GnuPG (GPG) for macOS

gpg-agent.conf

# Script: setup-gpg-git-macos.sh
# Author: zx0r
# Date: 2025-01-30
# Description: This script installs and configures GnuPG (GPG) for macOS, sets up Git to use GPG for signing commits,
#              and ensures security settings are applied. It also auto-detects the user's shell, configures VSCode/VSCodium
#              to use GPG for commits, and sets up a launch agent for gpg-agent.

# Set cache times for normal and SSH keys (in seconds)
default-cache-ttl 3600
max-cache-ttl 7200
default-cache-ttl-ssh 3600
max-cache-ttl-ssh 7200

# Enable SSH support
enable-ssh-support

# Set pinentry program for macOS
pinentry-program /usr/local/bin/pinentry-mac

# Set TTY
ttyname $GPG_TTY

# Write environment file
write-env-file ~/.gnupg/gpg-agent.env

# Keyboard control settings
no-grab

# Allow preset passphrases
allow-preset-passphrase

# Enable loopback for better integration
allow-loopback-pinentry

# Set longer key grace period
ignore-cache-for-signing

gpg.conf

# Script: setup-gpg-git-macos.sh
# Author: zx0r
# Date: 2025-01-30
# Description: This script installs and configures GnuPG (GPG) for macOS, sets up Git to use GPG for signing commits,
#              and ensures security settings are applied. It also auto-detects the user's shell, configures VSCode/VSCodium
#              to use GPG for commits, and sets up a launch agent for gpg-agent.

# ┌───────────────────────────────────────────────────────────────────────────┐
# │ Setting defaults                                                          │
# └───────────────────────────────────────────────────────────────────────────┘

# Default/trusted key ID to use (helpful with throw-keyids)
# $ gpg --list-secret-keys --with-keygrip --with-colons | grep '^sec:' | awk -F: '{print $5}'
default-key <YOUR-KEY>

# Automatically encrypt replies to encrypted messages to yourself as well
default-recipient-self

# UTF-8 support for compatibility
charset utf-8

# when outputting certificates, view user IDs distinctly from keys:
fixed-list-mode

# Use the GPG agent for passphrase caching
use-agent

# Disable recipient key ID in messages
throw-keyids

# default-preference-list SHA512 SHA384 SHA256 AES256 AES192 AES ZLIB BZIP2 ZIP Uncompressed
armor

# include an unambiguous indicator of which key made a signature:
# (see http://thread.gmane.org/gmane.mail.notmuch.general/3721/focus=7234)
# (and http://www.ietf.org/mail-archive/web/openpgp/current/msg00405.html)
# sig-notation [email protected]=%g

# ┌───────────────────────────────────────────────────────────────────────────┐
# │ Algorithms & Ciphers                                                      │
# └───────────────────────────────────────────────────────────────────────────┘

# SHA512 as digest to sign keys
cert-digest-algo SHA512

# SHA512 as digest for symmetric ops
s2k-digest-algo SHA512

# AES256 as cipher for symmetric ops
s2k-cipher-algo AES256

# Set default key generation algorithm to RSA with 4096-bit length [strong protection]
default-new-key-algo rsa4096

# Use AES256, 192, or 128 as cipher
personal-cipher-preferences AES256 AES192 AES

# Use SHA512, 384, or 256 as digest
personal-digest-preferences SHA512 SHA384 SHA256

# Use ZLIB, BZIP2, ZIP, or no compression
personal-compress-preferences ZLIB BZIP2 ZIP Uncompressed

# Default preferences for new keys
default-preference-list SHA512 SHA384 SHA256 AES256 AES192 AES ZLIB BZIP2 ZIP Uncompressed

# ┌───────────────────────────────────────────────────────────────────────────┐
# │ Behavior of GnuPG                                                         │
# └───────────────────────────────────────────────────────────────────────────┘

# Repair legacy PGP subkey bug during import
import-options repair-pks-subkey-bug

# Remove all signatures from imported keys that are not usable
import-options import-clean

# Remove all non-exportable signatures during export
export-options export-clean

# Display Options
# Show validity of user IDs during key listings
list-options show-uid-validity

# Show validity of user IDs during signature verification
verify-options show-uid-validity

# Show Unix timestamps
fixed-list-mode

# Disable caching of passphrase for symmetrical ops
no-symkey-cache

# Disable banner Interface Options
no-greeting

# No comments on signatures
no-comments

# No version in signatures
no-emit-version

# Show unix timestamps
fixed-list-mode

# Long hexadecimal key format
keyid-format 0xlong

# Display fingerprint
with-fingerprint

# Disable caching of passphrasae for symmetrical encryption
no-symkey-cache

# Disable recipient key ID in messages
# throw-keyids
trust-model always

# Skip time conflict warnings during signature verification
# This is useful when system clock differences might cause issues
ignore-time-conflict

