gpg man page on Peanut

Printed from http://www.polarhome.com/service/man/?qf=gpg&af=0&tf=2&of=Peanut

gpg(1)									gpg(1)

NAME
       gpg — encryption and signing tool

SYNOPSIS
       gpg  [--homedir name]  [--options file]	[options]  command  [args]

DESCRIPTION
       gpg is the main program for the GnuPG system.

       This  man page only lists the commands and options available.  For more
       verbose documentation get the GNU Privacy Handbook (GPH) or one of  the
       other documents at http://www.gnupg.org/documentation/ .

       Please  remember	 that  option parsing stops as soon as a non option is
       encountered, you can explicitly stop option parsing by using  the  spe‐
       cial option "--".

COMMANDS
       gpg  may	 be run with no commands, in which case it will perform a rea‐
       sonable action depending on the type of file it is given as  input  (an
       encrypted  message  is  decrypted, a signature is verified, a file con‐
       taining keys is listed).

       gpg recognizes these commands:

       -s, --sign
		 Make a signature. This command may be combined with --encrypt
		 (for  a  signed  and  encrypted  message), --symmetric (for a
		 signed and symmetrically encrypted message), or --encrypt and
		 --symmetric  together	(for  a	 signed	 message  that	may be
		 decrypted via a secret key or a passphrase).

       --clearsign
		 Make a clear text signature.

       -b, --detach-sign
		 Make a detached signature.

       -e, --encrypt
		 Encrypt data. This option may be combined with --sign (for  a
		 signed	 and  encrypted	 message),  --symmetric (for a message
		 that may be decrypted via a secret key or a  passphrase),  or
		 --sign	 and  --symmetric  together (for a signed message that
		 may be decrypted via a secret key or a passphrase).

       -c, --symmetric
		 Encrypt with a symmetric  cipher  using  a  passphrase.   The
		 default  symmetric  cipher  used  is CAST5, but may be chosen
		 with the --cipher-algo option.	 This option may  be  combined
		 with  --sign  (for  a signed and symmetrically encrypted mes‐
		 sage), --encrypt (for a message that may be decrypted	via  a
		 secret key or a passphrase), or --sign and --encrypt together
		 (for a signed message that may be decrypted via a secret  key
		 or a passphrase).

       --store	 Store only (make a simple RFC1991 packet).

       --decrypt [file]
		 Decrypt  file (or stdin if no file is specified) and write it
		 to stdout (or the  file  specified  with  --output).  If  the
		 decrypted  file  is  signed,  the signature is also verified.
		 This command differs from the default operation, as it	 never
		 writes	 to  the filename which is included in the file and it
		 rejects files which don't begin with an encrypted message.

       --verify [[sigfile]  [signed-files]]
		 Assume that sigfile is a signature and verify it without gen‐
		 erating  any  output.	  With	no  arguments,	the  signature
		 packet is read from stdin.  If only a sigfile	is  given,  it
		 may be a complete signature or a detached signature, in which
		 case the signed stuff is  expected  in	 a  file  without  the
		 ".sig"	 or  ".asc" extension.	With more than 1 argument, the
		 first should be a detached signature and the remaining	 files
		 are  the  signed stuff.  To read the signed stuff from stdin,
		 use -	as  the	 second	 filename.   For  security  reasons  a
		 detached signature cannot read the signed material from stdin
		 without denoting it in the above way.

       --multifile
		 This modifies certain other commands to accept multiple files
		 for  processing  on  the command line or read from stdin with
		 each filename on a separate line.  This allows for many files
		 to  be	 processed at once.  --multifile may currently be used
		 along with --verify, --encrypt,  and  --decrypt.   Note  that
		 `--multifile  --verify'  may not be used with detached signa‐
		 tures.

       --verify-files [files]
		 Identical to `--multifile --verify'.

       --encrypt-files [files]
		 Identical to `--multifile --encrypt'.

       --decrypt-files [files]
		 Identical to `--multifile --decrypt'.

       --list-keys [names]

       --list-public-keys [names]
		 List all keys from the public	keyrings,  or  just  the  ones
		 given on the command line.

		 Avoid	using  the  output of this command in scripts or other
		 programs as it is likely to change  as	 GnuPG	changes.   See
		 --with-colons	for  a	machine-parseable  key listing command
		 that is appropriate for use in scripts and other programs.

       -K, --list-secret-keys [names]
		 List all keys from the secret	keyrings,  or  just  the  ones
		 given	on  the	 command  line.	 A '#' after the letters 'sec'
		 means that the secret key is not usable (for example,	if  it
		 was created via --export-secret-subkeys).

       --list-sigs [names]
		 Same as --list-keys, but the signatures are listed too.

		 For each signature listed, there are several flags in between
		 the "sig" tag and keyid.  These flags give additional	infor‐
		 mation	 about	each  signature.  From left to right, they are
		 the numbers 1-3 for certificate check level (see  --ask-cert-
		 level),  "L"  for  a  local  or non-exportable signature (see
		 --lsign-key), "R"  for	 a  nonRevocable  signature  (see  the
		 --edit-key  command  "nrsign"), "P" for a signature that con‐
		 tains a policy URL (see --cert-policy-url), "N" for a	signa‐
		 ture  that contains a notation (see --cert-notation), "X" for
		 an eXpired signature (see --ask-cert-expire), and the numbers
		 1-9  or "T" for 10 and above to indicate trust signature lev‐
		 els (see the --edit-key command "tsign").

       --check-sigs [names]
		 Same as --list-sigs, but the signatures are verified.

       --fingerprint [names]
		 List all keys with their fingerprints. This is the same  out‐
		 put  as  --list-keys but with the additional output of a line
		 with the fingerprint. May also be combined  with  --list-sigs
		 or --check-sigs.  If this command is given twice, the finger‐
		 prints of all secondary keys are listed too.

       --list-packets
		 List only the sequence of packets. This is mainly useful  for
		 debugging.

       --gen-key Generate  a  new key pair. This command is normally only used
		 interactively.

		 There is an experimental feature which allows you  to	create
		 keys  in  batch  mode. See the file doc/DETAILS in the source
		 distribution on how to use this.

       --edit-key name
		 Present a menu which enables you to do all key related tasks:

		 sign	   Make a signature on key of user name If the key  is
			   not	yet  signed  by the default user (or the users
			   given with -u), the program displays	 the  informa‐
			   tion	 of  the  key again, together with its finger‐
			   print and asks whether it should  be	 signed.  This
			   question  is	 repeated for all users specified with
			   -u.

		 lsign	   Same as "sign" but the signature is marked as  non-
			   exportable and will therefore never be used by oth‐
			   ers.	 This may be used to make keys valid  only  in
			   the local environment.

		 nrsign	   Same	 as "sign" but the signature is marked as non-
			   revocable and can therefore never be revoked.

		 tsign	   Make a trust signature.  This is a  signature  that
			   combines the notions of certification (like a regu‐
			   lar signature), and trust (like  the	 "trust"  com‐
			   mand).   It	is  generally  only useful in distinct
			   communities or groups.

		 Note that "l" (for local / non-exportable),  "nr"  (for  non-
		 revocable,  and  "t" (for trust) may be freely mixed and pre‐
		 fixed to "sign" to create a signature of any type desired.

		 revsig	   Revoke a signature.	For every signature which  has
			   been	 generated  by	one  of the secret keys, GnuPG
			   asks whether a  revocation  certificate  should  be
			   generated.

		 trust	   Change  the	owner  trust  value.  This updates the
			   trust-db immediately and no save is required.

		 disable

		 enable	   Disable or enable an entire key. A disabled key can
			   not normally be used for encryption.

		 adduid	   Create an alternate user id.

		 addphoto  Create  a  photographic  user id.  This will prompt
			   for a JPEG file that will be embedded into the user
			   ID.	 Note  that  a very large JPEG will make for a
			   very large key.  Also note that some programs  will
			   display  your JPEG unchanged (GnuPG), and some pro‐
			   grams will scale it to fit in a dialog box (PGP).

		 deluid	   Delete a user id.

		 delsig	   Delete a signature.

		 revuid	   Revoke a user id.

		 addkey	   Add a subkey to this key.

		 addcardkey
			   Generate a key on a card and add it to this key.

		 keytocard Transfer the selected secret key  (or  the  primary
			   key	if  no	key has been selected) to a smartcard.
			   The secret key in the keyring will be replaced by a
			   stub if the key could be stored successfully on the
			   card and you use the save command later.  Only cer‐
			   tain	 key  types may be transferred to the card.  A
			   sub menu allows you to select on what card to store
			   the	key.  Note that it is not possible to get that
			   key back from the card - if the  card  gets	broken
			   your	 secret	 key  will  be	lost unless you have a
			   backup somewhere.

		 bkuptocard file
			   Restore the given file to a card. This command  may
			   be  used to restore a backup key (as generated dur‐
			   ing card initialization) to a new card.  In	almost
			   all	cases  this  will  be  the encryption key. You
			   should use this command only with the corresponding
			   public  key	and  make  sure that the file given as
			   argument is indeed  the  backup  to	restore.   You
			   should  then select 2 to restore as encryption key.
			   You will first be asked to enter the passphrase  of
			   the	backup	key  and then for the Admin PIN of the
			   card.

		 delkey	   Remove a subkey.

		 addrevoker [sensitive]
			   Add a designated revoker.  This takes one  optional
			   argument:  "sensitive".  If a designated revoker is
			   marked as sensitive, it will	 not  be  exported  by
			   default (see export-options).

		 revkey	   Revoke a subkey.

		 expire	   Change  the	key  expiration	 time.	If a subkey is
			   selected, the expiration time of this  subkey  will
			   be  changed.	 With no selection, the key expiration
			   of the primary key is changed.

		 passwd	   Change the passphrase of the secret key.

		 primary   Flag the  current  user  id	as  the	 primary  one,
			   removes  the	 primary  user	id flag from all other
			   user ids and sets the  timestamp  of	 all  affected
			   self-signatures  one	 second ahead.	Note that set‐
			   ting a photo user ID as primary  makes  it  primary
			   over	 other	photo  user IDs, and setting a regular
			   user ID as primary makes it primary over other reg‐
			   ular user IDs.

		 uid n	   Toggle selection of user id with index n.  Use 0 to
			   deselect all.

