3.1.2 Commands to select the type of operation
- Make a signature. This command may be combined with --encrypt
(for a signed and encrypted message), --symmetric (for a
signed and symmetrically encrypted message), or --encrypt and
--symmetric together (for a signed message that may be
decrypted via a secret key or a passphrase). The key to be used for
signing is chosen by default or can be set with the
--local-user and --default-key options.
- Make a clear text signature. The content in a clear text signature is
readable without any special software. OpenPGP software is only needed
to verify the signature. Clear text signatures may modify end-of-line
whitespace for platform independence and are not intended to be
reversible. The key to be used for signing is chosen by default or
can be set with the --local-user and --default-key
- Make a detached signature.
- Encrypt data. This option may be combined with --sign (for a
signed and encrypted message), --symmetric (for a message that
may be decrypted via a secret key or a passphrase), or --sign
and --symmetric together (for a signed message that may be
decrypted via a secret key or a passphrase).
- Encrypt with a symmetric cipher using a passphrase. The default
symmetric cipher used is CAST5, but may be chosen with the
--cipher-algo option. This option may be combined with
--sign (for a signed and symmetrically encrypted message),
--encrypt (for a message that may be decrypted via a secret key
or a passphrase), or --sign and --encrypt together
(for a signed message that may be decrypted via a secret key or a
- Store only (make a simple RFC1991 literal data packet).
- Decrypt the file given on the command line (or STDIN if no file
is specified) and write it to STDOUT (or the file specified with
--output). If the decrypted file is signed, the signature is also
verified. This command differs from the default operation, as it never
writes to the filename which is included in the file and it rejects
files which don't begin with an encrypted message.
- Assume that the first argument is a signed file or a detached signature
and verify it without generating any output. With no arguments, the
signature packet is read from STDIN. If only a sigfile is given, it may
be a complete signature or a detached signature, in which case the
signed stuff is expected in a file without the ".sig" or ".asc"
extension. With more than 1 argument, the first should be a detached
signature and the remaining files are the signed stuff. To read the
signed stuff from STDIN, use ‘-’ as the second filename. For
security reasons a detached signature cannot read the signed material
from STDIN without denoting it in the above way.
Note: When verifying a cleartext signature, gpg verifies
only what makes up the cleartext signed data and not any extra data
outside of the cleartext signature or header lines following directly
the dash marker line. The option
--output may be used to write
out the actual signed data; but there are other pitfalls with this
format as well. It is suggested to avoid cleartext signatures in
favor of detached signatures.
- This modifies certain other commands to accept multiple files for
processing on the command line or read from STDIN with each filename on
a separate line. This allows for many files to be processed at
once. --multifile may currently be used along with
--verify, --encrypt, and --decrypt. Note that
--multifile --verify may not be used with detached signatures.
- Identical to --multifile --verify.
- Identical to --multifile --encrypt.
- Identical to --multifile --decrypt.
- List all keys from the public keyrings, or just the keys given on the
Avoid using the output of this command in scripts or other programs as
it is likely to change as GnuPG changes. See --with-colons for a
machine-parseable key listing command that is appropriate for use in
scripts and other programs.
- List all keys from the secret keyrings, or just the ones given on the
command line. A
# after the letters
sec means that the
secret key is not usable (for example, if it was created via
- Same as --list-keys, but the signatures are listed too.
This command has the same effect as
using --list-keys with --with-sig-list.
For each signature listed, there are several flags in between the "sig"
tag and keyid. These flags give additional information about each
signature. From left to right, they are the numbers 1-3 for certificate
check level (see --ask-cert-level), "L" for a local or
non-exportable signature (see --lsign-key), "R" for a
nonRevocable signature (see the --edit-key command "nrsign"),
"P" for a signature that contains a policy URL (see
--cert-policy-url), "N" for a signature that contains a
notation (see --cert-notation), "X" for an eXpired signature
(see --ask-cert-expire), and the numbers 1-9 or "T" for 10 and
above to indicate trust signature levels (see the --edit-key
- Same as --list-sigs, but the signatures are verified. Note
that for performance reasons the revocation status of a signing key is
This command has the same effect as
using --list-keys with --with-sig-check.
The status of the verification is indicated by a flag directly following
the "sig" tag (and thus before the flags described above for
--list-sigs). A "!" indicates that the signature has been
successfully verified, a "-" denotes a bad signature and a "%" is used
if an error occurred while checking the signature (e.g. a non supported
- Locate the keys given as arguments. This command basically uses the
same algorithm as used when locating keys for encryption or signing and
may thus be used to see what keys gpg2 might use. In
particular external methods as defined by --auto-key-locate may
be used to locate a key. Only public keys are listed.
- List all keys (or the specified ones) along with their
fingerprints. This is the same output as --list-keys but with
the additional output of a line with the fingerprint. May also be
combined with --list-sigs or --check-sigs. If this
command is given twice, the fingerprints of all secondary keys are
- List only the sequence of packets. This is mainly
useful for debugging.
