Linux "gpgsm" Command Line Options and Examples
CMS encryption and signing tool

gpgsm is a tool similar to gpg to provide digital encryption and signing services on X.509 certificates and the CMS protocol. It is mainly used as a backend for S/MIME mail processing.


Usage:

gpgsm [--homedir dir] [--options file] [options] command [args]




Command Line Options:

--options
Reads configuration from file instead of from the default per-user configuration file. The default configuration file is named ‘gpgsm.conf’ and expected in the ‘.gnupg’ directory directly below the home directory of the user.
gpgsm --options ...
--homedir
Set the name of the home directory to dir. If this option is not used, the home directory defaults to ‘~/.gnupg’. It is only recognized when given on the command line. It also overrides any home directory stated through the environment variable ‘GNUPGHOME’ or (on Windows systems) by means of the Registry entry HKCU\Software\GNU\GnuPG:HomeDir.
On Windows systems it is possible to install GnuPG as a portable application. In this case only this command line option is considered, all other ways to set a home directory are ignored.
To install GnuPG as a portable application under Windows, create an empty file named ‘gpgconf.ctl’ in the same directory as the tool ‘gpgconf.exe’. The root of the installation is then that directory; or, if ‘gpgconf.exe’ has been installed directly below a directory named ‘bin’, its parent directory. You also need to make sure that the following directories exist and are writable: ‘ROOT/home’ for the GnuPG home and ‘ROOT/var/cache/gnupg’ for internal cache files.
gpgsm --homedir ...
--verbose
Outputs additional information while running. You can increase the verbosity by giving several verbose commands to gpgsm, such as '-vv'.
gpgsm --verbose ...
--policy-file
Change the default name of the policy file to filename.
gpgsm --policy-file ...
--agent-program
Specify an agent program to be used for secret key operations. The default value is determined by running the command gpgconf. Note that the pipe symbol (|) is used for a regression test suite hack and may thus not be used in the file name.
gpgsm --agent-program ...
--dirmngr-program
Specify a dirmngr program to be used for CRL checks. The default value is ‘/usr/bin/dirmngr’.
gpgsm --dirmngr-program ...
--prefer-system-dirmngr
This option is obsolete and ignored.
gpgsm --prefer-system-dirmngr ...
--disable-dirmngr
Entirely disable the use of the Dirmngr. Because CRL and OCSP lookups and the retrieval of missing issuer certificates all go through Dirmngr, none of them can take place while this option is in effect.
gpgsm --disable-dirmngr ...
--no-autostart
Do not start the gpg-agent or the dirmngr if it has not yet been started and its service is required. This option is mostly useful on machines where the connection to gpg-agent has been redirected to another machine. If dirmngr is required on the remote machine, it may be started manually using gpgconf --launch dirmngr.
gpgsm --no-autostart ...
--no-secmem-warning
Do not print a warning when the so called "secure memory" cannot be used.
gpgsm --no-secmem-warning ...
--log-file
When running in server mode, append all logging output to file. Use ‘socket://’ to log to a socket.
gpgsm --log-file ...


Certificate related options:

--disable-policy-checks
By default policy checks (against the policy OIDs listed in ‘policies.txt’) are enabled. This option switches them off; the counterpart --enable-policy-checks switches them back on, for example to override a setting from the configuration file.
gpgsm --disable-policy-checks ...
--disable-crl-checks
By default the CRL checks are enabled and the DirMngr is used to check for revoked certificates. The disable option is most useful with an off-line network connection to suppress this check; the counterpart --enable-crl-checks turns the check back on. Note that while CRL checks are disabled a revoked certificate still validates, so the option should not become a permanent setting.
gpgsm --disable-crl-checks ...
--disable-trusted-cert-crl-check
By default the CRL for trusted root certificates is checked like for any other certificate. This allows a CA to voluntarily revoke its own certificates without the need of putting all ever issued certificates into a CRL. The disable option may be used to switch this extra check off. Due to the caching done by the Dirmngr, there will not be any noticeable performance gain. Note, that this also disables possible OCSP checks for trusted root certificates. A more specific way of disabling this check is by adding the ``relax'' keyword to the root CA line of the ‘trustlist.txt’.
gpgsm --disable-trusted-cert-crl-check ...
--force-crl-refresh
Tell the dirmngr to reload the CRL for each request. For better performance, the dirmngr will actually optimize this by suppressing the loading for short time intervals (e.g. 30 minutes). This option is useful to make sure that a fresh CRL is available for certificates held in the keybox. The suggested way of doing this is by using it along with the option --with-validation for a key listing command. This option should not be used in a configuration file.
gpgsm --force-crl-refresh ...
--disable-ocsp
By default OCSP checks are disabled. The counterpart --enable-ocsp may be used to enable OCSP checks via Dirmngr; --disable-ocsp switches them off again. If CRL checks are also enabled, CRLs will be used as a fallback if for some reason an OCSP request does not succeed. Note, that you have to allow OCSP requests in Dirmngr's configuration too (option --allow-ocsp) and configure Dirmngr properly. If you do not do so you will get the error code 'Not supported'.
gpgsm --disable-ocsp ...
--auto-issuer-key-retrieve
If a required certificate is missing while validating the chain of certificates, try to load that certificate from an external location. This usually means that Dirmngr is employed to search for the certificate. Note that this option makes a "web bug" like behavior possible. LDAP server operators can see which certificates you request, so by sending you a message signed by a brand new key (which you naturally will not have in your local keybox), the operator can tell both your IP address and the time when you verified the signature.
gpgsm --auto-issuer-key-retrieve ...
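A per-user configuration for the revocation-related options above, given here as an added example for this page rather than a file shipped with GnuPG. It assumes the default home directory ‘~/.gnupg’; the option names are the long options listed on this page with the leading dashes stripped, which is the documented configuration-file form, and the Dirmngr setting is the --allow-ocsp option the --disable-ocsp entry refers to:

```conf
# ~/.gnupg/gpgsm.conf -- long options, one per line, without the leading "--"

# Revocation checking: keep CRL checks on (the default) and add OCSP.
# When an OCSP request fails gpgsm falls back to the CRL, so both stay useful.
enable-crl-checks
enable-ocsp

# Settings that weaken chain validation.  Keep them commented out; give them on
# the command line for an offline session or a debugging run, never as a default.
#disable-crl-checks
#disable-trusted-cert-crl-check
#auto-issuer-key-retrieve

# ~/.gnupg/dirmngr.conf -- needed for enable-ocsp above; without it gpgsm
# reports "Not supported" for OCSP
allow-ocsp
```

To exempt a single root from the trusted-root CRL check instead of disabling it globally, add the relax keyword to that root's line in ‘trustlist.txt’ (the line consists of the 40-hex-digit fingerprint, the flag S, then relax). For a one-off validation against a fresh CRL, give --force-crl-refresh together with --with-validation on a --list-keys command line; as the option description says, it does not belong in a configuration file.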
--validation-model
This option changes the default validation model. The only possible values are "shell" (which is the default), "chain" which forces the use of the chain model and "steed" for a new simplified model. The chain model is also used if an option in the ‘trustlist.txt’ or an attribute of the certificate requests it. However the standard model (shell) is in that case always tried first.
gpgsm --validation-model ...
--ignore-cert-extension
Add oid to the list of ignored certificate extensions. The oid is expected to be in dotted decimal form, like 2.5.29.3. This option may be used more than once. Critical flagged certificate extensions matching one of the OIDs in the list are treated as if they are actually handled and thus the certificate will not be rejected due to an unknown critical extension. Use this option with care because extensions are usually flagged as critical for a reason.
gpgsm --ignore-cert-extension ...


Input and Output:

-a
Create PEM encoded output. Default is binary output.
gpgsm -a ...
--base64
Create Base-64 encoded output; i.e. PEM without the header lines.
gpgsm --base64 ...
--assume-armor
Assume the input data is PEM encoded. Default is to autodetect the encoding but this may fail.
gpgsm --assume-armor ...
--assume-base64
Assume the input data is plain base-64 encoded.
gpgsm --assume-base64 ...
--assume-binary
Assume the input data is binary encoded.
gpgsm --assume-binary ...
--p12-charset
gpgsm uses the UTF-8 encoding when encoding passphrases for PKCS#12 files. This option may be used to force the passphrase to be encoded in the specified encoding name. This is useful if the application used to import the key uses a different encoding and thus will not be able to import a file generated by gpgsm. Commonly used values for name are Latin1 and CP850. Note that gpgsm itself automagically imports any file with a passphrase encoded to the most commonly used encodings.
gpgsm --p12-charset ...
--default-key
Use user_id as the standard key for signing. This key is used if no other key has been defined as a signing key. Note, that the first --local-user option also sets this key if it has not yet been set; however --default-key always overrides this.
gpgsm --default-key ...
-u
Set the user(s) to be used for signing (long form: --local-user). The default is the first secret key found in the database.
gpgsm -u ...
-r
Encrypt to the user id name. There are several ways a user id may be given (see: [how-to-specify-a-user-id]).
gpgsm -r ...
-o
Write output to file. The default is to write it to stdout.
gpgsm -o ...
--with-key-data
Displays extra information with the --list-keys commands. Especially a line tagged grp is printed which tells you the keygrip of a key. This string is for example used as the file name of the secret key (‘<keygrip>.key’ in the ‘private-keys-v1.d’ directory of the GnuPG home). Implies --with-colons.
gpgsm --with-key-data ...
--with-validation
When doing a key listing, do a full validation check for each key and print the result. This is usually a slow operation because it requires a CRL lookup and other operations.
When used along with --import, a validation of the certificate to import is done and it is only imported if it passes the test. Note that this does not affect an already available certificate in the DB. This option is therefore useful to simply verify a certificate.
gpgsm --with-validation ...
--with-md5-fingerprint
For standard key listings, also print the MD5 fingerprint of the certificate.
gpgsm --with-md5-fingerprint ...
--with-keygrip
Include the keygrip in standard key listings. Note that the keygrip is always listed in --with-colons mode.
gpgsm --with-keygrip ...
--with-secret
Include info about the presence of a secret key in public key listings done with --with-colons.
gpgsm --with-secret ...


How to change how the CMS is created:

--include-certs
Using n of -2 includes all certificates except for the root cert, -1 includes all certs, 0 does not include any certs, 1 includes only the signer's cert and all other positive values include up to n certificates starting with the signer cert. The default is -2, i.e. the recipient is expected to already hold (and trust) the root certificate.
gpgsm --include-certs ...
--cipher-algo
Use the cipher algorithm with the ASN.1 object identifier oid for encryption. For convenience the strings 3DES, AES and AES256 may be used instead of their OIDs. The default is AES (2.16.840.1.101.3.4.1.2, i.e. AES-128 in CBC mode).
gpgsm --cipher-algo ...
--digest-algo
Use name as the message digest algorithm. Usually this algorithm is deduced from the respective signing certificate. This option forces the use of the given algorithm and may lead to severe interoperability problems.
gpgsm --digest-algo ...


Doing things one usually does not want to do:

--extra-digest-algo
Sometimes signatures are broken in that they announce a different digest algorithm than actually used. gpgsm uses a one-pass data processing model and thus needs to rely on the announced digest algorithms to properly hash the data. As a workaround this option may be used to tell gpgsm to also hash the data using the algorithm name; this slows processing down a little bit but allows verification of such broken signatures. If gpgsm prints an error like ``digest algo 8 has not been enabled'' you may want to try this option, with 'SHA256' for name.
gpgsm --extra-digest-algo ...
--faked-system-time
This option is only useful for testing; it sets the system time back or forth to epoch which is the number of seconds elapsed since the year 1970. Alternatively epoch may be given as a full ISO time string (e.g. "20070924T154812").
gpgsm --faked-system-time ...
--with-ephemeral-keys
Include ephemeral flagged keys in the output of key listings. Note that they are included anyway if the key specification for a listing is given as fingerprint or keygrip.
gpgsm --with-ephemeral-keys ...
--debug-level
Select the debug level for investigating problems. level may be a numeric value or a keyword:
    none      No debugging at all. A value of less than 1 may be used instead of the keyword.
    basic     Some basic debug messages. A value between 1 and 2 may be used instead of the keyword.
    advanced  More verbose debug messages. A value between 3 and 5 may be used instead of the keyword.
    expert    Even more detailed messages. A value between 6 and 8 may be used instead of the keyword.
    guru      All of the debug messages you can get. A value greater than 8 may be used instead of the keyword. The creation of hash tracing files is only enabled if the keyword is used.
How these messages are mapped to the actual debugging flags is not specified and may change with newer releases of this program. They are however carefully selected to best aid in debugging.
gpgsm --debug-level ...
--debug
This option is only useful for debugging and the behaviour may change at any time without notice; using --debug-level is the preferred method to select the debug verbosity. FLAGS are bit encoded and may be given in usual C-syntax. The currently defined bits are:
    0  (1)     X.509 or OpenPGP protocol related data
    1  (2)     values of big number integers
    2  (4)     low level crypto operations
    5  (32)    memory allocation
    6  (64)    caching
    7  (128)   show memory statistics
    9  (512)   write hashed data to files named dbgmd-000*
    10 (1024)  trace Assuan protocol
Note, that all flags set using this option may get overridden by --debug-level.
gpgsm --debug ...
--debug-all
Same as --debug=0xffffffff
gpgsm --debug-all ...
--debug-allow-core-dump
Usually gpgsm tries to avoid dumping core by well written code and by disabling core dumps for security reasons. However, bugs are pretty durable beasts and to squash them it is sometimes useful to have a core dump. This option enables core dumps unless the Bad Thing happened before the option parsing.
gpgsm --debug-allow-core-dump ...
--debug-no-chain-validation
This is actually not a debugging option but only useful as such. It lets gpgsm bypass all certificate chain validation checks, so a signature verifies regardless of issuer, trust or revocation status; never put it in a configuration file.
gpgsm --debug-no-chain-validation ...
--debug-ignore-expiration
This is actually not a debugging option but only useful as such. It lets gpgsm ignore all notAfter dates; this is used by the regression tests.
gpgsm --debug-ignore-expiration ...
--passphrase-fd
Read the passphrase from file descriptor n. Only the first line will be read from file descriptor n. If you use 0 for n, the passphrase will be read from STDIN. This can only be used if only one passphrase is supplied.
Note that this passphrase is only used if the option --batch has also been given; with a running gpg-agent the Pinentry must additionally be redirected to the caller with --pinentry-mode loopback.
gpgsm --passphrase-fd ...
--pinentry-mode
Set the pinentry mode to mode. Allowed values for mode are:
    default   Use the default of the agent, which is ask.
    ask       Force the use of the Pinentry.
    cancel    Emulate use of Pinentry's cancel button.
    error     Return a Pinentry error (``No Pinentry'').
    loopback  Redirect Pinentry queries to the caller. Note that in contrast to Pinentry the user is not prompted again if he enters a bad password. This is the mode required when the passphrase is supplied programmatically via --passphrase-fd; the passphrase then passes through the calling process instead of a Pinentry window.
gpgsm --pinentry-mode ...
--no-common-certs-import
Suppress the import of common certificates on keybox creation.
gpgsm --no-common-certs-import ...

All the long options may also be given in the configuration file after stripping off the two leading dashes.




How to Specify a User ID:

There are different ways to specify a user ID to GnuPG. Some of them are only valid for gpg, others are only good for gpgsm. Here is the entire list of ways to specify a key:

By key Id.
This format is deduced from the length of the string and its content or 0x prefix. The key Id of an X.509 certificate is the low 64 bits of its SHA-1 fingerprint. The use of key Ids is just a shortcut; for all automated processing the fingerprint should be used.
When using gpg an exclamation mark (!) may be appended to force using the specified primary or secondary key and not to try and calculate which primary or secondary key to use.
The last four lines of the example give the key ID in their long form as internally used by the OpenPGP protocol. You can see the long key ID using the option --with-colons.
    234567C4
    0F34E556E01347A56A
    0xAB123456

    234AABBCC34567C4
    0F323456784E56EAB01AB3FED1347A5612
    0x234AABBCC34567C4

By fingerprint.
This format is deduced from the length of the string and its content or the 0x prefix. Note, that only the 20 byte version fingerprint is available with gpgsm (i.e. the SHA-1 hash of the certificate).
When using gpg an exclamation mark (!) may be appended to force using the specified primary or secondary key and not to try and calculate which primary or secondary key to use.
The best way to specify a key Id is by using the fingerprint. This avoids any ambiguities in case that there are duplicated key IDs.
    1234343434343434C434343434343434
    123434343434343C3434343434343734349A3434
    0E12343434343434343434EAB3484343434343434
    0xE12343434343434343434EAB3484343434343434
gpgsm also accepts colons between each pair of hexadecimal digits because this is the de-facto standard on how to present X.509 fingerprints. gpg also allows the use of the space separated SHA-1 fingerprint as printed by the key listing commands.

By exact match on OpenPGP user ID.
This is denoted by a leading equal sign. It does not make sense for X.509 certificates.
    =Heinrich Heine <heinrichh@uni-duesseldorf.de>

By exact match on an email address.
This is indicated by enclosing the email address in the usual way with left and right angles.
    <heinrichh@uni-duesseldorf.de>

By partial match on an email address.
This is indicated by prefixing the search string with an @. This uses a substring search but considers only the mail address (i.e. inside the angle brackets).
    @heinrichh

By exact match on the subject's DN.
This is indicated by a leading slash, directly followed by the RFC-2253 encoded DN of the subject. Note that you can't use the string printed by gpgsm --list-keys because that one has been reordered and modified for better readability; use --with-colons to print the raw (but standard escaped) RFC-2253 string.
    /CN=Heinrich Heine,O=Poets,L=Paris,C=FR

By exact match on the issuer's DN.
This is indicated by a leading hash mark, directly followed by a slash and then directly followed by the RFC-2253 encoded DN of the issuer. This should return the Root cert of the issuer. See note above.
    #/CN=Root Cert,O=Poets,L=Paris,C=FR

By exact match on serial number and issuer's DN.
This is indicated by a hash mark, followed by the hexadecimal representation of the serial number, then followed by a slash and the RFC-2253 encoded DN of the issuer. See note above.
    #4F03/CN=Root Cert,O=Poets,L=Paris,C=FR

By keygrip.
This is indicated by an ampersand followed by the 40 hex digits of a keygrip. gpgsm prints the keygrip when using the command --dump-cert.
    &D75F22C3F86E355877348498CDC92BD21010A480

By substring match.
This is the default mode but applications may want to explicitly indicate this by putting the asterisk in front. Match is not case sensitive.
    Heine
    *Heine

. and + prefixes
These prefixes are reserved for looking up mails anchored at the end and for a word search mode. They are not yet implemented and using them is undefined.

Please note that we have reused the hash mark identifier which was used in old GnuPG versions to indicate the so called local-id. It is not anymore used and there should be no conflict when used with X.509 stuff.
Using the RFC-2253 format of DNs has the drawback that it is not possible to map them back to the original encoding, however we don't have to do this because our key database stores this encoding as meta data.




Examples:

$ gpgsm -er goo@bar.net <plaintext >ciphertext




Files:

There are a few configuration files to control certain aspects of gpgsm's operation. Unless noted, they are expected in the current home directory (see: [option --homedir]).

gpgsm.conf
This is the standard configuration file read by gpgsm on startup. It may contain any valid long option; the leading two dashes may not be entered and the option may not be abbreviated. This default name may be changed on the command line (see: [gpgsm-option --options]). You should backup this file.

policies.txt
This is a list of allowed CA policies. This file should list the object identifiers of the policies line by line. Empty lines and lines starting with a hash mark are ignored. Policies missing in this file and not marked as critical in the certificate will print only a warning; certificates with policies marked as critical and not listed in this file will fail the signature verification. You should backup this file.
For example, to allow only the policy 2.289.9.9, the file should look like this:
    # Allowed policies
    2.289.9.9

qualified.txt
This is the list of root certificates used for qualified certificates. They are defined as certificates capable of creating legally binding signatures in the same way as handwritten signatures are. Comments start with a hash mark and empty lines are ignored. Lines do have a length limit but this is not a serious limitation as the format of the entries is fixed and checked by gpgsm: A non-comment line starts with optional whitespace, followed by exactly 40 hex characters, white space and a lower-cased 2 letter country code. Additional data delimited by white space is currently ignored but might later be used for other purposes.
Note that even if a certificate is listed in this file, this does not mean that the certificate is trusted; in general the certificates listed in this file need to be listed also in ‘trustlist.txt’.
This is a global file and installed in the data directory (e.g. ‘/usr/share/gnupg/qualified.txt’). GnuPG installs a suitable file with root certificates as used in Germany. As new Root-CA certificates may be issued over time, these entries may need to be updated; new distributions of this software should come with an updated list but it is still the responsibility of the Administrator to check that this list is correct.
Every time gpgsm uses a certificate for signing or verification this file will be consulted to check whether the certificate under question has ultimately been issued by one of these CAs. If this is the case the user will be informed that the verified signature represents a legally binding (``qualified'') signature. When creating a signature using such a certificate an extra prompt will be issued to let the user confirm that such a legally binding signature shall really be created.
Because this software has not yet been approved for use with such certificates, appropriate notices will be shown to indicate this fact.

help.txt
This is a plain text file with a few help entries used with pinentry as well as a large list of help items for gpg and gpgsm. The standard file has English help texts; to install localized versions use filenames like ‘help.LL.txt’ with LL denoting the locale. GnuPG comes with a set of predefined help files in the data directory (e.g. ‘/usr/share/gnupg/gnupg/help.de.txt’) and allows overriding of any help item by help files stored in the system configuration directory (e.g. ‘/etc/gnupg/help.de.txt’). For a reference of the help file's syntax, please see the installed ‘help.txt’ file.

com-certs.pem
This file is a collection of common certificates used to populate a newly created ‘pubring.kbx’. An administrator may replace this file with a custom one. The format is a concatenation of PEM encoded X.509 certificates. This global file is installed in the data directory (e.g. ‘/usr/share/gnupg/com-certs.pem’).

Note that on larger installations, it is useful to put predefined files into the directory ‘/etc/skel/.gnupg/’ so that newly created users start up with a working configuration. For existing users a small helper script is provided to create these files (see: [addgnupghome]).

For internal purposes gpgsm creates and maintains a few other files; they all live in the current home directory (see: [option --homedir]).

pubring.kbx
This is a database file storing the certificates as well as meta information. For debugging purposes the tool kbxutil may be used to show the internal structure of this file. You should backup this file.

random_seed
The content of this file is used to maintain the internal state of the random number generator across invocations. The same file is used by other programs of this software too.

S.gpg-agent
If this file exists gpgsm will first try to connect to this socket for accessing gpg-agent before starting a new gpg-agent instance. Under Windows this socket (which in reality is a plain file describing a regular TCP listening port) is the standard way of connecting the gpg-agent.
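The user-ID forms listed under "How to Specify a User ID" are distinguished purely by prefix and by the length of hex strings, which matters for scripts that pass untrusted input to gpgsm: a string meant as a substring search can silently turn into a key-ID lookup, or vice versa. The following classifier is an added example written for this page, not GnuPG's own parser; it mirrors the documented rules, treats 0x-prefixed strings of an undocumented length and malformed '#' forms as errors (an assumption of this example, the page does not say what gpgsm does with them), and the fingerprint used in the usage lines is the page's keygrip value reused as a constructed 40-hex-digit input:

```python
import re

HEX = "[0-9A-Fa-f]"


def classify_user_id(spec: str) -> dict:
    """Return a dict describing how gpgsm would interpret the user-ID string `spec`.

    Example code for this page: the rules follow the documented list of forms,
    not GnuPG source; edge cases not covered by the documentation are assumptions.
    """
    s = spec.strip()
    if not s:
        raise ValueError("empty user ID")
    if s[0] in ".+":                      # reserved prefixes: documented as not implemented
        return {"kind": "reserved", "value": s[1:]}
    if s[0] == "=":                       # gpg only; meaningless for X.509 certificates
        return {"kind": "openpgp_exact_uid", "value": s[1:]}
    if s[0] == "<" and s[-1] == ">":
        return {"kind": "email_exact", "value": s[1:-1]}
    if s[0] == "@":
        return {"kind": "email_substring", "value": s[1:]}
    if s[0] == "/":                       # RFC 2253 subject DN (the --with-colons form)
        return {"kind": "subject_dn", "value": s[1:]}
    if s.startswith("#/"):
        return {"kind": "issuer_dn", "value": s[2:]}
    m = re.fullmatch(r"#(" + HEX + r"+)/(.+)", s)
    if m:
        return {"kind": "serial_and_issuer", "serial": m.group(1).upper(), "issuer": m.group(2)}
    if s[0] == "#":
        # Assumption: anything else after '#' is a malformed issuer/serial form.
        raise ValueError("'#' must be followed by /DN or by <hex serial>/DN")
    if s[0] == "&":
        grip = s[1:]
        if not re.fullmatch(HEX + "{40}", grip):
            raise ValueError("keygrip must be exactly 40 hex digits")
        return {"kind": "keygrip", "value": grip.upper()}
    if s[0] == "*":                       # explicit substring search
        return {"kind": "substring", "value": s[1:]}

    # Hex forms: optional 0x prefix; colons between byte pairs are accepted for
    # fingerprints because that is how X.509 fingerprints are usually printed.
    has_0x = s[:2].lower() == "0x"
    body = s[2:] if has_0x else s
    if re.fullmatch(r"(?:" + HEX + r"{2}:)+" + HEX + r"{2}", body):
        body = body.replace(":", "")
    if re.fullmatch(HEX + "+", body):
        n = len(body)
        if n == 40:                       # SHA-1 fingerprint, the only one gpgsm knows
            return {"kind": "fingerprint", "value": body.upper()}
        if n in (8, 16):                  # short/long key ID: low bits of the fingerprint
            return {"kind": "keyid", "value": body.upper()}
    if has_0x:
        # Assumption: a 0x string that is neither key ID nor fingerprint is a mistake
        # worth rejecting instead of quietly becoming a substring search.
        raise ValueError(f"0x-prefixed string is not a key ID or fingerprint: {spec!r}")
    return {"kind": "substring", "value": s}   # default mode, case-insensitive in gpgsm


if __name__ == "__main__":
    for example in ("234567C4", "@heinrichh", "#4F03/CN=Root Cert,O=Poets,L=Paris,C=FR",
                    "d7:5f:22:c3:f8:6e:35:58:77:34:84:98:cd:c9:2b:d2:10:10:a4:80", "Heine"):
        print(f"{example!r:70} -> {classify_user_id(example)}")
```

The practical rule the function encodes is the one the page itself gives: for any automated processing, pass the 40-hex-digit fingerprint (or the keygrip) rather than a key ID or a name, so that the lookup cannot be ambiguous.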
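The two list files described under "Files" (‘policies.txt’ and ‘qualified.txt’) are simple enough to parse and apply in a script, for example to audit which certificate policies and which qualified-signature roots an installation accepts. The following is an added example written for this page, not GnuPG code: the file contents are constructed, the regular expression encodes the qualified.txt line format as documented, the warn/fail split for policies follows the description above, and malformed qualified.txt lines are skipped (the page says gpgsm checks the format; how it reacts to a bad line is not described, so skipping is an assumption of this example). The only real OID is the page's own example policy 2.289.9.9; the fingerprints are constructed:

```python
import re
from typing import Dict, Iterable, List, Set, Tuple

# Constructed file contents for this example.
POLICIES_TXT = """\
# Allowed policies
2.289.9.9
"""

QUALIFIED_TXT = """\
# root CAs whose certificates yield qualified signatures (constructed entries)
D75F22C3F86E355877348498CDC92BD21010A480 de
  0123456789ABCDEF0123456789ABCDEF01234567 fr   extra data ignored
deadbeef de          # too short: not a valid entry
"""

# Documented format: optional whitespace, exactly 40 hex characters, whitespace,
# a lower-cased two-letter country code; anything after that is ignored.
_QUALIFIED_LINE = re.compile(r"^\s*([0-9A-Fa-f]{40})\s+([a-z]{2})(?:\s.*)?$")


def parse_policies(text: str) -> Set[str]:
    """Allowed policy OIDs from policies.txt; blank lines and '#' comments are skipped."""
    oids: Set[str] = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if not re.fullmatch(r"\d+(?:\.\d+)+", line):
            raise ValueError(f"not a dotted-decimal OID: {line!r}")
        oids.add(line)
    return oids


def parse_qualified(text: str) -> Dict[str, str]:
    """Map root fingerprint (upper-case hex) -> country code; malformed lines are skipped."""
    roots: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _QUALIFIED_LINE.match(line)
        if m:
            roots[m.group(1).upper()] = m.group(2)
    return roots


def check_policies(cert_policies: Iterable[Tuple[str, bool]],
                   allowed: Set[str]) -> Tuple[str, List[str]]:
    """Apply the documented rule to a certificate's (oid, critical) policy list.

    A policy missing from policies.txt only warns when the extension is not
    critical, but fails signature verification when it is critical.
    Returns ("ok" | "warn" | "fail", messages).
    """
    status, messages = "ok", []
    for oid, critical in cert_policies:
        if oid in allowed:
            continue
        if critical:
            status = "fail"
            messages.append(f"critical policy {oid} not in policies.txt")
        else:
            if status == "ok":
                status = "warn"
            messages.append(f"policy {oid} not in policies.txt (warning only)")
    return status, messages


def is_qualified(chain_fingerprints: List[str], roots: Dict[str, str]) -> bool:
    """True if the chain's root (last fingerprint, signer first) is a listed qualified CA.

    Listing alone does not make the root trusted: the page requires it to appear
    in trustlist.txt as well, which this helper does not check.
    """
    if not chain_fingerprints:
        return False
    return chain_fingerprints[-1].replace(":", "").upper() in roots


if __name__ == "__main__":
    allowed = parse_policies(POLICIES_TXT)
    roots = parse_qualified(QUALIFIED_TXT)
    print("allowed policies:", allowed)
    print("qualified roots:", roots)
    print(check_policies([("2.289.9.9", True), ("1.2.3.4", False)], allowed))
    print(is_qualified(["AA" * 20, "D75F22C3F86E355877348498CDC92BD21010A480"], roots))
```

Running this on a real installation means reading the files from the data directory (‘/usr/share/gnupg/qualified.txt’) and the home directory (‘policies.txt’), and comparing the result with the fingerprints in ‘trustlist.txt’, since a qualified root that is not also trusted will not validate at all.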