
File: gnupg.info,  Node: Esoteric Options,  Prev: CMS Options,  Up: GPGSM Options

5.2.5 Doing things one usually does not want to do
--------------------------------------------------

'--chuid UID'
     Change the current user to UID which may either be a number or a
     name.  This can be used from the root account to run gpgsm for
     another user.  If UID is not the current UID a standard PATH is set
     and the envvar GNUPGHOME is unset.  To override the latter the
     option '--homedir' can be used.  This option has an effect only
     when used on the command line.  It currently has no effect at all
     on Windows.

'--extra-digest-algo NAME'
     Sometimes signatures are broken in that they announce a different
     digest algorithm than actually used.  'gpgsm' uses a one-pass data
     processing model and thus needs to rely on the announced digest
     algorithms to properly hash the data.  As a workaround this option
     may be used to tell 'gpgsm' to also hash the data using the
     algorithm NAME; this slows processing down a little bit but allows
     verification of such broken signatures.  If 'gpgsm' prints an error
     like "digest algo 8 has not been enabled" you may want to try this
     option, with 'SHA256' for NAME.

'--compliance STRING'
     Set the compliance mode.  Valid values are shown when using "help"
     for STRING.

'--min-rsa-length N'
     This option adjusts the compliance mode "de-vs" for stricter key
     size requirements.  For example, a value of 3000 turns rsa2048 and
     dsa2048 keys into non-VS-NfD compliant keys.

'--require-compliance'
     To check that data has been encrypted according to the rules of the
     current compliance mode, a gpgsm user needs to evaluate the status
     lines.  This allows frontends to handle compliance checks in a
     more flexible way.  However, for scripted use the required
     evaluation of the status lines requires quite some effort; this
     option can be used instead to make sure that the gpgsm process
     exits with a failure if the compliance rules are not fulfilled.
     Note that this option currently has an effect only in "de-vs" mode.

'--assert-signer FPR_OR_FILE'
     This option checks whether at least one valid signature on a file
     has been made with the specified key.  The key is either specified
     as a fingerprint or a file listing fingerprints.  The fingerprint
     must be given or listed in compact format (no colons or spaces in
     between).  As of now only SHA-1 fingerprints are allowed.  This
     option can be given multiple times and each fingerprint is checked
     against the signing key as well as the corresponding primary key.
     If FPR_OR_FILE specifies a file, empty lines are ignored as well as
     all lines starting with a hash sign.  With this option gpgsm is
     guaranteed to return with an exit code of 0 if and only if a
     signature has been encountered, is valid, and the key matches one
     of the fingerprints given by this option.
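
     The list format described above, as an added example that is not
     part of the GnuPG manual: it rewrites a fingerprint list into the
     compact form and fails closed on malformed or empty lists.  The
     function names and the sample fingerprints are assumptions made up
     for the illustration.

```shell
#!/bin/sh
# Added example: prepare and use a fingerprint list for --assert-signer.

# Constructed sample list; the fingerprints are made-up values.
write_sample_list() {
    cat > "$1" <<'EOF'
# release signers (constructed values)

0123456789abcdef0123456789abcdef01234567
AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD
EOF
}

# normalize_fpr_list FILE
# Print one compact SHA-1 fingerprint (40 hex digits, no colons or
# spaces) per line.  Comments and empty lines are dropped.  Exits
# non-zero and prints nothing on stdout if any entry is malformed.
normalize_fpr_list() {
    awk '
        /^[ \t\r]*$/ || /^#/ { next }
        {
            fpr = toupper($0)
            gsub(/[: \t\r]/, "", fpr)
            if (fpr !~ /^[0-9A-F]+$/ || length(fpr) != 40) {
                print "line " NR ": not a SHA-1 fingerprint" | "cat 1>&2"
                bad = 1
                next
            }
            out = out fpr "\n"
        }
        END { if (bad) exit 1; printf "%s", out }
    ' "$1"
}

# verify_pinned LIST SIG DATA  (hypothetical helper name)
# Succeeds only if gpgsm saw a valid signature made by a listed key.
# Fails closed when the list is malformed or empty.
verify_pinned() {
    pinned=$(mktemp) || return 2
    if normalize_fpr_list "$1" > "$pinned" && [ -s "$pinned" ]; then
        gpgsm --assert-signer "$pinned" --verify "$2" "$3"
        rc=$?
    else
        rc=2
    fi
    rm -f "$pinned"
    return "$rc"
}
```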

'--always-trust'
     Force encryption to the specified certificates without any
     validation of the certificate chain.  The only requirement is that
     the certificate is capable of encryption.  Note that this option is
     ineffective if '--require-compliance' is used.

'--ignore-cert-with-oid OID'
     Add OID to the list of OIDs to be checked while reading
     certificates from smartcards.  The OID is expected to be in dotted
     decimal form, like '2.5.29.3'.  This option may be used more than
     once.  As of now certificates with an extended key usage matching
     one of those OIDs are ignored during a '--learn-card' operation and
     not imported.  This option can help to keep the local key database
     clear of unneeded certificates stored on smartcards.

'--faked-system-time EPOCH'
     This option is only useful for testing; it sets the system time
     back or forth to EPOCH which is the number of seconds elapsed since
     the year 1970.  Alternatively EPOCH may be given as a full ISO time
     string (e.g.  "20070924T154812").

'--with-ephemeral-keys'
     Include ephemeral flagged keys in the output of key listings.  Note
     that they are included anyway if the key specification for a
     listing is given as fingerprint or keygrip.

'--compatibility-flags FLAGS'
     Set compatibility flags to work around problems due to
     non-compliant certificates or data.  The FLAGS are given as a comma
     separated list of flag names and are OR-ed together.  The special
     flag "none" clears the list and allows one to start over with an
     empty list.  To get a list of available flags the sole word "help"
     can be used.

'--debug-level LEVEL'
     Select the debug level for investigating problems.  LEVEL may be a
     numeric value or a keyword:

     'none'
          No debugging at all.  A value of less than 1 may be used
          instead of the keyword.
     'basic'
          Some basic debug messages.  A value between 1 and 2 may be
          used instead of the keyword.
     'advanced'
          More verbose debug messages.  A value between 3 and 5 may be
          used instead of the keyword.
     'expert'
          Even more detailed messages.  A value between 6 and 8 may be
          used instead of the keyword.
     'guru'
          All of the debug messages you can get.  A value greater than 8
          may be used instead of the keyword.  The creation of hash
          tracing files is only enabled if the keyword is used.

     How these messages are mapped to the actual debugging flags is not
     specified and may change with newer releases of this program.  They
     are however carefully selected to best aid in debugging.

'--debug FLAGS'
     Set debug flags.  All flags are or-ed and FLAGS may be given in C
     syntax (e.g.  0x0042) or as a comma separated list of flag names.
     To get a list of all supported flags the single word "help" can be
     used.  This option is only useful for debugging and the behavior
     may change at any time without notice.

     Note that all flags set using this option may get overridden by
     '--debug-level'.

'--debug-all'
     Same as '--debug=0xffffffff'.

'--debug-allow-core-dump'
     Usually 'gpgsm' tries to avoid dumping core by well written code
     and by disabling core dumps for security reasons.  However, bugs
     are pretty durable beasts and to squash them it is sometimes useful
     to have a core dump.  This option enables core dumps unless the Bad
     Thing happened before the option parsing.

'--debug-no-chain-validation'
     This is actually not a debugging option but only useful as such.
     It lets 'gpgsm' bypass all certificate chain validation checks.

'--debug-ignore-expiration'
     This is actually not a debugging option but only useful as such.
     It lets 'gpgsm' ignore all notAfter dates; this is used by the
     regression tests.

'--passphrase-fd n'
     Read the passphrase from file descriptor 'n'.  Only the first line
     will be read from file descriptor 'n'.  If you use 0 for 'n', the
     passphrase will be read from STDIN. This can only be used if only
     one passphrase is supplied.

     Note that this passphrase is only used if the option '--batch' has
     also been given.

'--pinentry-mode mode'
     Set the pinentry mode to 'mode'.  Allowed values for 'mode' are:

     'default'
          Use the default of the agent, which is 'ask'.
     'ask'
          Force the use of the Pinentry.
     'cancel'
          Emulate use of Pinentry's cancel button.
     'error'
          Return a Pinentry error ("No Pinentry").
     'loopback'
          Redirect Pinentry queries to the caller.  Note that in
          contrast to Pinentry the user is not prompted again if he
          enters a bad password.

'--request-origin ORIGIN'
     Tell gpgsm to assume that the operation ultimately originated at
     ORIGIN.  Depending on the origin certain restrictions are applied
     and the Pinentry may include an extra note on the origin.
     Supported values for ORIGIN are: 'local' which is the default,
     'remote' to indicate a remote origin or 'browser' for an operation
     requested by a web browser.

'--no-common-certs-import'
     Suppress the import of common certificates on keybox creation.

   All the long options may also be given in the configuration file
after stripping off the two leading dashes.
