mirror of
https://gitea.blesmrt.net/mikaela/shell-things.git
synced 2024-10-30 15:09:24 +01:00
120 lines
4.8 KiB
Plaintext
120 lines
4.8 KiB
Plaintext
# SPDX-FileCopyrightText: 1998 Free Software Foundation, Inc.
|
||
#
|
||
# SPDX-License-Identifier: GPL-3.0-or-later
|
||
#
|
||
# Options for GnuPG
|
||
# Copyright 1998, 1999, 2000, 2001, 2002, 2003,
|
||
# 2010 Free Software Foundation, Inc.
|
||
# This file is free software; as a special exception the author gives
|
||
# unlimited permission to copy and/or distribute it, with or without
|
||
# modifications, as long as this notice is preserved.
|
||
#
|
||
# This file is distributed in the hope that it will be useful, but
|
||
# WITHOUT ANY WARRANTY, to the extent permitted by law; without even the
|
||
# implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
|
||
#
|
||
# Unless you specify which option file to use (with the command line
|
||
# option "--options filename"), GnuPG uses the file ~/.gnupg/gpg.conf
|
||
# by default.
|
||
#
|
||
# An options file can contain any long options which are available in
|
||
# GnuPG. If the first non white space character of a line is a '#',
|
||
# this line is ignored. Empty lines are also ignored.
|
||
#
|
||
# See the man page for a list of options.
|
||
|
||
# Use my key by default, trusted-key puts it to ultimate trust even if the
|
||
# private key is not present and default-recepient-self is not enough for
|
||
# gpg --encrypt -r
|
||
# default-key/encrypt-to take name according to `man gpg`
|
||
# NOTE! default-key is used instead of local-user as the latter cannot be
|
||
# overridden with flags (causing WTOP test to be signed with personal and
|
||
# WTOP keys)
|
||
#default-key suomalainen@mikaela.info
|
||
# Has to be LONG key instead of fingerprint https://dev.gnupg.org/T4855
|
||
#trusted-key 0x99392F62BAE30723
|
||
# The above issue is resolved in 2.2.20
|
||
#trusted-key 69FF455A869F9031A691E0F199392F62BAE30723
|
||
#encrypt-to suomalainen@mikaela.info
|
||
# WTOP (see comments above)
|
||
#default-key mikaela+digitalents@mikaela.info
|
||
#trusted-key 0xDF046339D69EB8C9
|
||
#encrypt-to mikaela+digitalents@mikaela.info
|
||
|
||
# Ignore preferred keyserver and also import non-self-sigs
|
||
# WARNING! DoS hole!
|
||
keyserver-options no-honor-keyserver-url,no-self-sigs-only,no-import-clean,no-import-minimal
|
||
import-options no-self-sigs-only,no-import-clean,no-import-minimal
|
||
|
||
# The defaults are apparently self-sigs-only,import-clean starting from
|
||
# gpg 2.2.17, but there seem to be controversial views on them and I need
|
||
# some not-self-sigs with `--fetch-keys`
|
||
# Debian uses self-sigs-only (while I would be fine with import-clean)
|
||
# * https://dev.gnupg.org/T4628#128513
|
||
# Arch Linux reverts the change going by no-self-sigs-only,no-import-clean
|
||
# * https://bugs.archlinux.org/task/63147
|
||
|
||
# Try to automatically find keys from local/wkd if key for email address isn't found, but we are encrypting to email address.
|
||
auto-key-retrieve
|
||
auto-key-locate local,wkd,dane
|
||
|
||
# Encrypt to sender's key by default
|
||
default-recipient-self
|
||
|
||
# Use UTF-8 charset
|
||
charset UTF-8
|
||
display-charset utf-8
|
||
|
||
# use GPG Agent to avoid retyping passphrase very often.
|
||
use-agent
|
||
|
||
# Do everything in ASCII format by default instead of binary
|
||
armor
|
||
|
||
# Show the LONG KEYID and fingerprint by default and tell that it's hexadecimal string.
|
||
keyid-format 0xLONG
|
||
with-fingerprint
|
||
with-wkd-hash
|
||
with-keygrip
|
||
|
||
# I refuse to comment on GPG's weird scale how I have verified keys as
|
||
# I appear to disagree on the official meanings of 1-3.
|
||
# If I sign a key, I have verified it to best of my ability. Also
|
||
# apparently it doesn't have much meaning anyway https://debian-administration.org/users/dkg/weblog/98
|
||
no-ask-cert-level
|
||
default-cert-level 0
|
||
# Count also the persona signatures for WoT if someone has those.
|
||
min-cert-level 1
|
||
|
||
# Ask when signatures expire.
|
||
ask-cert-expire
|
||
default-cert-expire 2y
|
||
|
||
# Copying https://we.riseup.net/riseuplabs+paow/openpgp-best-practices#update-your-gpg-defaults
|
||
# when outputting certificates, view user IDs distinctly from keys:
|
||
fixed-list-mode
|
||
# You should always know at a glance which User IDs gpg thinks are legitimately bound to the keys in your keyring:
|
||
verify-options show-uid-validity
|
||
# Display calculated validity, which keyring the keys are from and when
|
||
# signatures expire
|
||
# Show URLs of signing policies when they exist
|
||
list-options show-uid-validity,show-keyring,show-sig-expire,show-policy-urls
|
||
|
||
# Disable comments
|
||
no-comments
|
||
|
||
# Don't output version, small chance of having people put same keys on IPFS
|
||
no-emit-version
|
||
|
||
# Trust On First Use (marginal trust) with WoT being full trust. I find this
|
||
# less annoying in KMail than only WoT or the comment below, and I think it
|
||
# may be additional motivation for me to actually sign the keys I trust with
|
||
# all keyservers hiding signatures and gpg not importing them.
|
||
# I think `keybase pgp pull` also helps here as the people I am tracking
|
||
# there are going to be in my keyring, however it's still a centralized
|
||
# service.
|
||
trust-model tofu+pgp
|
||
# WoT with TOFU’s conflict detection, but without positive trust. This may
|
||
# be better due to https://gitea.blesmrt.net/mikaela/pgp-alt-wot/ and lsign.
|
||
tofu-default-policy unknown
|