# Ensure cross-certification on signing subkeys
# This enhances security by requiring signatures between primary and subkeys
require-cross-certification

# Commented out: Allow non-standard UIDs during key generation
# Enabling this would allow creation of UIDs without email addresses
# allow-freeform-uid

# Display all keys and their fingerprints
with-fingerprint

# Display key origins and updates
#with-key-origin

# Cross-certify subkeys are present and valid
require-cross-certification

# no-tty
# pinentry-mode loopback

# ┌───────────────────────────────────────────────────────────────────────────┐
# │ Keyring & Keyserver                                                       │
# └───────────────────────────────────────────────────────────────────────────┘

# Disable the use of the default public and secret keyrings
# This allows explicit specification of which keyrings to use
no-default-keyring

# Keyring Options
# Specify the primary public keyring
# keyring           ~/.gnupg/pubring.kbx
# trustdb-name      ~/.gnupg/trustdb.gpg
# primary-keyring   ~/.gnupg/pubring.kbx

# Automatically retrieve missing keys from keyserver when verifying signatures
# This makes signature verification more seamless by fetching required keys
auto-key-retrieve

# Keyserver Options
# Don't add additional comments in downloaded certificates
keyserver-options no-include-attributes

# Honor the preferred keyserver URL from the key
keyserver-options honor-keyserver-url

# Do not include key signatures from keyserver responses
keyserver-options no-include-revoked

# Include subkeys when downloading keys from keyserver
keyserver-options include-subkeys

# Automatically fetch keys from keyserver when verifying signatures
keyserver-options auto-key-retrieve

# Include revoked keys in search results
keyserver-options include-revoked

# Number of seconds to wait for a keyserver response
keyserver-options timeout=10

# Default keyserver to use
keyserver hkps://keys.openpgp.org
keyserver hkp://zkaan2xfbuxia2wpf7ofnkbz6r5zdbbvxbunvp5g2iebopbfc4iqmbad.onion

# keyserver hkp://pgp.mit.edu
# keyserver hkp://pool.sks-keyservers.net
# keyserver hkp://keys.gnupg.net
# keyserver hkps://keyserver.ubuntu.com
# keyserver hkps://pgp.mit.edu
# keyserver hkp://keyoxide.org
# keyserver hkp://na.pool.sks-keyservers.net
# keyserver https://sks-keyservers.net/status/
# keyserver hkp://keyserver.ubuntu.com
# keyserver hkp://keybase.io
# keyserver hkp://keyserver.undergrid.net
# keyserver hkp://keyring.debian.org
# keyserver hkp://hkps.pool.sks-keyservers.net

# Define a keygroup named 'purse_keygroup'
# This allows you to refer to multiple keys as a single group
# group purse_keygroup = 0xFF123456 0xABCDEF01 0x12345678

org.gnupg.gpg-agent.plist

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>Label</key>
    <string>org.gnupg.gpg-agent</string>
    <key>ProgramArguments</key>
    <array>
      <string>$HOME/.local/bin/start-gpg-agent.sh</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    <key>KeepAlive</key>
    <true/>
    <key>StandardErrorPath</key>
    <string>~/.gnupg/gpg-agent.log</string>
    <key>StandardOutPath</key>
    <string>~/.gnupg/gpg-agent.log</string>
</plist>

sshcontrol

# Using a PGP key for SSH authentication 

# List of allowed ssh keys.  Only keys present in this file are used
# in the SSH protocol.  The ssh-add tool may add new entries to this
# file to enable them; you may also add them manually.  Comment
# lines, like this one, as well as empty lines are ignored.  Lines do
# have a certain length limit but this is not serious limitation as
# the format of the entries is fixed and checked by gpg-agent. A
# non-comment line starts with optional white spaces, followed by the
# keygrip of the key given as 40 hex digits, optionally followed by a
# caching TTL in seconds, and another optional field for arbitrary
# flags.   Prepend the keygrip with an '!' mark to disable it.

# gpg --list-keys --with-keygrip | awk '/^sub/{p=1;next} /Keygrip/{if(p){print $3;p=0}}' >> $HOME/.gnupg/sshcontrol
FF8852FA7D6ED25CF4169132698BBA5536A68134

startup-gpg-agent.sh

#!/usr/bin/env bash

# The configuration will keep your GPG agent running smoothly across all applications!
if [ -f $HOME/.gnupg/.gpg-agent-info ] && [ -n "$(pgrep gpg-agent)" ]; then
    source $HOME/.gnupg/.gpg-agent-info
    export GPG_AGENT_INFO
else
    eval $(gpg-agent --daemon --write-env-file $HOME/.gnupg/.gpg-agent-info)
fi

# This line is important for GUI tools to also find it
launchctl setenv GPG_AGENT_INFO $GPG_AGENT_INFO