GnuPG

Description

GnuPG is a complete and free implementation of the OpenPGP standard as defined by RFC 4880 (also known as PGP). GnuPG allows you to encrypt and sign your data and communications; it features a versatile key management system, along with access modules for all kinds of public key directories.

Directory

References


Setup

Description

This details how to install and set up GnuPG and Pinentry.

References

Steps

  1. Install the gnupg package (should come preinstalled by default in most cases) using yay.

  2. Install the pinentry package (should come preinstalled by default in most cases) using yay.

  3. (Optional) If you use KDE Wallet, you can also use it to store GPG key passphrases.


Generate GPG Key

Description

This details how to generate a GPG key.

References

Steps

  1. Launch a terminal application (e.g. Konsole).

  2. Generate a GPG key using the gpg command:

    gpg --full-gen-key

  3. Add the following values when prompted:

    • What kind of key: 9 (ECC (sign and encrypt) *default*)
    • Which elliptic curve you want: 1 (Curve 25519 *default*)
    • Key is valid for: 1y
    • Is this correct: y
    • Real name: My Name (Add your real name here)
    • Email address: user@example.org (Add your email address here)
    • Comment: (Leave this blank or add a comment)
    • Change name, comment, email, or okay/quit: o

    Make any of your own adjustments to the above values as desired.

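  4. Enter a passphrase when prompted or leave it empty. An empty passphrase leaves the secret key unencrypted on disk, so anyone who can read ~/.gnupg can sign with it. Save the passphrase to the system's password manager if given the option.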


Sign Git Commits

Description

This details how we can enforce automatic signing for all our commits and tags in Git and GitHub/GitLab.

References

Steps

  1. Create a GPG key if you have not already.

  2. List all available GPG secret keys:

    gpg --list-secret-keys --keyid-format long

  3. From the given output, locate our GPG key and take note of the row containing its corresponding secret key denoted by the abbreviation sec. For example:

    sec   ed25519/1H89FHO4MGAJTJ9Z 2024-04-07 [SC] [expires: 2025-04-07]
    

    Get the long key ID by copying the value trailing the /. Based on our example, the long key ID would be the following value:

    1H89FHO4MGAJTJ9Z
    
  4. Using the long key ID, get its corresponding GPG public key using the following command:

    gpg --armor --export <long-key-id>

    For example, assuming our long key ID is 1H89FHO4MGAJTJ9Z:

    gpg --armor --export 1H89FHO4MGAJTJ9Z

  5. The GPG public key we require would look something like the following:

    -----BEGIN PGP PUBLIC KEY BLOCK-----
    
    7Ze49bA33Xzun7SbusOQspoUIYsgPny2eitPOKRvavumM+397nTftVhHia/eI410
    ...
    Lz8/MGzO2FgC33XdFwhyyp3yQH18XCnV4IMUgrFNrG==
    =iT48
    -----END PGP PUBLIC KEY BLOCK-----
    

    Copy the entire content of the public key.

  6. To register the GPG public key to GitHub, do the following:

    • Go to GitHub's SSH and GPG keys page.
    • Under the GPG keys section, click the New GPG key button.
    • Add a title for the GPG key (e.g. your system's user and hostname).
    • Paste our GPG public key into the Key text field.
    • Click the Add GPG key button.

  7. To register the GPG public key to GitLab, do the following:

    • Go to GitLab's GPG Keys page.
    • Click the Add new key button.
    • Paste our GPG public key into the Key text field.
    • Click the Add key button.

  8. Configure Git to use our GPG key and enforce automatic signing for all our commits and tags.

    • Register our GPG key to Git using the long key ID:

      git config --global user.signingkey <long-key-id>

      For example, assuming our long key ID is 1H89FHO4MGAJTJ9Z:

      git config --global user.signingkey 1H89FHO4MGAJTJ9Z

    • Set automatic commit signing:

      git config --global commit.gpgSign true

    • Set automatic tag signing:

      git config --global tag.gpgSign true

  9. To ensure that GPG uses the correct terminal for user interaction when performing cryptographic operations, set GPG_TTY to the value of tty in your default shell profile.

    • Update the default shell profile (e.g. for fish) with the following variable assignment:

      set -x GPG_TTY (tty)

      If your default shell is bash, add the following line instead:

      export GPG_TTY=$(tty)

    • Reload the updated shell profile (e.g. ~/.config/fish/config.fish) to apply the changes:

      source ~/.config/fish/config.fish
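
Steps 2 and 3 above read the long key ID off the human-readable listing by eye. As an added example (not part of the original guide), the shell function below pulls the same ID from GnuPG's machine-readable --with-colons listing and skips keys that are expired, revoked or unable to sign; the function name signing_key_ids and the sample listing are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: select usable signing keys from GnuPG's colon-delimited output.
# Real input would come from:
#   gpg --list-secret-keys --with-colons | signing_key_ids "$(date +%s)"
# Fields used (GnuPG doc/DETAILS): 1 = record type, 2 = validity,
# 5 = long key ID, 7 = expiry in epoch seconds (empty = never),
# 12 = capabilities.

# Constructed sample listing (not real keys): a valid sign-capable key,
# an expired key, and an encrypt-only key.
SAMPLE_LISTING='sec:u:255:22:0123456789ABCDEF:1712448000:4102444800::u:::scESC:::+:::ed25519:::0:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF0123456789ABCDEF:
uid:u::::1712448000::0000000000000000000000000000000000000000::My Name <user@example.org>::::::::::0:
ssb:u:255:18:1111222233334444:1712448000:4102444800:::::e:::+:::cv25519::
sec:e:255:22:FEDCBA9876543210:1617753600:1649289600::u:::sc:::+:::ed25519:::0:
sec:u:255:18:0F0F0F0F0F0F0F0F:1712448000:::u:::e:::+:::cv25519:::0:'

# signing_key_ids NOW_EPOCH   (listing on stdin)
# Prints the long key ID of every primary secret key that can sign and is
# neither expired nor revoked at NOW_EPOCH. These are the values that are
# safe to pass to: git config --global user.signingkey <long-key-id>
signing_key_ids() {
  awk -F: -v now="$1" '
    $1 == "sec" {
      if ($2 ~ /^[er]$/) next                # validity: expired or revoked
      if ($7 != "" && $7 + 0 <= now) next    # expiry date already passed
      if ($12 !~ /[sS]/) next                # no signing capability
      print $5
    }'
}

# Run against the constructed sample with a fixed clock (mid-2024).
printf '%s\n' "$SAMPLE_LISTING" | signing_key_ids 1720000000
```

A key created with the 1y validity chosen earlier drops out of this list once it expires, which is the point at which Git signing with it starts to fail.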

Update Config

Description

This details how to update the GnuPG agent configuration.

References

Steps

  1. Create or update an existing gpg-agent.conf config file:

    nano ~/.gnupg/gpg-agent.conf

  2. Write and save any necessary changes to the config file.

  3. Reload the updated config:

    gpg-connect-agent reloadagent /bye

Update GPG Key Passphrase

Description

This details how to update the passphrase of a GPG key.

References

Steps

  1. List our GPG keys:

    gpg --list-secret-keys --keyid-format long

  2. From this output, locate our GPG key and take note of the value of the second column from the row that has sec in the first column:

    sec   ed25519/1H89FHO4MGAJTJ9Z
    
  3. Copy the value trailing the / (i.e. 1H89FHO4MGAJTJ9Z), and edit the GPG key using the following command:

    gpg --edit-key 1H89FHO4MGAJTJ9Z

  4. In the gpg> prompt, enter the passwd subcommand to change the passphrase:

    passwd

  5. Enter the current passphrase of the GPG key when prompted.

  6. Enter the new passphrase and confirm it when prompted.

    You may need to enter the save command in the gpg> prompt to save changes made to the GPG key.