d03ab969 |
1 | .\" -*-nroff-*- |
052b36d0 |
2 | .ie t \{\ |
3 | . ds ss \s8\u |
4 | . ds se \d\s0 |
1476eebc |
5 | . ds us \s8\d |
6 | . ds ue \u\s0 |
052b36d0 |
7 | .\} |
8 | .el \{\ |
9 | . ds ss ^ |
10 | . ds se |
1476eebc |
11 | . ds us _ |
12 | . ds se |
052b36d0 |
13 | .\} |
d03ab969 |
14 | .TH key 1 "5 June 1999" Catacomb |
15 | .SH NAME |
16 | key \- simple key management system |
17 | .SH SYNOPSIS |
18 | .B key |
19 | .RB [ \-k |
20 | .IR keyring ] |
21 | .I command |
22 | .PP |
23 | where |
24 | .I command |
25 | is one of: |
26 | .PP |
27 | .B add |
1476eebc |
28 | .RB [ \-lqLS ] |
052b36d0 |
29 | .RB [ \-a |
30 | .IR alg ] |
31 | .RB [ \-b | \-B |
d03ab969 |
32 | .IR bits ] |
052b36d0 |
33 | .RB [ \-p |
34 | .IR param ] |
35 | .RB [ \-r |
36 | .IR tag ] |
37 | .br |
38 | \h'8n' |
d03ab969 |
39 | .RB [ \-e |
40 | .IR expire ] |
052b36d0 |
41 | .RB [ \-t |
42 | .IR tag ] |
d03ab969 |
43 | .RB [ \-c |
44 | .IR comment ] |
45 | .I type |
46 | .IR attr ... |
47 | .br |
48 | .B expire |
052b36d0 |
49 | .IR tag ... |
d03ab969 |
50 | .br |
51 | .B delete |
052b36d0 |
52 | .IR tag ... |
53 | .br |
54 | .B tag |
55 | .I tag |
56 | .RI [ new-tag ] |
57 | .br |
58 | .B comment |
59 | .I tag |
60 | .RI [ comment ] |
d03ab969 |
61 | .br |
62 | .B setattr |
052b36d0 |
63 | .I tag |
d03ab969 |
64 | .IR attr ... |
65 | .br |
052b36d0 |
66 | .B lock |
67 | .I qtag |
68 | .br |
69 | .B unlock |
70 | .I qtag |
71 | .br |
d03ab969 |
72 | .B list |
052b36d0 |
73 | .RB [ \-uqv ] |
74 | .RB [ \-f |
75 | .IR filter ] |
76 | .RI [ tag ...] |
77 | .br |
78 | .B fingerprint |
79 | .RB [ \-f |
80 | .IR filter ] |
81 | .RI [ tag ...] |
d03ab969 |
82 | .br |
83 | .B tidy |
84 | .br |
85 | .B extract |
052b36d0 |
86 | .RB [ \-f |
87 | .IR filter ] |
d03ab969 |
88 | .I file |
052b36d0 |
89 | .RI [ tag ...] |
d03ab969 |
90 | .br |
91 | .B merge |
92 | .I file |
93 | .SH DESCRIPTION |
94 | The |
95 | .B key |
96 | command performs useful operations on Catacomb keyring files. It |
97 | provides a number of subcommands, by which the various operations may be |
98 | carried out. |
99 | .SS "Global options" |
100 | Before the command name, |
101 | .I "global options" |
102 | may be given. The following global options are supported: |
103 | .TP |
104 | .B "\-h, \-\-help" |
105 | Writes a brief summary of |
106 | .BR key 's |
107 | various options to standard output, and |
108 | returns a successful exit status. |
109 | .TP |
110 | .B "\-v, \-\-version" |
111 | Writes the program's version number to standard output, and returns a |
112 | successful exit status. |
113 | .TP |
114 | .B "\-u, \-\-usage" |
115 | Writes a very terse command line summary to standard output, and returns |
116 | a successful exit status. |
117 | .TP |
c9e31e42 |
118 | .BI "\-k, \-\-keyring " file |
d03ab969 |
119 | Names the keyring file which |
120 | .B key |
121 | is to process. The default keyring, used if this option doesn't specify |
122 | one, is the file named |
123 | .B keyring |
124 | in the current directory. The keyring must be stored in a regular file: |
125 | pipes, sockets, devices etc. are not allowed. |
126 | The |
127 | .B key |
128 | program attempts to lock the keyring before accessing it, using |
129 | .BR fcntl (2) |
130 | locking. It will however time out after a short while (10 seconds) and |
131 | report a failure. |
132 | .SS Concepts |
133 | In addition to the actual key data itself, a Catacomb key has a number |
134 | of other pieces of information attached to it: |
135 | .TP |
052b36d0 |
136 | .B "keyid" |
137 | Every key has a 32-bit identifying number, written in hexadecimal. |
138 | Keyids are not actually related to the key contents: they're generated |
139 | randomly. Applications use keyids to refer to specific keys; users are |
140 | probably better off with tags and types. A |
d03ab969 |
141 | .I deleted |
142 | key cannot be looked up by keyid. |
