	C: D Do you trust the key with the fingerprint @@FPR@@
	C: D bla fasel blurb.
	C: END
	S: OK
	@end example

	Known sequences with the pattern @@foo@@ are replaced according to this
	table:

	@table @code
	@item @@FPR16@@
	Format the fingerprint according to gpg rules for a v3 keys.
	@item @@FPR20@@
	Format the fingerprint according to gpg rules for a v4 keys.
	@item @@FPR@@
	Choose an appropriate format to format the fingerprint.
	@item @@@@
	Replaced by a single @code{@@}
	@end table

	@node Agent GET_PASSPHRASE
	@subsection Ask for a passphrase

	This function is usually used to ask for a passphrase to be used for
	-conventional encryption, but may also be used by programs which need
	+symmetric encryption, but may also be used by programs which need
	special handling of passphrases. This command uses a syntax which helps
	clients to use the agent with minimum effort.

	@example
	GET_PASSPHRASE [--data] [--check] [--no-ask] [--repeat[=N]] \
	[--qualitybar] @var{cache_id} \
	[@var{error_message} @var{prompt} @var{description}]
	@end example

	@var{cache_id} is expected to be a string used to identify a cached
	passphrase. Use a @code{X} to bypass the cache. With no other
	arguments the agent returns a cached passphrase or an error. By
	convention either the hexified fingerprint of the key shall be used for
	@var{cache_id} or an arbitrary string prefixed with the name of the
	calling application and a colon: Like @code{gpg:somestring}.

	@var{error_message} is either a single @code{X} for no error message or
	a string to be shown as an error message like (e.g. "invalid
	passphrase"). Blanks must be percent escaped or replaced by @code{+}'.

	@var{prompt} is either a single @code{X} for a default prompt or the
	text to be shown as the prompt. Blanks must be percent escaped or
	replaced by @code{+}.

	@var{description} is a text shown above the entry field. Blanks must be
	percent escaped or replaced by @code{+}.

	The agent either returns with an error or with a OK followed by the hex
	encoded passphrase. Note that the length of the strings is implicitly
	limited by the maximum length of a command. If the option
	@option{--data} is used, the passphrase is not returned on the OK line
	but by regular data lines; this is the preferred method.

	If the option @option{--check} is used, the standard passphrase
	constraints checks are applied. A check is not done if the passphrase
	has been found in the cache.

	If the option @option{--no-ask} is used and the passphrase is not in the
	cache the user will not be asked to enter a passphrase but the error
	code @code{GPG_ERR_NO_DATA} is returned.

	If the option @option{--qualitybar} is used and a minimum passphrase
	length has been configured, a visual indication of the entered
	passphrase quality is shown.

	@example
	CLEAR_PASSPHRASE @var{cache_id}
	@end example

	may be used to invalidate the cache entry for a passphrase. The
	function returns with OK even when there is no cached passphrase.



	@node Agent CLEAR_PASSPHRASE
	@subsection Remove a cached passphrase

	Use this command to remove a cached passphrase.

	@example
	@ifset gpgtwoone
	CLEAR_PASSPHRASE [--mode=normal] <cache_id>
	@end ifset
	@ifclear gpgtwoone
	CLEAR_PASSPHRASE <cache_id>
	@end ifclear
	@end example

	@ifset gpgtwoone
	The @option{--mode=normal} option can be used to clear a @var{cache_id} that
	was set by gpg-agent.
	@end ifset



	@ifset gpgtwoone
	@node Agent PRESET_PASSPHRASE
	@subsection Set a passphrase for a keygrip

	This command adds a passphrase to the cache for the specified @var{keygrip}.

	@example
	PRESET_PASSPHRASE [--inquire] <string_or_keygrip> <timeout> [<hexstring>]
	@end example

	The passphrase is a hexidecimal string when specified. When not specified, the
	passphrase will be retrieved from the pinentry module unless the
	@option{--inquire} option was specified in which case the passphrase will be
	retrieved from the client.

	The @var{timeout} parameter keeps the passphrase cached for the specified
	number of seconds. A value of @code{-1} means infinate while @code{0} means
	the default (currently only a timeout of -1 is allowed, which means to never
	expire it).
	@end ifset




	@node Agent GET_CONFIRMATION
	@subsection Ask for confirmation

	This command may be used to ask for a simple confirmation by
	presenting a text and 2 buttons: Okay and Cancel.

	@example
	GET_CONFIRMATION @var{description}
	@end example

	@var{description}is displayed along with a Okay and Cancel
	button. Blanks must be percent escaped or replaced by @code{+}. A
	@code{X} may be used to display confirmation dialog with a default
	text.

	The agent either returns with an error or with a OK. Note, that the
	length of @var{description} is implicitly limited by the maximum
	length of a command.



	@node Agent HAVEKEY
	@subsection Check whether a key is available

	This can be used to see whether a secret key is available. It does
	not return any information on whether the key is somehow protected.

	@example
	HAVEKEY @var{keygrips}
	@end example

	The agent answers either with OK or @code{No_Secret_Key} (208). The
	caller may want to check for other error codes as well. More than one
	keygrip may be given. In this case the command returns success if at
	least one of the keygrips corresponds to an available secret key.


	@node Agent LEARN
	@subsection Register a smartcard

	@example
	LEARN [--send]
	@end example

	This command is used to register a smartcard. With the --send
	option given the certificates are send back.


	@node Agent PASSWD
	@subsection Change a Passphrase

	@example
	@ifset gpgtwoone
	PASSWD [--cache-nonce=<c>] [--passwd-nonce=<s>] [--preset] @var{keygrip}
	@end ifset
	@ifclear gpgtwoone
	PASSWD @var{keygrip}
	@end ifclear
	@end example

	This command is used to interactively change the passphrase of the key
	identified by the hex string @var{keygrip}.

	@ifset gpgtwoone
	The @option{--preset} option may be used to add the new passphrase to the
	cache using the default cache parameters.
	@end ifset


	@node Agent UPDATESTARTUPTTY
	@subsection Change the standard display

	@example
	UPDATESTARTUPTTY
	@end example

	Set the startup TTY and X-DISPLAY variables to the values of this
	session. This command is useful to direct future pinentry invocations
	to another screen. It is only required because there is no way in the
	ssh-agent protocol to convey this information.


	@node Agent GETEVENTCOUNTER
	@subsection Get the Event Counters

	@example
	GETEVENTCOUNTER
	@end example

	This function return one status line with the current values of the
	event counters. The event counters are useful to avoid polling by
	delaying a poll until something has changed. The values are decimal
	numbers in the range @code{0} to @code{UINT_MAX} and wrapping around to
	0. The actual values should not be relied upon; they shall only be used
	to detect a change.

	The currently defined counters are are:
	@table @code
	@item ANY
	Incremented with any change of any of the other counters.
	@item KEY
	Incremented for added or removed private keys.
	@item CARD
	Incremented for changes of the card readers stati.
	@end table

	@node Agent GETINFO
	@subsection Return information about the process

	This is a multipurpose function to return a variety of information.

	@example
	GETINFO @var{what}
	@end example

	The value of @var{what} specifies the kind of information returned:
	@table @code
	@item version
	Return the version of the program.
	@item pid
	Return the process id of the process.
	@item socket_name
	Return the name of the socket used to connect the agent.
	@item ssh_socket_name
	Return the name of the socket used for SSH connections. If SSH support
	has not been enabled the error @code{GPG_ERR_NO_DATA} will be returned.
	@end table

	@node Agent OPTION
	@subsection Set options for the session

	Here is a list of session options which are not yet described with
	other commands. The general syntax for an Assuan option is:

	@smallexample
	OPTION @var{key}=@var{value}
	@end smallexample

	@noindent
	Supported @var{key}s are:

	@table @code
	@item agent-awareness
	This may be used to tell gpg-agent of which gpg-agent version the
	client is aware of. gpg-agent uses this information to enable
	features which might break older clients.

	@item putenv
	Change the session's environment to be used for the
	Pinentry. Valid values are:

	@table @code
	@item @var{name}
	Delete envvar @var{name}
	@item @var{name}=
	Set envvar @var{name} to the empty string
	@item @var{name}=@var{value}
	Set envvar @var{name} to the string @var{value}.
	@end table

	@item use-cache-for-signing
	See Assuan command @code{PKSIGN}.

	@item allow-pinentry-notify
	This does not need any value. It is used to enable the
	PINENTRY_LAUNCHED inquiry.

	@ifset gpgtwoone
	@item pinentry-mode
	This option is used to change the operation mode of the pinentry. The
	following values are defined:

	@table @code
	@item ask
	This is the default mode which pops up a pinentry as needed.

	@item cancel
	Instead of popping up a pinentry, return the error code
	@code{GPG_ERR_CANCELED}.

	@item error
	Instead of popping up a pinentry, return the error code
	@code{GPG_ERR_NO_PIN_ENTRY}.

	@item loopback
	Use a loopback pinentry. This fakes a pinentry by using inquiries
	back to the caller to ask for a passphrase. This option may only be
	set if the agent has been configured for that.
	Use the @xref{option --allow-loopback-pinentry}.

	@end table
	@end ifset

	@ifset gpgtwoone
	@item cache-ttl-opt-preset
	This option sets the cache TTL for new entries created by GENKEY and
	PASSWD commands when using the @option{--preset} option. It it is not
	used a default value is used.
	@end ifset

	@ifset gpgtwoone
	@item s2k-count
	Instead of using the standard S2K count (which is computed on the
	fly), the given S2K count is used for new keys or when changing the
	passphrase of a key. Values below 65536 are considered to be 0. This
	option is valid for the entire session or until reset to 0. This
	option is useful if the key is later used on boxes which are either
	much slower or faster than the actual box.
	@end ifset

	@end table


	@mansect see also
	@ifset isman
	@command{gpg2}(1),
	@command{gpgsm}(1),
	@command{gpg-connect-agent}(1),
	@command{scdaemon}(1)
	@end ifset
	@include see-also-note.texi
	diff --git a/doc/gpg.texi b/doc/gpg.texi
	index 887a62458..0d855c9ea 100644
	--- a/doc/gpg.texi
	+++ b/doc/gpg.texi
	@@ -1,3593 +1,3594 @@
	@c Copyright (C) 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007,
	@c 2008, 2009, 2010 Free Software Foundation, Inc.
	@c This is part of the GnuPG manual.
	@c For copying conditions, see the file gnupg.texi.

	@c Note that we use this texinfo file for all GnuPG-2 branches.
	@c The macro "gpgtwoone" controls parts which are only
	@c valid for GnuPG 2.1 and later.

	@node Invoking GPG
	@chapter Invoking GPG
	@cindex GPG command options
	@cindex command options
	@cindex options, GPG command

	@c Begin algorithm defaults

	@ifclear gpgtwoone
	@set DEFSYMENCALGO CAST5
	@end ifclear

	@ifset gpgtwoone
	@set DEFSYMENCALGO AES128
	@end ifset

	@c End algorithm defaults


	@macro gpgname
	gpg2
	@end macro
	@manpage gpg2.1
	@ifset manverb
	.B gpg2
	\- OpenPGP encryption and signing tool
	@end ifset

	@mansect synopsis
	@ifset manverb
	.B gpg2
	.RB [ \-\-homedir
	.IR dir ]
	.RB [ \-\-options
	.IR file ]
	.RI [ options ]
	.I command
	.RI [ args ]
	@end ifset


	@mansect description
	@command{@gpgname} is the OpenPGP part of the GNU Privacy Guard (GnuPG). It
	is a tool to provide digital encryption and signing services using the
	OpenPGP standard. @command{@gpgname} features complete key management and
	all bells and whistles you can expect from a decent OpenPGP
	implementation.

	In contrast to the standalone command gpg from GnuPG 1.x, which is
	might be better suited for server and embedded platforms, the 2.x
	version is commonly installed under the name @command{gpg2} and
	targeted to the desktop as it requires several other modules to be
	installed.

	@manpause
	The old 1.x version will be kept maintained and it is possible to
	install both versions on the same system. Documentation for the old
	GnuPG 1.x command is available as a man page and at
	@inforef{Top,GnuPG 1,gpg}.

	@xref{Option Index}, for an index to @command{@gpgname}'s commands and options.
	@mancont

	@menu
	* GPG Commands:: List of all commands.
	* GPG Options:: List of all options.
	* GPG Configuration:: Configuration files.
	* GPG Examples:: Some usage examples.

	Developer information:
	* Unattended Usage of GPG:: Using @command{gpg} from other programs.
	@end menu

	@c * GPG Protocol:: The protocol the server mode uses.


	@c *******************************************
	@c ************* **************
	@c ************* COMMANDS **************
	@c ************* **************
	@c *******************************************
	@mansect commands
	@node GPG Commands
	@section Commands

	Commands are not distinguished from options except for the fact that
	only one command is allowed.

	@command{@gpgname} may be run with no commands, in which case it will
	perform a reasonable action depending on the type of file it is given
	as input (an encrypted message is decrypted, a signature is verified,
	a file containing keys is listed).

	Please remember that option as well as command parsing stops as soon as
	a non-option is encountered, you can explicitly stop parsing by
	using the special option @option{--}.


	@menu
	* General GPG Commands:: Commands not specific to the functionality.
	* Operational GPG Commands:: Commands to select the type of operation.
	* OpenPGP Key Management:: How to manage your keys.
	@end menu


	@c *******************************************
	@c ******** GENERAL COMMANDS ***********
	@c *******************************************
	@node General GPG Commands
	@subsection Commands not specific to the function

	@table @gnupgtabopt
	@item --version
	@opindex version
	Print the program version and licensing information. Note that you
	cannot abbreviate this command.

	@item --help
	@itemx -h
	@opindex help
	Print a usage message summarizing the most useful command line options.
	Note that you cannot abbreviate this command.

	@item --warranty
	@opindex warranty
	Print warranty information.

	@item --dump-options
	@opindex dump-options
	Print a list of all available options and commands. Note that you cannot
	abbreviate this command.
	@end table


	@c *******************************************
	@c ****** OPERATIONAL COMMANDS *********
	@c *******************************************
	@node Operational GPG Commands
	@subsection Commands to select the type of operation


	@table @gnupgtabopt

	@item --sign
	@itemx -s
	@opindex sign
	Make a signature. This command may be combined with @option{--encrypt}
	(for a signed and encrypted message), @option{--symmetric} (for a
	signed and symmetrically encrypted message), or @option{--encrypt} and
	@option{--symmetric} together (for a signed message that may be
	decrypted via a secret key or a passphrase). The key to be used for
	signing is chosen by default or can be set with the
	@option{--local-user} and @option{--default-key} options.

	@item --clearsign
	@opindex clearsign
	Make a clear text signature. The content in a clear text signature is
	readable without any special software. OpenPGP software is only needed
	to verify the signature. Clear text signatures may modify end-of-line
	whitespace for platform independence and are not intended to be
	reversible. The key to be used for signing is chosen by default or
	can be set with the @option{--local-user} and @option{--default-key}
	options.


	@item --detach-sign
	@itemx -b
	@opindex detach-sign
	Make a detached signature.

	@item --encrypt
	@itemx -e
	@opindex encrypt
	Encrypt data. This option may be combined with @option{--sign} (for a
	signed and encrypted message), @option{--symmetric} (for a message that
	may be decrypted via a secret key or a passphrase), or @option{--sign}
	and @option{--symmetric} together (for a signed message that may be
	decrypted via a secret key or a passphrase).

	@item --symmetric
	@itemx -c
	@opindex symmetric
	Encrypt with a symmetric cipher using a passphrase. The default
	symmetric cipher used is @value{DEFSYMENCALGO}, but may be chosen with the
	@option{--cipher-algo} option. This option may be combined with
	@option{--sign} (for a signed and symmetrically encrypted message),
	@option{--encrypt} (for a message that may be decrypted via a secret key
	or a passphrase), or @option{--sign} and @option{--encrypt} together
	(for a signed message that may be decrypted via a secret key or a
	passphrase).

	@item --store
	@opindex store
	Store only (make a simple RFC1991 literal data packet).

	@item --decrypt
	@itemx -d
	@opindex decrypt
	Decrypt the file given on the command line (or STDIN if no file
	is specified) and write it to STDOUT (or the file specified with
	@option{--output}). If the decrypted file is signed, the signature is also
	verified. This command differs from the default operation, as it never
	writes to the filename which is included in the file and it rejects
	files which don't begin with an encrypted message.

	@item --verify
	@opindex verify
	Assume that the first argument is a signed file and verify it without
	generating any output. With no arguments, the signature packet is
	read from STDIN. If only a one argument is given, it is expected to
	be a complete signature.

	With more than 1 argument, the first should be a detached signature
	and the remaining files ake up the the signed data. To read the signed
	data from STDIN, use @samp{-} as the second filename. For security
	reasons a detached signature cannot read the signed material from
	STDIN without denoting it in the above way.

	Note: If the option @option{--batch} is not used, @command{@gpgname}
	may assume that a single argument is a file with a detached signature
	and it will try to find a matching data file by stripping certain
	suffixes. Using this historical feature to verify a detached
	signature is strongly discouraged; always specify the data file too.

