File: tools.texi

package info (click to toggle)
gnupg2 2.2.12-1+deb10u1
  • links: PTS, VCS
  • area: main
  • in suites: bullseye, buster, sid
  • size: 47,236 kB
  • sloc: ansic: 231,709; sh: 7,598; lisp: 6,034; makefile: 1,604; awk: 126; xml: 51; python: 16; sed: 16; php: 14; perl: 13
file content (2111 lines) | stat: -rw-r--r-- 63,706 bytes parent folder | download | duplicates (2)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
1494
1495
1496
1497
1498
1499
1500
1501
1502
1503
1504
1505
1506
1507
1508
1509
1510
1511
1512
1513
1514
1515
1516
1517
1518
1519
1520
1521
1522
1523
1524
1525
1526
1527
1528
1529
1530
1531
1532
1533
1534
1535
1536
1537
1538
1539
1540
1541
1542
1543
1544
1545
1546
1547
1548
1549
1550
1551
1552
1553
1554
1555
1556
1557
1558
1559
1560
1561
1562
1563
1564
1565
1566
1567
1568
1569
1570
1571
1572
1573
1574
1575
1576
1577
1578
1579
1580
1581
1582
1583
1584
1585
1586
1587
1588
1589
1590
1591
1592
1593
1594
1595
1596
1597
1598
1599
1600
1601
1602
1603
1604
1605
1606
1607
1608
1609
1610
1611
1612
1613
1614
1615
1616
1617
1618
1619
1620
1621
1622
1623
1624
1625
1626
1627
1628
1629
1630
1631
1632
1633
1634
1635
1636
1637
1638
1639
1640
1641
1642
1643
1644
1645
1646
1647
1648
1649
1650
1651
1652
1653
1654
1655
1656
1657
1658
1659
1660
1661
1662
1663
1664
1665
1666
1667
1668
1669
1670
1671
1672
1673
1674
1675
1676
1677
1678
1679
1680
1681
1682
1683
1684
1685
1686
1687
1688
1689
1690
1691
1692
1693
1694
1695
1696
1697
1698
1699
1700
1701
1702
1703
1704
1705
1706
1707
1708
1709
1710
1711
1712
1713
1714
1715
1716
1717
1718
1719
1720
1721
1722
1723
1724
1725
1726
1727
1728
1729
1730
1731
1732
1733
1734
1735
1736
1737
1738
1739
1740
1741
1742
1743
1744
1745
1746
1747
1748
1749
1750
1751
1752
1753
1754
1755
1756
1757
1758
1759
1760
1761
1762
1763
1764
1765
1766
1767
1768
1769
1770
1771
1772
1773
1774
1775
1776
1777
1778
1779
1780
1781
1782
1783
1784
1785
1786
1787
1788
1789
1790
1791
1792
1793
1794
1795
1796
1797
1798
1799
1800
1801
1802
1803
1804
1805
1806
1807
1808
1809
1810
1811
1812
1813
1814
1815
1816
1817
1818
1819
1820
1821
1822
1823
1824
1825
1826
1827
1828
1829
1830
1831
1832
1833
1834
1835
1836
1837
1838
1839
1840
1841
1842
1843
1844
1845
1846
1847
1848
1849
1850
1851
1852
1853
1854
1855
1856
1857
1858
1859
1860
1861
1862
1863
1864
1865
1866
1867
1868
1869
1870
1871
1872
1873
1874
1875
1876
1877
1878
1879
1880
1881
1882
1883
1884
1885
1886
1887
1888
1889
1890
1891
1892
1893
1894
1895
1896
1897
1898
1899
1900
1901
1902
1903
1904
1905
1906
1907
1908
1909
1910
1911
1912
1913
1914
1915
1916
1917
1918
1919
1920
1921
1922
1923
1924
1925
1926
1927
1928
1929
1930
1931
1932
1933
1934
1935
1936
1937
1938
1939
1940
1941
1942
1943
1944
1945
1946
1947
1948
1949
1950
1951
1952
1953
1954
1955
1956
1957
1958
1959
1960
1961
1962
1963
1964
1965
1966
1967
1968
1969
1970
1971
1972
1973
1974
1975
1976
1977
1978
1979
1980
1981
1982
1983
1984
1985
1986
1987
1988
1989
1990
1991
1992
1993
1994
1995
1996
1997
1998
1999
2000
2001
2002
2003
2004
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
2025
2026
2027
2028
2029
2030
2031
2032
2033
2034
2035
2036
2037
2038
2039
2040
2041
2042
2043
2044
2045
2046
2047
2048
2049
2050
2051
2052
2053
2054
2055
2056
2057
2058
2059
2060
2061
2062
2063
2064
2065
2066
2067
2068
2069
2070
2071
2072
2073
2074
2075
2076
2077
2078
2079
2080
2081
2082
2083
2084
2085
2086
2087
2088
2089
2090
2091
2092
2093
2094
2095
2096
2097
2098
2099
2100
2101
2102
2103
2104
2105
2106
2107
2108
2109
2110
2111
@c Copyright (C) 2004, 2008 Free Software Foundation, Inc.
@c This is part of the GnuPG manual.
@c For copying conditions, see the file GnuPG.texi.

@include defs.inc

@node Helper Tools
@chapter Helper Tools

GnuPG comes with a couple of smaller tools:

@menu
* watchgnupg::            Read logs from a socket.
* gpgv::                  Verify OpenPGP signatures.
* addgnupghome::          Create .gnupg home directories.
* gpgconf::               Modify .gnupg home directories.
* applygnupgdefaults::    Run gpgconf for all users.
* gpg-preset-passphrase:: Put a passphrase into the cache.
* gpg-connect-agent::     Communicate with a running agent.
* dirmngr-client::        How to use the Dirmngr client tool.
* gpgparsemail::          Parse a mail message into an annotated format
* symcryptrun::           Call a simple symmetric encryption tool.
* gpgtar::                Encrypt or sign files into an archive.
@end menu

@c
@c  WATCHGNUPG
@c
@manpage watchgnupg.1
@node watchgnupg
@section Read logs from a socket
@ifset manverb
.B watchgnupg
\- Read and print logs from a socket
@end ifset

@mansect synopsis
@ifset manverb
.B  watchgnupg
.RB [ \-\-force ]
.RB [ \-\-verbose ]
.I socketname
@end ifset

@mansect description
Most of the main utilities are able to write their log files to a Unix
Domain socket if configured that way.  @command{watchgnupg} is a simple
listener for such a socket.  It ameliorates the output with a time stamp
and makes sure that long lines are not interspersed with log output from
other utilities.  This tool is not available for Windows.


@noindent
@command{watchgnupg} is commonly invoked as

@example
watchgnupg --force $(gpgconf --list-dirs socketdir)/S.log
@end example
@manpause

@noindent
This starts it on the current terminal for listening on the standard
logging socket (which is either @file{~/.gnupg/S.log} or
@file{/var/run/user/UID/gnupg/S.log}).

@mansect options
@noindent
@command{watchgnupg} understands these options:

@table @gnupgtabopt

@item --force
@opindex force
Delete an already existing socket file.

@anchor{option watchgnupg --tcp}
@item --tcp @var{n}
Instead of reading from a local socket, listen for connects on TCP port
@var{n}.

@item --time-only
@opindex time-only
Do not print the date part of the timestamp.

@item --verbose
@opindex verbose
Enable extra informational output.

@item --version
@opindex version
Print version of the program and exit.

@item --help
@opindex help
Display a brief help page and exit.

