-
Notifications
You must be signed in to change notification settings - Fork 1
Expand file tree
/
Copy pathgpg.conf
More file actions
88 lines (55 loc) · 3.01 KB
/
gpg.conf
File metadata and controls
88 lines (55 loc) · 3.01 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
# A basic ~/.gnupg/gpg.conf using stronger than default message
# digests and transport protocols. For the most part, defaults in
# modern versions are chosen for an optimal balance of security and
# interoperability, but you may wish to override them in favor of
# slightly more secure modes of operation. This example should
# evolve over time, as new cryptographic recommendations emerge and
# software defaults shift to adopt them.
#
# Source and references:-
# https://wiki.openstack.org/wiki/OpenPGP_Web_of_Trust
# https://github.com/myfreeweb/dotfiles/blob/master/gpg.conf
# https://we.riseup.net/riseuplabs+paow/openpgp-best-practices
# Use a strong message digest algorithm (not MD5 or SHA1) when
# making an OpenPGP certification (e.g. signing keys).
cert-digest-algo SHA512
# Override the algorithm priority order in recipient key
# preferences (choose the strongest algorithm when multiple digests
# are supported by all recipients). The first in this list is also
# used when signing without encryption.
personal-digest-preferences SHA512 SHA384 SHA256 SHA224
# Define the priority order for hashes, ciphers and compression.
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
# Receive, send and search for keys in the SKS keyservers pool using
# HKPS (OpenPGP HTTP Keyserver Protocol via TLS/SSL).
# See https://sks-keyservers.net/overview-of-pools.php#pool_hkps
keyserver hkps://hkps.pool.sks-keyservers.net
# Set the path to the public certificate for the
# sks-keyservers.net CA used to verify connections to servers in the
# pool above. This should be changed to an absolute path.
keyserver-options ca-cert-file=sks-keyservers.netCA.pem
# Ignore keyserver URLs specified in retrieved/refreshed keys
# so they don't direct you to update from non-HKPS sources.
keyserver-options no-honor-keyserver-url
# You should be using an agent for the same reasons given at:-
# https://www.debian-administration.org/users/dkg/weblog/64
use-agent
# Display key IDs in a more collision-resistant 16-digit hexidecimal
# format and display "0x" at the beginning of the ID for clarity.
keyid-format 0xlong
# You should always know at a glance which User IDs gpg thinks are
# legitimately bound to the keys in your keyring. Display the
# calculated validity of user IDs when listing keys or showing
# signatures.
list-options show-uid-validity
verify-options show-uid-validity
# when outputting certificates, view user IDs distinctly from keys
# and print all timestamps as seconds since 1970-01-01.
fixed-list-mode
# Include an unambiguous indicator of which key made a signature.
# This example uses "%g" to display the fingerprint of the key
# making the signature (which might be a subkey):-
# sig-notation issuer-fpr@notations.openpgp.fifthhorseman.net=%g
# (from http://www.ietf.org/mail-archive/web/openpgp/current/msg00400.html)
# http://www.gnupg.org/documentation/manuals/gnupg/GPG-Esoteric-Options.html#index-sig_002dnotation-310
# sig-notation issuer-fpr@domain.example.com=%g