	Note: When verifying a cleartext signature, @command{gpg} verifies
	only what makes up the cleartext signed data and not any extra data
	outside of the cleartext signature or header lines following directly
	the dash marker line. The option @code{--output} may be used to write
	out the actual signed data; but there are other pitfalls with this
	format as well. It is suggested to avoid cleartext signatures in
	favor of detached signatures.

	@item --multifile
	@opindex multifile
	This modifies certain other commands to accept multiple files for
	processing on the command line or read from STDIN with each filename on
	a separate line. This allows for many files to be processed at
	once. @option{--multifile} may currently be used along with
	@option{--verify}, @option{--encrypt}, and @option{--decrypt}. Note that
	@option{--multifile --verify} may not be used with detached signatures.

	@item --verify-files
	@opindex verify-files
	Identical to @option{--multifile --verify}.

	@item --encrypt-files
	@opindex encrypt-files
	Identical to @option{--multifile --encrypt}.

	@item --decrypt-files
	@opindex decrypt-files
	Identical to @option{--multifile --decrypt}.

	@item --list-keys
	@itemx -k
	@itemx --list-public-keys
	@opindex list-keys
	List all keys from the public keyrings, or just the keys given on the
	command line.

	Avoid using the output of this command in scripts or other programs as
	it is likely to change as GnuPG changes. See @option{--with-colons} for a
	machine-parseable key listing command that is appropriate for use in
	scripts and other programs.

	@item --list-secret-keys
	@itemx -K
	@opindex list-secret-keys
	List all keys from the secret keyrings, or just the ones given on the
	command line. A @code{#} after the letters @code{sec} means that the
	secret key is not usable (for example, if it was created via
	@option{--export-secret-subkeys}).

	@item --list-sigs
	@opindex list-sigs
	Same as @option{--list-keys}, but the signatures are listed too.
	This command has the same effect as
	using @option{--list-keys} with @option{--with-sig-list}.

	For each signature listed, there are several flags in between the "sig"
	tag and keyid. These flags give additional information about each
	signature. From left to right, they are the numbers 1-3 for certificate
	check level (see @option{--ask-cert-level}), "L" for a local or
	non-exportable signature (see @option{--lsign-key}), "R" for a
	nonRevocable signature (see the @option{--edit-key} command "nrsign"),
	"P" for a signature that contains a policy URL (see
	@option{--cert-policy-url}), "N" for a signature that contains a
	notation (see @option{--cert-notation}), "X" for an eXpired signature
	(see @option{--ask-cert-expire}), and the numbers 1-9 or "T" for 10 and
	above to indicate trust signature levels (see the @option{--edit-key}
	command "tsign").

	@item --check-sigs
	@opindex check-sigs
	Same as @option{--list-sigs}, but the signatures are verified. Note
	that for performance reasons the revocation status of a signing key is
	not shown.
	This command has the same effect as
	using @option{--list-keys} with @option{--with-sig-check}.

	The status of the verification is indicated by a flag directly following
	the "sig" tag (and thus before the flags described above for
	@option{--list-sigs}). A "!" indicates that the signature has been
	successfully verified, a "-" denotes a bad signature and a "%" is used
	if an error occurred while checking the signature (e.g. a non supported
	algorithm).

	@item --locate-keys
	@opindex locate-keys
	Locate the keys given as arguments. This command basically uses the
	same algorithm as used when locating keys for encryption or signing and
	may thus be used to see what keys @command{@gpgname} might use. In
	particular external methods as defined by @option{--auto-key-locate} may
	be used to locate a key. Only public keys are listed.

	@item --fingerprint
	@opindex fingerprint
	List all keys (or the specified ones) along with their
	fingerprints. This is the same output as @option{--list-keys} but with
	the additional output of a line with the fingerprint. May also be
	combined with @option{--list-sigs} or @option{--check-sigs}. If this
	command is given twice, the fingerprints of all secondary keys are
	listed too.

	@item --list-packets
	@opindex list-packets
	List only the sequence of packets. This is mainly useful for
	debugging. When used with option @option{--verbose} the actual MPI
	values are dumped and not only their lengths.


	@item --card-edit
	@opindex card-edit
	Present a menu to work with a smartcard. The subcommand "help" provides
	an overview on available commands. For a detailed description, please
	see the Card HOWTO at
	https://gnupg.org/documentation/howtos.html#GnuPG-cardHOWTO .

	@item --card-status
	@opindex card-status
	Show the content of the smart card.

	@item --change-pin
	@opindex change-pin
	Present a menu to allow changing the PIN of a smartcard. This
	functionality is also available as the subcommand "passwd" with the
	@option{--card-edit} command.

	@item --delete-keys @code{name}
	@itemx --delete-keys @code{name}
	Remove key from the public keyring. In batch mode either @option{--yes} is
	required or the key must be specified by fingerprint. This is a
	safeguard against accidental deletion of multiple keys.

	@item --delete-secret-keys @code{name}
	@opindex delete-secret-keys
	Remove key from the secret keyring. In batch mode the key
	must be specified by fingerprint.

	@item --delete-secret-and-public-key @code{name}
	@opindex delete-secret-and-public-key
	Same as @option{--delete-key}, but if a secret key exists, it will be
	removed first. In batch mode the key must be specified by fingerprint.

	@item --export
	@opindex export
	Either export all keys from all keyrings (default keyrings and those
	registered via option @option{--keyring}), or if at least one name is given,
	those of the given name. The exported keys are written to STDOUT or to the
	file given with option @option{--output}. Use together with
	@option{--armor} to mail those keys.

	@item --send-keys @code{key IDs}
	@opindex send-keys
	Similar to @option{--export} but sends the keys to a keyserver.
	Fingerprints may be used instead of key IDs. Option @option{--keyserver}
	must be used to give the name of this keyserver. Don't send your
	complete keyring to a keyserver --- select only those keys which are new
	or changed by you. If no key IDs are given, @command{gpg} does nothing.

	@item --export-secret-keys
	@itemx --export-secret-subkeys
	@opindex export-secret-keys
	@opindex export-secret-subkeys
	Same as @option{--export}, but exports the secret keys instead. The
	exported keys are written to STDOUT or to the file given with option
	@option{--output}. This command is often used along with the option
	@option{--armor} to allow easy printing of the key for paper backup;
	however the external tool @command{paperkey} does a better job for
	creating backups on paper. Note that exporting a secret key can be a
	security risk if the exported keys are send over an insecure channel.

	The second form of the command has the special property to render the
	secret part of the primary key useless; this is a GNU extension to
	OpenPGP and other implementations can not be expected to successfully
	import such a key. Its intended use is to generated a full key with
	an additional signing subkey on a dedicated machine and then using
	this command to export the key without the primary key to the main
	machine.

	@ifset gpgtwoone
	GnuPG may ask you to enter the passphrase for the key. This is
	required because the internal protection method of the secret key is
	different from the one specified by the OpenPGP protocol.
	@end ifset
	@ifclear gpgtwoone
	See the option @option{--simple-sk-checksum} if you want to import an
	exported secret key into ancient OpenPGP implementations.
	@end ifclear

	@item --import
	@itemx --fast-import
	@opindex import
	Import/merge keys. This adds the given keys to the
	keyring. The fast version is currently just a synonym.

	There are a few other options which control how this command works.
	Most notable here is the @option{--import-options merge-only} option
	which does not insert new keys but does only the merging of new
	signatures, user-IDs and subkeys.

	@item --recv-keys @code{key IDs}
	@opindex recv-keys
	Import the keys with the given key IDs from a keyserver. Option
	@option{--keyserver} must be used to give the name of this keyserver.

	@item --refresh-keys
	@opindex refresh-keys
	Request updates from a keyserver for keys that already exist on the
	local keyring. This is useful for updating a key with the latest
	signatures, user IDs, etc. Calling this with no arguments will refresh
	the entire keyring. Option @option{--keyserver} must be used to give the
	name of the keyserver for all keys that do not have preferred keyservers
	set (see @option{--keyserver-options honor-keyserver-url}).

	@item --search-keys @code{names}
	@opindex search-keys
	Search the keyserver for the given names. Multiple names given here will
	be joined together to create the search string for the keyserver.
	Option @option{--keyserver} must be used to give the name of this
	keyserver. Keyservers that support different search methods allow using
	the syntax specified in "How to specify a user ID" below. Note that
	different keyserver types support different search methods. Currently
	only LDAP supports them all.

	@item --fetch-keys @code{URIs}
	@opindex fetch-keys
	Retrieve keys located at the specified URIs. Note that different
	installations of GnuPG may support different protocols (HTTP, FTP,
	LDAP, etc.)

	@item --update-trustdb
	@opindex update-trustdb
	Do trust database maintenance. This command iterates over all keys and
	builds the Web of Trust. This is an interactive command because it may
	have to ask for the "ownertrust" values for keys. The user has to give
	an estimation of how far she trusts the owner of the displayed key to
	correctly certify (sign) other keys. GnuPG only asks for the ownertrust
	value if it has not yet been assigned to a key. Using the
	@option{--edit-key} menu, the assigned value can be changed at any time.

	@item --check-trustdb
	@opindex check-trustdb
	Do trust database maintenance without user interaction. From time to
	time the trust database must be updated so that expired keys or
	signatures and the resulting changes in the Web of Trust can be
	tracked. Normally, GnuPG will calculate when this is required and do it
	automatically unless @option{--no-auto-check-trustdb} is set. This
	command can be used to force a trust database check at any time. The
	processing is identical to that of @option{--update-trustdb} but it
	skips keys with a not yet defined "ownertrust".

	For use with cron jobs, this command can be used together with
	@option{--batch} in which case the trust database check is done only if
	a check is needed. To force a run even in batch mode add the option
	@option{--yes}.

	@anchor{option --export-ownertrust}
	@item --export-ownertrust
	@opindex export-ownertrust
	Send the ownertrust values to STDOUT. This is useful for backup purposes
	as these values are the only ones which can't be re-created from a
	corrupted trustdb. Example:
	@c man:.RS
	@example
	@gpgname{} --export-ownertrust > otrust.txt
	@end example
	@c man:.RE


	@item --import-ownertrust
	@opindex import-ownertrust
	Update the trustdb with the ownertrust values stored in @code{files} (or
	STDIN if not given); existing values will be overwritten. In case of a
	severely damaged trustdb and if you have a recent backup of the
	ownertrust values (e.g. in the file @file{otrust.txt}, you may re-create
	the trustdb using these commands:
	@c man:.RS
	@example
	cd ~/.gnupg
	rm trustdb.gpg
	@gpgname{} --import-ownertrust < otrust.txt
	@end example
	@c man:.RE


	@item --rebuild-keydb-caches
	@opindex rebuild-keydb-caches
	When updating from version 1.0.6 to 1.0.7 this command should be used
	to create signature caches in the keyring. It might be handy in other
	situations too.

	@item --print-md @code{algo}
	@itemx --print-mds
	@opindex print-md
	Print message digest of algorithm ALGO for all given files or STDIN.
	With the second form (or a deprecated "*" as algo) digests for all
	available algorithms are printed.

	@item --gen-random @code{0\|1\|2} @code{count}
	@opindex gen-random
	Emit @var{count} random bytes of the given quality level 0, 1 or 2. If
	@var{count} is not given or zero, an endless sequence of random bytes
	will be emitted. If used with @option{--armor} the output will be
	base64 encoded. PLEASE, don't use this command unless you know what
	you are doing; it may remove precious entropy from the system!

	@item --gen-prime @code{mode} @code{bits}
	@opindex gen-prime
	Use the source, Luke :-). The output format is still subject to change.


	@item --enarmor
	@item --dearmor
	@opindex enarmor
	@opindex dearmor
	Pack or unpack an arbitrary input into/from an OpenPGP ASCII armor.
	This is a GnuPG extension to OpenPGP and in general not very useful.


	@c @item --server
	@c @opindex server
	@c Run gpg in server mode. This feature is not yet ready for use and
	@c thus not documented.

	@end table


	@c *******************************************
	@c ***** KEY MANGEMENT COMMANDS ********
	@c *******************************************
	@node OpenPGP Key Management
	@subsection How to manage your keys

	This section explains the main commands for key management

	@table @gnupgtabopt

	@ifset gpgtwoone
	@item --quick-gen-key @code{user-id}
	@opindex quick-gen-key
	This is a simple command to generate a standard key with one user id.
	In contrast to @option{--gen-key} the key is generated directly
	without the need to answer a bunch of prompts. Unless the option
	@option{--yes} is given, the key creation will be canceled if the
	given user id already exists in the key ring.

	If invoked directly on the console without any special options an
	answer to a ``Continue?'' style confirmation prompt is required. In
	case the user id already exists in the key ring a second prompt to
	force the creation of the key will show up.

	If this command is used with @option{--batch},
	@option{--pinentry-mode} has been set to @code{loopback}, and one of
	the passphrase options (@option{--passphrase},
	@option{--passphrase-fd}, or @option{passphrase-file}) is used, the
	supplied passphrase is used for the new key and the agent does not ask
	for it. To create a key without any protection @code{--passphrase ''}
	may be used.
	@end ifset

	@item --gen-key
	@opindex gen-key
	Generate a new key pair using teh current default parameters. This is
	the standard command to create a new key.

	@ifset gpgtwoone
	@item --full-gen-key
	@opindex gen-key
	Generate a new key pair with dialogs for all options. This is an
	extended version of @option{--gen-key}.

	@end ifset
	There is also a feature which allows you to create keys in batch
	mode. See the the manual section ``Unattended key generation'' on how
	to use this.

	@item --gen-revoke @code{name}
	@opindex gen-revoke
	Generate a revocation certificate for the complete key. To revoke
	a subkey or a signature, use the @option{--edit} command.

	@item --desig-revoke @code{name}
	@opindex desig-revoke
	Generate a designated revocation certificate for a key. This allows a
	user (with the permission of the keyholder) to revoke someone else's
	key.


	@item --edit-key
	@opindex edit-key
	Present a menu which enables you to do most of the key management
	related tasks. It expects the specification of a key on the command
	line.

	@c ****** Begin Edit-key Options ********
	@table @asis

	@item uid @code{n}
	@opindex keyedit:uid
	Toggle selection of user ID or photographic user ID with index @code{n}.
	Use @code{*} to select all and @code{0} to deselect all.

	@item key @code{n}
	@opindex keyedit:key
	Toggle selection of subkey with index @code{n}.
	Use @code{*} to select all and @code{0} to deselect all.

	@item sign
	@opindex keyedit:sign
	Make a signature on key of user @code{name} If the key is not yet
	signed by the default user (or the users given with -u), the program
	displays the information of the key again, together with its
	fingerprint and asks whether it should be signed. This question is
	repeated for all users specified with
	-u.

	@item lsign
	@opindex keyedit:lsign
	Same as "sign" but the signature is marked as non-exportable and will
	therefore never be used by others. This may be used to make keys
	valid only in the local environment.

	@item nrsign
	@opindex keyedit:nrsign
	Same as "sign" but the signature is marked as non-revocable and can
	therefore never be revoked.

	@item tsign
	@opindex keyedit:tsign
	Make a trust signature. This is a signature that combines the notions
	of certification (like a regular signature), and trust (like the
	"trust" command). It is generally only useful in distinct communities
	or groups.
	@end table

	@c man:.RS
	Note that "l" (for local / non-exportable), "nr" (for non-revocable,
	and "t" (for trust) may be freely mixed and prefixed to "sign" to
	create a signature of any type desired.
	@c man:.RE

	@table @asis

	@item delsig
	@opindex keyedit:delsig
	Delete a signature. Note that it is not possible to retract a signature,
	once it has been send to the public (i.e. to a keyserver). In that case
	you better use @code{revsig}.

	@item revsig
	@opindex keyedit:revsig
	Revoke a signature. For every signature which has been generated by
	one of the secret keys, GnuPG asks whether a revocation certificate
	should be generated.

	@item check
	@opindex keyedit:check
	Check the signatures on all selected user IDs.

	@item adduid
	@opindex keyedit:adduid
	Create an additional user ID.

	@item addphoto
	@opindex keyedit:addphoto
	Create a photographic user ID. This will prompt for a JPEG file that
	will be embedded into the user ID. Note that a very large JPEG will make
	for a very large key. Also note that some programs will display your
	JPEG unchanged (GnuPG), and some programs will scale it to fit in a
	dialog box (PGP).

	@item showphoto
	@opindex keyedit:showphoto
	Display the selected photographic user ID.

	@item deluid
	@opindex keyedit:deluid
	Delete a user ID or photographic user ID. Note that it is not
	possible to retract a user id, once it has been send to the public
	(i.e. to a keyserver). In that case you better use @code{revuid}.

	@item revuid
	@opindex keyedit:revuid
	Revoke a user ID or photographic user ID.

	@item primary
	@opindex keyedit:primary
	Flag the current user id as the primary one, removes the primary user
	id flag from all other user ids and sets the timestamp of all affected
	self-signatures one second ahead. Note that setting a photo user ID
	as primary makes it primary over other photo user IDs, and setting a
	regular user ID as primary makes it primary over other regular user
	IDs.