@end table

@noindent
@mansect examples
@chapheading Examples

@example
$ watchgnupg --force --time-only $(gpgconf --list-dirs socketdir)/S.log
@end example

This waits for connections on the local socket
(e.g. @file{/home/foo/.gnupg/S.log}) and shows all log entries.  To
make this work the option @option{log-file} needs to be used with all
modules which logs are to be shown.  The suggested entry for the
configuration files is:

@example
log-file socket://
@end example

If the default socket as given above and returned by "echo $(gpgconf
--list-dirs socketdir)/S.log" is not desired an arbitrary socket name
can be specified, for example @file{socket:///home/foo/bar/mysocket}.
For debugging purposes it is also possible to do remote logging.  Take
care if you use this feature because the information is send in the
clear over the network.  Use this syntax in the conf files:

@example
log-file tcp://192.168.1.1:4711
@end example

You may use any port and not just 4711 as shown above; only IP
addresses are supported (v4 and v6) and no host names.  You need to
start @command{watchgnupg} with the @option{tcp} option.  Note that
under Windows the registry entry
@var{HKCU\Software\GNU\GnuPG:DefaultLogFile} can be used to change the
default log output from @code{stderr} to whatever is given by that
entry.  However the only useful entry is a TCP name for remote
debugging.


@mansect see also
@ifset isman
@command{gpg}(1),
@command{gpgsm}(1),
@command{gpg-agent}(1),
@command{scdaemon}(1)
@end ifset
@include see-also-note.texi


@c
@c  GPGV
@c
@include gpgv.texi


@c
@c    ADDGNUPGHOME
@c
@manpage addgnupghome.8
@node addgnupghome
@section Create .gnupg home directories
@ifset manverb
.B addgnupghome
\- Create .gnupg home directories
@end ifset

@mansect synopsis
@ifset manverb
.B  addgnupghome
.I account_1
.IR account_2 ... account_n
@end ifset

@mansect description
If GnuPG is installed on a system with existing user accounts, it is
sometimes required to populate the GnuPG home directory with existing
files.  Especially a @file{trustlist.txt} and a keybox with some
initial certificates are often desired.  This script helps to do this
by copying all files from @file{/etc/skel/.gnupg} to the home
directories of the accounts given on the command line.  It takes care
not to overwrite existing GnuPG home directories.

@noindent
@command{addgnupghome} is invoked by root as:

@example
addgnupghome account1 account2 ... accountn
@end example


@c
@c   GPGCONF
@c
@manpage gpgconf.1
@node gpgconf
@section Modify .gnupg home directories
@ifset manverb
.B gpgconf
\- Modify .gnupg home directories
@end ifset

@mansect synopsis
@ifset manverb
.B gpgconf
.RI [ options ]
.B \-\-list-components
.br
.B gpgconf
.RI [ options ]
.B \-\-list-options
.I component
.br
.B gpgconf
.RI [ options ]
.B \-\-change-options
.I component
@end ifset


@mansect description
The @command{gpgconf} is a utility to automatically and reasonable
safely query and modify configuration files in the @file{.gnupg} home
directory.  It is designed not to be invoked manually by the user, but
automatically by graphical user interfaces (GUI).@footnote{Please note
that currently no locking is done, so concurrent access should be
avoided.  There are some precautions to avoid corruption with
concurrent usage, but results may be inconsistent and some changes may
get lost.  The stateless design makes it difficult to provide more
guarantees.}

@command{gpgconf} provides access to the configuration of one or more
components of the GnuPG system.  These components correspond more or
less to the programs that exist in the GnuPG framework, like GPG,
GPGSM, DirMngr, etc.  But this is not a strict one-to-one
relationship.  Not all configuration options are available through
@command{gpgconf}.  @command{gpgconf} provides a generic and abstract
method to access the most important configuration options that can
feasibly be controlled via such a mechanism.

@command{gpgconf} can be used to gather and change the options
available in each component, and can also provide their default
values.  @command{gpgconf} will give detailed type information that
can be used to restrict the user's input without making an attempt to
commit the changes.

@command{gpgconf} provides the backend of a configuration editor.  The
configuration editor would usually be a graphical user interface
program that displays the current options, their default
values, and allows the user to make changes to the options.  These
changes can then be made active with @command{gpgconf} again.  Such a
program that uses @command{gpgconf} in this way will be called GUI
throughout this section.

@menu
* Invoking gpgconf::       List of all commands and options.
* Format conventions::     Formatting conventions relevant for all commands.
* Listing components::     List all gpgconf components.
* Checking programs::      Check all programs known to gpgconf.
* Listing options::        List all options of a component.
* Changing options::       Changing options of a component.
* Listing global options:: List all global options.
* Querying versions::      Get and compare software versions.
* Files used by gpgconf::  What files are used by gpgconf.
@end menu

@manpause
@node Invoking gpgconf
@subsection Invoking gpgconf

@mansect commands
One of the following commands must be given:

@table @gnupgtabopt

@item --list-components
List all components.  This is the default command used if none is
specified.

@item --check-programs
List all available backend programs and test whether they are runnable.

@item --list-options @var{component}
List all options of the component @var{component}.

@item --change-options @var{component}
Change the options of the component @var{component}.

@item --check-options @var{component}
Check the options for the component @var{component}.

@item --apply-profile @var{file}
Apply the configuration settings listed in @var{file} to the
configuration files.  If @var{file} has no suffix and no slashes the
command first tries to read a file with the suffix @code{.prf} from
the data directory (@code{gpgconf --list-dirs datadir}) before it
reads the file verbatim.  A profile is divided into sections using the
bracketed  component name.  Each section then lists the option which
shall go into the respective configuration file.

@item --apply-defaults
Update all configuration files with values taken from the global
configuration file (usually @file{/etc/gnupg/gpgconf.conf}).

@item --list-dirs [@var{names}]
Lists the directories used by @command{gpgconf}.  One directory is
listed per line, and each line consists of a colon-separated list where
the first field names the directory type (for example @code{sysconfdir})
and the second field contains the percent-escaped directory.  Although
they are not directories, the socket file names used by
@command{gpg-agent} and @command{dirmngr} are printed as well.  Note
that the socket file names and the @code{homedir} lines are the default
names and they may be overridden by command line switches.  If
@var{names} are given only the directories or file names specified by
the list names are printed without any escaping.

@item --list-config [@var{filename}]
List the global configuration file in a colon separated format.  If
@var{filename} is given, check that file instead.

@item --check-config [@var{filename}]
Run a syntax check on the global configuration file.  If @var{filename}
is given, check that file instead.


@item --query-swdb @var{package_name} [@var{version_string}]
Returns the current version for @var{package_name} and if
@var{version_string} is given also an indicator on whether an update
is available.  The actual file with the software version is
automatically downloaded and checked by @command{dirmngr}.
@command{dirmngr} uses a thresholds to avoid download the file too
often and it does this by default only if it can be done via Tor.  To
force an update of that file this command can be used:

@example
       gpg-connect-agent --dirmngr 'loadswdb --force' /bye
@end example


@item --reload [@var{component}]
@opindex reload
Reload all or the given component. This is basically the same as
sending a SIGHUP to the component.  Components which don't support
reloading are ignored.  Without @var{component} or by using "all" for
@var{component} all components which are daemons are reloaded.

@item --launch [@var{component}]
@opindex launch
If the @var{component} is not already running, start it.
@command{component} must be a daemon.  This is in general not required
because the system starts these daemons as needed.  However, external
software making direct use of @command{gpg-agent} or @command{dirmngr}
may use this command to ensure that they are started.  Using "all" for
@var{component} launches all components which are daemons.

@item --kill [@var{component}]
@opindex kill
Kill the given component that runs as a daemon, including
@command{gpg-agent}, @command{dirmngr}, and @command{scdaemon}.  A
@command{component} which does not run as a daemon will be ignored.
Using "all" for @var{component} kills all components running as
daemons.  Note that as of now reload and kill have the same effect for
@command{scdaemon}.

