🔑 GPG

Generate Key

gpg --full-generate-key

Import

lpass show gpg --attach=8017296795546256342-55097 -q | gpg --import
gpg --import secret.asc

Trust Own Key

# https://unix.stackexchange.com/a/407070/93726
gpg --edit-key [email protected]

gpg> trust

Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

  1 = I don't know or won't say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately
  m = back to the main menu

Your decision? 5
gpg> save

🖋 Sign Others' Keys

wget http://example.com/pgp-public-key -O- | gpg --import
gpg --list-keys
gpg --sign-key [email protected]

List

# Secret keys
gpg --list-secret-keys --keyid-format LONG
# All keys
gpg --list-keys --keyid-format LONG

Submit to Keyserver

gpg --keyid-format LONG --list-keys [email protected]
pub   rsa4096/ABCDEF0123456789 2018-01-01 [SCEA] [expires: 2021-01-01]
      ABCDEF0123456789ABCDEF0123456789
uid              [ ultimate ] John Doe
gpg --keyserver keyserver.ubuntu.com --send-keys ABCDEF0123456789

Revocation Certificate

gpg --output revoke.asc --gen-revoke [email protected]

Export

gpg --export-secret-keys --armor $EMAIL > /path/to/secret-key-backup.asc
gpg --export --armor $EMAIL > /path/to/public-key-backup.asc

Keygrip to match *.key filenames in ~/.gnupg/private-keys-v1.d directory

gpg --list-secret-keys --with-keygrip
gpg --list-keys --with-keygrip

Get Key ID

# Short (8 hex digit) ID of the last key listed; needs bash and GNU sed (\s)
key=$(gpg --list-keys | sed -n '/^\s/s/\s*//p') && echo "0x${key:(-8)}"
# 0x08B7D7A3
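
The `wget ... | gpg --import` step under Sign Others' Keys and the 8-digit ID under Get Key ID both stop short of comparing a full fingerprint. This added example (not part of the original page) parses `gpg --with-colons` output and accepts a key only when its primary fingerprint equals one obtained out of band. The function names, the sample records and `EXPECTED_FPR` are assumptions made for illustration.

```shell
# Added example, not from the original page. File name and expected
# fingerprint in the usage line are placeholders supplied by the reader.

# Constructed sample of `gpg --with-colons` output: one primary key, one subkey.
sample_colons() {
  cat <<'EOF'
pub:-:4096:1:0123456789ABCDEF:1514764800:1609459200::-:::scESCA:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF0123456789ABCDEF:
uid:-::::1514764800::::John Doe <john@example.com>:
sub:-:4096:1:7777888899990000:1514764800::::::e:
fpr:::::::::1111222233334444555566667777888899990000:
EOF
}

# Print primary-key fingerprints from colon-format output on stdin.
# A "pub"/"sec" record starts a key; the next "fpr" record holds its
# fingerprint in field 10. Fingerprints after "sub"/"ssb" are subkeys.
primary_fingerprints() {
  awk -F: '
    $1 == "pub" || $1 == "sec" { want = 1; next }
    $1 == "sub" || $1 == "ssb" { want = 0; next }
    $1 == "fpr" && want        { print $10; want = 0 }
  '
}

# Normalise a fingerprint as people write it: drop spaces and 0x, upper-case.
normalise_fpr() {
  printf '%s' "$1" | tr -d ' \t\n' | sed 's/^0[xX]//' | tr 'a-f' 'A-F'
}

# fingerprint_matches EXPECTED < colon-output
# Returns 0 only if stdin holds exactly one primary key whose fingerprint
# equals EXPECTED; 2 if EXPECTED is not a full 40-hex-digit (v4) fingerprint,
# 3 if the input does not contain exactly one primary key, 1 on mismatch.
fingerprint_matches() {
  _exp=$(normalise_fpr "$1")
  _found=$(primary_fingerprints)
  printf '%s' "$_exp" | grep -Eq '^[0-9A-F]{40}$' || return 2
  [ "$(printf '%s\n' "$_found" | grep -c .)" -eq 1 ] || return 3
  [ "$_found" = "$_exp" ]
}

# Usage: inspect the downloaded file without importing it, then import on match.
#   gpg --show-keys --with-colons pgp-public-key \
#     | fingerprint_matches "$EXPECTED_FPR" && gpg --import pgp-public-key
```

A short or long key ID is rejected with status 2, so the comparison can never fall back to the collision-prone 8-digit form.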

Restart Agent on Windows

gpg-connect-agent reloadagent /bye

Refresh Keys

gpg --refresh-keys --keyserver keyserver.ubuntu.com

Pinentry Mode

gpg --pinentry-mode loopback --import <file>.asc

Validity Unknown

gpg --check-trustdb
gpg --update-trustdb

Show Subkey Fingerprints

gpg -K --with-subkey-fingerprints

Unlock Key

To manually force a passphrase prompt and "unlock" the key, you can run a simple GPG command that requires it, such as:

gpg -s

This command initiates a signature process on standard input. It will prompt you to type some text and then ask for your passphrase to sign it. Once you've entered the passphrase, you can press Ctrl+D twice to exit the command. Your key will then be unlocked and cached by gpg-agent.

Type something.

References