GPG Notes

This post provides some random notes on gpg usage I can never seem to remember correctly. It will expand as needed.


Signing things

# Contents only visible after running gpg
$ gpg --local-user user@whatever.domain --sign --armor --output thefile.asc thefile
# Plain text contents included in output
$ gpg --local-user user@whatever.domain --clearsign --armor --output thefile.asc thefile

Verifying signatures

# Verify the signature and write the signed contents to a specific file
# (no command needed: gpg recognises a signed message and verifies it)
$ gpg --output thefile thefile.asc

Showing signatures applied to a key

$ gpg --check-sigs FINGERPRINT

The meaning of this command's output is explained as follows (quoted from the pgp mailing list):

 The exclamation mark is only produced on --check-sigs, it's absent on
 --list-sigs so it's an indication that the signature is good. All signatures
 with --check-sigs should have the ! because signatures made by keys not in
 your key ring are excluded.

 The digit is the indication of how much verification took place before signing
 - when you sign a key, GnuPG asks you how carefully you verified the key, 3
 is the highest level - very careful checking. As the man page describes, this
 is a personal thing and one person's definition of 'very careful' might not
 match yours. Personally, I mean: I checked the fingerprint against a printed
 copy given to me face-to-face by the keyholder who proved his/her identity
 using recognised photo ID (passport, driving licence etc.) and the email
 address was verified by correspondence.

     0 means you make no particular claim as to how carefully you verified the
     key.

     1 means you believe the key is owned by the person who claims to own it
     but you could not, or did not verify the key at all. This is useful for a
     "persona" verification, where you sign the key of a pseudonymous user.

     2 means you did casual verification of the key. For example, this could
     mean that you verified the key fingerprint and checked the user ID on the
     key against a photo ID.

     3 means you did extensive verification of the key. For example, this could
     mean that you verified the key fingerprint with the owner of the key in
     person, and that you checked, by means of a hard to forge document with a
     photo ID (such as a passport) that the name of the key owner matches the
     name in the user ID on the key, and finally that you verified (by exchange
     of email) that the email address on the key belongs to the key owner.

     Note that the examples given above for levels 2 and 3 are just that:
     examples. In the end, it is up to you to decide just what "casual" and
     "extensive" mean to you.

 From this section of the manpage:

     --default-cert-check-level n
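
To make the ! and the digit above concrete, here is an added example (not part of the original notes) that parses the machine-readable form of the same command, gpg --with-colons --check-sigs, and maps each signature to the certification level the manpage excerpt describes. The field positions follow GnuPG's doc/DETAILS (validity mark in field 2, signer key ID in field 5, signer user ID in field 10, signature class such as 13x in field 11, where the class minus 0x10 is the level and the trailing x or l says exportable or local-only); the key IDs, names and timestamps in the sample output are constructed for the demo.

```python
"""Parse the sig records of `gpg --with-colons --check-sigs` output.

Added example, not from the original notes. Field layout per GnuPG's
doc/DETAILS for `sig` records: field 2 validity ('!' good, '-' bad,
'?' signer's key missing, '%' other error, empty on --list-sigs),
field 5 signer key ID, field 10 signer user ID, field 11 signature
class ("10x".."13x"; 'x' = exportable, 'l' = local-only).
"""
from dataclasses import dataclass
from typing import Iterator, Optional

# Certification levels as --default-cert-check-level describes them
CERT_LEVELS = {
    0: "generic (no claim about verification)",
    1: "persona (not verified at all)",
    2: "casual verification",
    3: "extensive verification",
}

VALIDITY = {"!": "good", "-": "bad", "?": "no public key", "%": "error", "": "unchecked"}


@dataclass
class KeySignature:
    validity: str               # one of VALIDITY's values
    signer_keyid: str
    signer_uid: str
    cert_level: Optional[int]   # 0..3, or None for non-certification classes
    exportable: bool
    sig_class: int

    @property
    def level_description(self) -> str:
        if self.cert_level is None:
            return f"class 0x{self.sig_class:02x} (not a certification)"
        return CERT_LEVELS[self.cert_level]


def parse_sig_class(field: str) -> tuple:
    """'13x' -> (0x13, True); '12l' -> (0x12, False)."""
    if len(field) < 2:
        raise ValueError(f"bad signature class field: {field!r}")
    return int(field[:2], 16), field[2:3] == "x"


def parse_check_sigs(output: str) -> Iterator[KeySignature]:
    """Yield one KeySignature per sig/rev record; other record types are skipped."""
    for line in output.splitlines():
        fields = line.split(":")
        if fields[0] not in ("sig", "rev") or len(fields) < 11:
            continue
        sig_class, exportable = parse_sig_class(fields[10])
        # Classes 0x10..0x13 are certifications; the low nibble is the level
        level = sig_class - 0x10 if 0x10 <= sig_class <= 0x13 else None
        yield KeySignature(
            validity=VALIDITY.get(fields[1], "unknown"),
            signer_keyid=fields[4],
            signer_uid=fields[9],
            cert_level=level,
            exportable=exportable,
            sig_class=sig_class,
        )


def good_certifications(output: str, min_level: int = 2) -> list:
    """Signatures that verified ('!') and claim at least min_level of care."""
    return [s for s in parse_check_sigs(output)
            if s.validity == "good" and s.cert_level is not None
            and s.cert_level >= min_level]


# Constructed sample: key IDs, names and timestamps are made up for the demo.
SAMPLE = """\
pub:u:3072:1:AAAAAAAAAAAAAAAA:1600000000:::u:::scESC::::::23::0:
uid:u::::1600000000::0123456789ABCDEF0123456789ABCDEF01234567::Demo User <demo@example.invalid>::::::::::0:
sig:!::1:AAAAAAAAAAAAAAAA:1600000000::::Demo User <demo@example.invalid>:13x:::::::8:
sig:!::1:BBBBBBBBBBBBBBBB:1600001000::::Careful Signer <careful@example.invalid>:13x:::::::8:
sig:!::1:CCCCCCCCCCCCCCCC:1600002000::::Casual Signer <casual@example.invalid>:12l:::::::8:
sig:-::1:DDDDDDDDDDDDDDDD:1600003000::::Tampered Signer <bad@example.invalid>:13x:::::::8:
sig:!::1:EEEEEEEEEEEEEEEE:1600004000::::Persona Signer <persona@example.invalid>:11x:::::::8:
"""

if __name__ == "__main__":
    for s in parse_check_sigs(SAMPLE):
        print(f"{s.validity:14} {s.signer_keyid} level={s.cert_level} {s.level_description}")
    print([s.signer_uid for s in good_certifications(SAMPLE, min_level=2)])
```

The useful filter is good_certifications: a bad ('-') signature is dropped regardless of its level, and a level-1 persona signature is dropped by the default threshold, which is the combination the mailing-list post is warning you to look at rather than just counting signatures.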

Key Maintenance

Updating your key

# To grab new signatures from the keyserver, for instance
# (--keyserver takes a URL; leave it out to use the keyserver configured in gpg.conf / dirmngr.conf)
$ gpg --keyserver KEYSERVER_URL --recv-keys FINGERPRINT

Sending an updated key

# After you've signed it, for instance. Use the fingerprint rather than an
# email address, since an address may match more than one key.
$ gpg --keyserver KEYSERVER_URL --send-keys FINGERPRINT


Encrypt a file for a recipient

# Using their public key
$ gpg --encrypt --recipient someone@some.domain plaintextfile
# Using symmetric encryption and a shared secret (--symmetric on its own;
# adding --encrypt would also require a recipient key)
$ gpg --symmetric plaintextfile

Decrypt a file

$ gpg --decrypt encryptedfile

Use a distinct keyring

If you are using keys associated with an employer, client, or particular project and don’t want them mixed in with your personal keys, you can use a dedicated keyring.

# Note: since GnuPG 2.1, --keyring only selects the public keyring; an imported
# secret key still lands in private-keys-v1.d under the default GNUPGHOME.
# For complete separation use --homedir /path/to/project-home instead.
# Create the keyring (listing fingerprints against a missing file creates it)
$ gpg --no-default-keyring --keyring /path/to/new-keyring.gpg --fingerprint
# Import a secret key
$ gpg --no-default-keyring --keyring /path/to/new-keyring.gpg --import /path/to/secret.key
# Verify it was added
$ gpg --no-default-keyring --keyring /path/to/new-keyring.gpg --list-keys
# Decrypt a file with the new key
$ gpg --no-default-keyring --keyring /path/to/new-keyring.gpg --decrypt /path/to/encrypted.file

Figuring out wtf

Sometimes things just don’t work. In this case, increase the verbosity to full strength!

$ gpg -vvvv --decrypt /file/that/seems/to.break