--options

Reads configuration from file instead of from the default per-user configuration file. The default configuration file isnamed ‘dirmngr.conf’ and expected in the home directory.

--homedir

Set the name of the home directory to dir. This option is only effective when used on the command line. The default is thedirectory named ‘.gnupg’ directly below the home directory of the user unless the environment variable GNUPGHOME has been setin which case its value will be used. Many kinds of data are stored within this directory.

--verbose

Outputs additional information while running. You can increase the verbosity by giving several verbose commands to dirmngr,such as -vv.

--log-file

Append all logging output to file. This is very helpful in seeing what the agent actually does. Use ‘socket://’ to log tosocket.

--debug-level

Select the debug level for investigating problems. level may be a numeric value or by a keyword:none No debugging at all. A value of less than 1 may be used instead of the keyword.basic Some basic debug messages. A value between 1 and 2 may be used instead of the keyword.advancedMore verbose debug messages. A value between 3 and 5 may be used instead of the keyword.expert Even more detailed messages. A value between 6 and 8 may be used instead of the keyword.guru All of the debug messages you can get. A value greater than 8 may be used instead of the keyword. The creation of hashtracing files is only enabled if the keyword is used.How these messages are mapped to the actual debugging flags is not specified and may change with newer releases of this program. Theyare however carefully selected to best aid in debugging.

--debug

Set debugging flags. This option is only useful for debugging and its behavior may change with a new release. All flags areor-ed and may be given in C syntax (e.g. 0x0042) or as a comma separated list of flag names. To get a list of all supportedflags the single word "help" can be used.

--debug-all

Same as --debug=0xffffffff

--gnutls-debug

Enable debugging of GNUTLS at level.

--debug-wait

When running in server mode, wait n seconds before entering the actual processing loop and print the pid. This gives time toattach a debugger.

--disable-check-own-socket

On some platforms dirmngr is able to detect the removal of its socket file and shutdown itself. This option disable thisself-test for debugging purposes.

--force

Enabling this option forces loading of expired CRLs; this is only useful for debugging.

--no-use-tor

The option --use-tor switches Dirmngr and thus GnuPG into ``Tor mode'' to route all network access via Tor (an anonymity net‐work). Certain other features are disabled in this mode. The effect of --use-tor cannot be overridden by any other commandor even be reloading gpg-agent. The use of --no-use-tor disables the use of Tor. The default is to use Tor if it is avail‐able on startup or after reloading dirmngr.

--standard-resolver

This option forces the use of the system's standard DNS resolver code. This is mainly used for debugging. Note that on Win‐dows a standard resolver is not used and all DNS access will return the error ``Not Implemented'' if this function is used.

--recursive-resolver

When possible use a recursive resolver instead of a stub resolver.

--resolver-timeout

Set the timeout for the DNS resolver to N seconds. The default are 30 seconds.

--connect-quick-timeout

Set the timeout for HTTP and generic TCP connection attempts to N seconds. The value set with the quick variant is used whenthe --quick option has been given to certain Assuan commands. The quick value is capped at the value of the regular connecttimeout. The default values are 15 and 2 seconds. Note that the timeout values are for each connection attempt; the connec‐tion code will attempt to connect all addresses listed for a server.

--listen-backlog

Set the size of the queue for pending connections. The default is 64.

--allow-version-check

Allow Dirmngr to connect to https://versions.gnupg.org to get the list of current software versions. On debian-packaged ver‐sions, this option does nothing since software updates should be handled by the distribution. See the option --query-swdb ofthe command gpgconf for more details. Note, that regardless of this option a version check can always be triggered using thiscommand:gpg-connect-agent --dirmngr 'loadswdb --force' /bye

--keyserver

Use name as your keyserver. This is the server that gpg communicates with to receive keys, send keys, and search for keys.The format of the name is a URI: `scheme:[//]keyservername[:port]' The scheme is the type of keyserver: "hkp" for the HTTP (orcompatible) keyservers, "ldap" for the LDAP keyservers, or "mailto" for the Graff email keyserver. Note that your particularinstallation of GnuPG may have other keyserver types available as well. Keyserver schemes are case-insensitive. After the key‐server name, optional keyserver configuration options may be provided. These are the same as the --keyserver-options of gpg,but apply only to this particular keyserver.Most keyservers synchronize with each other, so there is generally no need to send keys to more than one server. The keyserverhkp://keys.gnupg.net uses round robin DNS to give a different keyserver each time you use it.If exactly two keyservers are configured and only one is a Tor hidden service (.onion), Dirmngr selects the keyserver to usedepending on whether Tor is locally running or not. The check for a running Tor is done for each new connection.If no keyserver is explicitly configured, dirmngr will use the built-in default of hkps://hkps.pool.sks-keyservers.net.

