Next: , Previous: , Up: GPG Options   [Contents][Index]


4.2.3 Input and Output

--armor
-a

Create ASCII armored output. The default is to create the binary OpenPGP format.

--no-armor

Assume the input data is not in ASCII armored format.

--output file
-o file

Write output to file. To write to stdout use - as the filename.

--max-output n

This option sets a limit on the number of bytes that will be generated when processing a file. Since OpenPGP supports various levels of compression, it is possible that the plaintext of a given message may be significantly larger than the original OpenPGP message. While GnuPG works properly with such messages, there is often a desire to set a maximum file size that will be generated before processing is forced to stop by the OS limits. Defaults to 0, which means "no limit".

--chunk-size n

The AEAD encryption mode encrypts the data in chunks so that a receiving side can check for transmission errors or tampering at the end of each chunk and does not need to delay this until all data has been received. The used chunk size is 2^n byte. The lowest allowed value for n is 6 (64 byte) and the largest is the default of 22 which creates chunks not larger than 4 MiB.

--input-size-hint n

This option can be used to tell GPG the size of the input data in bytes. n must be a positive base-10 number. This option is only useful if the input is not taken from a file. GPG may use this hint to optimize its buffer allocation strategy. It is also used by the --status-fd line “PROGRESS” to provide a value for “total” if that is not available by other means.

--key-origin string[,url]

gpg can track the origin of a key. Certain origins are implicitly known (e.g. keyserver, web key directory) and set. For a standard import the origin of the keys imported can be set with this option. To list the possible values use "help" for string. Some origins can store an optional url argument. That URL can appended to string after a comma.

--import-options parameters

This is a space or comma delimited string that gives options for importing keys. Options can be prepended with a ‘no-’ to give the opposite meaning. The options are:

import-local-sigs

Allow importing key signatures marked as "local". This is not generally useful unless a shared keyring scheme is being used. Defaults to no.

keep-ownertrust

Normally possible still existing ownertrust values of a key are cleared if a key is imported. This is in general desirable so that a formerly deleted key does not automatically gain an ownertrust values merely due to import. On the other hand it is sometimes necessary to re-import a trusted set of keys again but keeping already assigned ownertrust values. This can be achieved by using this option.

repair-pks-subkey-bug

During import, attempt to repair the damage caused by the PKS keyserver bug (pre version 0.9.6) that mangles keys with multiple subkeys. Note that this cannot completely repair the damaged key as some crucial data is removed by the keyserver, but it does at least give you back one subkey. Defaults to no for regular --import and to yes for keyserver --receive-keys.

import-show
show-only

Show a listing of the key as imported right before it is stored. This can be combined with the option --dry-run to only look at keys; the option show-only is a shortcut for this combination. The command --show-keys is another shortcut for this. Note that suffixes like ’#’ for "sec" and "sbb" lines may or may not be printed.

import-export

Run the entire import code but instead of storing the key to the local keyring write it to the output. The export option export-dane affect the output. This option can for example be used to remove all invalid parts from a key without the need to store it.

merge-only

During import, allow key updates to existing keys, but do not allow any new keys to be imported. Defaults to no.

import-clean

After import, compact (remove all signatures except the self-signature) any user IDs from the new key that are not usable. Then, remove any signatures from the new key that are not usable. This includes signatures that were issued by keys that are not present on the keyring. This option is the same as running the --edit-key command "clean" after import. Defaults to no.

self-sigs-only

Accept only self-signatures while importing a key. All other key signatures are skipped at an early import stage. This option can be used with keyserver-options to mitigate attempts to flood a key with bogus signatures from a keyserver. The drawback is that all other valid key signatures, as required by the Web of Trust are also not imported. Note that when using this option along with import-clean it suppresses the final clean step after merging the imported key into the existing key.

ignore-attributes

Ignore all attribute user IDs (photo IDs) and their signatures while importing a key.

repair-keys

After import, fix various problems with the keys. For example, this reorders signatures, and strips duplicate signatures. Defaults to yes.

bulk-import

When used the keyboxd (option use-keyboxd in common.conf) does the import within a single transaction.

import-minimal

Import the smallest key possible. This removes all signatures except the most recent self-signature on each user ID. This option is the same as running the --edit-key command "minimize" after import. Defaults to no.

restore
import-restore

Import in key restore mode. This imports all data which is usually skipped during import; including all GnuPG specific data. All other contradicting options are overridden.

--import-filter {name=expr}
--export-filter {name=expr}

These options define an import/export filter which are applied to the imported/exported keyblock right before it will be stored/written. name defines the type of filter to use, expr the expression to evaluate. The option can be used several times which then appends more expression to the same name.

The available filter types are:

keep-uid

This filter will keep a user id packet and its dependent packets in the keyblock if the expression evaluates to true.

drop-subkey

This filter drops the selected subkeys. Currently only implemented for –export-filter.

drop-sig

This filter drops the selected key signatures on user ids. Self-signatures are not considered. Currently only implemented for –import-filter.

select

This filter is only implemented by --list-filter. All property names may be used.

For the syntax of the expression see the chapter "FILTER EXPRESSIONS". The property names for the expressions depend on the actual filter type and are indicated in the following table. Note that all property names may also be used by --list-filter.

Property names may be prefix with a scope delimited by a slash. Valid scopes are "pub" for public and secret primary keys, "sub" for public and secret subkeys, "uid" for for user-ID packets, and "sig" for signature packets. Invalid scopes are currently ignored.