		 key n	   Toggle selection of subkey with index n.  Use 0  to
			   deselect all.

		 check	   Check all selected user ids.

		 showphoto Display the selected photographic user id.

		 pref	   List	 preferences  from the selected user ID.  This
			   shows the actual preferences, without including any
			   implied preferences.

		 showpref  More	 verbose  preferences listing for the selected
			   user ID.  This shows the preferences in  effect  by
			   including the implied preferences of 3DES (cipher),
			   SHA-1 (digest), and Uncompressed  (compression)  if
			   they	 are  not  already  included in the preference
			   list.

		 setpref string
			   Set the list of user ID preferences to string, this
			   should  be  a  string similar to the one printed by
			   "pref".  Using an empty string will set the default
			   preference  string,	using  "none"  will remove the
			   preferences.	 Use "gpg --version" to get a list  of
			   available  algorithms.   This command just initial‐
			   izes an internal list and does not change  anything
			   unless  another  command  (such as "updpref") which
			   changes the self-signatures is used.

		 updpref   Change the preferences of all user IDs (or just  of
			   the	selected  ones	to the current list of prefer‐
			   ences.  The timestamp of all	 affected  self-signa‐
			   tures  will	be  advanced by one second.  Note that
			   while  you  can  change  the	 preferences   on   an
			   attribute  user ID (aka "photo ID"), GnuPG does not
			   select keys via attribute user IDs so these prefer‐
			   ences will not be used by GnuPG.

		 keyserver Set	a  preferred  keyserver for the specified user
			   ID(s).  This allows other users to know  where  you
			   prefer  they	 get  your key from.  See --keyserver-
			   option honor-keyserver-url for  more	 on  how  this
			   works.   Note  that	some versions of PGP interpret
			   the presence of a keyserver URL as  an  instruction
			   to  enable PGP/MIME mail encoding.  Setting a value
			   of "none" removes a existing preferred keyserver.

		 toggle	   Toggle between public and secret key listing.

		 clean	   Cleans keys by removing unusable pieces.  This com‐
			   mand	 can  be used to keep keys neat and clean, and
			   it has no effect aside from that.

			   sigs	     Remove any signatures that are not usable
				     by	 the trust calculations.  For example,
				     this removes any signature that does  not
				     validate.	 It also removes any signature
				     that is superceded by a later  signature,
				     or signatures that were revoked.

			   uids	     Compact   (by   removing  all  signatures
				     except the selfsig) any user ID  that  is
				     no	  longer   usable  (e.g.  revoked,  or
				     expired).

		 If invoked with no arguments,	both  `sigs'  and  `uids'  are
		 cleaned.

		 save	   Save all changes to the key rings and quit.

		 quit	   Quit the program without updating the key rings.

		 The listing shows you the key with its secondary keys and all
		 user ids. Selected keys or  user  ids	are  indicated	by  an
		 asterisk.  The trust value is displayed with the primary key:
		 the first is the assigned owner trust and the second  is  the
		 calculated trust value.  Letters are used for the values:

		 -	   No ownertrust assigned / not yet calculated.

		 e	   Trust  calculation  has  failed; probably due to an
			   expired key.

		 q	   Not enough information for calculation.

		 n	   Never trust this key.

		 m	   Marginally trusted.

		 f	   Fully trusted.

		 u	   Ultimately trusted.

       --card-edit
		 Present a menu to work	 with  a  smartcard.   The  subcommand
		 "help"	 provides  an  overview	 on available commands.	 For a
		 detailed  description,	 please	 see   the   Card   HOWTO   at
		 http://www.gnupg.org/documentation/howtos.html#GnuPG-card‐
		 HOWTO .

       --card-status
		 Show the content of the smart card.

       --change-pin
		 Present a menu to allow changing  the	PIN  of	 a  smartcard.
		 This  functionality  is  also	available  as  the  subcommand
		 "passwd" with the --card-edit command.

       --sign-key name
		 Signs a public key with your secret key. This is  a  shortcut
		 version of the subcommand "sign" from --edit.

       --lsign-key name
		 Signs	a public key with your secret key but marks it as non-
		 exportable.  This is a shortcut  version  of  the  subcommand
		 "lsign" from --edit.

       --delete-key name
		 Remove	 key  from  the	 public keyring.  In batch mode either
		 --yes is required or the key must  be	specified  by  finger‐
		 print.	  This	is  a safeguard against accidental deletion of
		 multiple keys.

       --delete-secret-key name
		 Remove key from the secret and public keyring. In batch  mode
		 the key must be specified by fingerprint.

       --delete-secret-and-public-key name
		 Same  as --delete-key, but if a secret key exists, it will be
		 removed first. In batch mode the key  must  be	 specified  by
		 fingerprint.

       --gen-revoke name
		 Generate  a  revocation  certificate for the complete key. To
		 revoke a subkey or a signature, use the --edit command.

       --desig-revoke name
		 Generate a designated revocation certificate for a key.  This
		 allows	 a  user  (with	 the  permission  of the keyholder) to
		 revoke someone else's key.

       --export [names]
		 Either export all keys from all  keyrings  (default  keyrings
		 and  those  registered	 via option --keyring), or if at least
		 one name is given, those of the given name. The  new  keyring
		 is  written  to stdout or to the file given with option "out‐
		 put".	Use together with --armor to mail those keys.

       --send-keys [names]
		 Same as --export but sends the keys to a  keyserver.	Option
		 --keyserver  must be used to give the name of this keyserver.
		 Don't send your complete keyring to a keyserver - select only
		 those keys which are new or changed by you.

       --export-secret-keys [names]

       --export-secret-subkeys [names]
		 Same  as --export, but exports the secret keys instead.  This
		 is normally not very useful and a security risk.  The	second
		 form  of  the	command has the special property to render the
		 secret part of the primary key useless; this is a GNU	exten‐
		 sion to OpenPGP and other implementations can not be expected
		 to successfully import such a key.

		 See the option --simple-sk-checksum if	 you  want  to	import
		 such an exported key with an older OpenPGP implementation.

       --import [files]

       --fast-import [files]
		 Import/merge  keys.  This adds the given keys to the keyring.
		 The fast version is currently just a synonym.

		 There are a few other options which control how this  command
		 works.	  Most	notable	 here is the --keyserver-option merge-
		 only option which does not insert new keys but does only  the
		 merging of new signatures, user-IDs and subkeys.

       --recv-keys key IDs
		 Import	 the  keys  with  the  given key IDs from a keyserver.
		 Option --keyserver must be used to give the name of this key‐
		 server.

       --refresh-keys [key IDs]
		 Request  updates from a keyserver for keys that already exist
		 on the local keyring.	This is useful for updating a key with
		 the  latest  signatures, user IDs, etc.  Calling this with no
		 arguments will refresh the  entire  keyring.	Option	--key‐
		 server must be used to give the name of the keyserver for all
		 keys that do not have preferred keyservers  set  (see	--key‐
		 server-option honor-keyserver-url).

       --search-keys [names]
		 Search	 the  keyserver	 for  the given names.	Multiple names
		 given here will be  joined  together  to  create  the	search
		 string for the keyserver.  Option --keyserver must be used to
		 give the name of this keyserver.

       --update-trustdb
		 Do trust database maintenance.	 This  command	iterates  over
		 all  keys and builds the Web of Trust. This is an interactive
		 command because it may have to ask for the "ownertrust"  val‐
		 ues  for keys.	 The user has to give an estimation of how far
		 she trusts the owner of the displayed key to  correctly  cer‐
		 tify  (sign)  other keys.  GnuPG only asks for the ownertrust
		 value if it has not yet been assigned to a  key.   Using  the
		 --edit-key  menu,  the	 assigned  value can be changed at any
		 time.

       --check-trustdb
		 Do trust database maintenance without user interaction.  From
		 time  to  time	 the  trust  database  must be updated so that
		 expired keys or signatures and the resulting changes  in  the
		 Web  of Trust can be tracked.	Normally, GnuPG will calculate
		 when this is required and do it  automatically	 unless	 --no-
		 auto-check-trustdb is set.  This command can be used to force
		 a trust database check at any time.  The processing is	 iden‐
		 tical	to  that  of --update-trustdb but it skips keys with a
		 not yet defined "ownertrust".

		 For use with cron jobs, this command  can  be	used  together
		 with  --batch	in which case the trust database check is done
		 only if a check is needed.  To force a run even in batch mode
		 add the option --yes.

       --export-ownertrust
		 Send  the  ownertrust	values	to stdout.  This is useful for
		 backup purposes as these values are the only ones which can't
		 be re-created from a corrupted trust DB.

       --import-ownertrust [files]
		 Update the trustdb with the ownertrust values stored in files
		 (or stdin if not given); existing values will be overwritten.

       --rebuild-keydb-caches
		 When updating from version 1.0.6 to 1.0.7 this command should
		 be  used to create signature caches in the keyring.  It might
		 be handy in other situations too.

       --print-md algo [files]

       --print-mds [files]
		 Print message digest of algorithm ALGO for all given files or
		 stdin.	  With	the  second form (or a deprecated "*" as algo)
		 digests for all available algorithms are printed.

       --gen-random 0|1|2	   [count]
		 Emit COUNT random bytes of the given quality level. If	 count
		 is  not  given	 or  zero, an endless sequence of random bytes
		 will be emitted.  PLEASE, don't use this command  unless  you
		 know  what you are doing; it may remove precious entropy from
		 the system!

       --gen-prime mode		  bits		  [qbits]
		 Use the source, Luke :-). The output format is still  subject
		 to change.

       --version Print	version	 information  along  with  a list of supported
		 algorithms.

       --warranty
		 Print warranty information.

       -h, --help
		 Print usage information.  This is a  really  long  list  even
		 though	 it  doesn't list all options.	For every option, con‐
		 sult this manual.

OPTIONS
       Long   options	can   be   put	 in   an   options    file    (default
       "~/.gnupg/gpg.conf").   Short option names will not work - for example,
       "armor" is a valid option for the options file, while "a" is  not.   Do
       not  write  the	2  dashes,  but	 simply the name of the option and any
       required arguments.  Lines with a hash ('#') as	the  first  non-white-
       space character are ignored.  Commands may be put in this file too, but
       that is not generally useful as the command will execute	 automatically
       with every execution of gpg.

       gpg recognizes these options:

       -a, --armor
		 Create ASCII armored output.

