manpagez: man pages & more
man gpg-agent(1)
Home | html | info | man
gpg-agent(1)                 GNU Privacy Guard 2.4                gpg-agent(1)


NAME

       gpg-agent - Secret key management for GnuPG


SYNOPSIS

       gpg-agent [--homedir dir] [--options file] [options]
       gpg-agent [--homedir dir] [--options file] [options] --server
       gpg-agent [--homedir dir] [--options file] [options] --daemon
       [command_line]



DESCRIPTION

       gpg-agent is a daemon to manage secret (private) keys independently
       from any protocol.  It is used as a backend for gpg and gpgsm as well
       as for a couple of other utilities.

       The agent is automatically started on demand by gpg, gpgsm, gpgconf, or
       gpg-connect-agent.  Thus there is no reason to start it manually.  In
       case you want to use the included Secure Shell Agent you may start the
       agent using:


         gpg-connect-agent /bye


       If you want to manually terminate the currently-running agent, you can
       safely do so with:

         gpgconf --kill gpg-agent


       You should always add the following lines to your .bashrc or whatever
       initialization file is used for all shell invocations:

         GPG_TTY=$(tty)
         export GPG_TTY


       It is important that this environment variable always reflects the
       output of the tty command.  For W32 systems this option is not
       required.

       Please make sure that a proper pinentry program has been installed
       under the default filename (which is system dependent) or use the
       option pinentry-program to specify the full name of that program.  It
       is often useful to install a symbolic link from the actual used
       pinentry (e.g. `/opt/local/bin/pinentry-gtk') to the expected one (e.g.
       `/opt/local/bin/pinentry').





COMMANDS

       Commands are not distinguished from options except for the fact that
       only one command is allowed.


       --version
              Print the program version and licensing information.  Note that
              you cannot abbreviate this command.


       --help
       -h     Print a usage message summarizing the most useful command-line
              options.  Note that you cannot abbreviate this command.


       --dump-options
              Print a list of all available options and commands.  Note that
              you cannot abbreviate this command.


       --server
              Run in server mode and wait for commands on the stdin.  The
              default mode is to create a socket and listen for commands
              there.


       --daemon [command line]
              Start the gpg-agent as a daemon; that is, detach it from the
              console and run it in the background.

              As an alternative you may create a new process as a child of
              gpg-agent: gpg-agent --daemon /bin/sh.  This way you get a new
              shell with the environment setup properly; after you exit from
              this shell, gpg-agent terminates within a few seconds.


       --supervised
              Run in the foreground, sending logs by default to stderr, and
              listening on provided file descriptors, which must already be
              bound to listening sockets.  This option is deprecated and not
              supported on Windows.

              If in `common.conf' the option no-autostart is set, any start
              attempts will be ignored.

              In --supervised mode, different file descriptors can be provided
              for use as different socket types (e.g. ssh, extra) as long as
              they are identified in the environment variable LISTEN_FDNAMES
              (see sd_listen_fds(3) on some Linux distributions for more
              information on this convention).


OPTIONS

       Options may either be used on the command line or, after stripping off
       the two leading dashes, in the configuration file.




       --options file
              Reads configuration from file instead of from the default per-
              user configuration file.  The default configuration file is
              named `gpg-agent.conf' and expected in the `.gnupg' directory
              directly below the home directory of the user.  This option is
              ignored if used in an options file.



       --homedir dir
              Set the name of the home directory to dir. If this option is not
              used, the home directory defaults to `~/.gnupg'.  It is only
              recognized when given on the command line.  It also overrides
              any home directory stated through the environment variable
              `GNUPGHOME' or (on Windows systems) by means of the Registry
              entry HKCU\Software\GNU\GnuPG:HomeDir.

              On Windows systems it is possible to install GnuPG as a portable
              application.  In this case only this command line option is
              considered, all other ways to set a home directory are ignored.



       -v
       --verbose
              Outputs additional information while running.  You can increase
              the verbosity by giving several verbose commands to gpg-agent,
              such as `-vv'.


       -q
       --quiet
              Try to be as quiet as possible.


