pubring.gpg and secring.gpg. The only difference is that secring stored in addition to the public part also the private part of the key pair. The secret keyring thus contained only the keys for which a private key is available, that is the user’s key. It required a lot of code to keep both versions of the key in sync and led to sometimes surprising inconsistencies.

secring.gpg and converts the keys on-the-fly to the key store of gpg-agent (this is the private-keys-v1.d directory below the GnuPG home directory (~/.gnupg)). This is done only once and an existing secring.gpg is then not anymore touched by gpg. This allows co-existence of older GnuPG versions with GnuPG 2.1. However, any change to the private keys using the new gpg will not show up when using pre-2.1 versions of GnuPG and vice versa.

--export-secret-keys still creates an OpenPGP compliant file with the secret keys. This is achieved by asking gpg-agent to convert a key and return it in the OpenPGP protected format. The export operation requires that the passphrase for the key is entered so that gpg-agent is able to change the protection from its internal format to the OpenPGP required format.

--allow-weak-digest-algos option). A better solution is to re-encrypt the data using a modern key.

--full-gen-key
along with the option --expert is the enabler:

--yes. If you want some more control, you may not use --batch and gpg will ask for confirmation and show the resulting key:

--check-sigs as usual:

--quick-lsign-key instead.

--quick-addkey command which are described in the manual.

no-grab may be required in the gpg-agent.conf file to actually make use of the paste feature.

GPG_AGENT_INFO) to tell the other GnuPG modules how to connect to the agent. However, correctly managing the start up and this environment variable is cumbersome so that an easier method is required. Since GnuPG 2.0.16 the --use-standard-socket option already allowed to start the agent on the fly; however the environment variable was still required.

GPG_AGENT_INFO has been completely removed and the variable is ignored. Instead a fixed Unix domain socket named S.gpg-agent in the GnuPG home directory (by default ~/.gnupg) is used. The agent is also started on demand by all tools requiring services from the agent.

--enable-ssh-support is used the auto-start mechanism does not work because ssh does not know about this mechanism. Instead it is required that the environment variable SSH_AUTH_SOCK is set to the S.gpg-agent.ssh socket in the GnuPG home directory. Further gpg-agent must be started: either by using a GnuPG command which implicitly starts gpg-agent or by using gpgconf --launch gpg-agent to explicitly start it if not yet done.

gpg-connect-agent tool is used:

pubring.gpg
is found, gpg defaults to the new keybox format and creates a pubring.kbx keybox file. If such a keybox file already exists, for example due to the use of gpgsm, it will also be used for OpenPGP keys. However, if a pubring.gpg is found and no keybox file with OpenPGP keys exists, the old pubring.gpg will be used. Take care: GnuPG versions before 2.1 will always use the pubring.gpg file and not know anything about keys stored in the keybox file.

pubring.gpg file to the keybox format, you first backup the ownertrust values, then rename the file to (for example) publickeys, so it won’t be recognized by any GnuPG version, then run import, and finally restore the ownertrust values:

publickeys file back so that it can be used by older GnuPG versions. Remember that in this case you have two independent copies of the public keys. The ownertrust values are kept by all gpg versions in the file trustdb.gpg but the above precautions need to be taken to keep them over an import.

openpgp-revocs.d directory below the GnuPG home directory. Brief instructions on how to use this revocation certificate are put at the top of the file.

--with-fingerprint the non-compact format is used. The --keyid-format option can be used to switch back to the discouraged format which prints only the key id.

show-uid-validity is implicitly used for the --list-options.

--with-colons options did not change. However a couple of new fields have been added, for example if the new option --with-secret is used the “S/N of a token” field indicates the presence of a secret key even in a public key listing. This option is supported by recent GPGME versions and makes writing of key manager software easier.

--recipient-file (or short -f) and --hidden-recipient-file (or short -F). The file must contain exactly one key in binary or armored format. All keys specified with those options are always considered fully valid. These options may be mixed with the regular options to specify a key. Along with the new convenience option --no-keyring it is now possible to encrypt data without maintaining a local keyring.

keys.gpg to smallkey.gpg while also removing all key signatures except for the latest self-signatures. This can even be further restricted to copy only a specific user ID to the output file:

--import-filter option is used to remove all user IDs except for those which have the mail address “[email protected]”. The same is also possible while exporting a key:

--enable-putty-support allows gpg-agent to act as a replacement for Putty’s authentication agent Pageant. It is the Windows counterpart for the --enable-ssh-support option as used on Unix.

--export-ssh-key makes it easy to export an ssh public key in the format used for ssh’s authorized_keys file. By default the command exports the newest subkey with an authorization usage flag. A special syntax can be used to export other subkeys. This command is available since 2.1.11 and replaces the former debug utility gpgkey2ssh.

--export-secret-key-p8 and --export-secret-key-raw may be used to export a secret key directly in PKCS#8 or PKCS#1 format. Thus X.509 certificates for TLS use may be managed by gpgsm and directly exported in a format suitable for OpenSSL based servers.
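The keybox migration procedure described above (back up the ownertrust values, rename pubring.gpg, import, restore the ownertrust values) as an added example script; it is not the page's own command sequence. It assumes a GnuPG 2.1 gpg on PATH and adds a sanity check of the ownertrust backup before pubring.gpg is renamed away, because an empty or truncated backup would lose the trust values for good.

```sh
#!/bin/sh
# Added example, not the GnuPG page's own commands: migrate pubring.gpg to
# the keybox format while preserving ownertrust. Assumes GnuPG 2.1 gpg.

GNUPGHOME="${GNUPGHOME:-$HOME/.gnupg}"

# An ownertrust export holds "# ..." comment lines and records of the form
# "<40 hex digit fingerprint>:<trust level>:". Accept a file only if every
# line is one of those and at least one real record is present, so that an
# empty or truncated backup is caught before pubring.gpg is renamed away.
validate_ownertrust() {
    file="$1"
    [ -s "$file" ] || return 1
    if grep -Ev '^(#.*|[0-9A-F]{40}:[0-9]+:)?$' "$file" | grep -q .; then
        return 1
    fi
    grep -Eq '^[0-9A-F]{40}:[0-9]+:$' "$file"
}

migrate_to_keybox() {
    cd "$GNUPGHOME" || return 1
    [ -f pubring.gpg ] || { echo "no pubring.gpg to migrate" >&2; return 1; }
    # 1. back up the ownertrust values (they live in trustdb.gpg, not the keyring)
    gpg --export-ownertrust > otrust.txt || return 1
    validate_ownertrust otrust.txt || {
        echo "ownertrust backup looks malformed, aborting" >&2; return 1; }
    # 2. rename, so that no GnuPG version treats the file as a keyring any more
    mv pubring.gpg publickeys || return 1
    # 3. import into the fresh keybox; keep local (non-exportable) signatures too
    gpg --import-options import-local-sigs --import publickeys || return 1
    # 4. restore the ownertrust values
    gpg --import-ownertrust otrust.txt
}

# Run the migration only when invoked explicitly:  sh migrate.sh run
if [ "${1:-}" = run ]; then
    migrate_to_keybox
fi
```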
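The --with-secret field described above, as an added example that is not from the page or from GnuPG: an awk filter that condenses the output of gpg --with-colons --with-secret --list-keys to one line per primary key and marks which keys have a secret part in gpg-agent's store. It assumes the field 15 convention from GnuPG's doc/DETAILS ("+" for an available secret key, "#" for a stub); the sample listing is constructed.

```sh
#!/bin/sh
# Added example (not GnuPG's own code): condense a colon listing produced by
#   gpg --with-colons --with-secret --list-keys
# into "<fingerprint> <keyid> <secret|stub|public> <primary user id>" lines.
# Assumed per GnuPG's doc/DETAILS: in pub records, field 15 ("S/N of a token")
# is "+" when a secret key is available and "#" when only a stub exists.
summarize_keys() {
    awk -F: '
        function emit() {
            if (fpr != "") print fpr, kid, state, uid
        }
        $1 == "pub" {
            emit()
            kid = $5
            state = ($15 == "+") ? "secret" : (($15 == "#") ? "stub" : "public")
            fpr = ""; uid = ""
        }
        # the first fpr record after a pub record is the primary fingerprint;
        # later fpr records belong to subkeys and are ignored
        $1 == "fpr" && fpr == "" { fpr = $10 }
        $1 == "uid" && uid == "" { uid = $10 }
        END { emit() }
    '
}

# Constructed sample: Alice has her secret key in gpg-agent, Bob's key is
# public only. Field layout follows the colon listing format.
SAMPLE_LISTING='pub:u:2048:1:ABCDEF0123456789:1455616001:::u:::scESC:::+:::
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1455616001::0F0F::Alice <alice@example.org>::::::::::0:
sub:u:2048:1:1111222233334444:1455616001::::::e:::+:::
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
pub:-:255:22:9999888877776666:1455616001::::::scESC::::::
fpr:::::::::9999888877776666AAAABBBBCCCCDDDDEEEEFFFF:
uid:-::::1455616001::1A1A::Bob <bob@example.org>::::::::::0:'

# Summary of the constructed sample; against a real keyring run:
#   gpg --with-colons --with-secret --list-keys | summarize_keys
summarize_sample() {
    printf '%s\n' "$SAMPLE_LISTING" | summarize_keys
}
```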