143 | .TP |
052b36d0 |
144 | .B "tag" |
145 | A key's tag is a unique string which can be used by users and |
146 | applications to identify the key. Tag strings may not contain spaces, |
147 | colons or dots. A |
148 | .I deleted |
149 | key cannot be looked up by tag. Whenever a tag name is wanted, a hex |
150 | keyid or key type string can be given instead. |
151 | .TP |
152 | .B "type" |
d03ab969 |
153 | A key's type string describes what the key may be used for. The type |
154 | string is arbitrary, except that it may not contain whitespace |
052b36d0 |
155 | characters, dots or colons. Applications use key types to obtain an |
156 | arbitrary but suitable key for some purpose. An |
d03ab969 |
157 | .I expired |
052b36d0 |
158 | key cannot be looked up by type, but may be looked up by keyid or tag. |
159 | .TP |
160 | .B "key encoding" |
161 | There are a number of different ways in which keys can be represented, |
162 | according to the uses to which the key will be put. Most symmetric |
163 | algorithms use |
164 | .I binary |
165 | keys. Keys used with number-theoretic systems (like most common |
166 | public-key systems) use |
167 | .I "multiprecision integer" |
168 | keys. Algorithms which require several key constituents (again, like |
169 | most public-key systems) use |
170 | .I structured |
171 | keys, which consist of a collection of named parts. Finally, keys |
172 | (including structured keys) can be encrypted. |
173 | .TP |
174 | .B "filter" |
175 | Keys and key components may be selected by a filter expression, a |
176 | sequence of flag names separated by commas. Flags are: |
177 | .BR binary , |
178 | .BR integer , |
179 | .B struct |
180 | or |
181 | .B encrypt |
182 | (describing the key encoding); |
183 | .BR symmetric , |
184 | .BR private , |
185 | .B public |
186 | or |
187 | .B shared |
188 | (describing the category of key); |
189 | .B burn |
190 | and its negation |
191 | .B \-burn |
192 | (whether the key should be erased from memory after use); and |
193 | .B secret |
194 | and its negation |
195 | .B \-secret |
196 | (whether the key is safe to divulge). |
197 | .TP |
198 | .B "qualified tag" |
199 | A key component may be identified by the key's tag (or keyid, or type). |
200 | Subcomponents of structured keys are identified by following the tag by |
201 | a dot and the name of the subcomponent. |
d03ab969 |
202 | .TP |
203 | .B "expiry time" |
204 | Most keys expire after a certain amount of time. Once a key has |
205 | expired, it will no longer be chosen as a result of a lookup by key |
206 | type. However, it is not deleted until its deletion time is also |
207 | reached. |
208 | .TP |
209 | .B "deletion time" |
210 | A key's deletion time is the latest expiry time of any of the objects |
211 | which require that key. For example, a key used for authenticating |
212 | cryptographic cookies should have its deletion time set to the longest |
052b36d0 |
213 | expiry time of any of the cookies it can authenticate. Once a key's |
214 | deletion time is passed, it can no longer be referred to by |
d03ab969 |
215 | applications, and will be removed from the keyring next time it's |
216 | written to disk. |
217 | .TP |
052b36d0 |
218 | .B "comment" |
d03ab969 |
219 | A key may be given a comment when it's created. The comment is for the |
220 | benefit of users, and isn't interpreted by applications at all. |
221 | (Hopefully.) |
222 | .TP |
052b36d0 |
223 | .B "attributes" |
d03ab969 |
224 | A key as zero or more name/value pairs. The names and values are |
225 | arbitrary strings, except they may not contain null bytes. Some |
226 | attributes may have meaning for particular applications or key types; |
227 | others may be assigned global meanings in future. |
228 | .SH "COMMAND REFERENCE" |
229 | .SS add |
230 | The |
231 | .B add |
232 | command creates a new key and adds it to the keyring. The command |
