author Alejandro Colomar <alx.manpages@gmail.com> 2022-05-22 22:15:34 +0200
committer Alejandro Colomar <alx.manpages@gmail.com> 2022-05-22 22:17:59 +0200
commit 406f1464916caa861980dca08b21883607f0dae0
tree c8590968dec45023b6ba1904c420fcf7373ff603
parent 5986310866527e37c6df118b1582177934522e39

doc: gpg(1): Escape minus character (HEAD, master)
This allows to portably search within the manual page (or info page),
or also copy-paste directly from the rendered output.

See man-pages(7):

   Generating optimal glyphs
       Where a real minus character is required (e.g., for numbers
       such as -1, for man page cross references such as utf-8(7),
       or when writing options that have a leading dash, such as in
       ls -l), use the following form in the man page source:

           \-

       This guideline applies also to code examples.

       The use of real minus signs serves the following purposes:

       *  To provide better renderings on various targets other
          than ASCII terminals, notably in PDF and on
          Unicode/UTF-8-capable terminals.

       *  To generate glyphs that when copied from rendered pages
          will produce real minus signs when pasted into a terminal.

Signed-off-by: Alejandro Colomar <alx.manpages@gmail.com>
-rw-r--r-- doc/gpg.texi 2614
1 file changed, 1307 insertions, 1307 deletions
diff --git a/doc/gpg.texi b/doc/gpg.texi
index f6c445658..5e18dfb63 100644
--- a/doc/gpg.texi
+++ b/doc/gpg.texi
@@ -68,7 +68,7 @@ There are two main versions of GnuPG: GnuPG 1.x and GnuPG 2.x. GnuPG
2.x supports modern encryption algorithms and thus should be preferred
over GnuPG 1.x. You only need to use GnuPG 1.x if your platform
doesn't support GnuPG 2.x, or you need support for some features that
-GnuPG 2.x has deprecated, e.g., decrypting data created with PGP-2
+GnuPG 2.x has deprecated, e.g., decrypting data created with PGP\-2
keys.
@ifclear gpgtwohack
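Review bot: `PGP\-2` in the "decrypting data created with" sentence is a hyphen inside a product name in running prose, not an option, a number or a cross reference, so it is outside the man-pages(7) cases quoted in the commit message; the same patch leaves "command-line" and "end-of-line" untouched. gpg.texi is also Texinfo, where a backslash is an ordinary character, so the info and HTML output will show `PGP\-2` literally. Suggest dropping this change and applying the minus escaping where the man page is generated from the Texinfo source instead of in the shared source.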
@@ -117,7 +117,7 @@ print a warning perform a reasonable action depending on the type of
file it is given as input (an encrypted message is decrypted, a
signature is verified, a file containing keys is listed, etc.).
-If you run into any problems, please add the option @option{--verbose}
+If you run into any problems, please add the option @option{\-\-verbose}
to the invocation to see more diagnostics.
@@ -135,24 +135,24 @@ to the invocation to see more diagnostics.
@subsection Commands not specific to the function
@table @gnupgtabopt
-@item --version
+@item \-\-version
@opindex version
Print the program version and licensing information. Note that you
cannot abbreviate this command.
-@item --help
-@itemx -h
+@item \-\-help
+@itemx \-h
@opindex help
Print a usage message summarizing the most useful command-line options.
Note that you cannot arbitrarily abbreviate this command
-(though you can use its short form @option{-h}).
+(though you can use its short form @option{\-h}).
-@item --warranty
+@item \-\-warranty
@opindex warranty
Print warranty information.
-@item --dump-options
-@opindex dump-options
+@item \-\-dump\-options
+@opindex dump\-options
Print a list of all available options and commands. Note that you cannot
abbreviate this command.
@end table
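Review bot: `@opindex dump\-options` puts the backslash into the option index entry itself, so the index key no longer matches the name a reader looks up (`dump-options`), which works against the searchability goal stated in the commit message. Keep `@opindex` arguments as the plain option name; if the man output needs `\-`, produce it when the man page is generated rather than in the index key.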
@@ -167,76 +167,76 @@ abbreviate this command.
@table @gnupgtabopt
-@item --sign
-@itemx -s
+@item \-\-sign
+@itemx \-s
@opindex sign
-Sign a message. This command may be combined with @option{--encrypt}
-(to sign and encrypt a message), @option{--symmetric} (to sign and
-symmetrically encrypt a message), or both @option{--encrypt} and
-@option{--symmetric} (to sign and encrypt a message that can be
+Sign a message. This command may be combined with @option{\-\-encrypt}
+(to sign and encrypt a message), @option{\-\-symmetric} (to sign and
+symmetrically encrypt a message), or both @option{\-\-encrypt} and
+@option{\-\-symmetric} (to sign and encrypt a message that can be
decrypted using a secret key or a passphrase). The signing key is
chosen by default or can be set explicitly using the
-@option{--local-user} and @option{--default-key} options.
+@option{\-\-local\-user} and @option{\-\-default\-key} options.
-@item --clear-sign
-@opindex clear-sign
-@itemx --clearsign
+@item \-\-clear\-sign
+@opindex clear\-sign
+@itemx \-\-clearsign
@opindex clearsign
Make a cleartext signature. The content in a cleartext signature is
readable without any special software. OpenPGP software is only needed
to verify the signature. cleartext signatures may modify end-of-line
whitespace for platform independence and are not intended to be
reversible. The signing key is chosen by default or can be set
-explicitly using the @option{--local-user} and @option{--default-key}
+explicitly using the @option{\-\-local\-user} and @option{\-\-default\-key}
options.
-@item --detach-sign
-@itemx -b
-@opindex detach-sign
+@item \-\-detach\-sign
+@itemx \-b
+@opindex detach\-sign
Make a detached signature.
-@item --encrypt
-@itemx -e
+@item \-\-encrypt
+@itemx \-e
@opindex encrypt
Encrypt data to one or more public keys. This command may be combined
-with @option{--sign} (to sign and encrypt a message),
-@option{--symmetric} (to encrypt a message that can be decrypted using a
-secret key or a passphrase), or @option{--sign} and
-@option{--symmetric} together (for a signed message that can be
-decrypted using a secret key or a passphrase). @option{--recipient}
+with @option{\-\-sign} (to sign and encrypt a message),
+@option{\-\-symmetric} (to encrypt a message that can be decrypted using a
+secret key or a passphrase), or @option{\-\-sign} and
+@option{\-\-symmetric} together (for a signed message that can be
+decrypted using a secret key or a passphrase). @option{\-\-recipient}
and related options specify which public keys to use for encryption.
-@item --symmetric
-@itemx -c
+@item \-\-symmetric
+@itemx \-c
@opindex symmetric
Encrypt with a symmetric cipher using a passphrase. The default
symmetric cipher used is @value{GPGSYMENCALGO}, but may be chosen with the
-@option{--cipher-algo} option. This command may be combined with
-@option{--sign} (for a signed and symmetrically encrypted message),
-@option{--encrypt} (for a message that may be decrypted via a secret key
-or a passphrase), or @option{--sign} and @option{--encrypt} together
+@option{\-\-cipher\-algo} option. This command may be combined with
+@option{\-\-sign} (for a signed and symmetrically encrypted message),
+@option{\-\-encrypt} (for a message that may be decrypted via a secret key
+or a passphrase), or @option{\-\-sign} and @option{\-\-encrypt} together
(for a signed message that may be decrypted via a secret key or a
passphrase). @command{@gpgname} caches the passphrase used for
symmetric encryption so that a decrypt operation may not require that
the user needs to enter the passphrase. The option
-@option{--no-symkey-cache} can be used to disable this feature.
+@option{\-\-no\-symkey\-cache} can be used to disable this feature.
-@item --store
+@item \-\-store
@opindex store
Store only (make a simple literal data packet).
-@item --decrypt
-@itemx -d
+@item \-\-decrypt
+@itemx \-d
@opindex decrypt
Decrypt the file given on the command line (or STDIN if no file
is specified) and write it to STDOUT (or the file specified with
-@option{--output}). If the decrypted file is signed, the signature is also
+@option{\-\-output}). If the decrypted file is signed, the signature is also
verified. This command differs from the default operation, as it never
writes to the filename which is included in the file and it rejects
files that don't begin with an encrypted message.
-@item --verify
+@item \-\-verify
@opindex verify
Assume that the first argument is a signed file and verify it without
generating any output. With no arguments, the signature packet is
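Review bot: after this hunk the source spells options as `@option{\-\-no\-symkey\-cache}`, `@option{\-\-local\-user}` and so on, so a plain search of gpg.texi for an option name such as `--no-symkey-cache` no longer finds its documentation. Every changed line here is already inside `@item`, `@itemx`, `@opindex` or `@option{...}`, which marks the text as an option name; that markup is enough for the man conversion to emit `\-` mechanically, and it would keep the source greppable and avoid a 1307-line change.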
@@ -245,11 +245,11 @@ expected to include a complete signature.
With more than one argument, the first argument should specify a file
with a detached signature and the remaining files should contain the
-signed data. To read the signed data from STDIN, use @samp{-} as the
+signed data. To read the signed data from STDIN, use @samp{\-} as the
second filename. For security reasons, a detached signature will not
read the signed material from STDIN if not explicitly specified.
-Note: If the option @option{--batch} is not used, @command{@gpgname}
+Note: If the option @option{\-\-batch} is not used, @command{@gpgname}
may assume that a single argument is a file with a detached signature,
and it will try to find a matching data file by stripping certain
suffixes. Using this historical feature to verify a detached
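Review bot: `@samp{\-}` in the "use ... as the second filename" sentence documents a literal argument, the single character that tells gpg to read the signed data from STDIN, in a paragraph that exists for security reasons. Texinfo does not treat the backslash as an escape, so info and HTML readers will be shown `\-` as the filename to pass. Keep `@samp{-}` here so the documented value is exactly the character that is meant.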
@@ -259,7 +259,7 @@ explicitly.
Note: When verifying a cleartext signature, @command{@gpgname} verifies
only what makes up the cleartext signed data and not any extra data
outside of the cleartext signature or the header lines directly following
-the dash marker line. The option @code{--output} may be used to write
+the dash marker line. The option @code{\-\-output} may be used to write
out the actual signed data, but there are other pitfalls with this
format as well. It is suggested to avoid cleartext signatures in
favor of detached signatures.
@@ -271,191 +271,191 @@ returns with success only for a good signature. It has its own manual
page.
-@item --multifile
+@item \-\-multifile
@opindex multifile
This modifies certain other commands to accept multiple files for
processing on the command line or read from STDIN with each filename on
a separate line. This allows for many files to be processed at
-once. @option{--multifile} may currently be used along with
-@option{--verify}, @option{--encrypt}, and @option{--decrypt}. Note that
-@option{--multifile --verify} may not be used with detached signatures.
-
-@item --verify-files
-@opindex verify-files
-Identical to @option{--multifile --verify}.
-
-@item --encrypt-files
-@opindex encrypt-files
-Identical to @option{--multifile --encrypt}.
-
-@item --decrypt-files
-@opindex decrypt-files
-Identical to @option{--multifile --decrypt}.
-
-@item --list-keys
-@itemx -k
-@itemx --list-public-keys
-@opindex list-keys
+once. @option{\-\-multifile} may currently be used along with
+@option{\-\-verify}, @option{\-\-encrypt}, and @option{\-\-decrypt}. Note that
+@option{\-\-multifile \-\-verify} may not be used with detached signatures.
+
+@item \-\-verify\-files
+@opindex verify\-files
+Identical to @option{\-\-multifile \-\-verify}.
+
+@item \-\-encrypt\-files
+@opindex encrypt\-files
+Identical to @option{\-\-multifile \-\-encrypt}.
+
+@item \-\-decrypt\-files
+@opindex decrypt\-files
+Identical to @option{\-\-multifile \-\-decrypt}.
+
+@item \-\-list\-keys
+@itemx \-k
+@itemx \-\-list\-public\-keys
+@opindex list\-keys
List the specified keys. If no keys are specified, then all keys from
the configured public keyrings are listed.
Never use the output of this command in scripts or other programs.
The output is intended only for humans and its format is likely to
-change. The @option{--with-colons} option emits the output in a
+change. The @option{\-\-with\-colons} option emits the output in a
stable, machine-parseable format, which is intended for use by scripts
and other programs.
-@item --list-secret-keys
-@itemx -K
-@opindex list-secret-keys
+@item \-\-list\-secret\-keys
+@itemx \-K
+@opindex list\-secret\-keys
List the specified secret keys. If no keys are specified, then all
known secret keys are listed. A @code{#} after the initial tags
@code{sec} or @code{ssb} means that the secret key or subkey is
currently not usable. We also say that this key has been taken
offline (for example, a primary key can be taken offline by exporting
-the key using the command @option{--export-secret-subkeys}). A
+the key using the command @option{\-\-export\-secret\-subkeys}). A
@code{>} after these tags indicate that the key is stored on a
-smartcard. See also @option{--list-keys}.
+smartcard. See also @option{\-\-list\-keys}.
-@item --check-signatures
-@opindex check-signatures
-@itemx --check-sigs
-@opindex check-sigs
-Same as @option{--list-keys}, but the key signatures are verified and
+@item \-\-check\-signatures
+@opindex check\-signatures
+@itemx \-\-check\-sigs
+@opindex check\-sigs
+Same as @option{\-\-list\-keys}, but the key signatures are verified and
listed too. Note that for performance reasons the revocation status
of a signing key is not shown. This command has the same effect as
-using @option{--list-keys} with @option{--with-sig-check}.
+using @option{\-\-list\-keys} with @option{\-\-with\-sig\-check}.
The status of the verification is indicated by a flag directly
following the "sig" tag (and thus before the flags described below. A
-"!" indicates that the signature has been successfully verified, a "-"
+"!" indicates that the signature has been successfully verified, a "\-"
denotes a bad signature and a "%" is used if an error occurred while
checking the signature (e.g. a non supported algorithm). Signatures
where the public key is not available are not listed; to see their
-keyids the command @option{--list-sigs} can be used.
+keyids the command @option{\-\-list\-sigs} can be used.
For each signature listed, there are several flags in between the
signature status flag and keyid. These flags give additional
information about each key signature. From left to right, they are
the numbers 1-3 for certificate check level (see
-@option{--ask-cert-level}), "L" for a local or non-exportable
-signature (see @option{--lsign-key}), "R" for a nonRevocable signature
-(see the @option{--edit-key} command "nrsign"), "P" for a signature
-that contains a policy URL (see @option{--cert-policy-url}), "N" for a
-signature that contains a notation (see @option{--cert-notation}), "X"
-for an eXpired signature (see @option{--ask-cert-expire}), and the
+@option{\-\-ask\-cert\-level}), "L" for a local or non-exportable
+signature (see @option{\-\-lsign\-key}), "R" for a nonRevocable signature
+(see the @option{\-\-edit\-key} command "nrsign"), "P" for a signature
+that contains a policy URL (see @option{\-\-cert\-policy\-url}), "N" for a
+signature that contains a notation (see @option{\-\-cert\-notation}), "X"
+for an eXpired signature (see @option{\-\-ask\-cert\-expire}), and the
numbers 1-9 or "T" for 10 and above to indicate trust signature levels
-(see the @option{--edit-key} command "tsign").
+(see the @option{\-\-edit\-key} command "tsign").
-@item --locate-keys
-@itemx --locate-external-keys
-@opindex locate-keys
-@opindex locate-external-keys
+@item \-\-locate\-keys
+@itemx \-\-locate\-external\-keys
+@opindex locate\-keys
+@opindex locate\-external\-keys
Locate the keys given as arguments. This command basically uses the
same algorithm as used when locating keys for encryption and may thus
be used to see what keys @command{@gpgname} might use. In particular
-external methods as defined by @option{--auto-key-locate} are used to
+external methods as defined by @option{\-\-auto\-key\-locate} are used to
locate a key if the arguments comain valid mail addresses. Only
public keys are listed.
-The variant @option{--locate-external-keys} does not consider a
+The variant @option{\-\-locate\-external\-keys} does not consider a
locally existing key and can thus be used to force the refresh of a
key via the defined external methods. If a fingerprint is given and
-and the methods defined by --auto-key-locate define LDAP servers, the
+and the methods defined by \-\-auto\-key\-locate define LDAP servers, the
key is fetched from these resources; defined non-LDAP keyservers are
skipped.
-@item --show-keys
-@opindex show-keys
+@item \-\-show\-keys
+@opindex show\-keys
This commands takes OpenPGP keys as input and prints information about
-them in the same way the command @option{--list-keys} does for locally
-stored key. In addition the list options @code{show-unusable-uids},
-@code{show-unusable-subkeys}, @code{show-notations} and
-@code{show-policy-urls} are also enabled. As usual for automated
+them in the same way the command @option{\-\-list\-keys} does for locally
+stored key. In addition the list options @code{show\-unusable\-uids},
+@code{show\-unusable\-subkeys}, @code{show\-notations} and
+@code{show\-policy\-urls} are also enabled. As usual for automated
processing, this command should be combined with the option
-@option{--with-colons}.
+@option{\-\-with\-colons}.
-@item --fingerprint
+@item \-\-fingerprint
@opindex fingerprint
List all keys (or the specified ones) along with their
-fingerprints. This is the same output as @option{--list-keys} but with
+fingerprints. This is the same output as @option{\-\-list\-keys} but with
the additional output of a line with the fingerprint. May also be
-combined with @option{--check-signatures}. If this
+combined with @option{\-\-check\-signatures}. If this
command is given twice, the fingerprints of all secondary keys are
listed too. This command also forces pretty printing of fingerprints
if the keyid format has been set to "none".
-@item --list-packets
-@opindex list-packets
+@item \-\-list\-packets
+@opindex list\-packets
List only the sequence of packets. This command is only useful for
-debugging. When used with option @option{--verbose} the actual MPI
+debugging. When used with option @option{\-\-verbose} the actual MPI
values are dumped and not only their lengths. Note that the output of
this command may change with new releases.
-@item --edit-card
-@opindex edit-card
-@itemx --card-edit
-@opindex card-edit
+@item \-\-edit\-card
+@opindex edit\-card
+@itemx \-\-card\-edit
+@opindex card\-edit
Present a menu to work with a smartcard. The subcommand "help" provides
an overview on available commands. For a detailed description, please
see the Card HOWTO at
-https://gnupg.org/documentation/howtos.html#GnuPG-cardHOWTO .
+https://gnupg.org/documentation/howtos.html#GnuPG\-cardHOWTO .
-@item --card-status
-@opindex card-status
+@item \-\-card\-status
+@opindex card\-status
Show the content of the smart card.
-@item --change-pin
-@opindex change-pin
+@item \-\-change\-pin
+@opindex change\-pin
Present a menu to allow changing the PIN of a smartcard. This
functionality is also available as the subcommand "passwd" with the
-@option{--edit-card} command.
+@option{\-\-edit\-card} command.
-@item --delete-keys @var{name}
-@opindex delete-keys
-Remove key from the public keyring. In batch mode either @option{--yes} is
+@item \-\-delete\-keys @var{name}
+@opindex delete\-keys
+Remove key from the public keyring. In batch mode either @option{\-\-yes} is
required or the key must be specified by fingerprint. This is a
safeguard against accidental deletion of multiple keys. If the
exclamation mark syntax is used with the fingerprint of a subkey only
that subkey is deleted; if the exclamation mark is used with the
fingerprint of the primary key the entire public key is deleted.
-@item --delete-secret-keys @var{name}
-@opindex delete-secret-keys
+@item \-\-delete\-secret\-keys @var{name}
+@opindex delete\-secret\-keys
Remove key from the secret keyring. In batch mode the key must be
-specified by fingerprint. The option @option{--yes} can be used to
-advise gpg-agent not to request a confirmation. This extra
+specified by fingerprint. The option @option{\-\-yes} can be used to
+advise gpg\-agent not to request a confirmation. This extra
pre-caution is done because @command{@gpgname} can't be sure that the
-secret key (as controlled by gpg-agent) is only used for the given
+secret key (as controlled by gpg\-agent) is only used for the given
OpenPGP public key. If the exclamation mark syntax is used with the
fingerprint of a subkey only the secret part of that subkey is
deleted; if the exclamation mark is used with the fingerprint of the
primary key only the secret part of the primary key is deleted.
-@item --delete-secret-and-public-key @var{name}
-@opindex delete-secret-and-public-key
-Same as @option{--delete-key}, but if a secret key exists, it will be
+@item \-\-delete\-secret\-and\-public\-key @var{name}
+@opindex delete\-secret\-and\-public\-key
+Same as @option{\-\-delete\-key}, but if a secret key exists, it will be
removed first. In batch mode the key must be specified by fingerprint.
-The option @option{--yes} can be used to advise gpg-agent not to
+The option @option{\-\-yes} can be used to advise gpg\-agent not to
request a confirmation.
-@item --export
+@item \-\-export
@opindex export
Either export all keys from all keyrings (default keyring and those
-registered via option @option{--keyring}), or if at least one name is given,
+registered via option @option{\-\-keyring}), or if at least one name is given,
those of the given name. The exported keys are written to STDOUT or to the
-file given with option @option{--output}. Use together with
-@option{--armor} to mail those keys.
+file given with option @option{\-\-output}. Use together with
+@option{\-\-armor} to mail those keys.
-@item --send-keys @var{keyIDs}
-@opindex send-keys
-Similar to @option{--export} but sends the keys to a keyserver.
+@item \-\-send\-keys @var{keyIDs}
+@opindex send\-keys
+Similar to @option{\-\-export} but sends the keys to a keyserver.
Fingerprints may be used instead of key IDs.
-Don't send your complete keyring to a keyserver --- select
+Don't send your complete keyring to a keyserver \-\-\- select
only those keys which are new or changed by you. If no @var{keyIDs}
are given, @command{@gpgname} does nothing.
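Review bot: the Card HOWTO link in the `--edit-card` entry becomes `https://gnupg.org/documentation/howtos.html#GnuPG\-cardHOWTO`; a backslash inside the fragment changes the link target, so that line should be reverted. Two more spots in this hunk should also stay as they were: `---` in "Don't send your complete keyring to a keyserver" is Texinfo's em dash and turns into three minus signs as `\-\-\-`, and the `"-"` bad-signature flag in the `--check-signatures` text is a literal output character that should be documented unmodified. The ranges "1-3" and "1-9" are rightly left alone.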
@@ -464,14 +464,14 @@ not possible to ever delete keys once they have been send to a
keyserver.
-@item --export-secret-keys
-@itemx --export-secret-subkeys
-@opindex export-secret-keys
-@opindex export-secret-subkeys
-Same as @option{--export}, but exports the secret keys instead. The
+@item \-\-export\-secret\-keys
+@itemx \-\-export\-secret\-subkeys
+@opindex export\-secret\-keys
+@opindex export\-secret\-subkeys
+Same as @option{\-\-export}, but exports the secret keys instead. The
exported keys are written to STDOUT or to the file given with option
-@option{--output}. This command is often used along with the option
-@option{--armor} to allow for easy printing of the key for paper backup;
+@option{\-\-output}. This command is often used along with the option
+@option{\-\-armor} to allow for easy printing of the key for paper backup;
however the external tool @command{paperkey} does a better job of
creating backups on paper. Note that exporting a secret key can be a
security risk if the exported keys are sent over an insecure channel.
@@ -487,12 +487,12 @@ GnuPG may ask you to enter the passphrase for the key. This is
required, because the internal protection method of the secret key is
different from the one specified by the OpenPGP protocol.
-@item --export-ssh-key
-@opindex export-ssh-key
+@item \-\-export\-ssh\-key
+@opindex export\-ssh\-key
This command is used to export a key in the OpenSSH public key format.
It requires the specification of one key by the usual means and
exports the latest valid subkey which has an authentication capability
-to STDOUT or to the file given with option @option{--output}. That
+to STDOUT or to the file given with option @option{\-\-output}. That
output can directly be added to ssh's @file{authorized_key} file.
By specifying the key to export using a key ID or a fingerprint
@@ -500,89 +500,89 @@ suffixed with an exclamation mark (!), a specific subkey or the
primary key can be exported. This does not even require that the key
has the authentication capability flag set.
-@item --import
-@itemx --fast-import
+@item \-\-import
+@itemx \-\-fast\-import
@opindex import
Import/merge keys. This adds the given keys to the
keyring. The fast version is currently just a synonym.
There are a few other options which control how this command works.
-Most notable here is the @option{--import-options merge-only} option
+Most notable here is the @option{\-\-import\-options merge\-only} option
which does not insert new keys but does only the merging of new
signatures, user-IDs and subkeys.
-@item --receive-keys @var{keyIDs}
-@opindex receive-keys
-@itemx --recv-keys @var{keyIDs}
-@opindex recv-keys
+@item \-\-receive\-keys @var{keyIDs}
+@opindex receive\-keys
+@itemx \-\-recv\-keys @var{keyIDs}
+@opindex recv\-keys
Import the keys with the given @var{keyIDs} from a keyserver.
-@item --refresh-keys
-@opindex refresh-keys
+@item \-\-refresh\-keys
+@opindex refresh\-keys
Request updates from a keyserver for keys that already exist on the
local keyring. This is useful for updating a key with the latest
signatures, user IDs, etc. Calling this with no arguments will refresh
the entire keyring.
-@item --search-keys @var{names}
-@opindex search-keys
+@item \-\-search\-keys @var{names}
+@opindex search\-keys
Search the keyserver for the given @var{names}. Multiple names given
here will be joined together to create the search string for the
keyserver. Note that keyservers search for @var{names} in a different
and simpler way than gpg does. The best choice is to use a mail
address. Due to data privacy reasons keyservers may even not even
allow searching by user id or mail address and thus may only return
-results when being used with the @option{--recv-key} command to
+results when being used with the @option{\-\-recv\-key} command to
search by key fingerprint or keyid.
-@item --fetch-keys @var{URIs}
-@opindex fetch-keys
+@item \-\-fetch\-keys @var{URIs}
+@opindex fetch\-keys
Retrieve keys located at the specified @var{URIs}. Note that different
installations of GnuPG may support different protocols (HTTP, FTP,
LDAP, etc.). When using HTTPS the system provided root certificates
are used by this command.
-@item --update-trustdb
-@opindex update-trustdb
+@item \-\-update\-trustdb
+@opindex update\-trustdb
Do trust database maintenance. This command iterates over all keys and
builds the Web of Trust. This is an interactive command because it may
have to ask for the "ownertrust" values for keys. The user has to give
an estimation of how far she trusts the owner of the displayed key to
correctly certify (sign) other keys. GnuPG only asks for the ownertrust
value if it has not yet been assigned to a key. Using the
-@option{--edit-key} menu, the assigned value can be changed at any time.
+@option{\-\-edit\-key} menu, the assigned value can be changed at any time.
-@item --check-trustdb
-@opindex check-trustdb
+@item \-\-check\-trustdb
+@opindex check\-trustdb
Do trust database maintenance without user interaction. From time to
time the trust database must be updated so that expired keys or
signatures and the resulting changes in the Web of Trust can be
tracked. Normally, GnuPG will calculate when this is required and do it
-automatically unless @option{--no-auto-check-trustdb} is set. This
+automatically unless @option{\-\-no\-auto\-check\-trustdb} is set. This
command can be used to force a trust database check at any time. The
-processing is identical to that of @option{--update-trustdb} but it
+processing is identical to that of @option{\-\-update\-trustdb} but it
skips keys with a not yet defined "ownertrust".
For use with cron jobs, this command can be used together with
-@option{--batch} in which case the trust database check is done only if
+@option{\-\-batch} in which case the trust database check is done only if
a check is needed. To force a run even in batch mode add the option
-@option{--yes}.
+@option{\-\-yes}.
-@anchor{option --export-ownertrust}
-@item --export-ownertrust
-@opindex export-ownertrust
+@anchor{option \-\-export\-ownertrust}
+@item \-\-export\-ownertrust
+@opindex export\-ownertrust
Send the ownertrust values to STDOUT. This is useful for backup purposes
as these values are the only ones which can't be re-created from a
corrupted trustdb. Example:
@c man:.RS
@example
- @gpgname{} --export-ownertrust > otrust.txt
+ @gpgname{} \-\-export\-ownertrust > otrust.txt
@end example
@c man:.RE
-@item --import-ownertrust
-@opindex import-ownertrust
+@item \-\-import\-ownertrust
+@opindex import\-ownertrust
Update the trustdb with the ownertrust values stored in @code{files} (or
STDIN if not given); existing values will be overwritten. In case of a
severely damaged trustdb and if you have a recent backup of the
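Review bot: `@anchor{option \-\-export\-ownertrust}` renames a cross-reference target, so every `@ref`, `@xref` or `@pxref` that points at "option --export-ownertrust" has to change in the same commit or it will dangle; no such reference is visible in this hunk. Anchor names are lookup keys, so it is simpler and safer to leave them unescaped. The `@example` line `@gpgname{} \-\-export\-ownertrust > otrust.txt` will likewise show its backslashes in info and HTML output, which is where readers copy the command from.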
@@ -592,63 +592,63 @@ the trustdb using these commands:
@example
cd ~/.gnupg
rm trustdb.gpg
- @gpgname{} --import-ownertrust < otrust.txt
+ @gpgname{} \-\-import\-ownertrust < otrust.txt
@end example
@c man:.RE
-@item --rebuild-keydb-caches
-@opindex rebuild-keydb-caches
+@item \-\-rebuild\-keydb\-caches
+@opindex rebuild\-keydb\-caches
When updating from version 1.0.6 to 1.0.7 this command should be used
to create signature caches in the keyring. It might be handy in other
situations too.
-@item --print-md @var{algo}
-@itemx --print-mds
-@opindex print-md
+@item \-\-print\-md @var{algo}
+@itemx \-\-print\-mds
+@opindex print\-md
Print message digest of algorithm @var{algo} for all given files or STDIN.
With the second form (or a deprecated "*" for @var{algo}) digests for all
available algorithms are printed.
-@item --gen-random @var{0|1|2} @var{count}
-@opindex gen-random
+@item \-\-gen\-random @var{0|1|2} @var{count}
+@opindex gen\-random
Emit @var{count} random bytes of the given quality level 0, 1 or 2. If
@var{count} is not given or zero, an endless sequence of random bytes
-will be emitted. If used with @option{--armor} the output will be
+will be emitted. If used with @option{\-\-armor} the output will be
base64 encoded. PLEASE, don't use this command unless you know what
you are doing; it may remove precious entropy from the system!
-@item --gen-prime @var{mode} @var{bits}
-@opindex gen-prime
+@item \-\-gen\-prime @var{mode} @var{bits}
+@opindex gen\-prime
Use the source, Luke :-). The output format is subject to change
with ant release.
-@item --enarmor
-@itemx --dearmor
+@item \-\-enarmor
+@itemx \-\-dearmor
@opindex enarmor
@opindex dearmor
Pack or unpack an arbitrary input into/from an OpenPGP ASCII armor.
This is a GnuPG extension to OpenPGP and in general not very useful.
-The @option{--dearmor} command can also be used to dearmor PEM armors.
+The @option{\-\-dearmor} command can also be used to dearmor PEM armors.
-@item --unwrap
+@item \-\-unwrap
@opindex unwrap
-This command is similar to @option{--decrypt} with the change that the
+This command is similar to @option{\-\-decrypt} with the change that the
output is not the usual plaintext but the original message with the
decryption layer removed. Thus the output will be an OpenPGP data
structure which often means a signed OpenPGP message. Note that this
command may or may not remove a compression layer which is often found
beneath the encryption layer.
-@item --tofu-policy @{auto|good|unknown|bad|ask@} @var{keys}
-@opindex tofu-policy
+@item \-\-tofu\-policy @{auto|good|unknown|bad|ask@} @var{keys}
+@opindex tofu\-policy
Set the TOFU policy for all the bindings associated with the specified
@var{keys}. For more information about the meaning of the policies,
-@pxref{trust-model-tofu}. The @var{keys} may be specified either by their
+@pxref{trust\-model\-tofu}. The @var{keys} may be specified either by their
fingerprint (preferred) or their keyid.
-@c @item --server
+@c @item \-\-server
@c @opindex server
@c Run gpg in server mode. This feature is not yet ready for use and
@c thus not documented.
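Review bot: `@pxref{trust\-model\-tofu}` in the `--tofu-policy` entry now refers to a node or anchor that must exist under exactly that spelling; its definition is not part of this hunk, so please confirm it is renamed in the same patch, or better keep `@pxref{trust-model-tofu}`. The edit to the commented-out `@c @item \-\-server` line affects no output and can be dropped to reduce churn.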
@@ -666,14 +666,14 @@ This section explains the main commands for key management.
@table @gnupgtabopt
-@item --quick-generate-key @var{user-id} [@var{algo} [@var{usage} [@var{expire}]]]
-@itemx --quick-gen-key
-@opindex quick-generate-key
-@opindex quick-gen-key
+@item \-\-quick\-generate\-key @var{user\-id} [@var{algo} [@var{usage} [@var{expire}]]]
+@itemx \-\-quick\-gen\-key
+@opindex quick\-generate\-key
+@opindex quick\-gen\-key
This is a simple command to generate a standard key with one user id.
-In contrast to @option{--generate-key} the key is generated directly
+In contrast to @option{\-\-generate\-key} the key is generated directly
without the need to answer a bunch of prompts. Unless the option
-@option{--yes} is given, the key creation will be canceled if the
+@option{\-\-yes} is given, the key creation will be canceled if the
given user id already exists in the keyring.
If invoked directly on the console without any special options an
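Review bot: In the `\-\-quick\-generate\-key` item, `@var{user\-id}` is a metavariable name with an ordinary hyphen, not an option dash, and the patch leaves the same name as `@var{user-id}` in the `\-\-quick\-add\-uid`, `\-\-quick\-revoke\-uid`, `\-\-quick\-set\-primary\-uid` and `\-\-change\-passphrase` items further down. Pick one spelling; keeping `@var{user-id}` here matches those items and the man-pages(7) text quoted in the commit message, which asks for `\-` in numbers, man page cross references and options.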
@@ -684,27 +684,27 @@ force the creation of the key will show up.
If @var{algo} or @var{usage} are given, only the primary key is
created and no prompts are shown. To specify an expiration date but
still create a primary and subkey use ``default'' or
-``future-default'' for @var{algo} and ``default'' for @var{usage}.
+``future\-default'' for @var{algo} and ``default'' for @var{usage}.
For a description of these optional arguments see the command
-@code{--quick-add-key}. The @var{usage} accepts also the value
+@code{\-\-quick\-add\-key}. The @var{usage} accepts also the value
``cert'' which can be used to create a certification only primary key;
the default is to a create certification and signing key.
The @var{expire} argument can be used to specify an expiration date
for the key. Several formats are supported; commonly the ISO formats
-``YYYY-MM-DD'' or ``YYYYMMDDThhmmss'' are used. To make the key
+``YYYY\-MM\-DD'' or ``YYYYMMDDThhmmss'' are used. To make the key
expire in N seconds, N days, N weeks, N months, or N years use
``seconds=N'', ``Nd'', ``Nw'', ``Nm'', or ``Ny'' respectively. Not
-specifying a value, or using ``-'' results in a key expiring in a
+specifying a value, or using ``\-'' results in a key expiring in a
reasonable default interval. The values ``never'', ``none'' can be
used for no expiration date.
-If this command is used with @option{--batch},
-@option{--pinentry-mode} has been set to @code{loopback}, and one of
-the passphrase options (@option{--passphrase},
-@option{--passphrase-fd}, or @option{--passphrase-file}) is used, the
+If this command is used with @option{\-\-batch},
+@option{\-\-pinentry\-mode} has been set to @code{loopback}, and one of
+the passphrase options (@option{\-\-passphrase},
+@option{\-\-passphrase\-fd}, or @option{\-\-passphrase\-file}) is used, the
supplied passphrase is used for the new key and the agent does not ask
-for it. To create a key without any protection @code{--passphrase ''}
+for it. To create a key without any protection @code{\-\-passphrase ''}
may be used.
To create an OpenPGP key from the keys available on the currently
@@ -712,16 +712,16 @@ inserted smartcard, the special string ``card'' can be used for
@var{algo}. If the card features an encryption and a signing key, gpg
will figure them out and creates an OpenPGP key consisting of the
usual primary key and one subkey. This works only with certain
-smartcards. Note that the interactive @option{--full-gen-key} command
+smartcards. Note that the interactive @option{\-\-full\-gen\-key} command
allows to do the same but with greater flexibility in the selection of
the smartcard keys.
Note that it is possible to create a primary key and a subkey using
non-default algorithms by using ``default'' and changing the default
-parameters using the option @option{--default-new-key-algo}.
+parameters using the option @option{\-\-default\-new\-key\-algo}.
-@item --quick-set-expire @var{fpr} @var{expire} [*|@var{subfprs}]
-@opindex quick-set-expire
+@item \-\-quick\-set\-expire @var{fpr} @var{expire} [*|@var{subfprs}]
+@opindex quick\-set\-expire
With two arguments given, directly set the expiration time of the
primary key identified by @var{fpr} to @var{expire}. To remove the
expiration time @code{0} can be used. With three arguments and the
@@ -732,8 +732,8 @@ non-revoked subkeys matching these fingerprints are set to
@var{expire}.
-@item --quick-add-key @var{fpr} [@var{algo} [@var{usage} [@var{expire}]]]
-@opindex quick-add-key
+@item \-\-quick\-add\-key @var{fpr} [@var{algo} [@var{usage} [@var{expire}]]]
+@opindex quick\-add\-key
Directly add a subkey to the key identified by the fingerprint
@var{fpr}. Without the optional arguments an encryption subkey is
added. If any of the arguments are given a more specific subkey is
@@ -741,19 +741,19 @@ added.
@var{algo} may be any of the supported algorithms or curve names
given in the format as used by key listings. To use the default
-algorithm the string ``default'' or ``-'' can be used. Supported
+algorithm the string ``default'' or ``\-'' can be used. Supported
algorithms are ``rsa'', ``dsa'', ``elg'', ``ed25519'', ``cv25519'',
and other ECC curves. For example the string ``rsa'' adds an RSA key
with the default key length; a string ``rsa4096'' requests that the
-key length is 4096 bits. The string ``future-default'' is an alias
+key length is 4096 bits. The string ``future\-default'' is an alias
for the algorithm which will likely be used as default algorithm in
future versions of gpg. To list the supported ECC curves the command
-@code{gpg --with-colons --list-config curve} can be used.
+@code{gpg \-\-with\-colons \-\-list\-config curve} can be used.
Depending on the given @var{algo} the subkey may either be an
encryption subkey or a signing subkey. If an algorithm is capable of
signing and encryption and such a subkey is desired, a @var{usage}
-string must be given. This string is either ``default'' or ``-'' to
+string must be given. This string is either ``default'' or ``\-'' to
keep the default or a comma delimited list (or space delimited list)
of keywords: ``sign'' for a signing subkey, ``auth'' for an
authentication subkey, and ``encr'' for an encryption subkey
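Review bot: `@code{gpg \-\-with\-colons \-\-list\-config curve}` puts the roff `\-` escape into Texinfo source, where a backslash is an ordinary character outside `@math`, so the Info and HTML renderings of this example would show the backslashes and a copy-paste from them would no longer be a working command. If the aim is a real minus in the generated gpg(1), the escaping belongs in the Texinfo-to-man conversion step with `@code{gpg --with-colons --list-config curve}` left untouched here; at minimum, check the Info and HTML output before merging.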
@@ -762,62 +762,62 @@ combinations depend on the algorithm.
The @var{expire} argument can be used to specify an expiration date
for the key. Several formats are supported; commonly the ISO formats
-``YYYY-MM-DD'' or ``YYYYMMDDThhmmss'' are used. To make the key
+``YYYY\-MM\-DD'' or ``YYYYMMDDThhmmss'' are used. To make the key
expire in N seconds, N days, N weeks, N months, or N years use
``seconds=N'', ``Nd'', ``Nw'', ``Nm'', or ``Ny'' respectively. Not
-specifying a value, or using ``-'' results in a key expiring in a
+specifying a value, or using ``\-'' results in a key expiring in a
reasonable default interval. The values ``never'', ``none'' can be
used for no expiration date.
-@item --generate-key
-@opindex generate-key
-@itemx --gen-key
-@opindex gen-key
+@item \-\-generate\-key
+@opindex generate\-key
+@itemx \-\-gen\-key
+@opindex gen\-key
Generate a new key pair using the current default parameters. This is
the standard command to create a new key. In addition to the key a
revocation certificate is created and stored in the
-@file{openpgp-revocs.d} directory below the GnuPG home directory.
+@file{openpgp\-revocs.d} directory below the GnuPG home directory.
-@item --full-generate-key
-@opindex full-generate-key
-@itemx --full-gen-key
-@opindex full-gen-key
+@item \-\-full\-generate\-key
+@opindex full\-generate\-key
+@itemx \-\-full\-gen\-key
+@opindex full\-gen\-key
Generate a new key pair with dialogs for all options. This is an
-extended version of @option{--generate-key}.
+extended version of @option{\-\-generate\-key}.
There is also a feature which allows you to create keys in batch
mode. See the manual section ``Unattended key generation'' on how
to use this.
-@item --generate-revocation @var{name}
-@opindex generate-revocation
-@itemx --gen-revoke @var{name}
-@opindex gen-revoke
+@item \-\-generate\-revocation @var{name}
+@opindex generate\-revocation
+@itemx \-\-gen\-revoke @var{name}
+@opindex gen\-revoke
Generate a revocation certificate for the complete key. To only revoke
-a subkey or a key signature, use the @option{--edit} command.
+a subkey or a key signature, use the @option{\-\-edit} command.
This command merely creates the revocation certificate so that it can
be used to revoke the key if that is ever needed. To actually revoke
a key the created revocation certificate needs to be merged with the
key to revoke. This is done by importing the revocation certificate
-using the @option{--import} command. Then the revoked key needs to be
+using the @option{\-\-import} command. Then the revoked key needs to be
published, which is best done by sending the key to a keyserver
-(command @option{--send-key}) and by exporting (@option{--export}) it
+(command @option{\-\-send\-key}) and by exporting (@option{\-\-export}) it
to a file which is then send to frequent communication partners.
-@item --generate-designated-revocation @var{name}
-@opindex generate-designated-revocation
-@itemx --desig-revoke @var{name}
-@opindex desig-revoke
+@item \-\-generate\-designated\-revocation @var{name}
+@opindex generate\-designated\-revocation
+@itemx \-\-desig\-revoke @var{name}
+@opindex desig\-revoke
Generate a designated revocation certificate for a key. This allows a
user (with the permission of the keyholder) to revoke someone else's
key.
-@item --edit-key
-@opindex edit-key
+@item \-\-edit\-key
+@opindex edit\-key
Present a menu which enables you to do most of the key management
related tasks. It expects the specification of a key on the command
line.
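Review bot: The `@opindex` lines in this hunk (`generate\-key`, `gen\-key`, `full\-generate\-key`, `gen\-revoke`, `edit\-key` and the rest) are index entries, so the escape changes the key that is listed and sorted in the option index while the option itself is already printed by the `@item` line. Suggest reverting the `@opindex` changes and limiting the substitution to `@item`, `@itemx` and `@option` text, or showing the generated index before and after.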
@@ -838,11 +838,11 @@ line.
@item sign
@opindex keyedit:sign
Make a signature on key of user @code{name}. If the key is not yet
- signed by the default user (or the users given with @option{-u}), the program
+ signed by the default user (or the users given with @option{\-u}), the program
displays the information of the key again, together with its
fingerprint and asks whether it should be signed. This question is
repeated for all users specified with
- @option{-u}.
+ @option{\-u}.
@item lsign
@opindex keyedit:lsign
@@ -861,7 +861,7 @@ line.
of certification (like a regular signature), and trust (like the
"trust" command). It is generally only useful in distinct communities
or groups. For more information please read the sections
- ``Trust Signature'' and ``Regular Expression'' in RFC-4880.
+ ``Trust Signature'' and ``Regular Expression'' in RFC\-4880.
@end table
@c man:.RS
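Review bot: `RFC\-4880` is a document designation with a plain hyphen, not a number, a man page cross reference or an option, so it falls outside the cases listed in the man-pages(7) text quoted in the commit message. Keep `RFC-4880`, and treat the `SHA\-1` and `trust\-db` changes in later hunks the same way, so the patch stays limited to option dashes.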
@@ -870,7 +870,7 @@ and "t" (for trust) may be freely mixed and prefixed to "sign" to
create a signature of any type desired.
@c man:.RE
-If the option @option{--only-sign-text-ids} is specified, then any
+If the option @option{\-\-only\-sign\-text\-ids} is specified, then any
non-text based user ids (e.g., photo IDs) will not be selected for
signing.
@@ -932,16 +932,16 @@ signing.
@opindex keyedit:keyserver
Set a preferred keyserver for the specified user ID(s). This allows
other users to know where you prefer they get your key from. See
- @option{--keyserver-options honor-keyserver-url} for more on how this
+ @option{\-\-keyserver\-options honor\-keyserver\-url} for more on how this
works. Setting a value of "none" removes an existing preferred
keyserver.
@item notation
@opindex keyedit:notation
Set a name=value notation for the specified user ID(s). See
- @option{--cert-notation} for more on how this works. Setting a value of
+ @option{\-\-cert\-notation} for more on how this works. Setting a value of
"none" removes all notations, setting a notation prefixed with a minus
- sign (-) removes that notation, and setting a notation name (without the
+ sign (\-) removes that notation, and setting a notation name (without the
=value) prefixed with a minus sign removes all notations with that name.
@item pref
@@ -953,7 +953,7 @@ signing.
@opindex keyedit:showpref
More verbose preferences listing for the selected user ID. This shows
the preferences in effect by including the implied preferences of 3DES
- (cipher), SHA-1 (digest), and Uncompressed (compression) if they are
+ (cipher), SHA\-1 (digest), and Uncompressed (compression) if they are
not already included in the preference list. In addition, the
preferred keyserver and signature notations (if any) are shown.
@@ -962,9 +962,9 @@ signing.
Set the list of user ID preferences to @var{string} for all (or just
the selected) user IDs. Calling setpref with no arguments sets the
preference list to the default (either built-in or set via
- @option{--default-preference-list}), and calling setpref with "none"
+ @option{\-\-default\-preference\-list}), and calling setpref with "none"
as the argument sets an empty preference list. Use @command{@gpgname
- --version} to get a list of available algorithms. Note that while you
+ \-\-version} to get a list of available algorithms. Note that while you
can change the preferences on an attribute user ID (aka "photo ID"),
GnuPG does not select keys via attribute user IDs so these preferences
will not be used by GnuPG.
@@ -1048,7 +1048,7 @@ signing.
@item trust
@opindex keyedit:trust
- Change the owner trust value for the key. This updates the trust-db
+ Change the owner trust value for the key. This updates the trust\-db
immediately and no save is required.
@item disable
@@ -1062,7 +1062,7 @@ signing.
@opindex keyedit:addrevoker
Add a designated revoker to the key. This takes one optional argument:
"sensitive". If a designated revoker is marked as sensitive, it will
- not be exported by default (see export-options).
+ not be exported by default (see export\-options).
@item passwd
@opindex keyedit:passwd
@@ -1086,8 +1086,8 @@ signing.
Make the key as small as possible. This removes all signatures from
each user ID except for the most recent self-signature.
- @item change-usage
- @opindex keyedit:change-usage
+ @item change\-usage
+ @opindex keyedit:change\-usage
Change the usage flags (capabilities) of the primary key or of
subkeys. These usage flags (e.g. Certify, Sign, Authenticate,
Encrypt) are set during key creation. Sometimes it is useful to
@@ -1095,12 +1095,12 @@ signing.
Authenticate) after they have been created. Please take care when
doing this; the allowed usage flags depend on the key algorithm.
- @item cross-certify
- @opindex keyedit:cross-certify
+ @item cross\-certify
+ @opindex keyedit:cross\-certify
Add cross-certification signatures to signing subkeys that may not
currently have them. Cross-certification signatures protect against a
subtle attack against signing subkeys. See
- @option{--require-cross-certification}. All new keys generated have
+ @option{\-\-require\-cross\-certification}. All new keys generated have
this signature by default, so this command is only useful to bring
older keys up to date.
@@ -1121,25 +1121,25 @@ user IDs are indicated by an asterisk. The trust
value is displayed with the primary key: "trust" is the assigned owner
trust and "validity" is the calculated validity of the key. Validity
values are also displayed for all user IDs.
-For possible values of trust, @pxref{trust-values}.
+For possible values of trust, @pxref{trust\-values}.
@c man:.RE
-@c ******** End Edit-key Options **********
+@c ******** End Edit\-key Options **********
-@item --sign-key @var{name}
-@opindex sign-key
+@item \-\-sign\-key @var{name}
+@opindex sign\-key
Signs a public key with your secret key. This is a shortcut version of
-the subcommand "sign" from @option{--edit-key}.
+the subcommand "sign" from @option{\-\-edit\-key}.
-@item --lsign-key @var{name}
-@opindex lsign-key
+@item \-\-lsign\-key @var{name}
+@opindex lsign\-key
Signs a public key with your secret key but marks it as
non-exportable. This is a shortcut version of the subcommand "lsign"
-from @option{--edit-key}.
+from @option{\-\-edit\-key}.
-@item --quick-sign-key @var{fpr} [@var{names}]
-@itemx --quick-lsign-key @var{fpr} [@var{names}]
-@opindex quick-sign-key
-@opindex quick-lsign-key
+@item \-\-quick\-sign\-key @var{fpr} [@var{names}]
+@itemx \-\-quick\-lsign\-key @var{fpr} [@var{names}]
+@opindex quick\-sign\-key
+@opindex quick\-lsign\-key
Directly sign a key from the passphrase without any further user
interaction. The @var{fpr} must be the verified primary fingerprint
of a key in the local keyring. If no @var{names} are given, all
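Review bot: The change to `@c ******** End Edit\-key Options **********` edits a Texinfo comment, which is never rendered, so it only adds noise to a diff that already touches 1307 lines; the commented-out `@c @item \-\-server` line earlier in the patch is the same case. Exclude `@c` lines from the substitution. `@pxref{trust\-values}` in this hunk also has to match its `@anchor` or `@node` definition exactly, which is not shown here.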
@@ -1148,47 +1148,47 @@ ids matching one of these names are signed. By default, or if a name
is prefixed with a '*', a case insensitive substring match is used.
If a name is prefixed with a '=' a case sensitive exact match is done.
-The command @option{--quick-lsign-key} marks the signatures as
+The command @option{\-\-quick\-lsign\-key} marks the signatures as
non-exportable. If such a non-exportable signature already exists the
-@option{--quick-sign-key} turns it into a exportable signature. If
+@option{\-\-quick\-sign\-key} turns it into a exportable signature. If
you need to update an existing signature, for example to add or change
-notation data, you need to use the option @option{--force-sign-key}.
+notation data, you need to use the option @option{\-\-force\-sign\-key}.
This command uses reasonable defaults and thus does not provide the
-full flexibility of the "sign" subcommand from @option{--edit-key}.
+full flexibility of the "sign" subcommand from @option{\-\-edit\-key}.
Its intended use is to help unattended key signing by utilizing a list
of verified fingerprints.
-@item --quick-add-uid @var{user-id} @var{new-user-id}
-@opindex quick-add-uid
+@item \-\-quick\-add\-uid @var{user-id} @var{new-user-id}
+@opindex quick\-add\-uid
This command adds a new user id to an existing key. In contrast to
-the interactive sub-command @code{adduid} of @option{--edit-key} the
+the interactive sub-command @code{adduid} of @option{\-\-edit\-key} the
@var{new-user-id} is added verbatim with only leading and trailing
-white space removed, it is expected to be UTF-8 encoded, and no checks
+white space removed, it is expected to be UTF\-8 encoded, and no checks
on its form are applied.
-@item --quick-revoke-uid @var{user-id} @var{user-id-to-revoke}
-@opindex quick-revoke-uid
+@item \-\-quick\-revoke\-uid @var{user-id} @var{user-id-to-revoke}
+@opindex quick\-revoke\-uid
This command revokes a user ID on an existing key. It cannot be used
to revoke the last user ID on key (some non-revoked user ID must
remain), with revocation reason ``User ID is no longer valid''. If
you want to specify a different revocation reason, or to supply
supplementary revocation text, you should use the interactive
-sub-command @code{revuid} of @option{--edit-key}.
+sub-command @code{revuid} of @option{\-\-edit\-key}.
-@item --quick-revoke-sig @var{fpr} @var{signing-fpr} [@var{names}]
-@opindex quick-revoke-sig
+@item \-\-quick\-revoke\-sig @var{fpr} @var{signing-fpr} [@var{names}]
+@opindex quick\-revoke\-sig
This command revokes the key signatures made by @var{signing-fpr} from
the key specified by the fingerprint @var{fpr}. With @var{names}
given only the signatures on user ids of the key matching any of the
-given names are affected (see @option{--quick-sign-key}). If a
+given names are affected (see @option{\-\-quick\-sign\-key}). If a
revocation already exists a notice is printed instead of creating a
new revocation; no error is returned in this case. Note that key
signature revocations may be superseded by a newer key signature and
in turn again revoked.
-@item --quick-set-primary-uid @var{user-id} @var{primary-user-id}
-@opindex quick-set-primary-uid
+@item \-\-quick\-set\-primary\-uid @var{user-id} @var{primary-user-id}
+@opindex quick\-set\-primary\-uid
This command sets or updates the primary user ID flag on an existing
key. @var{user-id} specifies the key and @var{primary-user-id} the
user ID which shall be flagged as the primary user ID. The primary
@@ -1196,14 +1196,14 @@ user ID flag is removed from all other user ids and the timestamp of
all affected self-signatures is set one second ahead.
-@item --change-passphrase @var{user-id}
-@opindex change-passphrase
-@itemx --passwd @var{user-id}
+@item \-\-change\-passphrase @var{user-id}
+@opindex change\-passphrase
+@itemx \-\-passwd @var{user-id}
@opindex passwd
Change the passphrase of the secret key belonging to the certificate
specified as @var{user-id}. This is a shortcut for the sub-command
-@code{passwd} of the @option{--edit-key} menu. When using together with the
-option @option{--dry-run} this will not actually change the passphrase
+@code{passwd} of the @option{\-\-edit\-key} menu. When using together with the
+option @option{\-\-dry\-run} this will not actually change the passphrase
but check that the current passphrase is correct.
@end table
@@ -1242,7 +1242,7 @@ every execution of gpg.
Please remember that option parsing stops as soon as a non-option is
encountered, you can explicitly stop parsing by using the special option
-@option{--}.
+@option{\-\-}.
@c *******************************************
@c ******** CONFIGURATION OPTIONS **********
@@ -1255,52 +1255,52 @@ are usually found in the option file.
@table @gnupgtabopt
-@item --default-key @var{name}
-@opindex default-key
+@item \-\-default\-key @var{name}
+@opindex default\-key
Use @var{name} as the default key to sign with. If this option is not
used, the default key is the first key found in the secret keyring.
-Note that @option{-u} or @option{--local-user} overrides this option.
+Note that @option{\-u} or @option{\-\-local\-user} overrides this option.
This option may be given multiple times. In this case, the last key
for which a secret key is available is used. If there is no secret
key available for any of the specified values, GnuPG will not emit an
error message but continue as if this option wasn't given.
-@item --default-recipient @var{name}
-@opindex default-recipient
-Use @var{name} as default recipient if option @option{--recipient} is
+@item \-\-default\-recipient @var{name}
+@opindex default\-recipient
+Use @var{name} as default recipient if option @option{\-\-recipient} is
not used and don't ask if this is a valid one. @var{name} must be
non-empty.
-@item --default-recipient-self
-@opindex default-recipient-self
-Use the default key as default recipient if option @option{--recipient} is not
+@item \-\-default\-recipient\-self
+@opindex default\-recipient\-self
+Use the default key as default recipient if option @option{\-\-recipient} is not
used and don't ask if this is a valid one. The default key is the first
-one from the secret keyring or the one set with @option{--default-key}.
+one from the secret keyring or the one set with @option{\-\-default\-key}.
-@item --no-default-recipient
-@opindex no-default-recipient
-Reset @option{--default-recipient} and @option{--default-recipient-self}.
+@item \-\-no\-default\-recipient
+@opindex no\-default\-recipient
+Reset @option{\-\-default\-recipient} and @option{\-\-default\-recipient\-self}.
Should not be used in an option file.
-@item -v, --verbose
+@item \-v, \-\-verbose
@opindex verbose
Give more information during processing. If used
twice, the input data is listed in detail.
-@item --no-verbose
-@opindex no-verbose
+@item \-\-no\-verbose
+@opindex no\-verbose
Reset verbose level to 0. Should not be used in an option file.
-@item -q, --quiet
+@item \-q, \-\-quiet
@opindex quiet
Try to be as quiet as possible. Should not be used in an option file.
-@item --batch
-@itemx --no-batch
+@item \-\-batch
+@itemx \-\-no\-batch
@opindex batch
-@opindex no-batch
+@opindex no\-batch
Use batch mode. Never ask, do not allow interactive commands.
-@option{--no-batch} disables this option. Note that even with a
+@option{\-\-no\-batch} disables this option. Note that even with a
filename given on the command line, gpg might still need to read from
STDIN (in particular if gpg figures that the input is a
detached signature and no data file has been specified). Thus if you
@@ -1308,186 +1308,186 @@ do not want to feed data via STDIN, you should connect STDIN to
@file{/dev/null}.
It is highly recommended to use this option along with the options
-@option{--status-fd} and @option{--with-colons} for any unattended use of
+@option{\-\-status\-fd} and @option{\-\-with\-colons} for any unattended use of
@command{gpg}. Should not be used in an option file.
-@item --no-tty
-@opindex no-tty
+@item \-\-no\-tty
+@opindex no\-tty
Make sure that the TTY (terminal) is never used for any output.
This option is needed in some cases because GnuPG sometimes prints
-warnings to the TTY even if @option{--batch} is used.
+warnings to the TTY even if @option{\-\-batch} is used.
-@item --yes
+@item \-\-yes
@opindex yes
Assume "yes" on most questions. Should not be used in an option file.
-@item --no
+@item \-\-no
@opindex no
Assume "no" on most questions. Should not be used in an option file.
-@item --list-options @var{parameters}
-@opindex list-options
+@item \-\-list\-options @var{parameters}
+@opindex list\-options
This is a space or comma delimited string that gives options used when
-listing keys and signatures (that is, @option{--list-keys},
-@option{--check-signatures}, @option{--list-public-keys},
-@option{--list-secret-keys}, and the @option{--edit-key} functions).
-Options can be prepended with a @option{no-} (after the two dashes) to
+listing keys and signatures (that is, @option{\-\-list\-keys},
+@option{\-\-check\-signatures}, @option{\-\-list\-public\-keys},
+@option{\-\-list\-secret\-keys}, and the @option{\-\-edit\-key} functions).
+Options can be prepended with a @option{no\-} (after the two dashes) to
give the opposite meaning. The options are:
@table @asis
- @item show-photos
- @opindex list-options:show-photos
- Causes @option{--list-keys}, @option{--check-signatures},
- @option{--list-public-keys}, and @option{--list-secret-keys} to
+ @item show\-photos
+ @opindex list\-options:show\-photos
+ Causes @option{\-\-list\-keys}, @option{\-\-check\-signatures},
+ @option{\-\-list\-public\-keys}, and @option{\-\-list\-secret\-keys} to
display any photo IDs attached to the key. Defaults to no. See also
- @option{--photo-viewer}. Does not work with @option{--with-colons}:
- see @option{--attribute-fd} for the appropriate way to get photo data
+ @option{\-\-photo\-viewer}. Does not work with @option{\-\-with\-colons}:
+ see @option{\-\-attribute\-fd} for the appropriate way to get photo data
for scripts and other frontends.
- @item show-usage
- @opindex list-options:show-usage
+ @item show\-usage
+ @opindex list\-options:show\-usage
Show usage information for keys and subkeys in the standard key
listing. This is a list of letters indicating the allowed usage for a
key (@code{E}=encryption, @code{S}=signing, @code{C}=certification,
@code{A}=authentication). Defaults to yes.
- @item show-policy-urls
- @opindex list-options:show-policy-urls
- Show policy URLs in the @option{--check-signatures}
+ @item show\-policy\-urls
+ @opindex list\-options:show\-policy\-urls
+ Show policy URLs in the @option{\-\-check\-signatures}
listings. Defaults to no.
- @item show-notations
- @itemx show-std-notations
- @itemx show-user-notations
- @opindex list-options:show-notations
- @opindex list-options:show-std-notations
- @opindex list-options:show-user-notations
- Show all, IETF standard, or user-defined signature notations in the
- @option{--check-signatures} listings. Defaults to no.
-
- @item show-keyserver-urls
- @opindex list-options:show-keyserver-urls
+ @item show\-notations
+ @itemx show\-std\-notations
+ @itemx show\-user\-notations
+ @opindex list\-options:show\-notations
+ @opindex list\-options:show\-std\-notations
+ @opindex list\-options:show\-user\-notations
+ Show all, IETF standard, or user\-defined signature notations in the
+ @option{\-\-check\-signatures} listings. Defaults to no.
+
+ @item show\-keyserver\-urls
+ @opindex list\-options:show\-keyserver\-urls
Show any preferred keyserver URL in the
- @option{--check-signatures} listings. Defaults to no.
+ @option{\-\-check\-signatures} listings. Defaults to no.
- @item show-uid-validity
- @opindex list-options:show-uid-validity
+ @item show\-uid\-validity
+ @opindex list\-options:show\-uid\-validity
Display the calculated validity of user IDs during key listings.
Defaults to yes.
- @item show-unusable-uids
- @opindex list-options:show-unusable-uids
+ @item show\-unusable\-uids
+ @opindex list\-options:show\-unusable\-uids
Show revoked and expired user IDs in key listings. Defaults to no.
- @item show-unusable-subkeys
- @opindex list-options:show-unusable-subkeys
+ @item show\-unusable\-subkeys
+ @opindex list\-options:show\-unusable\-subkeys
Show revoked and expired subkeys in key listings. Defaults to no.
- @item show-keyring
- @opindex list-options:show-keyring
+ @item show\-keyring
+ @opindex list\-options:show\-keyring
Display the keyring name at the head of key listings to show which
keyring a given key resides on. Defaults to no.
- @item show-sig-expire
- @opindex list-options:show-sig-expire
+ @item show\-sig\-expire
+ @opindex list\-options:show\-sig\-expire
Show signature expiration dates (if any) during
- @option{--check-signatures} listings. Defaults to no.
+ @option{\-\-check\-signatures} listings. Defaults to no.
- @item show-sig-subpackets
- @opindex list-options:show-sig-subpackets
+ @item show\-sig\-subpackets
+ @opindex list\-options:show\-sig\-subpackets
Include signature subpackets in the key listing. This option can take an
optional argument list of the subpackets to list. If no argument is
passed, list all subpackets. Defaults to no. This option is only
- meaningful when using @option{--with-colons} along with
- @option{--check-signatures}.
+ meaningful when using @option{\-\-with\-colons} along with
+ @option{\-\-check\-signatures}.
- @item show-only-fpr-mbox
- @opindex list-options:show-only-fpr-mbox
- For each user-id which has a valid mail address print
+ @item show\-only\-fpr\-mbox
+ @opindex list\-options:show\-only\-fpr\-mbox
+ For each user\-id which has a valid mail address print
only the fingerprint followed by the mail address.
- @item sort-sigs
- @opindex list-options:sort-sigs
- With --list-sigs and --check-sigs sort the signatures by keyID and
+ @item sort\-sigs
+ @opindex list\-options:sort\-sigs
+ With \-\-list\-sigs and \-\-check\-sigs sort the signatures by keyID and
creation time to make it easier to view the history of these
- signatures. The self-signature is also listed before other
+ signatures. The self\-signature is also listed before other
signatures. Defaults to yes.
@end table
-@item --verify-options @var{parameters}
-@opindex verify-options
+@item \-\-verify\-options @var{parameters}
+@opindex verify\-options
This is a space or comma delimited string that gives options used when
-verifying signatures. Options can be prepended with a `no-' to give
+verifying signatures. Options can be prepended with a `no\-' to give
the opposite meaning. The options are:
@table @asis
- @item show-photos
- @opindex verify-options:show-photos
+ @item show\-photos
+ @opindex verify\-options:show\-photos
Display any photo IDs present on the key that issued the signature.
- Defaults to no. See also @option{--photo-viewer}.
+ Defaults to no. See also @option{\-\-photo\-viewer}.
- @item show-policy-urls
- @opindex verify-options:show-policy-urls
+ @item show\-policy\-urls
+ @opindex verify\-options:show\-policy\-urls
Show policy URLs in the signature being verified. Defaults to yes.
- @item show-notations
- @itemx show-std-notations
- @itemx show-user-notations
- @opindex verify-options:show-notations
- @opindex verify-options:show-std-notations
- @opindex verify-options:show-user-notations
+ @item show\-notations
+ @itemx show\-std\-notations
+ @itemx show\-user\-notations
+ @opindex verify\-options:show\-notations
+ @opindex verify\-options:show\-std\-notations
+ @opindex verify\-options:show\-user\-notations
Show all, IETF standard, or user-defined signature notations in the
signature being verified. Defaults to IETF standard.
- @item show-keyserver-urls
- @opindex verify-options:show-keyserver-urls
+ @item show\-keyserver\-urls
+ @opindex verify\-options:show\-keyserver\-urls
Show any preferred keyserver URL in the signature being verified.
Defaults to yes.
- @item show-uid-validity
- @opindex verify-options:show-uid-validity
+ @item show\-uid\-validity
+ @opindex verify\-options:show\-uid\-validity
Display the calculated validity of the user IDs on the key that issued
the signature. Defaults to yes.
- @item show-unusable-uids
- @opindex verify-options:show-unusable-uids
+ @item show\-unusable\-uids
+ @opindex verify\-options:show\-unusable\-uids
Show revoked and expired user IDs during signature verification.
Defaults to no.
- @item show-primary-uid-only
- @opindex verify-options:show-primary-uid-only
+ @item show\-primary\-uid\-only
+ @opindex verify\-options:show\-primary\-uid\-only
Show only the primary user ID during signature verification. That is
all the AKA lines as well as photo Ids are not shown with the signature
verification status.
@end table
-@item --enable-large-rsa
-@itemx --disable-large-rsa
-@opindex enable-large-rsa
-@opindex disable-large-rsa
-With --generate-key and --batch, enable the creation of RSA secret keys as
+@item \-\-enable\-large\-rsa
+@itemx \-\-disable\-large\-rsa
+@opindex enable\-large\-rsa
+@opindex disable\-large\-rsa
+With \-\-generate\-key and \-\-batch, enable the creation of RSA secret keys as
large as 8192 bit. Note: 8192 bit is more than is generally
recommended. These large keys don't significantly improve security,
but they are more expensive to use, and their signatures and
certifications are larger. This option is only available if the
-binary was build with large-secmem support.
+binary was build with large\-secmem support.
-@item --enable-dsa2
-@itemx --disable-dsa2
-@opindex enable-dsa2
-@opindex disable-dsa2
+@item \-\-enable\-dsa2
+@itemx \-\-disable\-dsa2
+@opindex enable\-dsa2
+@opindex disable\-dsa2
Enable hash truncation for all DSA keys even for old DSA Keys up to
-1024 bit. This is also the default with @option{--openpgp}. Note
+1024 bit. This is also the default with @option{\-\-openpgp}. Note
that older versions of GnuPG also required this flag to allow the
generation of DSA larger than 1024 bit.
-@item --photo-viewer @var{string}
-@opindex photo-viewer
+@item \-\-photo\-viewer @var{string}
+@opindex photo\-viewer
This is the command line that should be run to view a photo ID. "%i"
will be expanded to a filename containing the photo. "%I" does the
same, except the file will not be deleted once the viewer exits.
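Review bot: `\-` is a roff escape, but doc/gpg.texi is Texinfo source, where a backslash is an ordinary character, so entries in this hunk such as `@item \-\-enable\-large\-rsa` and `@opindex verify\-options:show\-photos` will carry literal backslashes into the info and HTML renderings and into the option index. The man-pages(7) guideline quoted in the commit message is about man page source; consider producing `\-` in the Texinfo-to-man conversion step and leaving the .texi text as it was.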
@@ -1501,11 +1501,11 @@ and "%%" for an actual percent sign. If neither %i or %I are present,
then the photo will be supplied to the viewer on standard input.
On Unix the default viewer is
-@code{xloadimage -fork -quiet -title 'KeyID 0x%k' STDIN}
+@code{xloadimage \-fork \-quiet \-title 'KeyID 0x%k' STDIN}
with a fallback to
-@code{display -title 'KeyID 0x%k' %i}
+@code{display \-title 'KeyID 0x%k' %i}
and finally to
-@code{xdg-open %i}.
+@code{xdg\-open %i}.
On Windows
@code{!ShellExecute 400 %i} is used; here the command is a meta
command to use that API call followed by a wait time in milliseconds
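Review bot: The `@code{...}` contents changed in this hunk are literal command lines, and `xdg\-open` is a program name rather than an option, so the documented defaults no longer match the strings gpg actually runs. Since these are the values a reader compares against their own `--photo-viewer` setting, keep `@code{xloadimage -fork -quiet -title 'KeyID 0x%k' STDIN}`, `@code{display -title 'KeyID 0x%k' %i}` and `@code{xdg-open %i}` byte-exact.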
@@ -1513,59 +1513,59 @@ which is used to give the viewer time to read the temporary image file
before gpg deletes it again. Note that if your image viewer program
is not secure, then executing it from gpg does not make it secure.
-@item --exec-path @var{string}
-@opindex exec-path
+@item \-\-exec\-path @var{string}
+@opindex exec\-path
@efindex PATH
Sets a list of directories to search for photo viewers If not provided
photo viewers use the @code{PATH} environment variable.
-@item --keyring @var{file}
+@item \-\-keyring @var{file}
@opindex keyring
Add @var{file} to the current list of keyrings. If @var{file} begins
with a tilde and a slash, these are replaced by the $HOME directory. If
the filename does not contain a slash, it is assumed to be in the GnuPG
-home directory ("~/.gnupg" unless @option{--homedir} or $GNUPGHOME is
+home directory ("~/.gnupg" unless @option{\-\-homedir} or $GNUPGHOME is
used).
Note that this adds a keyring to the current list. If the intent is to
-use the specified keyring alone, use @option{--keyring} along with
-@option{--no-default-keyring}.
+use the specified keyring alone, use @option{\-\-keyring} along with
+@option{\-\-no\-default\-keyring}.
-If the option @option{--no-keyring} has been used no keyrings will
+If the option @option{\-\-no\-keyring} has been used no keyrings will
be used at all.
-Note that if the option @option{use-keyboxd} is enabled in
+Note that if the option @option{use\-keyboxd} is enabled in
@file{common.conf}, no keyrings are used at all and keys are all
maintained by the keyboxd process in its own database.
-@item --primary-keyring @var{file}
-@opindex primary-keyring
-This is a varian of @option{--keyring} and designates @var{file} as
+@item \-\-primary\-keyring @var{file}
+@opindex primary\-keyring
+This is a varian of @option{\-\-keyring} and designates @var{file} as
the primary public keyring. This means that newly imported keys (via
-@option{--import} or keyserver @option{--recv-from}) will go to this
+@option{\-\-import} or keyserver @option{\-\-recv\-from}) will go to this
keyring.
-@item --secret-keyring @var{file}
-@opindex secret-keyring
+@item \-\-secret\-keyring @var{file}
+@opindex secret\-keyring
This is an obsolete option and ignored. All secret keys are stored in
-the @file{private-keys-v1.d} directory below the GnuPG home directory.
+the @file{private\-keys\-v1.d} directory below the GnuPG home directory.
-@item --trustdb-name @var{file}
-@opindex trustdb-name
+@item \-\-trustdb\-name @var{file}
+@opindex trustdb\-name
Use @var{file} instead of the default trustdb. If @var{file} begins
with a tilde and a slash, these are replaced by the $HOME directory. If
the filename does not contain a slash, it is assumed to be in the GnuPG
-home directory (@file{~/.gnupg} if @option{--homedir} or $GNUPGHOME is
+home directory (@file{~/.gnupg} if @option{\-\-homedir} or $GNUPGHOME is
not used).
-@include opt-homedir.texi
+@include opt\-homedir.texi
-@item --display-charset @var{name}
-@opindex display-charset
+@item \-\-display\-charset @var{name}
+@opindex display\-charset
Set the name of the native character set. This is used to convert some
-informational strings like user IDs to the proper UTF-8 encoding.
+informational strings like user IDs to the proper UTF\-8 encoding.
Note that this has nothing to do with the character set of data to be
encrypted or signed; GnuPG does not recode user-supplied data. If this
option is not used, the default character set is determined from the
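Review bot: `@include opt\-homedir.texi` changes the name of the file being included rather than displayed text; the removed line shows the file is `opt-homedir.texi`, so the include will no longer resolve. Revert that line. `@file{private\-keys\-v1.d}` has the same problem in a milder form: it names an on-disk directory and should stay `private-keys-v1.d`.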
@@ -1575,102 +1575,102 @@ are:
@table @asis
- @item iso-8859-1
- @opindex display-charset:iso-8859-1
+ @item iso\-8859\-1
+ @opindex display\-charset:iso\-8859\-1
This is the Latin 1 set.
- @item iso-8859-2
- @opindex display-charset:iso-8859-2
+ @item iso\-8859\-2
+ @opindex display\-charset:iso\-8859\-2
The Latin 2 set.
- @item iso-8859-15
- @opindex display-charset:iso-8859-15
+ @item iso\-8859\-15
+ @opindex display\-charset:iso\-8859\-15
This is currently an alias for
the Latin 1 set.
- @item koi8-r
- @opindex display-charset:koi8-r
- The usual Russian set (RFC-1489).
+ @item koi8\-r
+ @opindex display\-charset:koi8\-r
+ The usual Russian set (RFC\-1489).
- @item utf-8
- @opindex display-charset:utf-8
+ @item utf\-8
+ @opindex display\-charset:utf\-8
Bypass all translations and assume
- that the OS uses native UTF-8 encoding.
+ that the OS uses native UTF\-8 encoding.
@end table
-@item --utf8-strings
-@itemx --no-utf8-strings
-@opindex utf8-strings
-Assume that command line arguments are given as UTF-8 strings. The
-default (@option{--no-utf8-strings}) is to assume that arguments are
+@item \-\-utf8\-strings
+@itemx \-\-no\-utf8\-strings
+@opindex utf8\-strings
+Assume that command line arguments are given as UTF\-8 strings. The
+default (@option{\-\-no\-utf8\-strings}) is to assume that arguments are
encoded in the character set as specified by
-@option{--display-charset}. These options affect all following
+@option{\-\-display\-charset}. These options affect all following
arguments. Both options may be used multiple times.
This option should not be used in an option file.
-This option has no effect on Windows. There the internal used UTF-8
+This option has no effect on Windows. There the internal used UTF\-8
encoding is translated for console input and output. The command line
-arguments are expected as Unicode and translated to UTF-8. Thus when
+arguments are expected as Unicode and translated to UTF\-8. Thus when
calling this program from another, make sure to use the Unicode
version of CreateProcess.
-@anchor{gpg-option --options}
-@item --options @var{file}
+@anchor{gpg\-option \-\-options}
+@item \-\-options @var{file}
@opindex options
Read options from @var{file} and do not try to read them from the
-default options file in the homedir (see @option{--homedir}). This
+default options file in the homedir (see @option{\-\-homedir}). This
option is ignored if used in an options file.
-@item --no-options
-@opindex no-options
-Shortcut for @option{--options /dev/null}. This option is detected
+@item \-\-no\-options
+@opindex no\-options
+Shortcut for @option{\-\-options /dev/null}. This option is detected
before an attempt to open an option file. Using this option will also
prevent the creation of a @file{~/.gnupg} homedir.
-@item -z @var{n}
-@itemx --compress-level @var{n}
-@itemx --bzip2-compress-level @var{n}
-@opindex compress-level
-@opindex bzip2-compress-level
+@item \-z @var{n}
+@itemx \-\-compress\-level @var{n}
+@itemx \-\-bzip2\-compress\-level @var{n}
+@opindex compress\-level
+@opindex bzip2\-compress\-level
Set compression level to @var{n} for the ZIP and ZLIB compression
algorithms. The default is to use the default compression level of zlib
-(normally 6). @option{--bzip2-compress-level} sets the compression level
+(normally 6). @option{\-\-bzip2\-compress\-level} sets the compression level
for the BZIP2 compression algorithm (defaulting to 6 as well). This is a
-different option from @option{--compress-level} since BZIP2 uses a
+different option from @option{\-\-compress\-level} since BZIP2 uses a
significant amount of memory for each additional compression level.
-@option{-z} sets both. A value of 0 for @var{n} disables compression.
+@option{\-z} sets both. A value of 0 for @var{n} disables compression.
-@item --bzip2-decompress-lowmem
-@opindex bzip2-decompress-lowmem
+@item \-\-bzip2\-decompress\-lowmem
+@opindex bzip2\-decompress\-lowmem
Use a different decompression method for BZIP2 compressed files. This
alternate method uses a bit more than half the memory, but also runs
at half the speed. This is useful under extreme low memory
circumstances when the file was originally compressed at a high
-@option{--bzip2-compress-level}.
+@option{\-\-bzip2\-compress\-level}.
-@item --mangle-dos-filenames
-@itemx --no-mangle-dos-filenames
-@opindex mangle-dos-filenames
-@opindex no-mangle-dos-filenames
+@item \-\-mangle\-dos\-filenames
+@itemx \-\-no\-mangle\-dos\-filenames
+@opindex mangle\-dos\-filenames
+@opindex no\-mangle\-dos\-filenames
Older version of Windows cannot handle filenames with more than one
-dot. @option{--mangle-dos-filenames} causes GnuPG to replace (rather
+dot. @option{\-\-mangle\-dos\-filenames} causes GnuPG to replace (rather
than add to) the extension of an output filename to avoid this
problem. This option is off by default and has no effect on non-Windows
platforms.
-@item --ask-cert-level
-@itemx --no-ask-cert-level
-@opindex ask-cert-level
+@item \-\-ask\-cert\-level
+@itemx \-\-no\-ask\-cert\-level
+@opindex ask\-cert\-level
When making a key signature, prompt for a certification level. If this
option is not specified, the certification level used is set via
-@option{--default-cert-level}. See @option{--default-cert-level} for
+@option{\-\-default\-cert\-level}. See @option{\-\-default\-cert\-level} for
information on the specific levels and how they are
-used. @option{--no-ask-cert-level} disables this option. This option
+used. @option{\-\-no\-ask\-cert\-level} disables this option. This option
defaults to no.
-@item --default-cert-level @var{n}
-@opindex default-cert-level
+@item \-\-default\-cert\-level @var{n}
+@opindex default\-cert\-level
The default to use for the check level when signing a key.
0 means you make no particular claim as to how carefully you verified
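Review bot: `@anchor{gpg\-option \-\-options}` renames a cross-reference target, not rendered text, so any `@ref` or `@xref` that still points at `gpg-option --options` will dangle after this change. Anchor names should be excluded from the substitution, or every reference to them updated in the same commit.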
@@ -1699,15 +1699,15 @@ and "extensive" mean to you.
This option defaults to 0 (no particular claim).
-@item --min-cert-level
-@opindex min-cert-level
+@item \-\-min\-cert\-level
+@opindex min\-cert\-level
When building the trust database, treat any signatures with a
certification level below this as invalid. Defaults to 2, which
disregards level 1 signatures. Note that level 0 "no particular
claim" signatures are always accepted.
-@item --trusted-key @var{long key ID or fingerprint}
-@opindex trusted-key
+@item \-\-trusted\-key @var{long key ID or fingerprint}
+@opindex trusted\-key
Assume that the specified key (which should be given as fingerprint)
is as trustworthy as one of your own secret keys. This option is
useful if you don't want to keep your secret keys (or one of them)
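Review bot: The `@item \-\-min\-cert\-level` line is being rewritten but still lacks its argument, although the description says it "Defaults to 2" and the neighbouring `--default-cert-level @var{n}` entry documents one. If the line is touched anyway, add `@var{n}` so the synopsis matches the text.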
@@ -1716,25 +1716,25 @@ recipient's or signator's key. If the given key is not locally
available but an LDAP keyserver is configured the missing key is
imported from that server.
-@item --trust-model @{pgp|classic|tofu|tofu+pgp|direct|always|auto@}
-@opindex trust-model
+@item \-\-trust\-model @{pgp|classic|tofu|tofu+pgp|direct|always|auto@}
+@opindex trust\-model
Set what trust model GnuPG should follow. The models are:
@table @asis
@item pgp
- @opindex trust-model:pgp
+ @opindex trust\-model:pgp
This is the Web of Trust combined with trust signatures as used in PGP
5.x and later. This is the default trust model when creating a new
trust database.
@item classic
- @opindex trust-model:classic
+ @opindex trust\-model:classic
This is the standard Web of Trust as introduced by PGP 2.
@item tofu
- @opindex trust-model:tofu
- @anchor{trust-model-tofu}
+ @opindex trust\-model:tofu
+ @anchor{trust\-model\-tofu}
TOFU stands for Trust On First Use. In this trust model, the first
time a key is seen, it is memorized. If later another key with a
user id with the same email address is seen, both keys are marked as
@@ -1766,12 +1766,12 @@ Set what trust model GnuPG should follow. The models are:
In the TOFU model, policies are associated with bindings between
keys and email addresses (which are extracted from user ids and
normalized). There are five policies, which can be set manually
- using the @option{--tofu-policy} option. The default policy can be
- set using the @option{--tofu-default-policy} option.
+ using the @option{\-\-tofu\-policy} option. The default policy can be
+ set using the @option{\-\-tofu\-default\-policy} option.
The TOFU policies are: @code{auto}, @code{good}, @code{unknown},
@code{bad} and @code{ask}. The @code{auto} policy is used by
- default (unless overridden by @option{--tofu-default-policy}) and
+ default (unless overridden by @option{\-\-tofu\-default\-policy}) and
marks a binding as marginally trusted. The @code{good},
@code{unknown} and @code{bad} policies mark a binding as fully
trusted, as having unknown trust or as having trust never,
@@ -1783,20 +1783,20 @@ Set what trust model GnuPG should follow. The models are:
@code{undefined} trust level is returned.
@item tofu+pgp
- @opindex trust-model:tofu+pgp
+ @opindex trust\-model:tofu+pgp
This trust model combines TOFU with the Web of Trust. This is done
by computing the trust level for each model and then taking the
maximum trust level where the trust levels are ordered as follows:
@code{unknown < undefined < marginal < fully < ultimate < expired <
never}.
- By setting @option{--tofu-default-policy=unknown}, this model can be
+ By setting @option{\-\-tofu\-default\-policy=unknown}, this model can be
used to implement the web of trust with TOFU's conflict detection
algorithm, but without its assignment of positive trust values,
which some security-conscious users don't like.
@item direct
- @opindex trust-model:direct
+ @opindex trust\-model:direct
Key validity is set directly by the user and not calculated via the
Web of Trust. This model is solely based on the key and does
not distinguish user IDs. Note that when changing to another trust
@@ -1805,7 +1805,7 @@ Set what trust model GnuPG should follow. The models are:
the key to sign other keys.
@item always
- @opindex trust-model:always
+ @opindex trust\-model:always
Skip key validation and assume that used keys are always fully
valid. You generally won't use this unless you are using some
external validation scheme. This option also suppresses the
@@ -1815,7 +1815,7 @@ Set what trust model GnuPG should follow. The models are:
disabled keys.
@item auto
- @opindex trust-model:auto
+ @opindex trust\-model:auto
Select the trust model depending on whatever the internal trust
database says. This is the default model if such a database already
exists. Note that a tofu trust model is not considered here and
@@ -1823,9 +1823,9 @@ Set what trust model GnuPG should follow. The models are:
@end table
-@item --auto-key-locate @var{mechanisms}
-@itemx --no-auto-key-locate
-@opindex auto-key-locate
+@item \-\-auto\-key\-locate @var{mechanisms}
+@itemx \-\-no\-auto\-key\-locate
+@opindex auto\-key\-locate
GnuPG can automatically locate and retrieve keys as needed using this
option. This happens when encrypting to an email address (in the
"user@@example.com" form), and there are no "user@@example.com" keys
@@ -1833,17 +1833,17 @@ on the local keyring. This option takes any number of the mechanisms
listed below, in the order they are to be tried. Instead of listing
the mechanisms as comma delimited arguments, the option may also be
given several times to add more mechanism. The option
-@option{--no-auto-key-locate} or the mechanism "clear" resets the
+@option{\-\-no\-auto\-key\-locate} or the mechanism "clear" resets the
list. The default is "local,wkd".
@table @asis
@item cert
- Locate a key using DNS CERT, as specified in RFC-4398.
+ Locate a key using DNS CERT, as specified in RFC\-4398.
@item dane
Locate a key using DANE, as specified
- in draft-ietf-dane-openpgpkey-05.txt.
+ in draft\-ietf\-dane\-openpgpkey\-05.txt.
@item wkd
Locate a key using the Web Key Directory protocol.
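Review bot: `RFC\-4398` is a prose hyphen in a document name, not an option dash or a numeric minus, so it falls outside the cases listed in the guideline quoted in the commit message. Other prose hyphens in the file ("user-defined", "security-conscious", "non-Windows") are left alone, which suggests the replacement was applied by pattern rather than by meaning; please state the rule used and apply it consistently.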
@@ -1856,30 +1856,30 @@ list. The default is "local,wkd".
@item ntds
Locate the key using the Active Directory (Windows only). This
method also allows to search by fingerprint using the command
- @option{--locate-external-key}. Note that this mechanism is
+ @option{\-\-locate\-external\-key}. Note that this mechanism is
actually a shortcut for the mechanism @samp{keyserver} but using
"ldap:///" as the keyserver.
@item keyserver
Locate a key using a keyserver. This method also allows to search
- by fingerprint using the command @option{--locate-external-key} if
+ by fingerprint using the command @option{\-\-locate\-external\-key} if
any of the configured keyservers is an LDAP server.
- @item keyserver-URL
+ @item keyserver\-URL
In addition, a keyserver URL as used in the @command{dirmngr}
configuration may be used here to query that particular keyserver.
This method also allows to search by fingerprint using the command
- @option{--locate-external-key} if the URL specifies an LDAP server.
+ @option{\-\-locate\-external\-key} if the URL specifies an LDAP server.
@item local
Locate the key using the local keyrings. This mechanism allows the user to
select the order a local key lookup is done. Thus using
- @samp{--auto-key-locate local} is identical to
- @option{--no-auto-key-locate}.
+ @samp{\-\-auto\-key\-locate local} is identical to
+ @option{\-\-no\-auto\-key\-locate}.
@item nodefault
This flag disables the standard local key lookup, done before any of the
- mechanisms defined by the @option{--auto-key-locate} are tried. The
+ mechanisms defined by the @option{\-\-auto\-key\-locate} are tried. The
position of this mechanism in the list does not matter. It is not
required if @code{local} is also used.
@@ -1892,45 +1892,45 @@ list. The default is "local,wkd".
@end table
-@item --auto-key-import
-@itemx --no-auto-key-import
-@opindex auto-key-import
-@opindex no-auto-key-import
+@item \-\-auto\-key\-import
+@itemx \-\-no\-auto\-key\-import
+@opindex auto\-key\-import
+@opindex no\-auto\-key\-import
This is an offline mechanism to get a missing key for signature
verification and for later encryption to this key. If this option is
enabled and a signature includes an embedded key, that key is
used to verify the signature and on verification success the key is
-imported. The default is @option{--no-auto-key-import}.
+imported. The default is @option{\-\-no\-auto\-key\-import}.
-On the sender (signing) site the option @option{--include-key-block}
+On the sender (signing) site the option @option{\-\-include\-key\-block}
needs to be used to put the public part of the signing key as “Key
Block subpacket” into the signature.
-@item --auto-key-retrieve
-@itemx --no-auto-key-retrieve
-@opindex auto-key-retrieve
-@opindex no-auto-key-retrieve
+@item \-\-auto\-key\-retrieve
+@itemx \-\-no\-auto\-key\-retrieve
+@opindex auto\-key\-retrieve
+@opindex no\-auto\-key\-retrieve
These options enable or disable the automatic retrieving of keys from
a keyserver when verifying signatures made by keys that are not on the
-local keyring. The default is @option{--no-auto-key-retrieve}.
+local keyring. The default is @option{\-\-no\-auto\-key\-retrieve}.
The order of methods tried to lookup the key is:
-1. If the option @option{--auto-key-import} is set and the signatures
+1. If the option @option{\-\-auto\-key\-import} is set and the signatures
includes an embedded key, that key is used to verify the signature and
on verification success that key is imported.
2. If a preferred keyserver is specified in the signature and the
-option @option{honor-keyserver-url} is active (which is not the
+option @option{honor\-keyserver\-url} is active (which is not the
default), that keyserver is tried. Note that the creator of the
-signature uses the option @option{--sig-keyserver-url} to specify the
+signature uses the option @option{\-\-sig\-keyserver\-url} to specify the
preferred keyserver for data signatures.
3. If the signature has the Signer's UID set (e.g. using
-@option{--sender} while creating the signature) a Web Key Directory
+@option{\-\-sender} while creating the signature) a Web Key Directory
(WKD) lookup is done. This is the default configuration but can be
-disabled by removing WKD from the auto-key-locate list or by using the
-option @option{--disable-signer-uid}.
+disabled by removing WKD from the auto\-key\-locate list or by using the
+option @option{\-\-disable\-signer\-uid}.
4. If any keyserver is configured and the Issuer Fingerprint is part
of the signature (since GnuPG 2.1.16), the configured keyservers are
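Review bot: In step 3, "removing WKD from the auto\-key\-locate list" now escapes an option name that is written as bare prose, without `@option{}` and without its leading dashes, unlike `@option{\-\-disable\-signer\-uid}` on the next line. Mark it up as `@option{--auto-key-locate}` so it is searchable in the same form as every other option reference in this hunk.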
@@ -1943,22 +1943,22 @@ you naturally will not have on your local keyring), the operator can
tell both your IP address and the time when you verified the
signature.
-@item --keyid-format @{none|short|0xshort|long|0xlong@}
-@opindex keyid-format
+@item \-\-keyid\-format @{none|short|0xshort|long|0xlong@}
+@opindex keyid\-format
Select how to display key IDs. "none" does not show the key ID at all
but shows the fingerprint in a separate line. "short" is the
traditional 8-character key ID. "long" is the more accurate (but less
convenient) 16-character key ID. Add an "0x" to either to include an
"0x" at the beginning of the key ID, as in 0x99242560. Note that this
-option is ignored if the option @option{--with-colons} is used.
+option is ignored if the option @option{\-\-with\-colons} is used.
-@item --keyserver @var{name}
+@item \-\-keyserver @var{name}
@opindex keyserver
-This option is deprecated - please use the @option{--keyserver} in
+This option is deprecated - please use the @option{\-\-keyserver} in
@file{dirmngr.conf} instead.
Use @var{name} as your keyserver. This is the server that
-@option{--receive-keys}, @option{--send-keys}, and @option{--search-keys}
+@option{\-\-receive\-keys}, @option{\-\-send\-keys}, and @option{\-\-search\-keys}
will communicate with to receive keys from, send keys to, and search for
keys on. The format of the @var{name} is a URI:
`scheme:[//]keyservername[:port]' The scheme is the type of keyserver:
@@ -1972,19 +1972,19 @@ need to send keys to more than one server. The keyserver
@code{hkp://keys.gnupg.net} uses round robin DNS to give a different
keyserver each time you use it.
-@item --keyserver-options @{@var{name}=@var{value}@}
-@opindex keyserver-options
+@item \-\-keyserver\-options @{@var{name}=@var{value}@}
+@opindex keyserver\-options
This is a space or comma delimited string that gives options for the
-keyserver. Options can be prefixed with a `no-' to give the opposite
+keyserver. Options can be prefixed with a `no\-' to give the opposite
meaning. Valid import-options or export-options may be used here as
-well to apply to importing (@option{--recv-key}) or exporting
-(@option{--send-key}) a key from a keyserver. While not all options
+well to apply to importing (@option{\-\-recv\-key}) or exporting
+(@option{\-\-send\-key}) a key from a keyserver. While not all options
are available for all keyserver types, some common options are:
@table @asis
- @item include-revoked
- When searching for a key with @option{--search-keys}, include keys that
+ @item include\-revoked
+ When searching for a key with @option{\-\-search\-keys}, include keys that
are marked on the keyserver as revoked. Note that not all keyservers
differentiate between revoked and unrevoked keys, and for such
keyservers this option is meaningless. Note also that most keyservers do
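Review bot: "Valid import-options or export-options may be used here" is left unescaped while the surrounding option names (`no\-`, `\-\-recv\-key`, `\-\-send\-key`) are all converted, so the paragraph is now inconsistent under the commit's own rule. Either treat these two as option names and handle them like the rest, or note in the commit message why they are exempt.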
@@ -1992,67 +1992,67 @@ are available for all keyserver types, some common options are:
this option off may result in skipping keys that are incorrectly marked
as revoked.
- @item include-disabled
- When searching for a key with @option{--search-keys}, include keys that
+ @item include\-disabled
+ When searching for a key with @option{\-\-search\-keys}, include keys that
are marked on the keyserver as disabled. Note that this option is not
used with HKP keyservers.
- @item auto-key-retrieve
- This is an obsolete alias for the option @option{auto-key-retrieve}.
+ @item auto\-key\-retrieve
+ This is an obsolete alias for the option @option{auto\-key\-retrieve}.
Please do not use it; it will be removed in future versions..
- @item honor-keyserver-url
- When using @option{--refresh-keys}, if the key in question has a preferred
+ @item honor\-keyserver\-url
+ When using @option{\-\-refresh\-keys}, if the key in question has a preferred
keyserver URL, then use that preferred keyserver to refresh the key
- from. In addition, if auto-key-retrieve is set, and the signature
+ from. In addition, if auto\-key\-retrieve is set, and the signature
being verified has a preferred keyserver URL, then use that preferred
keyserver to fetch the key from. Note that this option introduces a
"web bug": The creator of the key can see when the keys is
refreshed. Thus this option is not enabled by default.
- @item include-subkeys
+ @item include\-subkeys
When receiving a key, include subkeys as potential targets. Note that
this option is not used with HKP keyservers, as they do not support
retrieving keys by subkey id.
@item timeout
- @itemx http-proxy=@var{value}
+ @itemx http\-proxy=@var{value}
@itemx verbose
@itemx debug
- @itemx check-cert
- @item ca-cert-file
+ @itemx check\-cert
+ @item ca\-cert\-file
These options have no more function since GnuPG 2.1. Use the
@code{dirmngr} configuration options instead.
@end table
-The default list of options is: "self-sigs-only, import-clean,
-repair-keys, repair-pks-subkey-bug, export-attributes". However, if
-the actual used source is an LDAP server "no-self-sigs-only" is
-assumed unless "self-sigs-only" has been explictly configured.
+The default list of options is: "self\-sigs\-only, import\-clean,
+repair\-keys, repair\-pks\-subkey\-bug, export\-attributes". However, if
+the actual used source is an LDAP server "no\-self\-sigs\-only" is
+assumed unless "self\-sigs\-only" has been explictly configured.
-@item --completes-needed @var{n}
-@opindex compliant-needed
+@item \-\-completes\-needed @var{n}
+@opindex compliant\-needed
Number of completely trusted users to introduce a new
key signer (defaults to 1).
-@item --marginals-needed @var{n}
-@opindex marginals-needed
+@item \-\-marginals\-needed @var{n}
+@opindex marginals\-needed
Number of marginally trusted users to introduce a new
key signer (defaults to 3)
-@item --tofu-default-policy @{auto|good|unknown|bad|ask@}
-@opindex tofu-default-policy
+@item \-\-tofu\-default\-policy @{auto|good|unknown|bad|ask@}
+@opindex tofu\-default\-policy
The default TOFU policy (defaults to @code{auto}). For more
-information about the meaning of this option, @pxref{trust-model-tofu}.
+information about the meaning of this option, @pxref{trust\-model\-tofu}.
-@item --max-cert-depth @var{n}
-@opindex max-cert-depth
+@item \-\-max\-cert\-depth @var{n}
+@opindex max\-cert\-depth
Maximum depth of a certification chain (default is 5).
-@item --no-sig-cache
-@opindex no-sig-cache
+@item \-\-no\-sig\-cache
+@opindex no\-sig\-cache
Do not cache the verification status of key signatures.
Caching gives a much better performance in key listings. However, if
you suspect that your public keyring is not safe against write
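Review bot: `@opindex compliant\-needed` sits under `@item \-\-completes\-needed @var{n}`, so the index entry for this option is filed under the wrong name, and the patch carries the mismatch forward. Change it to `completes-needed` while the line is being edited. In the same hunk, `@option{auto\-key\-retrieve}` in the "obsolete alias" entry is missing its leading dashes, and `@item ca\-cert\-file` should be `@itemx` to stay in the group above it.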
@@ -2060,134 +2060,134 @@ modifications, you can use this option to disable the caching. It
probably does not make sense to disable it because all kind of damage
can be done if someone else has write access to your public keyring.
-@item --auto-check-trustdb
-@itemx --no-auto-check-trustdb
-@opindex auto-check-trustdb
+@item \-\-auto\-check\-trustdb
+@itemx \-\-no\-auto\-check\-trustdb
+@opindex auto\-check\-trustdb
If GnuPG feels that its information about the Web of Trust has to be
-updated, it automatically runs the @option{--check-trustdb} command
+updated, it automatically runs the @option{\-\-check\-trustdb} command
internally. This may be a time consuming
-process. @option{--no-auto-check-trustdb} disables this option.
+process. @option{\-\-no\-auto\-check\-trustdb} disables this option.
-@item --use-agent
-@itemx --no-use-agent
-@opindex use-agent
+@item \-\-use\-agent
+@itemx \-\-no\-use\-agent
+@opindex use\-agent
This is dummy option. @command{@gpgname} always requires the agent.
-@item --gpg-agent-info
-@opindex gpg-agent-info
+@item \-\-gpg\-agent\-info
+@opindex gpg\-agent\-info
This is dummy option. It has no effect when used with @command{@gpgname}.
-@item --agent-program @var{file}
-@opindex agent-program
+@item \-\-agent\-program @var{file}
+@opindex agent\-program
Specify an agent program to be used for secret key operations. The
default value is determined by running @command{gpgconf} with the
-option @option{--list-dirs}. Note that the pipe symbol (@code{|}) is
+option @option{\-\-list\-dirs}. Note that the pipe symbol (@code{|}) is
used for a regression test suite hack and may thus not be used in the
file name.
-@item --dirmngr-program @var{file}
-@opindex dirmngr-program
+@item \-\-dirmngr\-program @var{file}
+@opindex dirmngr\-program
Specify a dirmngr program to be used for keyserver access. The
default value is @file{@value{BINDIR}/dirmngr}.
-@item --disable-dirmngr
+@item \-\-disable\-dirmngr
Entirely disable the use of the Dirmngr.
-@item --no-autostart
-@opindex no-autostart
-Do not start the gpg-agent or the dirmngr if it has not yet been
+@item \-\-no\-autostart
+@opindex no\-autostart
+Do not start the gpg\-agent or the dirmngr if it has not yet been
started and its service is required. This option is mostly useful on
-machines where the connection to gpg-agent has been redirected to
+machines where the connection to gpg\-agent has been redirected to
another machines. If dirmngr is required on the remote machine, it
-may be started manually using @command{gpgconf --launch dirmngr}.
+may be started manually using @command{gpgconf \-\-launch dirmngr}.
-@item --lock-once
-@opindex lock-once
+@item \-\-lock\-once
+@opindex lock\-once
Lock the databases the first time a lock is requested
and do not release the lock until the process
terminates.
-@item --lock-multiple
-@opindex lock-multiple
+@item \-\-lock\-multiple
+@opindex lock\-multiple
Release the locks every time a lock is no longer
-needed. Use this to override a previous @option{--lock-once}
+needed. Use this to override a previous @option{\-\-lock\-once}
from a config file.
-@item --lock-never
-@opindex lock-never
+@item \-\-lock\-never
+@opindex lock\-never
Disable locking entirely. This option should be used only in very
special environments, where it can be assured that only one process
is accessing those files. A bootable floppy with a stand-alone
encryption system will probably use this. Improper usage of this
option may lead to data and key corruption.
-@item --exit-on-status-write-error
-@opindex exit-on-status-write-error
+@item \-\-exit\-on\-status\-write\-error
+@opindex exit\-on\-status\-write\-error
This option will cause write errors on the status FD to immediately
terminate the process. That should in fact be the default but it never
worked this way and thus we need an option to enable this, so that the
change won't break applications which close their end of a status fd
connected pipe too early. Using this option along with
-@option{--enable-progress-filter} may be used to cleanly cancel long
+@option{\-\-enable\-progress\-filter} may be used to cleanly cancel long
running gpg operations.
-@item --limit-card-insert-tries @var{n}
-@opindex limit-card-insert-tries
+@item \-\-limit\-card\-insert\-tries @var{n}
+@opindex limit\-card\-insert\-tries
With @var{n} greater than 0 the number of prompts asking to insert a
-smartcard gets limited to N-1. Thus with a value of 1 gpg won't at
+smartcard gets limited to N\-1. Thus with a value of 1 gpg won't at
all ask to insert a card if none has been inserted at startup. This
option is useful in the configuration file in case an application does
not know about the smartcard support and waits ad infinitum for an
inserted card.
-@item --no-random-seed-file
-@opindex no-random-seed-file
+@item \-\-no\-random\-seed\-file
+@opindex no\-random\-seed\-file
GnuPG uses a file to store its internal random pool over invocations.
This makes random generation faster; however sometimes write operations
are not desired. This option can be used to achieve that with the cost of
slower random generation.
-@item --no-greeting
-@opindex no-greeting
+@item \-\-no\-greeting
+@opindex no\-greeting
Suppress the initial copyright message.
-@item --no-secmem-warning
-@opindex no-secmem-warning
+@item \-\-no\-secmem\-warning
+@opindex no\-secmem\-warning
Suppress the warning about "using insecure memory".
-@item --no-permission-warning
-@opindex permission-warning
-Suppress the warning about unsafe file and home directory (@option{--homedir})
+@item \-\-no\-permission\-warning
+@opindex permission\-warning
+Suppress the warning about unsafe file and home directory (@option{\-\-homedir})
permissions. Note that the permission checks that GnuPG performs are
not intended to be authoritative, but rather they simply warn about
certain common permission problems. Do not assume that the lack of a
warning means that your system is secure.
-Note that the warning for unsafe @option{--homedir} permissions cannot be
+Note that the warning for unsafe @option{\-\-homedir} permissions cannot be
suppressed in the gpg.conf file, as this would allow an attacker to
place an unsafe gpg.conf file in place, and use this file to suppress
-warnings about itself. The @option{--homedir} permissions warning may only be
+warnings about itself. The @option{\-\-homedir} permissions warning may only be
suppressed on the command line.
-@item --require-secmem
-@itemx --no-require-secmem
-@opindex require-secmem
+@item \-\-require\-secmem
+@itemx \-\-no\-require\-secmem
+@opindex require\-secmem
Refuse to run if GnuPG cannot get secure memory. Defaults to no
(i.e. run, but give a warning).
-@item --require-cross-certification
-@itemx --no-require-cross-certification
-@opindex require-cross-certification
+@item \-\-require\-cross\-certification
+@itemx \-\-no\-require\-cross\-certification
+@opindex require\-cross\-certification
When verifying a signature made from a subkey, ensure that the cross
certification "back signature" on the subkey is present and valid. This
protects against a subtle attack against subkeys that can sign.
-Defaults to @option{--require-cross-certification} for
+Defaults to @option{\-\-require\-cross\-certification} for
@command{@gpgname}.
-@item --expert
-@itemx --no-expert
+@item \-\-expert
+@itemx \-\-no\-expert
@opindex expert
Allow the user to do certain nonsensical or "silly" things like
signing an expired or revoked key, or certain potentially incompatible
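Review bot: the @opindex lines in this hunk (for example @opindex agent\-program, @opindex lock\-once, @opindex no\-autostart) now carry \-, but this file is Texinfo, where a backslash is an ordinary character, so the option index of the info and HTML output would list the entries with literal backslashes. \- is roff syntax and only means something after conversion to a man page. Suggest leaving the @opindex lines untouched and doing the substitution in the Texinfo-to-man conversion step. The same concern applies to the @item and @option lines. Separately, @opindex permission\-warning under @item \-\-no\-permission\-warning is missing the no\- prefix that the neighbouring entries (no\-secmem\-warning, no\-greeting) have; that predates this patch but the line is being rewritten anyway.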
@@ -2195,7 +2195,7 @@ things like generating unusual key types. This also disables certain
warning messages about potentially incompatible actions. As the name
implies, this option is for experts only. If you don't fully
understand the implications of what it allows you to do, leave this
-off. @option{--no-expert} disables this option.
+off. @option{\-\-no\-expert} disables this option.
@end table
@@ -2208,66 +2208,66 @@ off. @option{--no-expert} disables this option.
@table @gnupgtabopt
-@item --recipient @var{name}
-@itemx -r
+@item \-\-recipient @var{name}
+@itemx \-r
@opindex recipient
Encrypt for user id @var{name}. If this option or
-@option{--hidden-recipient} is not specified, GnuPG asks for the user-id
-unless @option{--default-recipient} is given.
+@option{\-\-hidden\-recipient} is not specified, GnuPG asks for the user-id
+unless @option{\-\-default\-recipient} is given.
-@item --hidden-recipient @var{name}
-@itemx -R
-@opindex hidden-recipient
+@item \-\-hidden\-recipient @var{name}
+@itemx \-R
+@opindex hidden\-recipient
Encrypt for user ID @var{name}, but hide the key ID of this user's
key. This option helps to hide the receiver of the message and is a
limited countermeasure against traffic analysis. If this option or
-@option{--recipient} is not specified, GnuPG asks for the user ID unless
-@option{--default-recipient} is given.
+@option{\-\-recipient} is not specified, GnuPG asks for the user ID unless
+@option{\-\-default\-recipient} is given.
-@item --recipient-file @var{file}
-@itemx -f
-@opindex recipient-file
-This option is similar to @option{--recipient} except that it
+@item \-\-recipient\-file @var{file}
+@itemx \-f
+@opindex recipient\-file
+This option is similar to @option{\-\-recipient} except that it
encrypts to a key stored in the given file. @var{file} must be the
name of a file containing exactly one key. @command{@gpgname} assumes that
the key in this file is fully valid.
-@item --hidden-recipient-file @var{file}
-@itemx -F
-@opindex hidden-recipient-file
-This option is similar to @option{--hidden-recipient} except that it
+@item \-\-hidden\-recipient\-file @var{file}
+@itemx \-F
+@opindex hidden\-recipient\-file
+This option is similar to @option{\-\-hidden\-recipient} except that it
encrypts to a key stored in the given file. @var{file} must be the
name of a file containing exactly one key. @command{@gpgname} assumes that
the key in this file is fully valid.
-@item --encrypt-to @var{name}
-@opindex encrypt-to
-Same as @option{--recipient} but this one is intended for use in the
+@item \-\-encrypt\-to @var{name}
+@opindex encrypt\-to
+Same as @option{\-\-recipient} but this one is intended for use in the
options file and may be used with your own user-id as an
-"encrypt-to-self". These keys are only used when there are other
-recipients given either by use of @option{--recipient} or by the asked
+"encrypt\-to\-self". These keys are only used when there are other
+recipients given either by use of @option{\-\-recipient} or by the asked
user id. No trust checking is performed for these user ids and even
disabled keys can be used.
-@item --hidden-encrypt-to @var{name}
-@opindex hidden-encrypt-to
-Same as @option{--hidden-recipient} but this one is intended for use in the
+@item \-\-hidden\-encrypt\-to @var{name}
+@opindex hidden\-encrypt\-to
+Same as @option{\-\-hidden\-recipient} but this one is intended for use in the
options file and may be used with your own user-id as a hidden
-"encrypt-to-self". These keys are only used when there are other
-recipients given either by use of @option{--recipient} or by the asked user id.
+"encrypt\-to\-self". These keys are only used when there are other
+recipients given either by use of @option{\-\-recipient} or by the asked user id.
No trust checking is performed for these user ids and even disabled
keys can be used.
-@item --no-encrypt-to
-@opindex no-encrypt-to
-Disable the use of all @option{--encrypt-to} and
-@option{--hidden-encrypt-to} keys.
+@item \-\-no\-encrypt\-to
+@opindex no\-encrypt\-to
+Disable the use of all @option{\-\-encrypt\-to} and
+@option{\-\-hidden\-encrypt\-to} keys.
-@item --group @{@var{name}=@var{value}@}
+@item \-\-group @{@var{name}=@var{value}@}
@opindex group
Sets up a named group, which is similar to aliases in email programs.
-Any time the group name is a recipient (@option{-r} or
-@option{--recipient}), it will be expanded to the values
+Any time the group name is a recipient (@option{\-r} or
+@option{\-\-recipient}), it will be expanded to the values
specified. Multiple groups with the same name are automatically merged
into a single group.
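Review bot: the quoted term "encrypt\-to\-self" in the \-\-encrypt\-to and \-\-hidden\-encrypt\-to descriptions is escaped, while user-id on the added line "@option{\-\-hidden\-recipient} is not specified, GnuPG asks for the user-id" is left with a plain hyphen. The man-pages(7) text quoted in the commit message reserves \- for real minus signs and leading option dashes, and "encrypt-to-self" is a descriptive compound, not an option. Suggest keeping it as encrypt-to-self so that the patch applies one rule: escape option names and literal input, leave ordinary hyphenated words alone.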
@@ -2279,21 +2279,21 @@ from the command line, it may be necessary to quote the argument to
this option to prevent the shell from treating it as multiple
arguments.
-@item --ungroup @var{name}
+@item \-\-ungroup @var{name}
@opindex ungroup
-Remove a given entry from the @option{--group} list.
+Remove a given entry from the @option{\-\-group} list.
-@item --no-groups
-@opindex no-groups
-Remove all entries from the @option{--group} list.
+@item \-\-no\-groups
+@opindex no\-groups
+Remove all entries from the @option{\-\-group} list.
-@item --local-user @var{name}
-@itemx -u
-@opindex local-user
+@item \-\-local\-user @var{name}
+@itemx \-u
+@opindex local\-user
Use @var{name} as the key to sign with. Note that this option overrides
-@option{--default-key}.
+@option{\-\-default\-key}.
-@item --sender @var{mbox}
+@item \-\-sender @var{mbox}
@opindex sender
This option has two purposes. @var{mbox} must either be a complete
user ID containing a proper mail address or just a plain mail address.
@@ -2315,7 +2315,7 @@ information. Note that GnuPG considers only the mail address part of
a User ID.
If this option or the said subpacket is available the TRUST lines as
-printed by option @option{status-fd} correspond to the corresponding
+printed by option @option{status\-fd} correspond to the corresponding
User ID; if no User ID is known the TRUST lines are computed directly
on the key and do not give any information about the User ID. In the
latter case it his highly recommended to scripts and other frontends
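Review bot: the rewritten line "printed by option @option{status\-fd} correspond to the corresponding" still names the option without its leading dashes, whereas the \-\-input\-size\-hint description in this same patch refers to it as @option{\-\-status\-fd}. Since the line is being touched, either write @option{\-\-status\-fd} here or note in the commit message that pre-existing option-name inconsistencies are deliberately left for a follow-up, so that a later search for the escaped option name finds both places.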
@@ -2323,30 +2323,30 @@ to evaluate the VALIDSIG line, retrieve the key and print all User IDs
along with their validity (trust) information.
-@item --try-secret-key @var{name}
-@opindex try-secret-key
+@item \-\-try\-secret\-key @var{name}
+@opindex try\-secret\-key
For hidden recipients GPG needs to know the keys to use for trial
-decryption. The key set with @option{--default-key} is always tried
+decryption. The key set with @option{\-\-default\-key} is always tried
first, but this is often not sufficient. This option allows setting more
keys to be used for trial decryption. Although any valid user-id
specification may be used for @var{name} it makes sense to use at least
-the long keyid to avoid ambiguities. Note that gpg-agent might pop up a
+the long keyid to avoid ambiguities. Note that gpg\-agent might pop up a
pinentry for a lot keys to do the trial decryption. If you want to stop
all further trial decryption you may use close-window button instead of
the cancel button.
-@item --try-all-secrets
-@opindex try-all-secrets
+@item \-\-try\-all\-secrets
+@opindex try\-all\-secrets
Don't look at the key ID as stored in the message but try all secret
keys in turn to find the right decryption key. This option forces the
behaviour as used by anonymous recipients (created by using
-@option{--throw-keyids} or @option{--hidden-recipient}) and might come
+@option{\-\-throw\-keyids} or @option{\-\-hidden\-recipient}) and might come
handy in case where an encrypted message contains a bogus key ID.
-@item --skip-hidden-recipients
-@itemx --no-skip-hidden-recipients
-@opindex skip-hidden-recipients
-@opindex no-skip-hidden-recipients
+@item \-\-skip\-hidden\-recipients
+@itemx \-\-no\-skip\-hidden\-recipients
+@opindex skip\-hidden\-recipients
+@opindex no\-skip\-hidden\-recipients
During decryption skip all anonymous recipients. This option helps in
the case that people use the hidden recipients feature to hide their
own encrypt-to key from others. If one has many secret keys this
@@ -2366,24 +2366,24 @@ message which includes real anonymous recipients.
@table @gnupgtabopt
-@item --armor
-@itemx -a
+@item \-\-armor
+@itemx \-a
@opindex armor
Create ASCII armored output. The default is to create the binary
OpenPGP format.
-@item --no-armor
-@opindex no-armor
+@item \-\-no\-armor
+@opindex no\-armor
Assume the input data is not in ASCII armored format.
-@item --output @var{file}
-@itemx -o @var{file}
+@item \-\-output @var{file}
+@itemx \-o @var{file}
@opindex output
-Write output to @var{file}. To write to stdout use @code{-} as the
+Write output to @var{file}. To write to stdout use @code{\-} as the
filename.
-@item --max-output @var{n}
-@opindex max-output
+@item \-\-max\-output @var{n}
+@opindex max\-output
This option sets a limit on the number of bytes that will be generated
when processing a file. Since OpenPGP supports various levels of
compression, it is possible that the plaintext of a given message may be
@@ -2392,8 +2392,8 @@ works properly with such messages, there is often a desire to set a
maximum file size that will be generated before processing is forced to
stop by the OS limits. Defaults to 0, which means "no limit".
-@item --chunk-size @var{n}
-@opindex chunk-size
+@item \-\-chunk\-size @var{n}
+@opindex chunk\-size
The AEAD encryption mode encrypts the data in chunks so that a
receiving side can check for transmission errors or tampering at the
end of each chunk and does not need to delay this until all data has
@@ -2401,17 +2401,17 @@ been received. The used chunk size is 2^@var{n} byte. The lowest
allowed value for @var{n} is 6 (64 byte) and the largest is the
default of 22 which creates chunks not larger than 4 MiB.
-@item --input-size-hint @var{n}
-@opindex input-size-hint
+@item \-\-input\-size\-hint @var{n}
+@opindex input\-size\-hint
This option can be used to tell GPG the size of the input data in
bytes. @var{n} must be a positive base-10 number. This option is
only useful if the input is not taken from a file. GPG may use this
hint to optimize its buffer allocation strategy. It is also used by
-the @option{--status-fd} line ``PROGRESS'' to provide a value for
+the @option{\-\-status\-fd} line ``PROGRESS'' to provide a value for
``total'' if that is not available by other means.
-@item --key-origin @var{string}[,@var{url}]
-@opindex key-origin
+@item \-\-key\-origin @var{string}[,@var{url}]
+@opindex key\-origin
gpg can track the origin of a key. Certain origins are implicitly
known (e.g. keyserver, web key directory) and set. For a standard
import the origin of the keys imported can be set with this option.
@@ -2419,20 +2419,20 @@ To list the possible values use "help" for @var{string}. Some origins
can store an optional @var{url} argument. That URL can appended to
@var{string} after a comma.
-@item --import-options @var{parameters}
-@opindex import-options
+@item \-\-import\-options @var{parameters}
+@opindex import\-options
This is a space or comma delimited string that gives options for
-importing keys. Options can be prepended with a `no-' to give the
+importing keys. Options can be prepended with a `no\-' to give the
opposite meaning. The options are:
@table @asis
- @item import-local-sigs
+ @item import\-local\-sigs
Allow importing key signatures marked as "local". This is not
generally useful unless a shared keyring scheme is being used.
Defaults to no.
- @item keep-ownertrust
+ @item keep\-ownertrust
Normally possible still existing ownertrust values of a key are
cleared if a key is imported. This is in general desirable so that
a formerly deleted key does not automatically gain an ownertrust
@@ -2441,79 +2441,79 @@ opposite meaning. The options are:
already assigned ownertrust values. This can be achieved by using
this option.
- @item repair-pks-subkey-bug
+ @item repair\-pks\-subkey\-bug
During import, attempt to repair the damage caused by the PKS keyserver
bug (pre version 0.9.6) that mangles keys with multiple subkeys. Note
that this cannot completely repair the damaged key as some crucial data
is removed by the keyserver, but it does at least give you back one
- subkey. Defaults to no for regular @option{--import} and to yes for
- keyserver @option{--receive-keys}.
+ subkey. Defaults to no for regular @option{\-\-import} and to yes for
+ keyserver @option{\-\-receive\-keys}.
- @item import-show
- @itemx show-only
+ @item import\-show
+ @itemx show\-only
Show a listing of the key as imported right before it is stored.
- This can be combined with the option @option{--dry-run} to only look
- at keys; the option @option{show-only} is a shortcut for this
- combination. The command @option{--show-keys} is another shortcut
+ This can be combined with the option @option{\-\-dry\-run} to only look
+ at keys; the option @option{show\-only} is a shortcut for this
+ combination. The command @option{\-\-show\-keys} is another shortcut
for this. Note that suffixes like '#' for "sec" and "sbb" lines
may or may not be printed.
- @item import-export
+ @item import\-export
Run the entire import code but instead of storing the key to the
local keyring write it to the output. The export option
- @option{export-dane} affect the output. This option can for example
+ @option{export\-dane} affect the output. This option can for example
be used to remove all invalid parts from a key without the
need to store it.
- @item merge-only
+ @item merge\-only
During import, allow key updates to existing keys, but do not allow
any new keys to be imported. Defaults to no.
- @item import-clean
+ @item import\-clean
After import, compact (remove all signatures except the
self-signature) any user IDs from the new key that are not usable.
Then, remove any signatures from the new key that are not usable.
This includes signatures that were issued by keys that are not present
- on the keyring. This option is the same as running the @option{--edit-key}
+ on the keyring. This option is the same as running the @option{\-\-edit\-key}
command "clean" after import. Defaults to no.
- @item self-sigs-only
+ @item self\-sigs\-only
Accept only self-signatures while importing a key. All other key
signatures are skipped at an early import stage. This option can be
- used with @code{keyserver-options} to mitigate attempts to flood a
+ used with @code{keyserver\-options} to mitigate attempts to flood a
key with bogus signatures from a keyserver. The drawback is that
all other valid key signatures, as required by the Web of Trust are
also not imported. Note that when using this option along with
- import-clean it suppresses the final clean step after merging the
+ import\-clean it suppresses the final clean step after merging the
imported key into the existing key.
- @item repair-keys
+ @item repair\-keys
After import, fix various problems with the
keys. For example, this reorders signatures, and strips duplicate
signatures. Defaults to yes.
- @item bulk-import
- When used the keyboxd (option @option{use-keyboxd} in @file{common.conf})
+ @item bulk\-import
+ When used the keyboxd (option @option{use\-keyboxd} in @file{common.conf})
does the import within a single
transaction.
- @item import-minimal
+ @item import\-minimal
Import the smallest key possible. This removes all signatures except
the most recent self-signature on each user ID. This option is the
- same as running the @option{--edit-key} command "minimize" after import.
+ same as running the @option{\-\-edit\-key} command "minimize" after import.
Defaults to no.
@item restore
- @itemx import-restore
+ @itemx import\-restore
Import in key restore mode. This imports all data which is usually
skipped during import; including all GnuPG specific data. All other
contradicting options are overridden.
@end table
-@item --import-filter @{@var{name}=@var{expr}@}
-@itemx --export-filter @{@var{name}=@var{expr}@}
-@opindex import-filter
-@opindex export-filter
+@item \-\-import\-filter @{@var{name}=@var{expr}@}
+@itemx \-\-export\-filter @{@var{name}=@var{expr}@}
+@opindex import\-filter
+@opindex export\-filter
These options define an import/export filter which are applied to the
imported/exported keyblock right before it will be stored/written.
@var{name} defines the type of filter to use, @var{expr} the
@@ -2525,18 +2525,18 @@ The available filter types are:
@table @asis
- @item keep-uid
+ @item keep\-uid
This filter will keep a user id packet and its dependent packets in
the keyblock if the expression evaluates to true.
- @item drop-subkey
+ @item drop\-subkey
This filter drops the selected subkeys.
- Currently only implemented for --export-filter.
+ Currently only implemented for \-\-export\-filter.
- @item drop-sig
+ @item drop\-sig
This filter drops the selected key signatures on user ids.
Self-signatures are not considered.
- Currently only implemented for --import-filter.
+ Currently only implemented for \-\-import\-filter.
@end table
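Review bot: in the drop\-subkey and drop\-sig entries the option names are escaped in bare running text ("Currently only implemented for \-\-export\-filter." and "... for \-\-import\-filter.") without any @option{} markup, unlike every other option reference changed by this patch. Outside of markup there is nothing that tells a converter these are literal option names rather than prose. Suggest wrapping them, e.g. "Currently only implemented for @option{\-\-export\-filter}.", so they are handled the same way as the rest.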
@@ -2549,35 +2549,35 @@ The available properties are:
@table @asis
@item uid
- A string with the user id. (keep-uid)
+ A string with the user id. (keep\-uid)
@item mbox
The addr-spec part of a user id with mailbox or the empty string.
- (keep-uid)
+ (keep\-uid)
@item key_algo
A number with the public key algorithm of a key or subkey packet.
- (drop-subkey)
+ (drop\-subkey)
@item key_created
@itemx key_created_d
The first is the timestamp a public key or subkey packet was
created. The second is the same but given as an ISO string,
- e.g. "2016-08-17". (drop-subkey)
+ e.g. "2016\-08\-17". (drop\-subkey)
@item fpr
The hexified fingerprint of the current subkey or primary key.
- (drop-subkey)
+ (drop\-subkey)
@item primary
- Boolean indicating whether the user id is the primary one. (keep-uid)
+ Boolean indicating whether the user id is the primary one. (keep\-uid)
@item expired
- Boolean indicating whether a user id (keep-uid), a key (drop-subkey), or a
- signature (drop-sig) expired.
+ Boolean indicating whether a user id (keep\-uid), a key (drop\-subkey), or a
+ signature (drop\-sig) expired.
@item revoked
- Boolean indicating whether a user id (keep-uid) or a key (drop-subkey) has
+ Boolean indicating whether a user id (keep\-uid) or a key (drop\-subkey) has
been revoked.
@item disabled
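Review bot: the ISO date example in the key_created_d entry is changed to "2016\-08\-17", but the date in the \-\-fixed\-list\-mode description ("seconds since 1970-01-01") is left unescaped elsewhere in this patch. Both are literal dates a reader might copy, so they should be treated alike. Suggest deciding whether date literals fall under the "real minus" rule from man-pages(7) and applying that decision to every date in the file. The parenthesised filter names such as (keep\-uid) and (drop\-subkey) raise the same question, since they are option values shown in plain prose.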
@@ -2585,83 +2585,83 @@ The available properties are:
@item secret
Boolean indicating whether a key or subkey is a secret one.
- (drop-subkey)
+ (drop\-subkey)
@item usage
A string indicating the usage flags for the subkey, from the
sequence ``ecsa?''. For example, a subkey capable of just signing
- and authentication would be an exact match for ``sa''. (drop-subkey)
+ and authentication would be an exact match for ``sa''. (drop\-subkey)
@item sig_created
@itemx sig_created_d
The first is the timestamp a signature packet was created. The
second is the same but given as an ISO date string,
- e.g. "2016-08-17". (drop-sig)
+ e.g. "2016\-08\-17". (drop\-sig)
@item sig_algo
- A number with the public key algorithm of a signature packet. (drop-sig)
+ A number with the public key algorithm of a signature packet. (drop\-sig)
@item sig_digest_algo
- A number with the digest algorithm of a signature packet. (drop-sig)
+ A number with the digest algorithm of a signature packet. (drop\-sig)
@end table
-@item --export-options @var{parameters}
-@opindex export-options
+@item \-\-export\-options @var{parameters}
+@opindex export\-options
This is a space or comma delimited string that gives options for
-exporting keys. Options can be prepended with a `no-' to give the
+exporting keys. Options can be prepended with a `no\-' to give the
opposite meaning. The options are:
@table @asis
- @item export-local-sigs
+ @item export\-local\-sigs
Allow exporting key signatures marked as "local". This is not
generally useful unless a shared keyring scheme is being used.
Defaults to no.
- @item export-attributes
+ @item export\-attributes
Include attribute user IDs (photo IDs) while exporting. Not
including attribute user IDs is useful to export keys that are going
to be used by an OpenPGP program that does not accept attribute user
IDs. Defaults to yes.
- @item export-sensitive-revkeys
+ @item export\-sensitive\-revkeys
Include designated revoker information that was marked as
"sensitive". Defaults to no.
- @c Since GnuPG 2.1 gpg-agent manages the secret key and thus the
- @c export-reset-subkey-passwd hack is not anymore justified. Such use
+ @c Since GnuPG 2.1 gpg\-agent manages the secret key and thus the
+ @c export\-reset\-subkey\-passwd hack is not anymore justified. Such use
@c cases may be implemented using a specialized secret key export
@c tool.
- @c @item export-reset-subkey-passwd
- @c When using the @option{--export-secret-subkeys} command, this option resets
+ @c @item export\-reset\-subkey\-passwd
+ @c When using the @option{\-\-export\-secret\-subkeys} command, this option resets
@c the passphrases for all exported subkeys to empty. This is useful
@c when the exported subkey is to be used on an unattended machine where
@c a passphrase doesn't necessarily make sense. Defaults to no.
@item backup
- @itemx export-backup
+ @itemx export\-backup
Export for use as a backup. The exported data includes all data
which is needed to restore the key or keys later with GnuPG. The
format is basically the OpenPGP format but enhanced with GnuPG
specific data. All other contradicting options are overridden.
- @item export-clean
+ @item export\-clean
Compact (remove all signatures from) user IDs on the key being
exported if the user IDs are not usable. Also, do not export any
signatures that are not usable. This includes signatures that were
issued by keys that are not present on the keyring. This option is
- the same as running the @option{--edit-key} command "clean" before export
+ the same as running the @option{\-\-edit\-key} command "clean" before export
except that the local copy of the key is not modified. Defaults to
no.
- @item export-minimal
+ @item export\-minimal
Export the smallest key possible. This removes all signatures except the
most recent self-signature on each user ID. This option is the same as
- running the @option{--edit-key} command "minimize" before export except
+ running the @option{\-\-edit\-key} command "minimize" before export except
that the local copy of the key is not modified. Defaults to no.
- @item export-dane
+ @item export\-dane
Instead of outputting the key material output OpenPGP DANE records
suitable to put into DNS zone files. An ORIGIN line is printed before
each record to allow diverting the records to the corresponding zone
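Review bot: the block of @c lines about export\-reset\-subkey\-passwd is Texinfo comment text and never reaches any rendered output, so escaping hyphens there ("@c Since GnuPG 2.1 gpg\-agent manages ...", "@c @item export\-reset\-subkey\-passwd") cannot serve the searching or copy-paste goals stated in the commit message. It only adds six changed lines to an already large diff and makes the commented-out text harder to restore later. Suggest dropping the @c lines from the patch.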
@@ -2669,67 +2669,67 @@ opposite meaning. The options are:
@end table
-@item --with-colons
-@opindex with-colons
+@item \-\-with\-colons
+@opindex with\-colons
Print key listings delimited by colons. Note that the output will be
-encoded in UTF-8 regardless of any @option{--display-charset} setting. This
+encoded in UTF\-8 regardless of any @option{\-\-display\-charset} setting. This
format is useful when GnuPG is called from scripts and other programs
as it is easily machine parsed. The details of this format are
documented in the file @file{doc/DETAILS}, which is included in the GnuPG
source distribution.
-@item --fixed-list-mode
-@opindex fixed-list-mode
-Do not merge primary user ID and primary key in @option{--with-colon}
+@item \-\-fixed\-list\-mode
+@opindex fixed\-list\-mode
+Do not merge primary user ID and primary key in @option{\-\-with\-colon}
listing mode and print all timestamps as seconds since 1970-01-01.
Since GnuPG 2.0.10, this mode is always used and thus this option is
obsolete; it does not harm to use it though.
-@item --legacy-list-mode
-@opindex legacy-list-mode
+@item \-\-legacy\-list\-mode
+@opindex legacy\-list\-mode
Revert to the pre-2.1 public key list mode. This only affects the
human readable output and not the machine interface
-(i.e. @code{--with-colons}). Note that the legacy format does not
+(i.e. @code{\-\-with\-colons}). Note that the legacy format does not
convey suitable information for elliptic curves.
-@item --with-fingerprint
-@opindex with-fingerprint
-Same as the command @option{--fingerprint} but changes only the format
+@item \-\-with\-fingerprint
+@opindex with\-fingerprint
+Same as the command @option{\-\-fingerprint} but changes only the format
of the output and may be used together with another command.
-@item --with-subkey-fingerprint
-@opindex with-subkey-fingerprint
+@item \-\-with\-subkey\-fingerprint
+@opindex with\-subkey\-fingerprint
If a fingerprint is printed for the primary key, this option forces
printing of the fingerprint for all subkeys. This could also be
-achieved by using the @option{--with-fingerprint} twice but by using
-this option along with keyid-format "none" a compact fingerprint is
+achieved by using the @option{\-\-with\-fingerprint} twice but by using
+this option along with keyid\-format "none" a compact fingerprint is
printed.
-@item --with-icao-spelling
-@opindex with-icao-spelling
+@item \-\-with\-icao\-spelling
+@opindex with\-icao\-spelling
Print the ICAO spelling of the fingerprint in addition to the hex digits.
-@item --with-keygrip
-@opindex with-keygrip
-Include the keygrip in the key listings. In @code{--with-colons} mode
+@item \-\-with\-keygrip
+@opindex with\-keygrip
+Include the keygrip in the key listings. In @code{\-\-with\-colons} mode
this is implicitly enable for secret keys.
-@item --with-key-origin
-@opindex with-key-origin
+@item \-\-with\-key\-origin
+@opindex with\-key\-origin
Include the locally held information on the origin and last update of
-a key in a key listing. In @code{--with-colons} mode this is always
+a key in a key listing. In @code{\-\-with\-colons} mode this is always
printed. This data is currently experimental and shall not be
considered part of the stable API.
-@item --with-wkd-hash
-@opindex with-wkd-hash
+@item \-\-with\-wkd\-hash
+@opindex with\-wkd\-hash
Print a Web Key Directory identifier along with each user ID in key
listings. This is an experimental feature and semantics may change.
-@item --with-secret
-@opindex with-secret
+@item \-\-with\-secret
+@opindex with\-secret
Include info about the presence of a secret key in public key listings
-done with @code{--with-colons}.
+done with @code{\-\-with\-colons}.
@end table
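Review bot: the rewritten \-\-fixed\-list\-mode line refers to @option{\-\-with\-colon}, singular, while the option is defined a few lines earlier in this hunk as @item \-\-with\-colons and is referenced as @code{\-\-with\-colons} in the \-\-legacy\-list\-mode, \-\-with\-keygrip, \-\-with\-key\-origin and \-\-with\-secret entries. The typo predates this patch, but a patch whose purpose is to make option names searchable should not carry forward a spelling that a search for the real option name will miss. Suggest @option{\-\-with\-colons} here, or a separate preparatory commit that fixes the name first.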
@@ -2741,8 +2741,8 @@ done with @code{--with-colons}.
@table @gnupgtabopt
-@item -t, --textmode
-@itemx --no-textmode
+@item \-t, \-\-textmode
+@itemx \-\-no\-textmode
@opindex textmode
Treat input files as text and store them in the OpenPGP canonical text
form with standard "CRLF" line endings. This also sets the necessary
@@ -2750,124 +2750,124 @@ flags to inform the recipient that the encrypted or signed data is text
and may need its line endings converted back to whatever the local
system uses. This option is useful when communicating between two
platforms that have different line ending conventions (UNIX-like to Mac,
-Mac to Windows, etc). @option{--no-textmode} disables this option, and
+Mac to Windows, etc). @option{\-\-no\-textmode} disables this option, and
is the default.
-@item --force-v3-sigs
-@itemx --no-force-v3-sigs
-@item --force-v4-certs
-@itemx --no-force-v4-certs
+@item \-\-force\-v3\-sigs
+@itemx \-\-no\-force\-v3\-sigs
+@item \-\-force\-v4\-certs
+@itemx \-\-no\-force\-v4\-certs
These options are obsolete and have no effect since GnuPG 2.1.
-@item --force-aead
-@opindex force-aead
+@item \-\-force\-aead
+@opindex force\-aead
Force the use of AEAD encryption over MDC encryption. AEAD is a
modern and faster way to do authenticated encryption than the old MDC
-method. See also options @option{--aead-algo} and
-@option{--chunk-size}.
+method. See also options @option{\-\-aead\-algo} and
+@option{\-\-chunk\-size}.
-@item --force-mdc
-@itemx --disable-mdc
-@opindex force-mdc
-@opindex disable-mdc
+@item \-\-force\-mdc
+@itemx \-\-disable\-mdc
+@opindex force\-mdc
+@opindex disable\-mdc
These options are obsolete and have no effect since GnuPG 2.2.8. The
MDC is always used unless the keys indicate that an AEAD algorithm can
be used in which case AEAD is used. But note: If the creation of a
legacy non-MDC message is exceptionally required, the option
-@option{--rfc2440} allows for this.
+@option{\-\-rfc2440} allows for this.
-@item --disable-signer-uid
-@opindex disable-signer-uid
+@item \-\-disable\-signer\-uid
+@opindex disable\-signer\-uid
By default the user ID of the signing key is embedded in the data signature.
As of now this is only done if the signing key has been specified with
-@option{local-user} using a mail address, or with @option{sender}. This
+@option{local\-user} using a mail address, or with @option{sender}. This
information can be helpful for verifier to locate the key; see option
-@option{--auto-key-retrieve}.
+@option{\-\-auto\-key\-retrieve}.
-@item --include-key-block
-@itemx --no-include-key-block
-@opindex include-key-block
-@opindex no-include-key-block
+@item \-\-include\-key\-block
+@itemx \-\-no\-include\-key\-block
+@opindex include\-key\-block
+@opindex no\-include\-key\-block
This option is used to embed the actual signing key into a data
signature. The embedded key is stripped down to a single user id and
includes only the signing subkey used to create the signature as well
as as valid encryption subkeys. All other info is removed from the
key to keep it and thus the signature small. This option is the
OpenPGP counterpart to the @command{gpgsm} option
-@option{--include-certs} and allows the recipient of a signed message
+@option{\-\-include\-certs} and allows the recipient of a signed message
to reply encrypted to the sender without using any online directories
-to lookup the key. The default is @option{--no-include-key-block}.
-See also the option @option{--auto-key-import}.
+to lookup the key. The default is @option{\-\-no\-include\-key\-block}.
+See also the option @option{\-\-auto\-key\-import}.
-@item --personal-cipher-preferences @var{string}
-@opindex personal-cipher-preferences
+@item \-\-personal\-cipher\-preferences @var{string}
+@opindex personal\-cipher\-preferences
Set the list of personal cipher preferences to @var{string}. Use
-@command{@gpgname --version} to get a list of available algorithms,
+@command{@gpgname \-\-version} to get a list of available algorithms,
and use @code{none} to set no preference at all. This allows the user
to safely override the algorithm chosen by the recipient key
preferences, as GPG will only select an algorithm that is usable by
all recipients. The most highly ranked cipher in this list is also
-used for the @option{--symmetric} encryption command.
+used for the @option{\-\-symmetric} encryption command.
-@item --personal-aead-preferences @var{string}
-@opindex personal-aead-preferences
+@item \-\-personal\-aead\-preferences @var{string}
+@opindex personal\-aead\-preferences
Set the list of personal AEAD preferences to @var{string}. Use
-@command{@gpgname --version} to get a list of available algorithms,
+@command{@gpgname \-\-version} to get a list of available algorithms,
and use @code{none} to set no preference at all. This allows the user
to safely override the algorithm chosen by the recipient key
preferences, as GPG will only select an algorithm that is usable by
all recipients. The most highly ranked cipher in this list is also
-used for the @option{--symmetric} encryption command.
+used for the @option{\-\-symmetric} encryption command.
-@item --personal-digest-preferences @var{string}
-@opindex personal-digest-preferences
+@item \-\-personal\-digest\-preferences @var{string}
+@opindex personal\-digest\-preferences
Set the list of personal digest preferences to @var{string}. Use
-@command{@gpgname --version} to get a list of available algorithms,
+@command{@gpgname \-\-version} to get a list of available algorithms,
and use @code{none} to set no preference at all. This allows the user
to safely override the algorithm chosen by the recipient key
preferences, as GPG will only select an algorithm that is usable by
all recipients. The most highly ranked digest algorithm in this list
is also used when signing without encryption
-(e.g. @option{--clear-sign} or @option{--sign}).
+(e.g. @option{\-\-clear\-sign} or @option{\-\-sign}).
-@item --personal-compress-preferences @var{string}
-@opindex personal-compress-preferences
+@item \-\-personal\-compress\-preferences @var{string}
+@opindex personal\-compress\-preferences
Set the list of personal compression preferences to @var{string}.
-Use @command{@gpgname --version} to get a list of available
+Use @command{@gpgname \-\-version} to get a list of available
algorithms, and use @code{none} to set no preference at all. This
allows the user to safely override the algorithm chosen by the
recipient key preferences, as GPG will only select an algorithm that
is usable by all recipients. The most highly ranked compression
algorithm in this list is also used when there are no recipient keys
-to consider (e.g. @option{--symmetric}).
+to consider (e.g. @option{\-\-symmetric}).
-@item --s2k-cipher-algo @var{name}
-@opindex s2k-cipher-algo
+@item \-\-s2k\-cipher\-algo @var{name}
+@opindex s2k\-cipher\-algo
Use @var{name} as the cipher algorithm for symmetric encryption with
-a passphrase if @option{--personal-cipher-preferences} and
-@option{--cipher-algo} are not given. The default is @value{GPGSYMENCALGO}.
+a passphrase if @option{\-\-personal\-cipher\-preferences} and
+@option{\-\-cipher\-algo} are not given. The default is @value{GPGSYMENCALGO}.
-@item --s2k-digest-algo @var{name}
-@opindex s2k-digest-algo
+@item \-\-s2k\-digest\-algo @var{name}
+@opindex s2k\-digest\-algo
Use @var{name} as the digest algorithm used to mangle the passphrases
-for symmetric encryption. The default is SHA-1.
+for symmetric encryption. The default is SHA\-1.
-@item --s2k-mode @var{n}
-@opindex s2k-mode
+@item \-\-s2k\-mode @var{n}
+@opindex s2k\-mode
Selects how passphrases for symmetric encryption are mangled. If
@var{n} is 0 a plain passphrase (which is in general not recommended)
will be used, a 1 adds a salt (which should not be used) to the
passphrase and a 3 (the default) iterates the whole process a number
-of times (see @option{--s2k-count}).
+of times (see @option{\-\-s2k\-count}).
-@item --s2k-count @var{n}
-@opindex s2k-count
+@item \-\-s2k\-count @var{n}
+@opindex s2k\-count
Specify how many times the passphrases mangling for symmetric
encryption is repeated. This value may range between 1024 and
-65011712 inclusive. The default is inquired from gpg-agent. Note
+65011712 inclusive. The default is inquired from gpg\-agent. Note
that not all values in the 1024-65011712 range are legal and if an
illegal value is selected, GnuPG will round up to the nearest legal
-value. This option is only meaningful if @option{--s2k-mode} is set
+value. This option is only meaningful if @option{\-\-s2k\-mode} is set
to the default of 3.
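Review bot: hyphens in running prose are handled inconsistently in this hunk. `SHA\-1` and `gpg\-agent` are escaped, while "non-MDC", "UNIX-like" and the numeric range "1024-65011712" on the line right after `gpg\-agent` are left alone. Decide whether names such as SHA-1 take a minus or a hyphen and apply that uniformly, so a later reader can tell the rule from the source. Separately, `@option{local\-user}` under `\-\-disable\-signer\-uid` is written without the leading dashes, unlike the other option references here; since the line is being rewritten, `@option{\-\-local\-user}` would match the rest.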
@@ -2887,78 +2887,78 @@ options.
@table @gnupgtabopt
-@item --gnupg
+@item \-\-gnupg
@opindex gnupg
Use standard GnuPG behavior. This is essentially OpenPGP behavior (see
-@option{--openpgp}), but with extension from the proposed update to
+@option{\-\-openpgp}), but with extension from the proposed update to
OpenPGP and with some additional workarounds for common compatibility
problems in different versions of PGP. This is the default option, so
it is not generally needed, but it may be useful to override a
different compliance option in the gpg.conf file.
-@item --openpgp
+@item \-\-openpgp
@opindex openpgp
Reset all packet, cipher and digest options to strict OpenPGP
-behavior. This option implies @option{--allow-old-cipher-algos}. Use
-this option to reset all previous options like @option{--s2k-*},
-@option{--cipher-algo}, @option{--digest-algo} and
-@option{--compress-algo} to OpenPGP compliant values. All PGP
+behavior. This option implies @option{\-\-allow\-old\-cipher\-algos}. Use
+this option to reset all previous options like @option{\-\-s2k\-*},
+@option{\-\-cipher\-algo}, @option{\-\-digest\-algo} and
+@option{\-\-compress\-algo} to OpenPGP compliant values. All PGP
workarounds are disabled.
-@item --rfc4880
+@item \-\-rfc4880
@opindex rfc4880
-Reset all packet, cipher and digest options to strict RFC-4880
-behavior. This option implies @option{--allow-old-cipher-algos}.
-Note that this is currently the same thing as @option{--openpgp}.
+Reset all packet, cipher and digest options to strict RFC\-4880
+behavior. This option implies @option{\-\-allow\-old\-cipher\-algos}.
+Note that this is currently the same thing as @option{\-\-openpgp}.
-@item --rfc4880bis
+@item \-\-rfc4880bis
@opindex rfc4880bis
Reset all packet, cipher and digest options to strict according to the
-proposed updates of RFC-4880.
+proposed updates of RFC\-4880.
-@item --rfc2440
+@item \-\-rfc2440
@opindex rfc2440
-Reset all packet, cipher and digest options to strict RFC-2440
+Reset all packet, cipher and digest options to strict RFC\-2440
behavior. Note that by using this option encryption packets are
created in a legacy mode without MDC protection. This is dangerous
and should thus only be used for experiments. This option implies
-@option{--allow-old-cipher-algos}. See also option
-@option{--ignore-mdc-error}.
+@option{\-\-allow\-old\-cipher\-algos}. See also option
+@option{\-\-ignore\-mdc\-error}.
-@item --pgp6
+@item \-\-pgp6
@opindex pgp6
-This option is obsolete; it is handled as an alias for @option{--pgp7}
+This option is obsolete; it is handled as an alias for @option{\-\-pgp7}
-@item --pgp7
+@item \-\-pgp7
@opindex pgp7
Set up all options to be as PGP 7 compliant as possible. This allowed
the ciphers IDEA, 3DES, CAST5,AES128, AES192, AES256, and TWOFISH.,
the hashes MD5, SHA1 and RIPEMD160, and the compression algorithms
-none and ZIP. This option implies @option{--escape-from-lines} and
-disables @option{--throw-keyids},
+none and ZIP. This option implies @option{\-\-escape\-from\-lines} and
+disables @option{\-\-throw\-keyids},
-@item --pgp8
+@item \-\-pgp8
@opindex pgp8
Set up all options to be as PGP 8 compliant as possible. PGP 8 is a lot
closer to the OpenPGP standard than previous versions of PGP, so all
-this does is disable @option{--throw-keyids} and set
-@option{--escape-from-lines}. All algorithms are allowed except for the
+this does is disable @option{\-\-throw\-keyids} and set
+@option{\-\-escape\-from\-lines}. All algorithms are allowed except for the
SHA224, SHA384, and SHA512 digests.
-@item --compliance @var{string}
+@item \-\-compliance @var{string}
@opindex compliance
This option can be used instead of one of the options above. Valid
values for @var{string} are the above option names (without the double
dash) and possibly others as shown when using "help" for @var{string}.
-@item --min-rsa-length @var{n}
-@opindex min-rsa-length
-This option adjusts the compliance mode "de-vs" for stricter key size
+@item \-\-min\-rsa\-length @var{n}
+@opindex min\-rsa\-length
+This option adjusts the compliance mode "de\-vs" for stricter key size
requirements. For example, a value of 3000 turns rsa2048 and dsa2048
-keys into non-VS-NfD compliant keys.
+keys into non-VS\-NfD compliant keys.
-@item --require-compliance
-@opindex require-compliance
+@item \-\-require\-compliance
+@opindex require\-compliance
To check that data has been encrypted according to the rules of the
current compliance mode, a gpg user needs to evaluate the status
lines. This is allows frontends to handle compliance check in a more
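Review bot: under `\-\-min\-rsa\-length`, "non-VS\-NfD" ends up with one hyphen escaped and one not, which looks like an artifact of the substitution rather than a choice. "de\-vs" is a value users type for `\-\-compliance`, so a real minus is defensible there, but VS-NfD is a name in prose; escape both hyphens or neither.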
@@ -2966,7 +2966,7 @@ flexible way. However, for scripted use the required evaluation of
the status-line requires quite some effort; this option can be used
instead to make sure that the gpg process exits with a failure if the
compliance rules are not fulfilled. Note that this option has
-currently an effect only in "de-vs" mode.
+currently an effect only in "de\-vs" mode.
@end table
@@ -2979,25 +2979,25 @@ currently an effect only in "de-vs" mode.
@table @gnupgtabopt
-@item -n
-@itemx --dry-run
-@opindex dry-run
+@item \-n
+@itemx \-\-dry\-run
+@opindex dry\-run
Don't make any changes (this is not completely implemented).
-@item --list-only
-@opindex list-only
-Changes the behaviour of some commands. This is like @option{--dry-run} but
+@item \-\-list\-only
+@opindex list\-only
+Changes the behaviour of some commands. This is like @option{\-\-dry\-run} but
different in some cases. The semantic of this option may be extended in
the future. Currently it only skips the actual decryption pass and
therefore enables a fast listing of the encryption keys.
-@item -i
-@itemx --interactive
+@item \-i
+@itemx \-\-interactive
@opindex interactive
Prompt before overwriting any files.
-@item --debug-level @var{level}
-@opindex debug-level
+@item \-\-debug\-level @var{level}
+@opindex debug\-level
Select the debug level for investigating problems. @var{level} may be
a numeric value or by a keyword:
@@ -3024,7 +3024,7 @@ How these messages are mapped to the actual debugging flags is not
specified and may change with newer releases of this program. They are
however carefully selected to best aid in debugging.
-@item --debug @var{flags}
+@item \-\-debug @var{flags}
@opindex debug
Set debug flags. All flags are or-ed and @var{flags} may be given
in C syntax (e.g. 0x0042) or as a comma separated list of flag names.
@@ -3032,28 +3032,28 @@ To get a list of all supported flags the single word "help" can be
used. This option is only useful for debugging and the behavior may
change at any time without notice.
-@item --debug-all
-@opindex debug-all
+@item \-\-debug\-all
+@opindex debug\-all
Set all useful debugging flags.
-@item --debug-iolbf
-@opindex debug-iolbf
+@item \-\-debug\-iolbf
+@opindex debug\-iolbf
Set stdout into line buffered mode. This option is only honored when
given on the command line.
-@item --debug-set-iobuf-size @var{n}
-@opindex debug-iolbf
+@item \-\-debug\-set\-iobuf\-size @var{n}
+@opindex debug\-iolbf
Change the buffer size of the IOBUFs to @var{n} kilobyte. Using 0
prints the current size. Note well: This is a maintainer only option
and may thus be changed or removed at any time without notice.
-@item --debug-allow-large-chunks
-@opindex debug-allow-large-chunks
+@item \-\-debug\-allow\-large\-chunks
+@opindex debug\-allow\-large\-chunks
To facilitate software tests and experiments this option allows to
-specify a limit of up to 4 EiB (@code{--chunk-size 62}).
+specify a limit of up to 4 EiB (@code{\-\-chunk\-size 62}).
-@item --faked-system-time @var{epoch}
-@opindex faked-system-time
+@item \-\-faked\-system\-time @var{epoch}
+@opindex faked\-system\-time
This option is only useful for testing; it sets the system time back or
forth to @var{epoch} which is the number of seconds elapsed since the year
1970. Alternatively @var{epoch} may be given as a full ISO time string
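Review bot: the entry for `\-\-debug\-set\-iobuf\-size` is indexed as `@opindex debug\-iolbf`, the same key as the `\-\-debug\-iolbf` entry directly above it, so the option index has no entry of its own for this option. The patch carries that copy-paste slip forward from the old line; since the line is rewritten anyway, it should read `@opindex debug\-set\-iobuf\-size`, or the slip should be fixed in a separate commit ahead of this one.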
@@ -3062,93 +3062,93 @@ forth to @var{epoch} which is the number of seconds elapsed since the year
If you suffix @var{epoch} with an exclamation mark (!), the system time
will appear to be frozen at the specified time.
-@item --full-timestrings
-@opindex full-timestrings
+@item \-\-full\-timestrings
+@opindex full\-timestrings
Change the format of printed creation and expiration times from just
the date to the date and time. This is in general not useful and the
-same information is anyway available in @option{--with-colons} mode.
+same information is anyway available in @option{\-\-with\-colons} mode.
These longer strings are also not well aligned with other printed
data.
-@item --enable-progress-filter
-@opindex enable-progress-filter
+@item \-\-enable\-progress\-filter
+@opindex enable\-progress\-filter
Enable certain PROGRESS status outputs. This option allows frontends
to display a progress indicator while gpg is processing larger files.
There is a slight performance overhead using it.
-@item --status-fd @var{n}
-@opindex status-fd
+@item \-\-status\-fd @var{n}
+@opindex status\-fd
Write special status strings to the file descriptor @var{n}.
See the file DETAILS in the documentation for a listing of them.
-@item --status-file @var{file}
-@opindex status-file
-Same as @option{--status-fd}, except the status data is written to file
+@item \-\-status\-file @var{file}
+@opindex status\-file
+Same as @option{\-\-status\-fd}, except the status data is written to file
@var{file}.
-@item --logger-fd @var{n}
-@opindex logger-fd
+@item \-\-logger\-fd @var{n}
+@opindex logger\-fd
Write log output to file descriptor @var{n} and not to STDERR.
-@item --log-file @var{file}
-@itemx --logger-file @var{file}
-@opindex log-file
-Same as @option{--logger-fd}, except the logger data is written to
+@item \-\-log\-file @var{file}
+@itemx \-\-logger\-file @var{file}
+@opindex log\-file
+Same as @option{\-\-logger\-fd}, except the logger data is written to
file @var{file}. Use @file{socket://} to log to s socket.
-@item --attribute-fd @var{n}
-@opindex attribute-fd
+@item \-\-attribute\-fd @var{n}
+@opindex attribute\-fd
Write attribute subpackets to the file descriptor @var{n}. This is most
-useful for use with @option{--status-fd}, since the status messages are
+useful for use with @option{\-\-status\-fd}, since the status messages are
needed to separate out the various subpackets from the stream delivered
to the file descriptor.
-@item --attribute-file @var{file}
-@opindex attribute-file
-Same as @option{--attribute-fd}, except the attribute data is written to
+@item \-\-attribute\-file @var{file}
+@opindex attribute\-file
+Same as @option{\-\-attribute\-fd}, except the attribute data is written to
file @var{file}.
-@item --comment @var{string}
-@itemx --no-comments
+@item \-\-comment @var{string}
+@itemx \-\-no\-comments
@opindex comment
Use @var{string} as a comment string in cleartext signatures and ASCII
-armored messages or keys (see @option{--armor}). The default behavior is
-not to use a comment string. @option{--comment} may be repeated multiple
-times to get multiple comment strings. @option{--no-comments} removes
+armored messages or keys (see @option{\-\-armor}). The default behavior is
+not to use a comment string. @option{\-\-comment} may be repeated multiple
+times to get multiple comment strings. @option{\-\-no\-comments} removes
all comments. It is a good idea to keep the length of a single comment
below 60 characters to avoid problems with mail programs wrapping such
lines. Note that comment lines, like all other header lines, are not
protected by the signature.
-@item --emit-version
-@itemx --no-emit-version
-@opindex emit-version
+@item \-\-emit\-version
+@itemx \-\-no\-emit\-version
+@opindex emit\-version
Force inclusion of the version string in ASCII armored output. If
given once only the name of the program and the major number is
emitted, given twice the minor is also emitted, given thrice
the micro is added, and given four times an operating system identification
-is also emitted. @option{--no-emit-version} (default) disables the version
+is also emitted. @option{\-\-no\-emit\-version} (default) disables the version
line.
-@item --sig-notation @{@var{name}=@var{value}@}
-@itemx --cert-notation @{@var{name}=@var{value}@}
-@itemx -N, --set-notation @{@var{name}=@var{value}@}
-@opindex sig-notation
-@opindex cert-notation
-@opindex set-notation
+@item \-\-sig\-notation @{@var{name}=@var{value}@}
+@itemx \-\-cert\-notation @{@var{name}=@var{value}@}
+@itemx \-N, \-\-set\-notation @{@var{name}=@var{value}@}
+@opindex sig\-notation
+@opindex cert\-notation
+@opindex set\-notation
Put the name value pair into the signature as notation data.
@var{name} must consist only of printable characters or spaces, and
must contain a '@@' character in the form keyname@@domain.example.com
(substituting the appropriate keyname and domain name, of course). This
is to help prevent pollution of the IETF reserved notation
-namespace. The @option{--expert} flag overrides the '@@'
+namespace. The @option{\-\-expert} flag overrides the '@@'
check. @var{value} may be any printable string; it will be encoded in
-UTF-8, so you should check that your @option{--display-charset} is set
+UTF\-8, so you should check that your @option{\-\-display\-charset} is set
correctly. If you prefix @var{name} with an exclamation mark (!), the
notation data will be flagged as critical
-(rfc4880:5.2.3.16). @option{--sig-notation} sets a notation for data
-signatures. @option{--cert-notation} sets a notation for key signatures
-(certifications). @option{--set-notation} sets both.
+(rfc4880:5.2.3.16). @option{\-\-sig\-notation} sets a notation for data
+signatures. @option{\-\-cert\-notation} sets a notation for key signatures
+(certifications). @option{\-\-set\-notation} sets both.
There are special codes that may be used in notation names. "%k" will
be expanded into the key ID of the key being signed, "%K" into the
@@ -3162,91 +3162,91 @@ smartcard, and "%%" results in a single "%". %k, %K, and %f are only
meaningful when making a key signature (certification), and %c is only
meaningful when using the OpenPGP smartcard.
-@item --known-notation @var{name}
-@opindex known-notation
+@item \-\-known\-notation @var{name}
+@opindex known\-notation
Adds @var{name} to a list of known critical signature notations. The
effect of this is that gpg will not mark a signature with a critical
signature notation of that name as bad. Note that gpg already knows
by default about a few critical signatures notation names.
-@item --sig-policy-url @var{string}
-@itemx --cert-policy-url @var{string}
-@itemx --set-policy-url @var{string}
-@opindex sig-policy-url
-@opindex cert-policy-url
-@opindex set-policy-url
+@item \-\-sig\-policy\-url @var{string}
+@itemx \-\-cert\-policy\-url @var{string}
+@itemx \-\-set\-policy\-url @var{string}
+@opindex sig\-policy\-url
+@opindex cert\-policy\-url
+@opindex set\-policy\-url
Use @var{string} as a Policy URL for signatures (rfc4880:5.2.3.20). If
you prefix it with an exclamation mark (!), the policy URL packet will
-be flagged as critical. @option{--sig-policy-url} sets a policy url for
-data signatures. @option{--cert-policy-url} sets a policy url for key
-signatures (certifications). @option{--set-policy-url} sets both.
+be flagged as critical. @option{\-\-sig\-policy\-url} sets a policy url for
+data signatures. @option{\-\-cert\-policy\-url} sets a policy url for key
+signatures (certifications). @option{\-\-set\-policy\-url} sets both.
The same %-expandos used for notation data are available here as well.
-@item --sig-keyserver-url @var{string}
-@opindex sig-keyserver-url
+@item \-\-sig\-keyserver\-url @var{string}
+@opindex sig\-keyserver\-url
Use @var{string} as a preferred keyserver URL for data signatures. If
you prefix it with an exclamation mark (!), the keyserver URL packet
will be flagged as critical.
The same %-expandos used for notation data are available here as well.
-@item --set-filename @var{string}
-@opindex set-filename
+@item \-\-set\-filename @var{string}
+@opindex set\-filename
Use @var{string} as the filename which is stored inside messages.
This overrides the default, which is to use the actual filename of the
file being encrypted. Using the empty string for @var{string}
effectively removes the filename from the output.
-@item --for-your-eyes-only
-@itemx --no-for-your-eyes-only
-@opindex for-your-eyes-only
+@item \-\-for\-your\-eyes\-only
+@itemx \-\-no\-for\-your\-eyes\-only
+@opindex for\-your\-eyes\-only
Set the `for your eyes only' flag in the message. This causes GnuPG to
-refuse to save the file unless the @option{--output} option is given,
+refuse to save the file unless the @option{\-\-output} option is given,
and PGP to use a "secure viewer" with a claimed Tempest-resistant font
-to display the message. This option overrides @option{--set-filename}.
-@option{--no-for-your-eyes-only} disables this option.
+to display the message. This option overrides @option{\-\-set\-filename}.
+@option{\-\-no\-for\-your\-eyes\-only} disables this option.
-@item --use-embedded-filename
-@itemx --no-use-embedded-filename
-@opindex use-embedded-filename
+@item \-\-use\-embedded\-filename
+@itemx \-\-no\-use\-embedded\-filename
+@opindex use\-embedded\-filename
Try to create a file with a name as embedded in the data. This can be
a dangerous option as it enables overwriting files. Defaults to no.
-Note that the option @option{--output} overrides this option.
+Note that the option @option{\-\-output} overrides this option.
-@item --cipher-algo @var{name}
-@opindex cipher-algo
+@item \-\-cipher\-algo @var{name}
+@opindex cipher\-algo
Use @var{name} as cipher algorithm. Running the program with the
-command @option{--version} yields a list of supported algorithms. If
+command @option{\-\-version} yields a list of supported algorithms. If
this is not used the cipher algorithm is selected from the preferences
stored with the key. In general, you do not want to use this option as
it allows you to violate the OpenPGP standard. The option
-@option{--personal-cipher-preferences} is the safe way to accomplish the
+@option{\-\-personal\-cipher\-preferences} is the safe way to accomplish the
same thing.
-@item --aead-algo @var{name}
-@opindex aead-algo
+@item \-\-aead\-algo @var{name}
+@opindex aead\-algo
Specify that the AEAD algorithm @var{name} is to be used. This is
useful for symmetric encryption where no key preference are available
to select the AEAD algorithm. Running @command{@gpgname} with option
-@option{--version} shows the available AEAD algorithms. In general,
+@option{\-\-version} shows the available AEAD algorithms. In general,
you do not want to use this option as it allows you to violate the
-OpenPGP standard. The option @option{--personal-aead-preferences} is
+OpenPGP standard. The option @option{\-\-personal\-aead\-preferences} is
the safe way to accomplish the same thing.
-@item --digest-algo @var{name}
-@opindex digest-algo
+@item \-\-digest\-algo @var{name}
+@opindex digest\-algo
Use @var{name} as the message digest algorithm. Running the program
-with the command @option{--version} yields a list of supported
+with the command @option{\-\-version} yields a list of supported
algorithms. In general, you do not want to use this option as it
allows you to violate the OpenPGP standard. The option
-@option{--personal-digest-preferences} is the safe way to accomplish
+@option{\-\-personal\-digest\-preferences} is the safe way to accomplish
the same thing.
-@item --compress-algo @var{name}
-@opindex compress-algo
-Use compression algorithm @var{name}. "zlib" is RFC-1950 ZLIB
-compression. "zip" is RFC-1951 ZIP compression which is used by PGP.
+@item \-\-compress\-algo @var{name}
+@opindex compress\-algo
+Use compression algorithm @var{name}. "zlib" is RFC\-1950 ZLIB
+compression. "zip" is RFC\-1951 ZIP compression which is used by PGP.
"bzip2" is a more modern compression scheme that can compress some
things better than zip or zlib, but at the cost of more memory used
during compression and decompression. "uncompressed" or "none"
@@ -3264,13 +3264,13 @@ versions) only supports ZIP compression. Using any algorithm other
than ZIP or "none" will make the message unreadable with PGP. In
general, you do not want to use this option as it allows you to
violate the OpenPGP standard. The option
-@option{--personal-compress-preferences} is the safe way to accomplish
+@option{\-\-personal\-compress\-preferences} is the safe way to accomplish
the same thing.
-@item --cert-digest-algo @var{name}
-@opindex cert-digest-algo
+@item \-\-cert\-digest\-algo @var{name}
+@opindex cert\-digest\-algo
Use @var{name} as the message digest algorithm used when signing a
-key. Running the program with the command @option{--version} yields a
+key. Running the program with the command @option{\-\-version} yields a
list of supported algorithms. Be aware that if you choose an
algorithm that GnuPG supports but other OpenPGP implementations do
not, then some users will not be able to use the key signatures you
@@ -3280,33 +3280,33 @@ selecting an arbitrary digest algorithm may result in error messages
from lower crypto layers or lead to security flaws.
-@item --disable-cipher-algo @var{name}
-@opindex disable-cipher-algo
+@item \-\-disable\-cipher\-algo @var{name}
+@opindex disable\-cipher\-algo
Never allow the use of @var{name} as cipher algorithm.
The given name will not be checked so that a later loaded algorithm
will still get disabled.
-@item --disable-pubkey-algo @var{name}
-@opindex disable-pubkey-algo
+@item \-\-disable\-pubkey\-algo @var{name}
+@opindex disable\-pubkey\-algo
Never allow the use of @var{name} as public key algorithm.
The given name will not be checked so that a later loaded algorithm
will still get disabled.
-@item --throw-keyids
-@itemx --no-throw-keyids
-@opindex throw-keyids
+@item \-\-throw\-keyids
+@itemx \-\-no\-throw\-keyids
+@opindex throw\-keyids
Do not put the recipient key IDs into encrypted messages. This helps to
hide the receivers of the message and is a limited countermeasure
against traffic analysis.@footnote{Using a little social engineering
anyone who is able to decrypt the message can check whether one of the
other recipients is the one he suspects.} On the receiving side, it may
slow down the decryption process because all available secret keys must
-be tried. @option{--no-throw-keyids} disables this option. This option
-is essentially the same as using @option{--hidden-recipient} for all
+be tried. @option{\-\-no\-throw\-keyids} disables this option. This option
+is essentially the same as using @option{\-\-hidden\-recipient} for all
recipients.
-@item --not-dash-escaped
-@opindex not-dash-escaped
+@item \-\-not\-dash\-escaped
+@opindex not\-dash\-escaped
This option changes the behavior of cleartext signatures
so that they can be used for patch files. You should not
send such an armored file via email because all spaces
@@ -3315,17 +3315,17 @@ option for data which has 5 dashes at the beginning of a
line, patch files don't have this. A special armor header
line tells GnuPG about this cleartext signature option.
-@item --escape-from-lines
-@itemx --no-escape-from-lines
-@opindex escape-from-lines
+@item \-\-escape\-from\-lines
+@itemx \-\-no\-escape\-from\-lines
+@opindex escape\-from\-lines
Because some mailers change lines starting with "From " to ">From " it
is good to handle such lines in a special way when creating cleartext
signatures to prevent the mail system from breaking the signature. Note
that all other PGP versions do it this way too. Enabled by
-default. @option{--no-escape-from-lines} disables this option.
+default. @option{\-\-no\-escape\-from\-lines} disables this option.
-@item --passphrase-repeat @var{n}
-@opindex passphrase-repeat
+@item \-\-passphrase\-repeat @var{n}
+@opindex passphrase\-repeat
Specify how many times @command{@gpgname} will request a new
passphrase be repeated. This is useful for helping memorize a
passphrase. Defaults to 1 repetition; can be set to 0 to disable any
@@ -3333,19 +3333,19 @@ passphrase repetition. Note that a @var{n} greater than 1 will pop up
the pinentry window @var{n}+1 times even if a modern pinentry with
two entry fields is used.
-@item --passphrase-fd @var{n}
-@opindex passphrase-fd
+@item \-\-passphrase\-fd @var{n}
+@opindex passphrase\-fd
Read the passphrase from file descriptor @var{n}. Only the first line
will be read from file descriptor @var{n}. If you use 0 for @var{n},
the passphrase will be read from STDIN. This can only be used if only
one passphrase is supplied.
Note that since Version 2.0 this passphrase is only used if the
-option @option{--batch} has also been given. Since Version 2.1
-the @option{--pinentry-mode} also needs to be set to @code{loopback}.
+option @option{\-\-batch} has also been given. Since Version 2.1
+the @option{\-\-pinentry\-mode} also needs to be set to @code{loopback}.
-@item --passphrase-file @var{file}
-@opindex passphrase-file
+@item \-\-passphrase\-file @var{file}
+@opindex passphrase\-file
Read the passphrase from file @var{file}. Only the first line will
be read from file @var{file}. This can only be used if only one
passphrase is supplied. Obviously, a passphrase stored in a file is
@@ -3353,10 +3353,10 @@ of questionable security if other users can read this file. Don't use
this option if you can avoid it.
Note that since Version 2.0 this passphrase is only used if the
-option @option{--batch} has also been given. Since Version 2.1
-the @option{--pinentry-mode} also needs to be set to @code{loopback}.
+option @option{\-\-batch} has also been given. Since Version 2.1
+the @option{\-\-pinentry\-mode} also needs to be set to @code{loopback}.
-@item --passphrase @var{string}
+@item \-\-passphrase @var{string}
@opindex passphrase
Use @var{string} as the passphrase. This can only be used if only one
passphrase is supplied. Obviously, this is of very questionable
@@ -3364,11 +3364,11 @@ security on a multi-user system. Don't use this option if you can
avoid it.
Note that since Version 2.0 this passphrase is only used if the
-option @option{--batch} has also been given. Since Version 2.1
-the @option{--pinentry-mode} also needs to be set to @code{loopback}.
+option @option{\-\-batch} has also been given. Since Version 2.1
+the @option{\-\-pinentry\-mode} also needs to be set to @code{loopback}.
-@item --pinentry-mode @var{mode}
-@opindex pinentry-mode
+@item \-\-pinentry\-mode @var{mode}
+@opindex pinentry\-mode
Set the pinentry mode to @var{mode}. Allowed values for @var{mode}
are:
@table @asis
@@ -3385,14 +3385,14 @@ are:
Pinentry the user is not prompted again if he enters a bad password.
@end table
-@item --no-symkey-cache
-@opindex no-symkey-cache
+@item \-\-no\-symkey\-cache
+@opindex no\-symkey\-cache
Disable the passphrase cache used for symmetrical en- and decryption.
This cache is based on the message specific salt value
-(cf. @option{--s2k-mode}).
+(cf. @option{\-\-s2k\-mode}).
-@item --request-origin @var{origin}
-@opindex request-origin
+@item \-\-request\-origin @var{origin}
+@opindex request\-origin
Tell gpg to assume that the operation ultimately originated at
@var{origin}. Depending on the origin certain restrictions are applied
and the Pinentry may include an extra note on the origin. Supported
@@ -3400,67 +3400,67 @@ values for @var{origin} are: @code{local} which is the default,
@code{remote} to indicate a remote origin or @code{browser} for an
operation requested by a web browser.
-@item --command-fd @var{n}
-@opindex command-fd
+@item \-\-command\-fd @var{n}
+@opindex command\-fd
This is a replacement for the deprecated shared-memory IPC mode.
If this option is enabled, user input on questions is not expected
from the TTY but from the given file descriptor. It should be used
-together with @option{--status-fd}. See the file doc/DETAILS in the source
+together with @option{\-\-status\-fd}. See the file doc/DETAILS in the source
distribution for details on how to use it.
-@item --command-file @var{file}
-@opindex command-file
-Same as @option{--command-fd}, except the commands are read out of file
+@item \-\-command\-file @var{file}
+@opindex command\-file
+Same as @option{\-\-command\-fd}, except the commands are read out of file
@var{file}
-@item --allow-non-selfsigned-uid
-@itemx --no-allow-non-selfsigned-uid
-@opindex allow-non-selfsigned-uid
+@item \-\-allow\-non\-selfsigned\-uid
+@itemx \-\-no\-allow\-non\-selfsigned\-uid
+@opindex allow\-non\-selfsigned\-uid
Allow the import and use of keys with user IDs which are not
self-signed. This is not recommended, as a non self-signed user ID is
-trivial to forge. @option{--no-allow-non-selfsigned-uid} disables.
+trivial to forge. @option{\-\-no\-allow\-non\-selfsigned\-uid} disables.
-@item --allow-freeform-uid
-@opindex allow-freeform-uid
+@item \-\-allow\-freeform\-uid
+@opindex allow\-freeform\-uid
Disable all checks on the form of the user ID while generating a new
one. This option should only be used in very special environments as
-it does not ensure the de-facto standard format of user IDs.
+it does not ensure the de\-facto standard format of user IDs.
-@item --ignore-time-conflict
-@opindex ignore-time-conflict
+@item \-\-ignore\-time\-conflict
+@opindex ignore\-time\-conflict
GnuPG normally checks that the timestamps associated with keys and
signatures have plausible values. However, sometimes a signature
seems to be older than the key due to clock problems. This option
-makes these checks just a warning. See also @option{--ignore-valid-from} for
+makes these checks just a warning. See also @option{\-\-ignore\-valid\-from} for
timestamp issues on subkeys.
-@item --ignore-valid-from
-@opindex ignore-valid-from
+@item \-\-ignore\-valid\-from
+@opindex ignore\-valid\-from
GnuPG normally does not select and use subkeys created in the future.
This option allows the use of such keys and thus exhibits the
pre-1.0.7 behaviour. You should not use this option unless there
-is some clock problem. See also @option{--ignore-time-conflict} for timestamp
+is some clock problem. See also @option{\-\-ignore\-time\-conflict} for timestamp
issues with signatures.
-@item --ignore-crc-error
-@opindex ignore-crc-error
+@item \-\-ignore\-crc\-error
+@opindex ignore\-crc\-error
The ASCII armor used by OpenPGP is protected by a CRC checksum against
transmission errors. Occasionally the CRC gets mangled somewhere on
the transmission channel but the actual content (which is protected by
the OpenPGP protocol anyway) is still okay. This option allows GnuPG
to ignore CRC errors.
-@item --ignore-mdc-error
-@opindex ignore-mdc-error
+@item \-\-ignore\-mdc\-error
+@opindex ignore\-mdc\-error
This option changes a MDC integrity protection failure into a warning.
It is required to decrypt old messages which did not use an MDC. It
may also be useful if a message is partially garbled, but it is
necessary to get as much data as possible out of that garbled message.
Be aware that a missing or failed MDC can be an indication of an
-attack. Use with great caution; see also option @option{--rfc2440}.
+attack. Use with great caution; see also option @option{\-\-rfc2440}.
-@item --allow-old-cipher-algos
-@opindex allow-old-cipher-algos
+@item \-\-allow\-old\-cipher\-algos
+@opindex allow\-old\-cipher\-algos
Old cipher algorithms like 3DES, IDEA, or CAST5 encrypt data using
blocks of 64 bits; modern algorithms use blocks of 128 bit instead.
To avoid certain attack on these old algorithms it is suggested not to
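Review bot: `de\-facto` is a hyphenated word, not a minus sign, and the same hunk leaves `shared-memory`, `self-signed` and `pre-1.0.7` unescaped, so the treatment of prose hyphens is inconsistent. The man-pages(7) text cited in the commit message asks for `\-` in numbers, cross references and options; suggest reverting this one to `de-facto` and limiting the change to option names and command examples.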
@@ -3468,83 +3468,83 @@ encrypt more than 150 MiByte using the same key. For this reason gpg
does not allow the use of 64 bit block size algorithms for encryption
unless this option is specified.
-@item --allow-weak-digest-algos
-@opindex allow-weak-digest-algos
+@item \-\-allow\-weak\-digest\-algos
+@opindex allow\-weak\-digest\-algos
Signatures made with known-weak digest algorithms are normally
rejected with an ``invalid digest algorithm'' message. This option
allows the verification of signatures made with such weak algorithms.
MD5 is the only digest algorithm considered weak by default. See also
-@option{--weak-digest} to reject other digest algorithms.
+@option{\-\-weak\-digest} to reject other digest algorithms.
-@item --weak-digest @var{name}
-@opindex weak-digest
+@item \-\-weak\-digest @var{name}
+@opindex weak\-digest
Treat the specified digest algorithm as weak. Signatures made over
weak digests algorithms are normally rejected. This option can be
supplied multiple times if multiple algorithms should be considered
-weak. See also @option{--allow-weak-digest-algos} to disable
+weak. See also @option{\-\-allow\-weak\-digest\-algos} to disable
rejection of weak digests. MD5 is always considered weak, and does
not need to be listed explicitly.
-@item --allow-weak-key-signatures
-@opindex allow-weak-key-signatures
+@item \-\-allow\-weak\-key\-signatures
+@opindex allow\-weak\-key\-signatures
To avoid a minor risk of collision attacks on third-party key
-signatures made using SHA-1, those key signatures are considered
+signatures made using SHA\-1, those key signatures are considered
invalid. This options allows to override this restriction.
-@item --override-compliance-check
-@opindex --override-compliance-check
+@item \-\-override\-compliance\-check
+@opindex \-\-override\-compliance\-check
The signature verification only allows the use of keys suitable in the
current compliance mode. If the compliance mode has been forced by a
global option, there might be no way to check certain signature. This
option allows to override this and prints an extra warning in such a
-case. This option is ignored in --batch mode so that no accidental
+case. This option is ignored in \-\-batch mode so that no accidental
unattended verification may happen.
-@item --no-default-keyring
-@opindex no-default-keyring
+@item \-\-no\-default\-keyring
+@opindex no\-default\-keyring
Do not add the default keyring to the list of keyrings. Note that
GnuPG needs for almost all operations a keyring. Thus if you use this
-option and do not provide alternate keyrings via @option{--keyring},
+option and do not provide alternate keyrings via @option{\-\-keyring},
then GnuPG will still use the default keyring.
-Note that if the option @option{use-keyboxd} is enabled in
+Note that if the option @option{use\-keyboxd} is enabled in
@file{common.conf}, no keyrings are used at all and keys are all
maintained by the keyboxd process in its own database.
-@item --no-keyring
-@opindex no-keyring
+@item \-\-no\-keyring
+@opindex no\-keyring
Do not use any keyring at all. This overrides the default and all
options which specify keyrings.
-@item --skip-verify
-@opindex skip-verify
+@item \-\-skip\-verify
+@opindex skip\-verify
Skip the signature verification step. This may be
used to make the decryption faster if the signature
verification is not needed.
-@item --with-key-data
-@opindex with-key-data
-Print key listings delimited by colons (like @option{--with-colons}) and
+@item \-\-with\-key\-data
+@opindex with\-key\-data
+Print key listings delimited by colons (like @option{\-\-with\-colons}) and
print the public key data.
-@item --list-signatures
-@opindex list-signatures
-@itemx --list-sigs
-@opindex list-sigs
-Same as @option{--list-keys}, but the signatures are listed too. This
-command has the same effect as using @option{--list-keys} with
-@option{--with-sig-list}. Note that in contrast to
-@option{--check-signatures} the key signatures are not verified. This
+@item \-\-list\-signatures
+@opindex list\-signatures
+@itemx \-\-list\-sigs
+@opindex list\-sigs
+Same as @option{\-\-list\-keys}, but the signatures are listed too. This
+command has the same effect as using @option{\-\-list\-keys} with
+@option{\-\-with\-sig\-list}. Note that in contrast to
+@option{\-\-check\-signatures} the key signatures are not verified. This
command can be used to create a list of signing keys missing in the
local keyring; for example:
@example
- gpg --list-sigs --with-colons USERID | \
- awk -F: '$1=="sig" && $2=="?" @{if($13)@{print $13@}else@{print $5@}@}'
+ gpg \-\-list\-sigs \-\-with\-colons USERID | \
+ awk \-F: '$1=="sig" && $2=="?" @{if($13)@{print $13@}else@{print $5@}@}'
@end example
-@item --fast-list-mode
-@opindex fast-list-mode
+@item \-\-fast\-list\-mode
+@opindex fast\-list\-mode
Changes the output of the list commands to work faster; this is achieved
by leaving some parts empty. Some applications don't need the user ID
and the trust information given in the listings. By using this options
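Review bot: `@opindex \-\-override\-compliance\-check` keeps the leading dashes that every other `@opindex` line in this hunk omits (compare `@opindex allow\-weak\-key\-signatures`), so the entry will sort apart from the rest of the option index. Since the line is being rewritten anyway, drop the prefix here. In the paragraph below it, `\-\-batch` is also bare text rather than `@option{\-\-batch}` as in the other hunks.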
@@ -3552,18 +3552,18 @@ they can get a faster listing. The exact behaviour of this option may
change in future versions. If you are missing some information, don't
use this option.
-@item --no-literal
-@opindex no-literal
+@item \-\-no\-literal
+@opindex no\-literal
This is not for normal use. Use the source to see for what it might be useful.
-@item --set-filesize
-@opindex set-filesize
+@item \-\-set\-filesize
+@opindex set\-filesize
This is not for normal use. Use the source to see for what it might be useful.
-@item --show-session-key
-@opindex show-session-key
+@item \-\-show\-session\-key
+@opindex show\-session\-key
Display the session key used for one message. See
-@option{--override-session-key} for the counterpart of this option.
+@option{\-\-override\-session\-key} for the counterpart of this option.
We think that Key Escrow is a Bad Thing; however the user should have
the freedom to decide whether to go to prison or to reveal the content
@@ -3576,57 +3576,57 @@ messaging system that the ciphertext transmitted corresponds to an
inappropriate plaintext so they can take action against the offending
user.
-@item --override-session-key @var{string}
-@itemx --override-session-key-fd @var{fd}
-@opindex override-session-key
+@item \-\-override\-session\-key @var{string}
+@itemx \-\-override\-session\-key\-fd @var{fd}
+@opindex override\-session\-key
Don't use the public key but the session key @var{string} respective
the session key taken from the first line read from file descriptor
@var{fd}. The format of this string is the same as the one printed by
-@option{--show-session-key}. This option is normally not used but
+@option{\-\-show\-session\-key}. This option is normally not used but
comes handy in case someone forces you to reveal the content of an
encrypted message; using this option you can do this without handing
-out the secret key. Note that using @option{--override-session-key}
+out the secret key. Note that using @option{\-\-override\-session\-key}
may reveal the session key to all local users via the global process
table. Often it is useful to combine this option with
-@option{--no-keyring}.
+@option{\-\-no\-keyring}.
-@item --ask-sig-expire
-@itemx --no-ask-sig-expire
-@opindex ask-sig-expire
+@item \-\-ask\-sig\-expire
+@itemx \-\-no\-ask\-sig\-expire
+@opindex ask\-sig\-expire
When making a data signature, prompt for an expiration time. If this
option is not specified, the expiration time set via
-@option{--default-sig-expire} is used. @option{--no-ask-sig-expire}
+@option{\-\-default\-sig\-expire} is used. @option{\-\-no\-ask\-sig\-expire}
disables this option.
-@item --default-sig-expire
-@opindex default-sig-expire
+@item \-\-default\-sig\-expire
+@opindex default\-sig\-expire
The default expiration time to use for signature expiration. Valid
values are "0" for no expiration, a number followed by the letter d
(for days), w (for weeks), m (for months), or y (for years) (for
example "2m" for two months, or "5y" for five years), or an absolute
-date in the form YYYY-MM-DD. Defaults to "0".
+date in the form YYYY\-MM\-DD. Defaults to "0".
-@item --ask-cert-expire
-@itemx --no-ask-cert-expire
-@opindex ask-cert-expire
+@item \-\-ask\-cert\-expire
+@itemx \-\-no\-ask\-cert\-expire
+@opindex ask\-cert\-expire
When making a key signature, prompt for an expiration time. If this
option is not specified, the expiration time set via
-@option{--default-cert-expire} is used. @option{--no-ask-cert-expire}
+@option{\-\-default\-cert\-expire} is used. @option{\-\-no\-ask\-cert\-expire}
disables this option.
-@item --default-cert-expire
-@opindex default-cert-expire
+@item \-\-default\-cert\-expire
+@opindex default\-cert\-expire
The default expiration time to use for key signature expiration.
Valid values are "0" for no expiration, a number followed by the
letter d (for days), w (for weeks), m (for months), or y (for years)
(for example "2m" for two months, or "5y" for five years), or an
-absolute date in the form YYYY-MM-DD. Defaults to "0".
+absolute date in the form YYYY\-MM\-DD. Defaults to "0".
-@item --default-new-key-algo @var{string}
-@opindex default-new-key-algo @var{string}
+@item \-\-default\-new\-key\-algo @var{string}
+@opindex default\-new\-key\-algo @var{string}
This option can be used to change the default algorithms for key
generation. The @var{string} is similar to the arguments required for
-the command @option{--quick-add-key} but slightly different. For
+the command @option{\-\-quick\-add\-key} but slightly different. For
example the current default of @code{"rsa2048/cert,sign+rsa2048/encr"}
(or @code{"rsa3072"}) can be changed to the value of what we currently
call future default, which is @code{"ed25519/cert,sign+cv25519/encr"}.
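Review bot: `@opindex default\-new\-key\-algo @var{string}` indexes the option together with its argument, unlike the other option entries in this patch (for example `@opindex passphrase\-repeat` under `@item \-\-passphrase\-repeat @var{n}`). The argument belongs only on the `@item` line; suggest `@opindex default\-new\-key\-algo`.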
@@ -3634,99 +3634,99 @@ You need to consult the source code to learn the details. Note that
the advanced key generation commands can always be used to specify a
key algorithm directly.
-@item --no-auto-trust-new-key
-@opindex no-auto-trust-new-key
+@item \-\-no\-auto\-trust\-new\-key
+@opindex no\-auto\-trust\-new\-key
When creating a new key the ownertrust of the new key is set to
ultimate. This option disables this and the user needs to manually
assign an ownertrust value.
-@item --force-sign-key
-@opindex force-sign-key
+@item \-\-force\-sign\-key
+@opindex force\-sign\-key
This option modifies the behaviour of the commands
-@option{--quick-sign-key}, @option{--quick-lsign-key}, and the "sign"
-sub-commands of @option{--edit-key} by forcing the creation of a key
+@option{\-\-quick\-sign\-key}, @option{\-\-quick\-lsign\-key}, and the "sign"
+sub-commands of @option{\-\-edit\-key} by forcing the creation of a key
signature, even if one already exists.
-@item --forbid-gen-key
-@opindex forbid-gen-key
+@item \-\-forbid\-gen\-key
+@opindex forbid\-gen\-key
This option is intended for use in the global config file to disallow
the use of generate key commands. Those commands will then fail with
the error code for Not Enabled.
-@item --allow-secret-key-import
-@opindex allow-secret-key-import
+@item \-\-allow\-secret\-key\-import
+@opindex allow\-secret\-key\-import
This is an obsolete option and is not used anywhere.
-@item --allow-multiple-messages
-@item --no-allow-multiple-messages
+@item \-\-allow\-multiple\-messages
+@item \-\-no\-allow\-multiple\-messages
These are obsolete options; they have no more effect since GnuPG 2.2.8.
-@item --enable-special-filenames
-@opindex enable-special-filenames
+@item \-\-enable\-special\-filenames
+@opindex enable\-special\-filenames
This option enables a mode in which filenames of the form
-@file{-&n}, where n is a non-negative decimal number,
+@file{\-&n}, where n is a non-negative decimal number,
refer to the file descriptor n and not to a file with that name.
-@item --no-expensive-trust-checks
-@opindex no-expensive-trust-checks
+@item \-\-no\-expensive\-trust\-checks
+@opindex no\-expensive\-trust\-checks
Experimental use only.
-@item --preserve-permissions
-@opindex preserve-permissions
+@item \-\-preserve\-permissions
+@opindex preserve\-permissions
Don't change the permissions of a secret keyring back to user
read/write only. Use this option only if you really know what you are doing.
-@item --default-preference-list @var{string}
-@opindex default-preference-list
+@item \-\-default\-preference\-list @var{string}
+@opindex default\-preference\-list
Set the list of default preferences to @var{string}. This preference
list is used for new keys and becomes the default for "setpref" in the
-@option{--edit-key} menu.
+@option{\-\-edit\-key} menu.
-@item --default-keyserver-url @var{name}
-@opindex default-keyserver-url
+@item \-\-default\-keyserver\-url @var{name}
+@opindex default\-keyserver\-url
Set the default keyserver URL to @var{name}. This keyserver will be
used as the keyserver URL when writing a new self-signature on a key,
which includes key generation and changing preferences.
-@item --list-config
-@opindex list-config
+@item \-\-list\-config
+@opindex list\-config
Display various internal configuration parameters of GnuPG. This option
is intended for external programs that call GnuPG to perform tasks, and
is thus not generally useful. See the file @file{doc/DETAILS} in the
source distribution for the details of which configuration items may be
-listed. @option{--list-config} is only usable with
-@option{--with-colons} set.
+listed. @option{\-\-list\-config} is only usable with
+@option{\-\-with\-colons} set.
-@item --list-gcrypt-config
-@opindex list-gcrypt-config
+@item \-\-list\-gcrypt\-config
+@opindex list\-gcrypt\-config
Display various internal configuration parameters of Libgcrypt.
-@item --gpgconf-list
-@opindex gpgconf-list
-This command is similar to @option{--list-config} but in general only
+@item \-\-gpgconf\-list
+@opindex gpgconf\-list
+This command is similar to @option{\-\-list\-config} but in general only
internally used by the @command{gpgconf} tool.
-@item --gpgconf-test
-@opindex gpgconf-test
+@item \-\-gpgconf\-test
+@opindex gpgconf\-test
This is more or less dummy action. However it parses the configuration
file and returns with failure if the configuration file would prevent
@command{@gpgname} from startup. Thus it may be used to run a syntax check
on the configuration file.
-@c @item --use-only-openpgp-card
-@c @opindex use-only-openpgp-card
+@c @item \-\-use\-only\-openpgp\-card
+@c @opindex use\-only\-openpgp\-card
@c Only access OpenPGP card's and no other cards. This is a hidden
@c option which could be used in case an old use case required the
@c OpenPGP card while several cards are available. This option might be
@c removed if it turns out that nobody requires it.
-@item --chuid @var{uid}
+@item \-\-chuid @var{uid}
@opindex chuid
Change the current user to @var{uid} which may either be a number or a
name. This can be used from the root account to run gpg for
another user. If @var{uid} is not the current UID a standard PATH is
set and the envvar GNUPGHOME is unset. To override the latter the
-option @option{--homedir} can be used. This option has only an effect
+option @option{\-\-homedir} can be used. This option has only an effect
when used on the command line. This option has currently no effect at
all on Windows.
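Review bot: the second of the two obsolete options is introduced with `@item \-\-no\-allow\-multiple\-messages` where the other negated forms in this patch use `@itemx`, and neither line has an `@opindex` entry. Separately, the `@c @item \-\-use\-only\-openpgp\-card` and `@c @opindex use\-only\-openpgp\-card` lines are Texinfo comments that never reach the rendered output, so rewriting them only adds churn; leave them out of the patch.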
@@ -3740,42 +3740,42 @@ all on Windows.
@table @gnupgtabopt
-@item --show-photos
-@itemx --no-show-photos
-@opindex show-photos
-Causes @option{--list-keys}, @option{--list-signatures},
-@option{--list-public-keys}, @option{--list-secret-keys}, and verifying
+@item \-\-show\-photos
+@itemx \-\-no\-show\-photos
+@opindex show\-photos
+Causes @option{\-\-list\-keys}, @option{\-\-list\-signatures},
+@option{\-\-list\-public\-keys}, @option{\-\-list\-secret\-keys}, and verifying
a signature to also display the photo ID attached to the key, if
-any. See also @option{--photo-viewer}. These options are deprecated. Use
-@option{--list-options [no-]show-photos} and/or @option{--verify-options
-[no-]show-photos} instead.
+any. See also @option{\-\-photo\-viewer}. These options are deprecated. Use
+@option{\-\-list\-options [no\-]show\-photos} and/or @option{\-\-verify\-options
+[no\-]show\-photos} instead.
-@item --show-keyring
-@opindex show-keyring
+@item \-\-show\-keyring
+@opindex show\-keyring
Display the keyring name at the head of key listings to show which
keyring a given key resides on. This option is deprecated: use
-@option{--list-options [no-]show-keyring} instead.
+@option{\-\-list\-options [no\-]show\-keyring} instead.
-@item --always-trust
-@opindex always-trust
-Identical to @option{--trust-model always}. This option is deprecated.
+@item \-\-always\-trust
+@opindex always\-trust
+Identical to @option{\-\-trust\-model always}. This option is deprecated.
-@item --show-notation
-@itemx --no-show-notation
-@opindex show-notation
-Show signature notations in the @option{--list-signatures} or @option{--check-signatures} listings
+@item \-\-show\-notation
+@itemx \-\-no\-show\-notation
+@opindex show\-notation
+Show signature notations in the @option{\-\-list\-signatures} or @option{\-\-check\-signatures} listings
as well as when verifying a signature with a notation in it. These
-options are deprecated. Use @option{--list-options [no-]show-notation}
-and/or @option{--verify-options [no-]show-notation} instead.
+options are deprecated. Use @option{\-\-list\-options [no\-]show\-notation}
+and/or @option{\-\-verify\-options [no\-]show\-notation} instead.
-@item --show-policy-url
-@itemx --no-show-policy-url
-@opindex show-policy-url
-Show policy URLs in the @option{--list-signatures} or @option{--check-signatures}
+@item \-\-show\-policy\-url
+@itemx \-\-no\-show\-policy\-url
+@opindex show\-policy\-url
+Show policy URLs in the @option{\-\-list\-signatures} or @option{\-\-check\-signatures}
listings as well as when verifying a signature with a policy URL in
-it. These options are deprecated. Use @option{--list-options
-[no-]show-policy-url} and/or @option{--verify-options
-[no-]show-policy-url} instead.
+it. These options are deprecated. Use @option{\-\-list\-options
+[no\-]show\-policy\-url} and/or @option{\-\-verify\-options
+[no\-]show\-policy\-url} instead.
@end table
@@ -3792,7 +3792,7 @@ it. These options are deprecated. Use @option{--list-options
There are a few configuration files to control certain aspects of
@command{@gpgname}'s operation. Unless noted, they are expected in the
-current home directory (@pxref{option --homedir}).
+current home directory (@pxref{option \-\-homedir}).
@table @file
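Review bot: `@pxref{option \-\-homedir}` changes a cross-reference target, not displayed option text. The name inside `@pxref` has to match the corresponding `@anchor` or node name character for character, so this only resolves if that definition is renamed identically in the same patch. Please confirm the manual still builds without undefined-reference errors, or leave reference targets unescaped.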
@@ -3801,14 +3801,14 @@ current home directory (@pxref{option --homedir}).
This is the standard configuration file read by @command{@gpgname} on
startup. It may contain any valid long option; the leading two dashes
may not be entered and the option may not be abbreviated. This default
- name may be changed on the command line (@pxref{gpg-option --options}).
+ name may be changed on the command line (@pxref{gpg\-option \-\-options}).
You should backup this file.
@item common.conf
@efindex common.conf
This is an optional configuration file read by @command{@gpgname} on
startup. It may contain options pertaining to all components of
- GnuPG. Its current main use is for the "use-keyboxd" option.
+ GnuPG. Its current main use is for the "use\-keyboxd" option.
@end table
@@ -3820,7 +3820,7 @@ helper script is provided to create these files (@pxref{addgnupghome}).
For internal purposes @command{@gpgname} creates and maintains a few other
files; They all live in the current home directory (@pxref{option
---homedir}). Only the @command{@gpgname} program may modify these files.
+-\-homedir}). Only the @command{@gpgname} program may modify these files.
@table @file
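Review bot: the wrapped reference here becomes `@pxref{option` followed by `-\-homedir}`, with only the second dash escaped, while the earlier hunks write the same target as `option \-\-homedir`. The two spellings name different targets, so at least one of them cannot resolve. It looks like the substitution skipped the dash at the start of the line; make this `\-\-homedir` to match, or keep the original target name throughout.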
@@ -3828,7 +3828,7 @@ files; They all live in the current home directory (@pxref{option
@efindex ~/.gnupg
This is the default home directory which is used if neither the
environment variable @code{GNUPGHOME} nor the option
- @option{--homedir} is given.
+ @option{\-\-homedir} is given.
@item ~/.gnupg/pubring.gpg
@efindex pubring.gpg
@@ -3863,10 +3863,10 @@ files; They all live in the current home directory (@pxref{option
@example
$ cd ~/.gnupg
- $ gpg --export-ownertrust >otrust.lst
+ $ gpg \-\-export\-ownertrust >otrust.lst
$ mv pubring.gpg publickeys.backup
- $ gpg --import-options restore --import publickeys.backups
- $ gpg --import-ownertrust otrust.lst
+ $ gpg \-\-import\-options restore \-\-import publickeys.backups
+ $ gpg \-\-import\-ownertrust otrust.lst
@end example
@item ~/.gnupg/pubring.kbx.lock
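Review bot: the example moves the keyring to `publickeys.backup`, but the rewritten import line reads `publickeys.backups`, so the import step refers to a file the previous step did not create. The mismatch predates this patch, but the line is being touched anyway; use the same file name in both places.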
@@ -3881,14 +3881,14 @@ files; They all live in the current home directory (@pxref{option
@item ~/.gnupg/secring.gpg.lock
The lock file for the legacy secret keyring.
- @item ~/.gnupg/.gpg-v21-migrated
- @efindex .gpg-v21-migrated
+ @item ~/.gnupg/.gpg\-v21\-migrated
+ @efindex .gpg\-v21\-migrated
File indicating that a migration to GnuPG 2.1 has been done.
@item ~/.gnupg/trustdb.gpg
@efindex trustdb.gpg
The trust database. There is no need to backup this file; it is better
- to backup the ownertrust values (@pxref{option --export-ownertrust}).
+ to backup the ownertrust values (@pxref{option \-\-export\-ownertrust}).
@item ~/.gnupg/trustdb.gpg.lock
The lock file for the trust database.
@@ -3897,8 +3897,8 @@ files; They all live in the current home directory (@pxref{option
@efindex random_seed
A file used to preserve the state of the internal random pool.
- @item ~/.gnupg/openpgp-revocs.d/
- @efindex openpgp-revocs.d
+ @item ~/.gnupg/openpgp\-revocs.d/
+ @efindex openpgp\-revocs.d
This is the directory where gpg stores pre-generated revocation
certificates. The file name corresponds to the OpenPGP fingerprint of
the respective key. It is suggested to backup those certificates and
@@ -3927,7 +3927,7 @@ Operation is further controlled by a few environment variables:
@item PINENTRY_USER_DATA
@efindex PINENTRY_USER_DATA
- This value is passed via gpg-agent to pinentry. It is useful to convey
+ This value is passed via gpg\-agent to pinentry. It is useful to convey
extra information to a custom pinentry.
@item COLUMNS
@@ -3955,12 +3955,12 @@ Operation is further controlled by a few environment variables:
@end table
-When calling the gpg-agent component @command{@gpgname} sends a set of
-environment variables to gpg-agent. The names of these variables can
+When calling the gpg\-agent component @command{@gpgname} sends a set of
+environment variables to gpg\-agent. The names of these variables can
be listed using the command:
@example
- gpg-connect-agent 'getinfo std_env_names' /bye | awk '$1=="D" @{print $2@}'
+ gpg\-connect\-agent 'getinfo std_env_names' /bye | awk '$1=="D" @{print $2@}'
@end example
@@ -3976,35 +3976,35 @@ be listed using the command:
@table @asis
-@item gpg -se -r @code{Bob} @code{file}
+@item gpg \-se \-r @code{Bob} @code{file}
sign and encrypt for user Bob
-@item gpg --clear-sign @code{file}
+@item gpg \-\-clear\-sign @code{file}
make a cleartext signature
-@item gpg -sb @code{file}
+@item gpg \-sb @code{file}
make a detached signature
-@item gpg -u 0x12345678 -sb @code{file}
+@item gpg \-u 0x12345678 \-sb @code{file}
make a detached signature with the key 0x12345678
-@item gpg --list-keys @code{user_ID}
+@item gpg \-\-list\-keys @code{user_ID}
show keys
-@item gpg --fingerprint @code{user_ID}
+@item gpg \-\-fingerprint @code{user_ID}
show fingerprint
-@item gpg --verify @code{pgpfile}
-@itemx gpg --verify @code{sigfile} [@code{datafile}]
+@item gpg \-\-verify @code{pgpfile}
+@itemx gpg \-\-verify @code{sigfile} [@code{datafile}]
Verify the signature of the file but do not output the data unless
requested. The second form is used for detached signatures, where
@code{sigfile} is the detached signature (either ASCII armored or
binary) and @code{datafile} are the signed data; if this is not given, the name of the
file holding the signed data is constructed by cutting off the
extension (".asc" or ".sig") of @code{sigfile} or by asking the user
-for the filename. If the option @option{--output} is also used the
+for the filename. If the option @option{\-\-output} is also used the
signed data is written to the file specified by that option; use
-@code{-} to write the signed data to stdout.
+@code{\-} to write the signed data to stdout.
@end table
@@ -4015,13 +4015,13 @@ signed data is written to the file specified by that option; use
@c *******************************************
@mansect how to specify a user id
@ifset isman
-@include specify-user-id.texi
+@include specify\-user\-id.texi
@end ifset
@mansect filter expressions
@chapheading FILTER EXPRESSIONS
-The options @option{--import-filter} and @option{--export-filter} use
+The options @option{\-\-import\-filter} and @option{\-\-export\-filter} use
expressions with this syntax (square brackets indicate an optional
part and curly braces a repetition, white space between the elements
are allowed):
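Review bot: `@include specify\-user\-id.texi` changes a file name, not rendered text. `@include` takes the name of a file on disk, and the diffstat shows only doc/gpg.texi changed, so the build under `@ifset isman` will look for a file whose name contains backslashes. Revert this line to `@include specify-user-id.texi`.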
@@ -4039,7 +4039,7 @@ used it evaluates to the empty string. Unless otherwise noted, the
@var{VALUE} must always be given and may not be the empty string. No
quoting is defined for the value, thus the value may not contain the
strings @code{&&} or @code{||}, which are used as logical connection
-operators. The flag @code{--} can be used to remove this restriction.
+operators. The flag @code{\-\-} can be used to remove this restriction.
Numerical values are computed as long int; standard C notation
applies. @var{lc} is the logical connection operator; either
@@ -4084,28 +4084,28 @@ The supported operators (@var{op}) are:
@item >=
The numerical value of the field must be GE than the value.
- @item -le
+ @item \-le
The string value of the field must be less or equal than the value.
- @item -lt
+ @item \-lt
The string value of the field must be less than the value.
- @item -gt
+ @item \-gt
The string value of the field must be greater than the value.
- @item -ge
+ @item \-ge
The string value of the field must be greater or equal than the value.
- @item -n
+ @item \-n
True if value is not empty (no value allowed).
- @item -z
+ @item \-z
True if value is empty (no value allowed).
- @item -t
+ @item \-t
Alias for "PROPNAME != 0" (no value allowed).
- @item -f
+ @item \-f
Alias for "PROPNAME == 0" (no value allowed).
@end table
@@ -4115,11 +4115,11 @@ Values for @var{flag} must be space separated. The supported flags
are:
@table @asis
- @item --
+ @item \-\-
@var{VALUE} spans to the end of the expression.
- @item -c
+ @item \-c
The string match in this part is done case-sensitive.
- @item -t
+ @item \-t
Leading and trailing spaces are not removed from @var{VALUE}.
The optional single space after @var{op} is here required.
@end table
@@ -4129,10 +4129,10 @@ the same type. For example the four options in this example:
@c man:.RS
@example
- --import-filter keep-uid="uid =~ Alfa"
- --import-filter keep-uid="&& uid !~ Test"
- --import-filter keep-uid="|| uid =~ Alpha"
- --import-filter keep-uid="uid !~ Test"
+ \-\-import\-filter keep\-uid="uid =~ Alfa"
+ \-\-import\-filter keep\-uid="&& uid !~ Test"
+ \-\-import\-filter keep\-uid="|| uid =~ Alpha"
+ \-\-import\-filter keep\-uid="uid !~ Test"
@end example
@c man:.RE
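Review bot: The four `\-\-import\-filter keep\-uid=...` lines sit inside `@example`, which Texinfo reproduces as written, so every output format other than the man page shows the backslashes. Text copied from there does not start with a dash and will not be parsed by gpg as an option, which is the opposite of the copy-paste goal given in the commit message. Example blocks are the place where the source most needs to stay literal.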
@@ -4141,8 +4141,8 @@ which is equivalent to
@c man:.RS
@example
- --import-filter \
- keep-uid="uid =~ Alfa" && uid !~ Test" || uid =~ Alpha" && "uid !~ Test"
+ \-\-import\-filter \
+ keep\-uid="uid =~ Alfa" && uid !~ Test" || uid =~ Alpha" && "uid !~ Test"
@end example
@c man:.RE
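Review bot: The rewritten `keep\-uid="uid =~ Alfa" && uid !~ Test" || uid =~ Alpha" && "uid !~ Test"` line keeps the unbalanced double quotes of the line it replaces, so it is not a usable shell argument even once the dashes are right. Since this line is being touched for the sake of copy-pasteable examples, it would be worth putting the whole filter expression inside a single pair of quotes in the same change, or in a separate follow-up patch if this commit is meant to be purely mechanical.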
@@ -4151,7 +4151,7 @@ or "Alpha" but not the string "test".
@mansect trust values
@ifset isman
-@include trust-values.texi
+@include trust\-values.texi
@end ifset
@mansect return value
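Review bot: `@include trust\-values.texi` is a second include whose file name was rewritten by the substitution. The removed line names the file as trust-values.texi and this commit renames no files, so the include inside `@ifset isman` will fail exactly in the man-page build this patch is meant to improve. Please leave include arguments unescaped.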
@@ -4180,15 +4180,15 @@ the secret key is often a advisable.
If you are going to verify detached signatures, make sure that the
program knows about it; either give both filenames on the command line
-or use @samp{-} to specify STDIN.
+or use @samp{\-} to specify STDIN.
For scripted or other unattended use of @command{gpg} make sure to use
the machine-parseable interface and not the default interface which is
intended for direct use by humans. The machine-parseable interface
provides a stable and well documented API independent of the locale or
future changes of @command{gpg}. To enable this interface use the
-options @option{--with-colons} and @option{--status-fd}. For certain
-operations the option @option{--command-fd} may come handy too. See
+options @option{\-\-with\-colons} and @option{\-\-status\-fd}. For certain
+operations the option @option{\-\-command\-fd} may come handy too. See
this man page and the file @file{DETAILS} for the specification of the
interface. Note that the GnuPG ``info'' pages as well as the PDF
version of the GnuPG manual features a chapter on unattended use of
@@ -4200,12 +4200,12 @@ high-level abstraction on top of that interface.
GnuPG tries to be a very flexible implementation of the OpenPGP
standard. In particular, GnuPG implements many of the optional parts
-of the standard, such as the SHA-512 hash, and the ZLIB and BZIP2
+of the standard, such as the SHA\-512 hash, and the ZLIB and BZIP2
compression algorithms. It is important to be aware that not all
OpenPGP programs implement these optional algorithms and that by
-forcing their use via the @option{--cipher-algo},
-@option{--digest-algo}, @option{--cert-digest-algo}, or
-@option{--compress-algo} options in GnuPG, it is possible to create a
+forcing their use via the @option{\-\-cipher\-algo},
+@option{\-\-digest\-algo}, @option{\-\-cert\-digest\-algo}, or
+@option{\-\-compress\-algo} options in GnuPG, it is possible to create a
perfectly valid OpenPGP message, but one that cannot be read by the
intended recipient.
@@ -4221,7 +4221,7 @@ really know what you are doing.
If you absolutely must override the safe default, or if the preferences
on a given key are invalid for some reason, you are far better off using
-the @option{--pgp6}, @option{--pgp7}, or @option{--pgp8} options. These
+the @option{\-\-pgp6}, @option{\-\-pgp7}, or @option{\-\-pgp8} options. These
options are safe as they do not force any particular algorithms in
violation of OpenPGP, but rather reduce the available algorithms to a
"PGP-safe" list.
@@ -4259,7 +4259,7 @@ already been reported to our bug tracker at @url{https://bugs.gnupg.org}.
@command{@gpgname} is often used as a backend engine by other software. To help
with this a machine interface has been defined to have an unambiguous
-way to do this. The options @option{--status-fd} and @option{--batch}
+way to do this. The options @option{\-\-status\-fd} and @option{\-\-batch}
are almost always required for this.
@menu
@@ -4298,7 +4298,7 @@ This technique works across all versions of GnuPG.
Create a temporary directory, create (or copy) a configuration that
meets your needs, make @command{@gpgname} use this directory either
using the environment variable @var{GNUPGHOME}, or the option
-@option{--homedir}. GPGME supports this too on a per-context basis,
+@option{\-\-homedir}. GPGME supports this too on a per-context basis,
by modifying the engine info of contexts. Now execute whatever
operation you like, import and export key material as necessary. Once
finished, you can delete the directory. All GnuPG backend services
@@ -4308,7 +4308,7 @@ that were started will detect this and shut down.
@subsection The quick key manipulation interface
Recent versions of GnuPG have an interface to manipulate keys without
-using the interactive command @option{--edit-key}. This interface was
+using the interactive command @option{\-\-edit\-key}. This interface was
added mainly for the benefit of GPGME (please consider using GPGME,
see the manual subsection ``Programmatic use of GnuPG''). This
interface is described in the subsection ``How to manage your keys''.
@@ -4316,8 +4316,8 @@ interface is described in the subsection ``How to manage your keys''.
@node Unattended GPG key generation
@subsection Unattended key generation
-The command @option{--generate-key} may be used along with the option
-@option{--batch} for unattended key generation. This is the most
+The command @option{\-\-generate\-key} may be used along with the option
+@option{\-\-batch} for unattended key generation. This is the most
flexible way of generating keys, but it is also the most complex one.
Consider using the quick key manipulation interface described in the
previous subsection ``The quick key manipulation interface''.
@@ -4328,7 +4328,7 @@ follows:
@itemize @bullet
@item Text only, line length is limited to about 1000 characters.
- @item UTF-8 encoding must be used to specify non-ASCII characters.
+ @item UTF\-8 encoding must be used to specify non-ASCII characters.
@item Empty lines are ignored.
@item Leading and trailing white space is ignored.
@item A hash sign as the first non white space character indicates
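Review bot: On the changed `@item` line, `UTF\-8` is escaped while `non-ASCII` in the same sentence is left alone, and neither is one of the cases the commit message quotes from man-pages(7) (numbers, cross references, options with a leading dash). The hyphen in an encoding name used in running prose is a hyphen, not a minus sign. Please either state the rule being applied in the commit message or drop the escapes from prose words so the selection is consistent.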
@@ -4338,16 +4338,16 @@ follows:
@item Parameters are specified by a keyword, followed by a colon. Arguments
are separated by white space.
@item
- The first parameter must be @samp{Key-Type}; control statements may be
+ The first parameter must be @samp{Key\-Type}; control statements may be
placed anywhere.
@item
- The order of the parameters does not matter except for @samp{Key-Type}
+ The order of the parameters does not matter except for @samp{Key\-Type}
which must be the first parameter. The parameters are only used for
the generated keyblock (primary and subkeys); parameters from previous
sets are not used. Some syntactically checks may be performed.
@item
Key generation takes place when either the end of the parameter file
- is reached, the next @samp{Key-Type} parameter is encountered or at the
+ is reached, the next @samp{Key\-Type} parameter is encountered or at the
control statement @samp{%commit} is encountered.
@end itemize
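Review bot: `@samp{Key\-Type}` appears three times in this list as the keyword that must open every parameter block, and it is a token the parameter-file reader matches literally. Rendered from Texinfo, the documented keyword becomes `Key\-Type`, which is not what the removed lines specified. Keywords of the batch file format should stay byte-for-byte identical to what the parser accepts; handle the minus-sign rendering in the man conversion instead.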
@@ -4359,12 +4359,12 @@ Control statements:
@item %echo @var{text}
Print @var{text} as diagnostic.
-@item %dry-run
+@item %dry\-run
Suppress actual key generation (useful for syntax checking).
@item %commit
Perform the key generation. Note that an implicit commit is done at
-the next @asis{Key-Type} parameter.
+the next @asis{Key\-Type} parameter.
@item %pubring @var{filename}
Do not write the key to the default or commandline given keyring but
@@ -4383,20 +4383,20 @@ This option is a no-op for GnuPG 2.1 and later.
See the previous subsection ``Ephemeral home directories''.
-@item %ask-passphrase
-@itemx %no-ask-passphrase
+@item %ask\-passphrase
+@itemx %no\-ask\-passphrase
This option is a no-op for GnuPG 2.1 and later.
-@item %no-protection
+@item %no\-protection
Using this option allows the creation of keys without any passphrase
protection. This option is mainly intended for regression tests.
-@item %transient-key
+@item %transient\-key
If given the keys are created using a faster and a somewhat less
secure random number generator. This option may be used for keys
which are only used for a short time and do not require full
cryptographic strength. It takes only effect if used together with
-the control statement @samp{%no-protection}.
+the control statement @samp{%no\-protection}.
@end table
@@ -4405,64 +4405,64 @@ General Parameters:
@table @asis
-@item Key-Type: @var{algo}
+@item Key\-Type: @var{algo}
Starts a new parameter block by giving the type of the primary
key. The algorithm must be capable of signing. This is a required
parameter. @var{algo} may either be an OpenPGP algorithm number or a
string with the algorithm name. The special value @samp{default} may
be used for @var{algo} to create the default key type; in this case a
-@samp{Key-Usage} shall not be given and @samp{default} also be used
-for @samp{Subkey-Type}.
+@samp{Key\-Usage} shall not be given and @samp{default} also be used
+for @samp{Subkey\-Type}.
-@item Key-Length: @var{nbits}
+@item Key\-Length: @var{nbits}
The requested length of the generated key in bits. The default is
-returned by running the command @samp{@gpgname --gpgconf-list}.
+returned by running the command @samp{@gpgname \-\-gpgconf\-list}.
For ECC keys this parameter is ignored.
-@item Key-Curve: @var{curve}
+@item Key\-Curve: @var{curve}
The requested elliptic curve of the generated key. This is a required
parameter for ECC keys. It is ignored for non-ECC keys.
-@item Key-Grip: @var{hexstring}
+@item Key\-Grip: @var{hexstring}
This is optional and used to generate a CSR or certificate for an
-already existing key. Key-Length will be ignored when given.
+already existing key. Key\-Length will be ignored when given.
-@item Key-Usage: @var{usage-list}
+@item Key\-Usage: @var{usage\-list}
Space or comma delimited list of key usages. Allowed values are
@samp{encrypt}, @samp{sign}, and @samp{auth}. This is used to
generate the key flags. Please make sure that the algorithm is
capable of this usage. Note that OpenPGP requires that all primary
keys are capable of certification, so no matter what usage is given
-here, the @samp{cert} flag will be on. If no @samp{Key-Usage} is
-specified and the @samp{Key-Type} is not @samp{default}, all allowed
+here, the @samp{cert} flag will be on. If no @samp{Key\-Usage} is
+specified and the @samp{Key\-Type} is not @samp{default}, all allowed
usages for that particular algorithm are used; if it is not given but
@samp{default} is used the usage will be @samp{sign}.
-@item Subkey-Type: @var{algo}
+@item Subkey\-Type: @var{algo}
This generates a secondary key (subkey). Currently only one subkey
-can be handled. See also @samp{Key-Type} above.
+can be handled. See also @samp{Key\-Type} above.
-@item Subkey-Length: @var{nbits}
+@item Subkey\-Length: @var{nbits}
Length of the secondary key (subkey) in bits. The default is returned
-by running the command @samp{@gpgname --gpgconf-list}.
+by running the command @samp{@gpgname \-\-gpgconf\-list}.
-@item Subkey-Curve: @var{curve}
-Key curve for a subkey; similar to @samp{Key-Curve}.
+@item Subkey\-Curve: @var{curve}
+Key curve for a subkey; similar to @samp{Key\-Curve}.
-@item Subkey-Usage: @var{usage-list}
-Key usage lists for a subkey; similar to @samp{Key-Usage}.
+@item Subkey\-Usage: @var{usage\-list}
+Key usage lists for a subkey; similar to @samp{Key\-Usage}.
@item Passphrase: @var{string}
If you want to specify a passphrase for the secret key, enter it here.
Default is to use the Pinentry dialog to ask for a passphrase.
-@item Name-Real: @var{name}
-@itemx Name-Comment: @var{comment}
-@itemx Name-Email: @var{email}
-The three parts of a user name. Remember to use UTF-8 encoding here.
+@item Name\-Real: @var{name}
+@itemx Name\-Comment: @var{comment}
+@itemx Name\-Email: @var{email}
+The three parts of a user name. Remember to use UTF\-8 encoding here.
If you don't give any of them, no user ID is created.
-@item Expire-Date: @var{iso-date}|(@var{number}[d|w|m|y])
+@item Expire\-Date: @var{iso\-date}|(@var{number}[d|w|m|y])
Set the expiration date for the key (and the subkey). It may either
be entered in ISO date format (e.g. "20000815T145012") or as number of
days, weeks, month or years after the creation date. The special
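Review bot: `@var{usage\-list}` and `@var{iso\-date}` are metasyntactic placeholder names, so the dash in them is a word hyphen and gains nothing from being escaped; the same goes for the bare `Key\-Length` in the `Key\-Grip` description, which has no markup around it at all. These look like by-products of substituting every hyphen-minus on the line. I would limit the change in this hunk to the parameter names and the `\-\-gpgconf\-list` option, and leave placeholders and prose untouched.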
@@ -4474,10 +4474,10 @@ sense. Although OpenPGP works with time intervals, GnuPG uses an
absolute value internally and thus the last year we can represent is
2105.
-@item Creation-Date: @var{iso-date}
+@item Creation\-Date: @var{iso\-date}
Set the creation date of the key as stored in the key information and
which is also part of the fingerprint calculation. Either a date like
-"1986-04-26" or a full timestamp like "19860426T042640" may be used.
+"1986\-04\-26" or a full timestamp like "19860426T042640" may be used.
The time is considered to be UTC. The special notation "seconds=N"
may be used to directly specify a the number of seconds since Epoch
(Unix time). If it is not given the current time is used.
@@ -4485,7 +4485,7 @@ may be used to directly specify a the number of seconds since Epoch
@item Preferences: @var{string}
Set the cipher, hash, and compression preference values for this key.
This expects the same type of string as the sub-command @samp{setpref}
-in the @option{--edit-key} menu.
+in the @option{\-\-edit\-key} menu.
@item Revoker: @var{algo}:@var{fpr} [sensitive]
Add a designated revoker to the generated key. Algo is the public key
@@ -4509,31 +4509,31 @@ generation to associate a key parameter block with a status line.
@noindent
Here is an example on how to create a key in an ephemeral home directory:
@smallexample
-$ export GNUPGHOME="$(mktemp -d)"
+$ export GNUPGHOME="$(mktemp \-d)"
$ cat >foo <<EOF
%echo Generating a basic OpenPGP key
- Key-Type: DSA
- Key-Length: 1024
- Subkey-Type: ELG-E
- Subkey-Length: 1024
- Name-Real: Joe Tester
- Name-Comment: with stupid passphrase
- Name-Email: joe@@foo.bar
- Expire-Date: 0
+ Key\-Type: DSA
+ Key\-Length: 1024
+ Subkey\-Type: ELG\-E
+ Subkey\-Length: 1024
+ Name\-Real: Joe Tester
+ Name\-Comment: with stupid passphrase
+ Name\-Email: joe@@foo.bar
+ Expire\-Date: 0
Passphrase: abc
- # Do a commit here, so that we can later print "done" :-)
+ # Do a commit here, so that we can later print "done" :\-)
%commit
%echo done
EOF
-$ @gpgname --batch --generate-key foo
+$ @gpgname \-\-batch \-\-generate\-key foo
[...]
-$ @gpgname --list-secret-keys
+$ @gpgname \-\-list\-secret\-keys
/tmp/tmp.0NQxB74PEf/pubring.kbx
--------------------------------
-sec dsa1024 2016-12-16 [SCA]
+-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-
+sec dsa1024 2016\-12\-16 [SCA]
768E895903FC1C44045C8CB95EEBDB71E9E849D0
uid [ultimate] Joe Tester (with stupid passphrase) <joe@@foo.bar>
-ssb elg1024 2016-12-16 [E]
+ssb elg1024 2016\-12\-16 [E]
@end smallexample
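Review bot: The replacement for the separator line under the keyring path starts with an unescaped `-` followed by escaped ones (`+-\-\-\-...`), so the first dash of that line was missed and the line is now internally inconsistent. That line and the `sec`/`ssb` dates are quoted program output, and the here-document body (`Key\-Type: DSA`, `Subkey\-Type: ELG\-E`) is file content that gpg parses, so none of them are minus signs in the sense of the guideline. Please check how the substitution treated a dash at the start of a line, and consider leaving sample output and file contents as they were.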
@noindent
@@ -4541,14 +4541,14 @@ If you want to create a key with the default algorithms you would use
these parameters:
@smallexample
%echo Generating a default key
- Key-Type: default
- Subkey-Type: default
- Name-Real: Joe Tester
- Name-Comment: with stupid passphrase
- Name-Email: joe@@foo.bar
- Expire-Date: 0
+ Key\-Type: default
+ Subkey\-Type: default
+ Name\-Real: Joe Tester
+ Name\-Comment: with stupid passphrase
+ Name\-Email: joe@@foo.bar
+ Expire\-Date: 0
Passphrase: abc
- # Do a commit here, so that we can later print "done" :-)
+ # Do a commit here, so that we can later print "done" :\-)
%commit
%echo done
@end smallexample
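Review bot: The comment line now reads `# Do a commit here, so that we can later print "done" :\-)`, which escapes the nose of a smiley. Together with the 1307 insertions against 1307 deletions in the diffstat, this suggests a blanket replacement of every hyphen-minus rather than a pass over the cases man-pages(7) lists. A narrower pattern (option names and negative numbers only) followed by a manual review of the remaining hits would avoid changes like this one.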
@@ -4560,6 +4560,6 @@ these parameters:
@ifset isman
@command{gpgv}(1),
@command{gpgsm}(1),
-@command{gpg-agent}(1)
+@command{gpg\-agent}(1)
@end ifset
-@include see-also-note.texi
+@include see\-also\-note.texi
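Review bot: `@include see\-also\-note.texi` is the third include in this patch whose file name was altered; the removed line names see-also-note.texi and no file is renamed in this commit. The `@command{gpg\-agent}(1)` cross reference just above it does match the man-pages(7) case for cross references, so that line is the kind of change the commit message describes, but the include argument needs to be reverted.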