- Present a menu to work with a smartcard. The subcommand "help" provides
an overview on available commands. For a detailed description, please
see the Card HOWTO at
- Show the content of the smart card.
- Present a menu to allow changing the PIN of a smartcard. This
functionality is also available as the subcommand "passwd" with the
- Remove key from the public keyring. In batch mode either --yes is
required or the key must be specified by fingerprint. This is a
safeguard against accidental deletion of multiple keys.
- Remove key from the secret keyring. In batch mode the key
must be specified by fingerprint.
- Same as --delete-key, but if a secret key exists, it will be
removed first. In batch mode the key must be specified by fingerprint.
- Either export all keys from all keyrings (default keyrings and those
registered via option --keyring), or if at least one name is given,
those of the given name. The new keyring is written to STDOUT or to the
file given with option --output. Use together with
--armor to mail those keys.
--send-keys key IDs
- Similar to --export but sends the keys to a keyserver.
Fingerprints may be used instead of key IDs. Option --keyserver
must be used to give the name of this keyserver. Don't send your
complete keyring to a keyserver — select only those keys which are new
or changed by you. If no key IDs are given, gpg does nothing.
- Same as --export, but exports the secret keys instead. This is
normally not very useful and a security risk. The second form of the
command has the special property to render the secret part of the
primary key useless; this is a GNU extension to OpenPGP and other
implementations can not be expected to successfully import such a key.
See the option --simple-sk-checksum if you want to import such
an exported key with an older OpenPGP implementation.
- Import/merge keys. This adds the given keys to the
keyring. The fast version is currently just a synonym.
There are a few other options which control how this command works.
Most notable here is the --import-options merge-only option
which does not insert new keys but does only the merging of new
signatures, user-IDs and subkeys.
--recv-keys key IDs
- Import the keys with the given key IDs from a keyserver. Option
--keyserver must be used to give the name of this keyserver.
- Request updates from a keyserver for keys that already exist on the
local keyring. This is useful for updating a key with the latest
signatures, user IDs, etc. Calling this with no arguments will refresh
the entire keyring. Option --keyserver must be used to give the
name of the keyserver for all keys that do not have preferred keyservers
set (see --keyserver-options honor-keyserver-url).
- Search the keyserver for the given names. Multiple names given here will
be joined together to create the search string for the keyserver.
Option --keyserver must be used to give the name of this
keyserver. Keyservers that support different search methods allow using
the syntax specified in "How to specify a user ID" below. Note that
different keyserver types support different search methods. Currently
only LDAP supports them all.
- Retrieve keys located at the specified URIs. Note that different
installations of GnuPG may support different protocols (HTTP, FTP,
- Do trust database maintenance. This command iterates over all keys and
builds the Web of Trust. This is an interactive command because it may
have to ask for the "ownertrust" values for keys. The user has to give
an estimation of how far she trusts the owner of the displayed key to
correctly certify (sign) other keys. GnuPG only asks for the ownertrust
value if it has not yet been assigned to a key. Using the
--edit-key menu, the assigned value can be changed at any time.
- Do trust database maintenance without user interaction. From time to
time the trust database must be updated so that expired keys or
signatures and the resulting changes in the Web of Trust can be
tracked. Normally, GnuPG will calculate when this is required and do it
automatically unless --no-auto-check-trustdb is set. This
command can be used to force a trust database check at any time. The
processing is identical to that of --update-trustdb but it
skips keys with a not yet defined "ownertrust".
For use with cron jobs, this command can be used together with
--batch in which case the trust database check is done only if
a check is needed. To force a run even in batch mode add the option
- Send the ownertrust values to STDOUT. This is useful for backup purposes
as these values are the only ones which can't be re-created from a
corrupted trustdb. Example:
gpg2 --export-ownertrust > otrust.txt
- Update the trustdb with the ownertrust values stored in
STDIN if not given); existing values will be overwritten. In case of a
severely damaged trustdb and if you have a recent backup of the
ownertrust values (e.g. in the file otrust.txt, you may re-create
the trustdb using these commands:
gpg2 --import-ownertrust < otrust.txt
- When updating from version 1.0.6 to 1.0.7 this command should be used
to create signature caches in the keyring. It might be handy in other
- Print message digest of algorithm ALGO for all given files or STDIN.
With the second form (or a deprecated "*" as algo) digests for all
available algorithms are printed.
--gen-random 0|1|2 count
- Emit count random bytes of the given quality level 0, 1 or 2. If
count is not given or zero, an endless sequence of random bytes
will be emitted. If used with --armor the output will be
base64 encoded. PLEASE, don't use this command unless you know what
you are doing; it may remove precious entropy from the system!
--gen-prime mode bits
- Use the source, Luke :-). The output format is still subject to change.
- Pack or unpack an arbitrary input into/from an OpenPGP ASCII armor.
This is a GnuPG extension to OpenPGP and in general not very useful.