@item --create-socketdir
@opindex create-socketdir
Create a directory for sockets below /run/user or /var/run/user.  This
is command is only required if a non default home directory is used
and the /run based sockets shall be used.  For the default home
directory GnUPG creates a directory on the fly.

@item --remove-socketdir
@opindex remove-socketdir
Remove a directory created with command @option{--create-socketdir}.

@end table


@mansect options

The following options may be used:

@table @gnupgtabopt

@item -o @var{file}
@itemx --output @var{file}
Write output to @var{file}.  Default is to write to stdout.

@item -v
@itemx --verbose
Outputs additional information while running.  Specifically, this
extends numerical field values by human-readable descriptions.

@item -q
@itemx --quiet
@opindex quiet
Try to be as quiet as possible.

@include opt-homedir.texi

@item -n
@itemx --dry-run
Do not actually change anything.  This is currently only implemented
for @code{--change-options} and can be used for testing purposes.

@item -r
@itemx --runtime
Only used together with @code{--change-options}.  If one of the
modified options can be changed in a running daemon process, signal
the running daemon to ask it to reparse its configuration file after
changing.

This means that the changes will take effect at run-time, as far as
this is possible.  Otherwise, they will take effect at the next start
of the respective backend programs.

@item --status-fd @var{n}
@opindex status-fd
Write special status strings to the file descriptor @var{n}.  This
program returns the status messages SUCCESS or FAILURE which are
helpful when the caller uses a double fork approach and can't easily
get the return code of the process.

@manpause
@end table


@node Format conventions
@subsection Format conventions

Some lines in the output of @command{gpgconf} contain a list of
colon-separated fields.  The following conventions apply:

@itemize @bullet
@item
The GUI program is required to strip off trailing newline and/or
carriage return characters from the output.

@item
@command{gpgconf} will never leave out fields.  If a certain version
provides a certain field, this field will always be present in all
@command{gpgconf} versions from that time on.

@item
Future versions of @command{gpgconf} might append fields to the list.
New fields will always be separated from the previously last field by
a colon separator.  The GUI should be prepared to parse the last field
it knows about up until a colon or end of line.

@item
Not all fields are defined under all conditions.  You are required to
ignore the content of undefined fields.
@end itemize

There are several standard types for the content of a field:

@table @asis
@item verbatim
Some fields contain strings that are not escaped in any way.  Such
fields are described to be used @emph{verbatim}.  These fields will
never contain a colon character (for obvious reasons).  No de-escaping
or other formatting is required to use the field content.  This is for
easy parsing of the output, when it is known that the content can
never contain any special characters.

@item percent-escaped
Some fields contain strings that are described to be
@emph{percent-escaped}.  Such strings need to be de-escaped before
their content can be presented to the user.  A percent-escaped string
is de-escaped by replacing all occurrences of @code{%XY} by the byte
that has the hexadecimal value @code{XY}.  @code{X} and @code{Y} are
from the set @code{0-9a-f}.

@item localized
Some fields contain strings that are described to be @emph{localized}.
Such strings are translated to the active language and formatted in
the active character set.

@item @w{unsigned number}
Some fields contain an @emph{unsigned number}.  This number will
always fit into a 32-bit unsigned integer variable.  The number may be
followed by a space, followed by a human readable description of that
value (if the verbose option is used).  You should ignore everything
in the field that follows the number.

@item @w{signed number}
Some fields contain a @emph{signed number}.  This number will always
fit into a 32-bit signed integer variable.  The number may be followed
by a space, followed by a human readable description of that value (if
the verbose option is used).  You should ignore everything in the
field that follows the number.

@item @w{boolean value}
Some fields contain a @emph{boolean value}.  This is a number with
either the value 0 or 1.  The number may be followed by a space,
followed by a human readable description of that value (if the verbose
option is used).  You should ignore everything in the field that follows
the number; checking just the first character is sufficient in this
case.

@item option
Some fields contain an @emph{option} argument.  The format of an
option argument depends on the type of the option and on some flags:

@table @asis
@item no argument
The simplest case is that the option does not take an argument at all
(@var{type} @code{0}).  Then the option argument is an unsigned number
that specifies how often the option occurs.  If the @code{list} flag
is not set, then the only valid number is @code{1}.  Options that do
not take an argument never have the @code{default} or @code{optional
arg} flag set.

@item number
If the option takes a number argument (@var{alt-type} is @code{2} or
@code{3}), and it can only occur once (@code{list} flag is not set),
then the option argument is either empty (only allowed if the argument
is optional), or it is a number.  A number is a string that begins
with an optional minus character, followed by one or more digits.  The
number must fit into an integer variable (unsigned or signed,
depending on @var{alt-type}).

@item number list
If the option takes a number argument and it can occur more than once,
then the option argument is either empty, or it is a comma-separated
list of numbers as described above.

@item string
If the option takes a string argument (@var{alt-type} is 1), and it
can only occur once (@code{list} flag is not set) then the option
argument is either empty (only allowed if the argument is optional),
or it starts with a double quote character (@code{"}) followed by a
percent-escaped string that is the argument value.  Note that there is
only a leading double quote character, no trailing one.  The double
quote character is only needed to be able to differentiate between no
value and the empty string as value.

@item string list
If the option takes a string argument and it can occur more than once,
then the option argument is either empty, or it is a comma-separated
list of string arguments as described above.
@end table
@end table

The active language and character set are currently determined from
the locale environment of the @command{gpgconf} program.

@c FIXME: Document the active language and active character set.  Allow
@c to change it via the command line?


@mansect usage
@node Listing components
@subsection Listing components

The command @code{--list-components} will list all components that can
be configured with @command{gpgconf}.  Usually, one component will
correspond to one GnuPG-related program and contain the options of
that program's configuration file that can be modified using
@command{gpgconf}.  However, this is not necessarily the case.  A
component might also be a group of selected options from several
programs, or contain entirely virtual options that have a special
effect rather than changing exactly one option in one configuration
file.

A component is a set of configuration options that semantically belong
together.  Furthermore, several changes to a component can be made in
an atomic way with a single operation.  The GUI could for example
provide a menu with one entry for each component, or a window with one
tabulator sheet per component.

The command @code{--list-components} lists all available
components, one per line.  The format of each line is:

@code{@var{name}:@var{description}:@var{pgmname}:}

@table @var
@item name
This field contains a name tag of the component.  The name tag is used
to specify the component in all communication with @command{gpgconf}.
The name tag is to be used @emph{verbatim}.  It is thus not in any
escaped format.

@item description
The @emph{string} in this field contains a human-readable description
of the component.  It can be displayed to the user of the GUI for
informational purposes.  It is @emph{percent-escaped} and
@emph{localized}.

@item pgmname
The @emph{string} in this field contains the absolute name of the
program's file.  It can be used to unambiguously invoke that program.
It is @emph{percent-escaped}.
@end table

Example:
@example
$ gpgconf --list-components
gpg:GPG for OpenPGP:/usr/local/bin/gpg2:
gpg-agent:GPG Agent:/usr/local/bin/gpg-agent:
scdaemon:Smartcard Daemon:/usr/local/bin/scdaemon:
gpgsm:GPG for S/MIME:/usr/local/bin/gpgsm:
dirmngr:Directory Manager:/usr/local/bin/dirmngr:
@end example



@node Checking programs
@subsection Checking programs

The command @code{--check-programs} is similar to
@code{--list-components} but works on backend programs and not on
components.  It runs each program to test whether it is installed and
runnable.  This also includes a syntax check of all config file options
of the program.