	@item keyserver
	@opindex keyedit:keyserver
	Set a preferred keyserver for the specified user ID(s). This allows
	other users to know where you prefer they get your key from. See
	@option{--keyserver-options honor-keyserver-url} for more on how this
	works. Setting a value of "none" removes an existing preferred
	keyserver.

	@item notation
	@opindex keyedit:notation
	Set a name=value notation for the specified user ID(s). See
	@option{--cert-notation} for more on how this works. Setting a value of
	"none" removes all notations, setting a notation prefixed with a minus
	sign (-) removes that notation, and setting a notation name (without the
	=value) prefixed with a minus sign removes all notations with that name.

	@item pref
	@opindex keyedit:pref
	List preferences from the selected user ID. This shows the actual
	preferences, without including any implied preferences.

	@item showpref
	@opindex keyedit:showpref
	More verbose preferences listing for the selected user ID. This shows
	the preferences in effect by including the implied preferences of 3DES
	(cipher), SHA-1 (digest), and Uncompressed (compression) if they are
	not already included in the preference list. In addition, the
	preferred keyserver and signature notations (if any) are shown.

	@item setpref @code{string}
	@opindex keyedit:setpref
	Set the list of user ID preferences to @code{string} for all (or just
	the selected) user IDs. Calling setpref with no arguments sets the
	preference list to the default (either built-in or set via
	@option{--default-preference-list}), and calling setpref with "none"
	as the argument sets an empty preference list. Use @command{@gpgname
	--version} to get a list of available algorithms. Note that while you
	can change the preferences on an attribute user ID (aka "photo ID"),
	GnuPG does not select keys via attribute user IDs so these preferences
	will not be used by GnuPG.

	When setting preferences, you should list the algorithms in the order
	which you'd like to see them used by someone else when encrypting a
	message to your key. If you don't include 3DES, it will be
	automatically added at the end. Note that there are many factors that
	go into choosing an algorithm (for example, your key may not be the
	only recipient), and so the remote OpenPGP application being used to
	send to you may or may not follow your exact chosen order for a given
	message. It will, however, only choose an algorithm that is present
	on the preference list of every recipient key. See also the
	INTEROPERABILITY WITH OTHER OPENPGP PROGRAMS section below.

	@item addkey
	@opindex keyedit:addkey
	Add a subkey to this key.

	@item addcardkey
	@opindex keyedit:addcardkey
	Generate a subkey on a card and add it to this key.

	@item keytocard
	@opindex keyedit:keytocard
	Transfer the selected secret subkey (or the primary key if no subkey
	has been selected) to a smartcard. The secret key in the keyring will
	be replaced by a stub if the key could be stored successfully on the
	card and you use the save command later. Only certain key types may be
	transferred to the card. A sub menu allows you to select on what card
	to store the key. Note that it is not possible to get that key back
	from the card - if the card gets broken your secret key will be lost
	unless you have a backup somewhere.

	@item bkuptocard @code{file}
	@opindex keyedit:bkuptocard
	Restore the given file to a card. This command may be used to restore a
	backup key (as generated during card initialization) to a new card. In
	almost all cases this will be the encryption key. You should use this
	command only with the corresponding public key and make sure that the
	file given as argument is indeed the backup to restore. You should then
	select 2 to restore as encryption key. You will first be asked to enter
	the passphrase of the backup key and then for the Admin PIN of the card.

	@item delkey
	@opindex keyedit:delkey
	Remove a subkey (secondary key). Note that it is not possible to retract
	a subkey, once it has been send to the public (i.e. to a keyserver). In
	that case you better use @code{revkey}.

	@item revkey
	@opindex keyedit:revkey
	Revoke a subkey.

	@item expire
	@opindex keyedit:expire
	Change the key or subkey expiration time. If a subkey is selected, the
	expiration time of this subkey will be changed. With no selection, the
	key expiration of the primary key is changed.

	@item trust
	@opindex keyedit:trust
	Change the owner trust value for the key. This updates the trust-db
	immediately and no save is required.

	@item disable
	@itemx enable
	@opindex keyedit:disable
	@opindex keyedit:enable
	Disable or enable an entire key. A disabled key can not normally be
	used for encryption.

	@item addrevoker
	@opindex keyedit:addrevoker
	Add a designated revoker to the key. This takes one optional argument:
	"sensitive". If a designated revoker is marked as sensitive, it will
	not be exported by default (see export-options).

	@item passwd
	@opindex keyedit:passwd
	Change the passphrase of the secret key.

	@item toggle
	@opindex keyedit:toggle
	Toggle between public and secret key listing.

	@item clean
	@opindex keyedit:clean
	Compact (by removing all signatures except the selfsig) any user ID
	that is no longer usable (e.g. revoked, or expired). Then, remove any
	signatures that are not usable by the trust calculations.
	Specifically, this removes any signature that does not validate, any
	signature that is superseded by a later signature, revoked signatures,
	and signatures issued by keys that are not present on the keyring.

	@item minimize
	@opindex keyedit:minimize
	Make the key as small as possible. This removes all signatures from
	each user ID except for the most recent self-signature.

	@item cross-certify
	@opindex keyedit:cross-certify
	Add cross-certification signatures to signing subkeys that may not
	currently have them. Cross-certification signatures protect against a
	subtle attack against signing subkeys. See
	@option{--require-cross-certification}. All new keys generated have
	this signature by default, so this option is only useful to bring
	older keys up to date.

	@item save
	@opindex keyedit:save
	Save all changes to the key rings and quit.

	@item quit
	@opindex keyedit:quit
	Quit the program without updating the
	key rings.
	@end table

	@c man:.RS
	The listing shows you the key with its secondary keys and all user
	ids. The primary user id is indicated by a dot, and selected keys or
	user ids are indicated by an asterisk. The trust
	value is displayed with the primary key: the first is the assigned owner
	trust and the second is the calculated trust value. Letters are used for
	the values:
	@c man:.RE

	@table @asis

	@item -
	No ownertrust assigned / not yet calculated.

	@item e
	Trust
	calculation has failed; probably due to an expired key.

	@item q
	Not enough information for calculation.

	@item n
	Never trust this key.

	@item m
	Marginally trusted.

	@item f
	Fully trusted.

	@item u
	Ultimately trusted.

	@end table
	@c ****** End Edit-key Options ********

	@item --sign-key @code{name}
	@opindex sign-key
	Signs a public key with your secret key. This is a shortcut version of
	the subcommand "sign" from @option{--edit}.

	@item --lsign-key @code{name}
	@opindex lsign-key
	Signs a public key with your secret key but marks it as
	non-exportable. This is a shortcut version of the subcommand "lsign"
	from @option{--edit-key}.

	@ifset gpgtwoone
	@item --quick-sign-key @code{fpr} [@code{names}]
	@itemx --quick-lsign-key @code{fpr} [@code{names}]
	@opindex quick-sign-key
	@opindex quick-lsign-key
	Directly sign a key from the passphrase without any further user
	interaction. The @code{fpr} must be the verified primary fingerprint
	of a key in the local keyring. If no @code{names} are given, all
	useful user ids are signed; with given [@code{names}] only useful user
	ids matching one of theses names are signed. The command
	@option{--quick-lsign-key} marks the signatures as non-exportable. If
	such a non-exportable signature already exists the
	@option{--quick-sign-key} turns it into a exportable signature.

	This command uses reasonable defaults and thus does not provide the
	full flexibility of the "sign" subcommand from @option{--edit-key}.
	Its intended use is to help unattended key signing by utilizing a list
	of verified fingerprints.
	@end ifset

	@ifset gpgtwoone
	@item --quick-adduid @var{user-id} @var{new-user-id}
	@opindex quick-adduid
	This command adds a new user id to an existing key. In contrast to
	the interactive sub-command @code{adduid} of @option{--edit-key} the
	@var{new-user-id} is added verbatim with only leading and trailing
	white space removed, it is expected to be UTF-8 encoded, and no checks
	on its form are applied.
	@end ifset

	@item --passwd @var{user_id}
	@opindex passwd
	Change the passphrase of the secret key belonging to the certificate
	specified as @var{user_id}. This is a shortcut for the sub-command
	@code{passwd} of the edit key menu.

	@end table


	@c *******************************************
	@c ************* **************
	@c ************* OPTIONS **************
	@c ************* **************
	@c *******************************************
	@mansect options
	@node GPG Options
	@section Option Summary

	@command{@gpgname} features a bunch of options to control the exact
	behaviour and to change the default configuration.

	@menu
	* GPG Configuration Options:: How to change the configuration.
	* GPG Key related Options:: Key related options.
	* GPG Input and Output:: Input and Output.
	* OpenPGP Options:: OpenPGP protocol specific options.
	* Compliance Options:: Compliance options.
	* GPG Esoteric Options:: Doing things one usually don't want to do.
	* Deprecated Options:: Deprecated options.
	@end menu

	Long options can be put in an options file (default
	"~/.gnupg/gpg.conf"). Short option names will not work - for example,
	"armor" is a valid option for the options file, while "a" is not. Do not
	write the 2 dashes, but simply the name of the option and any required
	arguments. Lines with a hash ('#') as the first non-white-space
	character are ignored. Commands may be put in this file too, but that is
	not generally useful as the command will execute automatically with
	every execution of gpg.

	Please remember that option parsing stops as soon as a non-option is
	encountered, you can explicitly stop parsing by using the special option
	@option{--}.

	@c *******************************************
	@c ****** CONFIGURATION OPTIONS ********
	@c *******************************************
	@node GPG Configuration Options
	@subsection How to change the configuration

	These options are used to change the configuration and are usually found
	in the option file.

	@table @gnupgtabopt

	@item --default-key @var{name}
	@opindex default-key
	Use @var{name} as the default key to sign with. If this option is not
	used, the default key is the first key found in the secret keyring.
	Note that @option{-u} or @option{--local-user} overrides this option.

	@item --default-recipient @var{name}
	@opindex default-recipient
	Use @var{name} as default recipient if option @option{--recipient} is
	not used and don't ask if this is a valid one. @var{name} must be
	non-empty.

	@item --default-recipient-self
	@opindex default-recipient-self
	Use the default key as default recipient if option @option{--recipient} is not
	used and don't ask if this is a valid one. The default key is the first
	one from the secret keyring or the one set with @option{--default-key}.

	@item --no-default-recipient
	@opindex no-default-recipient
	Reset @option{--default-recipient} and @option{--default-recipient-self}.

	@item -v, --verbose
	@opindex verbose
	Give more information during processing. If used
	twice, the input data is listed in detail.

	@item --no-verbose
	@opindex no-verbose
	Reset verbose level to 0.

	@item -q, --quiet
	@opindex quiet
	Try to be as quiet as possible.

	@item --batch
	@itemx --no-batch
	@opindex batch
	@opindex no-batch
	Use batch mode. Never ask, do not allow interactive commands.
	@option{--no-batch} disables this option. Note that even with a
	filename given on the command line, gpg might still need to read from
	STDIN (in particular if gpg figures that the input is a
	detached signature and no data file has been specified). Thus if you
	do not want to feed data via STDIN, you should connect STDIN to
	@file{/dev/null}.

	@item --no-tty
	@opindex no-tty
	Make sure that the TTY (terminal) is never used for any output.
	This option is needed in some cases because GnuPG sometimes prints
	warnings to the TTY even if @option{--batch} is used.

	@item --yes
	@opindex yes
	Assume "yes" on most questions.

	@item --no
	@opindex no
	Assume "no" on most questions.


	@item --list-options @code{parameters}
	@opindex list-options
	This is a space or comma delimited string that gives options used when
	listing keys and signatures (that is, @option{--list-keys},
	@option{--list-sigs}, @option{--list-public-keys},
	@option{--list-secret-keys}, and the @option{--edit-key} functions).
	Options can be prepended with a @option{no-} (after the two dashes) to
	give the opposite meaning. The options are:

	@table @asis

	@item show-photos
	@opindex list-options:show-photos
	Causes @option{--list-keys}, @option{--list-sigs},
	@option{--list-public-keys}, and @option{--list-secret-keys} to
	display any photo IDs attached to the key. Defaults to no. See also
	@option{--photo-viewer}. Does not work with @option{--with-colons}:
	see @option{--attribute-fd} for the appropriate way to get photo data
	for scripts and other frontends.

	@item show-usage
	@opindex list-options:show-usage
	Show usage information for keys and subkeys in the standard key
	listing. This is a list of letters indicating the allowed usage for a
	key (@code{E}=encryption, @code{S}=signing, @code{C}=certification,
	@code{A}=authentication). Defaults to no.

	@item show-policy-urls
	@opindex list-options:show-policy-urls
	Show policy URLs in the @option{--list-sigs} or @option{--check-sigs}
	listings. Defaults to no.

	@item show-notations
	@itemx show-std-notations
	@itemx show-user-notations
	@opindex list-options:show-notations
	@opindex list-options:show-std-notations
	@opindex list-options:show-user-notations
	Show all, IETF standard, or user-defined signature notations in the
	@option{--list-sigs} or @option{--check-sigs} listings. Defaults to no.

	@item show-keyserver-urls
	@opindex list-options:show-keyserver-urls
	Show any preferred keyserver URL in the @option{--list-sigs} or
	@option{--check-sigs} listings. Defaults to no.

	@item show-uid-validity
	@opindex list-options:show-uid-validity
	Display the calculated validity of user IDs during key listings.
	Defaults to no.

	@item show-unusable-uids
	@opindex list-options:show-unusable-uids
	Show revoked and expired user IDs in key listings. Defaults to no.

	@item show-unusable-subkeys
	@opindex list-options:show-unusable-subkeys
	Show revoked and expired subkeys in key listings. Defaults to no.

	@item show-keyring
	@opindex list-options:show-keyring
	Display the keyring name at the head of key listings to show which
	keyring a given key resides on. Defaults to no.

	@item show-sig-expire
	@opindex list-options:show-sig-expire
	Show signature expiration dates (if any) during @option{--list-sigs} or
	@option{--check-sigs} listings. Defaults to no.

	@item show-sig-subpackets
	@opindex list-options:show-sig-subpackets
	Include signature subpackets in the key listing. This option can take an
	optional argument list of the subpackets to list. If no argument is
	passed, list all subpackets. Defaults to no. This option is only
	meaningful when using @option{--with-colons} along with
	@option{--list-sigs} or @option{--check-sigs}.

	@end table

	@item --verify-options @code{parameters}
	@opindex verify-options
	This is a space or comma delimited string that gives options used when
	verifying signatures. Options can be prepended with a `no-' to give
	the opposite meaning. The options are:

	@table @asis

	@item show-photos
	@opindex verify-options:show-photos
	Display any photo IDs present on the key that issued the signature.
	Defaults to no. See also @option{--photo-viewer}.

	@item show-policy-urls
	@opindex verify-options:show-policy-urls
	Show policy URLs in the signature being verified. Defaults to no.

	@item show-notations
	@itemx show-std-notations
	@itemx show-user-notations
	@opindex verify-options:show-notations
	@opindex verify-options:show-std-notations
	@opindex verify-options:show-user-notations
	Show all, IETF standard, or user-defined signature notations in the
	signature being verified. Defaults to IETF standard.

	@item show-keyserver-urls
	@opindex verify-options:show-keyserver-urls
	Show any preferred keyserver URL in the signature being verified.
	Defaults to no.

	@item show-uid-validity
	@opindex verify-options:show-uid-validity
	Display the calculated validity of the user IDs on the key that issued
	the signature. Defaults to no.

	@item show-unusable-uids
	@opindex verify-options:show-unusable-uids
	Show revoked and expired user IDs during signature verification.
	Defaults to no.

	@item show-primary-uid-only
	@opindex verify-options:show-primary-uid-only
	Show only the primary user ID during signature verification. That is
	all the AKA lines as well as photo Ids are not shown with the signature
	verification status.

	@item pka-lookups
	@opindex verify-options:pka-lookups
	Enable PKA lookups to verify sender addresses. Note that PKA is based
	on DNS, and so enabling this option may disclose information on when
	and what signatures are verified or to whom data is encrypted. This
	is similar to the "web bug" described for the auto-key-retrieve
	feature.

	@item pka-trust-increase
	@opindex verify-options:pka-trust-increase
	Raise the trust in a signature to full if the signature passes PKA
	validation. This option is only meaningful if pka-lookups is set.
	@end table

	@item --enable-large-rsa
	@itemx --disable-large-rsa
	@opindex enable-large-rsa
	@opindex disable-large-rsa
	With --gen-key and --batch, enable the creation of larger RSA secret
	keys than is generally recommended (up to 8192 bits). These large
	keys are more expensive to use, and their signatures and
	certifications are also larger.

	@item --enable-dsa2
	@itemx --disable-dsa2
	@opindex enable-dsa2
	@opindex disable-dsa2
	Enable hash truncation for all DSA keys even for old DSA Keys up to
	1024 bit. This is also the default with @option{--openpgp}. Note
	that older versions of GnuPG also required this flag to allow the
	generation of DSA larger than 1024 bit.

