# Options for GnuPG
# Copyright 1998, 1999, 2000, 2001, 2002, 2003,
#           2010 Free Software Foundation, Inc.
#           2012 - 2020 Mikaela Suomalainen
#
# This file is free software; as a special exception the author gives
# unlimited permission to copy and/or distribute it, with or without
# modifications, as long as this notice is preserved.
#
# This file is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY, to the extent permitted by law; without even the
# implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
#
# Unless you specify which option file to use (with the command line
# option "--options filename"), GnuPG uses the file ~/.gnupg/gpg.conf
# by default.
#
# An options file can contain any long options which are available in
# GnuPG. If the first non white space character of a line is a '#',
# this line is ignored. Empty lines are also ignored.
#
# See the man page for a list of options.

# Use my key by default. trusted-key puts it to ultimate trust even if the
# private key is not present, and default-recipient-self is not enough for
# gpg --encrypt -r
# local-user/encrypt-to take the name according to `man gpg`
local-user mikaela@mikaela.info
# Has to be the LONG key ID instead of the fingerprint https://dev.gnupg.org/T4855
trusted-key 0x99392F62BAE30723
encrypt-to mikaela@mikaela.info

# WTOP
#local-user
#trusted-key
#encrypt-to

# Ignore the preferred keyserver and also import non-self-sigs
keyserver-options no-honor-keyserver-url,no-self-sigs-only
# The defaults are apparently self-sigs-only,import-clean starting from
# gpg 2.2.17, but there seem to be controversial views on them and I need
# some non-self-sigs with `--fetch-keys`
# Debian uses self-sigs-only (while I would be fine with import-clean)
# * https://dev.gnupg.org/T4628#128513
# Arch Linux reverts the change, going by no-self-sigs-only,no-import-clean
# * https://bugs.archlinux.org/task/63147

# Try to automatically find keys from local/wkd if the key for an email
# address isn't found, but we are encrypting to an email address.
auto-key-retrieve
auto-key-locate local,wkd,dane

# Encrypt to the sender's key by default
default-recipient-self

# Use UTF-8 charset
charset UTF-8
display-charset utf-8

# Use GPG Agent to avoid retyping the passphrase very often.
use-agent

# Do everything in ASCII format by default instead of binary
armor

# Show the LONG KEYID and fingerprint by default and mark that it's a hexadecimal string.
keyid-format 0xLONG
with-fingerprint
with-wkd-hash
with-keygrip

# I refuse to comment on GPG's weird scale of how I have verified keys, as
# I appear to disagree with the official meanings of 1-3.
# If I sign a key, I have verified it to the best of my ability. Also,
# apparently it doesn't have much meaning anyway https://debian-administration.org/users/dkg/weblog/98
no-ask-cert-level
default-cert-level 0
# Also count the persona signatures for WoT if someone has those.
min-cert-level 1
# Ask when signatures expire.
ask-cert-expire
default-cert-expire 2y

# Copying https://we.riseup.net/riseuplabs+paow/openpgp-best-practices#update-your-gpg-defaults
# when outputting certificates, view user IDs distinctly from keys:
fixed-list-mode
# You should always know at a glance which User IDs gpg thinks are legitimately bound to the keys in your keyring:
verify-options show-uid-validity
# Display calculated validity, which keyring the keys are from and when
# signatures expire
list-options show-uid-validity,show-keyring,show-sig-expire

# Disable comments
no-comments
# Don't output the version; small chance of having people put the same keys on IPFS
no-emit-version

# Trust On First Use (marginal trust) with WoT being full trust. I find this
# less annoying in KMail than only WoT or the comment below, and I think it
# may be additional motivation for me to actually sign the keys I trust, with
# all keyservers hiding signatures and gpg not importing them.
# I think `keybase pgp pull` also helps here as the people I am tracking
# there are going to be in my keyring; however, it's still a centralized
# service.
trust-model tofu+pgp
# WoT with TOFU's conflict detection, but without positive trust. This may
# be better due to https://gitea.blesmrt.net/mikaela/pgp-alt-wot/ and lsign.
tofu-default-policy unknown

# Groups to encrypt to when encrypting to specific addresses. I don't think
# this needs to be in the main file without my changes.
# Email that should go to the team
group support@privacytools.io=588F6E4EABE8C7B552D00FA641911F722B0F9AE3 30CE697C77678A9A6B0A5D5C6F3175557E766CBF 69FF455A869F9031A691E0F199392F62BAE30723 1FE976484C2EB73B61D102234B313017F994C1FD 5704D032D073A0F8D1D001C3D4045195AB86173B 6325C3370B70177138ABF3086A957C9A9A9429F7
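# An added example, not part of GnuPG or of this configuration: a small
# Python parser that reads a gpg.conf using the rules stated in the header
# (lines whose first non-blank character is '#' and empty lines are ignored,
# first word is the long option, the rest is its value), expands `group`
# lines into fingerprint lists, and audits the keyid-format, with-fingerprint
# and keyserver-options choices made above. The sample config and fingerprints
# are constructed, not the author's.

```python
"""Parse a gpg.conf options file and audit a few of its settings.

Added example, not GnuPG code; SAMPLE_CONF is a constructed excerpt.
"""
from collections import defaultdict

# Constructed excerpt: options may repeat (e.g. several 'group' lines),
# comments start with '#' as the first non-blank character.
SAMPLE_CONF = """\
# comment line
   # indented comment is also ignored

keyid-format 0xLONG
with-fingerprint
keyserver-options no-honor-keyserver-url,no-self-sigs-only
trust-model tofu+pgp
group team@example.org=0123456789ABCDEF0123456789ABCDEF01234567 89ABCDEF0123456789ABCDEF0123456789ABCDEF
"""


def parse_gpg_conf(text):
    """Return {option: [values...]} following the gpg.conf rules above."""
    options = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # comment or empty line
        name, _, value = line.partition(" ")
        options[name].append(value.strip())  # flag options get ""
    return dict(options)


def parse_groups(options):
    """Expand 'group NAME=KEY KEY ...' entries into {name: [fingerprints]}."""
    groups = {}
    for entry in options.get("group", []):
        name, _, keys = entry.partition("=")
        groups[name.strip()] = keys.split()
    return groups


def audit(options):
    """Return findings where the config diverges from the choices above."""
    findings = []
    if "0xLONG" not in options.get("keyid-format", []):
        findings.append("keyid-format is not 0xLONG (short key IDs are collidable)")
    if "with-fingerprint" not in options:
        findings.append("with-fingerprint missing")
    ks = set()
    for value in options.get("keyserver-options", []):
        ks.update(value.split(","))  # comma-separated sub-options
    if "no-honor-keyserver-url" not in ks:
        findings.append("keyserver-options lacks no-honor-keyserver-url")
    return findings
```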