233 | accepts the following options: |
234 | .TP |
052b36d0 |
235 | .BI "\-a, \-\-algorithm " alg |
236 | Selects a key generation algorithm. The default algorithm is |
237 | .BR binary ; |
238 | the different algorithms are described below. |
239 | .TP |
c9e31e42 |
240 | .BI "\-b, \-\-bits " bits |
d03ab969 |
241 | The length of the key to generate, in bits. The default, if this option |
052b36d0 |
242 | is not supplied, depends on the key-generation algorithm. |
243 | .TP |
244 | .BI "\-B, \-\-qbits " bits |
245 | The length of the subsidiary key or parameter, in bits. Not all |
246 | key-generation algorithms have a subsidiary key size. |
247 | .TP |
248 | .BI "\-p, \-\-parameters " tag |
249 | Selects a key containing parameter values to copy. Not all |
250 | key-generation algorithms allow the use of shared parameters. |
d03ab969 |
251 | .TP |
c9e31e42 |
252 | .BI "\-e, \-\-expire " expire |
d03ab969 |
253 | The expiry date for the generated key. This may be the string |
254 | .RB ` forever ' |
255 | if the key should never expire automatically, or any date acceptable to |
256 | the |
257 | .BR getdate (3) |
258 | library function. Briefly, |
259 | .B getdate |
260 | understands absolute dates such as |
261 | .RB ` 1999-08-02 ' |
262 | or |
263 | .RB ` "August 2nd, 1999" ', |
264 | and (perhaps more usefully) relative dates such as |
265 | .RB ` "+2 weeks" '. |
266 | The default is to allow a 2 week expiry, which isn't useful. |
267 | .TP |
c9e31e42 |
268 | .BI "\-c, \-\-comment " comment |
d03ab969 |
269 | Sets a comment for the key. The default is not to attach a comment. |
052b36d0 |
270 | .TP |
271 | .BI "\-t, \-\-tag " tag |
272 | Selects a tag string for the key. The default is not to set a tag. It |
273 | is an error to select a tag which already exists. |
274 | .TP |
275 | .BI "\-r, \-\-rand-id " tag |
276 | Selects the key to use for the random number generator. Catacomb's |
277 | random number generator can be |
278 | .IR keyed , |
279 | so that, even if the inputs to the generator are compromised, knowledge |
280 | of the key is also necessary to be able to predict the output. By |
281 | default, the latest-expiring key with type |
282 | .B catacomb-rand |
283 | is used, if present; if not, no key is used. |
284 | .TP |
285 | .BI "\-l, \-\-lock" |
286 | Requests that the secret parts of the newly-generated key be encrypted |
287 | using a passphrase. |
288 | .TP |
289 | .BI "\-q, \-\-quiet" |
290 | Suppresses the progress indication which is usually generated while |
291 | time-consuming key generation tasks are being performed. |
1476eebc |
292 | .TP |
293 | .BI "\-L, --lim-lee" |
294 | When generating Diffie-Hellman parameters, generate a Lim-Lee prime |
295 | rather than a random (or safe) prime. See the details on Diffie-Hellman |
296 | key generation below. |
297 | .TP |
298 | .BI "\-S, --subgroup" |
299 | When generating Diffie-Hellman parameters with a Lim-Lee prime, choose a |
300 | generator of a prime-order subgroup rather than a subgroup of order |
301 | .RI ( p "- 1)/2." |
d03ab969 |
302 | .PP |
303 | The key's type is given by the required |
304 | .I type |
305 | argument. Following the type are zero or more attributes, which are |
306 | attached to the key in the same way as for the |
307 | .B setattr |
308 | command. |
309 | .PP |
052b36d0 |
310 | The key-generation algorithms supported are as follows: |
311 | .TP |
312 | .B "binary" |
313 | Generates a plain binary key of the requested length. If the requested |
314 | key length is not a multiple of eight, the high-order bits of the first |
315 | octet of the key are zeroed. The default key length is 128 bits. |
316 | .TP |
317 | .B "des" |
318 | Generates a DES key, with parity bits. The key length must be 56, 112 |
319 | or 168; the default is 56. The low-order bit of each octet is ignored by |
