For now I'm just interested in adjusting some security defaults.
Whenever possible I'll be relying on Seahorse for the dirty work.
Maybe because I'm lazy or because I don't want details at this moment.
The key adjustment that's highly recommended is the replacement of SHA-1.
Until the advent of SHA-3, it's recommended to use SHA-256 or SHA-512.
As noted here, don't create new RSA keys smaller than 4096 bits either.
In Solaris, GNUPG is delivered by the following IPS package:
$ pkg info -r gnupg
Name: crypto/gnupg
Summary: GNU Privacy Guard
Description: ... OpenPGP Standard as defined by RFC4880.
Category: Applications/System Utilities
State: Installed
Publisher: solaris
Version: 2.0.17
Build Release: 5.11
Branch: 0.175.1.0.0.24.0
Packaging Date: September 4, 2012 05:06:14 PM
Size: 7.98 MB
FMRI: pkg://solaris/crypto/gnupg@...
The fundamental CLI programs are:
- gpg2 (documented in GPG2(1))
- gpgconf (documented in GPGCONF(1))
- gpg-zip (documented in GPG-ZIP(1))
The configuration files are "two level" (local and global).
The local settings override the global settings.
By the way, this is quite traditional in Unix.
They are:
- .gnupg/gpg.conf
- /etc/gnupg/gpgconf.conf (doesn't exist by default)
Finally, to achieve what I need, according to The Apache Software Foundation the following adjustments are required to avoid the SHA-1 weakness:
$ tail .gnupg/gpg.conf
...
#
# Setting Defaults
#
personal-digest-preferences SHA512
cert-digest-algo SHA512
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
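As an added example (my own script, not from the original post, from GnuPG or from the Apache guide), here is a small shell audit that checks two things the post asks for: that a gpg.conf actually carries the three digest settings above with a SHA-2 algorithm, and that no RSA key in a `gpg --list-keys --with-colons` listing is shorter than 4096 bits. It works on text only, so it runs without gpg installed; the sample config files and the three-line key listing are constructed here to exercise both the failing and the passing case, and the key IDs in them are made up. The colon-separated field positions (field 3 = key length, field 4 = algorithm id, 1 = RSA, field 5 = key id) are the documented `--with-colons` layout.

```shell
#!/bin/sh
# Added example, not part of the original post: audit gpg.conf for the
# SHA-1-avoiding digest settings and key listings for RSA keys < 4096 bits.

# check_gpg_conf FILE: one line per setting; returns 0 only when
# personal-digest-preferences and cert-digest-algo name a SHA-2 digest and
# default-preference-list puts a SHA-2 digest first.
check_gpg_conf() {
    conf="$1"
    status=0
    # Drop comments and blank lines before matching option names.
    clean=$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$conf")
    for opt in personal-digest-preferences cert-digest-algo; do
        val=$(printf '%s\n' "$clean" | awk -v o="$opt" '$1==o {print $2}' | tail -n 1)
        case "$val" in
            SHA256|SHA384|SHA512) echo "OK   $opt $val" ;;
            "")   echo "MISS $opt not set (gpg falls back to SHA-1)"; status=1 ;;
            *)    echo "WEAK $opt $val"; status=1 ;;
        esac
    done
    # Only the first entry matters: it is the most preferred digest.
    first=$(printf '%s\n' "$clean" | awk '$1=="default-preference-list" {print $2}' | tail -n 1)
    case "$first" in
        SHA256|SHA384|SHA512) echo "OK   default-preference-list starts with $first" ;;
        *) echo "MISS default-preference-list does not start with a SHA-2 digest"; status=1 ;;
    esac
    return $status
}

# check_key_sizes FILE: FILE holds `gpg --list-keys --with-colons` output.
# Flags RSA (algorithm id 1) primary and sub keys under 4096 bits; returns 1
# if any were flagged, 0 otherwise.
check_key_sizes() {
    awk -F: '
        ($1=="pub" || $1=="sub") && $4==1 && $3+0 < 4096 {
            printf "WEAK %s %s RSA-%s\n", $1, $5, $3; weak++; next
        }
        $1=="pub" || $1=="sub" {
            printf "OK   %s %s algo=%s bits=%s\n", $1, $5, $4, $3
        }
        END { if (weak > 0) exit 1; exit 0 }
    ' "$1"
}

# Constructed sample inputs (made-up key IDs), written to a temp dir.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/weak.conf" <<'EOF'
# constructed sample: stock config with no digest preferences at all
keyserver hkp://keys.example.invalid
EOF
cat > "$SAMPLE_DIR/hardened.conf" <<'EOF'
# constructed sample: the settings recommended in the post
personal-digest-preferences SHA512
cert-digest-algo SHA512
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
EOF
cat > "$SAMPLE_DIR/keys.txt" <<'EOF'
pub:u:2048:1:0123456789ABCDEF:1349000000:::u:::scESC:
sub:u:2048:1:FEDCBA9876543210:1349000000::::::e:
pub:u:4096:1:00000000DEADBEEF:1349000000:::u:::scESC:
EOF

for f in weak hardened; do
    echo "== $f.conf"
    check_gpg_conf "$SAMPLE_DIR/$f.conf" || echo "-> $f.conf needs attention"
done
echo "== key listing"
check_key_sizes "$SAMPLE_DIR/keys.txt" || echo "-> RSA keys below 4096 bits present"
```

To run it against a real system, point `check_gpg_conf` at `~/.gnupg/gpg.conf` (and `/etc/gnupg/gpgconf.conf` if it exists, since the local file wins) and feed `check_key_sizes` the output of `gpg2 --list-keys --with-colons`. Only the first entry of `default-preference-list` is checked because GnuPG treats that list as ordered by preference.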