===================
GnuPG Best Practice
===================

Key Verifications
=================

OpenPGPv4 Standard
------------------

The key packets should report version 4:

.. code-block:: bash

    gpg --export-options export-minimal --export KEY_ID | gpg --list-packets | grep version

Key Algorithm
-------------

RSA is recommended:

.. code-block:: bash

    gpg --export-options export-minimal --export KEY_ID | gpg --list-packets | grep -A2 '^:public key packet:$' | grep algo

Key Size
--------

RSA with 4096 bits is recommended:

.. code-block:: bash

    gpg --export-options export-minimal --export KEY_ID | gpg --list-packets | grep -A2 'public key' | grep 'pkey\[0\]:'

Self Signature
--------------

Self-signatures should not be made with MD5 (any output from this command means one is):

.. code-block:: bash

    gpg --export-options export-minimal --export KEY_ID | gpg --list-packets | grep -A2 'signature' | grep 'digest algo 1,'

Self-signatures should not be made with SHA1 (any output from this command means one is):

.. code-block:: bash

    gpg --export-options export-minimal --export KEY_ID | gpg --list-packets | grep -A2 'signature' | grep 'digest algo 2,'

Preferred digests
-----------------

The key should list SHA2 as its preferred digest:

.. code-block:: bash

    gpg --export-options export-minimal --export KEY_ID | gpg --list-packets | grep 'pref-hash-algos'

Expiration date
---------------

The key should have an expiration date:

.. code-block:: bash

    gpg --export-options export-minimal --export KEY_ID | gpg --list-packets | grep 'key expires after'
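The checks above combined into one pass over the ``gpg --list-packets`` output, as an added example that is not part of the original page. The function and sample names are hypothetical, the two packet dumps are constructed rather than taken from real keys, and reading "SHA2 preferred" as "the first ``pref-hash-algos`` entry is 8 to 11" is an assumption.

```shell
# Added example (not the page's code): one FAIL line per violated check, none if clean.
# Usage: gpg --export-options export-minimal --export KEY_ID | gpg --list-packets | audit_packets
audit_packets() {
  awk '
    /^:public key packet:/ { inpk = 1; next }  # primary key packet begins
    /^:/                   { inpk = 0 }         # any other packet ends it
    inpk && /version [0-9]+, algo [0-9]+/ {
      v = $0; sub(/.*version /, "", v); sub(/,.*/, "", v)
      a = $0; sub(/.*algo /, "", a); sub(/,.*/, "", a)
      if (v + 0 != 4) print "FAIL version " v
      if (a + 0 != 1) print "FAIL algo " a      # 1 = RSA
    }
    inpk && /pkey\[0\]:/ {
      b = $0; sub(/.*: \[/, "", b); sub(/ bits.*/, "", b)
      if (b + 0 < 4096) print "FAIL size " b
    }
    /digest algo [0-9]+,/ {                     # 1 = MD5, 2 = SHA1
      d = $0; sub(/.*digest algo /, "", d); sub(/,.*/, "", d)
      if (d + 0 == 1 || d + 0 == 2) print "FAIL digest algo " d
    }
    /pref-hash-algos:/ {   # assumption: SHA2 preferred = first entry is 8..11
      has_pref = 1; p = $0; sub(/.*pref-hash-algos: /, "", p)
      if (p + 0 < 8 || p + 0 > 11) print "FAIL pref-hash " (p + 0)
    }
    /key expires after/ { has_exp = 1 }
    END { if (!has_pref) print "FAIL pref-hash missing"
          if (!has_exp)  print "FAIL expiry missing" }'
}
# Constructed packet dumps (not real keys), trimmed to the lines the checks read.
sample_good() { cat <<'EOF'
:public key packet:
    version 4, algo 1, created 1400000000, expires 0
    pkey[0]: [4096 bits]
:signature packet: algo 1, keyid 0123456789ABCDEF
    digest algo 10, begin of digest 12 34
    hashed subpkt 9 len 4 (key expires after 2y0d0h0m)
    hashed subpkt 21 len 4 (pref-hash-algos: 10 9 8 11)
EOF
}
sample_weak() { cat <<'EOF'
:public key packet:
    version 4, algo 17, created 1100000000, expires 0
    pkey[0]: [1024 bits]
:signature packet: algo 17, keyid FEDCBA9876543210
    digest algo 2, begin of digest ab cd
    hashed subpkt 21 len 2 (pref-hash-algos: 2 8)
EOF
}
sample_weak | audit_packets   # demo run on the constructed weak dump
```

Like the page's own commands, the key algorithm and size checks look only at the primary key packet, while the digest check covers every signature packet in the minimal export.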