@MatthewVance
Last active July 23, 2019 22:43
GPG related configuration options. More secure but less interoperable than typical defaults.
log-file ~/.gnupg/dirmngr.log
debug-level basic
verbose
# disable-ipv6
keyserver hkps://hkps.pool.sks-keyservers.net
hkp-cacert /etc/ssl/certs/sks-keyservers.netCA.pem
# Options for GnuPG
# Copyright 1998, 1999, 2000, 2001, 2002, 2003,
# 2010 Free Software Foundation, Inc.
#
# This file is free software; as a special exception the author gives
# unlimited permission to copy and/or distribute it, with or without
# modifications, as long as this notice is preserved.
#
# This file is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY, to the extent permitted by law; without even the
# implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
#
##Use a hkps pool as my keyserver
keyserver hkps://hkps.pool.sks-keyservers.net
#Ignore any keyservers pointed to by a key so hkps (the pool set above) will always be used
keyserver-options no-honor-keyserver-url
# Don't forget the implied cipher, digest, and compression preferences, which are added automatically if not set explicitly: https://www.gnupg.org/documentation/manuals/gnupg/OpenPGP-Key-Management.html
personal-cipher-preferences AES256,AES192,AES
personal-digest-preferences SHA512,SHA384,SHA256
#use SHA512 when signing keys
cert-digest-algo SHA512
#tell the world my keys require something from this list be used
default-preference-list SHA512 SHA384 SHA256 AES256 AES192 AES ZLIB ZIP Uncompressed
# Tell GPG to try using GnuPG-Agent before asking for a passphrase.
use-agent
# Do not automatically locate and retrieve keys as needed
no-auto-key-locate
#Hide the version string in ASCII armored output
no-emit-version
#Do not merge primary user ID and primary key in --with-colon listing mode and print all timestamps as seconds since 1970-01-01
fixed-list-mode
#Show the 16-character key ID with 0x before it
keyid-format 0xlong
#Display the calculated validity of the user IDs on the key that issued the signature and during key listings
verify-options show-uid-validity
list-options show-uid-validity
# Use name as the cipher algorithm used to protect secret keys.
s2k-cipher-algo AES256
# Use name as the digest algorithm used to mangle the passphrases.
s2k-digest-algo SHA512
# Selects how passphrases are mangled. If n is 0 a plain passphrase (which is
# not recommended) will be used, a 1 adds a salt to the passphrase and a 3
# (the default) iterates the whole process a number of times
# (see --s2k-count). Unless --rfc1991 is used, this mode is also used for
# conventional encryption.
s2k-mode 3
# Specify how many times the passphrase mangling is repeated.
s2k-count 131072
# Remove all comments. It is a good idea Note that comment lines,
# like all other header lines, are not protected by the signature.
no-comments
# Same as the command --fingerprint but changes only the format of the output
# and may be used together with another command.
with-fingerprint
# When verifying a signature made from a subkey, ensure that the cross
# certification "back signature" on the subkey is present and valid.
# This protects against a subtle attack against subkeys that can sign.
# Defaults to --require-cross-certification for gpg2.
require-cross-certification
# --throw-keyids: Do not put the recipient key IDs into encrypted messages.
# This helps to hide the receivers of the message and is a limited
# countermeasure against traffic analysis. (Using a little social engineering,
# anyone who is able to decrypt the message can check whether one of the other
# recipients is the one he suspects.) On the receiving side, it may slow down
# the decryption process because all available secret keys must be tried.
# --no-throw-keyids disables this option. This option is essentially the same
# as using --hidden-recipient for all recipients.
throw-keyids
# Suppress the initial copyright message but do not enter batch mode.
no-greeting
# Set the name of the native character set.
charset utf8
# Assume that the arguments are already given as UTF8 strings. The default
# (--no-utf8-strings) is to assume that arguments are encoded in the
# character set as specified by --charset. These options affect all
# following arguments. Both options may be used multiple times.
utf8-strings
#Set default-key
##default-key 0x123...REPLACE with your key
gpg --import fake
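# Download the HKPS pool CA cert and its detached signature (run from ~/Downloads/opgp, the path the verify step uses)
curl --tlsv1.2 -L https://sks-keyservers.net/sks-keyservers.netCA.pem -O
curl --tlsv1.2 -L https://sks-keyservers.net/sks-keyservers.netCA.pem.asc -O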
# Move hkps pool cert to cert store
sudo cp -v sks-keyservers.netCA.pem /etc/ssl/certs/
# Import key for HKPS signature
gpg --recv-key 0x0B7F8B60E3EDFAE3
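# Verify HKPS cert against its detached signature. The cert was already copied
# into the cert store above (hkp-cacert in dirmngr.conf needs it for --recv-key),
# so remove it from /etc/ssl/certs/ if this check fails.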
gpg --verify ~/Downloads/opgp/sks-keyservers.netCA.pem.asc /etc/ssl/certs/sks-keyservers.netCA.pem
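
The `s2k-mode 3`, `s2k-digest-algo SHA512`, `s2k-cipher-algo AES256` and `s2k-count 131072` settings in the gpg.conf above, worked through as an added example (not part of the original gist): under RFC 4880's iterated and salted S2K the count is stored as one coded octet and counts octets fed to the hash, not repetitions. Function names, the salt and the passphrase are constructed for illustration.

```python
import hashlib

def decode_count(coded: int) -> int:
    """RFC 4880 section 3.7.1.3: expand the one-octet coded count."""
    return (16 + (coded & 15)) << ((coded >> 4) + 6)

def encode_count(count: int) -> int:
    """Smallest coded octet whose decoded value is >= count."""
    return next((c for c in range(256) if decode_count(c) >= count), 255)

def s2k_iterated_salted(passphrase: bytes, salt: bytes, coded: int,
                        keylen: int = 32, digest: str = "sha512") -> bytes:
    """Derive keylen bytes (32 = an AES256 key) the way s2k-mode 3 does."""
    data = salt + passphrase
    # The count is octets hashed; salt+passphrase is always hashed at least once.
    count = max(decode_count(coded), len(data))
    full, rest = divmod(count, len(data))
    key, zeros = b"", 0
    while len(key) < keylen:
        # Extra hash contexts (only needed for short digests) are preloaded
        # with one more zero octet each.
        h = hashlib.new(digest, b"\x00" * zeros)
        for _ in range(full):
            h.update(data)
        h.update(data[:rest])
        key += h.digest()
        zeros += 1
    return key[:keylen]

def repetitions(passphrase: bytes, coded: int, salt_len: int = 8) -> float:
    """How many times salt+passphrase is actually fed to the hash."""
    return decode_count(coded) / (salt_len + len(passphrase))

if __name__ == "__main__":
    coded = encode_count(131072)           # s2k-count from the gpg.conf above
    salt = bytes(range(8))                 # constructed; real salts are random
    pw = b"constructed sample passphrase"  # constructed sample input
    print(hex(coded), decode_count(coded))
    print(round(repetitions(pw, coded)), "repetitions of salt+passphrase")
    print(s2k_iterated_salted(pw, salt, coded).hex())
```

The representable counts run from 1024 (coded 0x00) to 65011712 (coded 0xff), and a longer passphrase means fewer repetitions for the same `s2k-count`.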