Simple guide to gpg
$Id: gpg.txt,v 1.3 2002/07/31 15:28:36 mbm Exp $

GENERATING KEYS
gpg --gen-key                                   - generates a key (note
                                                  that this uses the
                                                  blocking /dev/random
                                                  device, and so is best
                                                  done at a machine with
                                                  a console)

USEFUL OPTIONS
gpg -a ...                                      - produce signatures and
                                                  ciphertext as "ascii
                                                  armoured", ie base64
                                                  encoded
SIGNING AND VERIFYING
cat file | gpg --clearsign > file_with_sig      - signature in ASCII text
                                                  like you see on non-Mutt
                                                  mails. Escapes the '-'.
gpg --verify file_with_sig                      - verifies a file with an
                                                  inline signature
gpg -b <file >file.sig                          - create a detached signature
gpg --verify file.sig < file                    - verifies the detached
                                                  signature in file.sig
                                                  corresponds to file.
ENCRYPTION AND DECRYPTION
gpg -e -r email@address.tld <file               - encrypt file to key in
                                                  keyring corresponding to
                                                  email@address.tld, multiple
                                                  -r options may be specified.
gpg --decrypt < file                            - decrypt file with your key.
(at this point, I should note that setting encrypt-to your@email.address in
 the options file is a good plan as this will make sure your key can also
 decrypt any message you send).

KEY MANAGEMENT
gpg --list-keys                                 - list the public keys in
                                                  your keyring.
gpg --list-secret-keys                          - list the secret keys in
                                                  your keyring.
gpg --fingerprint --list-keys                   - with fingerprints
gpg --with-colons --fixed-list-mode --list-keys - do it in a format suitable
                                                  for machine reading.
gpg --list-sigs                                 - list the signatures on a
                                                  key.
gpg --edit-key email@address.tld                - go in and edit details of
                                                  this key. (see commands
                                                  below, this is interactive)
gpg --recv-keys 0xd9c1eb11                      - get from the keyserver a
                                                  copy of the key with id
                                                  0xd9c1eb11. (You set the
                                                  keyserver in the options
                                                  file, as there is a comment
                                                  in the default one.) This
                                                  will have all the signatures
                                                  that the keyserver knows
                                                  about.
gpg --send-keys 0xd9c1eb11                      - send to the keyserver a
                                                  copy of the key with id
                                                  0xd9c1eb11.
(in the above cases, it is worth noting that merges will happen sensibly).
gpg --export email@address.tld                  - extract the key from your
                                                  keyring file, and put it
                                                  on stdout. Sensibly used
                                                  in conjunction with -a.

  EDITING KEYS (UID)
  uids will be listed as:
   (1). Matthew Byng-Maddick <mbm@colondot.net>
  or
   (1)  Matthew Byng-Maddick <mbm@colondot.net>
  if they are "unselected" and
   (1)* Matthew Byng-Maddick <mbm@colondot.net>
  if they are "selected". The "." represents a "primary" userid for the key.
  In the above example, typing `1' at the "Command> " prompt will select
  and unselect the uid.

  o If this is your own key:
    adduid                        - add a userid
    deluid                        - delete all selected userids
    passwd                        - change the key passphrase
  o If not you will basically want:
    sign                          - sign this person's key (generally having
                                    done appropriate fingerprint checking).
                                    The signature that will be created is
                                    marked as exportable, and unless uids
                                    are selected, you'll only sign the
                                    primary uid. Otherwise you'll sign all
                                    that are selected.
    lsign                         - as above, but the signature will never
                                    be exported.
    revsig                        - create a certificate of revocation for
                                    your signatures on these keys.

  EDITING KEYS (SUBKEYS)
  If you've set your key to expire what will actually happen is that the
  main key (the signing key) stays valid for ever, but the encryption
  subkey is the part that expires. When it expires, you'll need to add
  a new subkey signed with your main key, with the new expiry date on it.
    key <n>                       - select the subkey n (n will almost
                                    always be 1, for the main subkey)
    delkey                        - this will delete the currently selected
                                    subkey, prompting you to confirm
    addkey                        - prompt for creation of a new subkey,
                                    with the full options. You'll almost
                                    certainly want a type '3' key as the
                                    subkey is normally used for encryption.