There are a few configuration files needed for the operation of the agent. By default they may all be found in the current home directory (see option –homedir).
SIGHUPhowever only a few options will actually have an effect. This default name may be changed on the command line (see option –options).
S. Colons may optionally be used to separate the bytes of a fingerprint; this allows to cut and paste the fingerprint from a key listing output.
Here is an example where two keys are marked as ultimately trusted:
# CN=Wurzel ZS 3,O=Intevation GmbH,C=DE A6935DD34EF3087973C706FC311AA2CCF733765B S # CN=PCA-1-Verwaltung-02/O=PKI-1-Verwaltung/C=DE DC:BD:69:25:48:BD:BB:7E:31:6E:BB:80:D3:00:80:35:D4:F8:A6:CD S
Before entering a key into this file, you need to ensure its authenticity. How to do this depends on your organisation; your administrator might have already entered those keys which are deemed trustworthy enough into this file. Places where to look for the fingerprint of a root certificate are letters received from the CA or the website of the CA (after making 100% sure that this is indeed the website of that CA). You may want to consider allowing interactive updates of this file by using the See option –allow-mark-trusted. This is however not as secure as maintaining this file manually. It is even advisable to change the permissions to read-only so that this file can't be changed inadvertently.
As a special feature a line
include-default will include a global
list of trusted certificates (e.g. /etc/gnupg/trustlist.txt).
This global list is also used if the local list is not available.
It is possible to add further flags after the
S for use by the
!to disable this entry.
The following example lists exactly one key. Note that keys available through a OpenPGP smartcard in the active smartcard reader are implicitly added to this list; i.e. there is no need to list them.
# Key added on 2005-02-25 15:08:29 5A6592BF45DC73BD876874A28FD4639282E29B52 0
Note that on larger installations, it is useful to put predefined files into the directory /etc/skel/.gnupg/ so that newly created users start up with a working configuration. For existing users the a small helper script is provided to create these files (see addgnupghome).