       --batch
              Don't invoke a pinentry or do any other thing requiring human
              interaction.


       --faked-system-time epoch
              This option is only useful for testing; it sets the system time
              back or forth to epoch which is the number of seconds elapsed
              since the year 1970.


       --debug-level level
              Select the debug level for investigating problems. level may be
              a numeric value or a keyword:


              none   No debugging at all.  A value of less than 1 may be used
                     instead of the keyword.

              basic  Some basic debug messages.  A value between 1 and 2 may
                     be used instead of the keyword.

              advanced
                     More verbose debug messages.  A value between 3 and 5 may
                     be used instead of the keyword.

              expert Even more detailed messages.  A value between 6 and 8 may
                     be used instead of the keyword.

              guru   All of the debug messages you can get. A value greater
                     than 8 may be used instead of the keyword.  The creation
                     of hash tracing files is only enabled if the keyword is
                     used.

       How these messages are mapped to the actual debugging flags is not
       specified and may change with newer releases of this program. They are
       however carefully selected to best aid in debugging.


       --debug flags
              Set debug flags.  All flags are or-ed and flags may be given in
              C syntax (e.g. 0x0042) or as a comma separated list of flag
              names.  To get a list of all supported flags the single word
              "help" can be used. This option is only useful for debugging and
              the behavior may change at any time without notice.


       --debug-all
              Same as --debug=0xffffffff


       --debug-wait n
              When running in server mode, wait n seconds before entering the
              actual processing loop and print the pid.  This gives time to
              attach a debugger.


       --debug-quick-random
              This option inhibits the use of the very secure random quality
              level (Libgcrypt's GCRY_VERY_STRONG_RANDOM) and degrades all
              request down to standard random quality.  It is only used for
              testing and should not be used for any production quality keys.
              This option is only effective when given on the command line.

              On GNU/Linux, another way to quickly generate insecure keys is
              to use rngd to fill the kernel's entropy pool with lower quality
              random data.  rngd is typically provided by the rng-tools
              package.  It can be run as follows: `sudo rngd -f -r
              /dev/urandom'.


       --debug-pinentry
              This option enables extra debug information pertaining to the
              Pinentry.  As of now it is only useful when used along with
              --debug 1024.


       --no-detach
              Don't detach the process from the console.  This is mainly
              useful for debugging.


       --steal-socket
              In --daemon mode, gpg-agent detects an already running gpg-agent
              and does not allow one to start a new instance. This option can
              be used to override this check: the new gpg-agent process will
              try to take over the communication sockets from the already
              running process and start anyway.  This option should in general
              not be used.



       -s
       --sh
       -c
       --csh  Format the info output in daemon mode for use with the standard
              Bourne shell or the C-shell respectively.  The default is to
              guess it based on the environment variable SHELL which is
              correct in almost all cases.



       --grab
       --no-grab
              Tell the pinentry to grab the keyboard and mouse.  This option
              should be used on X-Servers to avoid X-sniffing attacks. Any use
              of the option --grab overrides an used option --no-grab.  The
              default is --no-grab.



       --log-file file
              Append all logging output to file.  This is very helpful in
              seeing what the agent actually does. Use `socket://' to log to
              socket.  If neither a log file nor a log file descriptor has
              been set on a Windows platform, the Registry entry
              HKCU\Software\GNU\GnuPG:DefaultLogFile, if set, is used to
              specify the logging output.




       --no-allow-mark-trusted
              Do not allow clients to mark keys as trusted, i.e. put them into
              the `trustlist.txt' file.  This makes it harder for users to
              inadvertently accept Root-CA keys.




       --no-user-trustlist
              Entirely ignore the user trust list and consider only the global
              trustlist (`/opt/local/etc/gnupg/trustlist.txt').  This implies
              the [option --no-allow-mark-trusted].


       --sys-trustlist-name file
              Changes the default name for the global trustlist from
              "trustlist.txt" to file.  If file does not contain any slashes
              and does not start with "~/" it is searched in the system
              configuration directory (`/opt/local/etc/gnupg').



       --allow-preset-passphrase
              This option allows the use of gpg-preset-passphrase to seed the
              internal cache of gpg-agent with passphrases.



