Docu review done: Tue 17 Oct 2023 10:49:59 AM CEST

Commands

gpg {--recipient|-r} <mail@recipient> --output <outputfile> --encrypt <file2encrypt>
    encrypts a file for one recipient

gpg {--hidden-recipient|-R} <mail@recipient> --output <outputfile> --encrypt <file2encrypt>
    as above, but the recipient's key ID is not stored in the encrypted file; the recipient has to try every secret key they own (use it when the list of readers itself is sensitive)

gpg -r <mail1@recipient> -r <mail2@recipient> -r <mailX@recipient> --output <outputfile> --encrypt <file2encrypt>
    encrypts a file for multiple recipients; works with -R as well

gpg --import <publickey>.asc
    imports a public key into your keyring

gpg --export <mail@youraddresstoexport OR keyid>
    writes the public key(s) in binary form to stdout; redirect it to a file to get a keyring file (e.g. for gpgv --keyring)

gpg --armor --export <mail@youraddresstoexport OR keyid>
    exports the public key as ASCII-armored text

gpg -u <keyid> ... / gpg --local-user <keyid> ...
    performs the command with <keyid> instead of your default key, e.g. gpg -u 1234 --sign-key 5878

gpg --receive-keys <keyid>
    fetches the key <keyid> from the configured keyserver

gpg --send-keys <keyid>
    uploads the key <keyid> to the configured keyserver

gpg --enarmor < key.gpg > key.asc
    converts a binary key file to ASCII armor without importing it; note that the result carries a generic "PGP ARMORED FILE" header instead of "PGP PUBLIC KEY BLOCK", which some tools reject (gpg --armor --export after a temporary --import gives the standard form)

gpg --keyid-format long --list-keys
    forces 16-digit (long) key IDs in listings; the 8-digit short IDs are trivially collidable and must not be used to identify a key

gpg --import-options show-only --import ./pubkey.asc
    shows key ID, name/e-mail, key type and creation/expiration date of a key file without importing it

GPG Signature

Create signature on file

Usage: signed copy

Both commands below create a copy of the original file that carries the signature (a binary OpenPGP file; the original stays untouched). Without --output the copy is named <file>.gpg:

$ gpg --sign <file>
$ gpg --output <signed_copy_file>.gpg --sign <file>

Usage: detached signature

With --detach-sign the file itself is left alone and only the signature is written to a separate file (<file>.sig for binary, <file>.asc with --armor, or whatever you give --output). This is the form to use for release artifacts, because the recipient can verify without unpacking anything:

$ gpg --detach-sign <file>
$ gpg --detach-sign --armor <file>
$ gpg --detach-sign --output <signature_file>.sig <file>

Sample 1

$ gpg --sign ./titten
gpg: using "123412341234ASDFASDFASDF12341234ASDFASDF" as default secret key for signing
$ ls -la | grep titten.gpg
titten.gpg

Sample 2

$ gpg --output titten.sig --sign ./titten
gpg: using "123412341234ASDFASDFASDF12341234ASDFASDF" as default secret key for signing
$ ls -la | grep titten
titten
titten.sig

Sample 3

$ gpg --detach-sign --sign --output ./titten.sig ./titten
gpg: using "123412341234ASDFASDFASDF12341234ASDFASDF" as default secret key for signing
$ ls -la | grep titten
titten
titten.sig

Verify signature of file

Usage with included signature and content

--verify only checks the signature; it does not write the content anywhere. To get the original file back use --decrypt, which works for signed-only as well as signed-and-encrypted files and verifies the embedded signature while unpacking (check its output for the signature result):

$ gpg --verify <file.gpg>
$ gpg --output <target file> --decrypt <signed (and possibly encrypted) file.gpg>

Usage with detached signature

The signature file comes first, the data file second:

$ gpg --verify <signature-file> <file>

Sample 1

Verify when you have the pubkey in your keyring

$ gpg --verify titten.gpg
gpg: Signature made Day Nr Mon Year HH:MM:SS AP ZONE
gpg:                using TYPE key 123412341234ASDFASDFASDF12341234ASDFASDF
gpg: Good signature from "MY Sexy Titten Key (boobs) <ilikegpg@linuxis.sexy>" [ultimate]

Sample 2

For machine-readable output with --status-fd (e.g. to get the signer's key ID when the key is not in your keyring):

$ gpg -v --status-fd 1 --verify titten.gpg
gpg: original file name='titten'
gpg: Signature made Thu 26 Sep 2013 06:51:39 AM EST using RSA key ID 35C7553C
[GNUPG:] ERRSIG 7FF2D37135C7553C 1 10 00 1380142299 9
[GNUPG:] NO_PUBKEY 7FF2D37135C7553C
gpg: Can't check signature: public key not found

Sample 3

Using gpgv and a specific keyring file

gpgv is a stripped-down verifier that takes no trust decisions: every key in the given keyring is treated as fully trusted, so the keyring must be a binary keyring file you control (as written by gpg --export), and the ./ prefix makes sure it is taken from the current directory rather than looked up in the GnuPG home.

$ gpgv --keyring ./pubkeyring.gpg titten.gpg
gpgv: Signature made Day Nr Mon Year HH:MM:SS AP ZONE
gpgv:                using TYPE key 123412341234ASDFASDFASDF12341234ASDFASDF
gpgv: Good signature from "MY Sexy Titten Key (boobs) <ilikegpg@linuxis.sexy>"

Sample 4

Using detached signature file to verify

$ gpg --verify ./my_file.sh.sig my_file.sh
gpg: Signature made Day Nr Mon Year HH:MM:SS AP ZONE
gpg:                using TYPE key 123412341234ASDFASDFASDF12341234ASDFASDF
gpg: Good signature from "MY Sexy Titten Key (boobs) <ilikegpg@linuxis.sexy>" [ultimate]
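
The create-and-verify steps above end to end, as an added example that is not part of the original page: it generates a throwaway signing key in a temporary GNUPGHOME, makes a detached armored signature, verifies it with gpg, with --status-fd (the machine-readable form scripts should rely on) and with gpgv against an exported keyring file, shows the NO_PUBKEY status you get when the signer's key is absent, and finally shows a tampered file being rejected. The user ID "Release Signing (demo)", the e-mail address, the file names and the payload are made up; GnuPG 2.2 or newer with gpg, gpgv and gpgconf in PATH is assumed.

```shell
#!/bin/sh
# Added example, not code from the original page: sign a file with a detached,
# ASCII-armored signature from a throwaway key and verify it the ways a script
# should. Everything happens in a temporary GNUPGHOME, so your real keyring and
# trustdb are untouched. Assumes GnuPG >= 2.2 with gpg, gpgv and gpgconf in
# PATH. The user ID, file names and payload are made up for the demo.
set -u
command -v gpg >/dev/null 2>&1 || { echo "gpg is required" >&2; exit 1; }

WORK=$(mktemp -d)
export GNUPGHOME="$WORK/gnupghome"
mkdir -m 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$WORK"' EXIT

# Throwaway signing-only key without passphrase; --batch/--pinentry-mode
# loopback/--passphrase '' keep gpg from ever opening a pinentry.
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-generate-key "Release Signing (demo) <release@example.invalid>" ed25519 sign never
FPR=$(gpg --batch --with-colons --list-secret-keys | awk -F: '$1=="fpr" && !f {print $10; f=1}')

sign_detached() {    # $1 = file; writes the armored signature to $1.asc
    gpg --batch --yes --pinentry-mode loopback --passphrase '' \
        --local-user "$FPR" --armor --detach-sign --output "$1.asc" "$1"
}

verify_detached() {  # $1 = signature, $2 = file; exit status 0 only for a good signature
    gpg --batch --verify "$1" "$2"
}

# Scripts must parse --status-fd lines, never the localized "Good signature" text.
# VALIDSIG is only emitted for a cryptographically valid signature and carries
# the signer's full fingerprint; the TRUST_* lines (not checked here) say whether
# that key is trusted in your web of trust.
signer_fpr() {       # prints the signing key's fingerprint, or nothing
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null \
        | awk '$1=="[GNUPG:]" && $2=="VALIDSIG" {print $3}'
}

missing_signer() {   # prints the long key ID from NO_PUBKEY when the key is absent
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null \
        | awk '$1=="[GNUPG:]" && $2=="NO_PUBKEY" {print $3}'
}

# Constructed sample input standing in for a release artifact.
printf 'release payload v1.0\n' > "$WORK/release.tar"
sign_detached "$WORK/release.tar"

echo "--- 1. gpg --verify with the key in the keyring"
verify_detached "$WORK/release.tar.asc" "$WORK/release.tar"

echo "--- 2. machine-readable check"
echo "signed by fingerprint: $(signer_fpr "$WORK/release.tar.asc" "$WORK/release.tar")"

echo "--- 3. gpgv with an exported binary keyring: no trustdb, every key in it counts as trusted"
gpg --batch --export "$FPR" > "$WORK/release-keyring.gpg"
gpgv --keyring "$WORK/release-keyring.gpg" "$WORK/release.tar.asc" "$WORK/release.tar"

echo "--- 4. same signature, key not in the keyring: NO_PUBKEY names the key to fetch"
mkdir -m 700 "$WORK/emptyhome"
MISSING=$(export GNUPGHOME="$WORK/emptyhome"; missing_signer "$WORK/release.tar.asc" "$WORK/release.tar")
echo "missing key ID $MISSING: gpg --receive-keys $MISSING, then compare the fingerprint out of band"

echo "--- 5. one byte appended: the signature must be rejected"
cp "$WORK/release.tar" "$WORK/release-tampered.tar"
printf 'x' >> "$WORK/release-tampered.tar"
if verify_detached "$WORK/release.tar.asc" "$WORK/release-tampered.tar"; then
    echo "BUG: tampered file verified" >&2; exit 1
fi
echo "tampered copy rejected as expected"
```

It needs no existing keys and cleans up after itself. The part worth copying into your own scripts is signer_fpr: decide on VALIDSIG (plus whichever TRUST_* line your policy requires) and on the fingerprint it reports, never on grepping "Good signature", which is localized and does not tell you which key actually signed.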

Keysigning Party

$ apt install signing-party
$ gpg-key2ps -1 -s <gpgid> -p a4 | gs -q -dNOPAUSE -dBATCH -sDEVICE=pdfwrite -s"OutputFile=out.pdf" -

Then open out.pdf and print the fingerprint slips (the trailing "-" makes gs read the PostScript from stdin; ps2pdf does the same with less typing).

Manually sign a key and send it to the keyserver

Before you certify a key, confirm its fingerprint with the owner out of band (in person, by phone, over a channel you trust), never from the keyserver alone; gpg --fingerprint shows it. --sign-key creates an exportable certification, which --send-keys then publishes for everybody. If you only want the key to count as valid in your own keyring, use --lsign-key instead; a local signature is never exported.

$ gpg --keyserver myowngpgserver.sons-of-sparda.at --receive-keys 132412341234ASDFASDFASDF123412341234
$ gpg --sign-key 132412341234ASDFASDFASDF123412341234
$ gpg --keyserver myowngpgserver.sons-of-sparda.at --send-keys 132412341234ASDFASDFASDF123412341234

Changing the trust level (ownertrust) of a key

The value set with trust is ownertrust: how much you rely on this key's owner to correctly certify other people's keys. It does not make the key itself valid (that is the separate "validity" column, which comes from certifications), and "ultimate" should be reserved for your own keys. In the session below the key is set to "never" (choice 2).

$ gpg --edit-key 132412341234ASDFASDFASDF123412341234
pub  rsa4096/132412341234ASDFASDFASDF123412341234
     created: 2019-10-07  expires: never       usage: SC
     trust: marginal      validity: full
sub  rsa4096/567856785678ASDFASDFASDF567856785678
     created: 2019-10-07  expires: never       usage: E
[  full  ] (1). MY Sexy Titten Key (boobs) <ilikegpg@linuxis.sexy>

gpg> trust
pub  rsa4096/132412341234ASDFASDFASDF123412341234
     created: 2019-10-07  expires: never       usage: SC
     trust: marginal      validity: full
sub  rsa4096/567856785678ASDFASDFASDF567856785678
     created: 2019-10-07  expires: never       usage: E
[  full  ] (1). MY Sexy Titten Key (boobs) <ilikegpg@linuxis.sexy>

Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

  1 = I don't know or won't say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately
  m = back to the main menu

Your decision? 2

pub  rsa4096/132412341234ASDFASDFASDF123412341234
     created: 2019-10-07  expires: never       usage: SC
     trust: never         validity: full
sub  rsa4096/567856785678ASDFASDFASDF567856785678
     created: 2019-10-07  expires: never       usage: E
[  full  ] (1). MY Sexy Titten Key (boobs) <ilikegpg@linuxis.sexy>

gpg> quit

Extend expired gpg key

First you need the ID of the expired key. Extending the expiration date requires the secret key, so it has to be one of your own; list the keys and look for the "expired" marker ("expire" alone would also match the "expires:" of every valid key):

gpg --list-keys | grep -B2 expired

Next, enter editing mode, which starts the gpg prompt:

gpg --edit-key <gpgid>

Now run expire and enter the new validity period. This only changes the primary key: subkeys carry their own expiration date, so afterwards select each subkey at the gpg prompt and repeat the expire step, otherwise your encryption subkey stays expired and nobody can encrypt to you.

gpg> expire
Changing expiration time for the primary key.
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) <yourchoice>
Key expires at <Date when it will expire>
Is this correct? (y/N) y

Final step is to save it by entering save:

gpg> save

The new expiration date lives in a fresh self-signature on your key, so everybody who has your public key needs the updated copy. Export it again and distribute it (send it to the keyserver, update it on your website, etc.):

gpg --armor --export <mailaddress|gpgid>

Revoke gpg key

If a gpg key is no longer in use, or you suspect the private key was exposed, you should revoke it.

At local keyring

To revoke an existing key in your local keyring you need to import a revocation certificate for it.

Generating the certificate requires the secret key, so if you haven't created one during key creation, do it now while you still can. (GnuPG 2.1 and later already store one per key under ~/.gnupg/openpgp-revocs.d/<fingerprint>.rev; its BEGIN line is prefixed with a colon to prevent accidental use, which you have to remove before the file can be imported.)

$ gpg --output ./revoke.asc --gen-revoke <GPG-KEY-ID4REVOCE>

Make sure you have the right revocation file, double check! Importing it is irreversible, and once it is published a keyserver will not forget it either.

If you are sure, import it like so:

$ gpg --import ./revoke.asc

Now the gpg key with the ID you placed instead of <GPG-KEY-ID4REVOCE> is revoked in your keyring.

At remote keyserver

If you are not sure whether you ever uploaded the key to the keyserver, you can search for it before sending the revocation:

$ gpg --keyserver <KEY-SERVER-URL> --search-keys <GPG-KEY-ID4REVOCE>

To revoke a key on a remote keyserver, revoke it locally first (see above) and then run --send-keys, which uploads the key together with its revocation signature:

$ gpg --keyserver <KEY-SERVER-URL> --send-keys <GPG-KEY-ID4REVOCE>

Now the key is shown as revoked on the remote server as well.
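
The expiry and revocation procedures above, scripted non-interactively, as an added example that is not part of the original page: a throwaway key with an encryption subkey is created in a temporary GNUPGHOME, both keys are made to expire, both are extended (the subkey step is the one that usually gets forgotten), the public key is re-exported, and finally the key is revoked with the certificate GnuPG stored in openpgp-revocs.d at creation time, checking the key's state after each step. It uses --quick-set-expire instead of the interactive gpg> expire dialogue and reads state with --with-colons instead of grepping listings, which is what you want in automation. The user ID "Lifecycle Demo", the e-mail address and the file names are made up; GnuPG 2.2 or newer is assumed.

```shell
#!/bin/sh
# Added example, not code from the original page: the expiry and revocation
# procedures scripted against a throwaway key in a temporary GNUPGHOME.
# --quick-set-expire replaces the interactive "gpg> expire" dialogue and
# --with-colons replaces grepping human-readable listings. Assumes GnuPG >= 2.2;
# user ID and file names are made up for the demo.
set -u
command -v gpg >/dev/null 2>&1 || { echo "gpg is required" >&2; exit 1; }

WORK=$(mktemp -d)
export GNUPGHOME="$WORK/gnupghome"
mkdir -m 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$WORK"' EXIT

gpgq() {  # non-interactive gpg with an empty passphrase (throwaway key only!)
    gpg --batch --yes --quiet --pinentry-mode loopback --passphrase '' "$@"
}

# Primary signing key plus an encryption subkey. Subkeys carry their own
# expiration date, which is exactly what gets forgotten when extending a key.
gpgq --quick-generate-key "Lifecycle Demo <lifecycle@example.invalid>" ed25519 sign never
FPR=$(gpg --batch --with-colons --list-keys | awk -F: '$1=="fpr" && !f {print $10; f=1}')
gpgq --quick-add-key "$FPR" cv25519 encr never
SUBFPR=$(gpg --batch --with-colons --list-keys "$FPR" | awk -F: '$1=="fpr" && ++n==2 {print $10}')

# key_state <fpr>: "<pub|sub> <validity> <expires-epoch|never>" per key.
# Validity 'e' = expired, 'r' = revoked, 'u' = ultimately trusted (own key).
key_state() {
    gpg --batch --with-colons --list-keys "$1" \
        | awk -F: '$1=="pub" || $1=="sub" {print $1, $2, ($7=="" ? "never" : $7)}'
}
pub_validity()  { key_state "$1" | awk '$1=="pub" {print $2}'; }
pub_expiry()    { key_state "$1" | awk '$1=="pub" {print $3}'; }
expired_count() { key_state "$1" | awk '$2=="e" {n++} END {print n+0}'; }

echo "--- 1. let primary and subkey expire (one second from now)"
gpgq --quick-set-expire "$FPR" seconds=1
gpgq --quick-set-expire "$FPR" seconds=1 "$SUBFPR"
sleep 2
key_state "$FPR"
STATE_EXPIRED=$(pub_validity "$FPR")
EXPIRED_BEFORE=$(expired_count "$FPR")

echo "--- 2. extend: primary first, then every subkey"
gpgq --quick-set-expire "$FPR" 2y
gpgq --quick-set-expire "$FPR" 2y "$SUBFPR"
key_state "$FPR"
STATE_EXTENDED=$(pub_validity "$FPR")
EXPIRED_AFTER=$(expired_count "$FPR")
EXPIRES_AT=$(pub_expiry "$FPR")

# The new expiry is a fresh self-signature: re-export and redistribute the
# public key, otherwise everybody else keeps seeing the expired one.
gpg --batch --armor --export "$FPR" > "$WORK/pubkey.asc"

echo "--- 3. revoke with the certificate GnuPG created at key generation"
# The stored certificate starts with ':-----BEGIN' on purpose; strip the colon.
sed 's/^:-----BEGIN/-----BEGIN/' "$GNUPGHOME/openpgp-revocs.d/$FPR.rev" > "$WORK/revoke.asc"
gpg --batch --import "$WORK/revoke.asc"
key_state "$FPR"
STATE_REVOKED=$(pub_validity "$FPR")
# This export now carries the revocation; --send-keys would publish exactly that.
gpg --batch --armor --export "$FPR" > "$WORK/pubkey-revoked.asc"
```

Two things to take from it: run --quick-set-expire once for the primary key and once with the subkey fingerprints, and treat the .rev file as what it is, a ready-to-use revocation that anybody who can read it can publish, so keep it as protected as the secret key.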

GPG Agent

gpg-agent holds your private keys (GnuPG 2.1 and later keep them in ~/.gnupg/private-keys-v1.d, addressed by keygrip rather than by key ID) and caches their passphrases, so you are not asked again for every single operation.

GPG Connect Agent

The gpg-connect-agent is used to connect to the gpg-agent and interact with it.

$ gpg-connect-agent
> [your command]
> [bye to leave; Ctrl-D works as well]

To list all keys the agent knows about, run keyinfo --list (the "S KEYINFO" lines are status lines, "OK" means the command succeeded):

$ gpg-connect-agent
> keyinfo --list
S KEYINFO 1234123412341234ASDFASDFASDF12341234ASDF D - - 1 P - - -
OK
>

The first value after KEYINFO is the keygrip, the agent's own identifier for a key (it is neither the key ID nor the fingerprint). The "D" means the key is stored on disk ("T" would mean a smartcard/token), the "1" in the cached column indicates that the passphrase for this keygrip is currently cached, for example because the key was just unlocked ("-" means it is not), and the "P" says the key is passphrase-protected. You can also pass commands to gpg-connect-agent on stdin:

$ echo "keyinfo --list" | gpg-connect-agent
S KEYINFO 1234123412341234ASDFASDFASDF12341234ASDF D - - 1 P - - -
OK

GPG2

Errors

“Inappropriate ioctl for device”

This error comes from pinentry: gpg cannot find the terminal on which to ask for your passphrase (typical over ssh or in scripts). Add the export for GPG_TTY to your ~/.profile, ~/.bashrc, ~/.zshrc or whatever you use, like this:

export GPG_TTY=$(tty)

Restart your shell/session (or tell the running agent about the terminal with gpg-connect-agent updatestartuptty /bye) and you are good to go.

Export and Import private keys

To migrate your private key with all its subkeys, export it on the machine where it is stored:

$ gpg -a --export-secret-keys "[mail|key-id]" > private.key

If the key is passphrase-protected you are asked for the passphrase (the export stays protected with it), and the file gets created. Treat that file like the key itself: move it over an encrypted channel and delete it from the transport medium afterwards.

If you move the key for good, don't forget the revocation certificates, e.g. ~/.gnupg/openpgp-revocs.d/*.rev, and your ownertrust settings (gpg --export-ownertrust / --import-ownertrust) if the trust you assigned to other keys should follow you.

On the other machine just import the file; the --allow-secret-key-import option that older guides mention is obsolete in GnuPG 2 and does nothing. You will get the passphrase dialog again.

$ gpg --import private.key

After that, set the imported key to ultimate (owner)trust, since it is your own key; otherwise signatures made with it show up as untrusted:

$ gpg --edit-key [keyid]
gpg (GnuPG) 2.2.27; Copyright (C) 2021 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

sec  ed25519/AAAAAAAAAABBBBBB
     created: 2021-04-20  expires: 2042-04-20  usage: SC
     trust: <trustvalue>  validity: <validityvalue>
ssb  cv25519/CCCCCCCCCCDDDDDD
     created: 2021-04-20  expires: 2042-04-20  usage: E
[<trustvalue>] (1). My Fancy Name <my_fany_name@my_fancy_domain.me>
[<trustvalue>] (2). My Fancy Name <my_fany_name@my_fancy_domain.me2>

gpg> trust

Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

  1 = I don't know or won't say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately
  m = back to the main menu

Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y

sec  ed25519/AAAAAAAAAABBBBBB
     created: 2021-04-20  expires: 2042-04-20  usage: SC
     trust: ultimate      validity: ultimate
ssb  cv25519/CCCCCCCCCCDDDDDD
     created: 2021-04-20  expires: 2042-04-20  usage: E
[ultimate] (1). My Fancy Name <my_fany_name@my_fancy_domain.me>
[ultimate] (2). My Fancy Name <my_fany_name@my_fancy_domain.me2>

gpg> save

And you are done ;)

Delete only private key from keyring

Make sure you know what you are doing, and have a backup of your gpg home somewhere first.

If you only want to remove your private key from the keyring use --delete-secret-keys instead of --delete-keys (which removes the public key and refuses to run while a secret key for it still exists). --homedir points at the GnuPG home directory to operate on; leave it out to use ~/.gnupg.

gpg --homedir ./ --delete-secret-keys AAAAAAAAAAAAAABBBBBBBBBBBBBBEEEEEEEEEEEE
gpg (GnuPG) 2.2.27; Copyright (C) 2021 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.


sec  rsa8192/BBBBEEEEEEEEEEEE 2021-04-20 My Fancy Name <my_fancy_name@delete_privatekey_of.me>

Delete this key from the keyring? (y/N) y
This is a secret key! - really delete? (y/N) y

For each subkey you have, you get an additional question whether you really want to remove it.

After that, gpg --list-keys still shows the public keys, while gpg --list-secret-keys no longer lists the key.