	@item --photo-viewer @code{string}
	@opindex photo-viewer
	This is the command line that should be run to view a photo ID. "%i"
	will be expanded to a filename containing the photo. "%I" does the
	same, except the file will not be deleted once the viewer exits.
	Other flags are "%k" for the key ID, "%K" for the long key ID, "%f"
	for the key fingerprint, "%t" for the extension of the image type
	(e.g. "jpg"), "%T" for the MIME type of the image (e.g. "image/jpeg"),
	"%v" for the single-character calculated validity of the image being
	viewed (e.g. "f"), "%V" for the calculated validity as a string (e.g.
	"full"), "%U" for a base32 encoded hash of the user ID,
	and "%%" for an actual percent sign. If neither %i or %I are present,
	then the photo will be supplied to the viewer on standard input.

	The default viewer is "xloadimage -fork -quiet -title 'KeyID 0x%k'
	STDIN". Note that if your image viewer program is not secure, then
	executing it from GnuPG does not make it secure.

	@item --exec-path @code{string}
	@opindex exec-path
	Sets a list of directories to search for photo viewers and keyserver
	helpers. If not provided, keyserver helpers use the compiled-in
	default directory, and photo viewers use the $PATH environment
	variable.
	Note, that on W32 system this value is ignored when searching for
	keyserver helpers.

	@item --keyring @code{file}
	@opindex keyring
	Add @code{file} to the current list of keyrings. If @code{file} begins
	with a tilde and a slash, these are replaced by the $HOME directory. If
	the filename does not contain a slash, it is assumed to be in the GnuPG
	home directory ("~/.gnupg" if @option{--homedir} or $GNUPGHOME is not
	used).

	Note that this adds a keyring to the current list. If the intent is to
	use the specified keyring alone, use @option{--keyring} along with
	@option{--no-default-keyring}.

	@item --secret-keyring @code{file}
	@opindex secret-keyring
	@ifset gpgtwoone
	This is an obsolete option and ignored. All secret keys are stored in
	the @file{private-keys-v1.d} directory below the GnuPG home directory.
	@end ifset
	@ifclear gpgtwoone
	Same as @option{--keyring} but for the secret keyrings.
	@end ifclear

	@item --primary-keyring @code{file}
	@opindex primary-keyring
	Designate @code{file} as the primary public keyring. This means that
	newly imported keys (via @option{--import} or keyserver
	@option{--recv-from}) will go to this keyring.

	@item --trustdb-name @code{file}
	@opindex trustdb-name
	Use @code{file} instead of the default trustdb. If @code{file} begins
	with a tilde and a slash, these are replaced by the $HOME directory. If
	the filename does not contain a slash, it is assumed to be in the GnuPG
	home directory (@file{~/.gnupg} if @option{--homedir} or $GNUPGHOME is
	not used).

	@include opt-homedir.texi


	@item --display-charset @code{name}
	@opindex display-charset
	Set the name of the native character set. This is used to convert
	some informational strings like user IDs to the proper UTF-8 encoding.
	Note that this has nothing to do with the character set of data to be
	encrypted or signed; GnuPG does not recode user-supplied data. If
	this option is not used, the default character set is determined from
	the current locale. A verbosity level of 3 shows the chosen set.
	Valid values for @code{name} are:

	@table @asis

	@item iso-8859-1
	@opindex display-charset:iso-8859-1
	This is the Latin 1 set.

	@item iso-8859-2
	@opindex display-charset:iso-8859-2
	The Latin 2 set.

	@item iso-8859-15
	@opindex display-charset:iso-8859-15
	This is currently an alias for
	the Latin 1 set.

	@item koi8-r
	@opindex display-charset:koi8-r
	The usual Russian set (rfc1489).

	@item utf-8
	@opindex display-charset:utf-8
	Bypass all translations and assume
	that the OS uses native UTF-8 encoding.
	@end table

	@item --utf8-strings
	@itemx --no-utf8-strings
	@opindex utf8-strings
	Assume that command line arguments are given as UTF8 strings. The
	default (@option{--no-utf8-strings}) is to assume that arguments are
	encoded in the character set as specified by
	@option{--display-charset}. These options affect all following
	arguments. Both options may be used multiple times.

	@anchor{gpg-option --options}
	@item --options @code{file}
	@opindex options
	Read options from @code{file} and do not try to read them from the
	default options file in the homedir (see @option{--homedir}). This
	option is ignored if used in an options file.

	@item --no-options
	@opindex no-options
	Shortcut for @option{--options /dev/null}. This option is detected
	before an attempt to open an option file. Using this option will also
	prevent the creation of a @file{~/.gnupg} homedir.

	@item -z @code{n}
	@itemx --compress-level @code{n}
	@itemx --bzip2-compress-level @code{n}
	@opindex compress-level
	@opindex bzip2-compress-level
	Set compression level to @code{n} for the ZIP and ZLIB compression
	algorithms. The default is to use the default compression level of zlib
	(normally 6). @option{--bzip2-compress-level} sets the compression level
	for the BZIP2 compression algorithm (defaulting to 6 as well). This is a
	different option from @option{--compress-level} since BZIP2 uses a
	significant amount of memory for each additional compression level.
	@option{-z} sets both. A value of 0 for @code{n} disables compression.

	@item --bzip2-decompress-lowmem
	@opindex bzip2-decompress-lowmem
	Use a different decompression method for BZIP2 compressed files. This
	alternate method uses a bit more than half the memory, but also runs
	at half the speed. This is useful under extreme low memory
	circumstances when the file was originally compressed at a high
	@option{--bzip2-compress-level}.


	@item --mangle-dos-filenames
	@itemx --no-mangle-dos-filenames
	@opindex mangle-dos-filenames
	@opindex no-mangle-dos-filenames
	Older version of Windows cannot handle filenames with more than one
	dot. @option{--mangle-dos-filenames} causes GnuPG to replace (rather
	than add to) the extension of an output filename to avoid this
	problem. This option is off by default and has no effect on non-Windows
	platforms.

	@item --ask-cert-level
	@itemx --no-ask-cert-level
	@opindex ask-cert-level
	When making a key signature, prompt for a certification level. If this
	option is not specified, the certification level used is set via
	@option{--default-cert-level}. See @option{--default-cert-level} for
	information on the specific levels and how they are
	used. @option{--no-ask-cert-level} disables this option. This option
	defaults to no.

	@item --default-cert-level @code{n}
	@opindex default-cert-level
	The default to use for the check level when signing a key.

	0 means you make no particular claim as to how carefully you verified
	the key.

	1 means you believe the key is owned by the person who claims to own
	it but you could not, or did not verify the key at all. This is
	useful for a "persona" verification, where you sign the key of a
	pseudonymous user.

	2 means you did casual verification of the key. For example, this
	could mean that you verified the key fingerprint and checked the
	user ID on the key against a photo ID.

	3 means you did extensive verification of the key. For example, this
	could mean that you verified the key fingerprint with the owner of the
	key in person, and that you checked, by means of a hard to forge
	document with a photo ID (such as a passport) that the name of the key
	owner matches the name in the user ID on the key, and finally that you
	verified (by exchange of email) that the email address on the key
	belongs to the key owner.

	Note that the examples given above for levels 2 and 3 are just that:
	examples. In the end, it is up to you to decide just what "casual"
	and "extensive" mean to you.

	This option defaults to 0 (no particular claim).

	@item --min-cert-level
	@opindex min-cert-level
	When building the trust database, treat any signatures with a
	certification level below this as invalid. Defaults to 2, which
	disregards level 1 signatures. Note that level 0 "no particular
	claim" signatures are always accepted.

	@item --trusted-key @code{long key ID}
	@opindex trusted-key
	Assume that the specified key (which must be given
	as a full 8 byte key ID) is as trustworthy as one of
	your own secret keys. This option is useful if you
	don't want to keep your secret keys (or one of them)
	online but still want to be able to check the validity of a given
	recipient's or signator's key.

	@item --trust-model @code{pgp\|classic\|direct\|always\|auto}
	@opindex trust-model
	Set what trust model GnuPG should follow. The models are:

	@table @asis

	@item pgp
	@opindex trust-mode:pgp
	This is the Web of Trust combined with trust signatures as used in PGP
	5.x and later. This is the default trust model when creating a new
	trust database.

	@item classic
	@opindex trust-mode:classic
	This is the standard Web of Trust as introduced by PGP 2.

	@item direct
	@opindex trust-mode:direct
	Key validity is set directly by the user and not calculated via the
	Web of Trust.

	@item always
	@opindex trust-mode:always
	Skip key validation and assume that used keys are always fully
	valid. You generally won't use this unless you are using some
	external validation scheme. This option also suppresses the
	"[uncertain]" tag printed with signature checks when there is no
	evidence that the user ID is bound to the key. Note that this
	trust model still does not allow the use of expired, revoked, or
	disabled keys.

	@item auto
	@opindex trust-mode:auto
	Select the trust model depending on whatever the internal trust
	database says. This is the default model if such a database already
	exists.
	@end table

	@item --auto-key-locate @code{parameters}
	@itemx --no-auto-key-locate
	@opindex auto-key-locate
	GnuPG can automatically locate and retrieve keys as needed using this
	option. This happens when encrypting to an email address (in the
	"user@@example.com" form), and there are no user@@example.com keys on
	the local keyring. This option takes any number of the following
	mechanisms, in the order they are to be tried:

	@table @asis

	@item cert
	Locate a key using DNS CERT, as specified in rfc4398.

	@item pka
	Locate a key using DNS PKA.

	@item ldap
	Using DNS Service Discovery, check the domain in question for any LDAP
	keyservers to use. If this fails, attempt to locate the key using the
	PGP Universal method of checking @samp{ldap://keys.(thedomain)}.

	@item keyserver
	Locate a key using whatever keyserver is defined using the
	@option{--keyserver} option.

	@item keyserver-URL
	In addition, a keyserver URL as used in the @option{--keyserver} option
	may be used here to query that particular keyserver.

	@item local
	Locate the key using the local keyrings. This mechanism allows to
	select the order a local key lookup is done. Thus using
	@samp{--auto-key-locate local} is identical to
	@option{--no-auto-key-locate}.

	@item nodefault
	This flag disables the standard local key lookup, done before any of the
	mechanisms defined by the @option{--auto-key-locate} are tried. The
	position of this mechanism in the list does not matter. It is not
	required if @code{local} is also used.

	@item clear
	Clear all defined mechanisms. This is useful to override
	mechanisms given in a config file.

	@end table

	@item --keyid-format @code{short\|0xshort\|long\|0xlong}
	@opindex keyid-format
	Select how to display key IDs. "short" is the traditional 8-character
	key ID. "long" is the more accurate (but less convenient)
	16-character key ID. Add an "0x" to either to include an "0x" at the
	beginning of the key ID, as in 0x99242560. Note that this option is
	ignored if the option --with-colons is used.

	@item --keyserver @code{name}
	@opindex keyserver
	Use @code{name} as your keyserver. This is the server that
	@option{--recv-keys}, @option{--send-keys}, and @option{--search-keys}
	will communicate with to receive keys from, send keys to, and search for
	keys on. The format of the @code{name} is a URI:
	`scheme:[//]keyservername[:port]' The scheme is the type of keyserver:
	"hkp" for the HTTP (or compatible) keyservers, "ldap" for the LDAP
	keyservers, or "mailto" for the Graff email keyserver. Note that your
	particular installation of GnuPG may have other keyserver types
	available as well. Keyserver schemes are case-insensitive. After the
	keyserver name, optional keyserver configuration options may be
	provided. These are the same as the global @option{--keyserver-options}
	from below, but apply only to this particular keyserver.

	Most keyservers synchronize with each other, so there is generally no
	need to send keys to more than one server. The keyserver
	@code{hkp://keys.gnupg.net} uses round robin DNS to give a different
	keyserver each time you use it.

	@item --keyserver-options @code{name=value}
	@opindex keyserver-options
	This is a space or comma delimited string that gives options for the
	keyserver. Options can be prefixed with a `no-' to give the opposite
	meaning. Valid import-options or export-options may be used here as
	well to apply to importing (@option{--recv-key}) or exporting
	(@option{--send-key}) a key from a keyserver. While not all options
	are available for all keyserver types, some common options are:

	@table @asis

	@item include-revoked
	When searching for a key with @option{--search-keys}, include keys that
	are marked on the keyserver as revoked. Note that not all keyservers
	differentiate between revoked and unrevoked keys, and for such
	keyservers this option is meaningless. Note also that most keyservers do
	not have cryptographic verification of key revocations, and so turning
	this option off may result in skipping keys that are incorrectly marked
	as revoked.

	@item include-disabled
	When searching for a key with @option{--search-keys}, include keys that
	are marked on the keyserver as disabled. Note that this option is not
	used with HKP keyservers.

	@item auto-key-retrieve
	This option enables the automatic retrieving of keys from a keyserver
	when verifying signatures made by keys that are not on the local
	keyring.

	Note that this option makes a "web bug" like behavior possible.
	Keyserver operators can see which keys you request, so by sending you
	a message signed by a brand new key (which you naturally will not have
	on your local keyring), the operator can tell both your IP address and
	the time when you verified the signature.

	@item honor-keyserver-url
	When using @option{--refresh-keys}, if the key in question has a preferred
	keyserver URL, then use that preferred keyserver to refresh the key
	from. In addition, if auto-key-retrieve is set, and the signature
	being verified has a preferred keyserver URL, then use that preferred
	keyserver to fetch the key from. Note that this option introduces a
	"web bug": The creator of the key can see when the keys is
	refreshed. Thus this option is not enabled by default.

	@item honor-pka-record
	If auto-key-retrieve is set, and the signature being verified has a
	PKA record, then use the PKA information to fetch the key. Defaults
	to "yes".

	@item include-subkeys
	When receiving a key, include subkeys as potential targets. Note that
	this option is not used with HKP keyservers, as they do not support
	retrieving keys by subkey id.

	@ifclear gpgtwoone
	@item use-temp-files
	On most Unix-like platforms, GnuPG communicates with the keyserver
	helper program via pipes, which is the most efficient method. This
	option forces GnuPG to use temporary files to communicate. On some
	platforms (such as Win32 and RISC OS), this option is always enabled.
	@end ifclear

	@ifclear gpgtwoone
	@item keep-temp-files
	If using `use-temp-files', do not delete the temp files after using
	them. This option is useful to learn the keyserver communication
	protocol by reading the temporary files.
	@end ifclear

	@item timeout
	Tell the keyserver helper program how long (in seconds) to try and
	perform a keyserver action before giving up. Note that performing
	multiple actions at the same time uses this timeout value per action.
	For example, when retrieving multiple keys via @option{--recv-keys}, the
	timeout applies separately to each key retrieval, and not to the
	@option{--recv-keys} command as a whole. Defaults to 30 seconds.

	@item http-proxy=@code{value}
	Set the proxy to use for HTTP and HKP keyservers.
	@ifset gpgtwoone
	This overrides any proxy defined in @file{dirmngr.conf}.
	@end ifset
	@ifclear gpgtwoone
	This overrides the "http_proxy" environment variable, if any.
	@end ifclear

	@ifclear gpgtwoone
	@item max-cert-size
	When retrieving a key via DNS CERT, only accept keys up to this size.
	Defaults to 16384 bytes.
	@end ifclear

	@item verbose
	@ifset gpgtwoone
	This option has no more function since GnuPG 2.1. Use the
	@code{dirmngr} configuration options instead.
	@end ifset
	@ifclear gpgtwoone
	Tell the keyserver helper program to be more verbose. This option can
	be repeated multiple times to increase the verbosity level.
	@end ifclear

	@item debug
	@ifset gpgtwoone
	This option has no more function since GnuPG 2.1. Use the
	@code{dirmngr} configuration options instead.
	@end ifset
	@ifclear gpgtwoone
	Turn on debug output in the keyserver helper program. Note that the
	details of debug output depends on which keyserver helper program is
	being used, and in turn, on any libraries that the keyserver helper
	program uses internally (libcurl, openldap, etc).
	@end ifclear

	@item check-cert
	@ifset gpgtwoone
	This option has no more function since GnuPG 2.1. Use the
	@code{dirmngr} configuration options instead.
	@end ifset
	@ifclear gpgtwoone
	Enable certificate checking if the keyserver presents one (for hkps or
	ldaps). Defaults to on.
	@end ifclear

	@item ca-cert-file
	@ifset gpgtwoone
	This option has no more function since GnuPG 2.1. Use the
	@code{dirmngr} configuration options instead.
	@end ifset
	@ifclear gpgtwoone
	Provide a certificate store to override the system default. Only
	necessary if check-cert is enabled, and the keyserver is using a
	certificate that is not present in a system default certificate list.

	Note that depending on the SSL library that the keyserver helper is
	built with, this may actually be a directory or a file.
	@end ifclear

	@end table

	@item --completes-needed @code{n}
	@opindex compliant-needed
	Number of completely trusted users to introduce a new
	key signer (defaults to 1).

