gpg

1. Create

1.1. Certificate/Master/Primary key [C]

When creating the cert key, we don't want it to expire as we'll store it elsewhere.

gpg --quick-generate-key 'Hrishikesh Barman <hrishi@geekodour.org>' ed25519 cert never
set -l KEY_ID "8963 3907 AE52 C5B4 72A1  ABF3 CB46 502E A121 F97D" # certificate key FP
gpg --quick-add-uid $KEY_ID 'Hrishikesh Barman <oss@geekodour.org>'
gpg --quick-add-uid $KEY_ID 'Hrishikesh Barman <hi@geekodour.org>'
gpg --quick-add-uid $KEY_ID 'Hrishikesh Barman <gigs@geekodour.org>'

1.2. Sub keys [S], [E], [A]

gpg --quick-add-key $KEY_ID cv25519 encr # [E]; cv25519 is the ECDH algorithm over Curve25519, while ed25519 names a signature scheme, not a curve
gpg --quick-add-key $KEY_ID ed25519 sign # [S]

2. List

gpg --list-keys
gpg --list-secret-keys

3. Export

3.1. Exporting certificate key for offline storage

gpg --export-secret-key $KEY_ID | paperkey --output-type raw | qrencode --8bit --output secret-key.qr.png
  • Now make sure to print it and write the passphrase along with it. You can use zbarcam to restore it later. (You'll need the public key as well, since paperkey stores only the secret parts.)

3.2. Exporting public key

gpg --output primary_public.gpg --export $KEY_ID # binary
gpg --armor --output primary_public.asc --export $KEY_ID # ascii armored

4. Delete

gpg --delete-key $KEY_ID # public key
gpg --delete-secret-key $KEY_ID # private key
gpg --delete-secret-and-public-key $KEY_ID # both

5. Revocation

  • You cannot delete a key from a keyserver; you can only revoke it.
  • The revocation certificate needs to be stored somewhere safe, because anyone who gets access to it can use it to make your key unusable.
gpg --output [fp]_revoke.rev --gen-revoke [fp] # generate revoke cert, also generated automatically at creation time
gpg --import [fp]_revoke.rev
gpg --keyserver <key_server_url> --send-keys [fp]

6. Restoring

zbarimg -1 --raw -q -Sbinary secret-key.qr.png | paperkey --pubring public-key.gpg | gpg --import
  • Once imported, you might have to set its ownertrust in the trustdb with the trust command in gpg --edit-key.

7. Extend

gpg --quick-set-expire [fp] <never/1y>

8. Extra security

8.1. Removing and Backing up cert key

  • We will not keep the certificate key in our home directory; we will move it offline. The subkeys can stay for now, until we get a physical (hardware) key.
  • First step is to completely back up the ~/.gnupg directory to a local drive such as a thumb drive.
  • Once that's done we do
    • gpg --with-keygrip --list-key <key_ID>
    • keygrip: SHA-1 hash of the public key parameters, expressed in a way that depends on the algorithm.
    • cd ~/.gnupg/private-keys-v1.d and then delete the cert key's file from there based on the keygrip (the file is named <keygrip>.key).
  • Then we also remove the revocation certificate for the [C] key (under ~/.gnupg/openpgp-revocs.d) as we backed that up already.
  • So our system is clean of [C] now.
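Sections 1, 2 and 8.1 put together as a script you can run against a throwaway keyring. This is an added example, not part of the original notes: it is written for bash rather than fish; the UID, the empty passphrase and the backup location are constructed for the demo; and it assumes GnuPG 2.1 or later with gpg, gpg-agent and gpgconf on PATH. Instead of eyeballing the human listing it uses --with-colons, so the cert-only primary, the [E]/[S] subkeys and the sec# stub that remains after the primary's key file is removed can each be checked mechanically.

```bash
#!/usr/bin/env bash
# Added example, not part of the original notes: build the key layout from
# sections 1 and 2 in a throwaway GNUPGHOME, then take the certify key offline
# as in section 8.1 and confirm the result with machine-readable output.
# Assumptions: GnuPG 2.1+ (gpg, gpg-agent, gpgconf) on PATH. The UID and the
# empty passphrase are constructed for the demo keyring only.
set -eu

# Disposable keyring: nothing here touches ~/.gnupg.
new_gnupghome() {
  GNUPGHOME="$(mktemp -d)"
  export GNUPGHOME
}

# Batch-mode gpg with an empty passphrase so no pinentry dialog is needed.
g() { gpg --batch --pinentry-mode loopback --passphrase '' "$@"; }

# Section 1: certify-only primary key plus [E] and [S] subkeys. Prints the
# primary fingerprint (no spaces), which the later commands use as key id.
make_keys() {
  uid="$1"
  g --quick-generate-key "$uid" ed25519 cert never >/dev/null 2>&1
  fpr="$(gpg --with-colons --list-keys | awk -F: '$1 == "fpr" { print $10; exit }')"
  g --quick-add-key "$fpr" cv25519 encr >/dev/null 2>&1
  g --quick-add-key "$fpr" ed25519 sign >/dev/null 2>&1
  echo "$fpr"
}

# Section 2, machine-readable: field 12 of a pub/sub record lists the key
# capabilities; lowercase letters are the key's own, uppercase the usable set
# of the whole key. For a cert-only primary the lowercase part must be "c".
primary_own_caps() {
  gpg --with-colons --list-keys "$1" | awk -F: '$1 == "pub" { print $12; exit }' | tr -d '[:upper:]'
}

# Capabilities of the subkeys, sorted and joined: expect "es".
subkey_caps() {
  gpg --with-colons --list-keys "$1" | awk -F: '$1 == "sub" { print $12 }' | sort | tr -d '\n'
}

# Section 8.1: the keygrip names the file in private-keys-v1.d. The first grp
# record printed with --with-keygrip belongs to the primary key.
primary_keygrip() {
  gpg --with-colons --with-keygrip --list-keys "$1" | awk -F: '$1 == "grp" { print $10; exit }'
}

# Back up the whole GNUPGHOME first (the notes say: thumb drive), then delete
# only the primary's private-key file, leaving the subkeys usable.
take_primary_offline() {
  fpr="$1"; backup="$2"
  gpgconf --kill gpg-agent          # stop the agent so its sockets are not copied
  cp -a "$GNUPGHOME" "$backup"
  rm "$GNUPGHOME/private-keys-v1.d/$(primary_keygrip "$fpr").key"
}

# Field 15 of a sec record is "#" when only a stub of the secret part is left,
# which is what --list-secret-keys shows as "sec#".
primary_secret_marker() {
  gpg --with-colons --list-secret-keys "$1" | awk -F: '$1 == "sec" { print $15; exit }'
}

run_demo() {
  new_gnupghome
  fpr="$(make_keys 'Demo User <demo@example.invalid>')"
  echo "primary caps: $(primary_own_caps "$fpr")  subkey caps: $(subkey_caps "$fpr")"
  backup="$(mktemp -d)/gnupg-backup"
  take_primary_offline "$fpr" "$backup"
  echo "after going offline: sec marker='$(primary_secret_marker "$fpr")' backup=$backup"
  gpg --list-secret-keys "$fpr"     # the human listing now shows sec# for the primary
}

if command -v gpg >/dev/null 2>&1; then run_demo; else echo "gpg not installed, skipping" >&2; fi
```

If primary_own_caps prints anything other than c, the primary was not created with the cert usage and the rest of the procedure does not buy you the isolation it is meant to; if primary_secret_marker still prints an empty string after take_primary_offline, the wrong keygrip file was deleted.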

9. Signing git commits

  • git records the hash of the previous commit in each next commit's metadata, creating an unbreakable cryptographic chain of records.
  • So if you sign the HEAD commit, you're essentially verifying the entire branch history.
  • It is generally good practice to PGP-sign commits: without commit signing, Alice can fake a commit to pretend that it was actually authored by Bob.

9.1. Signed tags

  • PGP-signed tags are just annotated tags (tag objects) with the tag content wrapped in the PGP signature.

9.2. Signed commits

  • Same as signed tags, except that the signing happens on the commit object.

10. Resources

Created: 2024-07-16 Tue 16:44
