File: gnupg.info,  Node: GPG Input and Output,  Next: OpenPGP Options,  Prev: GPG Key related Options,  Up: GPG Options

4.2.3 Input and Output
----------------------

'--armor'
'-a'
     Create ASCII armored output.  The default is to create the binary
     OpenPGP format.

'--no-armor'
     Assume the input data is not in ASCII armored format.

'--output FILE'
'-o FILE'
     Write output to FILE.  To write to stdout use '-' as the filename.

'--max-output N'
     This option sets a limit on the number of bytes that will be
     generated when processing a file.  Since OpenPGP supports various
     levels of compression, it is possible that the plaintext of a given
     message may be significantly larger than the original OpenPGP
     message.  While GnuPG works properly with such messages, there is
     often a desire to set a maximum file size that will be generated
     before processing is forced to stop by the OS limits.  Defaults to
     0, which means "no limit".

'--chunk-size N'
     The AEAD encryption mode encrypts the data in chunks so that a
     receiving side can check for transmission errors or tampering at
     the end of each chunk and does not need to delay this until all
     data has been received.  The chunk size used is 2^N bytes.  The
     lowest allowed value for N is 6 (64 bytes) and the largest is the
     default of 22 which creates chunks not larger than 4 MiB.

'--input-size-hint N'
     This option can be used to tell GPG the size of the input data in
     bytes.  N must be a positive base-10 number.  This option is only
     useful if the input is not taken from a file.  GPG may use this
     hint to optimize its buffer allocation strategy.  It is also used
     by the '--status-fd' line "PROGRESS" to provide a value for "total"
     if that is not available by other means.

'--key-origin STRING[,URL]'
     gpg can track the origin of a key.  Certain origins are implicitly
     known (e.g. keyserver, web key directory) and set.  For a standard
     import the origin of the keys imported can be set with this option.
     To list the possible values use "help" for STRING.
     Some origins can store an optional URL argument.  That URL can be
     appended to STRING after a comma.

'--import-options PARAMETERS'
     This is a space or comma delimited string that gives options for
     importing keys.  Options can be prepended with a 'no-' to give the
     opposite meaning.  The options are:

     import-local-sigs
          Allow importing key signatures marked as "local".  This is not
          generally useful unless a shared keyring scheme is being used.
          Defaults to no.

     keep-ownertrust
          Normally any ownertrust values still existing for a key are
          cleared when the key is imported.  This is in general
          desirable so that a formerly deleted key does not
          automatically gain ownertrust values merely due to import.
          On the other hand it is sometimes necessary to re-import a
          trusted set of keys while keeping already assigned ownertrust
          values.  This can be achieved by using this option.

     repair-pks-subkey-bug
          During import, attempt to repair the damage caused by the PKS
          keyserver bug (pre version 0.9.6) that mangles keys with
          multiple subkeys.  Note that this cannot completely repair the
          damaged key as some crucial data is removed by the keyserver,
          but it does at least give you back one subkey.  Defaults to no
          for regular '--import' and to yes for keyserver
          '--receive-keys'.

     import-show
     show-only
          Show a listing of the key as imported right before it is
          stored.  This can be combined with the option '--dry-run' to
          only look at keys; the option 'show-only' is a shortcut for
          this combination.  The command '--show-keys' is another
          shortcut for this.  Note that suffixes like '#' for "sec" and
          "ssb" lines may or may not be printed.

     import-export
          Run the entire import code but instead of storing the key to
          the local keyring write it to the output.  The export option
          'export-dane' affects the output.  This option can for example
          be used to remove all invalid parts from a key without the
          need to store it.

     merge-only
          During import, allow key updates to existing keys, but do not
          allow any new keys to be imported.
          Defaults to no.

     import-clean
          After import, compact (remove all signatures except the
          self-signature) any user IDs from the new key that are not
          usable.  Then, remove any signatures from the new key that are
          not usable.  This includes signatures that were issued by keys
          that are not present on the keyring.  This option is the same
          as running the '--edit-key' command "clean" after import.
          Defaults to no.

     self-sigs-only
          Accept only self-signatures while importing a key.  All other
          key signatures are skipped at an early import stage.  This
          option can be used with 'keyserver-options' to mitigate
          attempts to flood a key with bogus signatures from a
          keyserver.  The drawback is that all other valid key
          signatures, as required by the Web of Trust, are also not
          imported.  Note that when using this option along with
          import-clean it suppresses the final clean step after merging
          the imported key into the existing key.

     ignore-attributes
          Ignore all attribute user IDs (photo IDs) and their signatures
          while importing a key.

     repair-keys
          After import, fix various problems with the keys.  For
          example, this reorders signatures, and strips duplicate
          signatures.  Defaults to yes.

     bulk-import
          When used the keyboxd (option 'use-keyboxd' in 'common.conf')
          does the import within a single transaction.

     import-minimal
          Import the smallest key possible.  This removes all signatures
          except the most recent self-signature on each user ID.  This
          option is the same as running the '--edit-key' command
          "minimize" after import.  Defaults to no.

     restore
     import-restore
          Import in key restore mode.  This imports all data which is
          usually skipped during import; including all GnuPG specific
          data.  All other contradicting options are overridden.

'--import-filter {NAME=EXPR}'
'--export-filter {NAME=EXPR}'
     These options define an import/export filter which is applied to
     the imported/exported keyblock right before it will be
     stored/written.  NAME defines the type of filter to use, EXPR the
     expression to evaluate.
     The option can be used several times which then appends more
     expressions to the same NAME.

     The available filter types are:

     keep-uid
          This filter will keep a user id packet and its dependent
          packets in the keyblock if the expression evaluates to true.

     drop-subkey
          This filter drops the selected subkeys.  Currently only
          implemented for '--export-filter'.

     drop-sig
          This filter drops the selected key signatures on user ids.
          Self-signatures are not considered.  Currently only
          implemented for '--import-filter'.

     select
          This filter is only implemented by '--list-filter'.  All
          property names may be used.

     For the syntax of the expression see the chapter "FILTER
     EXPRESSIONS".  The property names for the expressions depend on the
     actual filter type and are indicated in the following table.  Note
     that all property names may also be used by '--list-filter'.

     Property names may be prefixed with a scope delimited by a slash.
     Valid scopes are "pub" for public and secret primary keys, "sub"
     for public and secret subkeys, "uid" for user-ID packets, and "sig"
     for signature packets.  Invalid scopes are currently ignored.

     The available properties are:

     uid
          A string with the user id.  (keep-uid)

     mbox
          The addr-spec part of a user id with mailbox or the empty
          string.  (keep-uid)

     algostr
          A string with the key algorithm description.  For example
          "rsa3072" or "ed25519".

     key_algo
          A number with the public key algorithm of a key or subkey
          packet.  (drop-subkey)

     key_size
          A number with the effective key size of a key or subkey
          packet.  (drop-subkey)

     key_created
     key_created_d
          The first is the timestamp a public key or subkey packet was
          created.  The second is the same but given as an ISO string,
          e.g. "2016-08-17".  (drop-subkey)

     key_expires
     key_expires_d
          The expiration time of a public key or subkey or 0 if it does
          not expire.  The second is the same but given as an ISO date
          string or an empty string e.g. "2038-01-19".

     fpr
          The hexified fingerprint of the current subkey or primary key.
          (drop-subkey)

     primary
          Boolean indicating whether the user id is the primary one.
          (keep-uid)

     expired
          Boolean indicating whether a user id (keep-uid), a key
          (drop-subkey), or a signature (drop-sig) expired.

     revoked
          Boolean indicating whether a user id (keep-uid) or a key
          (drop-subkey) has been revoked.

     disabled
          Boolean indicating whether a primary key is disabled.

     secret
          Boolean indicating whether a key or subkey is a secret one.
          (drop-subkey)

     usage
          A string indicating the usage flags for the subkey, from the
          sequence "ecsa?".  For example, a subkey capable of just
          signing and authentication would be an exact match for "sa".
          (drop-subkey)

     sig_created
     sig_created_d
          The first is the timestamp a signature packet was created.
          The second is the same but given as an ISO date string, e.g.
          "2016-08-17".  (drop-sig)

     sig_expires
     sig_expires_d
          The expiration time of a signature packet or 0 if it does not
          expire.  The second is the same but given as an ISO date
          string or an empty string e.g. "2038-01-19".

     sig_algo
          A number with the public key algorithm of a signature packet.
          (drop-sig)

     sig_digest_algo
          A number with the digest algorithm of a signature packet.
          (drop-sig)

     origin
          A string with the key origin or a question mark.  For example
          the string "wkd" is used if a key originated from a Web Key
          Directory lookup.

     lastupd
          The timestamp the key was last updated from a keyserver or the
          Web Key Directory.

     url
          A string with the URL associated with the last key lookup.

'--export-options PARAMETERS'
     This is a space or comma delimited string that gives options for
     exporting keys.  Options can be prepended with a 'no-' to give the
     opposite meaning.  The options are:

     export-local-sigs
          Allow exporting key signatures marked as "local".  This is not
          generally useful unless a shared keyring scheme is being used.
          Defaults to no.

     export-attributes
          Include attribute user IDs (photo IDs) while exporting.
          Not including attribute user IDs is useful to export keys that
          are going to be used by an OpenPGP program that does not
          accept attribute user IDs.  Defaults to yes.

     export-sensitive-revkeys
          Include designated revoker information that was marked as
          "sensitive".  Defaults to no.

     backup
     export-backup
          Export for use as a backup.  The exported data includes all
          data which is needed to restore the key or keys later with
          GnuPG.  The format is basically the OpenPGP format but
          enhanced with GnuPG specific data.  All other contradicting
          options are overridden.

     export-clean
          Compact (remove all signatures from) user IDs on the key being
          exported if the user IDs are not usable.  Also, do not export
          any signatures that are not usable.  This includes signatures
          that were issued by keys that are not present on the keyring.
          This option is the same as running the '--edit-key' command
          "clean" before export except that the local copy of the key is
          not modified.  Defaults to no.

     export-minimal
          Export the smallest key possible.  This removes all signatures
          except the most recent self-signature on each user ID.  This
          option is the same as running the '--edit-key' command
          "minimize" before export except that the local copy of the key
          is not modified.  Defaults to no.

     export-revocs
          Export only standalone revocation certificates of the key.
          This option does not export revocations of 3rd party
          certificate revocations.

     export-dane
          Instead of outputting the key material, output OpenPGP DANE
          records suitable to put into DNS zone files.  An ORIGIN line
          is printed before each record to allow diverting the records
          to the corresponding zone file.

     mode1003
          Enable the use of a new secret key export format.  This format
          avoids the re-encryption as required with the current OpenPGP
          format and also improves the security of the secret key if it
          has been protected with a passphrase.
          Note that an unprotected key is exported as-is and thus not
          secure; the general rule to convey secret keys in an OpenPGP
          encrypted file still applies with this mode.  Versions of
          GnuPG before 2.4.0 are not able to import such a secret file.

'--with-colons'
     Print key listings delimited by colons.  Note that the output will
     be encoded in UTF-8 regardless of any '--display-charset' setting.
     This format is useful when GnuPG is called from scripts and other
     programs as it is easily machine parsed.  The details of this
     format are documented in the file 'doc/DETAILS', which is included
     in the GnuPG source distribution.

'--fixed-list-mode'
     Do not merge primary user ID and primary key in '--with-colons'
     listing mode and print all timestamps as seconds since 1970-01-01.
     Since GnuPG 2.0.10, this mode is always used and thus this option
     is obsolete; it does no harm to use it though.

'--legacy-list-mode'
     Revert to the pre-2.1 public key list mode.  This only affects the
     human readable output and not the machine interface (i.e.
     '--with-colons').  Note that the legacy format does not convey
     suitable information for elliptic curves.

'--with-fingerprint'
     Same as the command '--fingerprint' but changes only the format of
     the output and may be used together with another command.

'--with-subkey-fingerprint'
     If a fingerprint is printed for the primary key, this option forces
     printing of the fingerprint for all subkeys.  This could also be
     achieved by using the '--with-fingerprint' twice but by using this
     option along with keyid-format "none" a compact fingerprint is
     printed.

'--with-v5-fingerprint'
     In a colon mode listing emit "fp2" lines for version 4 OpenPGP keys
     having a v5 style fingerprint of the key.

'--with-icao-spelling'
     Print the ICAO spelling of the fingerprint in addition to the hex
     digits.

'--with-keygrip'
     Include the keygrip in the key listings.  In '--with-colons' mode
     this is implicitly enabled for secret keys.

'--with-key-origin'
     Include the locally held information on the origin and last update
     of a key in a key listing.  In '--with-colons' mode this is always
     printed.  This data is currently experimental and shall not be
     considered part of the stable API.

'--with-wkd-hash'
     Print a Web Key Directory identifier along with each user ID in key
     listings.  This is an experimental feature and semantics may
     change.

'--with-secret'
     Include info about the presence of a secret key in public key
     listings done with '--with-colons'.
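
The '--with-colons' listing described above is what scripts should parse instead of the human readable output. The following is an added example, not part of the GnuPG manual or source: a small parser that groups "pub"/"sub"/"fpr"/"uid" records and reports expired or revoked keys. The sample listing is constructed, the names Key, parse_colons and unusable are hypothetical, and the field positions used are those given in 'doc/DETAILS'.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample of `gpg --with-colons --list-keys` output (not a real key).
SAMPLE = r"""pub:u:255:22:89ABCDEF01234567:1471392000:2147472000::u:::scESC:::::ed25519:::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1471392000::0000000000000000000000000000000000000000::Alice Example (ops\x3a signing) <alice@example.org>::::::::::0:
sub:e:255:18:76543210FEDCBA98:1471392000:1502928000:::::e:::::cv25519::
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
"""

@dataclass
class Key:
    kind: str                 # pub, sec, sub or ssb
    validity: str             # field 2, e.g. "e" expired, "r" revoked
    keyid: str                # field 5
    expires: Optional[int]    # field 7, seconds since 1970-01-01
    caps: str                 # field 12, key capabilities
    fpr: str = ""
    uids: list = field(default_factory=list)
    subkeys: list = field(default_factory=list)

def _unescape(s):
    # User IDs are quoted like C strings; a literal colon arrives as \x3a.
    return re.sub(r"\\x([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), s)

def parse_colons(text):
    keys, primary, last = [], None, None
    for line in text.splitlines():
        f = line.split(":") + [""] * 12      # pad so short records index safely
        if f[0] in ("pub", "sec", "sub", "ssb"):
            last = Key(f[0], f[1], f[4], int(f[6]) if f[6].isdigit() else None, f[11])
            if f[0] in ("pub", "sec"):
                primary = last
                keys.append(last)
            elif primary is not None:
                primary.subkeys.append(last)
        elif f[0] == "fpr" and last is not None and not last.fpr:
            last.fpr = f[9]                  # fingerprint is in field 10
        elif f[0] == "uid" and primary is not None:
            primary.uids.append(_unescape(f[9]))
    return keys

def unusable(keys, now):
    """Fingerprints of primary keys and subkeys expired or revoked at `now`."""
    return [k.fpr for p in keys for k in [p] + p.subkeys
            if k.validity in ("e", "r") or (k.expires and k.expires <= now)]
```

Record types not handled here (for example "fp2" or "grp") are skipped rather than rejected, so the parser keeps working when options such as '--with-v5-fingerprint' or '--with-keygrip' add lines.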