authorTom Ryder <tom@sanctum.geek.nz>2014-11-13 11:13:20 +1300
committerTom Ryder <tom@sanctum.geek.nz>2014-11-13 11:13:20 +1300
commit91633c46338ddac59e2e4f1ad7f44870d471fce5 (patch)
treece3c1342c9ee870672f16f35bd23915b7e0a8c6a /gnupg/gpg.conf.m4
parentDon't use Pathogen if Vim is ancient (diff)
Generate gpg.conf from m4 template on make call
We have to do this because gpg.conf doesn't understand tilde or environment variable expansion in the configuration file, and the only reliable way to make the ca-cert-file option work between different implementations of gpg(1) and its cURL link is to explicitly specify the path to the CA file. This is probably a better approach than installing the thing as a trusted system CA anyway, which requires root privileges that I don't really want to assume anyone installing this has. I'm also including the CA, CRL, and .pem for the SKS keyservers in this commit. This seems a lesser evil than trying to pull them with cURL or wget at make(1) time.
Diffstat (limited to 'gnupg/gpg.conf.m4')
-rw-r--r--gnupg/gpg.conf.m453
1 files changed, 53 insertions, 0 deletions
diff --git a/gnupg/gpg.conf.m4 b/gnupg/gpg.conf.m4
new file mode 100644
index 00000000..81a95f3d
--- /dev/null
+++ b/gnupg/gpg.conf.m4
@@ -0,0 +1,53 @@
+# Retrieve certs automatically if possible
+auto-key-locate cert pka
+
+# Prevent boilerplate about needing key decryption, which is handled by the
+# agent; the gpg function in my Bash scripts overrides this for certain
+# commands where it interferes
+batch
+
+# Use SHA512 as the hash when making key signatures
+cert-digest-algo SHA512
+
+# Specify the hash algorithms to be used for new keys as available
+default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
+
+# In the absence of any other recipient, encrypt messages for myself
+default-recipient-self
+
+# Show complete dates and use proper column separation for --with-colon listing mode
+fixed-list-mode
+
+# Use 16-character key IDs as the default 8-character key IDs can be forged
+keyid-format 0xlong
+
+# Use a pool of servers which support HKPS (encrypted key retrieval)
+keyserver hkps://hkps.pool.sks-keyservers.net
+
+# Retrieve keys automatically; check the keyserver port cert; use whichever
+# server is proffered from the pool
+keyserver-options auto-key-retrieve check-cert no-honor-keyserver-url ca-certfile=DOTFILES_HOME/.gnupg/sks-keyservers.net/sks-keyservers.netCA.pem
+
+# Include trust/validity for UIDs in listings
+list-options show-uid-validity
+
+# Suppress the copyright message
+no-greeting
+
+# Use SHA512 as my message digest, overriding GnuPG's efforts to use the lowest
+# common denominator in hashing algorithms
+personal-digest-preferences SHA512
+
+# Suppress a lot of output; sometimes I add --verbose to undo this
+quiet
+
+# Use the GPG agent for key management and decryption
+use-agent
+
+# Include trust/validity for UIDs when verifying signatures
+verify-options pka-lookups show-uid-validity
+
+# Assume "yes" is the answer to most questions, that is, don't keep asking me
+# to confirm something I've asked to be done
+yes
+
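Review bot: The automatic lookups enabled here — `auto-key-locate cert pka` on the first hunk line, `auto-key-retrieve` in `keyserver-options`, and `pka-lookups` in `verify-options` — make routine encrypt and verify runs emit unattended DNS and keyserver queries that reveal which addresses and key IDs are in use, and only the HKPS leg is covered by the `check-cert`/`ca-certfile` pair, since the CERT and PKA lookups are plain DNS. The existing comments describe the convenience but not this trade-off, so a line such as `# Note: CERT/PKA lookups and auto-key-retrieve make gpg query DNS/keyservers on most encrypt/verify runs` above `auto-key-locate` would tell a reader what they are opting into, especially as `batch` and `yes` remove any prompt. The `ca-certfile=DOTFILES_HOME/...` value also depends on m4 substituting `DOTFILES_HOME`; if the macro is undefined the literal text is left in place and the CA file is simply not found, which presumably makes `check-cert` reject the keyserver rather than fall back, so a header comment stating that the name must be defined on the m4 command line would make that failure mode explicit.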