 

(gnupg1.info.gz) Operational GPG Commands

Info Catalog (gnupg1.info.gz) General GPG Commands (gnupg1.info.gz) GPG Commands (gnupg1.info.gz) OpenPGP Key Management
 
 1.1.2 Commands to select the type of operation
 ----------------------------------------------
 
 `--sign'
 `-s'
      Make a signature. This command may be combined with `--encrypt'
      (for a signed and encrypted message), `--symmetric' (for a signed
      and symmetrically encrypted message), or `--encrypt' and
      `--symmetric' together (for a signed message that may be decrypted
      via a secret key or a passphrase).
 
 `--clearsign'
      Make a clear text signature. The content in a clear text signature
      is readable without any special software. OpenPGP software is only
      needed to verify the signature. Clear text signatures may modify
      end-of-line whitespace for platform independence and are not
      intended to be reversible.
 
 `--detach-sign'
 `-b'
      Make a detached signature.
 
 `--encrypt'
 `-e'
      Encrypt data. This option may be combined with `--sign' (for a
      signed and encrypted message), `--symmetric' (for a message that
      may be decrypted via a secret key or a passphrase), or `--sign'
      and `--symmetric' together (for a signed message that may be
      decrypted via a secret key or a passphrase).
 
 `--symmetric'
 `-c'
      Encrypt with a symmetric cipher using a passphrase. The default
      symmetric cipher used is CAST5, but may be chosen with the
      `--cipher-algo' option. This option may be combined with `--sign'
      (for a signed and symmetrically encrypted message), `--encrypt'
      (for a message that may be decrypted via a secret key or a
      passphrase), or `--sign' and `--encrypt' together (for a signed
      message that may be decrypted via a secret key or a passphrase).
 
 `--store'
      Store only (make a simple RFC1991 literal data packet).
 
 `--decrypt'
 `-d'
      Decrypt the file given on the command line (or `stdin' if no file
      is specified) and write it to stdout (or the file specified with
      `--output'). If the decrypted file is signed, the signature is also
      verified. This command differs from the default operation, as it
      never writes to the filename which is included in the file and it
      rejects files which don't begin with an encrypted message.
 
 `--verify'
      Assume that the first argument is a signed file or a detached
      signature and verify it without generating any output. With no
      arguments, the signature packet is read from stdin. If only a
      sigfile is given, it may be a complete signature or a detached
      signature, in which case the signed data is expected in a file
      without the ".sig" or ".asc" extension.  With more than one
      argument, the first should be a detached signature and the
      remaining files are the signed data. To read the signed data
      from stdin, use `-' as the second filename.  For security reasons
      a detached signature cannot read the signed material from stdin
      without denoting it in the above way.
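
      The `--verify' argument rules above, applied in a script (an added
      example, not part of the GnuPG manual). The helper names are
      hypothetical; the status lines come from GnuPG's `--status-fd'
      option, which this page does not describe.

```shell
#!/bin/sh
# valid_signer FPR
#   Reads "gpg --status-fd" lines on stdin. Succeeds only if a VALIDSIG line
#   names FPR (as the signing key or, in the last field, as its primary key)
#   and no status line reports a bad, unverifiable, expired or revoked
#   signature or key.
valid_signer() {
    awk -v want="$1" '
        BEGIN { want = toupper(want) }
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" && want != "" && ($3 == want || $NF == want) { ok = 1 }
        END { exit (ok && !bad) ? 0 : 1 }'
}

# verify_stdin SIGFILE FPR
#   The signed data arrives on stdin. The explicit "-" as second argument is
#   what tells gpg that SIGFILE is detached and the data comes from stdin.
#   Pinning FPR means a signature from any other key in the keyring fails.
verify_stdin() {
    gpg --batch --status-fd 1 --verify "$1" - 2>/dev/null | valid_signer "$2"
}

# Usage (file name and fingerprint are placeholders):
#   verify_stdin release.tar.gz.sig "<40-hex-digit fingerprint>" < release.tar.gz
```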
 
 `--multifile'
      This modifies certain other commands to accept multiple files for
      processing on the command line or read from stdin with each
      filename on a separate line. This allows for many files to be
      processed at once. `--multifile' may currently be used along with
      `--verify', `--encrypt', and `--decrypt'. Note that `--multifile
      --verify' may not be used with detached signatures.
 
 `--verify-files'
      Identical to `--multifile --verify'.
 
 `--encrypt-files'
      Identical to `--multifile --encrypt'.
 
 `--decrypt-files'
      Identical to `--multifile --decrypt'.
 
 `--list-keys'
 `-k'
 `--list-public-keys'
      List all keys from the public keyrings, or just the keys given on
      the command line.  `-k' is slightly different from `--list-keys'
      in that it allows only for one argument and takes the second
      argument as the keyring to search.  This is for command line
      compatibility with PGP 2 and has been removed in `gpg2'.
 
      Avoid using the output of this command in scripts or other
      programs as it is likely to change as GnuPG changes. See
      `--with-colons' for a machine-parseable key listing command that
      is appropriate for use in scripts and other programs.
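
      A script-side reading of the `--with-colons' listing recommended
      above (an added example, not part of the GnuPG manual). The helper
      names and the sample records in the comments are constructed; the
      field positions follow GnuPG's colon-listing format, which this
      page does not describe.

```shell
#!/bin/sh
# usable_fprs PATTERN
#   Reads "gpg --with-colons --fingerprint" output on stdin and prints the
#   primary-key fingerprint of every public key that has a user ID containing
#   PATTERN and whose validity (field 2) is not invalid, revoked, expired or
#   disabled. Records look like (constructed):
#     pub:u:2048:1:1111111111111111:2019-01-01:::u:Name <addr>::scESC:
#     fpr:::::::::<fingerprint>:
usable_fprs() {
    awk -F: -v want="$1" '
        function emit() {
            if (fpr != "" && ok && hit) print fpr
            fpr = ""; hit = 0
        }
        function matches(uid) { return want == "" || index(uid, want) > 0 }
        $1 == "pub" { emit(); ok = ($2 !~ /^[ired]/); hit = matches($10); primary = 1 }
        $1 == "sub" { primary = 0 }   # fpr records after this belong to a subkey
        $1 == "uid" && $2 !~ /^[re]/ && matches($10) { hit = 1 }
        $1 == "fpr" && primary && fpr == "" { fpr = $10 }
        END { emit() }'
}

# list_usable_fprs PATTERN: run the listing against the local public keyring.
# Fingerprints are also what batch-mode --delete-key expects as the key name.
list_usable_fprs() {
    gpg --batch --with-colons --fingerprint 2>/dev/null | usable_fprs "$1"
}
```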
 
 `--list-secret-keys'
 `-K'
      List all keys from the secret keyrings, or just the ones given on
      the command line. A `#' after the letters `sec' means that the
      secret key is not usable (for example, if it was created via
      `--export-secret-subkeys').
 
 `--list-sigs'
      Same as `--list-keys', but the signatures are listed too.
 
      For each signature listed, there are several flags in between the
      "sig" tag and keyid. These flags give additional information about
      each signature. From left to right, they are the numbers 1-3 for
      certificate check level (see `--ask-cert-level'), "L" for a local
      or non-exportable signature (see `--lsign-key'), "R" for a
      nonRevocable signature (see the `--edit-key' command "nrsign"),
      "P" for a signature that contains a policy URL (see
      `--cert-policy-url'), "N" for a signature that contains a notation
      (see `--cert-notation'), "X" for an eXpired signature (see
      `--ask-cert-expire'), and the numbers 1-9 or "T" for 10 and above
      to indicate trust signature levels (see the `--edit-key' command
      "tsign").
 
 `--check-sigs'
      Same as `--list-sigs', but the signatures are verified.
 
 `--fingerprint'
      List all keys (or the specified ones) along with their
      fingerprints. This is the same output as `--list-keys' but with
      the additional output of a line with the fingerprint. May also be
      combined with `--list-sigs' or `--check-sigs'.  If this command is
      given twice, the fingerprints of all secondary keys are listed too.
 
 `--list-packets'
      List only the sequence of packets. This is mainly useful for
      debugging.
 
 `--card-edit'
      Present a menu to work with a smartcard. The subcommand "help"
      provides an overview on available commands. For a detailed
      description, please see the Card HOWTO at
      http://www.gnupg.org/documentation/howtos.html#GnuPG-cardHOWTO .
 
 `--card-status'
      Show the content of the smart card.
 
 `--change-pin'
      Present a menu to allow changing the PIN of a smartcard. This
      functionality is also available as the subcommand "passwd" with the
      `--card-edit' command.
 
 `--delete-key `name''
      Remove key from the public keyring. In batch mode either `--yes' is
      required or the key must be specified by fingerprint. This is a
      safeguard against accidental deletion of multiple keys.
 
 `--delete-secret-key `name''
      Remove key from the secret and public keyring. In batch mode the
      key must be specified by fingerprint.
 
 `--delete-secret-and-public-key `name''
      Same as `--delete-key', but if a secret key exists, it will be
      removed first. In batch mode the key must be specified by
      fingerprint.
 
 `--export'
      Either export all keys from all keyrings (default keyrings and
      those registered via option `--keyring'), or if at least one name
      is given, those of the given name. The new keyring is written to
      stdout or to the file given with option `--output'. Use together
      with `--armor' to mail those keys.
 
 `--send-keys `key IDs''
      Similar to `--export' but sends the keys to a keyserver.
      Fingerprints may be used instead of key IDs. Option `--keyserver'
      must be used to give the name of this keyserver. Don't send your
      complete keyring to a keyserver -- select only those keys which
      are new or changed by you.
 
 `--export-secret-keys'
 `--export-secret-subkeys'
      Same as `--export', but exports the secret keys instead.  This is
      normally not very useful and a security risk.  The second form of
      the command has the special property to render the secret part of
      the primary key useless; this is a GNU extension to OpenPGP and
      other implementations cannot be expected to successfully import
      such a key.  See the option `--simple-sk-checksum' if you want to
      import such an exported key with an older OpenPGP implementation.
 
 `--import'
 `--fast-import'
      Import/merge keys. This adds the given keys to the keyring. The
      fast version is currently just a synonym.
 
      There are a few other options which control how this command works.
      Most notable here is the `--keyserver-options merge-only' option
      which does not insert new keys but does only the merging of new
      signatures, user-IDs and subkeys.
 
 `--recv-keys `key IDs''
      Import the keys with the given key IDs from a keyserver. Option
      `--keyserver' must be used to give the name of this keyserver.
 
 `--refresh-keys'
      Request updates from a keyserver for keys that already exist on the
      local keyring. This is useful for updating a key with the latest
      signatures, user IDs, etc. Calling this with no arguments will
      refresh the entire keyring. Option `--keyserver' must be used to
      give the name of the keyserver for all keys that do not have
      preferred keyservers set (see `--keyserver-options
      honor-keyserver-url').
 
 `--search-keys `names''
      Search the keyserver for the given names. Multiple names given
      here will be joined together to create the search string for the
      keyserver.  Option `--keyserver' must be used to give the name of
      this keyserver.  Keyservers that support different search methods
      allow using the syntax specified in "How to specify a user ID"
      below. Note that different keyserver types support different
      search methods. Currently only LDAP supports them all.
 
 `--fetch-keys `URIs''
      Retrieve keys located at the specified URIs. Note that different
      installations of GnuPG may support different protocols (HTTP, FTP,
      LDAP, etc.)
 
 `--update-trustdb'
      Do trust database maintenance. This command iterates over all keys
      and builds the Web of Trust. This is an interactive command
      because it may have to ask for the "ownertrust" values for keys.
      The user has to give an estimation of how far she trusts the owner
      of the displayed key to correctly certify (sign) other keys. GnuPG
      only asks for the ownertrust value if it has not yet been assigned
      to a key. Using the `--edit-key' menu, the assigned value can be
      changed at any time.
 
 `--check-trustdb'
      Do trust database maintenance without user interaction. From time
      to time the trust database must be updated so that expired keys or
      signatures and the resulting changes in the Web of Trust can be
      tracked. Normally, GnuPG will calculate when this is required and
      do it automatically unless `--no-auto-check-trustdb' is set. This
      command can be used to force a trust database check at any time.
      The processing is identical to that of `--update-trustdb' but it
      skips keys with a not yet defined "ownertrust".
 
      For use with cron jobs, this command can be used together with
      `--batch' in which case the trust database check is done only if a
      check is needed. To force a run even in batch mode add the option
      `--yes'.
 
 `--export-ownertrust'
      Send the ownertrust values to stdout. This is useful for backup
      purposes as these values are the only ones which can't be
      re-created from a corrupted trust DB.
 
 `--import-ownertrust'
      Update the trustdb with the ownertrust values stored in `files' (or
      stdin if not given); existing values will be overwritten.
 
 `--rebuild-keydb-caches'
      When updating from version 1.0.6 to 1.0.7 this command should be
      used to create signature caches in the keyring. It might be handy
      in other situations too.
 
 `--print-md `algo''
 `--print-mds'
      Print message digest of algorithm ALGO for all given files or
      stdin.  With the second form (or a deprecated "*" as algo) digests
      for all available algorithms are printed.
 
 `--gen-random `0|1|2''
      Emit COUNT random bytes of the given quality level. If count is
      not given or zero, an endless sequence of random bytes will be
      emitted.  PLEASE, don't use this command unless you know what you
      are doing; it may remove precious entropy from the system!
 
 `--gen-prime `mode'  `bits''
      Use the source, Luke :-). The output format is still subject to
      change.
 
 `--enarmor'
 `--dearmor'
      Pack or unpack an arbitrary input into/from an OpenPGP ASCII armor.
      This is a GnuPG extension to OpenPGP and in general not very
      useful.
 
 