From 6df1a4ed916662dc35afbb3f0cd35c05616c0965 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andr=C3=A9=20Fabian=20Silva=20Delgado?=
Date: Wed, 4 Jun 2014 01:48:24 -0300
Subject: pacman-4.1.2-6.1: add secure options for gpg => https://lists.parabolagnulinux.org/pipermail/dev/2014-June/002219.html
---
 libre/pacman/gpg.conf | 50 ++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 50 insertions(+)
 create mode 100644 libre/pacman/gpg.conf
(limited to 'libre/pacman/gpg.conf')
diff --git a/libre/pacman/gpg.conf b/libre/pacman/gpg.conf
new file mode 100644
index 000000000..7fc6fc661
--- /dev/null
+++ b/libre/pacman/gpg.conf
@@ -0,0 +1,50 @@
+# pacman-key default options
+no-greeting
+no-permission-warning
+lock-never
+keyserver-options timeout=20
+
+# From duraconf
+# personal digest preferences
+personal-digest-preferences SHA512
+
+# message digest algorithm used when signing a key
+cert-digest-algo SHA512
+
+# Set the list of default preferences to string.
+# used for new keys and default for "setpref"
+default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
+
+# From
+# https://crabgrass.riseup.net/riseuplabs+paow/openpgp-best-practices
+# Only use secure keyservers
+keyserver hkps://hkps.pool.sks-keyservers.net
+keyserver-options ca-cert-file=~/.gnupg/sks-keyservers.netCA.pem
+keyserver-options no-honor-keyserver-url
+
+# when outputting certificates, view user IDs distinctly from keys:
+fixed-list-mode
+
+# short-keyids are trivially spoofed; it's easy to create a long-keyid
+# collision; if you care about strong key identifiers, you always want
+# to see the fingerprint:
+keyid-format 0xlong
+fingerprint
+
+# when multiple digests are supported by all recipients, choose the
+# strongest one:
+personal-digest-preferences SHA512 SHA384 SHA256 SHA224
+
+# If you use a graphical environment (and even if you don't)
+# you should be using an agent: (similar arguments as
+# https://www.debian-administration.org/users/dkg/weblog/64)
+use-agent
+
+# You should always know at a glance which User IDs gpg thinks are
+# legitimately bound to the keys in your keyring:
+verify-options show-uid-validity
+list-options show-uid-validity
+
+# include an unambiguous indicator of which key made a signature: (see
+# http://thread.gmane.org/gmane.mail.notmuch.general/3721/focus=7234)
+sig-notation issuer-fpr@notations.openpgp.fifthhorseman.net=%g
-- 
cgit v1.2.3-2-g168b
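Review bot: The hkps keyserver setup depends on a CA file that this commit does not ship: `keyserver-options ca-cert-file=~/.gnupg/sks-keyservers.netCA.pem` references a certificate under the invoking user's home, while the diffstat shows only gpg.conf being added, so on a fresh install the pool's certificate presumably cannot be verified and the `keyserver hkps://hkps.pool.sks-keyservers.net` line becomes unusable rather than more secure. Since pacman-key appears to run with its own keyring directory rather than a per-user `~/.gnupg`, the path also seems unlikely to resolve where the file would be placed; shipping the CA certificate in the package and pointing at it with an absolute path, e.g. `keyserver-options ca-cert-file=<PACMAN_GNUPG_HOMEDIR>/sks-keyservers.netCA.pem` (placeholder), would make the intent verifiable. Separately, `personal-digest-preferences` is set twice with different values (`SHA512` near the top, `SHA512 SHA384 SHA256 SHA224` further down); I believe the later occurrence wins, so the first should be dropped or the two merged to avoid a misleading config. Consider a short comment on the `no-permission-warning` and `lock-never` lines explaining why these safety checks are intentionally disabled for pacman-key, since a reader copying this file into a normal `~/.gnupg` would lose those warnings.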