
gpg: survival guide

17 May 2025

setup

add this to your .zshrc / .bashrc:

export GPG_TTY=$(tty)

otherwise a tty-based pinentry may ask for the passphrase on some other console instead of the current one (gpg-agent only learns which terminal you are on through this variable).

basic day-to-day usage

list keys:

gpg -k # short form of --list-keys
gpg -K # short form of --list-secret-keys

import / export keys:

gpg --import friend.asc
gpg --export --armor <keyid> > my-pub-key.asc

sign a message (but not encrypt it!):

gpg --detach-sign message.txt # message.txt.sig created; send it together with message.txt
gpg --clearsign message.txt   # message.txt.asc created; it alone could be mailed

verify a signature:

gpg --verify from_friend.asc
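an added example (not from the original post) that runs the sign / verify steps above end to end in a throwaway keyring: a detached signature and a clearsigned copy are made, verified, and then verification is shown to fail when the signed text is altered. it also pins the signer's fingerprint, because a zero exit status from gpg --verify only says that some key in your keyring signed the file. assumes GnuPG 2.1+ on PATH; the user id "alice <alice@example.invalid>" and the message text are made up.

```shell
#!/bin/sh
# added example: sign, verify, detect tampering, pin the signer's fingerprint.
# assumes GnuPG 2.1+ on PATH; the key below is generated into a scratch keyring.
set -eu
command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; exit 0; }

WORK=$(mktemp -d)
export GNUPGHOME="$WORK/home"        # isolated keyring, ~/.gnupg is never touched
mkdir -m 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$WORK"' EXIT

# a passphrase-less key so nothing prompts; acceptable for a scratch keyring only
gpg --batch --pinentry-mode loopback --passphrase '' \
    --quick-gen-key 'alice <alice@example.invalid>' default default never >/dev/null 2>&1
# primary key fingerprint: field 10 of the "fpr" record in --with-colons output
ALICE_FPR=$(gpg --batch --with-colons --fingerprint --list-keys alice@example.invalid 2>/dev/null |
            awk -F: '$1=="fpr"{print $10; exit}')

MSG="$WORK/message.txt"
printf 'meet at noon\n' > "$MSG"          # constructed sample message
gpg --batch --yes --detach-sign "$MSG"    # -> message.txt.sig (binary, travels next to the file)
gpg --batch --yes --clearsign  "$MSG"     # -> message.txt.asc (text + signature in one file)

# GOOD or BAD for the detached signature checked against the given data file
verify_detached() {  # $1 = data file
  if gpg --batch --verify "$MSG.sig" "$1" >/dev/null 2>&1; then echo GOOD; else echo BAD; fi
}

# the text a clearsigned file actually vouches for (gpg strips the armor and signature)
signed_text() {
  gpg --batch --decrypt "$MSG.asc" 2>/dev/null
}

# GOOD only if the signature verifies AND was made by the expected primary key:
# the last field of the VALIDSIG status line is the primary key fingerprint
verify_pinned() {  # $1 = expected fingerprint
  gpg --batch --status-fd 1 --verify "$MSG.sig" "$MSG" 2>/dev/null |
    awk -v want="$1" '$1=="[GNUPG:]" && $2=="VALIDSIG" && $NF==want {ok=1}
                      END{print (ok ? "GOOD" : "BAD")}'
}

printf 'meet at midnight\n' > "$WORK/tampered.txt"   # constructed altered copy
echo "original:  $(verify_detached "$MSG")"                                   # GOOD
echo "tampered:  $(verify_detached "$WORK/tampered.txt")"                     # BAD
echo "pinned:    $(verify_pinned "$ALICE_FPR")"                               # GOOD
echo "wrong key: $(verify_pinned 0000000000000000000000000000000000000000)"   # BAD
echo "clearsigned text: $(signed_text)"                                       # meet at noon
```

verify_pinned is the check worth copying: the expected fingerprint comes from somewhere you already trust (a previous exchange, a printed business card, the config file of your deployment), not from the signature itself.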

keyserver

the keyserver can be given per invocation with the --keyserver hkps://keys.openpgp.org flag, or set once in gpg.conf (see config below).

search for a key by email address:

gpg --search-keys <email-address>

upload your keys to a keyserver:

gpg --send-keys <key-id>

update known keys from a server:

gpg --refresh-keys

key signing

please refer to documents [1] and [2].

fetch the latest version of the key you are about to sign:

gpg --receive-keys 542EF4B4D76748B4FA29972B4F5AF4699A21AF12

sign the key:

gpg --sign-key 542EF4B4D76748B4FA29972B4F5AF4699A21AF12

here is the important part. export the signed public key and encrypt it to that same key. send this to the key's owner and let them decrypt it: the signature is only usable once decrypted, so whoever imports it has proven they hold the private key as well.

gpg -a --export <friends-keyid> | \
    gpg -se -r <friends-keyid> > ~/friend.asc.pgp

now your friend decrypts the file and imports the signed key back into their own keyring:

gpg --decrypt friend.asc.pgp > signed.asc
gpg --import signed.asc

then they can push the newly signed key to a keyserver. caveat: keys.openpgp.org does not distribute third-party signatures, so your signature will not be visible there; use a keyserver that keeps them, or hand the signed key around yourself:

gpg --send-keys <signed-key-id>
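an added example (not part of the original post) that plays the whole exchange above between two throwaway keyrings in one shell session: "me" fetches and signs "friend"'s key, exports it encrypted to that key, and friend decrypts and imports it. the certification count on friend's side is checked before and after, so you can see that nothing reaches their keyring until they can decrypt. assumes GnuPG 2.1+ on PATH; both user ids are made up, the key exchange that the post does via a keyserver is done with --export / --import on the same machine, and --quick-sign-key stands in for the interactive --sign-key.

```shell
#!/bin/sh
# added example: caff-style key signing between two scratch keyrings.
# assumes GnuPG 2.1+ on PATH; user ids below are made up.
set -eu
command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; exit 0; }

WORK=$(mktemp -d)
ME="$WORK/me"; FRIEND="$WORK/friend"
mkdir -m 700 "$ME" "$FRIEND"
trap 'GNUPGHOME="$ME" gpgconf --kill gpg-agent 2>/dev/null; GNUPGHOME="$FRIEND" gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$WORK"' EXIT

# one gpg wrapper per party; --batch --yes keeps everything non-interactive
me()     { GNUPGHOME="$ME"     gpg --batch --yes "$@"; }
friend() { GNUPGHOME="$FRIEND" gpg --batch --yes "$@"; }

gen_key() {  # $1 = wrapper, $2 = uid; passphrase-less keys, for the demo only
  "$1" --pinentry-mode loopback --passphrase '' \
       --quick-gen-key "$2" default default never >/dev/null 2>&1
}
fpr_of() {   # $1 = wrapper, $2 = uid -> primary key fingerprint
  "$1" --with-colons --fingerprint --list-keys "$2" 2>/dev/null |
    awk -F: '$1=="fpr"{print $10; exit}'
}

gen_key me     'me <me@example.invalid>'
gen_key friend 'friend <friend@example.invalid>'
MY_FPR=$(fpr_of me me@example.invalid)
FRIEND_FPR=$(fpr_of friend friend@example.invalid)
MY_KEYID=$(printf %s "$MY_FPR" | tail -c 16)   # long key id = last 16 hex digits of a v4 fpr

# public keys cross in the clear (the post does this with --receive-keys)
friend -a --export "$FRIEND_FPR" | me     --import >/dev/null 2>&1
me     -a --export "$MY_FPR"     | friend --import >/dev/null 2>&1

# certify friend's key with my key: the non-interactive form of --sign-key
me --quick-sign-key "$FRIEND_FPR" 2>/dev/null

# export the now-signed key and encrypt it to that same key, i.e. the post's
# "gpg -se -r <friends-keyid>". --trust-model always is only needed because
# this scratch keyring has no ownertrust set for friend's key.
me -a --export "$FRIEND_FPR" |
  me -a --trust-model always -se -r "$FRIEND_FPR" -o "$WORK/friend.asc.pgp"

# good certifications by MY key on friend's key, as seen from friend's keyring
sigs_from_me() {
  friend --with-colons --check-sigs "$FRIEND_FPR" 2>/dev/null |
    awk -F: -v id="$MY_KEYID" '$1=="sig" && $2=="!" && $5==id {n++} END{print n+0}'
}

BEFORE=$(sigs_from_me)                                    # 0: nothing imported yet
# only the holder of friend's private key can get past this line
friend --decrypt "$WORK/friend.asc.pgp" > "$WORK/signed.asc" 2>/dev/null
friend --import "$WORK/signed.asc" >/dev/null 2>&1
AFTER=$(sigs_from_me)                                     # 1: my certification is now there
echo "certifications by $MY_KEYID on friend's key: before=$BEFORE after=$AFTER"
# the post's last step, gpg --send-keys "$FRIEND_FPR", is left out: no network here.
```

the same pattern extends to one encrypted export per user id (the caff tool does this) if you also want each email address on the key proven, not just possession of the private key.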

config

no-braincell quick-start template, put into ~/.gnupg/gpg.conf:

default-key <your-key-id>
keyserver hkps://keys.openpgp.org

# 0x-prefixed 64-bit key ids, no spaces
keyid-format 0xlong
# make less noise: no "Version:" header in armored output
no-emit-version
# no-op since GnuPG 2.1 (the agent is always used); harmless to keep
use-agent

same for the gpg-agent, put into ~/.gnupg/gpg-agent.conf:

# how long (in seconds) a typed passphrase stays cached; 34560000 is 400 days.
# anything running in your session can use the key without a passphrase for
# that long, so pick something shorter on a shared or portable machine
default-cache-ttl 34560000
max-cache-ttl 34560000

neovim integration:

-- replace current buffer with its cleartext-signed version
vim.keymap.set("n", "<leader>n", "<cmd>%!gpg --quiet --clearsign<cr>")

references:

[0] https://wiki.archlinux.org/title/GnuPG

[1] https://gist.github.com/F21/b0e8c62c49dfab267ff1d0c6af39ab84

[2] https://www.gnupg.org/gph/en/manual/x334.html

[3] https://davesteele.github.io/gpg/2014/09/20/anatomy-of-a-gpg-key/

[4] https://davesteele.github.io/gpg/2015/08/01/intermediate-gpg/