gpg.conf

## gpg.conf optimized for privacy 0.2
## homepage:
## https://github.com/ioerror/torbirdy/pull/11
## source:
## https://github.com/ioerror/torbirdy/blob/master/gpg.conf

##################################################################
## BEGIN some suggestions from TorBirdy setting extensions.enigmail.agentAdditionalParam

## Don't disclose the version
no-emit-version

## Don't add additional comments (may leak language, etc)
no-comments

## We want to force UTF-8 everywhere
display-charset utf-8

## Proxy settings
keyserver-options http-proxy=socks5://TORIP:TORPORT

keyserver hkp://qdigse2yzvuglcix.onion

## END some suggestions from TorBirdy TorBirdy setting extensions.enigmail.agentAdditionalParam
##################################################################

##################################################################
## BEGIN Some suggestions from Debian http://keyring.debian.org/creating-key.html

personal-digest-preferences SHA512
cert-digest-algo SHA512
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed

## END Some suggestions from Debian http://keyring.debian.org/creating-key.html
##################################################################

##################################################################
## BEGIN Some suggestions added from riseup https://we.riseup.net/riseuplabs+paow/openpgp-best-practices

## When creating a key, individuals may designate a specific keyserver to use to pull their keys from.
## The above option will disregard this designation and use the pool, which is useful because (1) it
## prevents someone from designating an insecure method for pulling their key and (2) if the server
## designated uses hkps, the refresh will fail because the ca-cert will not match, so the keys will
## never be refreshed.
keyserver-options no-honor-keyserver-url

## when outputting certificates, view user IDs distinctly from keys:
fixed-list-mode

## long keyids are more collision-resistant than short keyids (it's trivial to make a key with any desired short keyid)
keyid-format 0xlong

## when multiple digests are supported by all recipients, choose the strongest one:
## already defined above
#personal-digest-preferences SHA512 SHA384 SHA256 SHA224

## preferences chosen for new keys should prioritize stronger algorithms:
## already defined above
#default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 BZIP2 ZLIB ZIP Uncompressed

## If you use a graphical environment (and even if you don't) you should be using an agent:
## (similar arguments as https://www.debian-administration.org/users/dkg/weblog/64)
use-agent

## You should always know at a glance which User IDs gpg thinks are legitimately bound to the keys in your keyring:
verify-options show-uid-validity
list-options show-uid-validity

## include an unambiguous indicator of which key made a signature:
## (see http://thread.gmane.org/gmane.mail.notmuch.general/3721/focus=7234)
sig-notation issuer-fpr@notations.openpgp.fifthhorseman.net=%g

## when making an OpenPGP certification, use a stronger digest than the default SHA1:
## already defined above
#cert-digest-algo SHA256

## END Some suggestions added from riseup https://we.riseup.net/riseuplabs+paow/openpgp-best-practices
##################################################################

##################################################################
## BEGIN Some suggestions from TorBirdy opt-in's

## Up to you whether you in comment it (remove the single # in front of
## it) or not. Disabled by default, because it causes too much complaints and
## confusion.

## Don't include keyids that may disclose the sender or any other non-obvious keyids
#throw-keyids

## END Some suggestions from TorBirdy opt-in's
##################################################################