Mikaela
/
shell-things
mirror of https://gitea.blesmrt.net/mikaela/shell-things.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
shell-things/gpg/gpg.conf

116 lines
4.9 KiB
Plaintext
Raw Normal View History

add gpg.conf. It's enough related to shell-things.
2012-03-22 13:45:01 +01:00
# Options for GnuPG
# Copyright 1998, 1999, 2000, 2001, 2002, 2003,
# 2010 Free Software Foundation, Inc.
gpg.conf: fix local-user/encrypt-to Resolves: #61
2020-02-26 13:53:52 +01:00
# 2012 - 2020 Mikaela Suomalainen
add gpg.conf. It's enough related to shell-things.
2012-03-22 13:45:01 +01:00
# This file is free software; as a special exception the author gives
# unlimited permission to copy and/or distribute it, with or without
# modifications, as long as this notice is preserved.
#
# This file is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY, to the extent permitted by law; without even the
# implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
#
# Unless you specify which option file to use (with the command line
# option "--options filename"), GnuPG uses the file ~/.gnupg/gpg.conf
# by default.
#
# An options file can contain any long options which are available in
# GnuPG. If the first non white space character of a line is a '#',
# this line is ignored. Empty lines are also ignored.
#
# See the man page for a list of options.
gpg.conf: restore encrypt-to lines
2019-12-11 11:46:06 +01:00
# Use my key by default, trusted-key puts it to ultimate trust even if the
# private key is not present and default-recepient-self is not enough for
# gpg --encrypt -r
gpg.conf: replace local-user with default-key
2020-03-13 18:25:17 +01:00
# default-key/encrypt-to take name according to `man gpg`
# NOTE! default-key is used instead of local-user as the latter cannot be
# overridden with flags (causing WTOP test to be signed with personal and
# WTOP keys)
#default-key mikaela@mikaela.info # MIKAELA_GREP # MIKAELA_GREP_GPG
gpg.conf: add the sender option
2020-02-26 14:02:27 +01:00
# if auto-key-lookup is used, this tells the recepient which WKD to check?
#sender mikaela@mikaela.info # MIKAELA_GREP # MIKAELA_GREP_GPG
gpg.conf: fix local-user/encrypt-to Resolves: #61
2020-02-26 13:53:52 +01:00
# Has to be LONG key instead of fingerprint https://dev.gnupg.org/T4855
gpg.conf: trusted-key, cert levels, cert expiry
2019-12-07 18:02:23 +01:00
#trusted-key 0x99392F62BAE30723 # MIKAELA_GREP # MIKAELA_GREP_GPG
gpg.conf: fix local-user/encrypt-to Resolves: #61
2020-02-26 13:53:52 +01:00
#encrypt-to mikaela@mikaela.info # MIKAELA_GREP # MIKAELA_GREP_GPG
gpg.conf: add the sender option
2020-02-26 14:02:27 +01:00
# WTOP (see comments above)
gpg.conf: update forgotten WTOP key
2021-09-28 10:49:11 +02:00
#default-key mikaela+digitalents@mikaela.info # MIKAELA_GREP # MIKAELA_GREP_GPG
#sender mikaela+digitalents@mikaela.info # MIKAELA_GREP # MIKAELA_GREP_GPG
#trusted-key 0xDF046339D69EB8C9 # MIKAELA_GREP # MIKAELA_GREP_GPG
#encrypt-to mikaela+digitalents@mikaela.info # MIKAELA_GREP # MIKAELA_GREP_GPG
gpg.conf: put the default key on top
2019-12-06 18:41:24 +01:00
gpg.conf: keyserver-option no-self-sigs-only Fixes `gpg --fetch-keys` for my workflow plan of attempting to fetch my signatures on keys I trust from somewhat trustworthy place.
2019-12-10 12:56:55 +01:00
# Ignore preferred keyserver and also import non-self-sigs
keyserver-options no-honor-keyserver-url,no-self-sigs-only
gpg.conf: no keyserver options, document confusion
2019-12-06 19:22:32 +01:00
# The defaults are apparently self-sigs-only,import-clean starting from
gpg.conf: keyserver-option no-self-sigs-only Fixes `gpg --fetch-keys` for my workflow plan of attempting to fetch my signatures on keys I trust from somewhat trustworthy place.
2019-12-10 12:56:55 +01:00
# gpg 2.2.17, but there seem to be controversial views on them and I need
# some not-self-sigs with `--fetch-keys`
gpg.conf: no keyserver options, document confusion
2019-12-06 19:22:32 +01:00
# Debian uses self-sigs-only (while I would be fine with import-clean)
# * https://dev.gnupg.org/T4628#128513
# Arch Linux reverts the change going by no-self-sigs-only,no-import-clean
# * https://bugs.archlinux.org/task/63147
gnupg/gpg.conf: add http://keyserver.pgp.com/ to keyserver list.
2012-08-11 09:56:01 +02:00
gpg.conf: adjust keyserver-options & auto-key-locate
2019-12-02 23:48:35 +01:00
# Try to automatically find keys from local/wkd if key for email address isn't found, but we are encrypting to email address.
gpg: add auto-key-retrieve
2019-12-05 13:51:13 +01:00
auto-key-retrieve
gpg.conf: enable dane key locating
2019-12-08 10:53:16 +01:00
auto-key-locate local,wkd,dane
gpg.conf: I Read The Fine Manual and learned many things...
2012-12-21 18:50:44 +01:00
gpg.conf: add comments
2012-12-21 12:19:49 +01:00
# Encrypt to sender's key by default
add gpg.conf. It's enough related to shell-things.