       -o, --output file
		 Write output to file.

       --max-output n
		 This  option sets a limit on the number of bytes that will be
		 generated when processing a  file.   Since  OpenPGP  supports
		 various levels of compression, it is possible that the plain‐
		 text of a given message may be significantly larger than  the
		 original  OpenPGP  message.   While GnuPG works properly with
		 such messages, there is often a desire to set a maximum  file
		 size  that  will  be generated before processing is forced to
		 stop by the OS	 limits.   Defaults  to	 0,  which  means  "no
		 limit".

       --mangle-dos-filenames

       --no-mangle-dos-filenames
		 Older	version	 of  Windows cannot handle filenames with more
		 than one dot.	--mangle-dos-filenames causes GnuPG to replace
		 (rather  than	add to) the extension of an output filename to
		 avoid this problem.  This option is off by default and has no
		 effect on non-Windows platforms.

       -u, --local-user name
		 Use  name  as	the  key  to sign with.	 Note that this option
		 overrides --default-key.

       --default-key name
		 Use name as the default key to sign with.  If this option  is
		 not  used,  the  default  key	is  the first key found in the
		 secret keyring.  Note that -u or --local-user overrides  this
		 option.

       -r, --recipient name
		 Encrypt  for user id name. If this option or --hidden-recipi‐
		 ent is not specified,	GnuPG  asks  for  the  user-id	unless
		 --default-recipient is given.

       -R, --hidden-recipient name
		 Encrypt  for user ID name, but hide the key ID of this user's
		 key.  This option helps to hide the receiver of  the  message
		 and is a limited countermeasure against traffic analysis.  If
		 this option or --recipient is not specified, GnuPG  asks  for
		 the user ID unless --default-recipient is given.

       --default-recipient name
		 Use  name  as	default recipient if option --recipient is not
		 used and don't ask if this is a valid one. name must be  non-
		 empty.

       --default-recipient-self
		 Use  the default key as default recipient if option --recipi‐
		 ent is not used and don't ask if this is  a  valid  one.  The
		 default  key  is the first one from the secret keyring or the
		 one set with --default-key.

       --no-default-recipient
		 Reset --default-recipient and --default-recipient-self.

       --encrypt-to name
		 Same as --recipient but this one is intended for use  in  the
		 options  file	and  may  be  used with your own user-id as an
		 "encrypt-to-self".  These keys are only used when  there  are
		 other recipients given either by use of --recipient or by the
		 asked user id.	 No trust checking is performed for these user
		 ids and even disabled keys can be used.

       --hidden-encrypt-to name
		 Same  as  --hidden-recipient but this one is intended for use
		 in the options file and may be used with your own user-id  as
		 a  hidden  "encrypt-to-self".	 These keys are only used when
		 there are other recipients given either by use of --recipient
		 or  by the asked user id.  No trust checking is performed for
		 these user ids and even disabled keys can be used.

       --no-encrypt-to
		 Disable the use of all --encrypt-to  and  --hidden-encrypt-to
		 keys.

       -v, --verbose
		 Give  more  information during processing. If used twice, the
		 input data is listed in detail.

       -q, --quiet
		 Try to be as quiet as possible.

       -z n

       --compress-level n

       --bzip2-compress-level n
		 Set compression level to n for the ZIP and  ZLIB  compression
		 algorithms.   The  default  is to use the default compression
		 level of zlib (normally 6).  --bzip2-compress-level sets  the
		 compression   level   for  the	 BZIP2	compression  algorithm
		 (defaulting to 6 as well).  This is a different  option  from
		 --compress-level  since  BZIP2	 uses  a significant amount of
		 memory for each additional compression level.	-z sets	 both.
		 A value of 0 for n disables compression.

       --bzip2-decompress-lowmem
		 Use  a	 different  decompression  method for BZIP2 compressed
		 files.	 This alternate method uses a bit more than  half  the
		 memory,  but  also  runs  at  half the speed.	This is useful
		 under extreme low memory  circumstances  when	the  file  was
		 originally compressed at a high --bzip2-compress-level.

       -t, --textmode

       --no-textmode
		 Treat	input  files  as  text	and  store them in the OpenPGP
		 canonical text form with standard "CRLF" line endings.	  This
		 also  sets  the  necessary flags to inform the recipient that
		 the encrypted or signed data is text and may  need  its  line
		 endings  converted  back  to  whatever the local system uses.
		 This option is useful when communicating  between  two	 plat‐
		 forms	that have different line ending conventions (UNIX-like
		 to Mac, Mac to Windows, etc).	 --no-textmode	disables  this
		 option, and is the default.

		 If -t (but not --textmode) is used together with armoring and
		 signing, this enables clearsigned messages.  This  kludge  is
		 needed	 for command-line compatibility with command-line ver‐
		 sions of PGP; normally you would use --sign or --clearsign to
		 select the type of the signature.

       -n, --dry-run
		 Don't make any changes (this is not completely implemented).

       -i, --interactive
		 Prompt before overwriting any files.

       --batch

       --no-batch
		 Use  batch  mode.   Never  ask, do not allow interactive com‐
		 mands.	 --no-batch disables this option.

       --no-tty	 Make sure that the TTY (terminal) is never used for any  out‐
		 put.  This option is needed in some cases because GnuPG some‐
		 times prints warnings to the TTY if --batch is used.

       --yes	 Assume "yes" on most questions.

       --no	 Assume "no" on most questions.

       --ask-cert-level

       --no-ask-cert-level
		 When making a	key  signature,	 prompt	 for  a	 certification
		 level.	  If  this  option is not specified, the certification
		 level used is set via --default-cert-level.   See  --default-
		 cert-level  for  information  on  the specific levels and how
		 they are  used.  --no-ask-cert-level  disables	 this  option.
		 This option defaults to no.

       --default-cert-level n
		 The default to use for the check level when signing a key.

		 0  means you make no particular claim as to how carefully you
		 verified the key.

		 1 means you believe the key is owned by the person who claims
		 to  own  it  but  you could not, or did not verify the key at
		 all.  This is useful for a "persona" verification, where  you
		 sign the key of a pseudonymous user.

		 2 means you did casual verification of the key.  For example,
		 this could mean that you verified that	 the  key  fingerprint
		 and checked the user ID on the key against a photo ID.

		 3 means you did extensive verification of the key.  For exam‐
		 ple, this could mean that you verified	 the  key  fingerprint
		 with the owner of the key in person, and that you checked, by
		 means of a hard to forge document with a photo ID (such as  a
		 passport)  that the name of the key owner matches the name in
		 the user ID on the key, and finally  that  you	 verified  (by
		 exchange  of email) that the email address on the key belongs
		 to the key owner.

		 Note that the examples given above for levels	2  and	3  are
		 just  that:  examples.	 In the end, it is up to you to decide
		 just what "casual" and "extensive" mean to you.

		 This option defaults to 0 (no particular claim).

       --min-cert-level
		 When building the trust database, treat any signatures with a
		 certification	level  below  this as invalid.	Defaults to 2,
		 which disregards level 1 signatures.  Note that level	0  "no
		 particular claim" signatures are always accepted.

       --trusted-key long key ID
		 Assume that the specified key (which must be given as a  full
		 8 byte key ID) is as trustworthy as one of  your  own	secret
		 keys.	This  option  is useful if you don't want to keep your
		 secret keys (or one of them) online but still want to be able
		 to  check  the	 validity of a given recipient's or signator's
		 key.

       --trust-model pgp|classic|always
		 Set what trust model GnuPG should follow.  The models are:

		 pgp	   This is the Web of Trust combined with trust signa‐
			   tures  as  used  in PGP 5.x and later.  This is the
			   default trust model.

		 classic   This is the standard Web of Trust as	 used  in  PGP
			   2.x and earlier.

		 direct	   Key	validity  is  set directly by the user and not
			   calculated via the Web of Trust.

		 always	   Skip key validation and assume that used  keys  are
			   always  fully  trusted.   You won't use this unless
			   you have installed some external validation scheme.
			   This	 option	 also suppresses the "[uncertain]" tag
			   printed with signature checks when there is no evi‐
			   dence that the user ID is bound to the key.

       --always-trust
		 Identical  to	`--trust-model always'.	 This option is depre‐
		 cated.

       --keyid-format short|0xshort|long|0xlong
		 Select how to display key IDs.	 "short"  is  the  traditional
		 8-character  key  ID.	 "long" is the more accurate (but less
		 convenient) 16-character key ID.  Add an "0x"	to  either  to
		 include  an  "0x"  at	the  beginning	of  the	 key ID, as in
		 0x99242560.

       --keyserver name
		 Use name as your keyserver.  This is the server that  --recv-
		 keys, --send-keys, and --search-keys will communicate with to
		 receive keys from, send keys to, and search for keys on.  The
		 format	  of   the   name  is  a  URI:	`scheme:[//]keyserver‐
		 name[:port]' The scheme is the type of keyserver:  "hkp"  for
		 the  HTTP (or compatible) keyservers, "ldap" for the NAI LDAP
		 keyserver, or "mailto" for the Graff email  keyserver.	  Note
		 that  your  particular	 installation  of GnuPG may have other
		 keyserver types available as  well.   Keyserver  schemes  are
		 case-insensitive.

		 Most keyservers synchronize with each other, so there is gen‐
		 erally no need to send keys to more  than  one	 server.   The
		 keyserver  "hkp://subkeys.pgp.net"  uses  round  robin DNS to
		 give a different keyserver each time you use it.