The command @code{--check-programs} lists all available
programs, one per line.  The format of each line is:

@code{@var{name}:@var{description}:@var{pgmname}:@var{avail}:@var{okay}:@var{cfgfile}:@var{line}:@var{error}:}

@table @var
@item name
This field contains a name tag of the program which is identical to the
name of the component.  The name tag is to be used @emph{verbatim}.  It
is thus not in any escaped format.  This field may be empty to indicate
a continuation of error descriptions for the last name.  The description
and pgmname fields are then also empty.

@item description
The @emph{string} in this field contains a human-readable description
of the component.  It can be displayed to the user of the GUI for
informational purposes.  It is @emph{percent-escaped} and
@emph{localized}.

@item pgmname
The @emph{string} in this field contains the absolute name of the
program's file.  It can be used to unambiguously invoke that program.
It is @emph{percent-escaped}.

@item avail
The @emph{boolean value} in this field indicates whether the program is
installed and runnable.

@item okay
The @emph{boolean value} in this field indicates whether the program's
config file is syntactically okay.

@item cfgfile
If an error occurred in the configuration file (as indicated by a false
value in the field @code{okay}), this field has the name of the failing
configuration file.  It is @emph{percent-escaped}.

@item line
If an error occurred in the configuration file, this field has the line
number of the failing statement in the configuration file.
It is an @emph{unsigned number}.

@item error
If an error occurred in the configuration file, this field has the error
text of the failing statement in the configuration file.  It is
@emph{percent-escaped} and @emph{localized}.

@end table

@noindent
In the following example the @command{dirmngr} is not runnable and the
configuration file of @command{scdaemon} is not okay.

@example
$ gpgconf --check-programs
gpg:GPG for OpenPGP:/usr/local/bin/gpg2:1:1:
gpg-agent:GPG Agent:/usr/local/bin/gpg-agent:1:1:
scdaemon:Smartcard Daemon:/usr/local/bin/scdaemon:1:0:
gpgsm:GPG for S/MIME:/usr/local/bin/gpgsm:1:1:
dirmngr:Directory Manager:/usr/local/bin/dirmngr:0:0:
@end example

@noindent
The command @w{@code{--check-options @var{component}}} will verify the
configuration file in the same manner as @code{--check-programs}, but
only for the component @var{component}.


@node Listing options
@subsection Listing options

Every component contains one or more options.  Options may be gathered
into option groups to allow the GUI to give visual hints to the user
about which options are related.

The command @code{@w{--list-options @var{component}}} lists
all options (and the groups they belong to) in the component
@var{component}, one per line.  @var{component} must be the string in
the field @var{name} in the output of the @code{--list-components}
command.

There is one line for each option and each group.  First come all
options that are not in any group.  Then comes a line describing a
group.  Then come all options that belong into each group.  Then comes
the next group and so on.  There does not need to be any group (and in
this case the output will stop after the last non-grouped option).

The format of each line is:

@code{@var{name}:@var{flags}:@var{level}:@var{description}:@var{type}:@var{alt-type}:@var{argname}:@var{default}:@var{argdef}:@var{value}}

@table @var
@item name
This field contains a name tag for the group or option.  The name tag
is used to specify the group or option in all communication with
@command{gpgconf}.  The name tag is to be used @emph{verbatim}.  It is
thus not in any escaped format.

@item flags
The flags field contains an @emph{unsigned number}.  Its value is the
OR-wise combination of the following flag values:

@table @code
@item group (1)
If this flag is set, this is a line describing a group and not an
option.
@end table

The following flag values are only defined for options (that is, if
the @code{group} flag is not used).

@table @code
@item optional arg (2)
If this flag is set, the argument is optional.  This is never set for
@var{type} @code{0} (none) options.

@item list (4)
If this flag is set, the option can be given multiple times.

@item runtime (8)
If this flag is set, the option can be changed at runtime.

@item default (16)
If this flag is set, a default value is available.

@item default desc (32)
If this flag is set, a (runtime) default is available.  This and the
@code{default} flag are mutually exclusive.

@item no arg desc (64)
If this flag is set, and the @code{optional arg} flag is set, then the
option has a special meaning if no argument is given.

@item no change (128)
If this flag is set, @command{gpgconf} ignores requests to change the
value.  GUI frontends should grey out this option.  Note, that manual
changes of the configuration files are still possible.
@end table

@item level
This field is defined for options and for groups.  It contains an
@emph{unsigned number} that specifies the expert level under which
this group or option should be displayed.  The following expert levels
are defined for options (they have analogous meaning for groups):

@table @code
@item basic (0)
This option should always be offered to the user.

@item advanced (1)
This option may be offered to advanced users.

@item expert (2)
This option should only be offered to expert users.

@item invisible (3)
This option should normally never be displayed, not even to expert
users.

@item internal (4)
This option is for internal use only.  Ignore it.
@end table

The level of a group will always be the lowest level of all options it
contains.

@item description
This field is defined for options and groups.  The @emph{string} in
this field contains a human-readable description of the option or
group.  It can be displayed to the user of the GUI for informational
purposes.  It is @emph{percent-escaped} and @emph{localized}.

@item type
This field is only defined for options.  It contains an @emph{unsigned
number} that specifies the type of the option's argument, if any.  The
following types are defined:

Basic types:

@table @code
@item none (0)
No argument allowed.

@item string (1)
An @emph{unformatted string}.

@item int32 (2)
A @emph{signed number}.

@item uint32 (3)
An @emph{unsigned number}.
@end table

Complex types:

@table @code
@item pathname (32)
A @emph{string} that describes the pathname of a file.  The file does
not necessarily need to exist.

@item ldap server (33)
A @emph{string} that describes an LDAP server in the format:

@code{@var{hostname}:@var{port}:@var{username}:@var{password}:@var{base_dn}}

@item key fingerprint (34)
A @emph{string} with a 40 digit fingerprint specifying a certificate.

@item pub key (35)
A @emph{string} that describes a certificate by user ID, key ID or
fingerprint.

@item sec key (36)
A @emph{string} that describes a certificate with a key by user ID,
key ID or fingerprint.

@item alias list (37)
A @emph{string} that describes an alias list, like the one used with
gpg's group option.  The list consists of a key, an equal sign and space
separated values.
@end table

More types will be added in the future.  Please see the @var{alt-type}
field for information on how to cope with unknown types.

@item alt-type
This field is identical to @var{type}, except that only the types
@code{0} to @code{31} are allowed.  The GUI is expected to present the
user the option in the format specified by @var{type}.  But if the
argument type @var{type} is not supported by the GUI, it can still
display the option in the more generic basic type @var{alt-type}.  The
GUI must support all the defined basic types to be able to display all
options.  More basic types may be added in future versions.  If the
GUI encounters a basic type it doesn't support, it should report an
error and abort the operation.

@item argname
This field is only defined for options with an argument type
@var{type} that is not @code{0}.  In this case it may contain a
@emph{percent-escaped} and @emph{localized string} that gives a short
name for the argument.  The field may also be empty, though, in which
case a short name is not known.

@item default
This field is defined only for options for which the @code{default} or
@code{default desc} flag is set.  If the @code{default} flag is set,
its format is that of an @emph{option argument} (@pxref{Format
conventions}, for details).  If the default value is empty, then no
default is known.  Otherwise, the value specifies the default value
for this option.  If the @code{default desc} flag is set, the field is
either empty or contains a description of the effect if the option is
not given.

@item argdef
This field is defined only for options for which the @code{optional
arg} flag is set.  If the @code{no arg desc} flag is not set, its
format is that of an @emph{option argument} (@pxref{Format
conventions}, for details).  If the default value is empty, then no
default is known.  Otherwise, the value specifies the default argument
for this option.  If the @code{no arg desc} flag is set, the field is
either empty or contains a description of the effect of this option if
no argument is given.

