GnuPG Cheatsheet

These are important but not so commonly used. Therefore, I noted down some critical parts of it in case I need them in the future.

Create Keys

The interactive way:

gpg --expert --full-gen-key

Delete Keys

Delete Subkeys

$ gpg --edit-key $KEYID
gpg> list
gpg> key 1
gpg> delkey
gpg> save

Delete Specific Secret Keys

$ gpg-connect-agent "HELP DELETE_KEY" /bye
# DELETE_KEY [--force|--stub-only] <hexstring_with_keygrip>
#
# Delete a secret key from the key store.  If --force is used
# and a loopback pinentry is allowed, the agent will not ask
# the user for confirmation.  If --stub-only is used the key will
# only be deleted if it is a reference to a token.
OK

To delete a specific secret key (secret master key or secret subkey), you have to first obtain the target secret key’s keygrip. Then use the keygrip to delete the correct secret key:

gpg --list-secret-keys --with-keygrip starbops@hey.com
gpg-connect-agent "DELETE_KEY $KEYGRIP" /bye

Sign Data

Content with signature in binary format (generates $FILE.gpg):

gpg --local-user $SIGNING_KEYID --sign $FILE

Content with signature in ASCII format (generates $FILE.asc):

gpg --local-user $SIGNING_KEYID --sign --armor $FILE

Content followed by signature in ASCII format (generates $FILE.asc):

gpg --local-user $SIGNING_KEYID --clear-sign $FILE

Only signature in binary format (generates $FILE.gpg):

gpg --local-user $SIGNING_KEYID --detach-sign $FILE

Only signature in ASCII format (generates $FILE.asc):

gpg --local-user $SIGNING_KEYID --detach-sign --armor $FILE

Interact with Other People

When you go to some key-signing parties, you might exchange fingerprints with people (maybe it’s on your business card)

Upload Public Keys

There’re several public GPG key servers. You have to upload your public key to one of them.

• keyserver.ubuntu.com
• keys.openpgp.org
• pgp.mit.edu
• pgp.uni-mainz.de
• pgp.net.nz

gpg --keyserver $KEYSERVER --send-keys $KEYID

Download Other People’s Public Key

gpg --keyserver $KEYSERVER --recv-keys $KEYID

Or, if you don’t know what the ID is for the key, specify the UID (email address):

gpg --keyserver $KEYSERVER --search-keys $UID

After you download their public keys, you could check their signatures, sign them, or use them to encrypt data, then transfer the protected data back to their owner via email. Lots of things could be done!

Oh, BTW, if you encounter any Network is unreachable issue during sending, receiving, or even searching keys on any keyserver, try this. Make sure you add this line in your ~/.gnupg/dirmngr.conf:

standard-resolver

To make the config take effect, reload dirmngr process by:

gpgconf --reload dirmngr

Now you should be all good. I encountered this on my M1 Mac mini environment. Not sure what the root cause is. Maybe it’s a bug on the M1 version of gpg.

Sign Public Keys

Signing other people’s public keys is a very serious thing. You should check the key’s fingerprint with its owner face to face. If not possible, schedule a video meeting. This is to keep the authenticity of the key, making sure that the key owner owns the key you’re going to sign.

To sign a public key, you can do the following (if you have multiple keys in your GPG keyring, you have to decide which key is the signing key with --default-key $SIGNING_KEYID or --local-user $SIGNING_KEYID):

gpg --local-user $SIGNING_KEYID --sign-key $TARGET_KEYID

Or, if you prefer the interactive way:

$ gpg --local-user $SIGNING_KEYID --edit-key $TARGET_KEYID
gpg> list
gpg> sign
gpg> save

Check Key Signature

gpg --check-sigs $KEYID

References

• Delete secret subkeys
• Delete subkeys (pub + secret)
• Choose different secret keys to sign different public keys
• Signing keys
• Signing someone’s GPG key