       --keyserver-options parameters
		 This is a space or comma delimited string that gives  options
		 for  the keyserver.  Options can be prepended with a `no-' to
		 give the opposite meaning.  Valid import-options  or  export-
		 options  may  be  used	 here  as  well	 to apply to importing
		 (--recv-key) or exporting (--send-key)	 a  key	 from  a  key‐
		 server.   While  not  all  options are available for all key‐
		 server types, some common options are:

		 include-revoked
			   When	 searching  for	 a  key	 with	--search-keys,
			   include  keys  that	are marked on the keyserver as
			   revoked.  Note that not all keyservers  differenti‐
			   ate	between	 revoked  and  unrevoked keys, and for
			   such keyservers this option is  meaningless.	  Note
			   also that most keyservers do not have cryptographic
			   verification of key	revocations,  and  so  turning
			   this	 option	 off  may result in skipping keys that
			   are incorrectly marked as revoked.  Defaults to on.

		 include-disabled
			   When	 searching  for	 a  key	 with	--search-keys,
			   include  keys  that	are marked on the keyserver as
			   disabled.  Note that this option is not  used  with
			   HKP keyservers.

		 honor-keyserver-url
			   When	 using	--refresh-keys, if the key in question
			   has a preferred keyserver set, then use  that  pre‐
			   ferred keyserver to refresh the key from.  Defaults
			   to yes.

		 include-subkeys
			   When receiving a key, include subkeys as  potential
			   targets.   Note  that  this option is not used with
			   HKP keyservers, as they do not  support  retrieving
			   keys by subkey id.

		 use-temp-files
			   On  most  Unix-like	platforms,  GnuPG communicates
			   with the keyserver helper program via pipes,	 which
			   is  the  most efficient method.  This option forces
			   GnuPG to use temporary files	 to  communicate.   On
			   some	 platforms  (such  as Win32 and RISC OS), this
			   option is always enabled.

		 keep-temp-files
			   If using `use-temp-files', do not delete  the  temp
			   files  after	 using them.  This option is useful to
			   learn the keyserver communication protocol by read‐
			   ing the temporary files.

		 verbose   Tell	 the  keyserver helper program to be more ver‐
			   bose.  This option can be repeated  multiple	 times
			   to increase the verbosity level.

		 timeout   Tell the keyserver helper program how long (in sec‐
			   onds) to try and perform a keyserver action	before
			   giving  up.	 Note that performing multiple actions
			   at the  same	 time  uses  this  timeout  value  per
			   action.  For example, when retrieving multiple keys
			   via --recv-keys, the timeout applies separately  to
			   each key retrieval, and not to the --recv-keys com‐
			   mand as a whole.  Defaults to 30 seconds.

		 http-proxy[=value]
			   For HTTP-like keyserver schemes that (such  as  HKP
			   and	HTTP itself), try to access the keyserver over
			   a proxy.  If a value is specified, use this as  the
			   HTTP	 proxy.	  If no value is specified, try to use
			   the value of the environment variable "http_proxy".

		 auto-key-retrieve
			   This option enables	the  automatic	retrieving  of
			   keys	 from  a  keyserver  when verifying signatures
			   made by keys that are not on the local keyring.

			   Note that this option makes a "web bug" like behav‐
			   ior	possible.   Keyserver  operators can see which
			   keys you request,  so  by  sending  you  a  message
			   signed by a brand new key (which you naturally will
			   not have on your local keyring), the	 operator  can
			   tell	 both  your  IP	 address and the time when you
			   verified the signature.

       --import-options parameters
		 This is a space or comma delimited string that gives  options
		 for importing keys.  Options can be prepended with a `no-' to
		 give the opposite meaning.  The options are:

		 import-local-sigs
			   Allow importing key signatures marked  as  "local".
			   This	 is  not  generally  useful  unless  a	shared
			   keyring scheme is being used.  Defaults to no.

		 repair-pks-subkey-bug
			   During import, attempt to repair the damage	caused
			   by  the  PKS keyserver bug (pre version 0.9.6) that
			   mangles keys with multiple subkeys.	Note that this
			   cannot  completely  repair  the damaged key as some
			   crucial data is removed by the  keyserver,  but  it
			   does	 at  least give you back one subkey.  Defaults
			   to no for regular --import and to yes for keyserver
			   --recv-keys.

		 merge-only
			   During  import, allow key updates to existing keys,
			   but do not allow  any  new  keys  to	 be  imported.
			   Defaults to no.

		 import-clean-sigs
			   After  import,  remove  any signatures from the new
			   key that are not usable.  This is the same as  run‐
			   ning	 the  --edit-key  command  "clean  sigs" after
			   import.  Defaults to no.

		 import-clean-uids
			   After import, compact (remove all signatures	 from)
			   any	user IDs from the new key that are not usable.
			   This is the same as running the --edit-key  command
			   "clean uids" after import.  Defaults to no.

       --export-options parameters
		 This  is a space or comma delimited string that gives options
		 for exporting keys.  Options can be prepended with a `no-' to
		 give the opposite meaning.  The options are:

		 export-local-sigs
			   Allow  exporting  key signatures marked as "local".
			   This	 is  not  generally  useful  unless  a	shared
			   keyring scheme is being used.  Defaults to no.

		 export-attributes
			   Include   attribute	user  IDs  (photo  IDs)	 while
			   exporting.  This is useful to export keys  if  they
			   are	going  to  be  used by an OpenPGP program that
			   does not accept attribute user  IDs.	  Defaults  to
			   yes.

		 export-sensitive-revkeys
			   Include  designated	revoker	 information  that was
			   marked as "sensitive".  Defaults to no.

		 export-minimal
			   Export the smallest key possible.   Currently  this
			   is  done by leaving out any signatures that are not
			   self-signatures.  Defaults to no.

		 export-clean-sigs
			   Do not export any signatures that are  not  usable.
			   This	 is the same as running the --edit-key command
			   "clean sigs" before export.	Defaults to no.

		 export-clean-uids
			   Compact (remove all signatures from)	 user  IDs  on
			   the	key  being  exported  if  the user IDs are not
			   usable.  This is the same as running the --edit-key
			   command  "clean  uids"  before export.  Defaults to
			   no.

		 export-reset-subkey-passwd
			   When using the  "--export-secret-subkeys"  command,
			   this option resets the passphrases for all exported
			   subkeys to empty.  This is useful when the exported
			   subkey is to be used on an unattended amchine where
			   a passphrase won't make sense. Defaults to no.

       --list-options parameters
		 This is a space or comma delimited string that gives  options
		 used  when listing keys and signatures (that is, --list-keys,
		 --list-sigs, --list-public-keys, --list-secret-keys, and  the
		 --edit-key functions).	 Options can be prepended with a `no-'
		 to give the opposite meaning.	The options are:

		 show-photos
			   Causes  --list-keys,	 --list-sigs,	--list-public-
			   keys,  and  --list-secret-keys to display any photo
			   IDs attached to the key.  Defaults to no.  See also
			   --photo-viewer.

		 show-policy-urls
			   Show policy URLs in the --list-sigs or --check-sigs
			   listings.  Defaults to no.

		 show-notations

		 show-std-notations

		 show-user-notations
			   Show all, IETF standard, or user-defined  signature
			   notations  in the --list-sigs or --check-sigs list‐
			   ings.  Defaults to no.

		 show-keyserver-urls
			   Show any preferred keyserver URL in the --list-sigs
			   or --check-sigs listings.  Defaults to no.

		 show-uid-validity
			   Display  the calculated validity of user IDs during
			   key listings.  Defaults to no.

		 show-unusable-uids
			   Show revoked and expired user IDs in key  listings.
			   Defaults to no.

		 show-unusable-subkeys
			   Show	 revoked  and expired subkeys in key listings.
			   Defaults to no.

		 show-keyring
			   Display the keyring name at the head of  key	 list‐
			   ings	 to show which keyring a given key resides on.
			   Defaults to no.

		 show-sig-expire
			   Show signature expiration  dates  (if  any)	during
			   --list-sigs	or --check-sigs listings.  Defaults to
			   no.

		 show-sig-subpackets
			   Include signature subpackets in  the	 key  listing.
			   This	 option	 can take an optional argument list of
			   the subpackets to list.  If no argument is  passed,
			   list	 all subpackets.  Defaults to no.  This option
			   is only meaningful when using  --with-colons	 along
			   with --list-sigs or --check-sigs.

       --verify-options parameters
		 This  is a space or comma delimited string that gives options
		 used when verifying signatures.   Options  can	 be  prepended
		 with a `no-' to give the opposite meaning.  The options are:

		 show-photos
			   Display  any	 photo	IDs  present  on  the key that
			   issued the signature.  Defaults to  no.   See  also
			   --photo-viewer.

		 show-policy-urls
			   Show	 policy	 URLs in the signature being verified.
			   Defaults to no.

		 show-notations

		 show-std-notations

		 show-user-notations
			   Show all, IETF standard, or user-defined  signature
			   notations   in   the	  signature   being  verified.
			   Defaults to IETF standard.

		 show-keyserver-urls
			   Show any preferred keyserver URL in	the  signature
			   being verified.  Defaults to no.

		 show-uid-validity
			   Display  the calculated validity of the user IDs on
			   the key that issued the signature.  Defaults to no.

		 show-unusable-uids
			   Show revoked and expired user IDs during  signature
			   verification.  Defaults to no.

       --show-photos

       --no-show-photos
		 Causes	 --list-keys, --list-sigs, --list-public-keys, --list-
		 secret-keys, and verifying a signature to  also  display  the
		 photo	ID  attached  to  the  key, if any.  See also --photo-
		 viewer.  These options are deprecated.	  Use  `--list-options
		 [no-]show-photos'  and/or `--verify-options [no-]show-photos'
		 instead.

       --photo-viewer string
		 This is the command line that should be run to view  a	 photo
		 ID.   "%i"  will  be  expanded	 to  a filename containing the
		 photo.	 "%I" does the same,  except  the  file	 will  not  be
		 deleted  once the viewer exits.  Other flags are "%k" for the
		 key ID, "%K" for the long key ID, "%f" for  the  key  finger‐
		 print, "%t" for the extension of the image type (e.g. "jpg"),
		 "%T" for the MIME type of the image (e.g. "image/jpeg"),  and
		 "%%"  for  an	actual	percent sign.  If neither %i or %I are
		 present, then the photo will be supplied  to  the  viewer  on
		 standard input.

		 The  default viewer is "xloadimage -fork -quiet -title 'KeyID
		 0x%k' stdin".	Note that if your image viewer program is  not
		 secure, then executing it from GnuPG does not make it secure.

       --exec-path string
		 Sets  a  list	of directories to search for photo viewers and
		 keyserver helpers.  If not provided,  keyserver  helpers  use
		 the  compiled-in default directory, and photo viewers use the
		 $PATH environment variable.  Note, that on  W32  system  this
		 value is ignored when searching for keyserver helpers.