@item value
This field is defined only for options.  Its format is that of an
@emph{option argument}.  If it is empty, then the option is not
explicitly set in the current configuration, and the default applies
(if any).  Otherwise, it contains the current value of the option.
Note that this field is also meaningful if the option itself does not
take a real argument (in this case, it contains the number of times
the option appears).
@end table


@node Changing options
@subsection Changing options

The command @w{@code{--change-options @var{component}}} will attempt
to change the options of the component @var{component} to the
specified values.  @var{component} must be the string in the field
@var{name} in the output of the @code{--list-components} command.  You
have to provide the options that shall be changed in the following
format on standard input:

@code{@var{name}:@var{flags}:@var{new-value}}

@table @var
@item name
This is the name of the option to change.  @var{name} must be the
string in the field @var{name} in the output of the
@code{--list-options} command.

@item flags
The flags field contains an @emph{unsigned number}.  Its value is the
OR-wise combination of the following flag values:

@table @code
@item default (16)
If this flag is set, the option is deleted and the default value is
used instead (if applicable).
@end table

@item new-value
The new value for the option.  This field is only defined if the
@code{default} flag is not set.  The format is that of an @emph{option
argument}.  If it is empty (or the field is omitted), the default
argument is used (only allowed if the argument is optional for this
option).  Otherwise, the option will be set to the specified value.
@end table

@noindent
The output of the command is the same as that of
@code{--check-options} for the modified configuration file.

Examples:

To set the force option, which is of basic type @code{none (0)}:

@example
$ echo 'force:0:1' | gpgconf --change-options dirmngr
@end example

To delete the force option:

@example
$ echo 'force:16:' | gpgconf --change-options dirmngr
@end example

The @code{--runtime} option can influence when the changes take
effect.


@node Listing global options
@subsection Listing global options

Sometimes it is useful for applications to look at the global options
file @file{gpgconf.conf}.
The colon separated listing format is record oriented and uses the first
field to identify the record type:

@table @code
@item k
This describes a key record to start the definition of a new ruleset for
a user/group.  The format of a key record is:

  @code{k:@var{user}:@var{group}:}

@table @var
@item user
This is the user field of the key.  It is percent escaped.  See the
definition of the gpgconf.conf format for details.

@item group
This is the group field of the key.  It is percent escaped.
@end table

@item r
This describes a rule record. All rule records up to the next key record
make up a rule set for that key.  The format of a rule record is:

  @code{r:::@var{component}:@var{option}:@var{flag}:@var{value}:}

@table @var
@item component
This is the component part of a rule.  It is a plain string.

@item option
This is the option part of a rule.  It is a plain string.

@item flag
This is the flags part of a rule.  There may be only one flag per rule
but by using the same component and option, several flags may be
assigned to an option.  It is a plain string.

@item value
This is the optional value for the option.  It is a percent escaped
string with a single quotation mark to indicate a string.  The quotation
mark is only required to distinguish between no value specified and an
empty string.
@end table

@end table

@noindent
Unknown record types should be ignored.  Note that there is intentionally
no feature to change the global option file through @command{gpgconf}.


@node Querying versions
@subsection Get and compare software versions.

The GnuPG Project operates a server to query the current versions of
software packages related to GnuPG.  @command{gpgconf} can be used to
access this online database.  To allow for offline operations, this
feature works by having @command{dirmngr} download a file from
@code{https://versions.gnupg.org}, checking the signature of that file
and storing the file in the GnuPG home directory.  If
@command{gpgconf} is used and @command{dirmngr} is running, it may ask
@command{dirmngr} to refresh that file before itself uses the file.

The command @option{--query-swdb} returns information for the given
package in a colon delimited format:

@table @var

@item name
This is the name of the package as requested.  Note that "gnupg" is a
special name which is replaced by the actual package implementing this
version of GnuPG.  For this name it is also not required to specify a
version because @command{gpgconf} takes its own version in this case.

@item iversion
The currently installed version or an empty string.  The value is
taken from the command line argument but may be provided by gpg
if not given.

@item status
The status of the software package according to this table:
@table @code
@item -
No information available.  This is either because no current version
has been specified or due to an error.
@item ?
The given name is not known in the online database.
@item u
An update of the software is available.
@item c
The installed version of the software is current.
@item n
The installed version is already newer than the released version.
@end table

@item urgency
If the value (the empty string should be considered as zero) is
greater than zero an important update is available.

@item error
This returns an @command{gpg-error} error code to distinguish between
various failure modes.

@item filedate
This gives the date of the file with the version numbers in standard
ISO format (@code{yyyymmddThhmmss}).  The date has been extracted by
@command{dirmngr} from the signature of the file.

@item verified
This gives the date in ISO format the file was downloaded.  This value
can be used to evaluate the freshness of the information.

@item version
This returns the version string for the requested software from the
file.

@item reldate
This returns the release date in ISO format.

@item size
This returns the size of the package as decimal number of bytes.

@item hash
This returns a hexified SHA-2 hash of the package.

@end table

@noindent
More fields may be added in future to the output.


@mansect files
@node Files used by gpgconf
@subsection Files used by gpgconf

@table @file

@item /etc/gnupg/gpgconf.conf
@cindex gpgconf.conf
  If this file exists, it is processed as a global configuration file.
  A commented example can be found in the @file{examples} directory of
  the distribution.

@item @var{GNUPGHOME}/swdb.lst
@cindex swdb.lst
  A file with current software versions.  @command{dirmngr} creates
  this file on demand from an online resource.

@end table


@mansect see also
@ifset isman
@command{gpg}(1),
@command{gpgsm}(1),
@command{gpg-agent}(1),
@command{scdaemon}(1),
@command{dirmngr}(1)
@end ifset
@include see-also-note.texi



@c
@c    APPLYGNUPGDEFAULTS
@c
@manpage applygnupgdefaults.8
@node applygnupgdefaults
@section Run gpgconf for all users
@ifset manverb
.B applygnupgdefaults
\- Run gpgconf --apply-defaults for all users.
@end ifset

@mansect synopsis
@ifset manverb
.B  applygnupgdefaults
@end ifset

@mansect description
This script is a wrapper around @command{gpgconf} to run it with the
command @code{--apply-defaults} for all real users with an existing
GnuPG home directory.  Admins might want to use this script to update he
GnuPG configuration files for all users after
@file{/etc/gnupg/gpgconf.conf} has been changed.  This allows enforcing
certain policies for all users.  Note, that this is not a bulletproof way to
force a user to use certain options.  A user may always directly edit
the configuration files and bypass gpgconf.

@noindent
@command{applygnupgdefaults} is invoked by root as:

@example
applygnupgdefaults
@end example


@c
@c   GPG-PRESET-PASSPHRASE
@c
@node gpg-preset-passphrase
@section Put a passphrase into the cache
@manpage gpg-preset-passphrase.1
@ifset manverb
.B gpg-preset-passphrase
\- Put a passphrase into gpg-agent's cache
@end ifset

@mansect synopsis
@ifset manverb
.B  gpg-preset-passphrase
.RI [ options ]
.RI [ command ]
.I cache-id
@end ifset

@mansect description
The @command{gpg-preset-passphrase} is a utility to seed the internal
cache of a running @command{gpg-agent} with passphrases.  It is mainly
useful for unattended machines, where the usual @command{pinentry} tool
may not be used and the passphrases for the to be used keys are given at
machine startup.

This program works with GnuPG 2 and later.  GnuPG 1.x is not supported.

Passphrases set with this utility don't expire unless the
@option{--forget} option is used to explicitly clear them from the
cache --- or @command{gpg-agent} is either restarted or reloaded (by
sending a SIGHUP to it).  Note that the maximum cache time as set with
@option{--max-cache-ttl} is still honored.  It is necessary to allow
this passphrase presetting by starting @command{gpg-agent} with the
@option{--allow-preset-passphrase}.

