This repository has been archived by the owner on Aug 26, 2023. It is now read-only.

My GnuPG configuration and some helper scripts

  __________________________________________________
/ This repo has been archived!                       \
| Its successor is at:                               |
\ https://codeberg.org/duxsco/gpg-config-and-scripts /
  --------------------------------------------------
         \   ^__^
          \  (oo)\_______
             (__)\       )\/\
                 ||----w |
                 ||     ||

⚠️ If you want to create a new keypair, you can follow the section Create a GnuPG keypair. ⚠️

System requirements

This repo assumes you are using GnuPG 2.3.x (stable).

macOS needs these Homebrew packages to be installed:

  • bash
  • findutils
  • gnupg
  • gnu-sed

You need to either comment out default-key as well as encrypt-to in gpg.conf or set them to the ID of one of your secret keys. The same applies to sender, where you have to provide the e-mail address of one of your UIDs or comment the option out altogether. To print full-length personal key IDs and e-mail addresses:

gpg --list-options show-only-fpr-mbox --list-secret-keys

Understand the GnuPG configuration

To better understand GnuPG config options you can use man.sh to display man pages while highlighting defaults (in yellow) and options that have been set in the configuration file (in red).

# print man.sh help
bash bin/man.sh

# print "OPTIONS" section of the manpage while
# highlighting options set in the .conf red and "default" in yellow
bash bin/man.sh gpg.conf

# If "less" doesn't show any colors, use the "-R" (--RAW-CONTROL-CHARS) flag
bash bin/man.sh ~/.gnupg/gpg.conf | less -R

List public keys and delete untrusted ones

With pubkey.sh, public keys are listed from top to bottom, colored and grouped by the following trust levels:

  1. ultimate
  2. full
  3. marginal
  4. undefined
  5. The rest: unknown, expired, never trust, revoked and error

  • To print the list:

bash bin/pubkey.sh

  • To delete every public key whose trust level is not ultimate, full, marginal or undefined, pass the -d flag. You will be prompted and must confirm the deletion of each public key:

bash bin/pubkey.sh -d

Pull public keys

GnuPG offers multiple mechanisms to pull a public key. pull.sh tries out a predefined list of mechanisms and lets you choose one of them for pulling the public key:

# print pull.sh help
bash bin/pull.sh

# pull a certain key
bash bin/pull.sh <KEY ID>

SSH support

Launch gpg-agent with ssh support:

echo enable-ssh-support >> ~/.gnupg/gpg-agent.conf

Copy the keygrip of your authentication subkey and add it to ~/.gnupg/sshcontrol:

gpg --list-secret-keys --with-keygrip

Add to your ~/.bashrc:

unset SSH_AGENT_PID
SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
export SSH_AUTH_SOCK

Export your SSH public key and add it to your server's ~/.ssh/authorized_keys:

gpg --export-ssh-key <KEY ID>
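The keygrip step above is easy to get wrong by hand (picking the wrong subkey, or adding the same grip twice). The following script is an added example, not part of this repo: it parses the machine-readable output of gpg --list-secret-keys --with-keygrip --with-colons, selects subkeys with the authentication capability, and appends their keygrips to sshcontrol only if they are not already listed. The sample listing, key IDs and keygrips in it are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example, not part of the original repo: automate the sshcontrol step.
# In the colon-format listing, field 12 of a "sec"/"ssb" record holds the key's
# capabilities ('a' = authentication) and the following "grp" record carries
# the keygrip in field 10.

# Print one keygrip per authentication-capable secret (sub)key. Reads stdin.
auth_keygrips() {
    awk -F: '
        $1 == "sec" || $1 == "ssb" { want = ($12 ~ /a/); next }
        $1 == "grp" && want      { print $10; want = 0 }
    '
}

# Append a keygrip to an sshcontrol file unless its first column already
# holds it (sshcontrol lines may carry a TTL and a comment after the grip).
# Returns 1 when nothing was added.
add_to_sshcontrol() {
    file="$1"; grip="$2"
    if awk -v g="$grip" '$1 == g { found = 1 } END { exit !found }' "$file" 2>/dev/null; then
        return 1
    fi
    printf '%s\n' "$grip" >> "$file"
}

# Wire both together against the live keyring (needs gpg; not run here).
install_auth_keygrips() {
    gpg --list-secret-keys --with-keygrip --with-colons \
        | auth_keygrips \
        | while read -r grip; do
              add_to_sshcontrol "${HOME}/.gnupg/sshcontrol" "$grip" && echo "added $grip"
          done
}

# Constructed sample listing: a certify-only ed25519 primary key, an encryption
# subkey and one authentication subkey. Key IDs and keygrips are placeholders.
SAMPLE_LISTING='sec:u:255:22:1111111111111111:1600000000::u:::cESCA:::+:::ed25519:::0:
fpr:::::::::1111111111111111111111111111111111111111:
grp:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:
uid:u::::1600000000::0000000000000000000000000000000000000000::Example User <user@example.org>::::::::::0:
ssb:u:255:18:2222222222222222:1600000000::::::e:::+:::cv25519::
fpr:::::::::2222222222222222222222222222222222222222:
grp:::::::::BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB:
ssb:u:255:22:3333333333333333:1600000000::::::a:::+:::ed25519::
fpr:::::::::3333333333333333333333333333333333333333:
grp:::::::::CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC:'

# Offline check of the field logic: only the authentication subkey's grip is printed.
demo_keygrips() {
    printf '%s\n' "$SAMPLE_LISTING" | auth_keygrips
}
```

Run install_auth_keygrips on a real keyring and then restart gpg-agent with gpgconf --kill gpg-agent so it picks up the new sshcontrol entries.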

I prefer typing in my PIN for my GnuPG smartcard every time:

echo "LocalCommand gpgconf --reload scdaemon" >> ~/.ssh/config
sudo -i bash -c "echo 'PermitLocalCommand yes' >> /etc/ssh/ssh_config"

Other GnuPG repos

https://github.com/duxsco?tab=repositories&q=gpg-