--- /dev/null
+no-greeting
+# Don't leak information by automatically trying to get keys.
+no-auto-key-locate
+
+# Set the charset to UTF-8; you should make sure that your terminal correctly implements UTF-8 support.
+# TODO(dlg): vttest?
+charset utf-8
+display-charset utf-8
+
+# Display long keyids and fingerprints by default
+keyid-format 0xlong
+with-fingerprint
+verbose
+# Never show photos, but show all notations and signature subpackets
+list-options show-policy-urls no-show-photos show-notations show-keyserver-urls show-uid-validity show-sig-subpackets
+verify-options show-policy-urls no-show-photos show-notations show-keyserver-urls show-uid-validity no-pka-lookups no-pka-trust-increase
+
+# Disable truncating DSA2 message hashes (yes, that's what this does)
+disable-dsa2
+
+# Use the https-secured HKPS pool. The sks-keyservers.net CA is available at https://sks-keyservers.net/sks-keyservers.netCA.pem
+keyserver hkps://hkps.pool.sks-keyservers.net
+keyserver-options check-cert ca-cert-file=~/.gnupg/sks-keyservers.netCA.pem keep-temp-files verbose verbose debug no-honor-keyserver-url no-auto-key-retrieve no-honor-pka-record
+
+# Some options to avoid stupid behaviors.
+require-cross-certification
+force-v4-certs
+import-options no-repair-pks-subkey-bug import-clean
+export-options export-clean
+force-mdc
+
+# Use a real encryption algorithm to protect the secret keyring, rather than CAST5.
+s2k-cipher-algo AES256
+s2k-digest-algo SHA512
+s2k-mode 3
+
+# This is the maximum iteration count. It's way too small. You should entomb or just
+# scrypt your private keyring when not in use.
+s2k-count 65011712
+
+# Human-readable version of cipher preferences:
+# Cipher: AES256, AES192, AES, TWOFISH, BLOWFISH, CAMELLIA256, CAMELLIA192, CAMELLIA128
+# rationale: AES is best-studied. Twofish and Blowfish second-best. CAMELLIA is believed
+# to be as strong as AES but much less studied. (You may prefer moving AES128 lower.)
+# Digest: SHA512, SHA384, SHA224, SHA256, RIPEMD160
+# rationale: SHA2 is still considered strong. RIPEMD160 is believed better than SHA-1.
+# Compression: ZLIB, BZIP2, ZIP, Uncompressed
+# rationale: Personal preference.
+
+# Set cipher preferences for encryption/signing to other users.
+# NB: This does not prevent an 3DES, IDEA, or MD5 from being used, if the recipient
+# prefers it.
+personal-cipher-preferences S9 S8 S7 S10 S4 S13 S12 S11
+personal-digest-preferences H10 H9 H11 H8 H3 H2
+personal-compress-preferences Z2 Z3 Z1 Z0
+
+disable-cipher-algo CAST5 IDEA
+# Regrettably, not supported by GnuPG
+# disable-digest-algo MD5
+
+# Set the default preference list for new public keys.
+default-preference-list S9 S8 S7 S10 S4 S13 S12 S11 H10 H9 H11 H8 H3 H2 Z2 Z3 Z1 Z0
projects / dotfiles / commitdiff