my cheat sheet on GNU Privacy Guard (gpg)


1 gpg cheat

  • gpg -ea file

Encrypt a file using ASCII Armour, output to stdout.

2 gpg options

Several options can be used with most of the gpg commands. Here are the most common ones:

  • -a output in ASCII-armored format (otherwise the output is binary OpenPGP format)
  • -v verbose
  • -q quiet
  • -i interactive (prompt before overwriting any files)

3 Public key encryption

This will produce an encrypted file, msg.secret.gpg, that can only be decrypted by the recipient:

  • gpg -e -r <RECIPIENT> -o msg.secret.gpg msg.txt
  • gpg -e -a -r <RECIPIENT> --output msg.secret.gpg msg.txt
  • gpg -e -a -u "sender username" -r "receiver username" --output msg.secret.gpg msg.txt

For <RECIPIENT> you can use their key ID, their email, or their name (or part thereof), as long as you have imported their public key beforehand.

  • gpg -e -r <KEY ID> ...
  • gpg -e -r "Bez" ...
  • gpg -e -r "acme@gmail.com" ...

Specifying multiple recipients

  • gpg -e -r <RECIPIENT> -r <ANOTHER RECIPIENT> ... secret.txt

NOTE: Omitting -o|--output will produce an encrypted file named <ORIGINAL FILENAME>.gpg by default. So you could see this:

  • gpg -e -r <RECIPIENT> msg.txt
  • gpg -e -a -r <RECIPIENT> msg.txt
  • gpg -e -a -u "sender username" -r "receiver username" msg.txt

The -u (--local-user) option overrides your default user ID so that a different secret key from your keyring is used to sign. That would be unusual, but you may hold more than one secret/public key pair.

4 Encrypting files with symmetric encryption

4.1 Symmetric encryption

-c, --symmetric: Encrypt with a symmetric cipher using a passphrase. This command may be combined with:

  • -s, --sign (for a signed and symmetrically encrypted message),
  • -e, --encrypt (for a message that may be decrypted via a secret key or a passphrase), or
  • --sign and --encrypt together (for a signed message that may be decrypted via a secret key or a passphrase).

For example:

  • gpg -ca file to encrypt in ascii armor
  • gpg -cas file to sign and encrypt in ascii armor and be prompted for a password for this encrypted file.
  • gpg -ea -r userid1 file to encrypt for userid1 in ascii armor
  • gpg -eas -r userid1 file to sign and encrypt for userid1 in ascii armor

All the above can be done in binary format (not ASCII armor) if you omit the -a option. The output will then be in binary OpenPGP format.

For example:

  • gpg -c file to encrypt
  • gpg -cs file to sign and encrypt and be prompted for a password for this encrypted file.
  • gpg -e -r userid1 file to encrypt for userid1
  • gpg -es -r userid1 file to sign and encrypt for userid1

4.2 caching passphrases

gpg caches the passphrase used for symmetric encryption so that a later decrypt operation may not require the user to enter the passphrase again. The option --no-symkey-cache disables this feature. Otherwise, go ahead and encrypt: while the passphrase is cached you will not be prompted for it when you decrypt.

You can change how long the passphrase is held in the cache by editing ~/.gnupg/gpg.conf and changing the value of the cache option. The value is in seconds, so 86400 is one day.

Example:

  • gpg -c myfile.txt

4.3 gpg.conf

Here are the lines I edited in my gpg.conf:

default-key 484815391
default-recipient sjobs@icloud.com
encrypt-to userid1@gmail.com
keyserver hkp://keys.gnupg.net

There are many other options. See the file itself, as it has many comments describing each option.

4.4 Encrypt to self

From the man pages, --encrypt-to name is intended for use in the options file and may be used with your own user-id as an "encrypt-to-self". These keys are only used when there are other recipients given either by use of --recipient or by the asked user id. No trust checking is performed for these user ids.

5 Decrypting a file

To decrypt the file secret.txt.gpg, and output it to secret.txt:

  • gpg -d -o secret.txt secret.txt.gpg

If the file is encrypted via symmetric encryption, you will be prompted for the passphrase.

NOTE: Omitting -o|--output will print the decrypted contents to stdout.

For unattended decryption the passphrase can be given on the command line; be aware that it is then visible in the process list and shell history:

gpg -d --passphrase password --batch --no-tty < test2.c.gpg2 > test2.c.decrypted

6 Signing a file

Signing may or may not encrypt the file; they are two different things. A signature is a hash of the file that has been signed with your private key. Anybody with your public key can check the signature on that document, as long as they have both the document and the signature.

That may be embedded in the same file, or sent as a separate signature file.

  • gpg -o signed-file.txt.gpg -s file.txt # -s is the old-school pgp command
  • gpg --detach-sign file.txt # does not encrypt, and outputs a separate file called file.txt.sig that is the matching signature file to file.txt
  • gpg --detach-sign --armor file.txt # same, with the signature file ASCII armored

This can be used during encryption to also sign encrypted files:

  • gpg -se -o secret.txt.gpg -r <RECIPIENT> secret.txt

6.1 Signing in cleartext with separate signature file.

Often you want to sign in cleartext, but send the signature as a separate file. To confirm the signature, the recipient must have BOTH documents, i.e. the document and the signature file.

  • gpg -sb signs a document, with a detached signature file
  • gpg -sb -u specify the particular key to use for signing your file

If you specify a user with -u, that user's secret key is used to sign the file, and ONLY the matching public key will verify the signature. (Probably not used much.)

  • gpg --armor --detach-sign file.txt

This will generate a file.txt.sig file alongside file.txt. Send both to your intended recipient.

You will be asked the password for the secret key of your default user.

7 Verifying a signature

  • gpg --verify file.txt.sig

Both the .sig file and the file.txt file have to be accessible.

Viewing content of signed file

  • gpg -d signed-file.txt.gpg # this is an old school pgp command

8 Signing a key

An important step in building up the WOT (web of trust) is to sign keys after you have verified that the fingerprints match what your contact says they are.

  • gpg --sign-key keyid

9 Import a public key from another user.

First have that user send you their public key, for example userid1.asc:


Then you can type gpg --import "userid1.asc". The key is now in the list:

gpg --list-keys

/home/archels/.gnupg/pubring.gpg
--------------------------------
pub   2048R/052E0F63 2014-07-27
uid                  Userid1 Perkons <jchapman@acme.com>
sub   2048R/C91CCABB 2014-07-27

Note that the public key contains their owner's name and e-mail address.
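As an added example (not from the cheat sheet), the following Python re-implements the "=XXXX" integrity line that gpg --armor appends to blocks like the one above, so a received key block can be checked for transport corruption before it is imported. The payload and the Comment header value used here are constructed; the format follows RFC 4880 section 6.1.

```python
"""Verify the "=XXXX" integrity line of an OpenPGP ASCII-armored block.

Added example, not part of the cheat sheet. `gpg -a` / `--armor` wraps binary
OpenPGP data in base64 between BEGIN/END lines and appends "=XXXX": the
base64 of a 24-bit CRC over the binary data (RFC 4880, section 6.1). This
detects transport corruption (a mangled paste or e-mail line wrap) before a
key block is imported; it is not a signature and says nothing about who made
the data. The payload used below is constructed, not a real key.
"""
from __future__ import annotations

import base64

CRC24_INIT = 0xB704CE    # initial value from RFC 4880 section 6.1
CRC24_POLY = 0x1864CFB   # generator polynomial from RFC 4880 section 6.1


def crc24(data: bytes) -> int:
    """Bit-serial CRC-24 exactly as in the RFC's reference implementation."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor(data: bytes, block_type: str = "PGP MESSAGE", comment: str | None = None) -> str:
    """Lay the data out the way gpg --armor does: headers, blank line, 64-char lines, CRC."""
    b64 = base64.b64encode(data).decode("ascii")
    lines = [f"-----BEGIN {block_type}-----"]
    if comment:
        lines.append(f"Comment: {comment}")
    lines.append("")  # a blank line always separates armor headers from the body
    lines.extend(b64[i:i + 64] for i in range(0, len(b64), 64))
    crc_b64 = base64.b64encode(crc24(data).to_bytes(3, "big")).decode("ascii")
    lines.append("=" + crc_b64)
    lines.append(f"-----END {block_type}-----")
    return "\n".join(lines) + "\n"


def dearmor(text: str) -> bytes:
    """Decode an armored block; raise ValueError on bad framing or CRC mismatch."""
    lines = text.strip().splitlines()
    if len(lines) < 3 or not lines[0].startswith("-----BEGIN ") or not lines[-1].startswith("-----END "):
        raise ValueError("missing BEGIN/END armor lines")
    body = lines[1:-1]
    if "" in body:                      # drop "Comment:" / "Version:" header lines
        body = body[body.index("") + 1:]
    if not body or not body[-1].startswith("="):
        raise ValueError("missing =CRC line")
    data = base64.b64decode("".join(body[:-1]), validate=True)
    stated = int.from_bytes(base64.b64decode(body[-1][1:], validate=True), "big")
    actual = crc24(data)
    if actual != stated:
        raise ValueError(f"CRC mismatch: armor says {stated:06X}, data gives {actual:06X}")
    return data


def armor_is_intact(text: str) -> bool:
    """True if the block decodes and its CRC line matches the decoded data."""
    try:
        dearmor(text)
    except ValueError:          # binascii.Error (bad base64) is a ValueError too
        return False
    return True


if __name__ == "__main__":
    payload = b"constructed payload, not a real key"
    block = armor(payload, "PGP PUBLIC KEY BLOCK", comment="constructed example")
    print(block)
    print("intact:", armor_is_intact(block))
    # Corrupt one base64 character: the CRC line catches it.
    broken = block.replace("\nY29u", "\nZ29u", 1)
    print("after corruption:", armor_is_intact(broken))
```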

10 About gpg keys

gpg will have four different types of keys:

pub public primary key
sub public sub-key
sec secret primary key
ssb secret sub-key

The primary key, also called the master key, contains one or more user IDs (name, email address) and is used for signing. The subkey, signed by the primary key and thus confirmed to belong to its user IDs, is used for encryption/decryption.

Since gpg2, keys are generated with one of several usages:

  • (S)igning,
  • (E)ncryption,
  • (C)ertification

Each key will have a level of trust, designated from these trust settings:

Letter Meaning
- No ownertrust assigned / not yet calculated.
e Trust calculation has failed.
q Not enough information for calculation.
n Never trust this key.
m Marginally trusted.
f Fully trusted.
u Ultimately trusted.

Some key management commands:

gpg --edit-key 0x7E62F194
gpg --quick-set-expire <fpr> <expire> [<subkey-ids>]
gpg2 --list-secret-keys --keyid-format LONG
gpg --quick-generate-key user-id [algo [usage [expire]]]
gpg --list-keys
gpg --list-public-keys
gpg --list-secret-keys
gpg --locate-keys
gpg --show-keys
gpg --delete-keys
gpg --delete-secret-keys
gpg --refresh-keys
gpg --generate-key
gpg --quick-set-expire
gpg --sign-key

11 Managing your keyring

11.1 Importing keys from a 3rd party

  • gpg --import somepubkey.asc

This will import the key in the file somepubkey.asc into your public keyring.

When someone sends you a PGP-encrypted message, it was encrypted to your public key and you decrypt it with your own secret key; you need that person's public key to verify their signature. When you want to send an encrypted message to someone, you need that person's public key to encrypt it. Public keys often come in an ASCII-encoded format, which makes them universally shareable.

If the file is Egils-public-key.asc, then importing it would be done with:

  • gpg --import "Egils-public-key.asc"

which you can then see on your key ring with

  • gpg --list-keys

11.2 Sign after importing.

You will notice that after importing another public key, if you run gpg --check-signatures, the state of this key will be [ unknown ] rather than [ full ] or [ ultimate ]. That is because just by importing a key you have not made any claims as to the trust level of that key.

Therefore, you must sign the key with gpg --sign-key keyid (after verifying its fingerprint, see section 8) and state your level of trust. The keyid you can get from the output of gpg --list-keys, or just use the email address of the associated user of the key.

11.2.1 keyid or email-addr

gpg allows you to use either an email address associated to a key or the key id. Either will do.

11.3 Import a secret/private key

You would only do this, for instance, to copy a key from one computer to another.

  • gpg --allow-secret-key-import --import "my private key.txt"

11.4 Generate a new key:

  • gpg --gen-key
  • gpg --full-gen-key

11.5 Generate a revocation certificate

This should be done as soon as you generate a key pair, then kept safe in case your computer becomes inoperable or is stolen.

  • gpg --output ~/revocation.crt --gen-revoke userid1@gmail.com

11.6 List public keys:

  • gpg -k
  • gpg --list-keys

11.7 List secret keys:

  • gpg -K
  • gpg --list-secret-keys

11.8 Deleting a key from a keyring:

You first have to delete the secret key, and only THEN delete the public key. If you try to delete the public key first, you will see a gpg message telling you to delete the secret key first.

  • gpg --delete-secret-keys admin@acme.com
  • gpg --delete-keys admin@acme.com

You will be asked four times if you want to delete them. Obviously think four times before doing it, and maybe take a backup first. Be sure.

11.9 Change secret key password

gpg --edit-key key-id (you get your key id from gpg -K), then at the gpg> prompt:

  • help
  • passwd
  • enter your current password
  • enter the new password twice
  • quit

11.10 Exporting keys

  • gpg -o key.gpg --export <KEY ID>
  • gpg --output key.gpg --export <KEY ID>

You would export your public key so that Egils could import it, encrypt messages to you, and verify the signatures you made with your secret key.

11.11 Export public key in ASCII:

  • gpg --output user-yahoo.com.asc --armor --export user@yahoo.com
  • gpg -o user-yahoo.com.asc --armor --export user@yahoo.com

Note: Omitting the -o|--output option will print the key to stdout.

11.12 Exporting secret key in ASCII

If you want to back up your secret key to an offline file (recommended as good practice):

  • gpg --output user-yahoo.com.asc --armor --export-secret-key user@yahoo.com
  • gpg -o user-yahoo.com.asc --armor --export-secret-key user@yahoo.com

Obviously be very careful where you store this secret key, preferably offline.

12 Uploading to a Keyserver

I uploaded my public key to keys.openpgp.org

keys.openpgp.org
Your key
980D0A46B0B6FD8FE7BB32E15ADEADBEEFCAFE12
is now published for the identity userid1@gmail.com.

It required a confirmation via email, which I responded to, and then got my key registered. The email confirmation message was:

Hi,

This is an automated message from keys.openpgp.org. If you didn't request this
message, please ignore it.

OpenPGP key: 980D0A46B0B6FD8FE7BB32E15ADEADBEEFCAFE12

To let others find this key from your email address "userid1@gmail.com", please
click the link below:

https://keys.openpgp.org/verify/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

You can find more info at keys.openpgp.org/about.

https://keys.openpgp.org
distributing OpenPGP keys since 2019

I also uploaded my .asc public key to https://pgp.mit.edu

and also to:

https://keyserver.ubuntu.com/pks/add

On that link, you can search for userid1@gmail.com and see this:

Figure 1: keyserver.ubuntu.com search

12.1 Correct method of backing up private key

  • gpg --output user-backup-pub-sec-keys.pgp --armor --export-secret-keys --export-options export-backup user@yahoo.com
  • gpg -o user-backup-pub-sec-keys.pgp --armor --export-secret-keys --export-options export-backup user@yahoo.com

This exports all necessary information to restore the secret keys, including the trust database info. This should be stored offline.

13 Key maintenance

13.1 edit-key <keyid>

Edit key presents you with several editing menu picks as follows:

From the man page:

  • delkey Remove a subkey (secondary key). Note that it is not possible to retract a subkey once it has been sent to the public (i.e. to a keyserver). In that case you had better use revkey. Also note that this only deletes the public part of a key.
  • revkey Revoke a subkey.

13.2 dealing with expired keys

When your main key has expired, you cannot use it. At least, any attempt to use it that needs access to your secret key will come back with an error:

gpg: Warning: not using '7ABEEF433' as default key: No secret key
gpg: all values passed to '--default-key' ignored
gpg: no default secret key: No secret key

So you get the error "No secret key". All that is required is to edit the secret key and update the expiration date. The following examples do that.

gpg --list-secret-keys shows that it is there, but expired:

Users/userid1/.gnupg/pubring.gpg
--------------------------------
sec   rsa3072 2021-01-23 [SC] [expired: 2023-07-30]
      45C81..........................153A11E
uid           [ expired] Graham Chapman <jchapman@acme.com>

So we edit it with gpg --edit-key 45C81..........................153A11E:

gpg (GnuPG/MacGPG2) 2.2.41; Copyright (C) 2022 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

sec  rsa3072/DEADBEEFC153A11E
     created: 2021-01-23  expired: 2023-07-30  usage: SC  
     trust: ultimate      validity: expired
ssb  rsa3072/11CAFE7F11BEEF22
     created: 2021-01-23  expired: 2023-07-30  usage: E   
[ expired] (1). Graham Chapman <jchapman@acme.com>

Notice the expiration date is July 2023, so we change that:

gpg> expire

Changing expiration time for the primary key.
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years

Key is valid for? (0) 2y

   Key expires at Thu 11 Sep 20:03:35 2025 EDT
Is this correct? (y/N) y

sec  rsa3072/5ADEADBEEFCAFE12
     created: 2021-01-23  expires: 2025-09-12  usage: SC  
     trust: ultimate      validity: ultimate
ssb  rsa3072/11CAFE7F11BEEF22
     created: 2021-01-23  expired: 2023-07-30  usage: E   
[ultimate] (1). Graham Chapman <jchapman@acme.com>

gpg: WARNING: Your encryption subkey expires soon.
gpg: You may want to change its expiration date too.
gpg> quit
Save changes? (y/N) y

So now notice that the expiration date is Sept 2025. The subkey, however, still has an expiration date that has passed, i.e. July 2023. That is because we only changed the primary secret key, not the secret subkey (ssb). To fix that we need to create a new secret subkey from the existing primary key; this new subkey will have its expiration set appropriately. Finally we delete the expired secret subkey. Note that once the expired encryption subkey is deleted, gpg can no longer decrypt messages that were encrypted to it, so take a backup first, and re-export the public key afterwards so others pick up the new dates.
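As an added example (not from the cheat sheet), here is a Python check that parses `gpg --list-secret-keys --with-colons` output and reports expired or soon-to-expire primary keys and subkeys, i.e. the condition behind the "No secret key" error above and the expired ssb that remained after the primary was renewed. The two listings inside the script are constructed to mirror the key IDs and dates on this page; the field positions follow GnuPG's doc/DETAILS.

```python
"""Flag expired or expiring GnuPG keys from `gpg --with-colons` output.

Added example, not part of the cheat sheet. It parses the machine-readable
listing produced by `gpg --list-secret-keys --with-colons` (field layout from
GnuPG's doc/DETAILS) and reports which primary keys (sec) and subkeys (ssb)
are expired or about to expire, so the "No secret key" failure shown in the
cheat sheet can be caught ahead of time. The two listings below are
constructed to mirror the cheat sheet's key IDs and dates; they were not
captured from a real gpg run.
"""
from __future__ import annotations

import datetime as dt
from dataclasses import dataclass

# Constructed: primary key already renewed to 2025-09-12, encryption subkey
# still expired on 2023-07-30.  Fields used: 0 type, 1 validity letter,
# 4 key ID, 5 created, 6 expires (both epoch seconds; empty = never), 11 capabilities.
BEFORE = """\
sec:u:3072:1:5ADEADBEEFCAFE12:1611360000:1757635200::u:::scESC:::+::::
fpr:::::::::980D0A46B0B6FD8FE7BB32E15ADEADBEEFCAFE12:
uid:u::::1611360000::0000000000000000000000000000000000000000::Graham Chapman <jchapman@acme.com>::::::::::0:
ssb:e:3072:1:11CAFE7F11BEEF22:1611360000:1690675200:::::e:::+:::23:
"""
# Constructed: the same keyring after `addkey` created subkey 5A11FF9B9BBEEF33.
AFTER = BEFORE + "ssb:u:3072:1:5A11FF9B9BBEEF33:1694563200:1757635200:::::e:::+:::23:\n"

KEY_RECORDS = ("sec", "ssb", "pub", "sub")


@dataclass
class KeyRecord:
    kind: str               # sec / ssb / pub / sub, as in the cheat sheet's key table
    validity: str           # gpg validity letter; 'e' marks an expired key
    keyid: str
    created: dt.date
    expires: dt.date | None
    caps: str               # e.g. "scESC" for a primary key, "e" for an encryption subkey


def _to_date(field: str) -> dt.date | None:
    if not field:
        return None
    if field.isdigit():     # --fixed-list-mode (gpg2 default): seconds since the epoch
        return dt.datetime.fromtimestamp(int(field), tz=dt.timezone.utc).date()
    return dt.date.fromisoformat(field[:10])   # older YYYY-MM-DD form


def parse_colons(text: str) -> list[KeyRecord]:
    """Return the key records of a --with-colons listing; uid/fpr/grp lines are skipped."""
    records = []
    for line in text.splitlines():
        f = line.split(":")
        if len(f) < 12 or f[0] not in KEY_RECORDS:
            continue
        records.append(KeyRecord(f[0], f[1], f[4], _to_date(f[5]), _to_date(f[6]), f[11]))
    return records


def expiry_report(text: str, today: str, warn_days: int = 30) -> dict[str, str]:
    """Map each key ID to 'expired', 'expires-soon', 'ok' or 'never-expires' as of `today`."""
    now = dt.date.fromisoformat(today)
    report = {}
    for rec in parse_colons(text):
        if rec.expires is None:
            status = "never-expires"
        elif rec.validity == "e" or rec.expires <= now:
            status = "expired"
        elif (rec.expires - now).days <= warn_days:
            status = "expires-soon"
        else:
            status = "ok"
        report[rec.keyid] = status
    return report


def usable_encryption_subkey(text: str, today: str) -> str | None:
    """Key ID of a subkey with capability 'e' that has not expired, or None."""
    statuses = expiry_report(text, today)
    for rec in parse_colons(text):
        if rec.kind in ("ssb", "sub") and "e" in rec.caps and statuses[rec.keyid] != "expired":
            return rec.keyid
    return None


if __name__ == "__main__":
    today = dt.date.today().isoformat()
    for label, listing in (("before addkey", BEFORE), ("after addkey", AFTER)):
        print(label, expiry_report(listing, today),
              "usable E subkey:", usable_encryption_subkey(listing, today))
```

Run it against a live keyring with `gpg --list-secret-keys --with-colons | python3 thisfile.py` style piping by feeding stdin to `expiry_report`, or keep the constructed listings to see the before/after difference offline.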

13.3 run-through of changing expiration date for keys

gpg --edit-key 11CAFE7F11BEEF22

gpg (GnuPG/MacGPG2) 2.2.41; Copyright (C) 2022 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

sec  rsa3072/5ADEADBEEFCAFE12
     created: 2021-01-23  expires: 2025-09-12  usage: SC  
     trust: ultimate      validity: ultimate
ssb  rsa3072/11CAFE7F11BEEF22
     created: 2021-01-23  expired: 2023-07-30  usage: E   
[ultimate] (1). Graham Chapman <jchapman@acme.com>

gpg> addkey

 Please select what kind of key you want:
 (3) DSA (sign only)
 (4) RSA (sign only)
 (5) Elgamal (encrypt only)
 (6) RSA (encrypt only)
(14) Existing key from card

Your selection? 6

   RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 
Requested keysize is 3072 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years

Key is valid for? (0) 2y

   Key expires at Thu 11 Sep 21:07:30 2025 EDT
Is this correct? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

sec  rsa3072/5ADEADBEEFCAFE12
     created: 2021-01-23  expires: 2025-09-12  usage: SC  
     trust: ultimate      validity: ultimate
ssb  rsa3072/11CAFE7F11BEEF22
     created: 2021-01-23  expired: 2023-07-30  usage: E   
ssb  rsa3072/5A11FF9B9BBEEF33
     created: 2023-09-13  expires: 2025-09-12  usage: E   
[ultimate] (1). Graham Chapman <jchapman@acme.com>

gpg> delkey

   You must select at least one key.
(Use the 'key' command.)

gpg> list

   sec  rsa3072/5ADEADBEEFCAFE12
     created: 2021-01-23  expires: 2025-09-12  usage: SC  
     trust: ultimate      validity: ultimate
ssb  rsa3072/11CAFE7F11BEEF22
     created: 2021-01-23  expired: 2023-07-30  usage: E   
ssb  rsa3072/5A11FF9B9BBEEF33
     created: 2023-09-13  expires: 2025-09-12  usage: E   
[ultimate] (1). Graham Chapman <jchapman@acme.com>

gpg> delkey 11CAFE7F11BEEF22

   You must select at least one key.
(Use the 'key' command.)

gpg> key ?

   sec  rsa3072/5ADEADBEEFCAFE12
     created: 2021-01-23  expires: 2025-09-12  usage: SC  
     trust: ultimate      validity: ultimate
ssb  rsa3072/11CAFE7F11BEEF22
     created: 2021-01-23  expired: 2023-07-30  usage: E   
ssb  rsa3072/5A11FF9B9BBEEF33
     created: 2023-09-13  expires: 2025-09-12  usage: E   
[ultimate] (1). Graham Chapman <jchapman@acme.com>

gpg> key 11CAFE7F11BEEF22

   sec  rsa3072/5ADEADBEEFCAFE12
     created: 2021-01-23  expires: 2025-09-12  usage: SC  
     trust: ultimate      validity: ultimate
ssb* rsa3072/11CAFE7F11BEEF22
     created: 2021-01-23  expired: 2023-07-30  usage: E   
ssb  rsa3072/5A11FF9B9BBEEF33
     created: 2023-09-13  expires: 2025-09-12  usage: E   
[ultimate] (1). Graham Chapman <jchapman@acme.com>

gpg> delkey

   Do you really want to delete this key? (y/N) y

sec  rsa3072/5ADEADBEEFCAFE12
     created: 2021-01-23  expires: 2025-09-12  usage: SC  
     trust: ultimate      validity: ultimate
ssb  rsa3072/5A11FF9B9BBEEF33
     created: 2023-09-13  expires: 2025-09-12  usage: E   
[ultimate] (1). Graham Chapman <jchapman@acme.com>

gpg> 

13.4 pass

See also the *nix command pass, a password manager that stores its entries encrypted with gpg.

14 Correct way of using multiple keys

Since the above method was confusing and did not seem to work anyway, I then deleted the icloud key above, and instead generated a new icloud key on my Linux VM. I then signed each other's keys following these steps:

  1. on each host:
    • gpg -o zperkons.asc --armor --export D60E5B66 # for public key somedude@icloud.com
    • gpg -o userid1.asc --armor --export 48452433 # for public key userid1@gmail.com
  2. copied the local .asc file to the other computer
  3. on each host imported the other public key:
    • gpg --import userid1.asc
    • gpg --import zperkons.asc
  4. on each host, signed the imported public key
    • gpg --sign-key userid1@gmail.com
    • gpg --sign-key somedude@icloud.com
  5. checked fingerprints on my gmail.com computer:
/Users/userid1[3478]
$ gpg --fingerprint userid1@gmail.com
pub   rsa3072 2021-01-23 [SC] [expires: 2023-01-23]
      980D 0A46 B0B6 FD8F E7BB  32E1 176F 621A 4845 2433
uid           [ultimate] Miles Smoketoomuch <msmoketoomuch@acme.com>
sub   rsa3072 2021-01-23 [E] [expires: 2023-01-23]

/Users/userid1[3479]
$ gpg --fingerprint somedude@icloud.com
pub   dsa3072 2022-04-24 [SC] [expires: 2024-04-23]
      C779 18DE 8AA3 51C0 724A  83D3 0137 4DB6 D60E 5B66
uid           [  full  ] Miles Smoketoomuch (icloud account for somedude) <somedude@icloud.com>
sub   elg3072 2022-04-24 [E] [expires: 2024-04-23]

/Users/userid1[3480]
  6. checked fingerprints on my zperkons@icloud.com computer:
userid1@c8host ~/.gnupg[1054] $
gpg --fingerprint userid1@gmail.com
pub   rsa3072 2021-01-23 [SC] [expires: 2023-01-23]
      980D 0A46 B0B6 FD8F E7BB  32E1 176F 621A 4845 2433
uid           [  full  ] Miles Smoketoomuch <msmoketoomuch@acme.com>
sub   rsa3072 2021-01-23 [E] [expires: 2023-01-23]

userid1@c8host ~/.gnupg[1055] $
gpg --fingerprint somedude@icloud.com
pub   dsa3072 2022-04-24 [SC] [expires: 2024-04-23]
      C779 18DE 8AA3 51C0 724A  83D3 0137 4DB6 D60E 5B66
uid           [ultimate] Miles Smoketoomuch (icloud account for somedude) <somedude@icloud.com>
sub   elg3072 2022-04-24 [E] [expires: 2024-04-23]

userid1@c8host ~/.gnupg[1056] $
  7. check signatures:
/Users/userid1[3480]
$ gpg --check-signatures               
/Users/userid1/.gnupg/pubring.gpg
--------------------------------
pub   rsa3072 2021-01-23 [SC] [expires: 2023-01-23]
      980D0A46B0B6FD8FE7BB32E15ADEADBEEFCAFE12
uid           [ultimate] Miles Smoketoomuch <msmoketoomuch@acme.com>
sig!3        5ADEADBEEFCAFE12 2021-01-23  Miles Smoketoomuch <msmoketoomuch@acme.com>
sub   rsa3072 2021-01-23 [E] [expires: 2023-01-23]
sig!         5ADEADBEEFCAFE12 2021-01-23  Miles Smoketoomuch <msmoketoomuch@acme.com>

pub   rsa3072 2022-04-23 [SC] [expires: 2024-04-22]
      CA1744F9B7872B89AB68AF081024C5B72FB0D198
uid           [ultimate]
sig!3        1024C5B72FB0D198 2022-04-23  Miles Smoketoomuch (Personal key for Miles Smoketoomuch on acmezint.com) <admin@acmezint.com>
sig!         5ADEADBEEFCAFE12 2022-04-23  Miles Smoketoomuch <msmoketoomuch@acme.com>
sub   rsa3072 2022-04-23 [E] [expires: 2024-04-22]
sig!         1024C5B72FB0D198 2022-04-23  Miles Smoketoomuch (Personal key for Miles Smoketoomuch on acmezint.com) smoker@acmezint.com>

pub   dsa3072 2022-04-24 [SC] [expires: 2024-04-23]
      C77918DE8AA351C0724A83D3A104976F912BDAFE5F26C36DBDE404A59E6B2C25 
uid           [  full  ] Miles Smoketoomuch (icloud account for somedude) <somedude@icloud.com>
sig!3        A104976F912BDAFE5F26C36DBDE404A59E6B2C25  2022-04-24  Miles Smoketoomuch (icloud account for somedude) <somedude@icloud.com>
sig!         5ADEADBEEFCAFE12 2022-04-24  Miles Smoketoomuch <msmoketoomuch@acme.com>
sub   elg3072 2022-04-24 [E] [expires: 2024-04-23]
sig!         A104976F912BDAFE5F26C36DBDE404A59E6B2C25  2022-04-24  Miles Smoketoomuch (icloud account for somedude) <somedude@icloud.com>

gpg: 8 good signatures
/Users/userid1[3481]

And the other host signatures:

userid1@c8host ~/.gnupg[1062] $
gpg --check-signatures
/home/userid1/.gnupg/pubring.kbx
-------------------------------
pub   dsa3072 2022-04-24 [SC] [expires: 2024-04-23]
      C77918DE8AA351C0724A83D3A104976F912BDAFE5F26C36DBDE404A59E6B2C25 
uid           [ultimate] Miles Smoketoomuch (icloud account for somedude) <somedude@icloud.com>
sig!3        A104976F912BDAFE5F26C36DBDE404A59E6B2C25  2022-04-24  Miles Smoketoomuch (icloud account for somedude) <somedude@icloud.com>
sub   elg3072 2022-04-24 [E] [expires: 2024-04-23]
sig!         A104976F912BDAFE5F26C36DBDE404A59E6B2C25  2022-04-24  Miles Smoketoomuch (icloud account for somedude) <somedude@icloud.com>

pub   rsa3072 2021-01-23 [SC] [expires: 2023-01-23]
      980D0A46B0B6FD8FE7BB32E15ADEADBEEFCAFE12
uid           [  full  ] Miles Smoketoomuch <msmoketoomuch@acme.com>
sig!3        5ADEADBEEFCAFE12 2021-01-23  Miles Smoketoomuch <msmoketoomuch@acme.com>
sig!         A104976F912BDAFE5F26C36DBDE404A59E6B2C25  2022-04-24  Miles Smoketoomuch (icloud account for somedude) <somedude@icloud.com>
sub   rsa3072 2021-01-23 [E] [expires: 2023-01-23]
sig!         5ADEADBEEFCAFE12 2021-01-23  Miles Smoketoomuch <msmoketoomuch@acme.com>

gpg: 5 good signatures
userid1@c8host ~/.gnupg[1063] $

15 Examples

  • gpg -se -r Bob file: sign and encrypt a file for Bob (with Bob's public key)
  • gpg --clear-sign file: make a cleartext signature (with your private key)
  • gpg -sb file: sign and detach the signature (with your private key)
  • gpg -sb file -u 0x87654321: sign and detach the signature using key 0x87654321
  • gpg --list-keys: show keys
  • gpg --list-keys Alice: show keys for user Alice
  • gpg --fingerprint user_ID: show fingerprint for user_ID
  • gpg --check-signatures: show signatures of all keys in your keyring

Using multiple keys

By default gpg will run as the owner of the default key. To run gpg as the owner of a different key, you must specify that. See man gpg.

15.1 Before signing by 1)

$ gpg --list-keys
/Users/userid1/.gnupg/pubring.gpg
--------------------------------
pub   rsa3072 2021-01-23 [SC] [expires: 2023-01-23]
      55EE44CC7775008FE7BB32E15ADEADBEEFCAFE12
uid           [ultimate] Miles Smoketoomuch <msmoketoomuch@acme.com>
sub   rsa3072 2021-01-23 [E] [expires: 2023-01-23]

pub   ed25519 2022-04-23 [SC] [expires: 2024-04-22]
      20c62e903ae2f08edb78ca76c3ba670c6af59639FF5FEDCE7091
uid           [ultimate] Miles Smoketoomuch <somedude@icloud.com>
sub   cv25519 2022-04-23 [E] [expires: 2024-04-22]

pub   rsa3072 2022-04-23 [SC] [expires: 2024-04-22]
      CA1744F9B7872B89AB68AF081024C5B72FB0D198
uid           [ultimate] Miles Smoketoomuch (Personal key for Miles Smoketoomuch on acmezint.com) smoker@acmezint.com>
sub   rsa3072 2022-04-23 [E] [expires: 2024-04-22]

15.2 After signing by 1)

I signed the keys as user userid1@gmail.com but then --list-keys did not seem to change:

$ gpg --list-keys                   
/Users/userid1/.gnupg/pubring.gpg
--------------------------------
pub   rsa3072 2021-01-23 [SC] [expires: 2023-01-23]
      55EE44CC7775008FE7BB32E15ADEADBEEFCAFE12
uid           [ultimate] Miles Smoketoomuch <msmoketoomuch@acme.com>
sub   rsa3072 2021-01-23 [E] [expires: 2023-01-23]

pub   ed25519 2022-04-23 [SC] [expires: 2024-04-22]
      20C62E903AE2F08EDB78CA76C3BA670C6AF59639
uid           [ultimate] Miles Smoketoomuch <somedude@icloud.com>
sub   cv25519 2022-04-23 [E] [expires: 2024-04-22]

pub   rsa3072 2022-04-23 [SC] [expires: 2024-04-22]
      CA1744F9B7872B89AB68AF081024C5B72FB0D198
uid           [ultimate] Miles Smoketoomuch (Personal key for Miles Smoketoomuch on acmezint.com) smoker@acmezint.com>
sub   rsa3072 2022-04-23 [E] [expires: 2024-04-22]

Looks the same. But I did sign zperkons and admin with the gmail key. hmmmm.

The first time I ran --list-keys after signing I got this:

$ gpg --list-keys                   
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   3  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 3u
gpg: next trustdb check due at 2023-01-23
/Users/userid1/.gnupg/pubring.gpg
--------------------------------
pub   rsa3072 2021-01-23 [SC] [expires: 2023-01-23]
      55EE44CC7775008FE7BB32E15ADEADBEEFCAFE12
uid           [ultimate] Miles Smoketoomuch <msmoketoomuch@acme.com>
sub   rsa3072 2021-01-23 [E] [expires: 2023-01-23]

pub   ed25519 2022-04-23 [SC] [expires: 2024-04-22]
      20c62e903ae2f08edb78ca76c3ba670c6af59639FF5FEDCE7091
uid           [ultimate] Miles Smoketoomuch <somedude@icloud.com>
sub   cv25519 2022-04-23 [E] [expires: 2024-04-22]

pub   rsa3072 2022-04-23 [SC] [expires: 2024-04-22]
      CA1744F9B7872B89AB68AF081024C5B72FB0D198
uid           [ultimate] Miles Smoketoomuch (Personal key for Miles Smoketoomuch on acmezint.com) smoker@acmezint.com>
sub   rsa3072 2022-04-23 [E] [expires: 2024-04-22]
