my cheat sheet on GNU Privacy Guard (gpg)
1 gpg cheat
gpg -ea file
Encrypt a file using ASCII armour, output to stdout.
2 gpg options
Several options can be used with most of the gpg commands. Here are the most common ones:
-a  encrypt in ASCII-armored format (otherwise the output is binary OpenPGP format)
-v  verbose
-q  quiet
-i  interactive (prompt before overwriting any files)
3 Public key encryption
This will produce an encrypted file (msg.secret.gpg in the examples below) that can only be decrypted by the recipient:
gpg -e -r <RECIPIENT> -o msg.secret.gpg msg.txt
gpg -e -a -r <RECIPIENT> --output msg.secret.gpg msg.txt
gpg -e -a -u "sender username" -r "receiver username" --output msg.secret.gpg msg.txt
For <RECIPIENT> you can use their key ID, their email, or their name (or part thereof), as long as you have imported their public key beforehand.
gpg -e -r <KEY ID> ...
gpg -e -r "Bez" ...
gpg -e -r "acme@gmail.com" ...
Specifying multiple recipients
gpg -e -r <RECIPIENT> -r <ANOTHER RECIPIENT> ... secret.txt
NOTE: Omitting -o|--output will produce an encrypted file named <ORIGINAL FILENAME>.gpg by default (<ORIGINAL FILENAME>.asc when -a is given). So you could see this:
gpg -e -r <RECIPIENT> msg.txt
gpg -e -a -r <RECIPIENT> msg.txt
gpg -e -a -u "sender username" -r "receiver username" msg.txt
The -u option lets you override your default user ID and sign with a different private key. That would be unusual, but you may have more than one secret/public key pair. ?? maybe…
4 Encrypting files with symmetric encryption.
4.1 Symmetric encryption
-c, --symmetric
Encrypt with a symmetric cipher using a passphrase. This command may be combined with:
-s, --sign (for a signed and symmetrically encrypted message),
-e, --encrypt (for a message that may be decrypted via a secret key or a passphrase), or
--sign and --encrypt together (for a signed message that may be decrypted via a secret key or a passphrase).
For example:
gpg -ca file
to encrypt in ascii armor
gpg -cas file
to sign and encrypt in ascii armor; you will be prompted for a password for this encrypted file.
gpg -ea -r userid1 file
to encrypt for userid1 in ascii armor
gpg -eas -r userid1 file
to sign and encrypt for userid1 in ascii armor
All the above can be done in binary format (not ascii armor) if you omit the -a option. The output will then be in binary OpenPGP format.
For example:
gpg -c file
to encrypt
gpg -cs file
to sign and encrypt; you will be prompted for a password for this encrypted file.
gpg -e -r userid1 file
to encrypt for userid1
gpg -es -r userid1 file
to sign and encrypt for userid1
4.2 caching passphrases
gpg caches the passphrase used for symmetric encryption, so a later decrypt operation may not require the user to enter the passphrase again. The option --no-symkey-cache disables this feature. Otherwise, go ahead and encrypt; you won't need the password to decrypt while the cache entry is alive.
You can change how long the passphrase is held in the cache by editing ~/.gnupg/gpg.conf and changing the value of the cache lifetime option. The value is in seconds, so 86400 is one day.
Example:
gpg -c myfile.txt
4.3 gpg.conf
Here is my gpg.conf with the edited lines:
default-key 484815391
default-recipient sjobs@icloud.com
encrypt-to userid1@gmail.com
keyserver hkp://keys.gnupg.net
There are many other options. See the file itself, as it has comments describing each option.
4.4 Encrypt to self
From the man pages: --encrypt-to name is intended for use in the options file and may be used with your own user-id as an "encrypt-to-self". These keys are only used when there are other recipients given either by use of --recipient or by the asked user id. No trust checking is performed for these user ids.
5 Decrypting a file
To decrypt the file secret.txt.gpg, and output it to secret.txt:
gpg -d -o secret.txt secret.txt.gpg
If the file is encrypted via symmetric encryption, you will be prompted for the passphrase.
NOTE: Omitting -o|--output will print the unencrypted contents to stdout.
To decrypt non-interactively, supplying the passphrase on the command line:
gpg -d --passphrase password --batch --no-tty < test2.c.gpg2 >test2.c.decrypted
Note that on GnuPG 2.1 and later --passphrase is only honoured together with --pinentry-mode loopback; without it the agent still pops up pinentry. The passphrase also ends up in shell history and the process list, so prefer --passphrase-file or --passphrase-fd for scripts.
6 Signing a file
Signing may or may not encrypt the file. They are two different things.
A signature is a hash of the file, signed with your private key. Anybody with the matching public key can check the signature of that document, as long as they have both the document and the signature. The signature may be attached to the same file, or sent as a separate signature file.
gpg -o signed-file.txt.gpg -s file.txt
# -s is the old-school pgp command; output contains the file plus its signature.
gpg --detach-sign file.txt
# does not encrypt, and outputs a separate file called file.txt.sig that is the matching signature file to file.txt
gpg --detach-sign --armor file.txt
# same, but the ASCII-armored signature is written to file.txt.asc
This can be used during encryption to also sign encrypted files:
gpg -s -e -o secret.txt.gpg -r <RECIPIENT> secret.txt
6.1 Signing in cleartext with separate signature file.
Often you want to sign in cleartext, but send the signature as a separate file. To confirm the signature, the recipient must have BOTH documents, i.e. the document and the signature file.
gpg -sb
signs a document, with a detached signature file
gpg -sb -u <KEY ID>
specify the particular key to use for signing your file
If you specify a user with -u, that user's private key is used to sign it, and ONLY the matching public key will verify the signature. ? Don't know if this is used much.
gpg --armor --detach-sign file.txt
This will generate a file.txt.asc signature file alongside file.txt. Send both to your intended recipient.
You will be asked for the password of the secret key of your default user.
7 Verifying a signature
gpg --verify file.txt.sig
Both the .sig file as well as the file.txt file have to be accessible.
Viewing content of signed file
gpg -d signed-file.txt.gpg
# this is an old school pgp command
8 Signing a key
An important step in building up the WOT (web of trust) is to sign keys after you have verified that the fingerprints match what your contact is saying.
gpg --sign-key keyid
9 Import a public key from another user.
First have that user send you their public key, for example userid1.asc
Then you can type gpg --import "userid1.asc"
The key is now in the list:
gpg --list-keys
/home/archels/.gnupg/pubring.gpg
--------------------------------
pub   2048R/052E0F63 2014-07-27
uid                  Userid1 Perkons <jchapman@acme.com>
sub   2048R/C91CCABB 2014-07-27
Note that the public key contains their owner's name and e-mail address.
10 About gpg keys
gpg will have four different types of keys:
Type | Meaning |
---|---|
pub | public primary key |
sub | public sub-key |
sec | secret primary key |
ssb | secret sub-key |
The primary key, also called the master key, contains one or more user-IDs (name, email address) and is used for signing. The sub-key, signed by the primary key and thus confirmed to belong to its user-IDs, is used for encryption/decryption.
Since gpg2, keys are generated with one or more of several usages:
- (S)igning
- (E)ncryption
- (C)ertification
- (A)uthentication
Each key will have a level of trust, designated from these trust settings:
Letter | Meaning |
---|---|
- | No ownertrust assigned / not yet calculated. |
e | Trust calculation has failed. |
q | Not enough information for calculation. |
n | Never trust this key. |
m | Marginally trusted. |
f | Fully trusted. |
u | Ultimately trusted. |
Some key management commands:
gpg --edit-key 0x7E62F194
gpg --quick-set-expire <fpr> <expire> [<subkey-fprs>]
gpg2 --list-secret-keys --keyid-format LONG
gpg --quick-generate-key user-id [algo [usage [expire]]]
gpg --list-keys
gpg --list-public-keys
gpg --list-secret-keys
gpg --locate-keys
gpg --show-keys
gpg --delete-keys
gpg --delete-secret-keys
gpg --refresh-keys
gpg --generate-key
gpg --sign-key
11 Managing your keyring
11.1 Importing keys from a 3rd party
gpg --import somepubkey.asc
This will import the key in "somepubkey.asc" into your public keyring.
When someone sends you a PGP-signed message, you need that person's public key to verify it. When you want to send an encrypted message to someone, you need that person's public key to encrypt it. Public keys often come in an ASCII-armored format, which makes them universally shareable.
If the file is Egils-public-key.asc, then importing it would be done with:
gpg --import "Egils-public-key.asc"
which you can then see on your keyring with
gpg --list-keys
11.2 Sign after importing.
You will notice that after importing another public key, if you run
gpg --check-signatures
the state of this key will be [ unknown ] rather than [ full ] or [ ultimate ]. That is because just by importing a key you have not made any claims as to the trust level of that key. Therefore, you must sign the key with gpg --sign-key keyid and state your level of trust. The keyid you can get from the output of gpg --list-keys, or just use the email address of the user associated with the key.
11.2.1 keyid or email-addr
gpg allows you to use either an email address associated to a key or the key id. Either will do.
11.3 Import a secret/private key
You would only do this for instance, to copy it from one computer to another.
gpg --allow-secret-key-import --import "my private key.txt"
11.4 Generate a new key:
gpg --gen-key
gpg --full-gen-key
11.5 Generate a revocation certificate
This should be done as soon as you generate a key pair, then kept safe in case your computer becomes inoperable or is stolen.
gpg --output ~/revocation.crt --gen-revoke userid1@gmail.com
11.6 List public keys:
gpg -k
gpg --list-keys
11.7 List secret keys:
gpg -K
gpg --list-secret-keys
11.8 Deleting a key from a keyring:
You first have to delete the secret key, and only THEN delete the public key. If you try to delete the public key first, you will see a gpg message telling you to delete the secret key first.
gpg --delete-secret-keys admin@acme.com
gpg --delete-keys admin@acme.com
You will be asked 4 times if you want to delete them. Obviously think four times before doing it; maybe take a backup first. Be sure.
11.9 Change secret key password
gpg --edit-key key-id
where you get your key id from gpg -K
- help
- passwd
- enter your current password
- enter the new password twice
- quit
11.10 Exporting keys
gpg -o key.gpg --export <KEY ID>
gpg --output key.gpg --export <KEY ID>
You would export your public key so that Egils could import it, and thus encrypt messages to you and verify the signatures you made with your secret key.
11.11 Export public key in ASCII:
gpg --output user-yahoo.com.asc --armor --export user@yahoo.com
gpg -o user-yahoo.com.asc --armor --export user@yahoo.com
Note: Omitting the -o|--output option will print the key to stdout.
11.12 Exporting secret key in ASCII
If you want to back up your secret key to an offline file (recommended as good practice):
gpg --output user-yahoo.com.asc --armor --export-secret-key user@yahoo.com
gpg -o user-yahoo.com.asc --armor --export-secret-key user@yahoo.com
Obviously be very careful where you store this secret key, preferably offline.
12 Uploading to a Keyserver
I uploaded my public key to keys.openpgp.org
keys.openpgp.org
Your key 980D0A46B0B6FD8FE7BB32E15ADEADBEEFCAFE12 is now published for the identity userid1@gmail.com.
It required a confirmation via email, which I responded to, and then got my key registered. The email confirmation message was:
Hi,
This is an automated message from keys.openpgp.org. If you didn't request this message, please ignore it.
OpenPGP key: 980D0A46B0B6FD8FE7BB32E15ADEADBEEFCAFE12
To let others find this key from your email address "userid1@gmail.com", please click the link below:
https://keys.openpgp.org/verify/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
You can find more info at keys.openpgp.org/about.
https://keys.openpgp.org distributing OpenPGP keys since 2019
I also uploaded my .asc public key to https://pgp.mit.edu
and also to:
https://keyserver.ubuntu.com/pks/add
On that link, you can search for userid1@gmail.com and see this:
12.1 Correct method of backing up private key
gpg --output user-backup-pub-sec-keys.pgp --armor --export-secret-keys --export-options export-backup user@yahoo.com
gpg -o user-backup-pub-sec-keys.pgp --armor --export-secret-keys --export-options export-backup user@yahoo.com
This exports all necessary information to restore the secret keys, including the trust database info. This should be stored offline.
13 Key maintenance
13.1 edit-key <keyid>
edit-key presents you with several editing menu picks. From the man page:
delkey
Remove a subkey (secondary key). Note that it is not possible to retract a subkey once it has been sent to the public (i.e. to a keyserver). In that case you better use revkey. Also note that this only deletes the public part of a key.
revkey
Revoke a subkey.
13.2 dealing with expired keys
When your main key has expired, you cannot use it. At least any attempt to use it that needs access to your secret key will come back with an error:
gpg: Warning: not using '7ABEEF433' as default key: No secret key
gpg: all values passed to '--default-key' ignored
gpg: no default secret key: No secret key
So you get the error "No secret key". All that is required is to edit the secret key and update the expiration date. The following examples do that.
gpg --list-secret-keys
Shows that it is there, but expired.
Users/userid1/.gnupg/pubring.gpg
--------------------------------
sec   rsa3072 2021-01-23 [SC] [expired: 2023-07-30]
      45C81..........................153A11E
uid           [ expired] Graham Chapman <jchapman@acme.com>
So we edit it with:
gpg --edit-key 45C81..........................153A11E
gpg (GnuPG/MacGPG2) 2.2.41; Copyright (C) 2022 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

sec  rsa3072/DEADBEEFC153A11E
     created: 2021-01-23  expired: 2023-07-30  usage: SC
     trust: ultimate      validity: expired
ssb  rsa3072/11CAFE7F11BEEF22
     created: 2021-01-23  expired: 2023-07-30  usage: E
[ expired] (1). Graham Chapman <jchapman@acme.com>
Notice the expiration date is July 2023, so we change that.
gpg> expire
Changing expiration time for the primary key.
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 2y
Key expires at Thu 11 Sep 20:03:35 2025 EDT
Is this correct? (y/N) y

sec  rsa3072/5ADEADBEEFCAFE12
     created: 2021-01-23  expires: 2025-09-12  usage: SC
     trust: ultimate      validity: ultimate
ssb  rsa3072/11CAFE7F11BEEF22
     created: 2021-01-23  expired: 2023-07-30  usage: E
[ultimate] (1). Graham Chapman <jchapman@acme.com>

gpg: WARNING: Your encryption subkey expires soon.
gpg: You may want to change its expiration date too.

gpg> quit
Save changes? (y/N) y
So now notice that the expiration date is Sept 2025. The subkey, however, still has an expiration that has passed, i.e. still July 2023. That is because we only changed the primary secret key, not the secret subkey (ssb).
To fix that we create a new secret subkey (from the existing primary key); this new secret subkey will have an expiration set appropriately. Finally we delete the expired secret subkey.
13.3 run-through of changing expiration date for keys
gpg --edit-key 11CAFE7F11BEEF22
gpg (GnuPG/MacGPG2) 2.2.41; Copyright (C) 2022 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

sec  rsa3072/5ADEADBEEFCAFE12
     created: 2021-01-23  expires: 2025-09-12  usage: SC
     trust: ultimate      validity: ultimate
ssb  rsa3072/11CAFE7F11BEEF22
     created: 2021-01-23  expired: 2023-07-30  usage: E
[ultimate] (1). Graham Chapman <jchapman@acme.com>
gpg> addkey
Please select what kind of key you want:
   (3) DSA (sign only)
   (4) RSA (sign only)
   (5) Elgamal (encrypt only)
   (6) RSA (encrypt only)
  (14) Existing key from card
Your selection? 6
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072)
Requested keysize is 3072 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 2y
Key expires at Thu 11 Sep 21:07:30 2025 EDT
Is this correct? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

sec  rsa3072/5ADEADBEEFCAFE12
     created: 2021-01-23  expires: 2025-09-12  usage: SC
     trust: ultimate      validity: ultimate
ssb  rsa3072/11CAFE7F11BEEF22
     created: 2021-01-23  expired: 2023-07-30  usage: E
ssb  rsa3072/5A11FF9B9BBEEF33
     created: 2023-09-13  expires: 2025-09-12  usage: E
[ultimate] (1). Graham Chapman <jchapman@acme.com>
gpg> delkey
You must select at least one key. (Use the 'key' command.)
gpg> list
sec  rsa3072/5ADEADBEEFCAFE12
     created: 2021-01-23  expires: 2025-09-12  usage: SC
     trust: ultimate      validity: ultimate
ssb  rsa3072/11CAFE7F11BEEF22
     created: 2021-01-23  expired: 2023-07-30  usage: E
ssb  rsa3072/5A11FF9B9BBEEF33
     created: 2023-09-13  expires: 2025-09-12  usage: E
[ultimate] (1). Graham Chapman <jchapman@acme.com>
gpg> delkey 11CAFE7F11BEEF22
You must select at least one key. (Use the 'key' command.)
gpg> key ?
sec  rsa3072/5ADEADBEEFCAFE12
     created: 2021-01-23  expires: 2025-09-12  usage: SC
     trust: ultimate      validity: ultimate
ssb  rsa3072/11CAFE7F11BEEF22
     created: 2021-01-23  expired: 2023-07-30  usage: E
ssb  rsa3072/5A11FF9B9BBEEF33
     created: 2023-09-13  expires: 2025-09-12  usage: E
[ultimate] (1). Graham Chapman <jchapman@acme.com>
gpg> key 11CAFE7F11BEEF22
sec  rsa3072/5ADEADBEEFCAFE12
     created: 2021-01-23  expires: 2025-09-12  usage: SC
     trust: ultimate      validity: ultimate
ssb* rsa3072/11CAFE7F11BEEF22
     created: 2021-01-23  expired: 2023-07-30  usage: E
ssb  rsa3072/5A11FF9B9BBEEF33
     created: 2023-09-13  expires: 2025-09-12  usage: E
[ultimate] (1). Graham Chapman <jchapman@acme.com>
gpg> delkey
Do you really want to delete this key? (y/N) y

sec  rsa3072/5ADEADBEEFCAFE12
     created: 2021-01-23  expires: 2025-09-12  usage: SC
     trust: ultimate      validity: ultimate
ssb  rsa3072/5A11FF9B9BBEEF33
     created: 2023-09-13  expires: 2025-09-12  usage: E
[ultimate] (1). Graham Chapman <jchapman@acme.com>

gpg>
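As an added example that is not part of these notes: a small Python audit of `gpg --list-secret-keys --with-colons` output that flags exactly the state walked through above (primary key renewed, encryption subkey still expired) and says which edit-key step fixes it. The listing in SAMPLE is constructed to mirror section 13.3 (the uid hash and the subkey fingerprint are placeholders); field positions follow the colon format documented in GnuPG's doc/DETAILS.

```python
"""Audit a GnuPG key listing for expired, revoked or soon-to-expire components.

Added example, not part of the cheat sheet. Parses the machine-readable
output of `gpg --list-secret-keys --with-colons` (field layout from GnuPG's
doc/DETAILS) and reports which key component needs attention. SAMPLE is a
constructed listing mirroring section 13.3: primary key renewed to 2025-09-12,
[E] subkey still expired on 2023-07-30.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample, not a real keyring. uid hash and subkey fpr are placeholders.
SAMPLE = """\
sec:u:3072:1:5ADEADBEEFCAFE12:1611360000:1757635200::u:::scESC:::+:::23::0:
fpr:::::::::980D0A46B0B6FD8FE7BB32E15ADEADBEEFCAFE12:
uid:u::::1611360000::0000000000000000000000000000000000000000::Graham Chapman <jchapman@acme.com>::::::::::0:
ssb:e:3072:1:11CAFE7F11BEEF22:1611360000:1690675200:::::e:::+:::23:
fpr:::::::::CONSTRUCTEDSUBKEYFINGERPRINT000000000000:
"""


def at(y, m, d):
    """UTC midnight on the given date (helper for callers and tests)."""
    return datetime(y, m, d, tzinfo=timezone.utc)


def parse_when(field):
    """Fields 6/7 hold seconds since the epoch; old releases used YYYY-MM-DD."""
    if not field:
        return None                       # empty expiry: key never expires
    if field.isdigit():
        return datetime.fromtimestamp(int(field), tz=timezone.utc)
    return datetime.strptime(field[:10], "%Y-%m-%d").replace(tzinfo=timezone.utc)


def make_record(f):
    """One pub/sec/sub/ssb record: field 2 validity, 5 keyid, 6/7 dates, 12 usage."""
    return {"keyid": f[4], "fpr": None, "validity": f[1],
            "created": parse_when(f[5]), "expires": parse_when(f[6]),
            "usage": f[11], "subkeys": [], "uids": []}


def parse_listing(text):
    """Group each pub/sec record with its fpr, uid and sub/ssb records."""
    keys, current, last = [], None, None
    for line in text.splitlines():
        f = line.split(":")
        kind = f[0]
        if kind in ("pub", "sec"):
            current = make_record(f)
            keys.append(current)
            last = current
        elif kind in ("sub", "ssb") and current is not None:
            last = make_record(f)
            current["subkeys"].append(last)
        elif kind == "fpr" and last is not None:
            last["fpr"] = f[9]            # fpr belongs to the record just before it
        elif kind == "uid" and current is not None:
            current["uids"].append(f[9])
    return keys


def state(rec, now, warn_days=30):
    """Classify one key or subkey: revoked, expired, expiring or ok."""
    if rec["validity"] == "r":            # validity letter, see the trust table
        return "revoked"
    if rec["expires"] is None:
        return "ok"
    if rec["expires"] <= now:
        return "expired"
    if rec["expires"] - now <= timedelta(days=warn_days):
        return "expiring"
    return "ok"


def advice(key, rec, s):
    """The edit-key step section 13 uses for each case, as a one-line hint."""
    if s == "revoked":
        return "revoked; generate and distribute a replacement key"
    if rec is key:
        return "gpg --edit-key %s then 'expire' (section 13.2)" % key["keyid"]
    if "e" in rec["usage"]:
        return "'addkey' a fresh [E] subkey, then 'key %s' + 'delkey' (section 13.3)" % rec["keyid"]
    return "gpg --edit-key %s, 'key %s', then 'expire'" % (key["keyid"], rec["keyid"])


def audit(text, now, warn_days=30):
    """Return (primary keyid, component keyid, usage, state, advice) per finding."""
    findings = []
    for key in parse_listing(text):
        for rec in [key] + key["subkeys"]:
            s = state(rec, now, warn_days)
            if s != "ok":
                findings.append((key["keyid"], rec["keyid"], rec["usage"], s, advice(key, rec, s)))
    return findings


if __name__ == "__main__":
    # 2023-09-13 is the date the new subkey was created in section 13.3.
    for primary, comp, usage, s, hint in audit(SAMPLE, at(2023, 9, 13)):
        print(f"{primary}: {comp} [{usage}] {s}: {hint}")
```

Feed it real output with `gpg --list-secret-keys --with-colons | python3 audit.py` by reading stdin in place of SAMPLE; the classification does not depend on the sample.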
13.4 pass
See also the *nix command pass (the standard unix password manager). It is related to gpg: it stores each password in a gpg-encrypted file.
14 Correct way of using multiple keys
Since the above method was confusing and did not seem to work anyway, I then deleted the icloud key above, and instead generated a new icloud key on my Linux VM. I then signed each other's keys following these steps:
- on each host, exported the local public key:
gpg -o zperkons.asc --armor --export D60E5B66   # for public key somedude@icloud.com
gpg -o userid1.asc --armor --export 48452433    # for public key userid1@gmail.com
- copied the local .asc file to the other computer
- on each host, imported the other public key:
gpg --import userid1.asc
gpg --import zperkons.asc
- on each host, signed the imported public key:
gpg --sign-key userid1@gmail.com
gpg --sign-key somedude@icloud.com
- checked fingerprints on my gmail.com computer:
/Users/userid1[3478] $ gpg --fingerprint userid1@gmail.com
pub   rsa3072 2021-01-23 [SC] [expires: 2023-01-23]
      980D 0A46 B0B6 FD8F E7BB  32E1 176F 621A 4845 2433
uid           [ultimate] Miles Smoketoomuch <msmoketoomuch@acme.com>
sub   rsa3072 2021-01-23 [E] [expires: 2023-01-23]

/Users/userid1[3479] $ gpg --fingerprint somedude@icloud.com
pub   dsa3072 2022-04-24 [SC] [expires: 2024-04-23]
      C779 18DE 8AA3 51C0 724A  83D3 0137 4DB6 D60E 5B66
uid           [ full ] Miles Smoketoomuch (icloud account for somedude) <somedude@icloud.com>
sub   elg3072 2022-04-24 [E] [expires: 2024-04-23]
/Users/userid1[3480]
- checked fingerprints on my zperkons@icloud.com computer:
userid1@c8host ~/.gnupg[1054] $ gpg --fingerprint userid1@gmail.com
pub   rsa3072 2021-01-23 [SC] [expires: 2023-01-23]
      980D 0A46 B0B6 FD8F E7BB  32E1 176F 621A 4845 2433
uid           [ full ] Miles Smoketoomuch <msmoketoomuch@acme.com>
sub   rsa3072 2021-01-23 [E] [expires: 2023-01-23]

userid1@c8host ~/.gnupg[1055] $ gpg --fingerprint somedude@icloud.com
pub   dsa3072 2022-04-24 [SC] [expires: 2024-04-23]
      C779 18DE 8AA3 51C0 724A  83D3 0137 4DB6 D60E 5B66
uid           [ultimate] Miles Smoketoomuch (icloud account for somedude) <somedude@icloud.com>
sub   elg3072 2022-04-24 [E] [expires: 2024-04-23]
userid1@c8host ~/.gnupg[1056] $
- check signatures:
/Users/userid1[3480] $ gpg --check-signatures
/Users/userid1/.gnupg/pubring.gpg
--------------------------------
pub   rsa3072 2021-01-23 [SC] [expires: 2023-01-23]
      980D0A46B0B6FD8FE7BB32E15ADEADBEEFCAFE12
uid           [ultimate] Miles Smoketoomuch <msmoketoomuch@acme.com>
sig!3        5ADEADBEEFCAFE12 2021-01-23  Miles Smoketoomuch <msmoketoomuch@acme.com>
sub   rsa3072 2021-01-23 [E] [expires: 2023-01-23]
sig!         5ADEADBEEFCAFE12 2021-01-23  Miles Smoketoomuch <msmoketoomuch@acme.com>
pub   rsa3072 2022-04-23 [SC] [expires: 2024-04-22]
      CA1744F9B7872B89AB68AF081024C5B72FB0D198
uid           [ultimate]
sig!3        1024C5B72FB0D198 2022-04-23  Miles Smoketoomuch (Personal key for Miles Smoketoomuch on acmezint.com) <admin@acmezint.com>
sig!         5ADEADBEEFCAFE12 2022-04-23  Miles Smoketoomuch <msmoketoomuch@acme.com>
sub   rsa3072 2022-04-23 [E] [expires: 2024-04-22]
sig!         1024C5B72FB0D198 2022-04-23  Miles Smoketoomuch (Personal key for Miles Smoketoomuch on acmezint.com) smoker@acmezint.com>
pub   dsa3072 2022-04-24 [SC] [expires: 2024-04-23]
      C77918DE8AA351C0724A83D3A104976F912BDAFE5F26C36DBDE404A59E6B2C25
uid           [ full ] Miles Smoketoomuch (icloud account for somedude) <somedude@icloud.com>
sig!3        A104976F912BDAFE5F26C36DBDE404A59E6B2C25 2022-04-24  Miles Smoketoomuch (icloud account for somedude) <somedude@icloud.com>
sig!         5ADEADBEEFCAFE12 2022-04-24  Miles Smoketoomuch <msmoketoomuch@acme.com>
sub   elg3072 2022-04-24 [E] [expires: 2024-04-23]
sig!         A104976F912BDAFE5F26C36DBDE404A59E6B2C25 2022-04-24  Miles Smoketoomuch (icloud account for somedude) <somedude@icloud.com>

gpg: 8 good signatures
/Users/userid1[3481]
And the other host signatures:
userid1@c8host ~/.gnupg[1062] $ gpg --check-signatures
/home/userid1/.gnupg/pubring.kbx
-------------------------------
pub   dsa3072 2022-04-24 [SC] [expires: 2024-04-23]
      C77918DE8AA351C0724A83D3A104976F912BDAFE5F26C36DBDE404A59E6B2C25
uid           [ultimate] Miles Smoketoomuch (icloud account for somedude) <somedude@icloud.com>
sig!3        A104976F912BDAFE5F26C36DBDE404A59E6B2C25 2022-04-24  Miles Smoketoomuch (icloud account for somedude) <somedude@icloud.com>
sub   elg3072 2022-04-24 [E] [expires: 2024-04-23]
sig!         A104976F912BDAFE5F26C36DBDE404A59E6B2C25 2022-04-24  Miles Smoketoomuch (icloud account for somedude) <somedude@icloud.com>
pub   rsa3072 2021-01-23 [SC] [expires: 2023-01-23]
      980D0A46B0B6FD8FE7BB32E15ADEADBEEFCAFE12
uid           [ full ] Miles Smoketoomuch <msmoketoomuch@acme.com>
sig!3        5ADEADBEEFCAFE12 2021-01-23  Miles Smoketoomuch <msmoketoomuch@acme.com>
sig!         A104976F912BDAFE5F26C36DBDE404A59E6B2C25 2022-04-24  Miles Smoketoomuch (icloud account for somedude) <somedude@icloud.com>
sub   rsa3072 2021-01-23 [E] [expires: 2023-01-23]
sig!         5ADEADBEEFCAFE12 2021-01-23  Miles Smoketoomuch <msmoketoomuch@acme.com>

gpg: 5 good signatures
userid1@c8host ~/.gnupg[1063] $
15 Examples
gpg -se -r Bob file
sign and encrypt a file for Bob (with Bob's public key)
gpg --clear-sign file
make a cleartext signature (with your private key)
gpg -sb file
sign and detach the signature (with your private key)
gpg -sb file -u 0x87654321
sign and detach the signature using key 0x87654321
gpg --list-keys
show keys
gpg --list-keys Alice
show keys for user Alice
gpg --fingerprint user_ID
show fingerprint for userID
gpg --check-signatures
show signatures of all keys in your keyring
Using multiple keys
By default gpg will run as the owner of the default key. To run gpg as the owner of a different key, you must specify that (see man gpg).
15.1 Before signing by 1)
$ gpg --list-keys
/Users/userid1/.gnupg/pubring.gpg
--------------------------------
pub   rsa3072 2021-01-23 [SC] [expires: 2023-01-23]
      55EE44CC7775008FE7BB32E15ADEADBEEFCAFE12
uid           [ultimate] Miles Smoketoomuch <msmoketoomuch@acme.com>
sub   rsa3072 2021-01-23 [E] [expires: 2023-01-23]
pub   ed25519 2022-04-23 [SC] [expires: 2024-04-22]
      20c62e903ae2f08edb78ca76c3ba670c6af59639FF5FEDCE7091
uid           [ultimate] Miles Smoketoomuch <somedude@icloud.com>
sub   cv25519 2022-04-23 [E] [expires: 2024-04-22]
pub   rsa3072 2022-04-23 [SC] [expires: 2024-04-22]
      CA1744F9B7872B89AB68AF081024C5B72FB0D198
uid           [ultimate] Miles Smoketoomuch (Personal key for Miles Smoketoomuch on acmezint.com) smoker@acmezint.com>
sub   rsa3072 2022-04-23 [E] [expires: 2024-04-22]
15.2 After signing by 1)
I signed the keys as user userid1@gmail.com but then --list-keys did not seem to change:
$ gpg --list-keys
/Users/userid1/.gnupg/pubring.gpg
--------------------------------
pub   rsa3072 2021-01-23 [SC] [expires: 2023-01-23]
      55EE44CC7775008FE7BB32E15ADEADBEEFCAFE12
uid           [ultimate] Miles Smoketoomuch <msmoketoomuch@acme.com>
sub   rsa3072 2021-01-23 [E] [expires: 2023-01-23]
pub   ed25519 2022-04-23 [SC] [expires: 2024-04-22]
      20C62E903AE2F08EDB78CA76C3BA670C6AF59639
uid           [ultimate] Miles Smoketoomuch <somedude@icloud.com>
sub   cv25519 2022-04-23 [E] [expires: 2024-04-22]
pub   rsa3072 2022-04-23 [SC] [expires: 2024-04-22]
      CA1744F9B7872B89AB68AF081024C5B72FB0D198
uid           [ultimate] Miles Smoketoomuch (Personal key for Miles Smoketoomuch on acmezint.com) smoker@acmezint.com>
sub   rsa3072 2022-04-23 [E] [expires: 2024-04-22]
Looks the same. But I did sign zperkons and admin with the gmail key. hmmmm.
The first time I ran --list-keys after signing I got this:
$ gpg --list-keys
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   3  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 3u
gpg: next trustdb check due at 2023-01-23
/Users/userid1/.gnupg/pubring.gpg
--------------------------------
pub   rsa3072 2021-01-23 [SC] [expires: 2023-01-23]
      55EE44CC7775008FE7BB32E15ADEADBEEFCAFE12
uid           [ultimate] Miles Smoketoomuch <msmoketoomuch@acme.com>
sub   rsa3072 2021-01-23 [E] [expires: 2023-01-23]
pub   ed25519 2022-04-23 [SC] [expires: 2024-04-22]
      20c62e903ae2f08edb78ca76c3ba670c6af59639FF5FEDCE7091
uid           [ultimate] Miles Smoketoomuch <somedude@icloud.com>
sub   cv25519 2022-04-23 [E] [expires: 2024-04-22]
pub   rsa3072 2022-04-23 [SC] [expires: 2024-04-22]
      CA1744F9B7872B89AB68AF081024C5B72FB0D198
uid           [ultimate] Miles Smoketoomuch (Personal key for Miles Smoketoomuch on acmezint.com) smoker@acmezint.com>
sub   rsa3072 2022-04-23 [E] [expires: 2024-04-22]