Skip to content

Instantly share code, notes, and snippets.

@MatthewVance
Last active July 23, 2019 22:43
Show Gist options
  • Save MatthewVance/92401e0e9ac0f1f0d8d0eba60fd60f7c to your computer and use it in GitHub Desktop.
Save MatthewVance/92401e0e9ac0f1f0d8d0eba60fd60f7c to your computer and use it in GitHub Desktop.
GPG related configuration options. More secure but less interoperable than typical defaults.
log-file ~/.gnupg/dirmngr.log
debug-level basic
verbose
# disable-ipv6
keyserver hkps://hkps.pool.sks-keyservers.net
hkp-cacert /etc/ssl/certs/sks-keyservers.netCA.pem
# Options for GnuPG
# Copyright 1998, 1999, 2000, 2001, 2002, 2003,
# 2010 Free Software Foundation, Inc.
#
# This file is free software; as a special exception the author gives
# unlimited permission to copy and/or distribute it, with or without
# modifications, as long as this notice is preserved.
#
# This file is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY, to the extent permitted by law; without even the
# implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
#
##Use a hkps pool as my keyserver
keyserver hkps://hkps.pool.sks-keyservers.net
#Ignore any keyservers pointed to by a key so hkps (the pool set above) will always be used
keyserver-options no-honor-keyserver-url
#don't forget implied cipher, digest, and compression preferences that will be auto added if not explicitly set https://www.gnupg.org/documentation/manuals/gnupg/OpenPGP-Key-Management.html
personal-cipher-preferences AES256,AES192,AES
personal-digest-preferences SHA512,SHA384,SHA256
#use SHA512 when signing keys
cert-digest-algo SHA512
#tell the world my keys require something from this list be used
default-preference-list SHA512 SHA384 SHA256 AES256 AES192 AES ZLIB ZIP Uncompressed
# Tell GPG to try using GnuPG-Agent before asking for a passphrase.
use-agent
# Do not automatically locate and retrieve keys as needed
no-auto-key-locate
#Hide the version string in ASCII armored output
no-emit-version
#Do not merge primary user ID and primary key in --with-colon listing mode and print all timestamps as seconds since 1970-01-01
fixed-list-mode
#Show the 16-character key ID with 0x before it
keyid-format 0xlong
#Display the calculated validity of the user IDs on the key that issued the signature and during key listings
verify-options show-uid-validity
list-options show-uid-validity
# Use name as the cipher algorithm used to protect secret keys.
s2k-cipher-algo AES256
# Use name as the digest algorithm used to mangle the passphrases.
s2k-digest-algo SHA512
# Selects how passphrases are mangled. If n is 0 a plain passphrase (which is
# not recommended) will be used, a 1 adds a salt to the passphrase and a 3
# (the default) iterates the whole process a number of times
# (see --s2k-count). Unless --rfc1991 is used, this mode is also used for
# conventional encryption.
s2k-mode 3
# Specify how many times the passphrase mangling is repeated.
s2k-count 131072
# Remove all comments. It is a good idea Note that comment lines,
# like all other header lines, are not protected by the signature.
no-comments
# Same as the command --fingerprint but changes only the format of the output
# and may be used together with another command.
with-fingerprint
# When verifying a signature made from a subkey, ensure that the cross
# certification "back signature" on the subkey is present and valid.
# This protects against a subtle attack against subkeys that can sign.
# Defaults to --require-cross-certification for gpg2.
require-cross-certification
# --no-throw-keyids Do not put the recipient key IDs into encrypted messages.
# This helps to hide the receivers of the message and is a limited
# countermeasure against traffic analysis. ([Using a little social engineering
# anyone who is able to decrypt the message can check whether one of the other
# recipients is the one he suspects.]) On the receiving side, it may slow down
# the decryption process because all available secret keys must be tried.
# --no-throw-keyids disables this option. This option is essentially the same
# as using --hidden-recipient for all recipients.
throw-keyids
# Suppress the initial copyright message but do not enter batch mode.
no-greeting
# Set the name of the native character set.
charset utf8
# Assume that the arguments are already given as UTF8 strings. The default
# (--no-utf8-strings) is to assume that arguments are encoded in the
# character set as specified by --charset. These options effects all
# following arguments. Both options may used multiple times.
utf8-strings
#Set default-key
##default-key 0x123...REPLACE with your key
gpg --import fake
curl --tlsv1.2 -L https://sks-keyservers.net/sks-keyservers.netCA.pem -O
curl --tlsv1.2 -L https://sks-keyservers.net/sks-keyservers.netCA.pem.asc -O
# Move hkps pool cert to cert store
sudo cp -v sks-keyservers.netCA.pem /etc/ssl/certs/
# Import key for HKPS signature
gpg --recv-key 0x0B7F8B60E3EDFAE3
# Verify HKPS cert
gpg --verify ~/Downloads/opgp/sks-keyservers.netCA.pem.asc /etc/ssl/certs/sks-keyservers.netCA.pem
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment