summaryrefslogtreecommitdiff
path: root/libre/pacman-parabola/gpg.conf
blob: 7fc6fc6613094b99be22faff7f0240194e7e7675 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
# pacman-key default options
no-greeting
no-permission-warning
lock-never
keyserver-options timeout=20

# From duraconf
# personal digest preferences
personal-digest-preferences SHA512

# message digest algorithm used when signing a key
cert-digest-algo SHA512

# Set the list of default preferences to string.
# used for new keys and default for "setpref"
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed

# From
# https://crabgrass.riseup.net/riseuplabs+paow/openpgp-best-practices
# Only use secure keyservers
keyserver hkps://hkps.pool.sks-keyservers.net
keyserver-options ca-cert-file=~/.gnupg/sks-keyservers.netCA.pem
keyserver-options no-honor-keyserver-url

# when outputting certificates, view user IDs distinctly from keys:
fixed-list-mode

# short-keyids are trivially spoofed; it's easy to create a long-keyid
# collision; if you care about strong key identifiers, you always want
# to see the fingerprint:
keyid-format 0xlong
fingerprint

# when multiple digests are supported by all recipients, choose the
# strongest one:
personal-digest-preferences SHA512 SHA384 SHA256 SHA224

# If you use a graphical environment (and even if you don't)
# you should be using an agent: (similar arguments as
# https://www.debian-administration.org/users/dkg/weblog/64)
use-agent

# You should always know at a glance which User IDs gpg thinks are
# legitimately bound to the keys in your keyring:
verify-options show-uid-validity
list-options show-uid-validity

# include an unambiguous indicator of which key made a signature: (see
# http://thread.gmane.org/gmane.mail.notmuch.general/3721/focus=7234)
sig-notation issuer-fpr@notations.openpgp.fifthhorseman.net=%g