... | ... | @@ -17,6 +17,18 @@ |
|
|
- Use a future proof algorithm when generating the key pair
|
|
|
- RSA >= 4096 bit
|
|
|
- ECC Curve25519
|
|
|
- Create a key with a valid encryption subkey (`E`), so that encrypted verification tokens can be received.
|
|
|
- Create a key with signing capabilities on the root key (`S` - this is the default), as otherwise the root key has to be (temporarily) modified to accommodate the key verification process:
|
|
|
|
|
|
```shell
|
|
|
gpg --edit-key $KEYID # drops into an interactive prompt within gpg
|
|
|
change-usage
|
|
|
S # toggle signing capabilities on root key
|
|
|
Q # finish adjustment
|
|
|
save # if required, save key
|
|
|
gpg --local-user $KEYID! --clear-sign $FILE_TO_SIGN # make note of the postfix ! on $KEYID
|
|
|
# then follow above steps to remove signing capabilities
|
|
|
```
|
|
|
|
|
|
# Validating a key pair
|
|
|
- Use `sq-keyring-linter` from the `sequoia-keyring-linter` package to perform basic certificate checks (e.g. use of the unsafe SHA-1 checksum algorithm):
|
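Review bot: The `shell` fence in the signing-capabilities bullet mixes real shell commands with input typed at the interactive gpg prompt (`change-usage`, `S`, `Q`, `save`), so a reader who pastes the block will have the shell try to run `change-usage` as a command. Consider marking those four lines as prompt input (for example with a `gpg>` prefix) or moving the two `gpg ...` invocations into their own block. The comment on `gpg --local-user $KEYID! --clear-sign $FILE_TO_SIGN` asks the reader to note the `!` postfix but does not say why; one clause explaining that it forces gpg to sign with exactly that key instead of picking a signing subkey would make the step self-explanatory. Quoting `$FILE_TO_SIGN` would also keep the command working for paths that contain spaces. Finally, "then follow above steps to remove signing capabilities" leaves the root key with `S` enabled if the reader stops early, so it may be worth spelling out the toggle-back sequence instead of referring to it.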
... | ... | |