Below are some use cases that I had to solve today with their solutions.
0xDEADBEEF is a placeholder for a key ID; substitute your own. I recommend using the long key ID format (or better, the full fingerprint) whenever keys are displayed or referenced, see the configuration section below.
Common stuff: list, receive, upload
First of all, a simple list of the most basic commands:
gpg2 --fingerprint 0xDEADBEEF
gpg2 --recv-keys 0xDEADBEEF
gpg2 --send-keys 0xDEADBEEF
Now that we have that, let's go on with some more advanced topics.
Using a configuration file
To make settings for your local gpg persistent, create or edit
~/.gnupg/gpg.conf and add options like the ones below. Note that the SKS keyserver pool named in the keyserver line has since been shut down; point keyserver at a server that is still running, for example hkps://keys.openpgp.org.
default-key 0xDEADBEEF
use-agent
keyserver hkps://hkps.pool.sks-keyservers.net

# when outputting certificates, view user IDs distinctly from keys
fixed-list-mode

# long keyids are more collision-resistant than short keyids (it's trivial
# to make a key with any desired short keyid)
keyid-format 0xlong

# when multiple digests are supported by all recipients, choose the strongest one
personal-digest-preferences SHA512 SHA384 SHA256 SHA224

# preferences chosen for new keys should prioritize stronger algorithms
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed

# when making an OpenPGP certification, use a stronger digest than the default SHA1
cert-digest-algo SHA512

# prevent version string from appearing in your signatures/public keys
no-emit-version

# more preferences
personal-cipher-preferences AES256 TWOFISH AES192 AES
personal-compress-preferences ZLIB BZIP2 ZIP
To change the expiration date of a key that has subkeys, run
gpg2 --edit-key 0xDEADBEEF. This drops you into the gpg2 edit prompt.
With no key selected, the expire command applies to the primary key only: enter
expire, type the new validity period (for example 1y) and confirm. The subkey keeps its old expiration date, so select it with
key 1 (the first subkey; entering key 1 again deselects it) and repeat the expire step. Do the same for every further subkey, then write the changes with save. Extending the expiration creates new self-signatures, so the secret primary key has to be available.
As a result, both the primary key and the subkey should now show the new expiration date in the listing. Upload the refreshed key with
gpg2 --send-keys 0xDEADBEEF and hope that every one of your GPG friends refreshes it (gpg2 --refresh-keys) before the old date passes. Otherwise they get a "key expired" error, which might confuse people not used to software :)
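The whole procedure, primary key plus every subkey, as a script. This is an added example and not part of the original post: it assumes gpg2 2.1 or newer on the PATH, that the secret key is reachable through gpg-agent (the new self-signatures need it), and that 0xDEADBEEF stands for your real long key ID or fingerprint; the function names are my own. The lines it feeds to gpg2 are exactly what you would type at the gpg> prompt, delivered through --command-fd instead of the terminal, and the result is checked with the machine-readable --with-colons listing rather than by eyeballing the human-readable one.

```shell
#!/bin/sh
# Added example, not from the original post: extend the expiry of the primary key
# and each subkey in one non-interactive gpg2 --edit-key run, then verify it.
# Assumptions: gpg2 >= 2.1 on PATH, secret key available via gpg-agent,
# 0xDEADBEEF = the real long key id or fingerprint. Helper names are mine.

# Emit the command sequence --edit-key would otherwise read from the terminal.
# "expire" acts on the primary key while nothing is selected; "key N" toggles
# selection of subkey N, so a second "key N" deselects it again before the
# next subkey is handled. Each "expire" asks for the validity period and then
# "Is this correct? (y/N)", hence the "y" after every period.
edit_expire_script() {   # $1 = validity period (e.g. 1y), $2 = number of subkeys
    printf 'expire\n%s\ny\n' "$1"
    i=1
    while [ "$i" -le "$2" ]; do
        printf 'key %s\nexpire\n%s\ny\nkey %s\n' "$i" "$1" "$i"
        i=$((i + 1))
    done
    printf 'save\n'
}

# Count the subkeys ("sub" records) in the public-key listing.
count_subkeys() {   # stdin = output of: gpg2 --with-colons --list-keys KEY
    awk -F: '$1 == "sub" { n++ } END { print n + 0 }'
}

# Print "type:keyid:expires" for the primary key and every subkey. In colon
# mode field 5 is the long key id and field 7 the expiration date as seconds
# since the epoch (gpg >= 2.1); an empty field 7 means the key never expires.
key_expiries() {   # stdin = output of: gpg2 --with-colons --list-keys KEY
    awk -F: '$1 == "pub" || $1 == "sub" {
        print $1 ":" $5 ":" ($7 == "" ? "never" : $7) }'
}

# Run the procedure against the live keyring (not exercised by the tests):
# build the command script, feed it to --edit-key, print the new expiries.
set_expiry() {   # $1 = key id or fingerprint, $2 = validity period
    subs=$(gpg2 --with-colons --list-keys "$1" | count_subkeys)
    edit_expire_script "$2" "$subs" |
        gpg2 --batch --command-fd 0 --status-fd 2 --edit-key "$1" >/dev/null
    gpg2 --with-colons --list-keys "$1" | key_expiries
}

# Usage: set_expiry 0xDEADBEEF 1y && gpg2 --send-keys 0xDEADBEEF
```

Compare the expiry timestamps printed at the end: if one subkey still shows the old value, that subkey was not selected when expire ran, and the fix is to re-run the edit for just that key index.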
To list all signatures for a key, use
gpg2 --list-sigs 0xDEADBEEF. To also have gpg2 verify those signatures against the signing keys in your keyring, use
gpg2 --check-sigs 0xDEADBEEF (signatures from keys you do not have locally are marked as unchecked rather than bad).
If you wish to certify (sign) someone else's key with your own, first compare its fingerprint with the owner out of band (gpg2 --fingerprint 0xDEADBEEF), then use
gpg2 --ask-cert-level --sign-key 0xDEADBEEF. The certification is made with the default-key set in the configuration file above. If you wish to sign with a different key of yours, add
--default-key 0xSECRETDEADBEEF to the command.
In case you certified the foreign key with the wrong key, go into edit mode with
gpg2 --edit-key 0xDEADBEEF. Select the user ID that carries the unwanted certification with uid N (delsig with no UID selected walks through all of them), then run
delsig. It looks like this:
% gpg2 --edit-key 0xDEADBEEF
gpg (GnuPG) 2.1.14; Copyright (C) 2016 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

sec  rsa4096/0xDEADBEEF
     created: 1999-12-31  expires: 2012-12-21  usage: SCA
     trust: ultimate      validity: ultimate
ssb  rsa4096/0xFEFEFEFE
     created: 1999-12-31  expires: 2012-12-21  usage: E
[ultimate] (1). Santa Claus <root@localhost>
[ultimate] (2)  Santa Claus <email@example.com>

gpg> uid 1

gpg> delsig
uid  Santa Claus <root@localhost>
sig!3        0xDEADBEEF 1999-12-31  [self-signature]
Delete this good signature? (y/N/q)
For every signature on the selected UID this dialog asks whether to delete it or keep it. Answer n until you reach the certification made by the wrong key and y for that one; answer n for the self-signature shown above, since deleting it invalidates the user ID (q aborts the loop). Don't forget to save after editing! Keep in mind that keyservers only ever merge: if the wrong certification was already uploaded, deleting it locally and re-sending the key does not remove it from the published copies.
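The same cleanup prepared from the machine-readable listing, so that the y/n answers are computed from the signer key IDs instead of read off the screen. This is an added example and not part of the original post. It assumes gpg2 2.1 or newer on the PATH, that 0xDEADBEEF is the certified key and 0xSECRETDEADBEEF the key whose certifications should go, and that delsig prompts once per signature, in the same order in which --list-sigs prints them under that user ID (that is how I read the edit menu; check the echoed prompts on the first run before trusting it). Never pass the key's own ID as the unwanted signer, or the self-signature would be answered with y. The function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: list who certified each user ID of a
# key and build the answers for "delsig" so that only certifications by one
# (wrong) signing key are deleted. Assumptions: gpg2 >= 2.1 on PATH; delsig asks
# about signatures in --list-sigs order under the selected user ID. Names are mine.

# Print "uidindex:signer-keyid:class" for every certification, numbering user
# IDs (and photo IDs, "uat") from 1 the way "uid N" in the edit menu does.
# In "sig"/"rev" records field 5 is the signer's long key id and field 11 the
# signature class: 10x..13x are certifications, "rev" records are revocations.
# Signatures under "sub" records are subkey bindings and are left alone.
certifications() {   # stdin = output of: gpg2 --with-colons --list-sigs KEY
    awk -F: '
        $1 == "uid" || $1 == "uat" { n++ }
        $1 == "sub" || $1 == "ssb" { n = 0 }
        n > 0 && ($1 == "sig" || $1 == "rev") { print n ":" $5 ":" $11 }'
}

# Build the command script for one user ID: select it, run delsig, answer "y"
# for each certification by the unwanted signer and "n" for everything else
# (including the self-signature, which keeps the user ID valid), then save.
delsig_script() {   # $1 = uid index, $2 = unwanted signer key id; stdin = certifications output
    awk -F: -v uid="$1" -v bad="$2" '
        BEGIN {
            sub(/^0[xX]/, "", bad); bad = toupper(bad)   # accept 0x-prefixed ids
            printf "uid %s\ndelsig\n", uid
        }
        $1 == uid { print (toupper($2) == bad ? "y" : "n") }
        END { print "save" }'
}

# Glue against the live keyring (not exercised by the tests). Run the first
# pipeline on its own to review the plan before piping it into --edit-key.
delete_certifications() {   # $1 = certified key, $2 = uid index, $3 = unwanted signer key id
    gpg2 --with-colons --list-sigs "$1" | certifications | delsig_script "$2" "$3" |
        gpg2 --batch --command-fd 0 --status-fd 2 --edit-key "$1"
}

# Usage: delete_certifications 0xDEADBEEF 1 0xSECRETDEADBEEF
```

Because --list-sigs only shows what is in the local keyring, refresh the key first if the certification was made on another machine, otherwise the answer script will be one line short and the prompts will drift out of step.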