For a number of reasons GnuPG's out-of-the-box configuration is not the best one. Below are the recommendations I personally follow.
To use the HKPS keyserver pool hkps.pool.sks-keyservers.net, the pool's CA certificate must be available locally:
# curl -L https://sks-keyservers.net/sks-keyservers.netCA.pem | install --owner=root --group=root --mode=0644 /dev/stdin /usr/local/etc/ssl/sks-keyservers.netCA.pem
$ openssl x509 -in /usr/local/etc/ssl/sks-keyservers.netCA.pem -noout -fingerprint
SHA1 Fingerprint=79:1B:27:A3:8E:66:7F:80:27:81:4D:4E:68:E7:C4:78:A4:5D:5A:17
Compare the fingerprint with the one published on their web page (it must match exactly), and do it before trusting the file for anything, since the download itself only protects against a passive network attacker: SKS Keyservers: Verify SSL/TLS certificate
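The manual "compare the fingerprint" step above is easy to skip under time pressure. The following script is an added example of my own (not from the original post) that fails closed: it downloads the certificate to a temporary file, computes its fingerprint, and only installs it when the value matches one pinned in the script. It assumes curl, openssl and GNU install are present; the pinned value is the SHA-1 fingerprint quoted above and must still be checked against the SKS web page whenever it is updated.

```shell
#!/bin/sh
# Added example: install the SKS pool CA only if its fingerprint matches a pinned value.
# Assumptions: curl, openssl and GNU coreutils `install` are available; the pinned
# value below is the SHA-1 fingerprint quoted in the post and should be re-verified
# against the SKS web page before use.
PINNED_SHA1='79:1B:27:A3:8E:66:7F:80:27:81:4D:4E:68:E7:C4:78:A4:5D:5A:17'
CA_URL='https://sks-keyservers.net/sks-keyservers.netCA.pem'
CA_DEST='/usr/local/etc/ssl/sks-keyservers.netCA.pem'

# Normalise an `openssl x509 -fingerprint` line (or a bare fingerprint) to
# upper-case hex without the "SHA1 Fingerprint=" label, colons or whitespace,
# so that formatting differences never cause a false mismatch.
normalize_fpr() {
    printf '%s' "$1" | sed 's/^.*=//' | tr -d ' :\t\r\n' | tr '[:lower:]' '[:upper:]'
}

# Exit status 0 when the two fingerprints are equal after normalisation, 1 otherwise.
fingerprint_matches() {
    [ "$(normalize_fpr "$1")" = "$(normalize_fpr "$2")" ]
}

# Download to a temporary file, verify, then install; nothing is written to
# CA_DEST unless the fingerprint check passed.
install_pinned_ca() {
    tmp=$(mktemp) || return 1
    if ! curl -fsSL "$CA_URL" -o "$tmp"; then
        echo "download of $CA_URL failed" >&2
        rm -f "$tmp"
        return 1
    fi
    actual=$(openssl x509 -in "$tmp" -noout -fingerprint -sha1)
    if fingerprint_matches "$actual" "$PINNED_SHA1"; then
        install --owner=root --group=root --mode=0644 "$tmp" "$CA_DEST"
        rc=$?
    else
        echo "fingerprint mismatch, not installing: $actual" >&2
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# Only touch the network and the filesystem when explicitly asked, so the
# functions above can be sourced and tested on their own.
if [ "${1:-}" = "--install" ]; then
    install_pinned_ca
fi
```

Run it as root with `--install`; on a mismatch it exits non-zero and leaves the existing certificate untouched, which is the behaviour you want from anything that runs unattended.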
Install the configuration skeleton:
# cat > /usr/share/gnupg/options.skel <<"EOF"
use-agent
cipher-algo aes
cert-digest-algo SHA512
keyid-format 0xlong
with-fingerprint
require-cross-certification
keyserver hkps://hkps.pool.sks-keyservers.net
keyserver-options no-honor-keyserver-url
keyserver-options no-auto-key-retrieve
keyserver-options check-cert,ca-cert-file=/usr/local/etc/ssl/sks-keyservers.netCA.pem
EOF
Distribute this configuration to users who already have a home directory: it belongs in each user's ~/.gnupg/gpg.conf, and in /etc/skel/.gnupg/gpg.conf so that newly created accounts pick it up. Note that cipher-algo overrides the recipient's key preferences instead of negotiating from them, so keep it in mind if someone reports they cannot decrypt what you send.
Note that the gnupg package overwrites /usr/share/gnupg/options.skel on upgrade. dpkg-statoverride cannot protect the file's contents, only its owner and mode, but pinning the mode to 0 keeps the file unreadable by ordinary users, so gpg can no longer seed a fresh ~/.gnupg from an upgraded packaged default (root, and therefore apt-key below, can still read it):
# dpkg-statoverride --update --add root root 0 /usr/share/gnupg/options.skel
GnuPG 1.x does not support HKPS on its own; an additional package is required for it:
# apt-get install gnupg-curl
apt-key passes --no-options to gpg by default, so give it --options=/usr/share/gnupg/options.skel explicitly when receiving or refreshing keys in its database:
# apt-key adv --options=/usr/share/gnupg/options.skel --refresh
When the key expires (which it should, periodically):
$ gpg --edit ygrex@ygrex.ru
gpg> expire
Key is valid for? (0) 6m
Is this correct? (y/N) y
gpg> key 1
gpg> expire
Key is valid for? (0) 6m
Is this correct? (y/N) y
gpg> save
$ gpg --with-colons --list-keys ygrex@ygrex.ru | grep ^fpr
fpr:::::::::3B1FD0B97D298E0AAA1D15C489C4F9311C97F47F:
$ gpg --send-keys 3B1FD0B97D298E0AAA1D15C489C4F9311C97F47F
The first expire applies to the primary key; key 1 then selects the first subkey so that the second expire extends it as well, otherwise the subkey keeps its old expiry date. Put this sequence of commands into the calendar event that reminds you to update your personal key.
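A calendar entry only helps if you remember to create it. As an added example of my own (not from the original post), the script below reads the same --with-colons output used above and reports the primary fingerprint for --send-keys together with every key or subkey that expires within a given number of days. It assumes GnuPG 2.x-style colon output, where field 7 of a pub/sub record is the expiry as seconds since the epoch; the ISO-style dates some versions print are skipped rather than misparsed. The sample listing, its key IDs and dates are constructed, not real key data.

```shell
#!/bin/sh
# Added example: find expiring keys in `gpg --with-colons --list-keys` output.
# Assumptions: GnuPG 2.x colon format (field 7 of pub/sub = expiry epoch seconds);
# the listing below is constructed sample data, not a real key.
SAMPLE_LISTING='tru::1:1700000000:0:3:1:5
pub:u:4096:1:89C4F9311C97F47F:1690000000:1705000000::u:::scESC::::::23::0:
fpr:::::::::3B1FD0B97D298E0AAA1D15C489C4F9311C97F47F:
uid:u::::1690000000::0123456789ABCDEF0123456789ABCDEF01234567::Example User <user@example.org>::::::::::0:
sub:u:4096:1:0123456789ABCDEF:1690000000:1703000000:::::e::::::23:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:'

# Print the primary key fingerprint: field 10 of the first fpr record,
# exactly what --send-keys wants.
primary_fpr() {
    printf '%s\n' "$1" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Usage: expiring_keys LISTING NOW_EPOCH WITHIN_DAYS
# Print "pub|sub KEYID DAYS_LEFT" for each key whose expiry is at most
# WITHIN_DAYS away from NOW_EPOCH (already expired keys show a negative or
# zero count). Records whose expiry field is empty or not an epoch are skipped.
expiring_keys() {
    printf '%s\n' "$1" | awk -F: -v now="$2" -v within="$3" '
        ($1 == "pub" || $1 == "sub") && $7 ~ /^[0-9]+$/ {
            left = int(($7 - now) / 86400)
            if (left <= within) print $1, $5, left
        }'
}

# With GPG_UID set, inspect a real key in the local keyring; otherwise run on
# the constructed sample with a fixed "now" so the output is reproducible.
if [ -n "${GPG_UID:-}" ]; then
    listing=$(gpg --with-colons --list-keys "$GPG_UID")
    echo "fingerprint for --send-keys: $(primary_fpr "$listing")"
    expiring_keys "$listing" "$(date +%s)" 30
else
    echo "fingerprint for --send-keys: $(primary_fpr "$SAMPLE_LISTING")"
    expiring_keys "$SAMPLE_LISTING" 1702000000 30
fi
```

Running it from cron with GPG_UID set and a non-empty output mailed to you is a reminder that fires whether or not the calendar entry was ever created; the threshold of 30 days leaves time to refresh and push the key before the expiry actually bites.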