# Options for GnuPG # Copyright 1998, 1999, 2000, 2001, 2002, 2003, # 2010 Free Software Foundation, Inc. # This file is free software; as a special exception the author gives # unlimited permission to copy and/or distribute it, with or without # modifications, as long as this notice is preserved. # # This file is distributed in the hope that it will be useful, but # WITHOUT ANY WARRANTY, to the extent permitted by law; without even the # implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. # # Unless you specify which option file to use (with the command line # option "--options filename"), GnuPG uses the file ~/.gnupg/gpg.conf # by default. # # An options file can contain any long options which are available in # GnuPG. If the first non white space character of a line is a '#', # this line is ignored. Empty lines are also ignored. # # See the man page for a list of options. # Use my key by default, trusted-key puts it to ultimate trust even if the # private key is not present and default-recepient-self is not enough for # gpg --encrypt -r # default-key/encrypt-to take name according to `man gpg` # NOTE! default-key is used instead of local-user as the latter cannot be # overridden with flags (causing WTOP test to be signed with personal and # WTOP keys) #default-key suomalainen@mikaela.info # Has to be LONG key instead of fingerprint https://dev.gnupg.org/T4855 #trusted-key 0x99392F62BAE30723 # The above issue is resolved in 2.2.20 #trusted-key 69FF455A869F9031A691E0F199392F62BAE30723 #encrypt-to suomalainen@mikaela.info # WTOP (see comments above) #default-key mikaela+digitalents@mikaela.info #trusted-key 0xDF046339D69EB8C9 #encrypt-to mikaela+digitalents@mikaela.info # Ignore preferred keyserver and also import non-self-sigs # WARNING! DoS hole! keyserver-options no-honor-keyserver-url,no-self-sigs-only,no-import-clean,no-import-minimal import-options no-self-sigs-only,no-import-clean,no-import-minimal # The defaults are apparently self-sigs-only,import-clean starting from # gpg 2.2.17, but there seem to be controversial views on them and I need # some not-self-sigs with `--fetch-keys` # Debian uses self-sigs-only (while I would be fine with import-clean) # * https://dev.gnupg.org/T4628#128513 # Arch Linux reverts the change going by no-self-sigs-only,no-import-clean # * https://bugs.archlinux.org/task/63147 # Try to automatically find keys from local/wkd if key for email address isn't found, but we are encrypting to email address. auto-key-retrieve auto-key-locate local,wkd,dane # Encrypt to sender's key by default default-recipient-self # Use UTF-8 charset charset UTF-8 display-charset utf-8 # use GPG Agent to avoid retyping passphrase very often. use-agent # Do everything in ASCII format by default instead of binary armor # Show the LONG KEYID and fingerprint by default and tell that it's hexadecimal string. keyid-format 0xLONG with-fingerprint with-wkd-hash with-keygrip # I refuse to comment on GPG's weird scale how I have verified keys as # I appear to disagree on the official meanings of 1-3. # If I sign a key, I have verified it to best of my ability. Also # apparently it doesn't have much meaning anyway https://debian-administration.org/users/dkg/weblog/98 no-ask-cert-level default-cert-level 0 # Count also the persona signatures for WoT if someone has those. min-cert-level 1 # Ask when signatures expire. ask-cert-expire default-cert-expire 2y # Copying https://we.riseup.net/riseuplabs+paow/openpgp-best-practices#update-your-gpg-defaults # when outputting certificates, view user IDs distinctly from keys: fixed-list-mode # You should always know at a glance which User IDs gpg thinks are legitimately bound to the keys in your keyring: verify-options show-uid-validity # Display calculated validity, which keyring the keys are from and when # signatures expire # Show URLs of signing policies when they exist list-options show-uid-validity,show-keyring,show-sig-expire,show-policy-urls # Disable comments no-comments # Don't output version, small chance of having people put same keys on IPFS no-emit-version # Trust On First Use (marginal trust) with WoT being full trust. I find this # less annoying in KMail than only WoT or the comment below, and I think it # may be additional motivation for me to actually sign the keys I trust with # all keyservers hiding signatures and gpg not importing them. # I think `keybase pgp pull` also helps here as the people I am tracking # there are going to be in my keyring, however it's still a centralized # service. trust-model tofu+pgp # WoT with TOFU’s conflict detection, but without positive trust. This may # be better due to https://gitea.blesmrt.net/mikaela/pgp-alt-wot/ and lsign. tofu-default-policy unknown