kristianf@ares ~ $ cd /tmp/
kristianf@ares /tmp $ ls
firefox_kristianf
pulse-PKdhtXMmr18n
qipc_sharedmemory_qtsingleapplicationbfde75a5bf91e5179df8ee7ad4556d71fef8ca2ca6aa
qtsingleapplication-344d-3e8
qtsingleapplication-344d-3e8-lockfile
screen
thunderbird_kristianf
kristianf@ares /tmp $ mkdir blueknight-gnupg
kristianf@ares /tmp $ cd blueknight-gnupg/
kristianf@ares /tmp/blueknight-gnupg $ ls
kristianf@ares /tmp/blueknight-gnupg $ gpg --homedir . --full-gen-key
gpg: WARNING: unsafe permissions on homedir '/tmp/blueknight-gnupg'
gpg (GnuPG) 2.1.21; Copyright (C) 2017 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: keybox '/tmp/blueknight-gnupg/pubring.kbx' created
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 4
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: Test User 1
Email address: test@example.com
Comment:
You selected this USER-ID:
    "Test User 1 <test@example.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: /tmp/blueknight-gnupg/trustdb.gpg: trustdb created
gpg: key 3CF9340634956BDD marked as ultimately trusted
gpg: directory '/tmp/blueknight-gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/tmp/blueknight-gnupg/openpgp-revocs.d/614151853A25D2F6DD1D9EDF3CF9340634956BDD.rev'
public and secret key created and signed.

Note that this key cannot be used for encryption.  You may want to use
the command "--edit-key" to generate a subkey for this purpose.
pub   rsa2048 2017-06-08 [SC]
      614151853A25D2F6DD1D9EDF3CF9340634956BDD
      614151853A25D2F6DD1D9EDF3CF9340634956BDD
uid                      Test User 1 <test@example.com>

kristianf@ares /tmp/blueknight-gnupg $ gpg --homedir . --full-gen-key
gpg: WARNING: unsafe permissions on homedir '/tmp/blueknight-gnupg'
gpg (GnuPG) 2.1.21; Copyright (C) 2017 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 4
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: Local CA
Email address: ca@example.com
Comment:
You selected this USER-ID:
    "Local CA <ca@example.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key 5443DA92C37DC66F marked as ultimately trusted
gpg: revocation certificate stored as '/tmp/blueknight-gnupg/openpgp-revocs.d/A999E9C975B85CCACE4304855443DA92C37DC66F.rev'
public and secret key created and signed.

Note that this key cannot be used for encryption.  You may want to use
the command "--edit-key" to generate a subkey for this purpose.
pub   rsa2048 2017-06-08 [SC]
      A999E9C975B85CCACE4304855443DA92C37DC66F
      A999E9C975B85CCACE4304855443DA92C37DC66F
uid                      Local CA <ca@example.com>

kristianf@ares /tmp/blueknight-gnupg $ man gpg
GPG2(1)                      GNU Privacy Guard 2.1                      GPG2(1)

NAME
       gpg2 - OpenPGP encryption and signing tool

SYNOPSIS
       gpg2 [--homedir dir] [--options file] [options] command [args]

DESCRIPTION
       gpg2 is the OpenPGP part of the GNU Privacy Guard (GnuPG). It is a tool
       to provide digital encryption and signing services using the OpenPGP
       standard. gpg2 features complete key management and all the bells and
       whistles you would expect from a full OpenPGP implementation.

       There are two main versions of GnuPG: GnuPG 1.x and GnuPG 2.x.  GnuPG
       2.x supports modern encryption algorithms and thus should be preferred
       over GnuPG 1.x.  You only need to use GnuPG 1.x if your platform
       doesn't support GnuPG 2.x, or you need support for some features that
       GnuPG 2.x has deprecated, e.g., decrypting data created with PGP-2
       keys.

       In contrast to the standalone command gpg from GnuPG 1.x, the 2.x
       version is commonly installed under the name gpg2.
...skipping...
              For each signature listed, there are several flags in between
              the "sig" tag and keyid. These flags give additional information
              about each signature.
              From left to right, they are the numbers 1-3 for certificate
              check level (see --ask-cert-level), "L" for a local or
              non-exportable signature (see --lsign-key), "R" for a
              nonRevocable signature (see the --edit-key command "nrsign"),
              "P" for a signature that contains a policy URL (see
              --cert-policy-url), "N" for a signature that contains a
              notation (see --cert-notation), "X" for an eXpired signature
              (see --ask-cert-expire), and the numbers 1-9 or "T" for 10 and
              above to indicate trust signature levels (see the --edit-key
              command "tsign").

       --check-signatures
       --check-sigs
              Same as --list-signatures, but the signatures are verified.
              Note that for performance reasons the revocation status of a
              signing key is not shown.  This command has the same effect as
              using --list-keys with --with-sig-check.

              The status of the verification is indicated by a flag directly
              following the "sig" tag (and thus before the flags described
              above for --list-signatures). A "!" indicates that the
              signature has been successfully verified, a "-" denotes a bad
              signa‐
kristianf@ares /tmp/blueknight-gnupg $ gpg --homedir . -u ca@example.com --edit-key user@
gpg: WARNING: unsafe permissions on homedir '/tmp/blueknight-gnupg'
gpg (GnuPG) 2.1.21; Copyright (C) 2017 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: key "user@" not found: No public key
kristianf@ares /tmp/blueknight-gnupg $ gpg --homedir . -u ca@example.com --edit-key user1@example.com
gpg: WARNING: unsafe permissions on homedir '/tmp/blueknight-gnupg'
gpg (GnuPG) 2.1.21; Copyright (C) 2017 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: key "user1@example.com" not found: No public key
kristianf@ares /tmp/blueknight-gnupg $ gpg --homedir . -u ca@example.com -k
gpg: WARNING: unsafe permissions on homedir '/tmp/blueknight-gnupg'
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   2  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 2u
/tmp/blueknight-gnupg/pubring.kbx
---------------------------------
pub   rsa2048 2017-06-08 [SC]
      614151853A25D2F6DD1D9EDF3CF9340634956BDD
uid           [ultimate] Test User 1 <test@example.com>

pub   rsa2048 2017-06-08 [SC]
      A999E9C975B85CCACE4304855443DA92C37DC66F
uid           [ultimate] Local CA <ca@example.com>

kristianf@ares /tmp/blueknight-gnupg $ gpg --homedir . -u ca@example.com --edit-key test@example.com
gpg: WARNING: unsafe permissions on homedir '/tmp/blueknight-gnupg'
gpg (GnuPG) 2.1.21; Copyright (C) 2017 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

sec  rsa2048/3CF9340634956BDD
     created: 2017-06-08  expires: never       usage: SC
     trust: ultimate      validity: ultimate
[ultimate] (1). Test User 1 <test@example.com>

gpg> quit
kristianf@ares /tmp/blueknight-gnupg $ gpg --homedir . -u ca@example.com --cert-notation "test-notation@kfwebs.net=Example of cert notation" --edit-key test@example.com
gpg: WARNING: unsafe permissions on homedir '/tmp/blueknight-gnupg'
gpg (GnuPG) 2.1.21; Copyright (C) 2017 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

sec  rsa2048/3CF9340634956BDD
     created: 2017-06-08  expires: never       usage: SC
     trust: ultimate      validity: ultimate
[ultimate] (1). Test User 1 <test@example.com>

gpg> lsign

sec  rsa2048/3CF9340634956BDD
     created: 2017-06-08  expires: never       usage: SC
     trust: ultimate      validity: ultimate
 Primary key fingerprint: 6141 5185 3A25 D2F6 DD1D  9EDF 3CF9 3406 3495 6BDD

     Test User 1 <test@example.com>

Are you sure that you want to sign this key with your
key "Local CA <ca@example.com>" (5443DA92C37DC66F)

The signature will be marked as non-exportable.

Really sign? (y/N) y

gpg> save
kristianf@ares /tmp/blueknight-gnupg $ gpg --homedir . -u ca@example.com --cert-notation "test-notation@kfwebs.net=Example of cert notation" --edit-key test@example.com
gpg: WARNING: unsafe permissions on homedir '/tmp/blueknight-gnupg'
gpg (GnuPG) 2.1.21; Copyright (C) 2017 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   2  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 2u
sec  rsa2048/3CF9340634956BDD
     created: 2017-06-08  expires: never       usage: SC
     trust: ultimate      validity: ultimate
[ultimate] (1). Test User 1 <test@example.com>

gpg> trust
sec  rsa2048/3CF9340634956BDD
     created: 2017-06-08  expires: never       usage: SC
     trust: ultimate      validity: ultimate
[ultimate] (1). Test User 1 <test@example.com>

Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

  1 = I don't know or won't say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately
  m = back to the main menu

Your decision? 0
Your decision? 1

sec  rsa2048/3CF9340634956BDD
     created: 2017-06-08  expires: never       usage: SC
     trust: undefined     validity: ultimate
[ultimate] (1). Test User 1 <test@example.com>
Please note that the shown key validity is not necessarily correct
unless you restart the program.

gpg> save
Key not changed so no update needed.
kristianf@ares /tmp/blueknight-gnupg $ gpg --homedir . -u ca@example.com --cert-notation "test-notation@kfwebs.net=Example of cert notation" --edit-key test@example.com
gpg: WARNING: unsafe permissions on homedir '/tmp/blueknight-gnupg'
gpg (GnuPG) 2.1.21; Copyright (C) 2017 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   1  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: depth: 1  valid:   1  signed:   0  trust: 0-, 1q, 0n, 0m, 0f, 0u
sec  rsa2048/3CF9340634956BDD
     created: 2017-06-08  expires: never       usage: SC
     trust: undefined     validity: full
[  full  ] (1). Test User 1 <test@example.com>

gpg> check
gpg> quit
kristianf@ares /tmp/blueknight-gnupg $ gpg --homedir . -u ca@example.com --list-sigs
gpg: WARNING: unsafe permissions on homedir '/tmp/blueknight-gnupg'
/tmp/blueknight-gnupg/pubring.kbx
---------------------------------
pub   rsa2048 2017-06-08 [SC]
      614151853A25D2F6DD1D9EDF3CF9340634956BDD
uid           [  full  ] Test User 1 <test@example.com>
sig 3        3CF9340634956BDD 2017-06-08  Test User 1 <test@example.com>
sig   L  N   5443DA92C37DC66F 2017-06-08  Local CA <ca@example.com>

pub   rsa2048 2017-06-08 [SC]
      A999E9C975B85CCACE4304855443DA92C37DC66F
uid           [ultimate] Local CA <ca@example.com>
sig 3        5443DA92C37DC66F 2017-06-08  Local CA <ca@example.com>

kristianf@ares /tmp/blueknight-gnupg $ man gpg
...skipping...
              icy-url), "N" for a signature that contains a notation (see
              --cert-notation), "X" for an eXpired signature (see
              --ask-cert-expire), and the numbers 1-9 or "T" for 10 and above
              to indicate trust signature levels (see the --edit-key command
              "tsign").

       --check-signatures
       --check-sigs
              Same as --list-signatures, but the signatures are verified.
              Note that for performance reasons the revocation status of a
              signing key is not shown.  This command has the same effect as
              using --list-keys with --with-sig-check.

              The status of the verification is indicated by a flag directly
              following the "sig" tag (and thus before the flags described
              above for --list-signatures). A "!" indicates that the
              signature has been successfully verified, a "-" denotes a bad
              signature and a "%" is used if an error occurred while checking
              the signature (e.g. a non supported algorithm).

       --locate-keys
              Locate the keys given as arguments.  This command basically
              uses the same algorithm as used when locating keys for
              encryption or signing and may thus be used to see what keys
              gpg2 might use.
...skipping...
       --list-options parameters
              This is a space or comma delimited string that gives options
              used when listing keys and signatures (that is, --list-keys,
              --list-signatures, --list-public-keys, --list-secret-keys, and
              the --edit-key functions).  Options can be prepended with a
              no- (after the two dashes) to give the opposite meaning.  The
              options are:

              show-photos
                     Causes --list-keys, --list-signatures, --list-public-keys,
                     and --list-secret-keys to display any photo IDs attached
                     to the key.  Defaults to no. See also --photo-viewer.
                     Does not work with --with-colons: see --attribute-fd for
                     the appropriate way to get photo data for scripts and
                     other frontends.

              show-usage
                     Show usage information for keys and subkeys in the
                     standard key listing.  This is a list of letters
                     indicating the allowed usage for a key (E=encryption,
                     S=signing, C=certification, A=authentication).  Defaults
                     to yes.

              show-policy-urls
                     Show policy URLs in the --list-signatures or
                     --check-signatures listings.  Defaults to no.

              show-notations
              show-std-notations
              show-user-notations
                     Show all, IETF standard, or user-defined signature
                     notations in the --list-signatures or --check-signatures
                     listings.  Defaults to no.

              show-keyserver-urls
                     Show any preferred keyserver URL in the --list-signatures
                     or --check-signatures listings.  Defaults to no.

              show-uid-validity
kristianf@ares /tmp/blueknight-gnupg $ gpg --homedir . -u ca@example.com --list-options show-notations -k
gpg: WARNING: unsafe permissions on homedir '/tmp/blueknight-gnupg'
/tmp/blueknight-gnupg/pubring.kbx
---------------------------------
pub   rsa2048 2017-06-08 [SC]
      614151853A25D2F6DD1D9EDF3CF9340634956BDD
uid           [  full  ] Test User 1 <test@example.com>

pub   rsa2048 2017-06-08 [SC]
      A999E9C975B85CCACE4304855443DA92C37DC66F
uid           [ultimate] Local CA <ca@example.com>

kristianf@ares /tmp/blueknight-gnupg $ gpg --homedir . -u ca@example.com --list-options show-notations -k --list-sigs
gpg: WARNING: unsafe permissions on homedir '/tmp/blueknight-gnupg'
gpg: conflicting commands
kristianf@ares /tmp/blueknight-gnupg $ gpg --homedir . -u ca@example.com --list-options show-notations --list-sigs
gpg: WARNING: unsafe permissions on homedir '/tmp/blueknight-gnupg'
/tmp/blueknight-gnupg/pubring.kbx
---------------------------------
pub   rsa2048 2017-06-08 [SC]
      614151853A25D2F6DD1D9EDF3CF9340634956BDD
uid           [  full  ] Test User 1 <test@example.com>
sig 3        3CF9340634956BDD 2017-06-08  Test User 1 <test@example.com>
sig   L  N   5443DA92C37DC66F 2017-06-08  Local CA <ca@example.com>
   Signature notation: test-notation@kfwebs.net=Example of cert notation

pub   rsa2048 2017-06-08 [SC]
      A999E9C975B85CCACE4304855443DA92C37DC66F
uid           [ultimate] Local CA <ca@example.com>
sig 3        5443DA92C37DC66F 2017-06-08  Local CA <ca@example.com>

kristianf@ares /tmp/blueknight-gnupg $
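The session above ends by reading the `sig` flag columns by eye: the self-signature is a level-3 certification, the CA's signature is an `lsign` (`L`, non-exportable, so it never leaves this keyring even though it raised the uid to "full" validity here) and carries a notation (`N`) that only shows up with `--list-options show-notations`. The following script, an added example and not part of the original session, decodes those columns the way the quoted gpg(1) text defines them and produces a per-key list of third-party certifications with the properties a keyring review needs. The sample listing is constructed from the session output with gpg's fixed flag columns restored (the web copy collapsed the spaces, and the parser depends on them). It assumes the default long key ID format and the default `show-uid-validity`; for scripts that must survive GnuPG upgrades, `--with-colons` is the stable machine interface and the regexes here would be replaced by splitting on `:`.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed input: the `--list-options show-notations --list-sigs` output of
# the session, with gpg's fixed flag columns restored.
SAMPLE_LISTING = """\
pub   rsa2048 2017-06-08 [SC]
      614151853A25D2F6DD1D9EDF3CF9340634956BDD
uid           [  full  ] Test User 1 <test@example.com>
sig 3        3CF9340634956BDD 2017-06-08  Test User 1 <test@example.com>
sig   L  N   5443DA92C37DC66F 2017-06-08  Local CA <ca@example.com>
   Signature notation: test-notation@kfwebs.net=Example of cert notation

pub   rsa2048 2017-06-08 [SC]
      A999E9C975B85CCACE4304855443DA92C37DC66F
uid           [ultimate] Local CA <ca@example.com>
sig 3        5443DA92C37DC66F 2017-06-08  Local CA <ca@example.com>
"""

# Columns per gpg(1): a --check-sigs status right after "sig", the certificate
# check level, then L R P N X and the trust-signature level, then the
# (long-format) key ID and the date.
SIG_RE = re.compile(
    r"^(?P<kind>sig|rev)(?P<status>[!\-% ])(?P<level>[123 ]) "
    r"(?P<local>[L ])(?P<nonrev>[R ])(?P<policy>[P ])(?P<notation>[N ])"
    r"(?P<expired>[X ])(?P<tsig>[0-9T ]) (?P<keyid>[0-9A-F]{16}) "
    r"(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<signer>.*)$")
UID_RE = re.compile(r"^uid\s+\[(?P<validity>[^\]]+)\]\s+(?P<uid>.*)$")
FPR_RE = re.compile(r"^\s+(?P<fpr>[0-9A-F]{40})$")
NOTATION_RE = re.compile(r"^\s+Signature notation:\s*(?P<name>[^=]+)=(?P<value>.*)$")
STATUS = {"!": "good", "-": "bad", "%": "error", " ": "unchecked"}


@dataclass
class Signature:
    signer_keyid: str
    signer: str
    date: str
    status: str                 # only meaningful for --check-sigs output
    cert_level: Optional[int]   # 1-3 from --ask-cert-level, None if not stated
    exportable: bool            # False for "L": an lsign that stays in this keyring
    revocable: bool             # False for "R" (nrsign)
    has_policy_url: bool
    has_notation: bool
    expired: bool
    trust_level: int            # tsign depth, 0 for an ordinary certification
    is_revocation: bool
    notations: Dict[str, str] = field(default_factory=dict)


@dataclass
class UserId:
    uid: str
    validity: str
    sigs: List[Signature] = field(default_factory=list)


@dataclass
class Key:
    fingerprint: str = ""
    uids: List[UserId] = field(default_factory=list)


def parse_listing(text: str) -> List[Key]:
    """Turn a --list-sigs listing into Key/UserId/Signature records.
    A "Signature notation:" line belongs to the signature printed just before it."""
    keys: List[Key] = []
    key = uid = sig = None
    for line in text.splitlines():
        if line.startswith(("pub ", "sec ")):
            key, uid, sig = Key(), None, None
            keys.append(key)
        elif key is not None and not key.fingerprint and (m := FPR_RE.match(line)):
            key.fingerprint = m["fpr"]
        elif key is not None and (m := UID_RE.match(line)):
            uid, sig = UserId(m["uid"].strip(), m["validity"].strip()), None
            key.uids.append(uid)
        elif uid is not None and (m := SIG_RE.match(line)):
            level, tsig = m["level"].strip(), m["tsig"].strip()
            sig = Signature(
                signer_keyid=m["keyid"], signer=m["signer"].strip(), date=m["date"],
                status=STATUS[m["status"]],
                cert_level=int(level) if level else None,
                exportable=m["local"] == " ", revocable=m["nonrev"] == " ",
                has_policy_url=m["policy"] == "P", has_notation=m["notation"] == "N",
                expired=m["expired"] == "X",
                trust_level=10 if tsig == "T" else int(tsig or 0),
                is_revocation=m["kind"] == "rev")
            uid.sigs.append(sig)
        elif sig is not None and (m := NOTATION_RE.match(line)):
            sig.notations[m["name"].strip()] = m["value"].strip()
    return keys


def third_party_certifications(keys: List[Key]) -> Dict[str, List[dict]]:
    """Per fingerprint: every certification on its user IDs not made by the key
    itself. The self-signature (sig 3 by the key's own ID) binds the uid to the
    key and is skipped; everything else is someone vouching for the uid."""
    report: Dict[str, List[dict]] = {}
    for key in keys:
        own_keyid = key.fingerprint[-16:]
        report[key.fingerprint] = [
            {"uid": u.uid, "signer": s.signer_keyid, "exportable": s.exportable,
             "revocable": s.revocable, "cert_level": s.cert_level,
             "trust_level": s.trust_level, "notations": dict(s.notations)}
            for u in key.uids for s in u.sigs if s.signer_keyid != own_keyid]
    return report


if __name__ == "__main__":
    for fpr, certs in third_party_certifications(parse_listing(SAMPLE_LISTING)).items():
        print(fpr)
        for c in certs:
            scope = "exportable" if c["exportable"] else "LOCAL ONLY (not exported)"
            print(f"  {c['uid']} certified by {c['signer']}: {scope}, notations={c['notations']}")
```

Run against the sample, the Test User 1 key reports exactly one third-party certification, by 5443DA92C37DC66F, marked non-exportable and carrying the `test-notation@kfwebs.net` notation; the Local CA key has none. Feeding real output in requires `--list-options show-notations` (otherwise the `N` flag is set but the notation text is absent) and, for the `status` field to mean anything, `--check-sigs` instead of `--list-sigs`.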