--nameserver

In ``Tor mode'' Dirmngr uses a public resolver via Tor to resolve DNS names. If the default public resolver, which is8.8.8.8, shall not be used a different one can be given using this option. Note that a numerical IP address must be given(IPv6 or IPv4) and that no error checking is done for ipaddr.

--disable-ipv6

Disable the use of all IPv4 or IPv6 addresses.

--disable-ldap

Entirely disables the use of LDAP.

--disable-http

Entirely disables the use of HTTP.

--ignore-http-dp

When looking for the location of a CRL, the to be tested certificate usually contains so called CRL Distribution Point (DP)entries which are URLs describing the way to access the CRL. The first found DP entry is used. With this option all entriesusing the HTTP scheme are ignored when looking for a suitable DP.

--ignore-ldap-dp

This is similar to --ignore-http-dp but ignores entries using the LDAP scheme. Both options may be combined resulting inignoring DPs entirely.

--ignore-ocsp-service-url

Ignore all OCSP URLs contained in the certificate. The effect is to force the use of the default responder.

--honor-http-proxy

If the environment variable ‘http_proxy’ has been set, use its value to access HTTP servers.

--http-proxy

Use host and port to access HTTP servers. The use of this option overrides the environment variable ‘http_proxy’ regardlesswhether --honor-http-proxy has been set.

--ldap-proxy

Use host and port to connect to LDAP servers. If port is omitted, port 389 (standard LDAP port) is used. This overrides anyspecified host and port part in a LDAP URL and will also be used if host and port have been omitted from the URL.

--only-ldap-proxy

Never use anything else but the LDAP "proxy" as configured with --ldap-proxy. Usually dirmngr tries to use other configuredLDAP server if the connection using the "proxy" failed.

--ldapserverlist-file

Read the list of LDAP servers to consult for CRLs and certificates from file instead of the default per-user ldap server listfile. The default value for file is ‘dirmngr_ldapservers.conf’.This server list file contains one LDAP server per line in the formathostname:port:username:password:base_dnLines starting with a '#' are comments.Note that as usual all strings entered are expected to be UTF-8 encoded. Obviously this will lead to problems if the passwordhas originally been encoded as Latin-1. There is no other solution here than to put such a password in the binary encodinginto the file (i.e. non-ascii characters won't show up readable). ([The gpgconf tool might be helpful for frontends as itenables editing this configuration file using percent-escaped strings.])

--ldaptimeout

Specify the number of seconds to wait for an LDAP query before timing out. The default are 15 seconds. 0 will never timeout.

--add-servers

This option makes dirmngr add any servers it discovers when validating certificates against CRLs to the internal list ofservers to consult for certificates and CRLs.This option is useful when trying to validate a certificate that has a CRL distribution point that points to a server that isnot already listed in the ldapserverlist. Dirmngr will always go to this server and try to download the CRL, but chances arehigh that the certificate used to sign the CRL is located on the same server. So if dirmngr doesn't add that new server tolist, it will often not be able to verify the signature of the CRL unless the --add-servers option is used.Note: The current version of dirmngr has this option disabled by default.

--allow-ocsp

This option enables OCSP support if requested by the client.OCSP requests are rejected by default because they may violate the privacy of the user; for example it is possible to trackthe time when a user is reading a mail.

--ocsp-responder

Use url as the default OCSP Responder if the certificate does not contain information about an assigned responder. Note, that

--ocsp-signer

must also be set to a valid certificate.

--ocsp-max-clock-skew

The number of seconds a skew between the OCSP responder and them local clock is accepted. Default is 600 (10 minutes).