@menu
* Invoking gpg-preset-passphrase::   List of all commands and options.
@end menu

@manpause
@node Invoking gpg-preset-passphrase
@subsection List of all commands and options
@mancont

@noindent
@command{gpg-preset-passphrase} is invoked this way:

@example
gpg-preset-passphrase [options] [command] @var{cacheid}
@end example

@var{cacheid} is either a 40 character keygrip of hexadecimal
characters identifying the key for which the passphrase should be set
or cleared.  The keygrip is listed along with the key when running the
command: @code{gpgsm --with-keygrip --list-secret-keys}.
Alternatively an arbitrary string may be used to identify a
passphrase; it is suggested that such a string is prefixed with the
name of the application (e.g @code{foo:12346}).  Scripts should always
use the option @option{--with-colons}, which provides the keygrip in a
"grp" line (cf. @file{doc/DETAILS})/

@noindent
One of the following command options must be given:

@table @gnupgtabopt
@item --preset
@opindex preset
Preset a passphrase. This is what you usually will
use. @command{gpg-preset-passphrase} will then read the passphrase from
@code{stdin}.

@item --forget
@opindex forget
Flush the passphrase for the given cache ID from the cache.

@end table

@noindent
The following additional options may be used:

@table @gnupgtabopt
@item -v
@itemx --verbose
@opindex verbose
Output additional information while running.

@item -P @var{string}
@itemx --passphrase @var{string}
@opindex passphrase
Instead of reading the passphrase from @code{stdin}, use the supplied
@var{string} as passphrase.  Note that this makes the passphrase visible
for other users.
@end table

@mansect see also
@ifset isman
@command{gpg}(1),
@command{gpgsm}(1),
@command{gpg-agent}(1),
@command{scdaemon}(1)
@end ifset
@include see-also-note.texi




@c
@c   GPG-CONNECT-AGENT
@c
@node gpg-connect-agent
@section Communicate with a running agent
@manpage gpg-connect-agent.1
@ifset manverb
.B gpg-connect-agent
\- Communicate with a running agent
@end ifset

@mansect synopsis
@ifset manverb
.B  gpg-connect-agent
.RI [ options ] [commands]
@end ifset

@mansect description
The @command{gpg-connect-agent} is a utility to communicate with a
running @command{gpg-agent}.  It is useful to check out the commands
@command{gpg-agent} provides using the Assuan interface.  It might
also be useful for scripting simple applications.  Input is expected
at stdin and output gets printed to stdout.

It is very similar to running @command{gpg-agent} in server mode; but
here we connect to a running instance.

@menu
* Invoking gpg-connect-agent::       List of all options.
* Controlling gpg-connect-agent::    Control commands.
@end menu

@manpause
@node Invoking gpg-connect-agent
@subsection List of all options

@noindent
@command{gpg-connect-agent} is invoked this way:

@example
gpg-connect-agent [options] [commands]
@end example
@mancont

@noindent
The following options may be used:

@table @gnupgtabopt
@item -v
@itemx --verbose
@opindex verbose
Output additional information while running.

@item -q
@item --quiet
@opindex q
@opindex quiet
Try to be as quiet as possible.

@include opt-homedir.texi

@item --agent-program @var{file}
@opindex agent-program
Specify the agent program to be started if none is running.  The
default value is determined by running @command{gpgconf} with the
option @option{--list-dirs}.  Note that the pipe symbol (@code{|}) is
used for a regression test suite hack and may thus not be used in the
file name.

@item --dirmngr-program @var{file}
@opindex dirmngr-program
Specify the directory manager (keyserver client) program to be started
if none is running.  This has only an effect if used together with the
option @option{--dirmngr}.

@item --dirmngr
@opindex dirmngr
Connect to a running directory manager (keyserver client) instead of
to the gpg-agent.  If a dirmngr is not running, start it.

@item -S
@itemx --raw-socket @var{name}
@opindex raw-socket
Connect to socket @var{name} assuming this is an Assuan style server.
Do not run any special initializations or environment checks.  This may
be used to directly connect to any Assuan style socket server.

@item -E
@itemx --exec
@opindex exec
Take the rest of the command line as a program and it's arguments and
execute it as an Assuan server. Here is how you would run @command{gpgsm}:
@smallexample
 gpg-connect-agent --exec gpgsm --server
@end smallexample
Note that you may not use options on the command line in this case.

@item --no-ext-connect
@opindex no-ext-connect
When using @option{-S} or @option{--exec}, @command{gpg-connect-agent}
connects to the Assuan server in extended mode to allow descriptor
passing.  This option makes it use the old mode.

@item --no-autostart
@opindex no-autostart
Do not start the gpg-agent or the dirmngr if it has not yet been
started.

@item -r @var{file}
@itemx --run @var{file}
@opindex run
Run the commands from @var{file} at startup and then continue with the
regular input method.  Note, that commands given on the command line are
executed after this file.

@item -s
@itemx --subst
@opindex subst
Run the command @code{/subst} at startup.

@item --hex
@opindex hex
Print data lines in a hex format and the ASCII representation of
non-control characters.

@item --decode
@opindex decode
Decode data lines.  That is to remove percent escapes but make sure that
a new line always starts with a D and a space.

@end table

@mansect control commands
@node Controlling gpg-connect-agent
@subsection Control commands

While reading Assuan commands, gpg-agent also allows a few special
commands to control its operation.  These control commands all start
with a slash (@code{/}).

@table @code

@item /echo @var{args}
Just print @var{args}.

@item /let @var{name} @var{value}
Set the variable @var{name} to @var{value}.  Variables are only
substituted on the input if the @command{/subst} has been used.
Variables are referenced by prefixing the name with a dollar sign and
optionally include the name in curly braces.  The rules for a valid name
are identically to those of the standard bourne shell.  This is not yet
enforced but may be in the future.  When used with curly braces no
leading or trailing white space is allowed.

If a variable is not found, it is searched in the environment and if
found copied to the table of variables.

Variable functions are available: The name of the function must be
followed by at least one space and the at least one argument.  The
following functions are available:

@table @code
@item get
Return a value described by the argument.  Available arguments are:

@table @code
@item cwd
The current working directory.
@item homedir
The gnupg homedir.
@item sysconfdir
GnuPG's system configuration directory.
@item bindir
GnuPG's binary directory.
@item libdir
GnuPG's library directory.
@item libexecdir
GnuPG's library directory for executable files.
@item datadir
GnuPG's data directory.
@item serverpid
The PID of the current server. Command @command{/serverpid} must
have been given to return a useful value.
@end table

@item unescape @var{args}
Remove C-style escapes from @var{args}.  Note that @code{\0} and
@code{\x00} terminate the returned string implicitly.  The string to be
converted are the entire arguments right behind the delimiting space of
the function name.

@item unpercent @var{args}
@itemx unpercent+ @var{args}
Remove percent style escaping from @var{args}.  Note that @code{%00}
terminates the string implicitly.  The string to be converted are the
entire arguments right behind the delimiting space of the function
name. @code{unpercent+} also maps plus signs to a spaces.

@item percent @var{args}
@itemx percent+ @var{args}
Escape the @var{args} using percent style escaping.  Tabs, formfeeds,
linefeeds, carriage returns and colons are escaped. @code{percent+} also
maps spaces to plus signs.

@item errcode @var{arg}
@itemx errsource @var{arg}
@itemx errstring @var{arg}
Assume @var{arg} is an integer and evaluate it using @code{strtol}.  Return
the gpg-error error code, error source or a formatted string with the
error code and error source.