       --no-allow-loopback-pinentry

       --allow-loopback-pinentry
              Disallow or allow clients to use the loopback pinentry features;
              see the option pinentry-mode for details.  Allow is the default.

              The --force option of the Assuan command DELETE_KEY is also
              controlled by this option: The option is ignored if a loopback
              pinentry is disallowed.


       --no-allow-external-cache
              Tell Pinentry not to enable features which use an external cache
              for passphrases.

              Some desktop environments prefer to unlock all credentials with
              one master password and may have installed a Pinentry which
              employs an additional external cache to implement such a policy.
              By using this option the Pinentry is advised not to make use of
              such a cache and instead always ask the user for the requested
              passphrase.


       --allow-emacs-pinentry
              Tell Pinentry to allow features to divert the passphrase entry
              to a running Emacs instance.  How this is exactly handled
              depends on the version of the used Pinentry.


       --ignore-cache-for-signing
              This option will let gpg-agent bypass the passphrase cache for
              all signing operation.  Note that there is also a per-session
              option to control this behavior but this command line option
              takes precedence.


       --default-cache-ttl n
              Set the time a cache entry is valid to n seconds.  The default
              is 600 seconds.  Each time a cache entry is accessed, the
              entry's timer is reset.  To set an entry's maximum lifetime, use
              max-cache-ttl.  Note that a cached passphrase may not be evicted
              immediately from memory if no client requests a cache operation.
              This is due to an internal housekeeping function which is only
              run every few seconds.


       --default-cache-ttl-ssh n
              Set the time a cache entry used for SSH keys is valid to n
              seconds.  The default is 1800 seconds.  Each time a cache entry
              is accessed, the entry's timer is reset.  To set an entry's
              maximum lifetime, use max-cache-ttl-ssh.


       --max-cache-ttl n
              Set the maximum time a cache entry is valid to n seconds.  After
              this time a cache entry will be expired even if it has been
              accessed recently or has been set using gpg-preset-passphrase.
              The default is 2 hours (7200 seconds).


       --max-cache-ttl-ssh n
              Set the maximum time a cache entry used for SSH keys is valid to
              n seconds.  After this time a cache entry will be expired even
              if it has been accessed recently or has been set using
              gpg-preset-passphrase.  The default is 2 hours (7200 seconds).


       --enforce-passphrase-constraints
              Enforce the passphrase constraints by not allowing the user to
              bypass them using the ``Take it anyway'' button.


       --min-passphrase-len n
              Set the minimal length of a passphrase.  When entering a new
              passphrase shorter than this value a warning will be displayed.
              Defaults to 8.


       --min-passphrase-nonalpha n
              Set the minimal number of digits or special characters required
              in a passphrase.  When entering a new passphrase with less than
              this number of digits or special characters a warning will be
              displayed.  Defaults to 1.


       --check-passphrase-pattern file
       --check-sym-passphrase-pattern file
              Check the passphrase against the pattern given in file.  When
              entering a new passphrase matching one of these pattern a
              warning will be displayed.  If file does not contain any slashes
              and does not start with "~/" it is searched in the system
              configuration directory (`/opt/local/etc/gnupg').  The default
              is not to use any pattern file.  The second version of this
              option is only used when creating a new symmetric key to allow
              the use of different patterns for such passphrases.

              Security note: It is known that checking a passphrase against a
              list of pattern or even against a complete dictionary is not
              very effective to enforce good passphrases.  Users will soon
              figure up ways to bypass such a policy.  A better policy is to
              educate users on good security behavior and optionally to run a
              passphrase cracker regularly on all users passphrases to catch
              the very simple ones.


       --max-passphrase-days n
              Ask the user to change the passphrase if n days have passed
              since the last change.  With --enforce-passphrase-constraints
              set the user may not bypass this check.


       --enable-passphrase-history
              This option does nothing yet.


       --pinentry-invisible-char char
              This option asks the Pinentry to use char for displaying hidden
              characters.  char must be one character UTF-8 string.  A
              Pinentry may or may not honor this request.


