how2gpg


Below are some use cases that I had to solve today, with their solutions.
The key ID 0xDEADBEEF is a placeholder for whatever key you are working with. I recommend displaying keys in the long key ID format, see the configuration section below.

Common stuff: list, receive, upload

First of all, a simple list of the most basic commands:

  • gpg2 --list-keys or gpg2 -k (public keys in your keyring)
  • gpg2 --list-secret-keys or gpg2 -K (keys you hold the private part of)
  • gpg2 --fingerprint 0xDEADBEEF (show the full fingerprint, which is what you compare out of band)
  • gpg2 --recv-keys 0xDEADBEEF (fetch a key from the configured keyserver)
  • gpg2 --send-keys 0xDEADBEEF (upload a key to the configured keyserver)

Now that we have that, let's go on with some more advanced topics.

Using a configuration file

To make settings permanent for your local gpg, create or edit ~/.gnupg/gpg.conf and add options like the ones below (one option per line, # starts a comment).

default-key 0xDEADBEEF

# GnuPG 2.1 and later always talk to gpg-agent and ignore this option;
# it is only needed on older 2.0.x installations
use-agent

# note: the SKS pool behind this hostname was shut down in 2021; on a
# current installation use e.g. hkps://keys.openpgp.org instead
keyserver hkps://hkps.pool.sks-keyservers.net

# when outputting certificates, view user IDs distinctly from keys
# (the default since GnuPG 2.1, kept here for older versions)
fixed-list-mode

# long keyids are more collision-resistant than short keyids (it's trivial
# to make a key with any desired short keyid). Even a long keyid is only a
# convenience for display; compare the full fingerprint before trusting a key
keyid-format 0xlong

# when signing, and multiple digests are supported by all recipients, choose the strongest one
personal-digest-preferences SHA512 SHA384 SHA256 SHA224

# preferences chosen for new keys should prioritize stronger algorithms
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed

# when making an OpenPGP certification, use a stronger digest than the old SHA1 default
cert-digest-algo SHA512

# prevent version string from appearing in your signatures/public keys
no-emit-version

# more preferences
personal-cipher-preferences AES256 TWOFISH AES192 AES
personal-compress-preferences ZLIB BZIP2 ZIP
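The keyid-format comment above says it is trivial to make a key with any desired short key ID. The reason is that both key IDs are just the trailing bytes of the SHA-1 fingerprint, and the fingerprint is computed over the public key packet, which includes the creation timestamp. The Python script below is an added example, not part of the original page and not GnuPG code: it builds a version 4 RSA public-key packet from a constructed toy modulus, computes the fingerprint and both key IDs, and then brute-forces a creation timestamp whose short key ID ends in a chosen 16-bit suffix. The modulus, exponent and starting timestamp are assumptions; the packet and fingerprint layout follow RFC 4880 sections 5.5.2 and 12.2. Extending the same loop to the full 32-bit short key ID costs about 2^32 hashes, which is feasible on commodity hardware; the 64-bit long ID costs 2^64, and the full 160-bit fingerprint is out of reach.

```python
import hashlib
import struct

# Constructed toy RSA parameters (an assumption of this example, NOT a real key).
# The fingerprint is just a hash over the packet bytes, so any numbers will do.
TOY_N = 0xC5E3B4F0A1D2E3F4B5C6D7E8F9A0B1C2D3E4F5A6B7C8D9E0F1A2B3C4D5E6F701
TOY_E = 65537
EPOCH_2000 = 946684800  # 2000-01-01T00:00:00Z, arbitrary starting timestamp


def mpi(n):
    """Encode an integer as an OpenPGP MPI: 2-byte bit length, then big-endian magnitude."""
    bits = n.bit_length()
    return struct.pack(">H", bits) + n.to_bytes((bits + 7) // 8, "big")


def v4_pubkey_body(created, n, e):
    """Body of a version 4 RSA public-key packet (RFC 4880 5.5.2):
    version byte 4, 4-byte creation time, algorithm 1 (RSA), MPI n, MPI e."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)


def v4_fingerprint(body):
    """RFC 4880 12.2: the v4 fingerprint is SHA-1 over 0x99, the 2-byte body length, and the body."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def key_ids(fpr):
    """The long key ID is the low 64 bits of the fingerprint, the short key ID the low 32 bits."""
    return "0x" + fpr[-16:], "0x" + fpr[-8:]


def forge_short_suffix(target_suffix, n=TOY_N, e=TOY_E, start=EPOCH_2000):
    """Search creation timestamps until the fingerprint (and so the short key ID)
    ends in target_suffix. Only the timestamp changes; the key material stays the same.
    Returns (timestamp, fingerprint, number of hashes tried)."""
    target = target_suffix.upper()
    created, tries = start, 0
    while True:
        tries += 1
        fpr = v4_fingerprint(v4_pubkey_body(created, n, e))
        if fpr.endswith(target):
            return created, fpr, tries
        created += 1


if __name__ == "__main__":
    genuine = v4_fingerprint(v4_pubkey_body(EPOCH_2000, TOY_N, TOY_E))
    print("genuine fingerprint:", genuine, "long/short:", *key_ids(genuine))
    # 16 bits take a fraction of a second; the full 32-bit short ID is 65536 times
    # more work, and the 64-bit long ID another 2^32 times more than that.
    ts, fpr, tries = forge_short_suffix("BEEF")
    print("forged fingerprint: ", fpr, "long/short:", *key_ids(fpr))
    print("creation time", ts, "found after", tries, "hashes")
```

The search only varies the timestamp, so the forged key contains the same public key material and is a perfectly valid OpenPGP key; a keyserver will happily return both the genuine and the forged key for gpg2 --recv-keys 0xDEADBEEF, which is why the full fingerprint, not the key ID, must be compared.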

Expiration date

To change the expiration date of a key that has subkeys, run gpg2 --edit-key 0xDEADBEEF. This drops you into the interactive gpg2 edit prompt.

The expire command only changes the currently selected key, and with nothing selected that is the primary key. So first run expire and enter the new value. Because the subkey should expire at the same time, select it with key 1 (the number is the subkey's position in the listing; key 1 a second time deselects it) and run expire again. Newer GnuPG versions can do the same non-interactively with --quick-set-expire.

Check with list that both keys now show the new expiration date, then save, because nothing is written to the keyring until you do. A new expiration date is just a fresh self-signature on the key, so upload the refreshed key with --send-keys and hope that every one of your GPG friends fetches it (gpg2 --refresh-keys) before the old date passes. Otherwise they get an "expired key" error, which might confuse people not used to the software :) Note that an expiration date is not a revocation: a key that has leaked still has to be revoked with a revocation certificate, whatever its date says.

Signing

To list all signatures (certifications) on a key, use gpg2 --list-sigs 0xDEADBEEF. To also let gpg2 verify those signatures against the public keys in your keyring, use gpg2 --check-sigs 0xDEADBEEF; signatures made by keys you do not have cannot be verified and are marked accordingly.

If you wish to sign a foreign key with your private key, first compare its full fingerprint with the owner out of band (gpg2 --fingerprint 0xDEADBEEF), then use gpg2 --ask-cert-level --sign-key 0xDEADBEEF. The certification is made with your default key, so use the configuration file above to select it. If you wish to use another one, add --default-key 0xSECRETDEADBEEF to the command. A signature made with --sign-key is exportable and travels with the key to the keyservers; if you only want the key to count as valid on your own machine, use --lsign-key instead, which makes a non-exportable local signature.

In case you chose the wrong key to sign the foreign key, go into edit mode with gpg2 --edit-key 0xDEADBEEF. The command to remove signatures is delsig. Be aware that delsig only deletes the signature from your local keyring; if you have already uploaded the signed key, the signature is out there and you have to revoke it with revsig and upload the key again. It looks like this:

% gpg2 --edit-key 0xDEADBEEF
gpg (GnuPG) 2.1.14; Copyright (C) 2016 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

sec  rsa4096/0xDEADBEEF
     created: 1999-12-31  expires: 2012-12-21  usage: SCA
     trust: ultimate      validity: ultimate
ssb  rsa4096/0xFEFEFEFE
     created: 1999-12-31  expires: 2012-12-21  usage: E
[ultimate] (1). Santa Claus <root@localhost>
[ultimate] (2)  Santa Claus <santa@north.pl>

gpg> uid 1

gpg> delsig
uid  Santa Claus <root@localhost>
sig!3        0xDEADBEEF 1999-12-31  [self-signature]
Delete this good signature? (y/N/q)

For every signature on this UID the dialog asks whether to delete it or keep it, so you iterate over the whole signature list, answering N until you reach the one you want to delete, and q to stop. Answer N for the self-signature shown above: deleting it invalidates the UID. Don't forget to save after editing!
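Both the expiration section and this one come down to reading your keyring in a machine-readable way: which keys and subkeys are about to expire, and which certifications on a UID were made by someone other than the key owner (the ones you would walk to with delsig or revsig). The script below is an added example, not part of the original page and not GnuPG code: it parses the --with-colons output format that gpg2 produces and runs on a constructed sample that mirrors the Santa Claus key from the transcript above. The key IDs, fingerprints, hashes, timestamps and the Rudolph signer in the sample are made up; run_gpg_colons() shows how you would feed it the real keyring instead.

```python
import subprocess
import time
from datetime import datetime, timezone

# Constructed sample of `gpg2 --check-sigs --with-colons` output (an assumption of this
# example: key IDs, fingerprints, UID hashes and the Rudolph signer are made up). It mirrors
# the transcript above: primary 0xDEADBEEF (usage SCA), encryption subkey 0xFEFEFEFE, two UIDs,
# both keys created 1999-12-31 and expiring 2012-12-21. Fields the parser does not read are filler.
SAMPLE = """\
tru::1:1355000000:0:3:1:5
pub:u:4096:1:0123456789DEADBEEF:946598400:1356048000::u:::scESCA::::::23::0:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF0123456789DEADBEEF:
uid:u::::946598400::0123456789ABCDEF0123456789ABCDEF01234567::Santa Claus <root@localhost>::::::::::0:
sig:!::1:0123456789DEADBEEF:946598400::::Santa Claus <root@localhost>:13x::AAAABBBBCCCCDDDDEEEEFFFF0123456789DEADBEEF:::8:
sig:!::1:FEDCBA9876543210:1262304000::::Rudolph <rudolph@north.pl>:12x::000011112222333344445555FEDCBA9876543210:::10:
uid:u::::946598400::FEDCBA9876543210FEDCBA9876543210FEDCBA98::Santa Claus <santa@north.pl>::::::::::0:
sig:!::1:0123456789DEADBEEF:946598400::::Santa Claus <root@localhost>:13x::AAAABBBBCCCCDDDDEEEEFFFF0123456789DEADBEEF:::8:
sub:u:4096:1:0123456789FEFEFEFE:946598400:1356048000:::::e::::::23:
fpr:::::::::1111222233334444555566660123456789FEFEFEFE:
"""


def epoch(field):
    """Epoch seconds from a colon-record date field: empty, epoch digits (gpg 2.x)
    or YYYY-MM-DD (older gpg)."""
    if not field:
        return None
    if field.isdigit():
        return int(field)
    return int(datetime.strptime(field, "%Y-%m-%d").replace(tzinfo=timezone.utc).timestamp())


def parse_colons(text):
    """Group pub/sec, sub/ssb, fpr, uid and sig/rev records into one dict per key.
    Field numbers follow gnupg's doc/DETAILS: 5 key ID, 6 created, 7 expires,
    10 user ID (uid) / fingerprint (fpr) / signer UID (sig), 11 signature class."""
    keys, key, holder, uid = [], None, None, None
    for line in text.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sec"):
            key = {"keyid": f[4], "created": epoch(f[5]), "expires": epoch(f[6]),
                   "fpr": None, "subkeys": [], "uids": []}
            keys.append(key)
            holder, uid = key, None
        elif f[0] in ("sub", "ssb") and key is not None:
            holder = {"keyid": f[4], "created": epoch(f[5]), "expires": epoch(f[6]), "fpr": None}
            key["subkeys"].append(holder)
            uid = None  # subkey binding signatures are not UID certifications
        elif f[0] == "fpr" and holder is not None:
            holder["fpr"] = f[9]
        elif f[0] == "uid" and key is not None:
            uid = {"uid": f[9], "sigs": []}
            key["uids"].append(uid)
        elif f[0] in ("sig", "rev") and uid is not None:
            uid["sigs"].append({"validity": f[1], "signer": f[4], "created": epoch(f[5]),
                                "signer_uid": f[9], "class": f[10], "revocation": f[0] == "rev"})
    return keys


def expiring_within(keys, days, now=None):
    """(key ID, expiry epoch) for primary keys and subkeys already expired or expiring within `days`."""
    now = int(time.time()) if now is None else now
    limit = now + days * 86400
    return [(entry["keyid"], entry["expires"])
            for k in keys for entry in [k] + k["subkeys"]
            if entry["expires"] is not None and entry["expires"] <= limit]


def foreign_certifications(keys):
    """(UID, signer key ID, signature class) for every certification not made by the key itself."""
    return [(u["uid"], s["signer"], s["class"])
            for k in keys for u in k["uids"] for s in u["sigs"] if s["signer"] != k["keyid"]]


def run_gpg_colons(*extra, gpg="gpg2"):
    """Read the real keyring (not used by the sample run). --with-colons implies fixed-list-mode."""
    cmd = [gpg, "--batch", "--with-colons", "--check-sigs", *extra]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    keys = parse_colons(SAMPLE)  # use parse_colons(run_gpg_colons()) for your own keyring
    # `now` is pinned to December 2012 so the constructed sample is meaningful
    for keyid, exp in expiring_within(keys, days=30, now=1355000000):
        print("expires soon: 0x%s on %s" % (keyid, datetime.fromtimestamp(exp, timezone.utc).date()))
    for uid, signer, cls in foreign_certifications(keys):
        print("foreign certification on %r by 0x%s (class %s)" % (uid, signer, cls))
```

Signature class 13x in the sample is the positive self-certification shown as sig!3 in the transcript, and 12x is a casual certification such as --ask-cert-level produces; the letter x means the signature is exportable, which is exactly the kind that is already on the keyservers once you have uploaded the key.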