320 | the DES algorithm; it is used to give each octet odd parity. |
321 | .TP |
322 | .B "rsa" |
323 | Generates a public/private key pair for use with the RSA algorithm. |
324 | .IP |
325 | The key components are |
326 | .I p |
327 | and |
328 | .IR q , |
329 | a pair of prime numbers; |
330 | .IR n , |
331 | the product of |
332 | .I p |
333 | and |
334 | .IR q ; |
335 | .IR e , |
336 | the public exponent; |
337 | .IR d , |
338 | the private exponent, chosen such that |
339 | .IR ed \ \(==\ 1 |
340 | (mod |
341 | .RI ( p \ \-\ 1)( q \ \-\ 1)); |
342 | and some other values useful for optimizing private-key operations: |
343 | .IR q \*(ss\-1\*(se\ mod\ p , |
344 | .IR d \ mod\ p \ \-\ 1, |
345 | and |
346 | .IR d \ mod\ q \ \-\ 1. |
347 | The values |
348 | .I n |
349 | and |
350 | .I e |
351 | constitute the public key; the rest must be kept secret. The key size |
352 | requested by the |
353 | .B \-b |
354 | option determines the size of the modulus |
355 | .IR n ; |
356 | the default is 1024 bits. |
357 | .IP |
358 | The key generation algorithm chooses |
359 | .I p |
360 | and |
361 | .I q |
362 | to be |
363 | .I strong |
364 | primes: both |
365 | .IR p \ \-\ 1 |
366 | and |
367 | .IR p \ +\ 1 |
368 | have large prime factors \- call them |
369 | .I r |
370 | and |
371 | .I s |
372 | respectively \- and |
373 | .IR r \ \-\ 1 |
374 | also has a large prime factor; |
375 | .I q |
376 | has similar properties. |
377 | .IP |
378 | The modulus |
379 | .I n |
380 | cannot be sensibly used as a shared parameter, since knowledge of |
381 | corrssponding public and private exponents is sufficient to be able to |
382 | factor the modulus and recover other users' private keys. |
383 | .TP |
384 | .B "dh-params" |
385 | Generates parameters for use with the Diffie-Hellman key exchange |
386 | protocol, and many related systems, such as ElGamal encryption and |
1476eebc |
387 | signatures, and even DSA. (The separate DSA algorithm uses the |
388 | generator described in FIPS186-1.) |
389 | .IP |
390 | The Diffie-Hellman parameters are a prime modulus |
391 | .I p |
052b36d0 |
392 | and a generator |
393 | .I g |
1476eebc |
394 | of a subgroup of |
395 | .BR Z / \c |
396 | .IB p Z |
397 | of order |
398 | .IR q . |
399 | The |
052b36d0 |
400 | .B \-b |
1476eebc |
401 | option controls the size of the modulus |
052b36d0 |
402 | .IR p ; |
1476eebc |
403 | the default size is 1024 bits. |
404 | .IP |
405 | If no |
052b36d0 |
406 | .I q |
1476eebc |
407 | size is selected using the |
052b36d0 |
408 | .B \-B |
1476eebc |
409 | option and the Lim-Lee prime option is disabled, then |
410 | .I p |
411 | is chosen to be a `safe' prime (i.e., |
052b36d0 |
412 | .IR p \ =\ 2 q \ +\ 1, |
1476eebc |
413 | with |
414 | .I q |
415 | prime). In this case, the value of |
416 | .I g |
417 | is fixed as 4. |
418 | .IP |
419 | If a size is chosen for |
420 | .I q |
421 | and Lim-Lee primes are not selected then the prime |
422 | .I q |
423 | is generated and |
424 | .I p |
425 | is chosen so that |
426 | .IR p \ \-\ 1 |
427 | is a multiple of |
428 | .IR q . |
429 | .IP |
430 | If the |
431 | .B \-L |
432 | option was given Lim-Lee primes are selected: the parameters are chosen |
433 | such that |
434 | .IR p \ =\ 2\ q \*(us0\*(ue\ q \*(us1\*(ue\ q \*(us2\*(ue\ ...\ +\ 1, |
435 | where the |
436 | .IR q \*(us i\*(ue |
437 | are primes at least as large as the setting given by the |
438 | .B \-B |
439 | option (or 256 bits, if no setting was given). |
052b36d0 |
440 | .IP |
1476eebc |
441 | If the |
442 | .B \-S |
443 | option was given, the generator |
444 | .I g |
445 | is chosen to generate the subgroup of order |
446 | .IR q \*(us0\*(ue; |
447 | otherwise, |
448 | .I g |
449 | will generate the group of order |
450 | .RI ( p \ \-\ 1)/2\ =\ q \*(us0\*(ue\ q \*(us1\*(ue\ q \*(us2\*(ue\ ... |
052b36d0 |
451 | .TP |
452 | .B "dh" |
453 | Generates a public/private key pair for use with offline Diffie-Hellman, |
