shell-things/.mikaela/gpg.conf
Mikaela Suomalainen 0a106c7d34
gpg.conf: fill in WTOP
As I have a different user account for WTOP anyway, it's easier to have
it configured and easy to uncomment.
2020-03-15 19:45:59 +02:00

# Options for GnuPG
# Copyright 1998, 1999, 2000, 2001, 2002, 2003,
# 2010 Free Software Foundation, Inc.
# 2012 - 2020 Mikaela Suomalainen
# This file is free software; as a special exception the author gives
# unlimited permission to copy and/or distribute it, with or without
# modifications, as long as this notice is preserved.
#
# This file is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY, to the extent permitted by law; without even the
# implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
#
# Unless you specify which option file to use (with the command line
# option "--options filename"), GnuPG uses the file ~/.gnupg/gpg.conf
# by default.
#
# An options file can contain any long options which are available in
# GnuPG. If the first non white space character of a line is a '#',
# this line is ignored. Empty lines are also ignored.
#
# See the man page for a list of options.
# Use my key by default. trusted-key puts it at ultimate trust even if the
# private key is not present, and default-recipient-self is not enough for
# gpg --encrypt -r
# default-key/encrypt-to take a name according to `man gpg`
# NOTE! default-key is used instead of local-user as the latter cannot be
# overridden with flags (causing WTOP test to be signed with both personal and
# WTOP keys)
default-key mikaela@mikaela.info
# if auto-key-lookup is used, this tells the recipient which WKD to check?
sender mikaela@mikaela.info
# Has to be LONG key instead of fingerprint https://dev.gnupg.org/T4855
trusted-key 0x99392F62BAE30723
encrypt-to mikaela@mikaela.info
# WTOP (see comments above)
#default-key mikaela@unicus.com
#sender mikaela@unicus.com
#trusted-key 0x440D764E4F4A6C2D
#encrypt-to mikaela@unicus.com
# Ignore preferred keyserver and also import non-self-sigs
keyserver-options no-honor-keyserver-url,no-self-sigs-only
# The defaults are apparently self-sigs-only,import-clean starting from
# gpg 2.2.17, but there seem to be controversial views on them and I need
# some not-self-sigs with `--fetch-keys`
# Debian uses self-sigs-only (while I would be fine with import-clean)
# * https://dev.gnupg.org/T4628#128513
# Arch Linux reverts the change going by no-self-sigs-only,no-import-clean
# * https://bugs.archlinux.org/task/63147
# Try to automatically find keys from local/wkd/dane if no key is found for
# the email address we are encrypting to.
auto-key-retrieve
auto-key-locate local,wkd,dane
# Encrypt to sender's key by default
default-recipient-self
# Use UTF-8 charset
charset UTF-8
display-charset utf-8
# use GPG Agent to avoid retyping passphrase very often.
use-agent
# Do everything in ASCII format by default instead of binary
armor
# Show the LONG KEYID and fingerprint by default and mark the key ID as a
# hexadecimal string (0x prefix).
keyid-format 0xLONG
with-fingerprint
with-wkd-hash
with-keygrip
# I refuse to comment on GPG's weird scale how I have verified keys as
# I appear to disagree on the official meanings of 1-3.
# If I sign a key, I have verified it to best of my ability. Also
# apparently it doesn't have much meaning anyway https://debian-administration.org/users/dkg/weblog/98
no-ask-cert-level
default-cert-level 0
# Count also the persona signatures for WoT if someone has those.
min-cert-level 1
# Ask when signatures expire.
ask-cert-expire
default-cert-expire 2y
# Copying https://we.riseup.net/riseuplabs+paow/openpgp-best-practices#update-your-gpg-defaults
# when outputting certificates, view user IDs distinctly from keys:
fixed-list-mode
# You should always know at a glance which User IDs gpg thinks are legitimately bound to the keys in your keyring:
verify-options show-uid-validity
# Display calculated validity, which keyring the keys are from and when
# signatures expire
# Show URLs of signing policies when they exist
list-options show-uid-validity,show-keyring,show-sig-expire,show-policy-urls
# Disable comments
no-comments
# Don't output version, small chance of having people put same keys on IPFS
no-emit-version
# Trust On First Use (marginal trust) with WoT being full trust. I find this
# less annoying in KMail than only WoT or the comment below, and I think it
# may be additional motivation for me to actually sign the keys I trust with
# all keyservers hiding signatures and gpg not importing them.
# I think `keybase pgp pull` also helps here as the people I am tracking
# there are going to be in my keyring, however it's still a centralized
# service.
trust-model tofu+pgp
# WoT with TOFUs conflict detection, but without positive trust. This may
# be better due to https://gitea.blesmrt.net/mikaela/pgp-alt-wot/ and lsign.
tofu-default-policy unknown
# Groups to encrypt to when encrypting to specific addresses. I don't think
# this needs to be in the main file without my changes.
# Email that should go to the team
group support@privacytools.io=588F6E4EABE8C7B552D00FA641911F722B0F9AE3 30CE697C77678A9A6B0A5D5C6F3175557E766CBF 69FF455A869F9031A691E0F199392F62BAE30723 1FE976484C2EB73B61D102234B313017F994C1FD 5704D032D073A0F8D1D001C3D4045195AB86173B 6325C3370B70177138ABF3086A957C9A9A9429F7
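As an added example (not part of the repository, and not the author's code), a small Python lint for the pitfalls this file's comments describe: a second identity (the WTOP block) left uncommented next to the first, a trusted-key written as a full fingerprint rather than the 0xLONG key ID that dev.gnupg.org/T4855 requires, and malformed fingerprints in a group line. It also derives the LONG key ID from a fingerprint, which is how the trusted-key value above relates to the author's fingerprint in the group line. The sample config is constructed from the file's own lines; the "one identity at a time" rule is this config's intent, not a gpg restriction.

```python
import re

# Constructed sample: the file's active lines plus the WTOP default-key left uncommented.
SAMPLE = """\
default-key mikaela@mikaela.info
trusted-key 0x99392F62BAE30723
default-key mikaela@unicus.com
group support@privacytools.io=588F6E4EABE8C7B552D00FA641911F722B0F9AE3 69FF455A869F9031A691E0F199392F62BAE30723
"""
HEX40 = re.compile(r"^[0-9A-Fa-f]{40}$")          # v4 fingerprint
LONGID = re.compile(r"^0x[0-9A-Fa-f]{16}$")       # keyid-format 0xLONG
SINGLE = ("default-key", "sender", "trusted-key", "encrypt-to")  # one identity at a time

def parse(text):
    """Active options only: gpg ignores blank lines and lines starting with '#'."""
    lines = [ln.strip() for ln in text.splitlines()]
    return [(ln.partition(" ")[0], ln.partition(" ")[2].strip())
            for ln in lines if ln and not ln.startswith("#")]

def long_keyid(fingerprint):
    """The LONG key ID is the low 64 bits of a v4 fingerprint: its last 16 hex digits."""
    return "0x" + fingerprint[-16:].upper()

def group_fingerprints(opts):
    """Fingerprints named in group lines, split into valid (40 hex) and malformed."""
    good, bad = [], []
    for name, value in opts:
        if name == "group":
            for member in value.partition("=")[2].split():
                (good if HEX40.match(member) else bad).append(member.upper())
    return good, bad

def lint(text):
    """Return problem strings; an empty list means the config passes these checks."""
    opts, problems = parse(text), []
    for name in SINGLE:
        n = sum(1 for k, _ in opts if k == name)
        if n > 1:
            problems.append(f"{name} appears {n} times: this config expects one identity active")
    _, bad = group_fingerprints(opts)
    problems += [f"group member {m} is not a 40-hex fingerprint" for m in bad]
    for name, value in opts:
        if name == "trusted-key" and not LONGID.match(value):
            problems.append(f"trusted-key {value} must be a 0xLONG key ID (T4855)")
    return problems

def trusted_key_owner(opts):
    """Group fingerprints whose LONG key ID equals an active trusted-key value."""
    ids = {"0x" + v[-16:].upper() for k, v in opts if k == "trusted-key"}
    return [f for f in group_fingerprints(opts)[0] if long_keyid(f) in ids]
```

Commenting the second default-key line out again makes `lint` return an empty list.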