gnupg: GPG Input and Output
4.2.3 Input and Output
----------------------
'--armor'
'-a'
Create ASCII armored output. The default is to create the binary
OpenPGP format.
'--no-armor'
Assume the input data is not in ASCII armored format.
'--output FILE'
'-o FILE'
Write output to FILE. To write to stdout use '-' as the filename.
'--max-output N'
This option sets a limit on the number of bytes that will be
generated when processing a file. Since OpenPGP supports various
levels of compression, it is possible that the plaintext of a given
message may be significantly larger than the original OpenPGP
message. While GnuPG works properly with such messages, there is
often a desire to set a maximum file size that will be generated
before processing is forced to stop by the OS limits. Defaults to
0, which means "no limit".
'--input-size-hint N'
This option can be used to tell GPG the size of the input data in
bytes. N must be a positive base-10 number. This option is only
useful if the input is not taken from a file. GPG may use this
hint to optimize its buffer allocation strategy. It is also used
by the '--status-fd' line "PROGRESS" to provide a value for "total"
if that is not available by other means.
'--key-origin STRING[,URL]'
gpg can track the origin of a key. Certain origins are implicitly
known (e.g. keyserver, web key directory) and set. For a standard
import the origin of the keys imported can be set with this option.
To list the possible values use "help" for STRING. Some origins
can store an optional URL argument. That URL can be appended to
STRING after a comma.
'--import-options PARAMETERS'
This is a space or comma delimited string that gives options for
importing keys. Options can be prepended with a 'no-' to give the
opposite meaning. The options are:
import-local-sigs
Allow importing key signatures marked as "local". This is not
generally useful unless a shared keyring scheme is being used.
Defaults to no.
keep-ownertrust
Normally, any ownertrust values still existing for a key are
cleared when the key is imported. This is generally
desirable so that a formerly deleted key does not
automatically gain ownertrust values merely due to import.
On the other hand it is sometimes necessary to re-import a
trusted set of keys while keeping already assigned
ownertrust values. This can be achieved by using this option.
repair-pks-subkey-bug
During import, attempt to repair the damage caused by the PKS
keyserver bug (pre version 0.9.6) that mangles keys with
multiple subkeys. Note that this cannot completely repair the
damaged key as some crucial data is removed by the keyserver,
but it does at least give you back one subkey. Defaults to no
for regular '--import' and to yes for keyserver
'--receive-keys'.
import-show
show-only
Show a listing of the key as imported right before it is
stored. This can be combined with the option '--dry-run' to
only look at keys; the option 'show-only' is a shortcut for
this combination. The command '--show-keys' is another
shortcut for this. Note that suffixes like '#' for "sec" and
"ssb" lines may or may not be printed.
import-export
Run the entire import code but instead of storing the key to
the local keyring write it to the output. The export options
'export-pka' and 'export-dane' affect the output. This option
can be used to remove all invalid parts from a key without the
need to store it.
merge-only
During import, allow key updates to existing keys, but do not
allow any new keys to be imported. Defaults to no.
import-clean
After import, compact (remove all signatures except the
self-signature) any user IDs from the new key that are not
usable. Then, remove any signatures from the new key that are
not usable. This includes signatures that were issued by keys
that are not present on the keyring. This option is the same
as running the '--edit-key' command "clean" after import.
Defaults to no.
self-sigs-only
Accept only self-signatures while importing a key. All other
key signatures are skipped at an early import stage. This
option can be used with 'keyserver-options' to mitigate
attempts to flood a key with bogus signatures from a
keyserver. The drawback is that all other valid key
signatures, as required by the Web of Trust, are also not
imported. Note that when using this option along with
import-clean it suppresses the final clean step after merging
the imported key into the existing key.
repair-keys
After import, fix various problems with the keys. For
example, this reorders signatures, and strips duplicate
signatures. Defaults to yes.
import-minimal
Import the smallest key possible. This removes all signatures
except the most recent self-signature on each user ID. This
option is the same as running the '--edit-key' command
"minimize" after import. Defaults to no.
restore
import-restore
Import in key restore mode. This imports all data which is
usually skipped during import, including all GnuPG specific
data. All other contradicting options are overridden.
'--import-filter {NAME=EXPR}'
'--export-filter {NAME=EXPR}'
These options define an import/export filter which is applied to
the imported/exported keyblock right before it is
stored/written. NAME defines the type of filter to use, EXPR the
expression to evaluate. The option can be used several times, which
then appends more expressions to the same NAME.
The available filter types are:
keep-uid
This filter will keep a user id packet and its dependent
packets in the keyblock if the expression evaluates to true.
drop-subkey
This filter drops the selected subkeys. Currently only
implemented for '--export-filter'.
drop-sig
This filter drops the selected key signatures on user ids.
Self-signatures are not considered. Currently only
implemented for '--import-filter'.
For the syntax of the expression see the chapter "FILTER
EXPRESSIONS". The property names for the expressions depend on the
actual filter type and are indicated in the following table.
The available properties are:
uid
A string with the user id. (keep-uid)
mbox
The addr-spec part of a user id with mailbox or the empty
string. (keep-uid)
key_algo
A number with the public key algorithm of a key or subkey
packet. (drop-subkey)
key_created
key_created_d
The first is the timestamp a public key or subkey packet was
created. The second is the same but given as an ISO string,
e.g. "2016-08-17". (drop-subkey)
fpr
The hexified fingerprint of the current subkey or primary key.
(drop-subkey)
primary
Boolean indicating whether the user id is the primary one.
(keep-uid)
expired
Boolean indicating whether a user id (keep-uid), a key
(drop-subkey), or a signature (drop-sig) expired.
revoked
Boolean indicating whether a user id (keep-uid) or a key
(drop-subkey) has been revoked.
disabled
Boolean indicating whether a primary key is disabled. (not
used)
secret
Boolean indicating whether a key or subkey is a secret one.
(drop-subkey)
usage
A string indicating the usage flags for the subkey, from the
sequence "ecsa?". For example, a subkey capable of just
signing and authentication would be an exact match for "sa".
(drop-subkey)
sig_created
sig_created_d
The first is the timestamp a signature packet was created.
The second is the same but given as an ISO date string, e.g.
"2016-08-17". (drop-sig)
sig_algo
A number with the public key algorithm of a signature packet.
(drop-sig)
sig_digest_algo
A number with the digest algorithm of a signature packet.
(drop-sig)
'--export-options PARAMETERS'
This is a space or comma delimited string that gives options for
exporting keys. Options can be prepended with a 'no-' to give the
opposite meaning. The options are:
export-local-sigs
Allow exporting key signatures marked as "local". This is not
generally useful unless a shared keyring scheme is being used.
Defaults to no.
export-attributes
Include attribute user IDs (photo IDs) while exporting. Not
including attribute user IDs is useful to export keys that are
going to be used by an OpenPGP program that does not accept
attribute user IDs. Defaults to yes.
export-sensitive-revkeys
Include designated revoker information that was marked as
"sensitive". Defaults to no.
backup
export-backup
Export for use as a backup. The exported data includes all
data which is needed to restore the key or keys later with
GnuPG. The format is basically the OpenPGP format but enhanced
with GnuPG specific data. All other contradicting options are
overridden.
export-clean
Compact (remove all signatures from) user IDs on the key being
exported if the user IDs are not usable. Also, do not export
any signatures that are not usable. This includes signatures
that were issued by keys that are not present on the keyring.
This option is the same as running the '--edit-key' command
"clean" before export except that the local copy of the key is
not modified. Defaults to no.
export-minimal
Export the smallest key possible. This removes all signatures
except the most recent self-signature on each user ID. This
option is the same as running the '--edit-key' command
"minimize" before export except that the local copy of the key
is not modified. Defaults to no.
export-pka
Instead of outputting the key material, output PKA records
suitable to put into DNS zone files. An ORIGIN line is
printed before each record to allow diverting the records to
the corresponding zone file.
export-dane
Instead of outputting the key material, output OpenPGP DANE
records suitable to put into DNS zone files. An ORIGIN line
is printed before each record to allow diverting the records
to the corresponding zone file.
'--with-colons'
Print key listings delimited by colons. Note that the output will
be encoded in UTF-8 regardless of any '--display-charset' setting.
This format is useful when GnuPG is called from scripts and other
programs as it is easily machine parsed. The details of this
format are documented in the file 'doc/DETAILS', which is included
in the GnuPG source distribution.
'--fixed-list-mode'
Do not merge primary user ID and primary key in '--with-colons'
listing mode and print all timestamps as seconds since 1970-01-01.
Since GnuPG 2.0.10, this mode is always used and thus this option
is obsolete; it does no harm to use it though.
'--legacy-list-mode'
Revert to the pre-2.1 public key list mode. This only affects the
human readable output and not the machine interface (i.e.
'--with-colons'). Note that the legacy format does not convey
suitable information for elliptic curves.
'--with-fingerprint'
Same as the command '--fingerprint' but changes only the format of
the output and may be used together with another command.
'--with-subkey-fingerprint'
If a fingerprint is printed for the primary key, this option forces
printing of the fingerprint for all subkeys. This could also be
achieved by using '--with-fingerprint' twice but by using this
option along with keyid-format "none" a compact fingerprint is
printed.
'--with-icao-spelling'
Print the ICAO spelling of the fingerprint in addition to the hex
digits.
'--with-keygrip'
Include the keygrip in the key listings. In '--with-colons' mode
this is implicitly enabled for secret keys.
'--with-key-origin'
Include the locally held information on the origin and last update
of a key in a key listing. In '--with-colons' mode this is always
printed. This data is currently experimental and shall not be
considered part of the stable API.
'--with-wkd-hash'
Print a Web Key Directory identifier along with each user ID in key
listings. This is an experimental feature and semantics may
change.
'--with-secret'
Include info about the presence of a secret key in public key
listings done with '--with-colons'.
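
An added example (not part of the GnuPG manual or source) of machine-parsing a '--with-colons' key listing to find keys and subkeys that gpg marks as invalid, disabled, revoked or expired. The field positions and validity letters are taken from 'doc/DETAILS' rather than from this page; the function names are hypothetical and the sample listing is constructed.

```python
import re

# Field indexes (0-based) as specified in GnuPG's doc/DETAILS, not on this page.
TYPE, VALIDITY, BITS, ALGO, KEYID, CREATED, EXPIRES = range(7)
FIELD10, CAPS = 9, 11          # field 10: user ID on "uid", fingerprint on "fpr"
UNUSABLE = {"i": "invalid", "d": "disabled", "r": "revoked", "e": "expired"}

# Constructed sample listing (not real keys); "\\x3a" is an escaped colon.
SAMPLE = """\
tru::1:1700000000:0:3:1:5
pub:u:255:22:1111222233334444:1600000000:::u:::scESC:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAA1111222233334444:
uid:u::::1600000000::0123::Build key\\x3a release <build@example.org>:
sub:e:255:18:5555666677778888:1600000000:1650000000:::::e:
fpr:::::::::BBBBBBBBBBBBBBBBBBBBBBBB5555666677778888:
pub:r:4096:1:9999AAAABBBBCCCC:1400000000:::-:::sc:
fpr:::::::::CCCCCCCCCCCCCCCCCCCCCCCC9999AAAABBBBCCCC:
uid:r::::1400000000::4567::Old key <old@example.org>:
"""

def unescape(value):
    """Undo the \\xNN quoting gpg applies to user IDs (a colon becomes \\x3a)."""
    return re.sub(r"\\x([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)

def parse_colons(listing):
    """Group records into primary keys, each with its subkeys and user IDs."""
    keys, primary, last = [], None, None
    for line in listing.splitlines():
        f = line.split(":") + [""] * 12      # pad so short records index safely
        if f[TYPE] in ("pub", "sec", "sub", "ssb"):
            last = {"type": f[TYPE], "validity": f[VALIDITY], "bits": f[BITS],
                    "algo": f[ALGO], "keyid": f[KEYID], "expires": f[EXPIRES],
                    "caps": f[CAPS], "fpr": None}
            if f[TYPE] in ("pub", "sec"):
                last.update(uids=[], subkeys=[])
                primary = last
                keys.append(primary)
            elif primary is not None:
                primary["subkeys"].append(last)
        elif f[TYPE] == "fpr" and last is not None and last["fpr"] is None:
            last["fpr"] = f[FIELD10]         # fpr follows the key it describes
        elif f[TYPE] == "uid" and primary is not None:
            primary["uids"].append(unescape(f[FIELD10]))
    return keys

def unusable(keys):
    """Return (fingerprint, reason) for each key or subkey flagged unusable."""
    flat = [k for key in keys for k in [key] + key["subkeys"]]
    return [(k["fpr"], UNUSABLE[k["validity"]]) for k in flat if k["validity"] in UNUSABLE]
```

Splitting on ':' before unescaping matters: a user ID containing a colon arrives as '\x3a' and would otherwise shift every later field.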