	@item --marginals-needed @code{n}
	@opindex marginals-needed
	Number of marginally trusted users to introduce a new
	key signer (defaults to 3)

	@item --max-cert-depth @code{n}
	@opindex max-cert-depth
	Maximum depth of a certification chain (default is 5).

	@ifclear gpgtwoone
	@item --simple-sk-checksum
	@opindex simple-sk-checksum
	Secret keys are integrity protected by using a SHA-1 checksum. This
	method is part of the upcoming enhanced OpenPGP specification but
	GnuPG already uses it as a countermeasure against certain attacks.
	Old applications don't understand this new format, so this option may
	be used to switch back to the old behaviour. Using this option bears
	a security risk. Note that using this option only takes effect when
	the secret key is encrypted - the simplest way to make this happen is
	to change the passphrase on the key (even changing it to the same
	value is acceptable).
	@end ifclear

	@item --no-sig-cache
	@opindex no-sig-cache
	Do not cache the verification status of key signatures.
	Caching gives a much better performance in key listings. However, if
	you suspect that your public keyring is not save against write
	modifications, you can use this option to disable the caching. It
	probably does not make sense to disable it because all kind of damage
	can be done if someone else has write access to your public keyring.

	@item --no-sig-create-check
	@opindex no-sig-create-check
	GnuPG normally verifies each signature right after creation to protect
	against bugs and hardware malfunctions which could leak out bits from
	the secret key. This extra verification needs some time (about 115%
	for DSA keys), and so this option can be used to disable it.
	However, due to the fact that the signature creation needs manual
	interaction, this performance penalty does not matter in most settings.

	@item --auto-check-trustdb
	@itemx --no-auto-check-trustdb
	@opindex auto-check-trustdb
	If GnuPG feels that its information about the Web of Trust has to be
	updated, it automatically runs the @option{--check-trustdb} command
	internally. This may be a time consuming
	process. @option{--no-auto-check-trustdb} disables this option.

	@item --use-agent
	@itemx --no-use-agent
	@opindex use-agent
	This is dummy option. @command{@gpgname} always requires the agent.

	@item --gpg-agent-info
	@opindex gpg-agent-info
	This is dummy option. It has no effect when used with @command{gpg2}.


	@item --agent-program @var{file}
	@opindex agent-program
	Specify an agent program to be used for secret key operations. The
	default value is determined by running @command{gpgconf} with the
	option @option{--list-dirs}. Note that the pipe symbol (@code{\|}) is
	used for a regression test suite hack and may thus not be used in the
	file name.
	@ifclear gpgtwoone
	This is only used
	as a fallback when the environment variable @code{GPG_AGENT_INFO} is not
	set or a running agent cannot be connected.
	@end ifclear

	@ifset gpgtwoone
	@item --dirmngr-program @var{file}
	@opindex dirmngr-program
	Specify a dirmngr program to be used for keyserver access. The
	default value is @file{/usr/sbin/dirmngr}. This is only used as a
	fallback when the environment variable @code{DIRMNGR_INFO} is not set or
	a running dirmngr cannot be connected.
	@end ifset

	@item --no-autostart
	@opindex no-autostart
	Do not start the gpg-agent or the dirmngr if it has not yet been
	started and its service is required. This option is mostly useful on
	machines where the connection to gpg-agent has been redirected to
	another machines. If dirmngr is required on the remote machine, it
	may be started manually using @command{gpgconf --launch dirmngr}.

	@item --lock-once
	@opindex lock-once
	Lock the databases the first time a lock is requested
	and do not release the lock until the process
	terminates.

	@item --lock-multiple
	@opindex lock-multiple
	Release the locks every time a lock is no longer
	needed. Use this to override a previous @option{--lock-once}
	from a config file.

	@item --lock-never
	@opindex lock-never
	Disable locking entirely. This option should be used only in very
	special environments, where it can be assured that only one process
	is accessing those files. A bootable floppy with a stand-alone
	encryption system will probably use this. Improper usage of this
	option may lead to data and key corruption.

	@item --exit-on-status-write-error
	@opindex exit-on-status-write-error
	This option will cause write errors on the status FD to immediately
	terminate the process. That should in fact be the default but it never
	worked this way and thus we need an option to enable this, so that the
	change won't break applications which close their end of a status fd
	connected pipe too early. Using this option along with
	@option{--enable-progress-filter} may be used to cleanly cancel long
	running gpg operations.

	@item --limit-card-insert-tries @code{n}
	@opindex limit-card-insert-tries
	With @code{n} greater than 0 the number of prompts asking to insert a
	smartcard gets limited to N-1. Thus with a value of 1 gpg won't at
	all ask to insert a card if none has been inserted at startup. This
	option is useful in the configuration file in case an application does
	not know about the smartcard support and waits ad infinitum for an
	inserted card.

	@item --no-random-seed-file
	@opindex no-random-seed-file
	GnuPG uses a file to store its internal random pool over invocations.
	This makes random generation faster; however sometimes write operations
	are not desired. This option can be used to achieve that with the cost of
	slower random generation.

	@item --no-greeting
	@opindex no-greeting
	Suppress the initial copyright message.

	@item --no-secmem-warning
	@opindex no-secmem-warning
	Suppress the warning about "using insecure memory".

	@item --no-permission-warning
	@opindex permission-warning
	Suppress the warning about unsafe file and home directory (@option{--homedir})
	permissions. Note that the permission checks that GnuPG performs are
	not intended to be authoritative, but rather they simply warn about
	certain common permission problems. Do not assume that the lack of a
	warning means that your system is secure.

	Note that the warning for unsafe @option{--homedir} permissions cannot be
	suppressed in the gpg.conf file, as this would allow an attacker to
	place an unsafe gpg.conf file in place, and use this file to suppress
	warnings about itself. The @option{--homedir} permissions warning may only be
	suppressed on the command line.

	@item --no-mdc-warning
	@opindex no-mdc-warning
	Suppress the warning about missing MDC integrity protection.

	@item --require-secmem
	@itemx --no-require-secmem
	@opindex require-secmem
	Refuse to run if GnuPG cannot get secure memory. Defaults to no
	(i.e. run, but give a warning).


	@item --require-cross-certification
	@itemx --no-require-cross-certification
	@opindex require-cross-certification
	When verifying a signature made from a subkey, ensure that the cross
	certification "back signature" on the subkey is present and valid. This
	protects against a subtle attack against subkeys that can sign.
	Defaults to @option{--require-cross-certification} for
	@command{@gpgname}.

	@item --expert
	@itemx --no-expert
	@opindex expert
	Allow the user to do certain nonsensical or "silly" things like
	signing an expired or revoked key, or certain potentially incompatible
	things like generating unusual key types. This also disables certain
	warning messages about potentially incompatible actions. As the name
	implies, this option is for experts only. If you don't fully
	understand the implications of what it allows you to do, leave this
	off. @option{--no-expert} disables this option.

	@end table


	@c *******************************************
	@c ****** KEY RELATED OPTIONS **********
	@c *******************************************
	@node GPG Key related Options
	@subsection Key related options

	@table @gnupgtabopt

	@item --recipient @var{name}
	@itemx -r
	@opindex recipient
	Encrypt for user id @var{name}. If this option or
	@option{--hidden-recipient} is not specified, GnuPG asks for the user-id
	unless @option{--default-recipient} is given.

	@item --hidden-recipient @var{name}
	@itemx -R
	@opindex hidden-recipient
	Encrypt for user ID @var{name}, but hide the key ID of this user's
	key. This option helps to hide the receiver of the message and is a
	limited countermeasure against traffic analysis. If this option or
	@option{--recipient} is not specified, GnuPG asks for the user ID unless
	@option{--default-recipient} is given.

	@item --encrypt-to @code{name}
	@opindex encrypt-to
	Same as @option{--recipient} but this one is intended for use in the
	options file and may be used with your own user-id as an
	"encrypt-to-self". These keys are only used when there are other
	recipients given either by use of @option{--recipient} or by the asked
	user id. No trust checking is performed for these user ids and even
	disabled keys can be used.

	@item --hidden-encrypt-to @code{name}
	@opindex hidden-encrypt-to
	Same as @option{--hidden-recipient} but this one is intended for use in the
	options file and may be used with your own user-id as a hidden
	"encrypt-to-self". These keys are only used when there are other
	recipients given either by use of @option{--recipient} or by the asked user id.
	No trust checking is performed for these user ids and even disabled
	keys can be used.

	@item --no-encrypt-to
	@opindex no-encrypt-to
	Disable the use of all @option{--encrypt-to} and
	@option{--hidden-encrypt-to} keys.

	@item --group @code{name=value1 }
	@opindex group
	Sets up a named group, which is similar to aliases in email programs.
	Any time the group name is a recipient (@option{-r} or
	@option{--recipient}), it will be expanded to the values
	specified. Multiple groups with the same name are automatically merged
	into a single group.

	The values are @code{key IDs} or fingerprints, but any key description
	is accepted. Note that a value with spaces in it will be treated as
	two different values. Note also there is only one level of expansion
	--- you cannot make an group that points to another group. When used
	from the command line, it may be necessary to quote the argument to
	this option to prevent the shell from treating it as multiple
	arguments.

	@item --ungroup @code{name}
	@opindex ungroup
	Remove a given entry from the @option{--group} list.

	@item --no-groups
	@opindex no-groups
	Remove all entries from the @option{--group} list.

	@item --local-user @var{name}
	@itemx -u
	@opindex local-user
	Use @var{name} as the key to sign with. Note that this option overrides
	@option{--default-key}.

	@ifset gpgtwoone
	@item --try-secret-key @var{name}
	@opindex try-secret-key
	For hidden recipients GPG needs to know the keys to use for trial
	decryption. The key set with @option{--default-key} is always tried
	first, but this is often not sufficient. This option allows to set more
	keys to be used for trial decryption. Although any valid user-id
	specification may be used for @var{name} it makes sense to use at least
	the long keyid to avoid ambiguities. Note that gpg-agent might pop up a
	pinentry for a lot keys to do the trial decryption. If you want to stop
	all further trial decryption you may use close-window button instead of
	the cancel button.
	@end ifset

	@item --try-all-secrets
	@opindex try-all-secrets
	Don't look at the key ID as stored in the message but try all secret
	keys in turn to find the right decryption key. This option forces the
	behaviour as used by anonymous recipients (created by using
	@option{--throw-keyids} or @option{--hidden-recipient}) and might come
	handy in case where an encrypted message contains a bogus key ID.

	@item --skip-hidden-recipients
	@itemx --no-skip-hidden-recipients
	@opindex skip-hidden-recipients
	@opindex no-skip-hidden-recipients
	During decryption skip all anonymous recipients. This option helps in
	the case that people use the hidden recipients feature to hide there
	own encrypt-to key from others. If oneself has many secret keys this
	may lead to a major annoyance because all keys are tried in turn to
	decrypt something which was not really intended for it. The drawback
	of this option is that it is currently not possible to decrypt a
	message which includes real anonymous recipients.


	@end table

	@c *******************************************
	@c ****** INPUT AND OUTPUT *************
	@c *******************************************
	@node GPG Input and Output
	@subsection Input and Output

	@table @gnupgtabopt

	@item --armor
	@itemx -a
	@opindex armor
	Create ASCII armored output. The default is to create the binary
	OpenPGP format.

	@item --no-armor
	@opindex no-armor
	Assume the input data is not in ASCII armored format.

	@item --output @var{file}
	@itemx -o @var{file}
	@opindex output
	Write output to @var{file}.

	@item --max-output @code{n}
	@opindex max-output
	This option sets a limit on the number of bytes that will be generated
	when processing a file. Since OpenPGP supports various levels of
	compression, it is possible that the plaintext of a given message may be
	significantly larger than the original OpenPGP message. While GnuPG
	works properly with such messages, there is often a desire to set a
	maximum file size that will be generated before processing is forced to
	stop by the OS limits. Defaults to 0, which means "no limit".

	@item --import-options @code{parameters}
	@opindex import-options
	This is a space or comma delimited string that gives options for
	importing keys. Options can be prepended with a `no-' to give the
	opposite meaning. The options are:

	@table @asis

	@item import-local-sigs
	Allow importing key signatures marked as "local". This is not
	generally useful unless a shared keyring scheme is being used.
	Defaults to no.

	@item keep-ownertrust
	Normally possible still existing ownertrust values of a key are
	cleared if a key is imported. This is in general desirable so that
	a formerly deleted key does not automatically gain an ownertrust
	values merely due to import. On the other hand it is sometimes
	necessary to re-import a trusted set of keys again but keeping
	already assigned ownertrust values. This can be achived by using
	this option.

	@item repair-pks-subkey-bug
	During import, attempt to repair the damage caused by the PKS keyserver
	bug (pre version 0.9.6) that mangles keys with multiple subkeys. Note
	that this cannot completely repair the damaged key as some crucial data
	is removed by the keyserver, but it does at least give you back one
	subkey. Defaults to no for regular @option{--import} and to yes for
	keyserver @option{--recv-keys}.

	@item merge-only
	During import, allow key updates to existing keys, but do not allow
	any new keys to be imported. Defaults to no.

	@item import-clean
	After import, compact (remove all signatures except the
	self-signature) any user IDs from the new key that are not usable.
	Then, remove any signatures from the new key that are not usable.
	This includes signatures that were issued by keys that are not present
	on the keyring. This option is the same as running the @option{--edit-key}
	command "clean" after import. Defaults to no.

	@item import-minimal
	Import the smallest key possible. This removes all signatures except
	the most recent self-signature on each user ID. This option is the
	same as running the @option{--edit-key} command "minimize" after import.
	Defaults to no.
	@end table

	@item --export-options @code{parameters}
	@opindex export-options
	This is a space or comma delimited string that gives options for
	exporting keys. Options can be prepended with a `no-' to give the
	opposite meaning. The options are:

	@table @asis

	@item export-local-sigs
	Allow exporting key signatures marked as "local". This is not
	generally useful unless a shared keyring scheme is being used.
	Defaults to no.

	@item export-attributes
	Include attribute user IDs (photo IDs) while exporting. This is
	useful to export keys if they are going to be used by an OpenPGP
	program that does not accept attribute user IDs. Defaults to yes.

	@item export-sensitive-revkeys
	Include designated revoker information that was marked as
	"sensitive". Defaults to no.

	@c Since GnuPG 2.1 gpg-agent manages the secret key and thus the
	@c export-reset-subkey-passwd hack is not anymore justified. Such use
	@c cases need to be implemented using a specialized secret key export
	@c tool.
	@ifclear gpgtwoone
	@item export-reset-subkey-passwd
	When using the @option{--export-secret-subkeys} command, this option resets
	the passphrases for all exported subkeys to empty. This is useful
	when the exported subkey is to be used on an unattended machine where
	a passphrase doesn't necessarily make sense. Defaults to no.
	@end ifclear

	@item export-clean
	Compact (remove all signatures from) user IDs on the key being
	exported if the user IDs are not usable. Also, do not export any
	signatures that are not usable. This includes signatures that were
	issued by keys that are not present on the keyring. This option is
	the same as running the @option{--edit-key} command "clean" before export
	except that the local copy of the key is not modified. Defaults to
	no.

	@item export-minimal
	Export the smallest key possible. This removes all signatures except the
	most recent self-signature on each user ID. This option is the same as
	running the @option{--edit-key} command "minimize" before export except
	that the local copy of the key is not modified. Defaults to no.
	@end table

	@item --with-colons
	@opindex with-colons
	Print key listings delimited by colons. Note that the output will be
	encoded in UTF-8 regardless of any @option{--display-charset} setting. This
	format is useful when GnuPG is called from scripts and other programs
	as it is easily machine parsed. The details of this format are
	documented in the file @file{doc/DETAILS}, which is included in the GnuPG
	source distribution.


	@item --print-pka-records
	@opindex print-pka-records
	Modify the output of the list commands to print PKA records suitable
	to put into DNS zone files. An ORIGIN line is printed before each
	record to allow diverting the records to the corresponding zone file.

	@item --fixed-list-mode
	@opindex fixed-list-mode
	Do not merge primary user ID and primary key in @option{--with-colon}
	listing mode and print all timestamps as seconds since 1970-01-01.
	Since GnuPG 2.0.10, this mode is always used and thus this option is
	obsolete; it does not harm to use it though.

	@ifset gpgtwoone
	@item --legacy-list-mode
	@opindex legacy-list-mode
	Revert to the pre-2.1 public key list mode. This only affects the
	human readable output and not the machine interface
	(i.e. @code{--with-colons}). Note that the legacy format does not
	allow to convey suitable information for elliptic curves.
	@end ifset

	@item --with-fingerprint
	@opindex with-fingerprint
	Same as the command @option{--fingerprint} but changes only the format
	of the output and may be used together with another command.

	@ifset gpgtwoone

	@item --with-icao-spelling
	@opindex with-icao-spelling
	Print the ICAO spelling of the fingerprint in addition to the hex digits.

	@item --with-keygrip
	@opindex with-keygrip
	Include the keygrip in the key listings.

	@item --with-secret
	@opindex with-secret
	Include info about the presence of a secret key in public key listings
	done with @code{--with-colons}.