       --show-keyring
		 Display  the keyring name at the head of key listings to show
		 which keyring a given key resides on.	This option is	depre‐
		 cated: use `--list-options [no-]show-keyring' instead.

       --keyring file
		 Add  file  to	the  current list of keyrings.	If file begins
		 with a tilde and a slash, these are  replaced	by  the	 $HOME
		 directory.  If	 the  filename does not contain a slash, it is
		 assumed to be in the  GnuPG  home  directory  ("~/.gnupg"  if
		 --homedir or $GNUPGHOME is not used).

		 Note  that  this  adds a keyring to the current list.	If the
		 intent is to use the specified keyring alone,	use  --keyring
		 along with --no-default-keyring.

       --secret-keyring file
		 Same as --keyring but for the secret keyrings.

       --primary-keyring file
		 Designate  file  as  the  primary public keyring.  This means
		 that newly imported keys (via --import or  keyserver  --recv-
		 from) will go to this keyring.

       --trustdb-name file
		 Use file instead of the default trustdb.  If file begins with
		 a tilde and a slash, these are replaced by the	 $HOME	direc‐
		 tory. If the filename does not contain a slash, it is assumed
		 to be in the GnuPG home directory ("~/.gnupg" if --homedir or
		 $GNUPGHOME is not used).

       --homedir directory
		 Set  the  name	 of  the  home	directory to directory If this
		 option is not used it defaults to  "~/.gnupg".	 It  does  not
		 make sense to use this in a options file. This also overrides
		 the environment variable $GNUPGHOME.

       --pcsc-driver file
		 Use file to access the smartcard reader.  The current default
		 is  `libpcsclite.so'.	Instead of using this option you might
		 also want to install a symbolic link to the default file name
		 (e.g. from `libpcsclite.so.1').

       --ctapi-driver file
		 Use file to access the smartcard reader.  The current default
		 is `libtowitoko.so'.  Note that the use of this interface  is
		 deprecated; it may be removed in future releases.

       --disable-ccid
		 Disable  the  integrated  support for CCID compliant readers.
		 This allows to fall back to one of the other drivers even  if
		 the  internal	CCID driver can handle the reader.  Note, that
		 CCID support is only available if  libusb  was	 available  at
		 build time.

       --reader-port number_or_string
		 This  option may be used to specify the port of the card ter‐
		 minal.	 A value of 0 refers to the first serial  device;  add
		 32768 to access USB devices.  The default is 32768 (first USB
		 device).  PC/SC or CCID readers might need a string here; run
		 the  program in verbose mode to get a list of available read‐
		 ers.  The default is then the first reader found.

       --display-charset name
		 Set the name of the native character set.  This  is  used  to
		 convert  some	informational  strings	like  user  IDs to the
		 proper UTF-8 encoding.	 If  this  option  is  not  used,  the
		 default  character set is determined from the current locale.
		 A verbosity level of 3 shows the chosen  set.	 Valid	values
		 for name are:

		 iso-8859-1
			   This is the Latin 1 set.

		 iso-8859-2
			   The Latin 2 set.

		 iso-8859-15
			   This is currently an alias for the Latin 1 set.

		 koi8-r	   The usual Russian set (rfc1489).

		 utf-8	   Bypass all translations and assume that the OS uses
			   native UTF-8 encoding.

       --utf8-strings

       --no-utf8-strings
		 Assume that command line arguments are given as UTF8 strings.
		 The  default  (--no-utf8-strings) is to assume that arguments
		 are encoded in the character set as specified	by  --display-
		 charset.  These options affect all following arguments.  Both
		 options may be used multiple times.

       --options file
		 Read options from file and do not try to read them  from  the
		 default  options  file	 in  the homedir (see --homedir). This
		 option is ignored if used in an options file.

       --no-options
		 Shortcut for "--options /dev/null".  This option is  detected
		 before	 an attempt to open an option file.  Using this option
		 will also prevent the creation of a "~./gnupg" homedir.

       --load-extension name
		 Load an extension module. If name does not contain a slash it
		 is  searched  for  in the directory configured when GnuPG was
		 built (generally "/usr/local/lib/gnupg").  Extensions are not
		 generally  useful anymore, and the use of this option is dep‐
		 recated.

       --debug flags
		 Set debugging flags. All flags are or-ed  and	flags  may  be
		 given in C syntax (e.g. 0x0042).

       --debug-all
		 Set all useful debugging flags.

       --debug-ccid-driver
		 Enable	 debug output from the included CCID driver for smart‐
		 cards.	 Note that this option is only available on some  sys‐
		 tem.

       --enable-progress-filter
		 Enable	 certain  PROGRESS status outputs.  This option allows
		 frontends to display a progress indicator while gpg  is  pro‐
		 cessing larger files.	There is a slight performance overhead
		 using it.

       --status-fd n
		 Write special status strings to the file descriptor  n.   See
		 the file DETAILS in the documentation for a listing of them.

       --logger-fd n
		 Write log output to file descriptor n and not to stderr.

       --attribute-fd n
		 Write attribute subpackets to the file descriptor n.  This is
		 most useful for use with --status-fd, since the  status  mes‐
		 sages	are needed to separate out the various subpackets from
		 the stream delivered to the file descriptor.

       --comment string

       --no-comments
		 Use string as a comment string in clear text  signatures  and
		 ASCII	armored	 messages  or keys (see --armor).  The default
		 behavior is not to use a comment string.   --comment  may  be
		 repeated  multiple  times  to	get  multiple comment strings.
		 --no-comments removes all comments.  It is  a	good  idea  to
		 keep  the  length  of a single comment below 60 characters to
		 avoid problems with mail programs wrapping such lines.	  Note
		 that comment lines, like all other header lines, are not pro‐
		 tected by the signature.

       --emit-version

       --no-emit-version
		 Force inclusion of the version string in ASCII	 armored  out‐
		 put.  --no-emit-version disables this option.

       --sig-notation name=value

       --cert-notation name=value

       -N, --set-notation name=value
		 Put  the name value pair into the signature as notation data.
		 name must consist only of printable characters or spaces, and
		 must contain a '@' character in the form keyname@domain.exam‐
		 ple.com (substituting	the  appropriate  keyname  and	domain
		 name,	of  course).  This is to help prevent pollution of the
		 IETF reserved notation namespace.  The	 --expert  flag	 over‐
		 rides	the  '@' check.	 value may be any printable string; it
		 will be encoded in UTF8, so you should check that your --dis‐
		 play-charset  is  set	correctly.  If you prefix name with an
		 exclamation mark (!), the notation data will  be  flagged  as
		 critical  (rfc2440:5.2.3.15).	--sig-notation sets a notation
		 for data signatures.  --cert-notation sets a notation for key
		 signatures (certifications).  --set-notation sets both.

		 There	are  special codes that may be used in notation names.
		 "%k" will be expanded into  the  key  ID  of  the  key	 being
		 signed,  "%K"	into  the long key ID of the key being signed,
		 "%f" into the fingerprint of the key being signed, "%s"  into
		 the  key  ID  of  the key making the signature, "%S" into the
		 long key ID of the key making the signature,  "%g"  into  the
		 fingerprint of the key making the signature (which might be a
		 subkey), "%p" into the fingerprint of the primary key of  the
		 key  making the signature, "%c" into the signature count from
		 the OpenPGP smartcard, and "%%" results in a single "%".  %k,
		 %K,  and  %f  are only meaningful when making a key signature
		 (certification), and %c is only  meaningful  when  using  the
		 OpenPGP smartcard.

       --show-notation

       --no-show-notation
		 Show  signature  notations in the --list-sigs or --check-sigs
		 listings as well as when verifying a signature with  a	 nota‐
		 tion  in  it.	 These	options	 are deprecated.  Use `--list-
		 options    [no-]show-notation'	   and/or    `--verify-options
		 [no-]show-notation' instead.

       --sig-policy-url string

       --cert-policy-url string

       --set-policy-url string
		 Use string as a Policy URL for signatures (rfc2440:5.2.3.19).
		 If you prefix it with an exclamation mark (!), the policy URL
		 packet	 will be flagged as critical.  --sig-policy-url sets a
		 policy url for data  signatures.   --cert-policy-url  sets  a
		 policy	 url  for key signatures (certifications).  --set-pol‐
		 icy-url sets both.

		 The same %-expandos used for notation data are available here
		 as well.

       --show-policy-url

       --no-show-policy-url
		 Show  policy URLs in the --list-sigs or --check-sigs listings
		 as well as when verifying a signature with a  policy  URL  in
		 it.   These  options  are  deprecated.	  Use  `--list-options
		 [no-]show-policy-url' and/or `--verify-options [no-]show-pol‐
		 icy-url' instead.

       --sig-keyserver-url string
		 Use  string as a preferred keyserver URL for data signatures.
		 If you prefix it with an exclamation mark, the keyserver  URL
		 packet will be flagged as critical.

		 The same %-expandos used for notation data are available here
		 as well.

       --set-filename string
		 Use string as the filename which is stored  inside  messages.
		 This  overrides the default, which is to use the actual file‐
		 name of the file being encrypted.

       --for-your-eyes-only

       --no-for-your-eyes-only
		 Set the `for your eyes	 only'	flag  in  the  message.	  This
		 causes	 GnuPG	to refuse to save the file unless the --output
		 option is given, and PGP to use the "secure  viewer"  with  a
		 Tempest-resistant  font  to display the message.  This option
		 overrides --set-filename.   --no-for-your-eyes-only  disables
		 this option.

       --use-embedded-filename

       --no-use-embedded-filename
		 Try  to  create  a  file with a name as embedded in the data.
		 This can be a dangerous option	 as  it	 allows	 to  overwrite
		 files.	 Defaults to no.

       --completes-needed n
		 Number	 of  completely	 trusted  users to introduce a new key
		 signer (defaults to 1).

       --marginals-needed n
		 Number of marginally trusted users to	introduce  a  new  key
		 signer (defaults to 3)

       --max-cert-depth n
		 Maximum depth of a certification chain (default is 5).

       --cipher-algo name
		 Use   name  as cipher algorithm. Running the program with the
		 command --version yields a list of supported  algorithms.  If
		 this  is  not	used the cipher algorithm is selected from the
		 preferences stored with the key.

