shell-things/gpg/gpg.conf

120 lines
4.8 KiB
Plaintext
Raw Permalink Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# SPDX-FileCopyrightText: 1998 Free Software Foundation, Inc.
#
# SPDX-License-Identifier: GPL-3.0-or-later
#
# Options for GnuPG
# Copyright 1998, 1999, 2000, 2001, 2002, 2003,
# 2010 Free Software Foundation, Inc.
# This file is free software; as a special exception the author gives
# unlimited permission to copy and/or distribute it, with or without
# modifications, as long as this notice is preserved.
#
# This file is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY, to the extent permitted by law; without even the
# implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
#
# Unless you specify which option file to use (with the command line
# option "--options filename"), GnuPG uses the file ~/.gnupg/gpg.conf
# by default.
#
# An options file can contain any long options which are available in
# GnuPG. If the first non white space character of a line is a '#',
# this line is ignored. Empty lines are also ignored.
#
# See the man page for a list of options.
# Use my key by default, trusted-key puts it to ultimate trust even if the
# private key is not present and default-recepient-self is not enough for
# gpg --encrypt -r
# default-key/encrypt-to take name according to `man gpg`
# NOTE! default-key is used instead of local-user as the latter cannot be
# overridden with flags (causing WTOP test to be signed with personal and
# WTOP keys)
#default-key suomalainen@mikaela.info
# Has to be LONG key instead of fingerprint https://dev.gnupg.org/T4855
#trusted-key 0x99392F62BAE30723
# The above issue is resolved in 2.2.20
#trusted-key 69FF455A869F9031A691E0F199392F62BAE30723
#encrypt-to suomalainen@mikaela.info
# WTOP (see comments above)
#default-key mikaela+digitalents@mikaela.info
#trusted-key 0xDF046339D69EB8C9
#encrypt-to mikaela+digitalents@mikaela.info
# Ignore preferred keyserver and also import non-self-sigs
# WARNING! DoS hole!
keyserver-options no-honor-keyserver-url,no-self-sigs-only,no-import-clean,no-import-minimal
import-options no-self-sigs-only,no-import-clean,no-import-minimal
# The defaults are apparently self-sigs-only,import-clean starting from
# gpg 2.2.17, but there seem to be controversial views on them and I need
# some not-self-sigs with `--fetch-keys`
# Debian uses self-sigs-only (while I would be fine with import-clean)
# * https://dev.gnupg.org/T4628#128513
# Arch Linux reverts the change going by no-self-sigs-only,no-import-clean
# * https://bugs.archlinux.org/task/63147
# Try to automatically find keys from local/wkd if key for email address isn't found, but we are encrypting to email address.
auto-key-retrieve
auto-key-locate local,wkd,dane
# Encrypt to sender's key by default
default-recipient-self
# Use UTF-8 charset
charset UTF-8
display-charset utf-8
# use GPG Agent to avoid retyping passphrase very often.
use-agent
# Do everything in ASCII format by default instead of binary
armor
# Show the LONG KEYID and fingerprint by default and tell that it's hexadecimal string.
keyid-format 0xLONG
with-fingerprint
with-wkd-hash
with-keygrip
# I refuse to comment on GPG's weird scale how I have verified keys as
# I appear to disagree on the official meanings of 1-3.
# If I sign a key, I have verified it to best of my ability. Also
# apparently it doesn't have much meaning anyway https://debian-administration.org/users/dkg/weblog/98
no-ask-cert-level
default-cert-level 0
# Count also the persona signatures for WoT if someone has those.
min-cert-level 1
# Ask when signatures expire.
ask-cert-expire
default-cert-expire 2y
# Copying https://we.riseup.net/riseuplabs+paow/openpgp-best-practices#update-your-gpg-defaults
# when outputting certificates, view user IDs distinctly from keys:
fixed-list-mode
# You should always know at a glance which User IDs gpg thinks are legitimately bound to the keys in your keyring:
verify-options show-uid-validity
# Display calculated validity, which keyring the keys are from and when
# signatures expire
# Show URLs of signing policies when they exist
list-options show-uid-validity,show-keyring,show-sig-expire,show-policy-urls
# Disable comments
no-comments
# Don't output version, small chance of having people put same keys on IPFS
no-emit-version
# Trust On First Use (marginal trust) with WoT being full trust. I find this
# less annoying in KMail than only WoT or the comment below, and I think it
# may be additional motivation for me to actually sign the keys I trust with
# all keyservers hiding signatures and gpg not importing them.
# I think `keybase pgp pull` also helps here as the people I am tracking
# there are going to be in my keyring, however it's still a centralized
# service.
trust-model tofu+pgp
# WoT with TOFUs conflict detection, but without positive trust. This may
# be better due to https://gitea.blesmrt.net/mikaela/pgp-alt-wot/ and lsign.
tofu-default-policy unknown