@item +
@itemx -
@itemx *
@itemx /
@itemx %
Evaluate all arguments as long integers using @code{strtol} and apply
this operator.  A division by zero yields an empty string.

@item !
@itemx |
@itemx &
Evaluate all arguments as long integers using @code{strtol} and apply
the logical operators NOT, OR or AND.  The NOT operator works on the
last argument only.


@end table


@item /definq @var{name} @var{var}
Use content of the variable @var{var} for inquiries with @var{name}.
@var{name} may be an asterisk (@code{*}) to match any inquiry.


@item /definqfile @var{name} @var{file}
Use content of @var{file} for inquiries with @var{name}.
@var{name} may be an asterisk (@code{*}) to match any inquiry.

@item /definqprog @var{name} @var{prog}
Run @var{prog} for inquiries matching @var{name} and pass the
entire line to it as command line arguments.

@item /datafile @var{name}
Write all data lines from the server to the file @var{name}.  The file
is opened for writing and created if it does not exists.  An existing
file is first truncated to 0.  The data written to the file fully
decoded.  Using a single dash for @var{name} writes to stdout.  The
file is kept open until a new file is set using this command or this
command is used without an argument.

@item /showdef
Print all definitions

@item /cleardef
Delete all definitions

@item /sendfd @var{file} @var{mode}
Open @var{file} in @var{mode} (which needs to be a valid @code{fopen}
mode string) and send the file descriptor to the server.  This is
usually followed by a command like @code{INPUT FD} to set the
input source for other commands.

@item /recvfd
Not yet implemented.

@item /open @var{var} @var{file} [@var{mode}]
Open @var{file} and assign the file descriptor to @var{var}.  Warning:
This command is experimental and might change in future versions.

@item /close @var{fd}
Close the file descriptor @var{fd}.  Warning: This command is
experimental and might change in future versions.

@item /showopen
Show a list of open files.

@item /serverpid
Send the Assuan command @command{GETINFO pid} to the server and store
the returned PID for internal purposes.

@item /sleep
Sleep for a second.

@item /hex
@itemx /nohex
Same as the command line option @option{--hex}.

@item /decode
@itemx /nodecode
Same as the command line option @option{--decode}.

@item /subst
@itemx /nosubst
Enable and disable variable substitution.  It defaults to disabled
unless the command line option @option{--subst} has been used.
If /subst as been enabled once, leading whitespace is removed from
input lines which makes scripts easier to read.

@item /while @var{condition}
@itemx /end
These commands provide a way for executing loops.  All lines between
the @code{while} and the corresponding @code{end} are executed as long
as the evaluation of @var{condition} yields a non-zero value or is the
string @code{true} or @code{yes}.  The evaluation is done by passing
@var{condition} to the @code{strtol} function.  Example:

@smallexample
  /subst
  /let i 3
  /while $i
    /echo loop counter is $i
    /let i $@{- $i 1@}
  /end
@end smallexample

@item /if @var{condition}
@itemx /end
These commands provide a way for conditional execution.  All lines between
the @code{if} and the corresponding @code{end} are executed only if
the evaluation of @var{condition} yields a non-zero value or is the
string @code{true} or @code{yes}.  The evaluation is done by passing
@var{condition} to the @code{strtol} function.

@item /run @var{file}
Run commands from @var{file}.

@item /bye
Terminate the connection and the program.

@item /help
Print a list of available control commands.

@end table


@ifset isman
@mansect see also
@command{gpg-agent}(1),
@command{scdaemon}(1)
@include see-also-note.texi
@end ifset

@c
@c   DIRMNGR-CLIENT
@c
@node dirmngr-client
@section The Dirmngr Client Tool

@manpage dirmngr-client.1
@ifset manverb
.B dirmngr-client
\- Tool to access the Dirmngr services
@end ifset

@mansect synopsis
@ifset manverb
.B  dirmngr-client
.RI [ options ]
.RI [ certfile | pattern ]
@end ifset

@mansect description
The @command{dirmngr-client} is a simple tool to contact a running
dirmngr and test whether a certificate has been revoked --- either by
being listed in the corresponding CRL or by running the OCSP protocol.
If no dirmngr is running, a new instances will be started but this is
in general not a good idea due to the huge performance overhead.

@noindent
The usual way to run this tool is either:

@example
dirmngr-client @var{acert}
@end example

@noindent
or

@example
dirmngr-client <@var{acert}
@end example

Where @var{acert} is one DER encoded (binary) X.509 certificates to be
tested.
@ifclear isman
The return value of this command is
@end ifclear

@mansect return value
@ifset isman
@command{dirmngr-client} returns these values:
@end ifset
@table @code

@item 0
The certificate under question is valid; i.e. there is a valid CRL
available and it is not listed there or the OCSP request returned that
that certificate is valid.

@item 1
The certificate has been revoked

@item 2 (and other values)
There was a problem checking the revocation state of the certificate.
A message to stderr has given more detailed information.  Most likely
this is due to a missing or expired CRL or due to a network problem.

@end table

@mansect options
@noindent
@command{dirmngr-client} may be called with the following options:


@table @gnupgtabopt
@item --version
@opindex version
Print the program version and licensing information.  Note that you cannot
abbreviate this command.

@item --help, -h
@opindex help
Print a usage message summarizing the most useful command-line options.
Note that you cannot abbreviate this command.

@item --quiet, -q
@opindex quiet
Make the output extra brief by suppressing any informational messages.

@item -v
@item --verbose
@opindex v
@opindex verbose
Outputs additional information while running.
You can increase the verbosity by giving several
verbose commands to @sc{dirmngr}, such as @samp{-vv}.

@item --pem
@opindex pem
Assume that the given certificate is in PEM (armored) format.

@item --ocsp
@opindex ocsp
Do the check using the OCSP protocol and ignore any CRLs.

@item --force-default-responder
@opindex force-default-responder
When checking using the OCSP protocol, force the use of the default OCSP
responder.  That is not to use the Reponder as given by the certificate.

@item --ping
@opindex ping
Check whether the dirmngr daemon is up and running.

@item --cache-cert
@opindex cache-cert
Put the given certificate into the cache of a running dirmngr.  This is
mainly useful for debugging.

@item --validate
@opindex validate
Validate the given certificate using dirmngr's internal validation code.
This is mainly useful for debugging.

@item --load-crl
@opindex load-crl
This command expects a list of filenames with DER encoded CRL files.
With the option @option{--url} URLs are expected in place of filenames
and they are loaded directly from the given location.  All CRLs will be
validated and then loaded into dirmngr's cache.

@item --lookup
@opindex lookup
Take the remaining arguments and run a lookup command on each of them.
The results are Base-64 encoded outputs (without header lines).  This
may be used to retrieve certificates from a server. However the output
format is not very well suited if more than one certificate is returned.

@item --url
@itemx -u
@opindex url
Modify the @command{lookup} and @command{load-crl} commands to take an URL.

@item --local
@itemx -l
@opindex url
Let the @command{lookup} command only search the local cache.

@item --squid-mode
@opindex squid-mode
Run @sc{dirmngr-client} in a mode suitable as a helper program for
Squid's @option{external_acl_type} option.


@end table

@ifset isman
@mansect see also
@command{dirmngr}(8),
@command{gpgsm}(1)
@include see-also-note.texi
@end ifset


@c
@c   GPGPARSEMAIL
@c
@node gpgparsemail
@section Parse a mail message into an annotated format

@manpage gpgparsemail.1
@ifset manverb
.B gpgparsemail
\- Parse a mail message into an annotated format
@end ifset

@mansect synopsis
@ifset manverb
.B  gpgparsemail
.RI [ options ]
.RI [ file ]
@end ifset

@mansect description
The @command{gpgparsemail} is a utility currently only useful for
debugging.  Run it with @code{--help} for usage information.