	@end ifset

	@end table

	@c *******************************************
	@c ****** OPENPGP OPTIONS **************
	@c *******************************************
	@node OpenPGP Options
	@subsection OpenPGP protocol specific options.

	@table @gnupgtabopt

	@item -t, --textmode
	@itemx --no-textmode
	@opindex textmode
	Treat input files as text and store them in the OpenPGP canonical text
	form with standard "CRLF" line endings. This also sets the necessary
	flags to inform the recipient that the encrypted or signed data is text
	and may need its line endings converted back to whatever the local
	system uses. This option is useful when communicating between two
	platforms that have different line ending conventions (UNIX-like to Mac,
	Mac to Windows, etc). @option{--no-textmode} disables this option, and
	is the default.

	@ifclear gpgtwoone
	@item --force-v3-sigs
	@itemx --no-force-v3-sigs
	@opindex force-v3-sigs
	OpenPGP states that an implementation should generate v4 signatures
	but PGP versions 5 through 7 only recognize v4 signatures on key
	material. This option forces v3 signatures for signatures on data.
	Note that this option implies @option{--no-ask-sig-expire}, and unsets
	@option{--sig-policy-url}, @option{--sig-notation}, and
	@option{--sig-keyserver-url}, as these features cannot be used with v3
	signatures. @option{--no-force-v3-sigs} disables this option.
	Defaults to no.

	@item --force-v4-certs
	@itemx --no-force-v4-certs
	@opindex force-v4-certs
	Always use v4 key signatures even on v3 keys. This option also
	changes the default hash algorithm for v3 RSA keys from MD5 to SHA-1.
	@option{--no-force-v4-certs} disables this option.
	@end ifclear

	@ifset gpgtwoone
	@item --force-v3-sigs
	@itemx --no-force-v3-sigs
	@item --force-v4-certs
	@itemx --no-force-v4-certs
	These options are obsolete and have no effect since GnuPG 2.1.
	@end ifset

	@item --force-mdc
	@opindex force-mdc
	Force the use of encryption with a modification detection code. This
	is always used with the newer ciphers (those with a blocksize greater
	than 64 bits), or if all of the recipient keys indicate MDC support in
	their feature flags.

	@item --disable-mdc
	@opindex disable-mdc
	Disable the use of the modification detection code. Note that by
	using this option, the encrypted message becomes vulnerable to a
	message modification attack.

	@item --personal-cipher-preferences @code{string}
	@opindex personal-cipher-preferences
	Set the list of personal cipher preferences to @code{string}. Use
	@command{@gpgname --version} to get a list of available algorithms,
	and use @code{none} to set no preference at all. This allows the user
	to safely override the algorithm chosen by the recipient key
	preferences, as GPG will only select an algorithm that is usable by
	all recipients. The most highly ranked cipher in this list is also
	used for the @option{--symmetric} encryption command.

	@item --personal-digest-preferences @code{string}
	@opindex personal-digest-preferences
	Set the list of personal digest preferences to @code{string}. Use
	@command{@gpgname --version} to get a list of available algorithms,
	and use @code{none} to set no preference at all. This allows the user
	to safely override the algorithm chosen by the recipient key
	preferences, as GPG will only select an algorithm that is usable by
	all recipients. The most highly ranked digest algorithm in this list
	is also used when signing without encryption
	(e.g. @option{--clearsign} or @option{--sign}).

	@item --personal-compress-preferences @code{string}
	@opindex personal-compress-preferences
	Set the list of personal compression preferences to @code{string}.
	Use @command{@gpgname --version} to get a list of available
	algorithms, and use @code{none} to set no preference at all. This
	allows the user to safely override the algorithm chosen by the
	recipient key preferences, as GPG will only select an algorithm that
	is usable by all recipients. The most highly ranked compression
	algorithm in this list is also used when there are no recipient keys
	to consider (e.g. @option{--symmetric}).

	@item --s2k-cipher-algo @code{name}
	@opindex s2k-cipher-algo
	Use @code{name} as the cipher algorithm used to protect secret keys.
	-The default cipher is @value{DEFSYMENCALGO}. This cipher is also used for
	-conventional encryption if @option{--personal-cipher-preferences} and
	-@option{--cipher-algo} is not given.
	+The default cipher is @value{DEFSYMENCALGO}. This cipher is also used
	+for symmetric encryption with a passphrase if
	+@option{--personal-cipher-preferences} and @option{--cipher-algo} is
	+not given.

	@item --s2k-digest-algo @code{name}
	@opindex s2k-digest-algo
	Use @code{name} as the digest algorithm used to mangle the passphrases.
	The default algorithm is SHA-1.

	@item --s2k-mode @code{n}
	@opindex s2k-mode
	Selects how passphrases are mangled. If @code{n} is 0 a plain
	passphrase (which is not recommended) will be used, a 1 adds a salt to
	the passphrase and a 3 (the default) iterates the whole process a
	number of times (see --s2k-count). Unless @option{--rfc1991} is used,
	-this mode is also used for conventional encryption.
	+this mode is also used for symmetric encryption with a passphrase.

	@item --s2k-count @code{n}
	@opindex s2k-count
	Specify how many times the passphrase mangling is repeated. This
	value may range between 1024 and 65011712 inclusive. The default is
	inquired from gpg-agent. Note that not all values in the
	1024-65011712 range are legal and if an illegal value is selected,
	GnuPG will round up to the nearest legal value. This option is only
	meaningful if @option{--s2k-mode} is 3.


	@end table

	@c ***************************
	@c ***** Compliance ******
	@c ***************************
	@node Compliance Options
	@subsection Compliance options

	These options control what GnuPG is compliant to. Only one of these
	options may be active at a time. Note that the default setting of
	this is nearly always the correct one. See the INTEROPERABILITY WITH
	OTHER OPENPGP PROGRAMS section below before using one of these
	options.

	@table @gnupgtabopt

	@item --gnupg
	@opindex gnupg
	Use standard GnuPG behavior. This is essentially OpenPGP behavior
	(see @option{--openpgp}), but with some additional workarounds for common
	compatibility problems in different versions of PGP. This is the
	default option, so it is not generally needed, but it may be useful to
	override a different compliance option in the gpg.conf file.

	@item --openpgp
	@opindex openpgp
	Reset all packet, cipher and digest options to strict OpenPGP
	behavior. Use this option to reset all previous options like
	@option{--s2k-*}, @option{--cipher-algo}, @option{--digest-algo} and
	@option{--compress-algo} to OpenPGP compliant values. All PGP
	workarounds are disabled.

	@item --rfc4880
	@opindex rfc4880
	Reset all packet, cipher and digest options to strict RFC-4880
	behavior. Note that this is currently the same thing as
	@option{--openpgp}.

	@item --rfc2440
	@opindex rfc2440
	Reset all packet, cipher and digest options to strict RFC-2440
	behavior.

	@ifclear gpgtowone
	@item --rfc1991
	@opindex rfc1991
	Try to be more RFC-1991 (PGP 2.x) compliant. This option is
	deprecated will be removed in GnuPG 2.1.

	@item --pgp2
	@opindex pgp2
	Set up all options to be as PGP 2.x compliant as possible, and warn if
	an action is taken (e.g. encrypting to a non-RSA key) that will create
	a message that PGP 2.x will not be able to handle. Note that `PGP
	2.x' here means `MIT PGP 2.6.2'. There are other versions of PGP 2.x
	available, but the MIT release is a good common baseline.

	This option implies
	@option{--rfc1991 --disable-mdc --no-force-v4-certs
	--escape-from-lines --force-v3-sigs --allow-weak-digest-algos
	--cipher-algo IDEA --digest-algo MD5 --compress-algo ZIP}.
	It also disables @option{--textmode} when encrypting.

	This option is deprecated will be removed in GnuPG 2.1. The reason
	for dropping PGP-2 support is that the PGP 2 format is not anymore
	considered safe (for example due to the use of the broken MD5 algorithm).
	Note that the decryption of PGP-2 created messages will continue to work.
	@end ifclear

	@item --pgp6
	@opindex pgp6
	Set up all options to be as PGP 6 compliant as possible. This
	restricts you to the ciphers IDEA (if the IDEA plugin is installed),
	3DES, and CAST5, the hashes MD5, SHA1 and RIPEMD160, and the
	compression algorithms none and ZIP. This also disables
	--throw-keyids, and making signatures with signing subkeys as PGP 6
	does not understand signatures made by signing subkeys.

	@ifclear gpgtwoone
	This option implies @option{--disable-mdc --escape-from-lines --force-v3-sigs}.
	@end ifclear
	@ifset gpgtwoone
	This option implies @option{--disable-mdc --escape-from-lines}.
	@end ifset

	@item --pgp7
	@opindex pgp7
	Set up all options to be as PGP 7 compliant as possible. This is
	identical to @option{--pgp6} except that MDCs are not disabled, and the
	list of allowable ciphers is expanded to add AES128, AES192, AES256, and
	TWOFISH.

	@item --pgp8
	@opindex pgp8
	Set up all options to be as PGP 8 compliant as possible. PGP 8 is a lot
	closer to the OpenPGP standard than previous versions of PGP, so all
	this does is disable @option{--throw-keyids} and set
	@option{--escape-from-lines}. All algorithms are allowed except for the
	SHA224, SHA384, and SHA512 digests.

	@end table


	@c *******************************************
	@c ****** ESOTERIC OPTIONS *************
	@c *******************************************
	@node GPG Esoteric Options
	@subsection Doing things one usually doesn't want to do.

	@table @gnupgtabopt

	@item -n
	@itemx --dry-run
	@opindex dry-run
	Don't make any changes (this is not completely implemented).

	@item --list-only
	@opindex list-only
	Changes the behaviour of some commands. This is like @option{--dry-run} but
	different in some cases. The semantic of this command may be extended in
	the future. Currently it only skips the actual decryption pass and
	therefore enables a fast listing of the encryption keys.

	@item -i
	@itemx --interactive
	@opindex interactive
	Prompt before overwriting any files.

	@item --debug-level @var{level}
	@opindex debug-level
	Select the debug level for investigating problems. @var{level} may be
	a numeric value or by a keyword:

	@table @code
	@item none
	No debugging at all. A value of less than 1 may be used instead of
	the keyword.
	@item basic
	Some basic debug messages. A value between 1 and 2 may be used
	instead of the keyword.
	@item advanced
	More verbose debug messages. A value between 3 and 5 may be used
	instead of the keyword.
	@item expert
	Even more detailed messages. A value between 6 and 8 may be used
	instead of the keyword.
	@item guru
	All of the debug messages you can get. A value greater than 8 may be
	used instead of the keyword. The creation of hash tracing files is
	only enabled if the keyword is used.
	@end table

	How these messages are mapped to the actual debugging flags is not
	specified and may change with newer releases of this program. They are
	however carefully selected to best aid in debugging.

	@item --debug @var{flags}
	@opindex debug
	Set debugging flags. All flags are or-ed and @var{flags} may
	be given in C syntax (e.g. 0x0042).

	@item --debug-all
	@opindex debug-all
	Set all useful debugging flags.

	@item --debug-iolbf
	@opindex debug-iolbf
	Set stdout into line buffered mode. This option is only honored when
	given on the command line.

	@item --faked-system-time @var{epoch}
	@opindex faked-system-time
	This option is only useful for testing; it sets the system time back or
	forth to @var{epoch} which is the number of seconds elapsed since the year
	1970. Alternatively @var{epoch} may be given as a full ISO time string
	(e.g. "20070924T154812").

	@item --enable-progress-filter
	@opindex enable-progress-filter
	Enable certain PROGRESS status outputs. This option allows frontends
	to display a progress indicator while gpg is processing larger files.
	There is a slight performance overhead using it.

	@item --status-fd @code{n}
	@opindex status-fd
	Write special status strings to the file descriptor @code{n}.
	See the file DETAILS in the documentation for a listing of them.

	@item --status-file @code{file}
	@opindex status-file
	Same as @option{--status-fd}, except the status data is written to file
	@code{file}.

	@item --logger-fd @code{n}
	@opindex logger-fd
	Write log output to file descriptor @code{n} and not to STDERR.

	@item --log-file @code{file}
	@itemx --logger-file @code{file}
	@opindex log-file
	Same as @option{--logger-fd}, except the logger data is written to file
	@code{file}. Note that @option{--log-file} is only implemented for
	GnuPG-2.

	@item --attribute-fd @code{n}
	@opindex attribute-fd
	Write attribute subpackets to the file descriptor @code{n}. This is most
	useful for use with @option{--status-fd}, since the status messages are
	needed to separate out the various subpackets from the stream delivered
	to the file descriptor.

	@item --attribute-file @code{file}
	@opindex attribute-file
	Same as @option{--attribute-fd}, except the attribute data is written to
	file @code{file}.

	@item --comment @code{string}
	@itemx --no-comments
	@opindex comment
	Use @code{string} as a comment string in clear text signatures and ASCII
	armored messages or keys (see @option{--armor}). The default behavior is
	not to use a comment string. @option{--comment} may be repeated multiple
	times to get multiple comment strings. @option{--no-comments} removes
	all comments. It is a good idea to keep the length of a single comment
	below 60 characters to avoid problems with mail programs wrapping such
	lines. Note that comment lines, like all other header lines, are not
	protected by the signature.

	@item --emit-version
	@itemx --no-emit-version
	@opindex emit-version
	Force inclusion of the version string in ASCII armored output. If
	given once only the name of the program and the major number is
	emitted (default), given twice the minor is also emitted, given triple
	the micro is added, and given quad an operating system identification
	is also emitted. @option{--no-emit-version} disables the version
	line.

	@item --sig-notation @code{name=value}
	@itemx --cert-notation @code{name=value}
	@itemx -N, --set-notation @code{name=value}
	@opindex sig-notation
	@opindex cert-notation
	@opindex set-notation
	Put the name value pair into the signature as notation data.
	@code{name} must consist only of printable characters or spaces, and
	must contain a '@@' character in the form keyname@@domain.example.com
	(substituting the appropriate keyname and domain name, of course). This
	is to help prevent pollution of the IETF reserved notation
	namespace. The @option{--expert} flag overrides the '@@'
	check. @code{value} may be any printable string; it will be encoded in
	UTF8, so you should check that your @option{--display-charset} is set
	correctly. If you prefix @code{name} with an exclamation mark (!), the
	notation data will be flagged as critical
	(rfc4880:5.2.3.16). @option{--sig-notation} sets a notation for data
	signatures. @option{--cert-notation} sets a notation for key signatures
	(certifications). @option{--set-notation} sets both.

	There are special codes that may be used in notation names. "%k" will
	be expanded into the key ID of the key being signed, "%K" into the
	long key ID of the key being signed, "%f" into the fingerprint of the
	key being signed, "%s" into the key ID of the key making the
	signature, "%S" into the long key ID of the key making the signature,
	"%g" into the fingerprint of the key making the signature (which might
	be a subkey), "%p" into the fingerprint of the primary key of the key
	making the signature, "%c" into the signature count from the OpenPGP
	smartcard, and "%%" results in a single "%". %k, %K, and %f are only
	meaningful when making a key signature (certification), and %c is only
	meaningful when using the OpenPGP smartcard.

	@item --sig-policy-url @code{string}
	@itemx --cert-policy-url @code{string}
	@itemx --set-policy-url @code{string}
	@opindex sig-policy-url
	@opindex cert-policy-url
	@opindex set-policy-url
	Use @code{string} as a Policy URL for signatures (rfc4880:5.2.3.20). If
	you prefix it with an exclamation mark (!), the policy URL packet will
	be flagged as critical. @option{--sig-policy-url} sets a policy url for
	data signatures. @option{--cert-policy-url} sets a policy url for key
	signatures (certifications). @option{--set-policy-url} sets both.

	The same %-expandos used for notation data are available here as well.

	@item --sig-keyserver-url @code{string}
	@opindex sig-keyserver-url
	Use @code{string} as a preferred keyserver URL for data signatures. If
	you prefix it with an exclamation mark (!), the keyserver URL packet
	will be flagged as critical.

	The same %-expandos used for notation data are available here as well.

	@item --set-filename @code{string}
	@opindex set-filename
	Use @code{string} as the filename which is stored inside messages.
	This overrides the default, which is to use the actual filename of the
	file being encrypted.

	@item --for-your-eyes-only
	@itemx --no-for-your-eyes-only
	@opindex for-your-eyes-only
	Set the `for your eyes only' flag in the message. This causes GnuPG to
	refuse to save the file unless the @option{--output} option is given,
	and PGP to use a "secure viewer" with a claimed Tempest-resistant font
	to display the message. This option overrides @option{--set-filename}.
	@option{--no-for-your-eyes-only} disables this option.

	@item --use-embedded-filename
	@itemx --no-use-embedded-filename
	@opindex use-embedded-filename
	Try to create a file with a name as embedded in the data. This can be
	a dangerous option as it allows to overwrite files. Defaults to no.