       --digest-algo name
		 Use name as the message digest algorithm. Running the program
		 with  the  command --version yields a list of supported algo‐
		 rithms.

       --compress-algo name
		 Use compression algorithm name.  "zlib" is RFC-1950 ZLIB com‐
		 pression.  "zip" is RFC-1951 ZIP compression which is used by
		 PGP.  "bzip2" is a more modern compression  scheme  that  can
		 compress some things better than zip or zlib, but at the cost
		 of more memory used  during  compression  and	decompression.
		 "uncompressed"	 or  "none"  disables  compression.   If  this
		 option is not used, the default behavior is  to  examine  the
		 recipient key preferences to see which algorithms the recipi‐
		 ent supports.	If all else fails, ZIP	is  used  for  maximum
		 compatibility.

		 ZLIB  may  give  better  compression results than ZIP, as the
		 compression window size is not limited to 8k.	BZIP2 may give
		 even  better  compression  results  than that, but will use a
		 significantly larger amount of memory while  compressing  and
		 decompressing.	  This may be significant in low memory situa‐
		 tions.	 Note, however, that PGP (all versions) only  supports
		 ZIP  compression.   Using  any	 algorithm  other  than ZIP or
		 "none" will make the message unreadable with PGP.

       --cert-digest-algo name
		 Use name as the message digest algorithm used when signing  a
		 key.  Running the program with the command --version yields a
		 list of supported algorithms.	Be aware that if you choose an
		 algorithm  that  GnuPG supports but other OpenPGP implementa‐
		 tions do not, then some users will not be able to use the key
		 signatures you make, or quite possibly your entire key.

       --s2k-cipher-algo name
		 Use name as the cipher algorithm used to protect secret keys.
		 The default cipher is CAST5.  This cipher is  also  used  for
		 conventional  encryption if --personal-cipher-preferences and
		 --cipher-algo is not given.

       --s2k-digest-algo name
		 Use  name  as	the  digest  algorithm	used  to  mangle   the
		 passphrases.  The default algorithm is SHA-1.

       --s2k-mode n
		 Selects  how  passphrases  are	 mangled.  If  n  is 0 a plain
		 passphrase (which is not recommended) will be used, a 1  adds
		 a  salt  to the passphrase and a 3 (the default) iterates the
		 whole process a couple of times.  Unless --rfc1991  is	 used,
		 this mode is also used for conventional encryption.

       --simple-sk-checksum
		 Secret	 keys  are integrity protected by using a SHA-1 check‐
		 sum.  This method is part of the  upcoming  enhanced  OpenPGP
		 specification	but  GnuPG already uses it as a countermeasure
		 against certain attacks.  Old applications  don't  understand
		 this new format, so this option may be used to switch back to
		 the old behaviour.  Using this option bears a security	 risk.
		 Note that using this option only takes effect when the secret
		 key is encrypted - the simplest way to make this happen is to
		 change	 the  passphrase  on  the key (even changing it to the
		 same value is acceptable).

       --disable-cipher-algo name
		 Never allow the use of name as cipher algorithm.   The	 given
		 name  will  not  be  checked so that a later loaded algorithm
		 will still get disabled.

       --disable-pubkey-algo name
		 Never allow the use of name as	 public	 key  algorithm.   The
		 given	name  will not be checked so that a later loaded algo‐
		 rithm will still get disabled.

       --no-sig-cache
		 Do not cache  the  verification  status  of  key  signatures.
		 Caching  gives	 a  much  better  performance in key listings.
		 However, if you suspect that your public keyring is not  save
		 against  write modifications, you can use this option to dis‐
		 able the caching.  It probably does not make sense to disable
		 it because all kind of damage can be done if someone else has
		 write access to your public keyring.

       --no-sig-create-check
		 GnuPG normally verifies each signature right  after  creation
		 to protect against bugs and hardware malfunctions which could
		 leak out bits from the secret key.  This  extra  verification
		 needs some time (about 115% for DSA keys), and so this option
		 can be used to disable it.  However, due to the fact that the
		 signature creation needs manual interaction, this performance
		 penalty does not matter in most settings.

       --auto-check-trustdb

       --no-auto-check-trustdb
		 If GnuPG feels that its information about the	Web  of	 Trust
		 has  to be updated, it automatically runs the --check-trustdb
		 command internally.  This may be a  time  consuming  process.
		 --no-auto-check-trustdb disables this option.

       --throw-keyids

       --no-throw-keyids
		 Do  not  put  the  recipient key IDs into encrypted messages.
		 This helps to hide the receivers of the message and is a lim‐
		 ited countermeasure against traffic analysis.	On the receiv‐
		 ing side, it may slow down the decryption process because all
		 available  secret keys must be tried.	--no-throw-keyids dis‐
		 ables this option.  This option is essentially	 the  same  as
		 using --hidden-recipient for all recipients.

       --not-dash-escaped
		 This  option  changes the behavior of cleartext signatures so
		 that they can be used for patch files. You  should  not  send
		 such  an  armored  file via email because all spaces and line
		 endings are hashed too.  You can not use this option for data
		 which	has  5	dashes at the beginning of a line, patch files
		 don't have this. A special  armor  header  line  tells	 GnuPG
		 about this cleartext signature option.

       --escape-from-lines

       --no-escape-from-lines
		 Because  some	mailers	 change lines starting with "From " to
		 ">From " it is good to handle such lines  in  a  special  way
		 when creating cleartext signatures to prevent the mail system
		 from breaking the signature.  Note that all  other  PGP  ver‐
		 sions	do it this way too.  Enabled by default.  --no-escape-
		 from-lines disables this option.

       --passphrase-fd n
		 Read the passphrase from file descriptor n. If you use 0  for
		 n,  the passphrase will be read from stdin.  This can only be
		 used if only one passphrase  is  supplied.   Don't  use  this
		 option if you can avoid it.

       --command-fd n
		 This  is  a  replacement for the deprecated shared-memory IPC
		 mode.	If this option is enabled, user input on questions  is
		 not expected from the TTY but from the given file descriptor.
		 It should be used together with  --status-fd.	See  the  file
		 doc/DETAILS  in the source distribution for details on how to
		 use it.

       --use-agent

       --no-use-agent
		 Try to use the GnuPG-Agent. Please note that  this  agent  is
		 still under development.  With this option, GnuPG first tries
		 to connect to the agent before	 it  asks  for	a  passphrase.
		 --no-use-agent disables this option.

       --gpg-agent-info
		 Override    the    value    of	  the	environment   variable
		 GPG_AGENT_INFO.  This is only used when --use-agent has  been
		 given

       Compliance options
		 These	options	 control what GnuPG is compliant to.  Only one
		 of these options may be active at  a  time.   Note  that  the
		 default  setting  of  this  is nearly always the correct one.
		 See the INTEROPERABILITY WITH OTHER OPENPGP PROGRAMS  section
		 below before using one of these options.

		 --gnupg   Use	standard  GnuPG behavior.  This is essentially
			   OpenPGP behavior (see  --openpgp),  but  with  some
			   additional  workarounds  for	 common	 compatibility
			   problems in different versions of PGP.  This is the
			   default  option, so it is not generally needed, but
			   it may be useful to override a different compliance
			   option in the gpg.conf file.

		 --openpgp Reset  all  packet,	cipher	and  digest options to
			   strict OpenPGP behavior.  Use this option to	 reset
			   all	 previous  options  like  --rfc1991,  --force-
			   v3-sigs, --s2k-*, --cipher-algo, --digest-algo  and
			   --compress-algo  to	OpenPGP compliant values.  All
			   PGP workarounds are disabled.

		 --rfc2440 Reset all packet,  cipher  and  digest  options  to
			   strict  RFC-2440  behavior.	Note that this is cur‐
			   rently the same thing as --openpgp.

		 --rfc1991 Try to be more RFC-1991 (PGP 2.x) compliant.

		 --pgp2	   Set up all options to be as PGP  2.x	 compliant  as
			   possible,  and  warn	 if  an	 action is taken (e.g.
			   encrypting to a non-RSA key)	 that  will  create  a
			   message  that  PGP  2.x will not be able to handle.
			   Note that `PGP 2.x' here  means  `MIT  PGP  2.6.2'.
			   There  are other versions of PGP 2.x available, but
			   the MIT release is a good common baseline.

			   This option implies `--rfc1991 --disable-mdc	 --no-
			   force-v4-certs  --no-sk-comment --escape-from-lines
			   --force-v3-sigs --no-ask-sig-expire	--no-ask-cert-
			   expire  --cipher-algo IDEA --digest-algo MD5 --com‐
			   press-algo 1'.  It also  disables  --textmode  when
			   encrypting.

		 --pgp6	   Set up all options to be as PGP 6 compliant as pos‐
			   sible.  This restricts you to the ciphers IDEA  (if
			   the IDEA plugin is installed), 3DES, and CAST5, the
			   hashes MD5, SHA1 and RIPEMD160, and the compression
			   algorithms	none  and  ZIP.	  This	also  disables
			   --throw-keyids, and making signatures with  signing
			   subkeys  as	PGP  6	does not understand signatures
			   made by signing subkeys.

			   This option implies `--disable-mdc  --no-sk-comment
			   --escape-from-lines	--force-v3-sigs	 --no-ask-sig-
			   expire'

		 --pgp7	   Set up all options to be as PGP 7 compliant as pos‐
			   sible.   This  is  identical	 to --pgp6 except that
			   MDCs are not disabled, and the  list	 of  allowable
			   ciphers  is expanded to add AES128, AES192, AES256,
			   and TWOFISH.

		 --pgp8	   Set up all options to be as PGP 8 compliant as pos‐
			   sible.   PGP 8 is a lot closer to the OpenPGP stan‐
			   dard than previous versions of  PGP,	 so  all  this
			   does	 is  disable  --throw-keyids and set --escape-
			   from-lines.	All algorithms are allowed except  for
			   the SHA384 and SHA512 digests.

       --force-v3-sigs

       --no-force-v3-sigs
		 OpenPGP states that an implementation should generate v4 sig‐
		 natures but PGP versions 5 through 7 only recognize v4 signa‐
		 tures	on key material.  This option forces v3 signatures for
		 signatures on data.  Note that this option  overrides	--ask-
		 sig-expire,  as  v3  signatures cannot have expiration dates.
		 --no-force-v3-sigs disables this option.