       --pinentry-timeout n
              This option asks the Pinentry to timeout after n seconds with no
              user input.  The default value of 0 does not ask the pinentry to
              timeout, however a Pinentry may use its own default timeout
              value in this case.  A Pinentry may or may not honor this
              request.


       --pinentry-formatted-passphrase
              This option asks the Pinentry to enable passphrase formatting
              when asking the user for a new passphrase and masking of the
              passphrase is turned off.

              If passphrase formatting is enabled, then all non-breaking space
              characters are stripped from the entered passphrase.  Passphrase
              formatting is mostly useful in combination with passphrases
              generated with the GENPIN feature of some Pinentries.  Note that
              such a generated passphrase, if not modified by the user, skips
              all passphrase constraints checking because such constraints
              would actually weaken the generated passphrase.


       --pinentry-program filename
              Use program filename as the PIN entry.  The default is
              installation dependent.  With the default configuration the name
              of the default pinentry is `pinentry'; if that file does not
              exist but a `pinentry-basic' exist the latter is used.

              On a Windows platform the default is to use the first existing
              program from this list: `bin\pinentry.exe',
              `..\Gpg4win\bin\pinentry.exe', `..\Gpg4win\pinentry.exe',
              `..\GNU\GnuPG\pinentry.exe', `..\GNU\bin\pinentry.exe',
              `bin\pinentry-basic.exe' where the file names are relative to
              the GnuPG installation directory.



       --pinentry-touch-file filename
              By default the filename of the socket gpg-agent is listening for
              requests is passed to Pinentry, so that it can touch that file
              before exiting (it does this only in curses mode).  This option
              changes the file passed to Pinentry to filename.  The special
              name /dev/null may be used to completely disable this feature.
              Note that Pinentry will not create that file, it will only
              change the modification and access time.



       --scdaemon-program filename
              Use program filename as the Smartcard daemon.  The default is
              installation dependent and can be shown with the gpgconf
              command.


       --disable-scdaemon
              Do not make use of the scdaemon tool.  This option has the
              effect of disabling the ability to do smartcard operations.
              Note, that enabling this option at runtime does not kill an
              already forked scdaemon.


       --disable-check-own-socket
              gpg-agent employs a periodic self-test to detect a stolen
              socket.  This usually means a second instance of gpg-agent has
              taken over the socket and gpg-agent will then terminate itself.
              This option may be used to disable this self-test for debugging
              purposes.


       --use-standard-socket
       --no-use-standard-socket
       --use-standard-socket-p
              Since GnuPG 2.1 the standard socket is always used.  These
              options have no more effect.  The command gpg-agent
              --use-standard-socket-p will thus always return success.


       --display string
       --ttyname string
       --ttytype string
       --lc-ctype string
       --lc-messages string
       --xauthority string
              These options are used with the server mode to pass localization
              information.


       --keep-tty
       --keep-display
              Ignore requests to change the current tty or X window system's
              DISPLAY variable respectively.  This is useful to lock the
              pinentry to pop up at the tty or display you started the agent.


       --listen-backlog n
              Set the size of the queue for pending connections.  The default
              is 64.



       --extra-socket name
              The extra socket is created by default, you may use this option
              to change the name of the socket.  To disable the creation of
              the socket use ``none'' or ``/dev/null'' for name.

              Also listen on native gpg-agent connections on the given socket.
              The intended use for this extra socket is to setup a Unix domain
              socket forwarding from a remote machine to this socket on the
              local machine.  A gpg running on the remote machine may then
              connect to the local gpg-agent and use its private keys.  This
              enables decrypting or signing data on a remote machine without
              exposing the private keys to the remote machine.


       --enable-extended-key-format
       --disable-extended-key-format
              These options are obsolete and have no effect.  The extended key
              format is used for years now and has been supported since
              2.1.12.  Existing keys in the old format are migrated to the new
              format as soon as they are touched.




       --enable-ssh-support
       --enable-win32-openssh-support
       --enable-putty-support

              On Unix platforms the OpenSSH Agent protocol is always enabled,
              but gpg-agent will only set the SSH_AUTH_SOCK variable if the
              option enable-ssh-support is given.  Some Linux distributions
              use the presence of this option to decide whether the old ssh-
              agent shall be started.