--ocsp-max-period

Seconds a response is at maximum considered valid after the time given in the thisUpdate field. Default is 7776000 (90 days).

--ocsp-current-period

The number of seconds an OCSP response is considered valid after the time given in the NEXT_UPDATE datum. Default is 10800 (3hours).

--max-replies

Do not return more that n items in one query. The default is 10.

--ignore-cert-extension

Add oid to the list of ignored certificate extensions. The oid is expected to be in dotted decimal form, like 2.5.29.3. Thisoption may be used more than once. Critical flagged certificate extensions matching one of the OIDs in the list are treatedas if they are actually handled and thus the certificate won't be rejected due to an unknown critical extension. Use thisoption with care because extensions are usually flagged as critical for a reason.

--hkp-cacert

Use the root certificates in file for verification of the TLS certificates used with hkps (keyserver access over TLS). If thefile is in PEM format a suffix of .pem is expected for file. This option may be given multiple times to add more root cer‐tificates. Tilde expansion is supported.If no hkp-cacert directive is present, dirmngr will make a reasonable choice: if the keyserver in question is the special poolhkps.pool.sks-keyservers.net, it will use the bundled root certificate for that pool. Otherwise, it will use the system CAs.EXAMPLESHere is an example on how to show dirmngr's internal table of OpenPGP keyserver addresses. The output is intended for debugging pur‐poses and not part of a defined API.gpg-connect-agent --dirmngr 'keyserver --hosttable' /byeTo inhibit the use of a particular host you have noticed in one of the keyserver pools, you may usegpg-connect-agent --dirmngr 'keyserver --dead pgpkeys.bnd.de' /byeThe description of the keyserver command can be printed usinggpg-connect-agent --dirmngr 'help keyserver' /byeFILESDirmngr makes use of several directories when running in daemon mode: There are a few configuration files whih control the operationof dirmngr. By default they may all be found in the current home directory (see: [option --homedir]).dirmngr.confThis is the standard configuration file read by dirmngr on startup. It may contain any valid long option; the leading twodashes may not be entered and the option may not be abbreviated. This file is also read after a SIGHUP however not alloptions will actually have an effect. This default name may be changed on the command line (see: [option --options]). Youshould backup this file./etc/gnupg/trusted-certsThis directory should be filled with certificates of Root CAs you are trusting in checking the CRLs and signing OCSPResponses.Usually these are the same certificates you use with the applications making use of dirmngr. It is expected that each ofthese certificate files contain exactly one DER encoded certificate in a file with the suffix ‘.crt’ or ‘.der’. dirmngr readsthose certificates on startup and when given a SIGHUP. Certificates which are not readable or do not make up a proper X.509certificate are ignored; see the log file for details.Applications using dirmngr (e.g. gpgsm) can request these certificates to complete a trust chain in the same way as with theextra-certs directory (see below).Note that for OCSP responses the certificate specified using the option --ocsp-signer is always considered valid to sign OCSPrequests./etc/gnupg/extra-certsThis directory may contain extra certificates which are preloaded into the internal cache on startup. Applications using dirm‐ngr (e.g. gpgsm) can request cached certificates to complete a trust chain. This is convenient in cases you have a coupleintermediate CA certificates or certificates usually used to sign OCSP responses. These certificates are first tried beforegoing out to the net to look for them. These certificates must also be DER encoded and suffixed with ‘.crt’ or ‘.der’.~/.gnupg/crls.dThis directory is used to store cached CRLs. The ‘crls.d’ part will be created by dirmngr if it does not exists but you needto make sure that the upper directory exists.SIGNALSA running dirmngr may be controlled by signals, i.e. using the kill command to send a signal to the process.Here is a list of supported signals:SIGHUP This signal flushes all internally cached CRLs as well as any cached certificates. Then the certificate cache is reinitial‐ized as on startup. Options are re-read from the configuration file. Instead of sending this signal it is better to usegpgconf --reload dirmngrSIGTERMShuts down the process but waits until all current requests are fulfilled. If the process has received 3 of these signals andrequests are still pending, a shutdown is forced. You may also usegpgconf --kill dirmngrinstead of this signalSIGINT Shuts down the process immediately.SIGUSR1This prints some caching statistics to the log file.