       --force-v4-certs

       --no-force-v4-certs
		 Always use v4 key signatures even on v3  keys.	  This	option
		 also  changes the default hash algorithm for v3 RSA keys from
		 MD5 to SHA-1.	--no-force-v4-certs disables this option.

       --force-mdc
		 Force the use of encryption  with  a  modification  detection
		 code.	This is always used with the newer ciphers (those with
		 a blocksize greater than 64 bits), or if all of the recipient
		 keys indicate MDC support in their feature flags.

       --disable-mdc
		 Disable  the  use  of	the modification detection code.  Note
		 that by using this option, the encrypted message becomes vul‐
		 nerable to a message modification attack.

       --allow-non-selfsigned-uid

       --no-allow-non-selfsigned-uid
		 Allow	the import and use of keys with user IDs which are not
		 self-signed.  This is not recommended, as a  non  self-signed
		 user  ID  is trivial to forge.	 --no-allow-non-selfsigned-uid
		 disables.

       --allow-freeform-uid
		 Disable all checks on the form of the user ID while  generat‐
		 ing  a new one.  This option should only be used in very spe‐
		 cial environments as it does not ensure the de-facto standard
		 format of user IDs.

       --ignore-time-conflict
		 GnuPG	normally  checks  that	the timestamps associated with
		 keys and signatures have plausible  values.   However,	 some‐
		 times a signature seems to be older than the key due to clock
		 problems.  This option makes these  checks  just  a  warning.
		 See also --ignore-valid-from for timestamp issues on subkeys.

       --ignore-valid-from
		 GnuPG normally does not select and use subkeys created in the
		 future.  This option allows the use of	 such  keys  and  thus
		 exhibits  the	pre-1.0.7  behaviour.  You should not use this
		 option unless you there is  some  clock  problem.   See  also
		 --ignore-time-conflict for timestamp issues with signatures.

       --ignore-crc-error
		 The  ASCII armor used by OpenPGP is protected by a CRC check‐
		 sum against transmission errors.  Occasionally the  CRC  gets
		 mangled  somewhere on the transmission channel but the actual
		 content (which is protected by the OpenPGP  protocol  anyway)
		 is  still  okay.   This  option  allows  GnuPG	 to ignore CRC
		 errors.

       --ignore-mdc-error
		 This option changes a MDC integrity protection failure into a
		 warning.   This  can be useful if a message is partially cor‐
		 rupt, but it is necessary to get as much data as possible out
		 of the corrupt message.  However, be aware that a MDC protec‐
		 tion failure may also mean that the message was tampered with
		 intentionally by an attacker.

       --lock-once
		 Lock  the databases the first time a lock is requested and do
		 not release the lock until the process terminates.

       --lock-multiple
		 Release the locks every time a lock is no longer needed.  Use
		 this to override a previous --lock-once from a config file.

       --lock-never
		 Disable locking entirely.  This option should be used only in
		 very special environments, where it can be assured that  only
		 one process is accessing those files.	A bootable floppy with
		 a stand-alone	encryption  system  will  probably  use	 this.
		 Improper  usage  of this option may lead to data and key cor‐
		 ruption.

       --exit-on-status-write-error
		 This option will cause write errors on the status FD to imme‐
		 diately  terminate  the  process.  That should in fact be the
		 default but it never worked this way  and  thus  we  need  an
		 option	 to enable this, so that the change won't break appli‐
		 cations which close their end of a status fd  connected  pipe
		 too  early.   Using this option along with --enable-progress-
		 filter may be used to cleanly cancel long running gpg	opera‐
		 tions.

       --limit-card-insert-tries n
		 With  n greater than 0 the number of prompts asking to insert
		 a smartcard gets limited to N-1.  Thus with a value of 1  gpg
		 won't	at  all ask to insert a card if none has been inserted
		 at startup. This option is useful in the  configuration  file
		 in case an application does not know about the smartcard sup‐
		 port and waits ad infinitum for an inserted card.

       --no-random-seed-file
		 GnuPG uses a file to store  its  internal  random  pool  over
		 invocations.	This  makes  random generation faster; however
		 sometimes write operations are not desired.  This option  can
		 be used to achieve that with the cost of slower random gener‐
		 ation.

       --no-verbose
		 Reset verbose level to 0.

       --no-greeting
		 Suppress the initial copyright message.

       --no-secmem-warning
		 Suppress the warning about "using insecure memory".

       --no-permission-warning
		 Suppress the warning about unsafe  file  and  home  directory
		 (--homedir)  permissions.   Note  that	 the permission checks
		 that GnuPG performs are not intended to be authoritative, but
		 rather they simply warn about certain common permission prob‐
		 lems.	Do not assume that the lack of a  warning  means  that
		 your system is secure.

		 Note that the warning for unsafe --homedir permissions cannot
		 be supressed in the gpg.conf file, as	this  would  allow  an
		 attacker  to  place an unsafe gpg.conf file in place, and use
		 this file to supress warnings about  itself.	The  --homedir
		 permissions  warning  may  only  be  supressed on the command
		 line.

       --no-mdc-warning
		 Suppress the warning about missing MDC integrity protection.

       --require-secmem

       --no-require-secmem
		 Refuse to run if GnuPG cannot get secure memory.  Defaults to
		 no (i.e. run, but give a warning).

       --no-armor
		 Assume the input data is not in ASCII armored format.

       --no-default-keyring
		 Do  not  add  the  default  keyrings to the list of keyrings.
		 Note that GnuPG will not operate without any keyrings, so  if
		 you use this option and do not provide alternate keyrings via
		 --keyring or --secret-keyring, then GnuPG will still use  the
		 default public or secret keyrings.

       --skip-verify
		 Skip  the  signature  verification step.  This may be used to
		 make the decryption faster if the signature  verification  is
		 not needed.

       --with-colons
		 Print key listings delimited by colons.  Note that the output
		 will be encoded in UTF-8 regardless of any  --display-charset
		 setting.   This  format  is  useful when GnuPG is called from
		 scripts and other programs as it is  easily  machine  parsed.
		 The  details  of  this	 format	 are  documented  in  the file
		 doc/DETAILS, which is included in the GnuPG source  distribu‐
		 tion.

       --with-key-data
		 Print	key  listings delimited by colons (like --with-colons)
		 and print the public key data.

       --with-fingerprint
		 Same as the command --fingerprint but changes only the format
		 of the output and may be used together with another command.

       --fast-list-mode
		 Changes  the output of the list commands to work faster; this
		 is achieved by leaving some parts empty.   Some  applications
		 don't need the user ID and the trust information given in the
		 listings.  By using this options they can get a faster	 list‐
		 ing.  The exact behaviour of this option may change in future
		 versions.

       --fixed-list-mode
		 Do not merge primary user ID and primary key in  --with-colon
		 listing  mode	and  print  all	 timestamps  as	 seconds since
		 1970-01-01.

       --list-only
		 Changes the behaviour of some commands.  This is like	--dry-
		 run  but  different in some cases.  The semantic of this com‐
		 mand may be extended in the future.  Currently it only	 skips
		 the actual decryption pass and therefore enables a fast list‐
		 ing of the encryption keys.

       --no-literal
		 This is not for normal use.  Use the source to see  for  what
		 it might be useful.

       --set-filesize
		 This  is  not for normal use.	Use the source to see for what
		 it might be useful.

       --show-session-key
		 Display the session key used for one message. See --override-
		 session-key for the counterpart of this option.

		 We  think  that  Key  Escrow is a Bad Thing; however the user
		 should have the freedom to decide whether to go to prison  or
		 to reveal the content of one specific message without compro‐
		 mising all messages ever encrypted for one secret key.	 DON'T
		 USE IT UNLESS YOU ARE REALLY FORCED TO DO SO.

       --override-session-key string
		 Don't	use  the  public  key but the session key string.  The
		 format of this string is the  same  as	 the  one  printed  by
		 --show-session-key.   This  option  is	 normally not used but
		 comes handy in case someone forces you to reveal the  content
		 of  an	 encrypted  message; using this option you can do this
		 without handing out the secret key.

       --ask-sig-expire

       --no-ask-sig-expire
		 When making a data signature, prompt for an expiration	 time.
		 If  this option is not specified, the expiration time set via
		 --default-sig-expire is used.	 --no-ask-sig-expire  disables
		 this option.

       --default-sig-expire
		 The  default expiration time to use for signature expiration.
		 Valid values are "0" for no expiration, a number followed  by
		 the  letter d (for days), w (for weeks), m (for months), or y
		 (for years) (for example "2m" for two	months,	 or  "5y"  for
		 five  years),	or  an	absolute  date in the form YYYY-MM-DD.
		 Defaults to "0".

       --ask-cert-expire

       --no-ask-cert-expire
		 When making a key signature, prompt for an  expiration	 time.
		 If  this option is not specified, the expiration time set via
		 --default-cert-expire is used.	 --no-ask-cert-expire disables
		 this option.

       --default-cert-expire
		 The  default expiration time to use for key signature expira‐
		 tion.	Valid values are "0" for no expiration, a number  fol‐
		 lowed	by  the	 letter	 d  (for  days), w (for weeks), m (for
		 months), or y (for years) (for example "2m" for  two  months,
		 or  "5y"  for	five  years),  or an absolute date in the form
		 YYYY-MM-DD.  Defaults to "0".

       --expert

       --no-expert
		 Allow the user to do certain nonsensical  or  "silly"	things
		 like  signing	an  expired  or revoked key, or certain poten‐
		 tially incompatible things like generating unusual key types.
		 This also disables certain warning messages about potentially
		 incompatible actions.	As the name implies,  this  option  is
		 for experts only.  If you don't fully understand the implica‐
		 tions of what it allows you to do,  leave  this  off.	 --no-
		 expert disables this option.

       --allow-secret-key-import
		 This is an obsolete option and is not used anywhere.

       --try-all-secrets
		 Don't look at the key ID as stored in the message but try all
		 secret keys in turn to find the right	decryption  key.  This
		 option	 forces	 the behaviour as used by anonymous recipients
		 (created by using --throw-keyids) and	might  come  handy  in
		 case where an encrypted message contains a bogus key ID.