              On Windows support for the native ssh implementation must be
              enabled using the the option enable-win32-openssh-support.  For
              using gpg-agent as a replacement for PuTTY's Pageant, the option
              enable-putty-support must be enabled.

              In this mode of operation, the agent does not only implement the
              gpg-agent protocol, but also the agent protocol used by OpenSSH
              (through a separate socket or via Named Pipes) or the protocol
              used by PuTTY.  Consequently, this allows one to use the gpg-
              agent as a drop-in replacement for the ssh-agent.

              SSH keys, which are to be used through the agent, need to be
              added to the gpg-agent initially through the ssh-add utility.
              When a key is added, ssh-add will ask for the password of the
              provided key file and send the unprotected key material to the
              agent; this causes the gpg-agent to ask for a passphrase, which
              is to be used for encrypting the newly received key and storing
              it in a gpg-agent specific directory.

              Once a key has been added to the gpg-agent this way, the gpg-
              agent will be ready to use the key.

              Note: in case the gpg-agent receives a signature request, the
              user might need to be prompted for a passphrase, which is
              necessary for decrypting the stored key.  Since the ssh-agent
              protocol does not contain a mechanism for telling the agent on
              which display/terminal it is running, gpg-agent's ssh-support
              will use the TTY or X display where gpg-agent has been started.
              To switch this display to the current one, the following command
              may be used:

         gpg-connect-agent updatestartuptty /bye

       Although all GnuPG components try to start the gpg-agent as needed,
       this is not possible for the ssh support because ssh does not know
       about it.  Thus if no GnuPG tool which accesses the agent has been run,
       there is no guarantee that ssh is able to use gpg-agent for
       authentication.  To fix this you may start gpg-agent if needed using
       this simple command:

         gpg-connect-agent /bye

       Adding the --verbose shows the progress of starting the agent.

       The --enable-putty-support is only available under Windows and allows
       the use of gpg-agent with the ssh implementation putty.  This is
       similar to the regular ssh-agent support but makes use of Windows
       message queue as required by putty.


       The order in which keys are presented to ssh are:


              Negative Use-for-ssh values
                           If a key file has the attribute "Use-for-ssh" and
                     its value is
                           negative, these keys are presented first to ssh.
                     The negative
                           values are capped at -999 with -999 being lower
                     ranked than -1.
                           These values can be used to prefer on-disk keys
                     over keys taken
                           from active cards.


              Active cards
                           Active cards (inserted into a card reader or
                     plugged in tokens)
                           are always tried; they are ordered by their serial
                     numbers.


              Keys listed in the sshcontrol file
                           Non-disabled keys from the sshcontrol file are
                     presented in the
                           order they appear in this file.  Note that the
                     sshcontrol file
                           is deprecated.


              Positive Use-for-ssh values
                           If a key file has the attribute "Use-for-ssh" and
                     its value is
                           "yes", "true", or any positive number the key is
                     presented in
                           the order of their values.  "yes" and "true" have a
                     value of 1;
                           other values are capped at 99999.


       Editing the "Use-for-ssh" values can be done with an editor or using
       gpg-connect-agent and "KEYATTR" (Remember to append a colon to the key;
       i.e. use "Use-for-ssh:").




       --ssh-fingerprint-digest

              Select the digest algorithm used to compute ssh fingerprints
              that are communicated to the user, e.g. in pinentry dialogs.
              OpenSSH has transitioned from using MD5 to the more secure
              SHA256.



       --auto-expand-secmem n
              Allow Libgcrypt to expand its secure memory area as required.
              The optional value n is a non-negative integer with a suggested
              size in bytes of each additionally allocated secure memory area.
              The value is rounded up to the next 32 KiB; usual C style
              prefixes are allowed.  For an heavy loaded gpg-agent with many
              concurrent connection this option avoids sign or decrypt errors
              due to out of secure memory error returns.