	@item --cipher-algo @code{name}
	@opindex cipher-algo
	Use @code{name} as cipher algorithm. Running the program with the
	command @option{--version} yields a list of supported algorithms. If
	this is not used the cipher algorithm is selected from the preferences
	stored with the key. In general, you do not want to use this option as
	it allows you to violate the OpenPGP standard.
	@option{--personal-cipher-preferences} is the safe way to accomplish the
	same thing.

	@item --digest-algo @code{name}
	@opindex digest-algo
	Use @code{name} as the message digest algorithm. Running the program
	with the command @option{--version} yields a list of supported algorithms. In
	general, you do not want to use this option as it allows you to
	violate the OpenPGP standard. @option{--personal-digest-preferences} is the
	safe way to accomplish the same thing.

	@item --compress-algo @code{name}
	@opindex compress-algo
	Use compression algorithm @code{name}. "zlib" is RFC-1950 ZLIB
	compression. "zip" is RFC-1951 ZIP compression which is used by PGP.
	"bzip2" is a more modern compression scheme that can compress some
	things better than zip or zlib, but at the cost of more memory used
	during compression and decompression. "uncompressed" or "none"
	disables compression. If this option is not used, the default
	behavior is to examine the recipient key preferences to see which
	algorithms the recipient supports. If all else fails, ZIP is used for
	maximum compatibility.

	ZLIB may give better compression results than ZIP, as the compression
	window size is not limited to 8k. BZIP2 may give even better
	compression results than that, but will use a significantly larger
	amount of memory while compressing and decompressing. This may be
	significant in low memory situations. Note, however, that PGP (all
	versions) only supports ZIP compression. Using any algorithm other
	than ZIP or "none" will make the message unreadable with PGP. In
	general, you do not want to use this option as it allows you to
	violate the OpenPGP standard. @option{--personal-compress-preferences} is the
	safe way to accomplish the same thing.

	@item --cert-digest-algo @code{name}
	@opindex cert-digest-algo
	Use @code{name} as the message digest algorithm used when signing a
	key. Running the program with the command @option{--version} yields a
	list of supported algorithms. Be aware that if you choose an algorithm
	that GnuPG supports but other OpenPGP implementations do not, then some
	users will not be able to use the key signatures you make, or quite
	possibly your entire key.

	@item --disable-cipher-algo @code{name}
	@opindex disable-cipher-algo
	Never allow the use of @code{name} as cipher algorithm.
	The given name will not be checked so that a later loaded algorithm
	will still get disabled.

	@item --disable-pubkey-algo @code{name}
	@opindex disable-pubkey-algo
	Never allow the use of @code{name} as public key algorithm.
	The given name will not be checked so that a later loaded algorithm
	will still get disabled.

	@item --throw-keyids
	@itemx --no-throw-keyids
	@opindex throw-keyids
	Do not put the recipient key IDs into encrypted messages. This helps to
	hide the receivers of the message and is a limited countermeasure
	against traffic analysis.@footnote{Using a little social engineering
	anyone who is able to decrypt the message can check whether one of the
	other recipients is the one he suspects.} On the receiving side, it may
	slow down the decryption process because all available secret keys must
	be tried. @option{--no-throw-keyids} disables this option. This option
	is essentially the same as using @option{--hidden-recipient} for all
	recipients.

	@item --not-dash-escaped
	@opindex not-dash-escaped
	This option changes the behavior of cleartext signatures
	so that they can be used for patch files. You should not
	send such an armored file via email because all spaces
	and line endings are hashed too. You can not use this
	option for data which has 5 dashes at the beginning of a
	line, patch files don't have this. A special armor header
	line tells GnuPG about this cleartext signature option.

	@item --escape-from-lines
	@itemx --no-escape-from-lines
	@opindex escape-from-lines
	Because some mailers change lines starting with "From " to ">From " it
	is good to handle such lines in a special way when creating cleartext
	signatures to prevent the mail system from breaking the signature. Note
	that all other PGP versions do it this way too. Enabled by
	default. @option{--no-escape-from-lines} disables this option.

	@item --passphrase-repeat @code{n}
	@opindex passphrase-repeat
	Specify how many times @command{@gpgname} will request a new
	passphrase be repeated. This is useful for helping memorize a
	passphrase. Defaults to 1 repetition.

	@item --passphrase-fd @code{n}
	@opindex passphrase-fd
	Read the passphrase from file descriptor @code{n}. Only the first line
	will be read from file descriptor @code{n}. If you use 0 for @code{n},
	the passphrase will be read from STDIN. This can only be used if only
	one passphrase is supplied.

	Note that this passphrase is only used if the option @option{--batch}
	has also been given. This is different from GnuPG version 1.x.

	@item --passphrase-file @code{file}
	@opindex passphrase-file
	Read the passphrase from file @code{file}. Only the first line will
	be read from file @code{file}. This can only be used if only one
	passphrase is supplied. Obviously, a passphrase stored in a file is
	of questionable security if other users can read this file. Don't use
	this option if you can avoid it.
	Note that this passphrase is only used if the option @option{--batch}
	has also been given. This is different from GnuPG version 1.x.

	@item --passphrase @code{string}
	@opindex passphrase
	Use @code{string} as the passphrase. This can only be used if only one
	passphrase is supplied. Obviously, this is of very questionable
	security on a multi-user system. Don't use this option if you can
	avoid it.
	Note that this passphrase is only used if the option @option{--batch}
	has also been given. This is different from GnuPG version 1.x.

	@ifset gpgtwoone
	@item --pinentry-mode @code{mode}
	@opindex pinentry-mode
	Set the pinentry mode to @code{mode}. Allowed values for @code{mode}
	are:
	@table @asis
	@item default
	Use the default of the agent, which is @code{ask}.
	@item ask
	Force the use of the Pinentry.
	@item cancel
	Emulate use of Pinentry's cancel button.
	@item error
	Return a Pinentry error (``No Pinentry'').
	@item loopback
	Redirect Pinentry queries to the caller. Note that in contrast to
	Pinentry the user is not prompted again if he enters a bad password.
	@end table
	@end ifset

	@item --command-fd @code{n}
	@opindex command-fd
	This is a replacement for the deprecated shared-memory IPC mode.
	If this option is enabled, user input on questions is not expected
	from the TTY but from the given file descriptor. It should be used
	together with @option{--status-fd}. See the file doc/DETAILS in the source
	distribution for details on how to use it.

	@item --command-file @code{file}
	@opindex command-file
	Same as @option{--command-fd}, except the commands are read out of file
	@code{file}

	@item --allow-non-selfsigned-uid
	@itemx --no-allow-non-selfsigned-uid
	@opindex allow-non-selfsigned-uid
	Allow the import and use of keys with user IDs which are not
	self-signed. This is not recommended, as a non self-signed user ID is
	trivial to forge. @option{--no-allow-non-selfsigned-uid} disables.

	@item --allow-freeform-uid
	@opindex allow-freeform-uid
	Disable all checks on the form of the user ID while generating a new
	one. This option should only be used in very special environments as
	it does not ensure the de-facto standard format of user IDs.

	@item --ignore-time-conflict
	@opindex ignore-time-conflict
	GnuPG normally checks that the timestamps associated with keys and
	signatures have plausible values. However, sometimes a signature
	seems to be older than the key due to clock problems. This option
	makes these checks just a warning. See also @option{--ignore-valid-from} for
	timestamp issues on subkeys.

	@item --ignore-valid-from
	@opindex ignore-valid-from
	GnuPG normally does not select and use subkeys created in the future.
	This option allows the use of such keys and thus exhibits the
	pre-1.0.7 behaviour. You should not use this option unless there
	is some clock problem. See also @option{--ignore-time-conflict} for timestamp
	issues with signatures.

	@item --ignore-crc-error
	@opindex ignore-crc-error
	The ASCII armor used by OpenPGP is protected by a CRC checksum against
	transmission errors. Occasionally the CRC gets mangled somewhere on
	the transmission channel but the actual content (which is protected by
	the OpenPGP protocol anyway) is still okay. This option allows GnuPG
	to ignore CRC errors.

	@item --ignore-mdc-error
	@opindex ignore-mdc-error
	This option changes a MDC integrity protection failure into a warning.
	This can be useful if a message is partially corrupt, but it is
	necessary to get as much data as possible out of the corrupt message.
	However, be aware that a MDC protection failure may also mean that the
	message was tampered with intentionally by an attacker.

	@item --allow-weak-digest-algos
	@opindex allow-weak-digest-algos
	Signatures made with the broken MD5 algorithm are normally rejected
	with an ``invalid digest algorithm'' message. This option allows the
	verification of signatures made with such weak algorithms.

	@item --no-default-keyring
	@opindex no-default-keyring
	Do not add the default keyrings to the list of keyrings. Note that
	GnuPG will not operate without any keyrings, so if you use this option
	and do not provide alternate keyrings via @option{--keyring} or
	@option{--secret-keyring}, then GnuPG will still use the default public or
	secret keyrings.

	@item --skip-verify
	@opindex skip-verify
	Skip the signature verification step. This may be
	used to make the decryption faster if the signature
	verification is not needed.

	@item --with-key-data
	@opindex with-key-data
	Print key listings delimited by colons (like @option{--with-colons}) and
	print the public key data.

	@item --fast-list-mode
	@opindex fast-list-mode
	Changes the output of the list commands to work faster; this is achieved
	by leaving some parts empty. Some applications don't need the user ID
	and the trust information given in the listings. By using this options
	they can get a faster listing. The exact behaviour of this option may
	change in future versions. If you are missing some information, don't
	use this option.

	@item --no-literal
	@opindex no-literal
	This is not for normal use. Use the source to see for what it might be useful.

	@item --set-filesize
	@opindex set-filesize
	This is not for normal use. Use the source to see for what it might be useful.

	@item --show-session-key
	@opindex show-session-key
	Display the session key used for one message. See
	@option{--override-session-key} for the counterpart of this option.

	We think that Key Escrow is a Bad Thing; however the user should have
	the freedom to decide whether to go to prison or to reveal the content
	of one specific message without compromising all messages ever
	encrypted for one secret key.

	You can also use this option if you receive an encrypted message which
	is abusive or offensive, to prove to the administrators of the
	messaging system that the ciphertext transmitted corresponds to an
	inappropriate plaintext so they can take action against the offending
	user.

	@item --override-session-key @code{string}
	@opindex override-session-key
	Don't use the public key but the session key @code{string}. The format
	of this string is the same as the one printed by
	@option{--show-session-key}. This option is normally not used but comes
	handy in case someone forces you to reveal the content of an encrypted
	message; using this option you can do this without handing out the
	secret key.

	@item --ask-sig-expire
	@itemx --no-ask-sig-expire
	@opindex ask-sig-expire
	When making a data signature, prompt for an expiration time. If this
	option is not specified, the expiration time set via
	@option{--default-sig-expire} is used. @option{--no-ask-sig-expire}
	disables this option.

	@item --default-sig-expire
	@opindex default-sig-expire
	The default expiration time to use for signature expiration. Valid
	values are "0" for no expiration, a number followed by the letter d
	(for days), w (for weeks), m (for months), or y (for years) (for
	example "2m" for two months, or "5y" for five years), or an absolute
	date in the form YYYY-MM-DD. Defaults to "0".

	@item --ask-cert-expire
	@itemx --no-ask-cert-expire
	@opindex ask-cert-expire
	When making a key signature, prompt for an expiration time. If this
	option is not specified, the expiration time set via
	@option{--default-cert-expire} is used. @option{--no-ask-cert-expire}
	disables this option.

	@item --default-cert-expire
	@opindex default-cert-expire
	The default expiration time to use for key signature expiration.
	Valid values are "0" for no expiration, a number followed by the
	letter d (for days), w (for weeks), m (for months), or y (for years)
	(for example "2m" for two months, or "5y" for five years), or an
	absolute date in the form YYYY-MM-DD. Defaults to "0".

	@item --allow-secret-key-import
	@opindex allow-secret-key-import
	This is an obsolete option and is not used anywhere.

	@item --allow-multiple-messages
	@item --no-allow-multiple-messages
	@opindex allow-multiple-messages
	Allow processing of multiple OpenPGP messages contained in a single file
	or stream. Some programs that call GPG are not prepared to deal with
	multiple messages being processed together, so this option defaults to
	no. Note that versions of GPG prior to 1.4.7 always allowed multiple
	messages.

	Warning: Do not use this option unless you need it as a temporary
	workaround!


	@item --enable-special-filenames
	@opindex enable-special-filenames
	This options enables a mode in which filenames of the form
	@file{-&n}, where n is a non-negative decimal number,
	refer to the file descriptor n and not to a file with that name.

	@item --no-expensive-trust-checks
	@opindex no-expensive-trust-checks
	Experimental use only.

	@item --preserve-permissions
	@opindex preserve-permissions
	Don't change the permissions of a secret keyring back to user
	read/write only. Use this option only if you really know what you are doing.

	@item --default-preference-list @code{string}
	@opindex default-preference-list
	Set the list of default preferences to @code{string}. This preference
	list is used for new keys and becomes the default for "setpref" in the
	edit menu.

	@item --default-keyserver-url @code{name}
	@opindex default-keyserver-url
	Set the default keyserver URL to @code{name}. This keyserver will be
	used as the keyserver URL when writing a new self-signature on a key,
	which includes key generation and changing preferences.

	@item --list-config
	@opindex list-config
	Display various internal configuration parameters of GnuPG. This option
	is intended for external programs that call GnuPG to perform tasks, and
	is thus not generally useful. See the file @file{doc/DETAILS} in the
	source distribution for the details of which configuration items may be
	listed. @option{--list-config} is only usable with
	@option{--with-colons} set.

	@item --list-gcrypt-config
	@opindex list-gcrypt-config
	Display various internal configuration parameters of Libgcrypt.

	@item --gpgconf-list
	@opindex gpgconf-list
	This command is similar to @option{--list-config} but in general only
	internally used by the @command{gpgconf} tool.

	@item --gpgconf-test
	@opindex gpgconf-test
	This is more or less dummy action. However it parses the configuration
	file and returns with failure if the configuration file would prevent
	@command{gpg} from startup. Thus it may be used to run a syntax check
	on the configuration file.

	@end table

	@c *******************************
	@c ***** Deprecated **********
	@c *******************************
	@node Deprecated Options
	@subsection Deprecated options

	@table @gnupgtabopt

	@item --show-photos
	@itemx --no-show-photos
	@opindex show-photos
	Causes @option{--list-keys}, @option{--list-sigs},
	@option{--list-public-keys}, @option{--list-secret-keys}, and verifying
	a signature to also display the photo ID attached to the key, if
	any. See also @option{--photo-viewer}. These options are deprecated. Use
	@option{--list-options [no-]show-photos} and/or @option{--verify-options
	[no-]show-photos} instead.

	@item --show-keyring
	@opindex show-keyring
	Display the keyring name at the head of key listings to show which
	keyring a given key resides on. This option is deprecated: use
	@option{--list-options [no-]show-keyring} instead.

	@item --always-trust
	@opindex always-trust
	Identical to @option{--trust-model always}. This option is deprecated.

	@item --show-notation
	@itemx --no-show-notation
	@opindex show-notation
	Show signature notations in the @option{--list-sigs} or @option{--check-sigs} listings
	as well as when verifying a signature with a notation in it. These
	options are deprecated. Use @option{--list-options [no-]show-notation}
	and/or @option{--verify-options [no-]show-notation} instead.

	@item --show-policy-url
	@itemx --no-show-policy-url
	@opindex show-policy-url
	Show policy URLs in the @option{--list-sigs} or @option{--check-sigs}
	listings as well as when verifying a signature with a policy URL in
	it. These options are deprecated. Use @option{--list-options
	[no-]show-policy-url} and/or @option{--verify-options
	[no-]show-policy-url} instead.


	@end table


	@c *******************************************
	@c ************* **************
	@c ************* FILES **************
	@c ************* **************
	@c *******************************************
	@mansect files
	@node GPG Configuration
	@section Configuration files

	There are a few configuration files to control certain aspects of
	@command{@gpgname}'s operation. Unless noted, they are expected in the
	current home directory (@pxref{option --homedir}).

	@table @file

	@item gpg.conf
	@cindex gpg.conf
	This is the standard configuration file read by @command{@gpgname} on
	startup. It may contain any valid long option; the leading two dashes
	may not be entered and the option may not be abbreviated. This default
	name may be changed on the command line (@pxref{gpg-option --options}).
	You should backup this file.

	@end table

	@c man:.RE
	Note that on larger installations, it is useful to put predefined files
	into the directory @file{/etc/skel/.gnupg/} so that newly created users
	start up with a working configuration.
	For existing users a small
	helper script is provided to create these files (@pxref{addgnupghome}).

	For internal purposes @command{@gpgname} creates and maintains a few other
	files; They all live in in the current home directory (@pxref{option
	--homedir}). Only the @command{@gpgname} may modify these files.


	@table @file
	@item ~/.gnupg/pubring.gpg
	The public keyring. You should backup this file.

	@item ~/.gnupg/pubring.gpg.lock
	The lock file for the public keyring.

	@ifset gpgtwoone
	@item ~/.gnupg/pubring.kbx
	The public keyring using a different format. This file is sharred
	with @command{gpgsm}. You should backup this file.

