GnuPG 2.1 best practices review

[anarcat]

This is a meta-issue to regroup issues surrounding a formal review of the GnuPG best practices after the publication of the GnuPG 2.1 release, which includes some of the recommendations from the document.

• ca-cert-file option deprecated in GnuPG 2.1 #294 ca-cert-file option deprecated in GnuPG 2.1
• Use dirmngr in OpenPGP best practices #449 Use dirmngr in OpenPGP best practices
• GPG 2.1 use hkps by default #450 GPG 2.1 use hkps by default
• Note hopenpgp-tools broken with GnuPG >= 2.1 #447 Note hopenpgp-tools broken with GnuPG >= 2.1
• newer GnuPG releases generate revocation cert #452 newer GnuPG releases generate revocation cert
• update key splitting procedure for GnuPG 2.1 #453 update key splitting procedure for GnuPG 2.1
• mention elliptic curve algorithms in best practices guide #454 mention elliptic curve algorithms in best practices guide
• review default algorithms recommendations for GPG 2.1 #455 review default algorithms recommendations for GPG 2.1
• clarify that GPG doesn't store keys in pubring.kbx #456 clarify that GPG doesn't store keys in pubring.kbx
• link to the 2.1 review issue #457 link to the 2.1 review issue

[baldurmen]

Just wanted to drop a "thank you" for this thread of bug reports. i've encountered a few quirks with the migration to GPG and it's nice to know people are looking into it ;D

[wiktor-k]

Phew, I'm glad that I found this ticket.

I think the best practices guide should either target only modern GnuPG (>2.1) or be split into two - modern and legacy.

Currently it's hard to navigate and a lot of stuff is obsolete in modern gpg (keyserver-options no-honor-keyserver-url is used by default, new keys have 2y expiry automatically, keys are V4, stronger prefs are used by default, the key generation wizard do not ask about Comment)...

There is also stuff that I think is worth adding (for example setting up Web Key Directory on own domain allows easy and secure key discovery using e-mail addresses).

[anarcat]

pull requests are welcome! :)

[wiktor-k]

Excellent idea :)

[DamianRivas]

Hello, thank you for the wonderful guide! I was able to follow every part of the guide, but I'm failing to publish my key to a key server.

I believe this is because gnupg-curl doesn't seem to exist anymore. Are there any known alternatives? I'm on Ubuntu 18.04.

Another weird thing is that https://sks-keyservers.net/sks-keyservers.netCA.pem does not seem to download a file by default. What I did was I right-clicked that link and selected "Save Link As..." Then I was able to save a file called sks-keyservers.netCA.pem. Is this acceptable?

[kradan]

Hi @DamianRivas, thanks for the feedback! We can only help if we know what you tried in combination with the output of for example 'gpg --send-keys keyIDs'. Also this is not a good place to give user support, at best try the [gpg-users list](http://lists.gnupg.org/mailman/listinfo/gnupg-users) or the [webchat](https://webchat.freenode.net/?channels=#gnupg) for #gnupg.

I believe this is because `gnupg-curl` doesn't seem to exist anymore. Are there any known alternatives? I'm on Ubuntu 18.04.

See above, since version 2.1 gpg uses dirmngr to handle interactions with keyservers as explained in latest changes to the guide (#523).

Another weird thing is that https://sks-keyservers.net/sks-keyservers.netCA.pem does not seem to download a file by default. What I did was I right-clicked that link and selected "Save Link As..." Then I was able to save a file called `sks-keyservers.netCA.pem`. Is this acceptable?

Isn't this what you wanted? You are lucky, modern firefox shows a dialog to trust a new Certificate Authority when opening a .pem file instead. Sorry, I can't help you better without a clear error message.

[DamianRivas]

Hi @kradan! I actually just tried again and it worked for me this time. Perhaps I copied and pasted the fingerprint incorrectly the first time around. And yeah, the command was gpg --send-keys '<fingerprint>' from the publish section of the "Managing OpenPGP Keys" article.

It might be a good idea to explicitly state that dirmngr replaces gnupg-curl. I came across the guide because I'm totally new to encryption, and "Use dirmngr in OpenPGP best practices" didn't mean anything to me until now that I already know to look for that. Just my 2 cents if the goal here is to be welcoming to newbies.

The more I Google, the more it seems that most of the stuff in the riseup guide is deprecated. I realize this is stated in the beginning but considering the amount of information it contains I didn't expect so much to be outdated for newer versions. Although there seems to be some good gems in there like parcimonie.

I don't want to go on a huge tangent, so thanks for the reply and the resources! :)

[heitorPB]

I just added a new issue about the guide: #539