       --s2k-calibration milliseconds
              Change the default calibration time to milliseconds.  The given
              value is capped at 60 seconds; a value of 0 resets to the
              compiled-in default.  This option is re-read on a SIGHUP (or
              gpgconf --reload gpg-agent) and the S2K count is then re-
              calibrated.


       --s2k-count n
              Specify the iteration count used to protect the passphrase.
              This option can be used to override the auto-calibration done by
              default.  The auto-calibration computes a count which requires
              by default 100ms to mangle a given passphrase.  See also
              --s2k-calibration.

              To view the actually used iteration count and the milliseconds
              required for an S2K operation use:

         gpg-connect-agent 'GETINFO s2k_count' /bye
         gpg-connect-agent 'GETINFO s2k_time' /bye

       To view the auto-calibrated count use:

         gpg-connect-agent 'GETINFO s2k_count_cal' /bye






EXAMPLES

       It is important to set the environment variable GPG_TTY in your login
       shell, for example in the `~/.bashrc' init script:

           export GPG_TTY=$(tty)

       If you enabled the Ssh Agent Support, you also need to tell ssh about
       it by adding this to your init script:

         unset SSH_AGENT_PID
         if [ "${gnupg_SSH_AUTH_SOCK_by:-0}" -ne $$ ]; then
           export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
         fi





FILES

       There are a few configuration files needed for the operation of the
       agent. By default they may all be found in the current home directory
       (see: [option --homedir]).



       gpg-agent.conf
                This is the standard configuration file read by gpg-agent on
                startup.  It may contain any valid long option; the leading
                two dashes may not be entered and the option may not be
              abbreviated.
                This file is also read after a SIGHUP however only a few
                options will actually have an effect.  This default name may
              be
                changed on the command line (see: [option --options]).
                You should backup this file.


       trustlist.txt
                This is the list of trusted keys.  You should backup this
              file.

                Comment lines, indicated by a leading hash mark, as well as
              empty
                lines are ignored.  To mark a key as trusted you need to enter
              its
                fingerprint followed by a space and a capital letter S.
              Colons
                may optionally be used to separate the bytes of a fingerprint;
              this
                enables cutting and pasting the fingerprint from a key listing
              output.  If
                the line is prefixed with a ! the key is explicitly marked as
                not trusted.

                Here is an example where two keys are marked as ultimately
              trusted
                and one as not trusted:

                  .RS 2
                # CN=Wurzel ZS 3,O=Intevation GmbH,C=DE
                A6935DD34EF3087973C706FC311AA2CCF733765B S

                # CN=PCA-1-Verwaltung-02/O=PKI-1-Verwaltung/C=DE
                DC:BD:69:25:48:BD:BB:7E:31:6E:BB:80:D3:00:80:35:D4:F8:A6:CD S

                # CN=Root-CA/O=Schlapphuete/L=Pullach/C=DE
                !14:56:98:D3:FE:9C:CA:5A:31:6E:BC:81:D3:11:4E:00:90:A3:44:C2 S
                .fi

       Before entering a key into this file, you need to ensure its
       authenticity.  How to do this depends on your organisation; your
       administrator might have already entered those keys which are deemed
       trustworthy enough into this file.  Places where to look for the
       fingerprint of a root certificate are letters received from the CA or
       the website of the CA (after making 100% sure that this is indeed the
       website of that CA).  You may want to consider disallowing interactive
       updates of this file by using the [option --no-allow-mark-trusted].
       It might even be advisable to change the permissions to read-only so
       that this file can't be changed inadvertently.

       As a special feature a line include-default will include a global
       list of trusted certificates (e.g. `/opt/local/etc/gnupg/trustlist.txt').
       This global list is also used if the local list is not available;
       the [option --no-user-trustlist] enforces the use of only
       this global list.

