(gnupg1.info.gz) Operational GPG Commands
1.1.2 Commands to select the type of operation
----------------------------------------------
`--sign'
`-s'
Make a signature. This command may be combined with `--encrypt'
(for a signed and encrypted message), `--symmetric' (for a signed
and symmetrically encrypted message), or `--encrypt' and
`--symmetric' together (for a signed message that may be decrypted
via a secret key or a passphrase).
`--clearsign'
Make a clear text signature. The content in a clear text signature
is readable without any special software. OpenPGP software is only
needed to verify the signature. Clear text signatures may modify
end-of-line whitespace for platform independence and are not
intended to be reversible.
`--detach-sign'
`-b'
Make a detached signature.
`--encrypt'
`-e'
Encrypt data. This option may be combined with `--sign' (for a
signed and encrypted message), `--symmetric' (for a message that
may be decrypted via a secret key or a passphrase), or `--sign'
and `--symmetric' together (for a signed message that may be
decrypted via a secret key or a passphrase).
`--symmetric'
`-c'
Encrypt with a symmetric cipher using a passphrase. The default
symmetric cipher used is CAST5, but may be chosen with the
`--cipher-algo' option. This option may be combined with `--sign'
(for a signed and symmetrically encrypted message), `--encrypt'
(for a message that may be decrypted via a secret key or a
passphrase), or `--sign' and `--encrypt' together (for a signed
message that may be decrypted via a secret key or a passphrase).
`--store'
Store only (make a simple RFC1991 literal data packet).
`--decrypt'
`-d'
Decrypt the file given on the command line (or `stdin' if no file
is specified) and write it to stdout (or the file specified with
`--output'). If the decrypted file is signed, the signature is also
verified. This command differs from the default operation, as it
never writes to the filename which is included in the file and it
rejects files which don't begin with an encrypted message.
`--verify'
Assume that the first argument is a signed file or a detached
signature and verify it without generating any output. With no
arguments, the signature packet is read from stdin. If only a
sigfile is given, it may be a complete signature or a detached
signature, in which case the signed data is expected in a file
of the same name without the ".sig" or ".asc" extension. With
more than one argument, the first should be a detached signature
and the remaining files are the signed data. To read the signed
data from stdin, use `-' as the second filename. For security
reasons a detached signature cannot read the signed material from
stdin without denoting it in the above way.
`--multifile'
This modifies certain other commands to accept multiple files for
processing on the command line or read from stdin with each
filename on a separate line. This allows for many files to be
processed at once. `--multifile' may currently be used along with
`--verify', `--encrypt', and `--decrypt'. Note that `--multifile
--verify' may not be used with detached signatures.
`--verify-files'
Identical to `--multifile --verify'.
`--encrypt-files'
Identical to `--multifile --encrypt'.
`--decrypt-files'
Identical to `--multifile --decrypt'.
`--list-keys'
`-k'
`--list-public-keys'
List all keys from the public keyrings, or just the keys given on
the command line. `-k' is slightly different from `--list-keys'
in that it allows only for one argument and takes the second
argument as the keyring to search. This is for command line
compatibility with PGP 2 and has been removed in `gpg2'.
Avoid using the output of this command in scripts or other
programs as it is likely to change as GnuPG changes. See
`--with-colons' for a machine-parseable key listing command that
is appropriate for use in scripts and other programs.
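The advice above, as an added example that is not part of the GnuPG manual: a shell function that audits a key listing from `--with-colons' output instead of the human-readable form. It assumes the listing was made with `--fixed-list-mode' (timestamps as seconds since 1970-01-01) and uses the field positions from GnuPG's doc/DETAILS; the function names and the sample keys are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the GnuPG manual. Expected input is the output of
#   gpg --batch --with-colons --fixed-list-mode --fingerprint --list-keys
# Fields used (GnuPG doc/DETAILS): 1=record type, 2=validity, 7=expiry time,
# 10=user ID ("uid" records) or fingerprint ("fpr" records).

# audit_colons LIMIT: print "STATUS<TAB>FINGERPRINT<TAB>USER ID" for each
# primary key that is revoked, expired, or expires before LIMIT (epoch seconds).
# User IDs stay in the escaped form GnuPG emits (a colon appears as \x3a).
audit_colons() {
    awk -F: -v limit="$1" '
        function emit() {
            if (status != "") printf "%s\t%s\t%s\n", status, fpr, uid
            status = ""; fpr = ""; uid = ""
        }
        $1 == "pub" {
            emit(); primary = 1
            if      ($2 == "r")                      status = "REVOKED"
            else if ($2 == "e")                      status = "EXPIRED"
            else if ($7 != "" && $7 + 0 < limit + 0) status = "EXPIRING"
        }
        $1 == "sub" { primary = 0 }    # fpr records after this are subkeys
        $1 == "fpr" && primary && fpr == "" { fpr = $10 }
        $1 == "uid" && uid == ""            { uid = $10 }  # first uid listed
        END { emit() }
    '
}

# Constructed sample listing (no real keys); "now" is taken as 1600000000.
sample_listing() {
    cat <<'EOF'
tru::1:1600000000:0:3:1:5
pub:u:2048:1:1111111111111111:1500000000:::u:::scESC:
fpr:::::::::AAAA000000000000000000001111111111111111:
uid:u::::1500000000::::Alice Example <alice@example.org>:
sub:u:2048:1:2222222222222222:1500000000::::::e:
pub:e:1024:17:3333333333333333:1400000000:1450000000::-:::sc:
fpr:::::::::BBBB000000000000000000003333333333333333:
uid:e::::1400000000::::Bob Example <bob@example.org>:
pub:f:4096:1:4444444444444444:1550000000:1605000000::-:::scESC:
fpr:::::::::CCCC000000000000000000004444444444444444:
uid:f::::1550000000::::Carol Example <carol@example.org>:
sub:f:4096:1:5555555555555555:1550000000:1605000000:::::e:
fpr:::::::::DDDD000000000000000000005555555555555555:
EOF
}

# Report keys that are unusable now or expire within 90 days of "now".
sample_listing | audit_colons $((1600000000 + 90 * 86400))
```

Because the records are matched by type and field number, the check keeps working when the layout of the human-readable `--list-keys' output changes between GnuPG versions.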
`--list-secret-keys'
`-K'
List all keys from the secret keyrings, or just the ones given on
the command line. A `#' after the letters `sec' means that the
secret key is not usable (for example, if it was created via
`--export-secret-subkeys').
`--list-sigs'
Same as `--list-keys', but the signatures are listed too.
For each signature listed, there are several flags in between the
"sig" tag and keyid. These flags give additional information about
each signature. From left to right, they are the numbers 1-3 for
certificate check level (see `--ask-cert-level'), "L" for a local
or non-exportable signature (see `--lsign-key'), "R" for a
nonRevocable signature (see the `--edit-key' command "nrsign"),
"P" for a signature that contains a policy URL (see
`--cert-policy-url'), "N" for a signature that contains a notation
(see `--cert-notation'), "X" for an eXpired signature (see
`--ask-cert-expire'), and the numbers 1-9 or "T" for 10 and above
to indicate trust signature levels (see the `--edit-key' command
"tsign").
`--check-sigs'
Same as `--list-sigs', but the signatures are verified.
`--fingerprint'
List all keys (or the specified ones) along with their
fingerprints. This is the same output as `--list-keys' but with
the additional output of a line with the fingerprint. May also be
combined with `--list-sigs' or `--check-sigs'. If this command is
given twice, the fingerprints of all secondary keys are listed too.
`--list-packets'
List only the sequence of packets. This is mainly useful for
debugging.
`--card-edit'
Present a menu to work with a smartcard. The subcommand "help"
provides an overview on available commands. For a detailed
description, please see the Card HOWTO at
http://www.gnupg.org/documentation/howtos.html#GnuPG-cardHOWTO .
`--card-status'
Show the content of the smart card.
`--change-pin'
Present a menu to allow changing the PIN of a smartcard. This
functionality is also available as the subcommand "passwd" with the
`--card-edit' command.
`--delete-key `name''
Remove key from the public keyring. In batch mode either `--yes' is
required or the key must be specified by fingerprint. This is a
safeguard against accidental deletion of multiple keys.
`--delete-secret-key `name''
Remove key from the secret and public keyring. In batch mode the
key must be specified by fingerprint.
`--delete-secret-and-public-key `name''
Same as `--delete-key', but if a secret key exists, it will be
removed first. In batch mode the key must be specified by
fingerprint.
`--export'
Either export all keys from all keyrings (default keyrings and
those registered via option `--keyring'), or if at least one name
is given, those of the given name. The new keyring is written to
stdout or to the file given with option `--output'. Use together
with `--armor' to mail those keys.
`--send-keys `key IDs''
Similar to `--export' but sends the keys to a keyserver.
Fingerprints may be used instead of key IDs. Option `--keyserver'
must be used to give the name of this keyserver. Don't send your
complete keyring to a keyserver -- select only those keys which
are new or changed by you.
`--export-secret-keys'
`--export-secret-subkeys'
Same as `--export', but exports the secret keys instead. This is
normally not very useful and a security risk. The second form of
the command has the special property to render the secret part of
the primary key useless; this is a GNU extension to OpenPGP and
other implementations cannot be expected to successfully import
such a key. See the option `--simple-sk-checksum' if you want to
import such an exported key with an older OpenPGP implementation.
`--import'
`--fast-import'
Import/merge keys. This adds the given keys to the keyring. The
fast version is currently just a synonym.
There are a few other options which control how this command works.
Most notable here is the `--keyserver-options merge-only' option
which does not insert new keys but does only the merging of new
signatures, user-IDs and subkeys.
`--recv-keys `key IDs''
Import the keys with the given key IDs from a keyserver. Option
`--keyserver' must be used to give the name of this keyserver.
`--refresh-keys'
Request updates from a keyserver for keys that already exist on the
local keyring. This is useful for updating a key with the latest
signatures, user IDs, etc. Calling this with no arguments will
refresh the entire keyring. Option `--keyserver' must be used to
give the name of the keyserver for all keys that do not have
preferred keyservers set (see `--keyserver-options
honor-keyserver-url').
`--search-keys `names''
Search the keyserver for the given names. Multiple names given
here will be joined together to create the search string for the
keyserver. Option `--keyserver' must be used to give the name of
this keyserver. Keyservers that support different search methods
allow using the syntax specified in "How to specify a user ID"
below. Note that different keyserver types support different
search methods. Currently only LDAP supports them all.
`--fetch-keys `URIs''
Retrieve keys located at the specified URIs. Note that different
installations of GnuPG may support different protocols (HTTP, FTP,
LDAP, etc.).
`--update-trustdb'
Do trust database maintenance. This command iterates over all keys
and builds the Web of Trust. This is an interactive command
because it may have to ask for the "ownertrust" values for keys.
The user has to give an estimation of how far she trusts the owner
of the displayed key to correctly certify (sign) other keys. GnuPG
only asks for the ownertrust value if it has not yet been assigned
to a key. Using the `--edit-key' menu, the assigned value can be
changed at any time.
`--check-trustdb'
Do trust database maintenance without user interaction. From time
to time the trust database must be updated so that expired keys or
signatures and the resulting changes in the Web of Trust can be
tracked. Normally, GnuPG will calculate when this is required and
do it automatically unless `--no-auto-check-trustdb' is set. This
command can be used to force a trust database check at any time.
The processing is identical to that of `--update-trustdb' but it
skips keys with a not yet defined "ownertrust".
For use with cron jobs, this command can be used together with
`--batch' in which case the trust database check is done only if a
check is needed. To force a run even in batch mode add the option
`--yes'.
`--export-ownertrust'
Send the ownertrust values to stdout. This is useful for backup
purposes as these values are the only ones which can't be
re-created from a corrupted trust DB.
`--import-ownertrust'
Update the trustdb with the ownertrust values stored in `files' (or
stdin if not given); existing values will be overwritten.
`--rebuild-keydb-caches'
When updating from version 1.0.6 to 1.0.7 this command should be
used to create signature caches in the keyring. It might be handy
in other situations too.
`--print-md `algo''
`--print-mds'
Print message digest of algorithm ALGO for all given files or
stdin. With the second form (or a deprecated "*" as algo) digests
for all available algorithms are printed.
`--gen-random `0|1|2''
Emit COUNT random bytes of the given quality level. If count is
not given or zero, an endless sequence of random bytes will be
emitted. PLEASE, don't use this command unless you know what you
are doing; it may remove precious entropy from the system!
`--gen-prime `mode' `bits''
Use the source, Luke :-). The output format is still subject to
change.
`--enarmor'
`--dearmor'
Pack or unpack an arbitrary input into/from an OpenPGP ASCII armor.
This is a GnuPG extension to OpenPGP and in general not very
useful.