The available properties are:

uid

A string with the user id. (keep-uid)

mbox

The addr-spec part of a user id with mailbox or the empty string. (keep-uid)

algostr

A string with the key algorithm description. For example "rsa3072" or "ed25519".

key_algo

A number with the public key algorithm of a key or subkey packet. (drop-subkey)

key_size

A number with the effective key size of a key or subkey packet. (drop-subkey)

key_created
key_created_d

The first is the timestamp a public key or subkey packet was created. The second is the same but given as an ISO string, e.g. "2016-08-17". (drop-subkey)

key_expires
key_expires_d

The expiration time of a public key or subkey or 0 if it does not expire. The second is the same but given as an ISO date string or an empty string e.g. "2038-01-19".

fpr

The hexified fingerprint of the current subkey or primary key. (drop-subkey)

primary

Boolean indicating whether the user id is the primary one. (keep-uid)

expired

Boolean indicating whether a user id (keep-uid), a key (drop-subkey), or a signature (drop-sig) expired.

revoked

Boolean indicating whether a user id (keep-uid) or a key (drop-subkey) has been revoked.

disabled

Boolean indicating whether a primary key is disabled.

secret

Boolean indicating whether a key or subkey is a secret one. (drop-subkey)

usage

A string indicating the usage flags for the subkey, from the sequence “ecsa?”. For example, a subkey capable of just signing and authentication would be an exact match for “sa”. (drop-subkey)

sig_created
sig_created_d

The first is the timestamp a signature packet was created. The second is the same but given as an ISO date string, e.g. "2016-08-17". (drop-sig)

sig_expires
sig_expires_d

The expiration time of a signature packet or 0 if it does not expire. The second is the same but given as an ISO date string or an empty string e.g. "2038-01-19".

sig_algo

A number with the public key algorithm of a signature packet. (drop-sig)

sig_digest_algo

A number with the digest algorithm of a signature packet. (drop-sig)

origin

A string with the key origin or a question mark. For example the string “wkd” is used if a key originated from a Web Key Directory lookup.

lastupd

The timestamp the key was last updated from a keyserver or the Web Key Directory.

url

A string with the the URL associated wit the last key lookup.

--export-options parameters

This is a space or comma delimited string that gives options for exporting keys. Options can be prepended with a ‘no-’ to give the opposite meaning. The options are:

export-local-sigs

Allow exporting key signatures marked as "local". This is not generally useful unless a shared keyring scheme is being used. Defaults to no.

export-attributes

Include attribute user IDs (photo IDs) while exporting. Not including attribute user IDs is useful to export keys that are going to be used by an OpenPGP program that does not accept attribute user IDs. Defaults to yes.

export-sensitive-revkeys

Include designated revoker information that was marked as "sensitive". Defaults to no.

backup
export-backup

Export for use as a backup. The exported data includes all data which is needed to restore the key or keys later with GnuPG. The format is basically the OpenPGP format but enhanced with GnuPG specific data. All other contradicting options are overridden.

export-clean

Compact (remove all signatures from) user IDs on the key being exported if the user IDs are not usable. Also, do not export any signatures that are not usable. This includes signatures that were issued by keys that are not present on the keyring. This option is the same as running the --edit-key command "clean" before export except that the local copy of the key is not modified. Defaults to no.

export-minimal

Export the smallest key possible. This removes all signatures except the most recent self-signature on each user ID. This option is the same as running the --edit-key command "minimize" before export except that the local copy of the key is not modified. Defaults to no.

export-revocs

Export only standalone revocation certificates of the key. This option does not export revocations of 3rd party certificate revocations.

export-dane

Instead of outputting the key material output OpenPGP DANE records suitable to put into DNS zone files. An ORIGIN line is printed before each record to allow diverting the records to the corresponding zone file.

mode1003

Enable the use of a new secret key export format. This format avoids the re-encryption as required with the current OpenPGP format and also improves the security of the secret key if it has been protected with a passphrase. Note that an unprotected key is exported as-is and thus not secure; the general rule to convey secret keys in an OpenPGP encrypted file still applies with this mode. Versions of GnuPG before 2.4.0 are not able to import such a secret file.

--with-colons

Print key listings delimited by colons. Note that the output will be encoded in UTF-8 regardless of any --display-charset setting. This format is useful when GnuPG is called from scripts and other programs as it is easily machine parsed. The details of this format are documented in the file doc/DETAILS, which is included in the GnuPG source distribution.

--fixed-list-mode

Do not merge primary user ID and primary key in --with-colon listing mode and print all timestamps as seconds since 1970-01-01. Since GnuPG 2.0.10, this mode is always used and thus this option is obsolete; it does not harm to use it though.

--legacy-list-mode

Revert to the pre-2.1 public key list mode. This only affects the human readable output and not the machine interface (i.e. --with-colons). Note that the legacy format does not convey suitable information for elliptic curves.

--with-fingerprint

Same as the command --fingerprint but changes only the format of the output and may be used together with another command.

--with-subkey-fingerprint

If a fingerprint is printed for the primary key, this option forces printing of the fingerprint for all subkeys. This could also be achieved by using the --with-fingerprint twice but by using this option along with keyid-format "none" a compact fingerprint is printed.

--with-v5-fingerprint

In a colon mode listing emit "fp2" lines for version 4 OpenPGP keys having a v5 style fingerprint of the key.

--with-icao-spelling

Print the ICAO spelling of the fingerprint in addition to the hex digits.

--with-keygrip

Include the keygrip in the key listings. In --with-colons mode this is implicitly enable for secret keys.

--with-key-origin

Include the locally held information on the origin and last update of a key in a key listing. In --with-colons mode this is always printed. This data is currently experimental and shall not be considered part of the stable API.

--with-wkd-hash

Print a Web Key Directory identifier along with each user ID in key listings. This is an experimental feature and semantics may change.

--with-secret

Include info about the presence of a secret key in public key listings done with --with-colons.


Next: , Previous: , Up: GPG Options   [Contents][Index]