       It is possible to add further flags after the S for use by the
       caller:



              relax  Relax checking of some root certificate requirements.  As of now this
                     flag allows the use of root certificates with a missing basicConstraints
                     attribute (despite that it is a MUST for CA certificates) and disables
                     CRL checking for the root certificate.


              cm     If validation of a certificate finally issued by a CA with this flag set
                     fails, try again using the chain validation model.


              qual   The CA is allowed to issue certificates for qualified signatures.
                     This flag has an effect only if used in the global list.  This is now
                     the preferred way to mark such CA; the old way of having a separate
                     file `qualified.txt' is still supported.


              de-vs  The CA is part of an approved PKI for the German classification level
                     VS-NfD.  It is only valid in the global trustlist.  As of now this is
                     used only for documentation purpose.




       sshcontrol
              This file is used when support for the secure shell agent protocol has
              been enabled (see: [option --enable-ssh-support]). Only keys present in
              this file are used in the SSH protocol.  You should backup this file.

              This file is deprecated in favor of the "Use-for-ssh" attribute in the
              key files.

              The ssh-add tool may be used to add new entries to this file;
              you may also add them manually.  Comment lines, indicated by a leading
              hash mark, as well as empty lines are ignored.  An entry starts with
              optional whitespace, followed by the keygrip of the key given as 40 hex
              digits, optionally followed by the caching TTL in seconds and another
              optional field for arbitrary flags.  A non-zero TTL overrides the global
              default as set by --default-cache-ttl-ssh.

              The only flag support is confirm.  If this flag is found for a
              key, each use of the key will pop up a pinentry to confirm the use of
              that key.  The flag is automatically set if a new key was loaded into
              gpg-agent using the option -c of the ssh-add
              command.

              The keygrip may be prefixed with a ! to disable an entry.

              The following example lists exactly one key.  Note that keys available
              through a OpenPGP smartcard in the active smartcard reader are
              implicitly added to this list; i.e. there is no need to list them.

                # Key added on: 2011-07-20 20:38:46
                # Fingerprint:  5e:8d:c4:ad:e7:af:6e:27:8a:d6:13:e4:79:ad:0b:81
                34B62F25E277CF13D3C6BCEBFD3F85D08F0A864B 0 confirm


       private-keys-v1.d/

                This is the directory where gpg-agent stores the private keys.
              Each
                key is stored in a file with the name made up of the keygrip
              and the
                suffix `key'.  You should backup all files in this directory
                and take great care to keep this backup closed away.



       Note that on larger installations, it is useful to put predefined files
       into the directory `/opt/local/etc/skel/.gnupg' so that newly created
       users start up with a working configuration.  For existing users the a
       small helper script is provided to create these files (see:
       [addgnupghome]).





SIGNALS

       A running gpg-agent may be controlled by signals, i.e. using the kill
       command to send a signal to the process.

       Here is a list of supported signals:



       SIGHUP This signal flushes all cached passphrases and if the program
              has been started with a configuration file, the configuration
              file is read again.  Only certain options are honored: quiet,
              verbose, debug, debug-all, debug-level, debug-pinentry, no-grab,
              pinentry-program, pinentry-invisible-char, default-cache-ttl,
              max-cache-ttl, ignore-cache-for-signing, s2k-count,
              no-allow-external-cache, allow-emacs-pinentry,
              no-allow-mark-trusted, disable-scdaemon, and
              disable-check-own-socket.  scdaemon-program is also supported
              but due to the current implementation, which calls the scdaemon
              only once, it is not of much use unless you manually kill the
              scdaemon.



       SIGTERM
              Shuts down the process but waits until all current requests are
              fulfilled.  If the process has received 3 of these signals and
              requests are still pending, a shutdown is forced.


       SIGINT Shuts down the process immediately.


       SIGUSR1
              Dump internal information to the log file.


       SIGUSR2
              This signal is used for internal purposes.





SEE ALSO

       gpg(1), gpgsm(1), gpgconf(1), gpg-connect-agent(1), scdaemon(1)

       The full documentation for this tool is maintained as a Texinfo manual.
       If GnuPG and the info program are properly installed at your site, the
       command

         info gnupg

       should give you access to the complete manual including a menu
       structure and an index.

GnuPG 2.4.5                       2024-03-04                      gpg-agent(1)

gnupg 2.4.5 - Generated Sat Mar 16 18:43:03 CDT 2024
© manpagez.com 2000-2024
Individual documents may contain additional copyright information.