Previous: CMS Options, Up: GPGSM Options [Contents][Index]
--chuid uid
Change the current user to uid which may either be a number or a name. This can be used from the root account to run gpgsm for another user. If uid is not the current UID a standard PATH is set and the envvar GNUPGHOME is unset. To override the latter the option --homedir can be used. This option has only an effect when used on the command line. This option has currently no effect at all on Windows.
--extra-digest-algo name
Sometimes signatures are broken in that they announce a different digest algorithm than actually used. gpgsm uses a one-pass data processing model and thus needs to rely on the announced digest algorithms to properly hash the data. As a workaround this option may be used to tell gpgsm to also hash the data using the algorithm name; this slows processing down a little bit but allows verification of such broken signatures. If gpgsm prints an error like “digest algo 8 has not been enabled” you may want to try this option, with ‘SHA256’ for name.
--compliance string
Set the compliance mode. Valid values are shown when using "help" for string.
--min-rsa-length n
This option adjusts the compliance mode "de-vs" for stricter key size requirements. For example, a value of 3000 turns rsa2048 and dsa2048 keys into non-VS-NfD compliant keys.
--require-compliance
To check that data has been encrypted according to the rules of the current compliance mode, a gpgsm user needs to evaluate the status lines. This allows frontends to handle the compliance check in a more flexible way. However, for scripted use the required evaluation of the status lines requires quite some effort; this option can be used instead to make sure that the gpgsm process exits with a failure if the compliance rules are not fulfilled. Note that this option currently has an effect only in "de-vs" mode.
--assert-signer fpr_or_file
This option checks whether at least one valid signature on a file has been made with the specified key. The key is either specified as a fingerprint or a file listing fingerprints. The fingerprint must be given or listed in compact format (no colons or spaces in between). As of now only SHA-1 fingerprints are allowed. This option can be given multiple times and each fingerprint is checked against the signing key as well as the corresponding primary key. If fpr_or_file specifies a file, empty lines are ignored as well as all lines starting with a hash sign. With this option gpgsm is guaranteed to return with an exit code of 0 if and only if a signature has been encountered, is valid, and the key matches one of the fingerprints given by this option.
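The following script is an added example and not part of the GnuPG manual. It builds an allow-list file in the format --assert-signer expects (one compact fingerprint per line, comment lines starting with a hash sign), then runs gpgsm so that the exit status alone tells a script whether a valid signature by one of the listed keys was found. The file names and fingerprints are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the GnuPG manual): gate on "signed by an allowed
# key" using gpgsm --verify --assert-signer. Assumes gpgsm is installed and
# the signed file is a CMS message gpgsm can verify.

# Normalize a fingerprint to the compact form --assert-signer requires
# (no colons or spaces in between), upper-cased for consistency.
compact_fpr() {
    printf '%s' "$1" | tr -d ': ' | tr 'a-f' 'A-F'
}

# Write an allow-list file: a comment header, then one compact fingerprint
# per line. gpgsm ignores empty lines and lines starting with '#'.
write_allowlist() {
    out=$1; shift
    printf '# allowed signer fingerprints (constructed example)\n' > "$out"
    for f in "$@"; do
        compact_fpr "$f" >> "$out"
        printf '\n' >> "$out"
    done
}

# Count the entries gpgsm will actually consider (skip comments and blanks).
allowlist_count() {
    grep -v '^#' "$1" | grep -c .
}

# Exit status 0 if and only if a signature was found, is valid, and its
# signing key or primary key matches one of the listed fingerprints.
verify_signed_by() {
    allowlist=$1; signed=$2
    gpgsm --batch --verify --assert-signer "$allowlist" "$signed" \
        >/dev/null 2>&1
}
```

In a pipeline, call `verify_signed_by allowed.txt release.p7m` and treat any non-zero status as "not signed by an approved key"; combine with --require-compliance when the "de-vs" rules must also hold.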
--always-trust
Force encryption to the specified certificates without any validation of the certificate chain. The only requirement is that the certificate is capable of encryption. Note that this option is ineffective if --require-compliance is used.
--ignore-cert-with-oid oid
Add oid to the list of OIDs to be checked while reading certificates from smartcards. The oid is expected to be in dotted decimal form, like 2.5.29.3. This option may be used more than once. As of now certificates with an extended key usage matching one of those OIDs are ignored during a --learn-card operation and not imported. This option can help to keep the local key database clear of unneeded certificates stored on smartcards.
--faked-system-time epoch
This option is only useful for testing; it sets the system time back or forth to epoch which is the number of seconds elapsed since the year 1970. Alternatively epoch may be given as a full ISO time string (e.g. "20070924T154812").
--with-ephemeral-keys
Include ephemeral flagged keys in the output of key listings. Note that they are included anyway if the key specification for a listing is given as fingerprint or keygrip.
--compatibility-flags flags
Set compatibility flags to work around problems due to non-compliant certificates or data. The flags are given as a comma separated list of flag names and are OR-ed together. The special flag "none" clears the list and allows one to start over with an empty list. To get a list of available flags the sole word "help" can be used.
--debug-level level
Select the debug level for investigating problems. level may be a numeric value or a keyword:
none
No debugging at all. A value of less than 1 may be used instead of the keyword.
basic
Some basic debug messages. A value between 1 and 2 may be used instead of the keyword.
advanced
More verbose debug messages. A value between 3 and 5 may be used instead of the keyword.
expert
Even more detailed messages. A value between 6 and 8 may be used instead of the keyword.
guru
All of the debug messages you can get. A value greater than 8 may be used instead of the keyword. The creation of hash tracing files is only enabled if the keyword is used.
How these messages are mapped to the actual debugging flags is not specified and may change with newer releases of this program. They are however carefully selected to best aid in debugging.
--debug flags
Set debug flags. All flags are or-ed and flags may be given in C syntax (e.g. 0x0042) or as a comma separated list of flag names. To get a list of all supported flags the single word "help" can be used. This option is only useful for debugging and the behavior may change at any time without notice.
Note that all flags set using this option may get overridden by --debug-level.
--debug-all
Same as --debug=0xffffffff
--debug-allow-core-dump
Usually gpgsm tries to avoid dumping core by well written code and by disabling core dumps for security reasons. However, bugs are pretty durable beasts and to squash them it is sometimes useful to have a core dump. This option enables core dumps unless the Bad Thing happened before the option parsing.
--debug-no-chain-validation
This is actually not a debugging option but only useful as such. It lets gpgsm bypass all certificate chain validation checks.
--debug-ignore-expiration
This is actually not a debugging option but only useful as such. It lets gpgsm ignore all notAfter dates; this is used by the regression tests.
--passphrase-fd n
Read the passphrase from file descriptor n. Only the first line will be read from file descriptor n. If you use 0 for n, the passphrase will be read from STDIN. This can only be used if only one passphrase is supplied.
Note that this passphrase is only used if the option --batch has also been given.
--pinentry-mode mode
Set the pinentry mode to mode. Allowed values for mode are:
default
Use the default of the agent, which is ask.
ask
Force the use of the Pinentry.
cancel
Emulate use of Pinentry’s cancel button.
error
Return a Pinentry error (“No Pinentry”).
loopback
Redirect Pinentry queries to the caller. Note that in contrast to Pinentry the user is not prompted again if he enters a bad password.
--request-origin origin
Tell gpgsm to assume that the operation ultimately originated at origin. Depending on the origin certain restrictions are applied and the Pinentry may include an extra note on the origin. Supported values for origin are: local which is the default, remote to indicate a remote origin or browser for an operation requested by a web browser.
--no-common-certs-import
Suppress the import of common certificates on keybox creation.
All the long options may also be given in the configuration file after stripping off the two leading dashes.