	@item ~/.gnupg/pubring.kbx.lock
	The lock file for @file{pubring.kbx}.
	@end ifset

	@item ~/.gnupg/secring.gpg
	@ifclear gpgtwoone
	The secret keyring. You should backup this file.
	@end ifclear
	@ifset gpgtwoone
	A secret keyring as used by GnuPG versions before 2.1. It is not
	used by GnuPG 2.1 and later.

	@item ~/.gnupg/.gpg-v21-migrated
	File indicating that a migration to GnuPG 2.1 has taken place.
	@end ifset

	@item ~/.gnupg/trustdb.gpg
	The trust database. There is no need to backup this file; it is better
	to backup the ownertrust values (@pxref{option --export-ownertrust}).

	@item ~/.gnupg/trustdb.gpg.lock
	The lock file for the trust database.

	@item ~/.gnupg/random_seed
	A file used to preserve the state of the internal random pool.

	@item ~/.gnupg/secring.gpg.lock
	The lock file for the secret keyring.

	@item ~/.gnupg/openpgp-revocs.d/
	This is the directory where gpg stores pre-generated revocation
	certificates. The file name corresponds to the OpenPGP fingerprint of
	the respective key. It is suggested to backup those certificates and
	if the primary private key is not stored on the disk to move them to
	an external storage device. Anyone who can access theses files is
	able to revoke the corresponding key. You may want to print them out.
	You should backup all files in this directory and take care to keep
	this backup closed away.

	@item /usr[/local]/share/gnupg/options.skel
	The skeleton options file.

	@item /usr[/local]/lib/gnupg/
	Default location for extensions.

	@end table

	@c man:.RE
	Operation is further controlled by a few environment variables:

	@table @asis

	@item HOME
	Used to locate the default home directory.

	@item GNUPGHOME
	If set directory used instead of "~/.gnupg".

	@item GPG_AGENT_INFO
	@ifset gpgtwoone
	This variable was used by GnuPG versions before 2.1
	@end ifset
	@ifclear gpgtwoone
	Used to locate the gpg-agent.

	The value consists of 3 colon delimited fields: The first is the path
	to the Unix Domain Socket, the second the PID of the gpg-agent and the
	protocol version which should be set to 1. When starting the gpg-agent
	as described in its documentation, this variable is set to the correct
	value. The option @option{--gpg-agent-info} can be used to override it.
	@end ifclear

	@item PINENTRY_USER_DATA
	This value is passed via gpg-agent to pinentry. It is useful to convey
	extra information to a custom pinentry.

	@item COLUMNS
	@itemx LINES
	Used to size some displays to the full size of the screen.


	@item LANGUAGE
	Apart from its use by GNU, it is used in the W32 version to override the
	language selection done through the Registry. If used and set to a
	valid and available language name (@var{langid}), the file with the
	translation is loaded from

	@code{@var{gpgdir}/gnupg.nls/@var{langid}.mo}. Here @var{gpgdir} is the
	directory out of which the gpg binary has been loaded. If it can't be
	loaded the Registry is tried and as last resort the native Windows
	locale system is used.

	@end table


	@c *******************************************
	@c ************* **************
	@c ************* EXAMPLES **************
	@c ************* **************
	@c *******************************************
	@mansect examples
	@node GPG Examples
	@section Examples

	@table @asis

	@item gpg -se -r @code{Bob} @code{file}
	sign and encrypt for user Bob

	@item gpg --clearsign @code{file}
	make a clear text signature

	@item gpg -sb @code{file}
	make a detached signature

	@item gpg -u 0x12345678 -sb @code{file}
	make a detached signature with the key 0x12345678

	@item gpg --list-keys @code{user_ID}
	show keys

	@item gpg --fingerprint @code{user_ID}
	show fingerprint

	@item gpg --verify @code{pgpfile}
	@itemx gpg --verify @code{sigfile}
	Verify the signature of the file but do not output the data. The
	second form is used for detached signatures, where @code{sigfile}
	is the detached signature (either ASCII armored or binary) and
	are the signed data; if this is not given, the name of
	the file holding the signed data is constructed by cutting off the
	extension (".asc" or ".sig") of @code{sigfile} or by asking the
	user for the filename.
	@end table


	@c *******************************************
	@c ************* **************
	@c ************* USER ID **************
	@c ************* **************
	@c *******************************************
	@mansect how to specify a user id
	@ifset isman
	@include specify-user-id.texi
	@end ifset

	@mansect return value
	@chapheading RETURN VALUE

	The program returns 0 if everything was fine, 1 if at least
	a signature was bad, and other error codes for fatal errors.

	@mansect warnings
	@chapheading WARNINGS

	Use a good password for your user account and a good passphrase
	to protect your secret key. This passphrase is the weakest part of the
	whole system. Programs to do dictionary attacks on your secret keyring
	are very easy to write and so you should protect your "~/.gnupg/"
	directory very well.

	Keep in mind that, if this program is used over a network (telnet), it
	is very easy to spy out your passphrase!

	If you are going to verify detached signatures, make sure that the
	program knows about it; either give both filenames on the command line
	or use @samp{-} to specify STDIN.

	@mansect interoperability
	@chapheading INTEROPERABILITY WITH OTHER OPENPGP PROGRAMS

	GnuPG tries to be a very flexible implementation of the OpenPGP
	standard. In particular, GnuPG implements many of the optional parts
	of the standard, such as the SHA-512 hash, and the ZLIB and BZIP2
	compression algorithms. It is important to be aware that not all
	OpenPGP programs implement these optional algorithms and that by
	forcing their use via the @option{--cipher-algo},
	@option{--digest-algo}, @option{--cert-digest-algo}, or
	@option{--compress-algo} options in GnuPG, it is possible to create a
	perfectly valid OpenPGP message, but one that cannot be read by the
	intended recipient.

	There are dozens of variations of OpenPGP programs available, and each
	supports a slightly different subset of these optional algorithms.
	For example, until recently, no (unhacked) version of PGP supported
	the BLOWFISH cipher algorithm. A message using BLOWFISH simply could
	not be read by a PGP user. By default, GnuPG uses the standard
	OpenPGP preferences system that will always do the right thing and
	create messages that are usable by all recipients, regardless of which
	OpenPGP program they use. Only override this safe default if you
	really know what you are doing.

	If you absolutely must override the safe default, or if the preferences
	on a given key are invalid for some reason, you are far better off using
	the @option{--pgp6}, @option{--pgp7}, or @option{--pgp8} options. These
	options are safe as they do not force any particular algorithms in
	violation of OpenPGP, but rather reduce the available algorithms to a
	"PGP-safe" list.

	@mansect bugs
	@chapheading BUGS

	On older systems this program should be installed as setuid(root). This
	is necessary to lock memory pages. Locking memory pages prevents the
	operating system from writing memory pages (which may contain
	passphrases or other sensitive material) to disk. If you get no
	warning message about insecure memory your operating system supports
	locking without being root. The program drops root privileges as soon
	as locked memory is allocated.

	Note also that some systems (especially laptops) have the ability to
	``suspend to disk'' (also known as ``safe sleep'' or ``hibernate'').
	This writes all memory to disk before going into a low power or even
	powered off mode. Unless measures are taken in the operating system
	to protect the saved memory, passphrases or other sensitive material
	may be recoverable from it later.

	Before you report a bug you should first search the mailing list
	archives for similar problems and second check whether such a bug has
	already been reported to our bug tracker at http://bugs.gnupg.org .

	@c *******************************************
	@c ************* ************
	@c ************* UNATTENDED ************
	@c ************* ************
	@c *******************************************
	@manpause
	@node Unattended Usage of GPG
	@section Unattended Usage

	@command{gpg} is often used as a backend engine by other software. To help
	with this a machine interface has been defined to have an unambiguous
	way to do this. The options @option{--status-fd} and @option{--batch}
	are almost always required for this.

	@menu
	* Unattended GPG key generation:: Unattended key generation
	@end menu


	@node Unattended GPG key generation
	@subsection Unattended key generation

	The command @option{--gen-key} may be used along with the option
	@option{--batch} for unattended key generation. The parameters are
	either read from stdin or given as a file on the command line.
	The format of the parameter file is as follows:

	@itemize @bullet
	@item Text only, line length is limited to about 1000 characters.
	@item UTF-8 encoding must be used to specify non-ASCII characters.
	@item Empty lines are ignored.
	@item Leading and trailing while space is ignored.
	@item A hash sign as the first non white space character indicates
	a comment line.
	@item Control statements are indicated by a leading percent sign, the
	arguments are separated by white space from the keyword.
	@item Parameters are specified by a keyword, followed by a colon. Arguments
	are separated by white space.
	@item
	The first parameter must be @samp{Key-Type}; control statements may be
	placed anywhere.
	@item
	The order of the parameters does not matter except for @samp{Key-Type}
	which must be the first parameter. The parameters are only used for
	the generated keyblock (primary and subkeys); parameters from previous
	sets are not used. Some syntactically checks may be performed.
	@item
	Key generation takes place when either the end of the parameter file
	is reached, the next @samp{Key-Type} parameter is encountered or at the
	control statement @samp{%commit} is encountered.
	@end itemize

	@noindent
	Control statements:

	@table @asis

	@item %echo @var{text}
	Print @var{text} as diagnostic.

	@item %dry-run
	Suppress actual key generation (useful for syntax checking).

	@item %commit
	Perform the key generation. Note that an implicit commit is done at
	the next @asis{Key-Type} parameter.

	@item %pubring @var{filename}
	@itemx %secring @var{filename}
	Do not write the key to the default or commandline given keyring but
	to @var{filename}. This must be given before the first commit to take
	place, duplicate specification of the same filename is ignored, the
	last filename before a commit is used. The filename is used until a
	new filename is used (at commit points) and all keys are written to
	that file. If a new filename is given, this file is created (and
	overwrites an existing one). For GnuPG versions prior to 2.1, both
	control statements must be given. For GnuPG 2.1 and later
	@samp{%secring} is a no-op.

	@item %ask-passphrase
	@itemx %no-ask-passphrase
	@ifclear gpgtwoone
	Enable (or disable) a mode where the command @option{passphrase} is
	ignored and instead the usual passphrase dialog is used. This does
	not make sense for batch key generation; however the unattended key
	generation feature is also used by GUIs and this feature relinquishes
	the GUI from implementing its own passphrase entry code. These are
	global control statements and affect all future key generations.
	@end ifclear
	@ifset gpgtwoone
	This option is a no-op for GnuPG 2.1 and later.
	@end ifset

	@item %no-protection
	Using this option allows the creation of keys without any passphrase
	protection. This option is mainly intended for regression tests.

	@item %transient-key
	If given the keys are created using a faster and a somewhat less
	secure random number generator. This option may be used for keys
	which are only used for a short time and do not require full
	cryptographic strength. It takes only effect if used together with
	the control statement @samp{%no-protection}.

	@end table

	@noindent
	General Parameters:

	@table @asis

	@item Key-Type: @var{algo}
	Starts a new parameter block by giving the type of the primary
	key. The algorithm must be capable of signing. This is a required
	parameter. @var{algo} may either be an OpenPGP algorithm number or a
	string with the algorithm name. The special value @samp{default} may
	be used for @var{algo} to create the default key type; in this case a
	@samp{Key-Usage} shall not be given and @samp{default} also be used
	for @samp{Subkey-Type}.

	@item Key-Length: @var{nbits}
	The requested length of the generated key in bits. The default is
	returned by running the command @samp{gpg2 --gpgconf-list}.

	@item Key-Grip: @var{hexstring}
	This is optional and used to generate a CSR or certificate for an
	already existing key. Key-Length will be ignored when given.

	@item Key-Usage: @var{usage-list}
	Space or comma delimited list of key usages. Allowed values are
	@samp{encrypt}, @samp{sign}, and @samp{auth}. This is used to
	generate the key flags. Please make sure that the algorithm is
	capable of this usage. Note that OpenPGP requires that all primary
	keys are capable of certification, so no matter what usage is given
	here, the @samp{cert} flag will be on. If no @samp{Key-Usage} is
	specified and the @samp{Key-Type} is not @samp{default}, all allowed
	usages for that particular algorithm are used; if it is not given but
	@samp{default} is used the usage will be @samp{sign}.

	@item Subkey-Type: @var{algo}
	This generates a secondary key (subkey). Currently only one subkey
	can be handled. See also @samp{Key-Type} above.

	@item Subkey-Length: @var{nbits}
	Length of the secondary key (subkey) in bits. The default is returned
	by running the command @samp{gpg2 --gpgconf-list}".

	@item Subkey-Usage: @var{usage-list}
	Key usage lists for a subkey; similar to @samp{Key-Usage}.

	@item Passphrase: @var{string}
	If you want to specify a passphrase for the secret key, enter it here.
	Default is to use the Pinentry dialog to ask for a passphrase.

	@item Name-Real: @var{name}
	@itemx Name-Comment: @var{comment}
	@itemx Name-Email: @var{email}
	The three parts of a user name. Remember to use UTF-8 encoding here.
	If you don't give any of them, no user ID is created.

	@item Expire-Date: @var{iso-date}\|(@var{number}[d\|w\|m\|y])
	Set the expiration date for the key (and the subkey). It may either
	be entered in ISO date format (e.g. "20000815T145012") or as number of
	days, weeks, month or years after the creation date. The special
	notation "seconds=N" is also allowed to specify a number of seconds
	since creation. Without a letter days are assumed. Note that there
	is no check done on the overflow of the type used by OpenPGP for
	timestamps. Thus you better make sure that the given value make
	sense. Although OpenPGP works with time intervals, GnuPG uses an
	absolute value internally and thus the last year we can represent is
	2105.

	@item Creation-Date: @var{iso-date}
	Set the creation date of the key as stored in the key information and
	which is also part of the fingerprint calculation. Either a date like
	"1986-04-26" or a full timestamp like "19860426T042640" may be used.
	The time is considered to be UTC. The special notation "seconds=N"
	may be used to directly specify a the number of seconds since Epoch
	(Unix time). If it is not given the current time is used.

	@item Preferences: @var{string}
	Set the cipher, hash, and compression preference values for this key.
	This expects the same type of string as the sub-command @samp{setpref}
	in the @option{--edit-key} menu.

	@item Revoker: @var{algo}:@var{fpr} [sensitive]
	Add a designated revoker to the generated key. Algo is the public key
	algorithm of the designated revoker (i.e. RSA=1, DSA=17, etc.)
	@var{fpr} is the fingerprint of the designated revoker. The optional
	@samp{sensitive} flag marks the designated revoker as sensitive
	information. Only v4 keys may be designated revokers.

	@item Keyserver: @var{string}
	This is an optional parameter that specifies the preferred keyserver
	URL for the key.

	@item Handle: @var{string}
	This is an optional parameter only used with the status lines
	KEY_CREATED and KEY_NOT_CREATED. @var{string} may be up to 100
	characters and should not contain spaces. It is useful for batch key
	generation to associate a key parameter block with a status line.

	@end table

	@noindent
	Here is an example on how to create a key:
	@smallexample
	$ cat >foo <<EOF
	%echo Generating a basic OpenPGP key
	Key-Type: DSA
	Key-Length: 1024
	Subkey-Type: ELG-E
	Subkey-Length: 1024
	Name-Real: Joe Tester
	Name-Comment: with stupid passphrase
	Name-Email: joe@@foo.bar
	Expire-Date: 0
	Passphrase: abc
	%pubring foo.pub
	%secring foo.sec
	# Do a commit here, so that we can later print "done" :-)
	%commit
	%echo done
	EOF
	$ gpg2 --batch --gen-key foo
	[...]
	$ gpg2 --no-default-keyring --secret-keyring ./foo.sec \
	--keyring ./foo.pub --list-secret-keys
	/home/wk/work/gnupg-stable/scratch/foo.sec
	------------------------------------------
	sec 1024D/915A878D 2000-03-09 Joe Tester (with stupid passphrase) <joe@@foo.bar>
	ssb 1024g/8F70E2C0 2000-03-09
	@end smallexample


	@noindent
	If you want to create a key with the default algorithms you would use
	these parameters:
	@smallexample
	%echo Generating a default key
	Key-Type: default
	Subkey-Type: default
	Name-Real: Joe Tester
	Name-Comment: with stupid passphrase
	Name-Email: joe@@foo.bar
	Expire-Date: 0
	Passphrase: abc
	%pubring foo.pub
	%secring foo.sec
	# Do a commit here, so that we can later print "done" :-)
	%commit
	%echo done
	@end smallexample




	@mansect see also
	@ifset isman
	@command{gpgv}(1),
	@command{gpgsm}(1),
	@command{gpg-agent}(1)
	@end ifset
	@include see-also-note.texi

File Metadata

Mime Type: text/x-diff
Expires: Mon, Dec 1, 10:32 PM (1 d, 14 h)
Storage Engine: local-disk
Storage Format: Raw Data
Storage Handle: 0f/be/fef1bf799b06bcac1ea7833dc30a

No OneTemporaryActions

View Options

File Metadata

Event Timeline

No OneTemporary
Actions