Previous: , Up: GPGSM Options   [Contents][Index]

5.2.5 Doing things one usually do not want to do

--extra-digest-algo name

Sometimes signatures are broken in that they announce a different digest algorithm than actually used. gpgsm uses a one-pass data processing model and thus needs to rely on the announced digest algorithms to properly hash the data. As a workaround this option may be used to tell gpgsm to also hash the data using the algorithm name; this slows processing down a little bit but allows verification of such broken signatures. If gpgsm prints an error like “digest algo 8 has not been enabled” you may want to try this option, with ‘SHA256’ for name.

--faked-system-time epoch

This option is only useful for testing; it sets the system time back or forth to epoch which is the number of seconds elapsed since the year 1970. Alternatively epoch may be given as a full ISO time string (e.g. "20070924T154812").


Include ephemeral flagged keys in the output of key listings. Note that they are included anyway if the key specification for a listing is given as fingerprint or keygrip.

--debug-level level

Select the debug level for investigating problems. level may be a numeric value or by a keyword:


No debugging at all. A value of less than 1 may be used instead of the keyword.


Some basic debug messages. A value between 1 and 2 may be used instead of the keyword.


More verbose debug messages. A value between 3 and 5 may be used instead of the keyword.


Even more detailed messages. A value between 6 and 8 may be used instead of the keyword.


All of the debug messages you can get. A value greater than 8 may be used instead of the keyword. The creation of hash tracing files is only enabled if the keyword is used.

How these messages are mapped to the actual debugging flags is not specified and may change with newer releases of this program. They are however carefully selected to best aid in debugging.

--debug flags

This option is only useful for debugging and the behaviour may change at any time without notice; using --debug-levels is the preferred method to select the debug verbosity. FLAGS are bit encoded and may be given in usual C-Syntax. The currently defined bits are:

0 (1)

X.509 or OpenPGP protocol related data

1 (2)

values of big number integers

2 (4)

low level crypto operations

5 (32)

memory allocation

6 (64)


7 (128)

show memory statistics

9 (512)

write hashed data to files named dbgmd-000*

10 (1024)

trace Assuan protocol

Note, that all flags set using this option may get overridden by --debug-level.


Same as --debug=0xffffffff


Usually gpgsm tries to avoid dumping core by well written code and by disabling core dumps for security reasons. However, bugs are pretty durable beasts and to squash them it is sometimes useful to have a core dump. This option enables core dumps unless the Bad Thing happened before the option parsing.


This is actually not a debugging option but only useful as such. It lets gpgsm bypass all certificate chain validation checks.


This is actually not a debugging option but only useful as such. It lets gpgsm ignore all notAfter dates, this is used by the regression tests.

--passphrase-fd n

Read the passphrase from file descriptor n. Only the first line will be read from file descriptor n. If you use 0 for n, the passphrase will be read from STDIN. This can only be used if only one passphrase is supplied.

Note that this passphrase is only used if the option --batch has also been given.

--pinentry-mode mode

Set the pinentry mode to mode. Allowed values for mode are:


Use the default of the agent, which is ask.


Force the use of the Pinentry.


Emulate use of Pinentry’s cancel button.


Return a Pinentry error (“No Pinentry”).


Redirect Pinentry queries to the caller. Note that in contrast to Pinentry the user is not prompted again if he enters a bad password.

--request-origin origin

Tell gpgsm to assume that the operation ultimately originated at origin. Depending on the origin certain restrictions are applied and the Pinentry may include an extra note on the origin. Supported values for origin are: local which is the default, remote to indicate a remote origin or browser for an operation requested by a web browser.


Suppress the import of common certificates on keybox creation.

All the long options may also be given in the configuration file after stripping off the two leading dashes.

Previous: , Up: GPGSM Options   [Contents][Index]