Source other configuration file in gpg.conf


Solution 1

GnuPG does not allow sourcing configuration files from within configuration files:

--options file
      Read options from file and do not try to read them from the default
      options file in the homedir (see --homedir). This option is ignored
      if used in an options file.

You can use the --options command line argument multiple times, though; so you might create an alias or wrapper script like this, loading a shared and a local configuration file:

gpg --options ~/.dotfiles/gnupg/gpg.conf --options ~/.gnupg/gpg.conf
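A wrapper script implementing this approach, as an added example (not code from the answer and not part of GnuPG). It assumes the same layout as the command above: the shared file lives in a synced dotfiles checkout at ~/.dotfiles/gnupg/gpg.conf and the per-host file at ~/.gnupg/gpg.conf; the REAL_GPG path, the environment-variable overrides and the ownership/permission check are this example's own additions. Because --options suppresses the default gpg.conf, the local file has to be passed explicitly, and it goes second so that host-specific settings such as default-key are read after the shared ones.

```shell
#!/bin/sh
# gpg wrapper: load the shared gpg.conf, then the per-host one.
# Added example; not the answer's code and not part of GnuPG.
# Install as ~/bin/gpg (earlier in PATH than the real binary) or call it
# from an alias. Paths and variable names below are assumptions.
#
# --options makes gpg skip the default ~/.gnupg/gpg.conf, so the per-host
# file has to be passed explicitly. The files are processed in the order
# given, so host-specific settings such as default-key belong in the second.

REAL_GPG="${REAL_GPG:-/usr/bin/gpg}"   # absolute path: the wrapper must never re-execute itself via PATH
SHARED_CONF="${GPG_SHARED_CONF:-$HOME/.dotfiles/gnupg/gpg.conf}"   # synced dotfiles (assumed location)
LOCAL_CONF="${GPG_LOCAL_CONF:-$HOME/.gnupg/gpg.conf}"               # per-host settings, e.g. default-key

# conf_is_safe FILE
# Succeeds only for a regular file owned by the caller that neither group nor
# world can write. Whoever can edit gpg.conf chooses your ciphers, keyservers
# and trust model, so a file other users can modify is refused.
conf_is_safe() {
    f=$1
    [ -f "$f" ] && [ -O "$f" ] || return 1
    # The first ten columns of ls -ld are the mode string, e.g. -rw-r--r--:
    # column 6 is the group write bit, column 9 the world write bit.
    case $(ls -ld "$f" | cut -c1-10) in
        ?????w????|????????w?) return 1 ;;
    esac
    return 0
}

# gpg_config_chain
# Prints the config files that will be loaded, one per line, in load order.
# The shared file is mandatory. A missing local file is skipped (a host with
# no customizations); a local file that fails the safety check is an error.
gpg_config_chain() {
    conf_is_safe "$SHARED_CONF" || {
        echo "gpg wrapper: refusing $SHARED_CONF (missing, not yours, or writable by others)" >&2
        return 1
    }
    printf '%s\n' "$SHARED_CONF"
    if [ -e "$LOCAL_CONF" ]; then
        conf_is_safe "$LOCAL_CONF" || {
            echo "gpg wrapper: refusing $LOCAL_CONF (not yours, or writable by others)" >&2
            return 1
        }
        printf '%s\n' "$LOCAL_CONF"
    fi
}

# run_gpg ARGS...
# Validates the chain, then replaces this process with the real gpg.
run_gpg() {
    gpg_config_chain >/dev/null || exit 1
    if [ -e "$LOCAL_CONF" ]; then
        exec "$REAL_GPG" --options "$SHARED_CONF" --options "$LOCAL_CONF" "$@"
    fi
    exec "$REAL_GPG" --options "$SHARED_CONF" "$@"
}

# Only dispatch when installed under the name gpg or gpg2, so the file can
# also be sourced for its functions without invoking gpg.
case ${0##*/} in
    gpg|gpg2) run_gpg "$@" ;;
esac
```

Programs that call gpg internally pick the wrapper up only if they resolve `gpg` through PATH; git, for instance, can be pointed at it explicitly with `git config --global gpg.program ~/bin/gpg`. Note that --options affects gpg only: gpg-agent and dirmngr keep reading their own configuration files in the home directory.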

Solution 2

Why not just make the gpg.conf file and then copy it to the second workstation? I cannot envision the settings needing to change (much). Note that your keys are stored separately.

You could store the gpg.conf file on a secure network file share both workstations could access and then reference it with the command below. While not recommended, it is possible. [If an attacker controlled gpg.conf they could try to downgrade you to old insecure DES encryption or many other undesirable things.]

gpg.conf
      This is the standard configuration file read by gpg2 on startup. It may contain any valid long option; the leading two dashes may not be entered and the option may not be abbreviated. This default name may be changed on the command line (see gpg-option --options). You should backup this file.

gpg2 --options [config file in non default location]

To change the default signing key:

--default-key name
      Use name as the default key to sign with. If this option is not used, the default key is the first key found in the secret keyring. Note that -u or --local-user overrides this option.

Sample gpg.conf file designed with high security in mind (you may need to remove the Tor features if you don't use Tor). duraconf: https://github.com/ioerror/duraconf/blob/master/configs/gnupg/gpg.conf

Discussion of increasing gpg.conf security

GPG Config File and command line options


Author: languitar

PhD in software engineering for robotics. Currently working as a data engineer and software architect.

Updated on September 18, 2022

Comments

  • languitar
    languitar almost 2 years

    Is there any way to source a secondary configuration file inside the usual gpg.conf?

    I'd like to share a set of common configuration options across different workstations but I also need several local customizations.

  • languitar
    languitar almost 9 years
    I don't want a copy because I want ongoing changes which I make (e.g. for security settings) to be available on all hosts. But, e.g., the primary key IDs differ on the workstations due to separate contexts I am working in.
  • StackAbstraction
    StackAbstraction almost 9 years
    The primary key is by default the first public secret key pair and therefore does not need to be setup in gpg.conf
  • languitar
    languitar almost 9 years
    What do you mean by "first"? Is there any ordering of keys that I can change in my keyring assuming I have multiple secret keys?
  • StackAbstraction
    StackAbstraction almost 9 years
    --default-key name: Use name as the default key to sign with. If this option is not used, the default key is the first key found in the secret keyring. Note that -u or --local-user overrides this option. gnupg.org/documentation/manuals/gnupg/…
  • languitar
    languitar almost 9 years
    But that is exactly the option I want to set per computer in my config. The help text does not explain what first means and since I have multiple private keys, I need to specify which one I want to use on which computer.
  • StackAbstraction
    StackAbstraction almost 9 years
    First is the earliest created secret key by date and time. I think you are overthinking this concern. Just copy the same gpg.conf and change the default key in the config file once. Done. If you really want, specify the key in your command line operations.
  • languitar
    languitar almost 9 years
    Sorry, but this does not answer the question. I want to share the configuration file for good reasons. I am working on many computers and I do not want to manually synchronize changes apart from the primary key. I would most likely forget one of the computers. Specifying the key via the command line will not easily work for programs which internally use gpg.
  • StackAbstraction
    StackAbstraction almost 9 years
    Then build the gpg.conf file in a user startup script, i.e. take base-gpg.conf (without default key settings) and add default-key.conf to it, storing the result as gpg.conf. Much simpler would be to just call gpg with --default-key <keyid> in addition to the other command you are running.
  • languitar
    languitar almost 9 years
    That would work, but not directly with homeshick, which I use to manage dotfiles.