       --enable-special-filenames
		 This  options	enables	 a mode in which filenames of the form
		 -&n, where n is a non-negative decimal number, refer  to  the
		 file descriptor n and not to a file with that name.

       --no-expensive-trust-checks
		 Experimental use only.

       --group name=value1 [value2 value3 ...]
		 Sets  up  a named group, which is similar to aliases in email
		 programs.  Any time the group name  is	 a  recipient  (-r  or
		 --recipient),	it  will  be expanded to the values specified.
		 Multiple groups with the same name are	 automatically	merged
		 into a single group.

		 The  values are key IDs or fingerprints, but any key descrip‐
		 tion is accepted.  Note that a value with spaces in  it  will
		 be  treated as two different values.  Note also there is only
		 one level of expansion - you cannot make an group that points
		 to another group.  When used from the command line, it may be
		 necessary to quote the argument to this option to prevent the
		 shell from treating it as multiple arguments.

       --ungroup name
		 Remove a given entry from the --group list.

       --no-groups
		 Remove all entries from the --group list.

       --preserve-permissions
		 Don't change the permissions of a secret keyring back to user
		 read/write only.  Use this option only	 if  you  really  know
		 what you are doing.

       --personal-cipher-preferences string
		 Set  the  list of personal cipher preferences to string, this
		 list should be a string similar to the	 one  printed  by  the
		 command  "pref"  in  the  edit menu.  This allows the user to
		 factor in their own preferred algorithms when algorithms  are
		 chosen via recipient key preferences.	The most highly ranked
		 cipher in this list is also used for the --symmetric  encryp‐
		 tion command.

       --personal-digest-preferences string
		 Set  the  list of personal digest preferences to string, this
		 list should be a string similar to the	 one  printed  by  the
		 command  "pref"  in  the  edit menu.  This allows the user to
		 factor in their own preferred algorithms when algorithms  are
		 chosen via recipient key preferences.	The most highly ranked
		 digest algorithm in this list is algo used when signing with‐
		 out  encryption  (e.g.	 --clearsign  or --sign).  The default
		 value is SHA-1.

       --personal-compress-preferences string
		 Set the list of personal compression preferences  to  string,
		 this  list  should  be a string similar to the one printed by
		 the command "pref" in the edit menu.  This allows the user to
		 factor	 in their own preferred algorithms when algorithms are
		 chosen via recipient key preferences.	The most highly ranked
		 algorithm in this list is also used when there are no recipi‐
		 ent keys to consider (e.g. --symmetric).

       --default-preference-list string
		 Set the list of default  preferences  to  string,  this  list
		 should	 be a string similar to the one printed by the command
		 "pref" in the edit menu.  This affects	 both  key  generation
		 and "updpref" in the edit menu.

       --list-config [names]
		 Display  various  internal configuration parameters of GnuPG.
		 This option is intended for external programs that call GnuPG
		 to  perform tasks, and is thus not generally useful.  See the
		 file doc/DETAILS in the source distribution for  the  details
		 of which configuration items may be listed.  --list-config is
		 only usable with --with-colons set.

How to specify a user ID
       There are different ways to specify a user ID to GnuPG; here  are  some
       examples:

       234567C4

       0F34E556E

       01347A56A

       0xAB123456
		 Here the key ID is given in the usual short form.

       234AABBCC34567C4

       0F323456784E56EAB

       01AB3FED1347A5612

       0x234AABBCC34567C4
		 Here  the key ID is given in the long form as used by OpenPGP
		 (you can get the long key ID using the option --with-colons).

       1234343434343434C434343434343434

       123434343434343C3434343434343734349A3434

       0E12343434343434343434EAB3484343434343434

       0xE12343434343434343434EAB3484343434343434
		 The best way to specify a key ID is by using the  fingerprint
		 of  the  key.	This avoids any ambiguities in case that there
		 are duplicated key IDs (which are really rare	for  the  long
		 key IDs).

       =Heinrich Heine <heinrichh@uni-duesseldorf.de>
		 Using	an  exact  to  match string.  The equal sign indicates
		 this.

       <heinrichh@uni-duesseldorf.de>
		 Using the email address part which  must  match  exactly. The
		 left angle bracket indicates this email address mode.

       +Heinrich Heine duesseldorf
		 All  words  must  match  exactly (not case sensitive) but can
		 appear in any order in the user ID.  Words are any  sequences
		 of  letters,  digits,	the underscore and all characters with
		 bit 7 set.

       Heine

       *Heine	 By case insensitive substring matching.  This is the  default
		 mode but applications may want to explicitly indicate this by
		 putting the asterisk in front.

       Note that you can append an exclamation mark (!) to key IDs or  finger‐
       prints.	 This  flag  tells  GnuPG to use the specified primary or sec‐
       ondary key and not to try and calculate which primary or secondary  key
       to use.

RETURN VALUE
       The program returns 0 if everything was fine, 1 if at least a signature
       was bad, and other error codes for fatal errors.

EXAMPLES
       gpg -se -r Bob file
		 sign and encrypt for user Bob

       gpg --clearsign file
		 make a clear text signature

       gpg -sb	file
		 make a detached signature

       gpg --list-keys	user_ID
		 show keys

       gpg --fingerprint  user_ID
		 show fingerprint

       gpg --verify  pgpfile

       gpg --verify  sigfile [files]
		 Verify the signature of the file but do not output the	 data.
		 The  second  form is used for detached signatures, where sig‐
		 file is the  detached	signature  (either  ASCII  armored  or
		 binary)  and  [files]	are  the  signed  data; if this is not
		 given, the name of the file holding the signed data  is  con‐
		 structed  by  cutting off the extension (".asc" or ".sig") of
		 sigfile or by asking the user for the filename.

ENVIRONMENT
       HOME	 Used to locate the default home directory.

       GNUPGHOME If set directory used instead of "~/.gnupg".

       GPG_AGENT_INFO
		 Used to locate the gpg-agent; only honored  when  --use-agent
		 is  set.  The value consists of 3 colon delimited fields: The
		 first is the path to the Unix Domain Socket, the  second  the
		 PID of the gpg-agent and the protocol version which should be
		 set to 1.  When starting the gpg-agent as  described  in  its
		 documentation,	 this  variable	 is  set to the correct value.
		 The option --gpg-agent-info can be used to override it.

       http_proxy
		 Only honored when the	keyserver-option  honor-http-proxy  is
		 set.

       COLUMNS

       LINES	 Used to size some displays to the full size of the screen.

FILES
       ~/.gnupg/secring.gpg
		 The secret keyring

       ~/.gnupg/secring.gpg.lock
		 and the lock file

       ~/.gnupg/pubring.gpg
		 The public keyring

       ~/.gnupg/pubring.gpg.lock
		 and the lock file

       ~/.gnupg/trustdb.gpg
		 The trust database

       ~/.gnupg/trustdb.gpg.lock
		 and the lock file

       ~/.gnupg/random_seed
		 used to preserve the internal random pool

       ~/.gnupg/gpg.conf
		 Default configuration file

       ~/.gnupg/options
		 Old  style configuration file; only used when gpg.conf is not
		 found

       /usr[/local]/share/gnupg/options.skel
		 Skeleton options file

       /usr[/local]/lib/gnupg/
		 Default location for extensions

WARNINGS
       Use a *good* password for your user account and a *good* passphrase  to
       protect	your  secret  key.  This passphrase is the weakest part of the
       whole system.  Programs to do dictionary attacks on your secret keyring
       are  very  easy	to  write  and	so you should protect your "~/.gnupg/"
       directory very well.

       Keep in mind that, if this program is used over a network (telnet),  it
       is *very* easy to spy out your passphrase!

       If you are going to verify detached signatures, make sure that the pro‐
       gram knows about it; either give both filenames on the command line  or
       use - to specify stdin.

INTEROPERABILITY WITH OTHER OPENPGP PROGRAMS
       GnuPG  tries  to be a very flexible implementation of the OpenPGP stan‐
       dard.  In particular, GnuPG implements many of the  optional  parts  of
       the standard, such as the SHA-512 hash, and the ZLIB and BZIP2 compres‐
       sion algorithms.	 It is important to be aware that not all OpenPGP pro‐
       grams implement these optional algorithms and that by forcing their use
       via the --cipher-algo,  --digest-algo,  --cert-digest-algo,  or	--com‐
       press-algo options in GnuPG, it is possible to create a perfectly valid
       OpenPGP message, but one that cannot be read by the intended recipient.

       There are dozens of variations of OpenPGP programs available, and  each
       supports a slightly different subset of these optional algorithms.  For
       example, until recently, no (unhacked) version  of  PGP	supported  the
       BLOWFISH	 cipher	 algorithm.  A message using BLOWFISH simply could not
       be read by a PGP user.  By default, GnuPG  uses	the  standard  OpenPGP
       preferences  system that will always do the right thing and create mes‐
       sages that are usable by all recipients, regardless  of	which  OpenPGP
       program	they  use.  Only override this safe default if you really know
       what you are doing.

       If you absolutely must override the safe default, or if the preferences
       on  a  given  key  are  invalid for some reason, you are far better off
       using the --pgp6, --pgp7, or --pgp8 options.  These options are safe as
       they  do	 not  force any particular algorithms in violation of OpenPGP,
       but rather reduce the available algorithms to a "PGP-safe" list.

BUGS
       On many systems this program should be installed as setuid(root).  This
       is  necessary  to lock memory pages.  Locking memory pages prevents the
       operating  system  from	writing	 memory	 pages	(which	 may   contain
       passphrases  or other sensitive material) to disk.  If you get no warn‐
       ing message about insecure memory your operating system supports	 lock‐
       ing  without  being root.  The program drops root privileges as soon as
       locked memory is allocated.

									gpg(1)
[top]

List of man pages available for Peanut

Copyright (c) for man pages and the logo by the respective OS vendor.

For those who want to learn more, the polarhome community provides shell access and support.

[legal] [privacy] [GNU] [policy] [cookies] [netiquette] [sponsors] [FAQ]
Tweet
Polarhome, production since 1999.
Member of Polarhome portal.
Based on Fawad Halim's script.
....................................................................
Vote for polarhome
Free Shell Accounts :: the biggest list on the net