
File: gnupg.info,  Node: GPG Input and Output,  Next: OpenPGP Options,  Prev: GPG Key related Options,  Up: GPG Options

4.2.3 Input and Output
----------------------

'--armor'
'-a'
     Create ASCII armored output.  The default is to create the binary
     OpenPGP format.

'--no-armor'
     Assume the input data is not in ASCII armored format.

'--output FILE'
'-o FILE'
     Write output to FILE.  To write to stdout use '-' as the filename.

'--max-output N'
     This option sets a limit on the number of bytes that will be
     generated when processing a file.  Since OpenPGP supports various
     levels of compression, it is possible that the plaintext of a given
     message may be significantly larger than the original OpenPGP
     message.  While GnuPG works properly with such messages, there is
     often a desire to set a maximum file size that will be generated
     before processing is forced to stop by the OS limits.  Defaults to
     0, which means "no limit".

'--chunk-size N'
     The AEAD encryption mode encrypts the data in chunks so that a
     receiving side can check for transmission errors or tampering at
     the end of each chunk and does not need to delay this until all
     data has been received.  The chunk size used is 2^N bytes.  The
     lowest allowed value for N is 6 (64 bytes) and the largest is the
     default of 22, which creates chunks not larger than 4 MiB.

'--input-size-hint N'
     This option can be used to tell GPG the size of the input data in
     bytes.  N must be a positive base-10 number.  This option is only
     useful if the input is not taken from a file.  GPG may use this
     hint to optimize its buffer allocation strategy.  It is also used
     by the '--status-fd' line "PROGRESS" to provide a value for "total"
     if that is not available by other means.

'--key-origin STRING[,URL]'
     gpg can track the origin of a key.  Certain origins are implicitly
     known (e.g.  keyserver, web key directory) and set.  For a standard
     import the origin of the keys imported can be set with this option.
     To list the possible values use "help" for STRING.  Some origins
     can store an optional URL argument.  That URL can be appended to
     STRING after a comma.

'--import-options PARAMETERS'
     This is a space or comma delimited string that gives options for
     importing keys.  Options can be prepended with a 'no-' to give the
     opposite meaning.  The options are:

     import-local-sigs
          Allow importing key signatures marked as "local".  This is not
          generally useful unless a shared keyring scheme is being used.
          Defaults to no.

     keep-ownertrust
          Normally, any ownertrust values that still exist for a key
          are cleared if the key is imported.  This is in general
          desirable so that a formerly deleted key does not
          automatically gain an ownertrust value merely due to import.
          On the other hand, it is sometimes necessary to re-import a
          trusted set of keys while keeping the already assigned
          ownertrust values.  This can be achieved by using this option.

     repair-pks-subkey-bug
          During import, attempt to repair the damage caused by the PKS
          keyserver bug (pre version 0.9.6) that mangles keys with
          multiple subkeys.  Note that this cannot completely repair the
          damaged key as some crucial data is removed by the keyserver,
          but it does at least give you back one subkey.  Defaults to no
          for regular '--import' and to yes for keyserver
          '--receive-keys'.

     import-show
     show-only
          Show a listing of the key as imported right before it is
          stored.  This can be combined with the option '--dry-run' to
          only look at keys; the option 'show-only' is a shortcut for
          this combination.  The command '--show-keys' is another
          shortcut for this.  Note that suffixes like '#' for "sec" and
          "ssb" lines may or may not be printed.

     import-export
          Run the entire import code but instead of storing the key to
          the local keyring write it to the output.  The export option
          'export-dane' affects the output.  This option can for example
          be used to remove all invalid parts from a key without the
          need to store it.

     merge-only
          During import, allow key updates to existing keys, but do not
          allow any new keys to be imported.  Defaults to no.

     import-clean
          After import, compact (remove all signatures except the
          self-signature) any user IDs from the new key that are not
          usable.  Then, remove any signatures from the new key that are
          not usable.  This includes signatures that were issued by keys
          that are not present on the keyring.  This option is the same
          as running the '--edit-key' command "clean" after import.
          Defaults to no.

     self-sigs-only
          Accept only self-signatures while importing a key.  All other
          key signatures are skipped at an early import stage.  This
          option can be used with 'keyserver-options' to mitigate
          attempts to flood a key with bogus signatures from a
          keyserver.  The drawback is that all other valid key
          signatures, as required by the Web of Trust, are also not
          imported.  Note that when using this option along with
          import-clean it suppresses the final clean step after merging
          the imported key into the existing key.

     ignore-attributes
          Ignore all attribute user IDs (photo IDs) and their signatures
          while importing a key.

     repair-keys
          After import, fix various problems with the keys.  For
          example, this reorders signatures, and strips duplicate
          signatures.  Defaults to yes.

     bulk-import
          When this option is used, the keyboxd (option 'use-keyboxd'
          in 'common.conf') does the import within a single transaction.

     import-minimal
          Import the smallest key possible.  This removes all signatures
          except the most recent self-signature on each user ID. This
          option is the same as running the '--edit-key' command
          "minimize" after import.  Defaults to no.

     restore
     import-restore
          Import in key restore mode.  This imports all data which is
          usually skipped during import; including all GnuPG specific
          data.  All other contradicting options are overridden.

'--import-filter {NAME=EXPR}'
'--export-filter {NAME=EXPR}'
     These options define an import/export filter which is applied to
     the imported/exported keyblock right before it is stored/written.
     NAME defines the type of filter to use, EXPR the expression to
     evaluate.  The option can be used several times, which then
     appends more expressions to the same NAME.

     The available filter types are:

     keep-uid
          This filter will keep a user id packet and its dependent
          packets in the keyblock if the expression evaluates to true.

     drop-subkey
          This filter drops the selected subkeys.  Currently only
          implemented for '--export-filter'.

     drop-sig
          This filter drops the selected key signatures on user ids.
          Self-signatures are not considered.  Currently only
          implemented for '--import-filter'.

     select
          This filter is only implemented by '--list-filter'.  All
          property names may be used.

     For the syntax of the expression see the chapter "FILTER
     EXPRESSIONS". The property names for the expressions depend on the
     actual filter type and are indicated in the following table.  Note
     that all property names may also be used by '--list-filter'.

     Property names may be prefixed with a scope delimited by a slash.
     Valid scopes are "pub" for public and secret primary keys, "sub"
     for public and secret subkeys, "uid" for user-ID packets, and
     "sig" for signature packets.  Invalid scopes are currently ignored.

     The available properties are:

     uid
          A string with the user id.  (keep-uid)

     mbox
          The addr-spec part of a user id with mailbox or the empty
          string.  (keep-uid)

     algostr
          A string with the key algorithm description.  For example
          "rsa3072" or "ed25519".

     key_algo
          A number with the public key algorithm of a key or subkey
          packet.  (drop-subkey)

     key_size
          A number with the effective key size of a key or subkey
          packet.  (drop-subkey)

     key_created
     key_created_d
          The first is the timestamp a public key or subkey packet was
          created.  The second is the same but given as an ISO string,
          e.g.  "2016-08-17".  (drop-subkey)

     key_expires
     key_expires_d
          The expiration time of a public key or subkey or 0 if it does
          not expire.  The second is the same but given as an ISO date
          string or an empty string e.g.  "2038-01-19".

     fpr
          The hexified fingerprint of the current subkey or primary key.
          (drop-subkey)

     primary
          Boolean indicating whether the user id is the primary one.
          (keep-uid)

     expired
          Boolean indicating whether a user id (keep-uid), a key
          (drop-subkey), or a signature (drop-sig) expired.

     revoked
          Boolean indicating whether a user id (keep-uid) or a key
          (drop-subkey) has been revoked.

     disabled
          Boolean indicating whether a primary key is disabled.

     secret
          Boolean indicating whether a key or subkey is a secret one.
          (drop-subkey)

     usage
          A string indicating the usage flags for the subkey, from the
          sequence "ecsa?".  For example, a subkey capable of just
          signing and authentication would be an exact match for "sa".
          (drop-subkey)

     sig_created
     sig_created_d
          The first is the timestamp a signature packet was created.
          The second is the same but given as an ISO date string, e.g.
          "2016-08-17".  (drop-sig)

     sig_expires
     sig_expires_d
          The expiration time of a signature packet or 0 if it does not
          expire.  The second is the same but given as an ISO date
          string or an empty string e.g.  "2038-01-19".

     sig_algo
          A number with the public key algorithm of a signature packet.
          (drop-sig)

     sig_digest_algo
          A number with the digest algorithm of a signature packet.
          (drop-sig)

     origin
          A string with the key origin or a question mark.  For example
          the string "wkd" is used if a key originated from a Web Key
          Directory lookup.

     lastupd
          The timestamp the key was last updated from a keyserver or the
          Web Key Directory.

     url
          A string with the URL associated with the last key lookup.

'--export-options PARAMETERS'
     This is a space or comma delimited string that gives options for
     exporting keys.  Options can be prepended with a 'no-' to give the
     opposite meaning.  The options are:

     export-local-sigs
          Allow exporting key signatures marked as "local".  This is not
          generally useful unless a shared keyring scheme is being used.
          Defaults to no.

     export-attributes
          Include attribute user IDs (photo IDs) while exporting.  Not
          including attribute user IDs is useful to export keys that are
          going to be used by an OpenPGP program that does not accept
          attribute user IDs.  Defaults to yes.

     export-sensitive-revkeys
          Include designated revoker information that was marked as
          "sensitive".  Defaults to no.

     backup
     export-backup
          Export for use as a backup.  The exported data includes all
          data which is needed to restore the key or keys later with
          GnuPG. The format is basically the OpenPGP format but enhanced
          with GnuPG specific data.  All other contradicting options are
          overridden.

     export-clean
          Compact (remove all signatures from) user IDs on the key being
          exported if the user IDs are not usable.  Also, do not export
          any signatures that are not usable.  This includes signatures
          that were issued by keys that are not present on the keyring.
          This option is the same as running the '--edit-key' command
          "clean" before export except that the local copy of the key is
          not modified.  Defaults to no.

     export-minimal
          Export the smallest key possible.  This removes all signatures
          except the most recent self-signature on each user ID. This
          option is the same as running the '--edit-key' command
          "minimize" before export except that the local copy of the key
          is not modified.  Defaults to no.

     export-revocs
          Export only standalone revocation certificates of the key.
          This option does not export 3rd party certificate
          revocations.

     export-dane
          Instead of outputting the key material output OpenPGP DANE
          records suitable to put into DNS zone files.  An ORIGIN line
          is printed before each record to allow diverting the records
          to the corresponding zone file.

     mode1003
          Enable the use of a new secret key export format.  This format
          avoids the re-encryption as required with the current OpenPGP
          format and also improves the security of the secret key if it
          has been protected with a passphrase.  Note that an
          unprotected key is exported as-is and thus not secure; the
          general rule to convey secret keys in an OpenPGP encrypted
          file still applies with this mode.  Versions of GnuPG before
          2.4.0 are not able to import such a secret file.

'--with-colons'
     Print key listings delimited by colons.  Note that the output will
     be encoded in UTF-8 regardless of any '--display-charset' setting.
     This format is useful when GnuPG is called from scripts and other
     programs as it is easily machine parsed.  The details of this
     format are documented in the file 'doc/DETAILS', which is included
     in the GnuPG source distribution.
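
     The 'show-only' import option and '--with-colons' combine into an
     inspect-before-import check.  The following is an added example,
     not part of the GnuPG manual; the function names and the sample
     listing are constructed, and the record layout assumed is the one
     in 'doc/DETAILS' (fingerprint in field 10 of "fpr" records):

```shell
#!/bin/sh
# Added example. Sample data below is constructed, not real key material.

# Constructed stand-in for the output of:
#   gpg --with-colons --import-options show-only --import KEYFILE
sample_listing() {
  cat <<'EOF'
pub:-:255:22:1122334455667788:1700000000:::-:::scESC:::::ed25519:::0:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF1122334455667788:
uid:-::::1700000000::::Alice Example <alice@example.org>::::::::::0:
sub:-:255:18:99AABBCCDDEEFF00:1700000000::::::e:::::cv25519::
fpr:::::::::00001111222233334444555599AABBCCDDEEFF00:
EOF
}

# Print the fingerprint (field 10 of the "fpr" record) that follows the
# first "pub" or "sec" record; subkey fingerprints are not considered.
primary_fpr() {
  awk -F: '$1 == "pub" || $1 == "sec" { want = 1; next }
           $1 == "sub" || $1 == "ssb" { want = 0; next }
           $1 == "fpr" && want { print $10; exit }'
}

# Read a colon listing on stdin. Succeed only if it holds exactly one
# primary key and that key's fingerprint equals the pinned value in $1.
check_listing() {
  expected=$1
  listing=$(cat)
  count=$(printf '%s\n' "$listing" |
    awk -F: '$1 == "pub" || $1 == "sec" { n++ } END { print n + 0 }')
  [ "$count" -eq 1 ] || { echo "refusing: $count primary keys" >&2; return 1; }
  actual=$(printf '%s\n' "$listing" | primary_fpr)
  [ "$actual" = "$expected" ] || { echo "refusing: got $actual" >&2; return 1; }
}

# Inspect KEYFILE without storing anything, then import it only if the
# check passes. self-sigs-only skips third-party signatures on import.
verify_and_import() {
  keyfile=$1
  expected=$2
  gpg --batch --with-colons --import-options show-only --import "$keyfile" |
    check_listing "$expected" || return 1
  gpg --batch --import-options self-sigs-only --import "$keyfile"
}
```

     The pinned value is compared as a plain string, so pass the full
     fingerprint in upper-case hex without spaces.  KEYFILE is read
     twice, so it must not be writable by anyone else between the two
     gpg calls.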

'--fixed-list-mode'
     Do not merge primary user ID and primary key in '--with-colons'
     listing mode and print all timestamps as seconds since 1970-01-01.
     Since GnuPG 2.0.10, this mode is always used and thus this option
     is obsolete; it does no harm to use it, though.

'--legacy-list-mode'
     Revert to the pre-2.1 public key list mode.  This only affects the
     human readable output and not the machine interface (i.e.
     '--with-colons').  Note that the legacy format does not convey
     suitable information for elliptic curves.

'--with-fingerprint'
     Same as the command '--fingerprint' but changes only the format of
     the output and may be used together with another command.

'--with-subkey-fingerprint'
     If a fingerprint is printed for the primary key, this option forces
     printing of the fingerprint for all subkeys.  This could also be
     achieved by using '--with-fingerprint' twice, but by using this
     option along with keyid-format "none" a compact fingerprint is
     printed.

'--with-v5-fingerprint'
     In a colon mode listing emit "fp2" lines for version 4 OpenPGP keys
     having a v5 style fingerprint of the key.

'--with-icao-spelling'
     Print the ICAO spelling of the fingerprint in addition to the hex
     digits.

'--with-keygrip'
     Include the keygrip in the key listings.  In '--with-colons' mode
     this is implicitly enabled for secret keys.

'--with-key-origin'
     Include the locally held information on the origin and last update
     of a key in a key listing.  In '--with-colons' mode this is always
     printed.  This data is currently experimental and shall not be
     considered part of the stable API.

'--with-wkd-hash'
     Print a Web Key Directory identifier along with each user ID in key
     listings.  This is an experimental feature and semantics may
     change.

'--with-secret'
     Include info about the presence of a secret key in public key
     listings done with '--with-colons'.