@c
@c   SYMCRYPTRUN
@c
@node symcryptrun
@section Call a simple symmetric encryption tool
@manpage symcryptrun.1
@ifset manverb
.B symcryptrun
\- Call a simple symmetric encryption tool
@end ifset

@mansect synopsis
@ifset manverb
.B  symcryptrun
.B \-\-class
.I class
.B \-\-program
.I program
.B \-\-keyfile
.I keyfile
.RB [ --decrypt | --encrypt ]
.RI [ inputfile ]
@end ifset

@mansect description
Sometimes simple encryption tools are already in use for a long time
and there might be a desire to integrate them into the GnuPG
framework.  The protocols and encryption methods might be non-standard
or not even properly documented, so that a full-fledged encryption
tool with an interface like @command{gpg} is not doable.
@command{symcryptrun} provides a solution: It operates by calling the
external encryption/decryption module and provides a passphrase for a
key using the standard @command{pinentry} based mechanism through
@command{gpg-agent}.

Note, that @command{symcryptrun} is only available if GnuPG has been
configured with @samp{--enable-symcryptrun} at build time.

@menu
* Invoking symcryptrun::   List of all commands and options.
@end menu

@manpause
@node Invoking symcryptrun
@subsection List of all commands and options

@noindent
@command{symcryptrun} is invoked this way:

@example
symcryptrun --class CLASS --program PROGRAM --keyfile KEYFILE
   [--decrypt | --encrypt] [inputfile]
@end example
@mancont

For encryption, the plain text must be provided on STDIN or as the
argument @var{inputfile}, and the ciphertext will be output to STDOUT.
For decryption vice versa.

@var{CLASS} describes the calling conventions of the external tool.
Currently it must be given as @samp{confucius}.  @var{PROGRAM} is
the full filename of that external tool.

For the class @samp{confucius} the option @option{--keyfile} is
required; @var{keyfile} is the name of a file containing the secret key,
which may be protected by a passphrase.  For detailed calling
conventions, see the source code.

@noindent
Note, that @command{gpg-agent} must be running before starting
@command{symcryptrun}.

@noindent
The following additional options may be used:

@table @gnupgtabopt
@item -v
@itemx --verbose
@opindex verbose
Output additional information while running.

@item -q
@item --quiet
@opindex q
@opindex quiet
Try to be as quiet as possible.

@include opt-homedir.texi


@item --log-file @var{file}
@opindex log-file
Append all logging output to @var{file}.  Use @file{socket://} to log
to socket.  Default is to write logging information to STDERR.

@end table

@noindent
The possible exit status codes of @command{symcryptrun} are:

@table @code
@item 0
        Success.
@item 1
        Some error occurred.
@item 2
        No valid passphrase was provided.
@item 3
        The operation was canceled by the user.

@end table

@mansect see also
@ifset isman
@command{gpg}(1),
@command{gpgsm}(1),
@command{gpg-agent}(1),
@end ifset
@include see-also-note.texi


@c
@c  GPGTAR
@c
@manpage gpgtar.1
@node gpgtar
@section Encrypt or sign files into an archive
@ifset manverb
.B gpgtar
\- Encrypt or sign files into an archive
@end ifset

@mansect synopsis
@ifset manverb
.B  gpgtar
.RI [ options ]
.I filename1
.I [ filename2, ... ]
.I directory1
.I [ directory2, ... ]
@end ifset

@mansect description
@command{gpgtar} encrypts or signs files into an archive.  It is an
gpg-ized tar using the same format as used by PGP's PGP Zip.

@manpause
@noindent
@command{gpgtar} is invoked this way:

@example
gpgtar [options] @var{filename1} [@var{filename2}, ...] @var{directory} [@var{directory2}, ...]
@end example

@mansect options
@noindent
@command{gpgtar} understands these options:

@table @gnupgtabopt

@item --create
@opindex create
Put given files and directories into a vanilla ``ustar'' archive.

@item --extract
@opindex extract
Extract all files from a vanilla ``ustar'' archive.

@item --encrypt
@itemx -e
@opindex encrypt
Encrypt given files and directories into an archive.  This option may
be combined with option @option{--symmetric} for an archive that may
be decrypted via a secret key or a passphrase.

@item --decrypt
@itemx -d
@opindex decrypt
Extract all files from an encrypted archive.

@item --sign
@itemx -s
Make a signed archive from the given files and directories.  This can
be combined with option @option{--encrypt} to create a signed and then
encrypted archive.

@item --list-archive
@itemx -t
@opindex list-archive
List the contents of the specified archive.

@item --symmetric
@itemx -c
Encrypt with a symmetric cipher using a passphrase.  The default
symmetric cipher used is @value{GPGSYMENCALGO}, but may be chosen with the
@option{--cipher-algo} option to @command{gpg}.

@item --recipient @var{user}
@itemx -r @var{user}
@opindex recipient
Encrypt for user id @var{user}. For details see @command{gpg}.

@item --local-user @var{user}
@itemx -u @var{user}
@opindex local-user
Use @var{user} as the key to sign with.  For details see @command{gpg}.

@item --output @var{file}
@itemx -o @var{file}
@opindex output
Write the archive to the specified file @var{file}.

@item --verbose
@itemx -v
@opindex verbose
Enable extra informational output.

@item --quiet
@itemx -q
@opindex quiet
Try to be as quiet as possible.

@item --skip-crypto
@opindex skip-crypto
Skip all crypto operations and create or extract vanilla ``ustar''
archives.

@item --dry-run
@opindex dry-run
Do not actually output the extracted files.

@item --directory @var{dir}
@itemx -C @var{dir}
@opindex directory
Extract the files into the directory @var{dir}.  The
default is to take the directory name from
the input filename.  If no input filename is known a directory named
@file{GPGARCH} is used.

@item --files-from @var{file}
@itemx -T @var{file}
Take the file names to work from the file @var{file}; one file per
line.

@item --null
@opindex null
Modify option @option{--files-from} to use a binary nul instead of a
linefeed to separate file names.

@item --openpgp
@opindex openpgp
This option has no effect because OpenPGP encryption and signing is
the default.

@item --cms
@opindex cms
This option is reserved and shall not be used.  It will eventually be
used to encrypt or sign using the CMS protocol; but that is not yet
implemented.


@item --set-filename @var{file}
@opindex set-filename
Use the last component of @var{file} as the output directory.  The
default is to take the directory name from the input filename.  If no
input filename is known a directory named @file{GPGARCH} is used.
This option is deprecated in favor of option @option{--directory}.

@item --gpg @var{gpgcmd}
@opindex gpg
Use the specified command @var{gpgcmd} instead of @command{gpg}.

@item --gpg-args @var{args}
@opindex gpg-args
Pass the specified extra options to @command{gpg}.

@item --tar-args @var{args}
@opindex tar-args
Assume @var{args} are standard options of the command @command{tar}
and parse them.  The only supported tar options are "--directory",
"--files-from", and "--null" This is an obsolete options because those
supported tar options can also be given directly.

@item --version
@opindex version
Print version of the program and exit.

@item --help
@opindex help
Display a brief help page and exit.

@end table

@mansect diagnostics
@noindent
The program returns 0 if everything was fine, 1 otherwise.


@mansect examples
@ifclear isman
@noindent
Some examples:

@end ifclear
@noindent
Encrypt the contents of directory @file{mydocs} for user Bob to file
@file{test1}:

@example
gpgtar --encrypt --output test1 -r Bob mydocs
@end example

@noindent
List the contents of archive @file{test1}:

@example
gpgtar --list-archive test1
@end example


@mansect see also
@ifset isman
@command{gpg}(1),
@command{tar}(1),
@end ifset
@include see-also-note.texi