2012-03-22 13:45:01 +01:00
default-recipient-self
gpg.conf: add comments
2012-12-21 12:19:49 +01:00
# Use UTF-8 charset
add gpg.conf. It's enough related to shell-things.
2012-03-22 13:45:01 +01:00
charset UTF-8
gpg.conf: I Read The Fine Manual and learned many things...
2012-12-21 18:50:44 +01:00
display-charset utf-8
gpg.conf: add comments
2012-12-21 12:19:49 +01:00
gpg.conf: comment things I don't understand etc. keyserver is not needed with GPGv2, I have no idea what some of those options do and thus have suspect that they make my GPG more insecure and I have used MATE for years and don't have eog available.
2018-09-18 20:37:28 +02:00
# use GPG Agent to avoid retyping passphrase very often.
gnupg/gpg.conf: use ASCII instead of binary by default. (No need to specify -a).
2012-08-06 11:16:56 +02:00
use-agent
gpg.conf: add comments
2012-12-21 12:19:49 +01:00
# Do everything in ASCII format by default instead of binary
gnupg/gpg.conf: use ASCII instead of binary by default. (No need to specify -a).
2012-08-06 11:16:56 +02:00
armor
gpg.conf: add comments
2012-12-21 12:19:49 +01:00
gpg.conf: show fingerprints by default (e.g --list-keys) and add export... ...ing options to teach to be careful and add commented throw-keyid
2012-12-22 15:43:34 +01:00
# Show the LONG KEYID and fingerprint by default and tell that it's hexadecimal string.
gpg.conf: Set default keyid-format to 0xLONG.
2012-07-26 12:17:43 +02:00
keyid-format 0xLONG
gpg.conf: show fingerprints by default (e.g --list-keys) and add export... ...ing options to teach to be careful and add commented throw-keyid
2012-12-22 15:43:34 +01:00
with-fingerprint
gpg.conf: add wkd hashes as I seem to use them increasingly often
2019-12-06 19:55:58 +01:00
with-wkd-hash
gpg.conf: with-keygrip
2020-02-18 00:55:29 +01:00
with-keygrip
gnupg/gpg.conf: Show LONG KEYID by default with "--list-keys".
2012-07-24 09:32:53 +02:00
gpg.conf: trusted-key, cert levels, cert expiry
2019-12-07 18:02:23 +01:00
# I refuse to comment on GPG's weird scale how I have verified keys as
# I appear to disagree on the official meanings of 1-3.
# If I sign a key, I have verified it to best of my ability. Also
# apparently it doesn't have much meaning anyway https://debian-administration.org/users/dkg/weblog/98
no-ask-cert-level
default-cert-level 0
# Count also the persona signatures for WoT if someone has those.
min-cert-level 1
# Ask when signatures expire.
gpg.conf: ask signature expire time & trust level
2013-01-17 15:48:48 +01:00
ask-cert-expire
gpg.conf: trusted-key, cert levels, cert expiry
2019-12-07 18:02:23 +01:00
default-cert-expire 2y
gpg.conf: show fingerprints by default (e.g --list-keys) and add export... ...ing options to teach to be careful and add commented throw-keyid
2012-12-22 15:43:34 +01:00
gpg.conf: copy https://we.riseup.net/riseuplabs+paow/openpgp-best-practices#update-your-gpg-defaults
2013-02-26 11:18:20 +01:00
# Copying https://we.riseup.net/riseuplabs+paow/openpgp-best-practices#update-your-gpg-defaults
# when outputting certificates, view user IDs distinctly from keys:
fixed-list-mode
# You should always know at a glance which User IDs gpg thinks are legitimately bound to the keys in your keyring:
verify-options show-uid-validity
gpg: add show-keyring,show-sig-expire to list-options Resolves: #52
2020-02-10 22:29:03 +01:00
# Display calculated validity, which keyring the keys are from and when
# signatures expire
gpg.conf: add show-policy-urls to list-options
2020-03-11 13:57:22 +01:00
# Show URLs of signing policies when they exist
list-options show-uid-validity,show-keyring,show-sig-expire,show-policy-urls
gpg.conf: copy https://we.riseup.net/riseuplabs+paow/openpgp-best-practices#update-your-gpg-defaults
2013-02-26 11:18:20 +01:00
gpg.conf: declare WoT dead & no-comments * export-clean & import-clean are now done * my gpg won't output the comments anymore Resolves: #125
2019-08-01 11:19:44 +02:00
# Disable comments
no-comments
gpg.conf: add no-emit-version Closes: #20
2019-08-26 19:35:43 +02:00
# Don't output version, small chance of having people put same keys on IPFS
no-emit-version
gpg.conf: enable TOFU
2019-12-06 22:23:36 +01:00
# Trust On First Use (marginal trust) with WoT being full trust. I find this
# less annoying in KMail than only WoT or the comment below, and I think it
# may be additional motivation for me to actually sign the keys I trust with
# all keyservers hiding signatures and gpg not importing them.
# I think `keybase pgp pull` also helps here as the people I am tracking
# there are going to be in my keyring, however it's still a centralized
# service.
trust-model tofu+pgp
gpg.conf: disable TOFU's positive trust As I have the pgp-alt-wot repository and am building my own Web of Trust and lsign, I have no reason to have positive trust values.
2020-01-30 19:21:31 +01:00
# WoT with TOFUs conflict detection, but without positive trust. This may
# be better due to https://gitea.blesmrt.net/mikaela/pgp-alt-wot/ and lsign.
tofu-default-policy unknown
gpg.conf: enable TOFU
2019-12-06 22:23:36 +01:00