454 | ElGamal, DSA or similar discrete-logarithm-based systems. It selects a |
455 | private key |
456 | .IR x \ <\ q , |
457 | and computes the public key |
458 | .IR y \ =\ g\*(ssx\*(se \ mod\ p . |
459 | .TP |
460 | .B "dsa-param" |
461 | Generates parameters for the DSA algorithm. DSA parameters are also |
462 | suitable for use with Diffie-Hellman and ElGamal system. |
463 | .IP |
464 | The main difference between DSA and Diffie-Hellman parameter generation |
465 | is thatthe DSA parameter generation |
466 | algorithm creates a |
467 | .I seed |
468 | from which the parameters are derived, and, assuming that the SHA-1 hash |
469 | function is strong, it's not feasible to construct a seed from which |
470 | deliberately weak parameters are derived. The algorithm used is the one |
471 | described in the DSA standard, FIPS\ 186, extended only to allow |
472 | sequential search for a prime |
473 | .I q |
474 | and to allow arbitrary parameter sizes. The seed is stored, |
475 | Base64-encoded, as the value of the attribute |
476 | .BR seed . |
477 | .IP |
478 | The default lengths for |
479 | .I p |
480 | and |
481 | .I q |
482 | are 768 and 160 bits respectively, since the DSA standard specifies that |
483 | .I q |
484 | be 160 bits, and the choice of 768 bits for |
485 | .I p |
486 | gives commensurate security. |
487 | .TP |
488 | .B "dsa" |
489 | Generates a public/private key pair for DSA. As for Diffie-Hellman |
490 | keys, it selects a |
491 | private key |
492 | .IR x \ <\ q , |
493 | and computes the public key |
494 | .IR y \ =\ g\*(ssx\*(se \ mod\ p . |
495 | .TP |
496 | .B "bbs" |
497 | Generates a public/private key pair for the Blum-Blum-Shub random-number |
498 | generator, and the Blum-Goldwasser semantically-secure public-key |
499 | encryption system. |
500 | .IP |
501 | The key components are prime numbers |
502 | .I p |
503 | and |
504 | .IR q , |
505 | both congruent to 3 (mod\ 4), and their product |
506 | .IR n . |
507 | The public key is simply the modulus |
508 | .IR n ; |
509 | the factors |
510 | .I p |
511 | and |
512 | .I q |
513 | are the private key. |
514 | .IP |
515 | The key-generation algorithm ensures that the two primes |
516 | .I p |
517 | and |
518 | .I q |
519 | are |
520 | .I strong |
521 | (see the discussion of strong primes above, in the section on RSA keys), |
522 | and that |
523 | .RI ( p \ \-\ 1)/2 |
524 | and |
525 | .RI ( q \ \-\ 1)/2 |
526 | are relatively prime, giving a maximum possible period length. |
527 | .IP |
528 | The key size requested by the |
529 | .B \-b |
530 | option determines the length of the modulus |
531 | .IR n ; |
532 | the default length is 1024 bits. |
533 | .SS "expire" |
d03ab969 |
534 | Forces keys to immediately expire. An expired key is not chosen when a |
535 | program requests a key by its type. The keys to expire are listed by |
536 | their |
052b36d0 |
537 | .IR tag s. |
538 | .SS "delete" |
d03ab969 |
539 | Deletes keys immediately. The keys to delete are listed by their |
052b36d0 |
540 | .IR tag s. |
d03ab969 |
541 | Be careful when deleting keys. It might be a better idea |
542 | to expire keys rather than deleting them. |
052b36d0 |
543 | .SS "tag" |
544 | Sets, deletes or changes the tag attached to a key. The first tag or |
545 | keyid names the key to be modified; the second, if present specifies the |
546 | new tag to be set. If no second argument is given, the existing tag, if |
547 | any, is removed and no new tag is set. |
548 | .SS "setattr" |
d03ab969 |
549 | Attaches attributes to a key. The key to which the attributes should be |
550 | attached is given by its |
052b36d0 |
551 | .IR tag . |
d03ab969 |
552 | Each attribute has the form |
553 | .IB name = value\fR. |
554 | An attribute can be deleted by assigning it an empty value. Although |
555 | the keyring file format is capable of representing an attribute with an |
556 | empty value as distinct from a nonexistant attribute, this interface |
557 | does not allow empty attributes to be set. |
052b36d0 |
558 | .SS "comment" |
559 | Sets, deletes or changes the comment attached to a key. The first |
560 | argument is a key tag or keyid which names the key to be modified; the |
561 | second, if present, is the new comment. If no second argument is given, |
562 | the existing comment, if any, is removed, and no new comment is set. |
563 | .SS "lock" |
564 | Locks a key or key component using a passphrase. If the key is already |
565 | locked, the existing passphrase is requested, and a new passphrase is |
566 | set. |
567 | .SS "unlock" |
568 | Unlocks a passphrase-locked key or key component. If the key is not |
569 | locked, an error is reported. |
570 | .SS "list" |
d03ab969 |
571 | Lists the keys in the keyring. A couple of options are supported: |
572 | .TP |
573 | .B "\-v, \-\-verbose" |
574 | Increases the amount of information displayed for each key. Repeat for |
575 | a greater effect. |
576 | .TP |
577 | .B "\-q, \-\-quiet" |
578 | Decreases the amount of information displayed for each key. Each use |
579 | cancels a |
580 | .RB ` \-v ' |
581 | option. |
c9e31e42 |
582 | .TP |
583 | .B "\-u, \-\-utc" |
584 | Display key expiry times as UTC rather than using the local time zone. |
052b36d0 |
585 | .TP |
586 | .BI "\-f, \-\-filter " filter |
587 | Specifies a filter. Only keys and key components which match the filter |
588 | are listed. |
d03ab969 |
589 | .PP |
590 | By default, a single line of output is generated for each, showing |
591 | keyids, types, expiry and deletion dates, and comments. Additional |
592 | .RB ` \-v ' |
593 | options show more information, such as the exact time of day for expiry |
052b36d0 |
594 | and deletion, key attributes, and a dump of the actual key data. If the |
595 | verbosity level is sufficiently high, passphrases are requested to |
596 | decrypt locked keys. Make sure nobody is looking over your shoulder |
597 | when you do this! |
598 | .SS "fingerprint" |
599 | Reports a fingerprint (secure hash) on components of requested keys. |
600 | The following option is supported: |
601 | .TP |
602 | .BI "\-f, \-\-filter " filter |
603 | Specifies a filter. Only keys and key components which match the filter |
604 | are fingerprinted. The default is to only fingerprint nonsecret |
605 | components. |
606 | .PP |
607 | The keys to be fingerprinted are named by their tags or keyids given as |
608 | command line arguments. If no key tags are given, all keys which match |
609 | the filter are fingerprinted. |
610 | .SS "tidy" |
d03ab969 |
611 | Simply reads the keyring from file and writes it back again. This has |
612 | the effect of removing any deleted keys from the file. |
052b36d0 |
613 | .SS "extract" |
614 | Writes a selection of keys to a file. An option is supported: |
615 | .TP |
616 | .BI "\-f, \-\-filter " filter |
617 | Specifies a filter. Only keys and key components which match the filter |
618 | are written. |
619 | .PP |
620 | Keys extracted are written to the file named by the first argument, |
d03ab969 |
621 | which may be |
622 | .RB ` \- ' |
623 | to designate standard output. The keys to extract are listed by their |
052b36d0 |
624 | tags; if no tags are given, all keys which match the filter are |
625 | extracted. The output is a valid keyring file. |
626 | .SS "merge" |
d03ab969 |
627 | Merges the keys from the named |
628 | .IR file , |
629 | which may be |
630 | .RB ` \- ' |
631 | to designate standard input, with the keyring. Keys already in the |
632 | keyring are not overwritten: you must explicitly remove them first if |
633 | you want them to be replaced during the merge. |
d03ab969 |
634 | .SH "SEE ALSO" |
635 | .BR keyring (5). |
636 | .SH AUTHOR |
637 | Mark Wooding, <mdw@nsict.org> |
638 | |