Notes on GPG
I will use my FreeBSD VM under QEMU as a sandbox, but this could easily be replicated on many other systems.
Install:
# pkg install gnupg
Import, (don’t) trust, verify:
Let’s import binaryfate’s public key from the Monero gpg keys:
% gpg --import binaryfate.asc
gpg: key F0AF4D462A0BDF92: 2 signatures not checked due to missing keys
gpg: key F0AF4D462A0BDF92: public key "binaryFate <binaryfate@getmonero.org>" imported
gpg: Total number processed: 1
gpg: imported: 1
Now I can see it in my keyring:
% gpg -k
[keyboxd]
---------
pub rsa4096 2019-12-12 [SCEA]
81AC591FE9C4B65C5806AFC3F0AF4D462A0BDF92
uid [ unknown] binaryFate <binaryfate@getmonero.org>
sub rsa4096 2019-12-12 [SEA]
Since this key appears in the official repository I would assume it is legitimate, so I could trust it marginally:
% gpg --edit-key 81AC591FE9C4B65C5806AFC3F0AF4D462A0BDF92
gpg (GnuPG) 2.4.9; Copyright (C) 2025 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
pub rsa4096/F0AF4D462A0BDF92
created: 2019-12-12 expires: never usage: SCEA
trust: unknown validity: unknown
sub rsa4096/2593838EABB1F655
created: 2019-12-12 expires: never usage: SEA
[ unknown] (1). binaryFate <binaryfate@getmonero.org>
gpg> trust
pub rsa4096/F0AF4D462A0BDF92
created: 2019-12-12 expires: never usage: SCEA
trust: unknown validity: unknown
sub rsa4096/2593838EABB1F655
created: 2019-12-12 expires: never usage: SEA
[ unknown] (1). binaryFate <binaryfate@getmonero.org>
Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)
1 = I don't know or won't say
2 = I do NOT trust
3 = I trust marginally
4 = I trust fully
5 = I trust ultimately
m = back to the main menu
Your decision? 3
pub rsa4096/F0AF4D462A0BDF92
created: 2019-12-12 expires: never usage: SCEA
trust: marginal validity: unknown
sub rsa4096/2593838EABB1F655
created: 2019-12-12 expires: never usage: SEA
[ unknown] (1). binaryFate <binaryfate@getmonero.org>
Please note that the shown key validity is not necessarily correct
unless you restart the program.
gpg> save
Key not changed so no update needed.
Now I can verify files signed by binaryfate. Note that the ownertrust set above only says how far I trust binaryfate to certify other people's keys; it does not make this key valid, which is why the signature below is still reported as [unknown] with a warning:
% curl -O https://www.getmonero.org/downloads/hashes.txt
% gpg --verify hashes.txt
gpg: Signature made Tue Mar 10 04:08:37 2026 UTC
gpg: using RSA key 81AC591FE9C4B65C5806AFC3F0AF4D462A0BDF92
gpg: checking the trustdb
gpg: no ultimately trusted keys found
gpg: Good signature from "binaryFate <binaryfate@getmonero.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 81AC 591F E9C4 B65C 5806 AFC3 F0AF 4D46 2A0B DF92
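As an added example (not from the original post), the following POSIX shell script turns that warning into a hard check: it pins binaryfate's fingerprint from above and accepts a file only if gpg's machine-readable --status-fd output reports a VALIDSIG made by that key, or by a subkey whose primary key fingerprint matches (the VALIDSIG field layout is GnuPG's documented status format; BADSIG, ERRSIG or no signature at all fails).

```shell
#!/bin/sh
# Added example: pin the signer's fingerprint instead of eyeballing
# "Good signature ... [unknown]". Fingerprint taken from the post.
EXPECTED_FPR="81AC591FE9C4B65C5806AFC3F0AF4D462A0BDF92"

# check_status EXPECTED_FPR
# Reads "[GNUPG:] ..." status lines on stdin. Returns 0 only if a
# VALIDSIG line was made by the pinned key, or by a subkey whose
# primary key fingerprint (last field of VALIDSIG) is the pinned one.
check_status() {
  expected="$1"
  found=1
  while IFS= read -r line; do
    case "$line" in
      "[GNUPG:] VALIDSIG "*)
        rest=${line#"[GNUPG:] VALIDSIG "}
        fpr=${rest%% *}        # field 1 after VALIDSIG: key that signed
        primary=${line##* }    # last field: primary key fingerprint
        if [ "$fpr" = "$expected" ] || [ "$primary" = "$expected" ]; then
          found=0
        fi
        ;;
      "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*)
        return 1               # bad or unverifiable signature: stop here
        ;;
    esac
  done
  return $found
}

# verify_pinned FILE
# FILE is an inline/clearsigned file such as hashes.txt from the post.
# Status goes to stdout (fd 1) for parsing; human-readable text stays on stderr.
verify_pinned() {
  gpg --batch --status-fd 1 --verify "$1" | check_status "$EXPECTED_FPR"
}

# Usage: sh verify_pinned.sh hashes.txt
if [ $# -gt 0 ]; then
  if verify_pinned "$1"; then
    echo "OK: signed by pinned key $EXPECTED_FPR"
  else
    echo "FAIL: not signed by pinned key" >&2
    exit 1
  fi
fi
```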
Create, subkeys, export:
When creating a new key, setting an expiration date is good practice in case you lose control of the private key; the date can be extended later.
% gpg --full-gen-key
...
...
% gpg -k
[keyboxd]
---------
pub rsa4096 2019-12-12 [SCEA]
81AC591FE9C4B65C5806AFC3F0AF4D462A0BDF92
uid [ unknown] binaryFate <binaryfate@getmonero.org>
sub rsa4096 2019-12-12 [SEA]
pub ed25519 2026-03-25 [SC] [expires: 2027-03-25]
88C3FFF231B6B9FB7E956CD0164B4A8F9B37843E
uid [ unknown] tuco <tuco@astrek.net>
sub cv25519 2026-03-25 [E] [expires: 2027-03-25]
GnuPG created a primary key pair with [S]igning and [C]ertification capabilities, plus a subkey for [E]ncryption. To increase security I could use only subkeys on the host and keep the master key on the VM or, even better, offline. Let’s create a [S]igning subkey and save it:
% gpg --edit-key 88C3FFF231B6B9FB7E956CD0164B4A8F9B37843E
gpg> addkey
...
gpg> save
Now I can export the keys and copy them to the host over ssh for import. First the public key:
% gpg --output tuco_pub.gpg --export 88C3FFF231B6B9FB7E956CD0164B4A8F9B37843E
then the subkeys:
% gpg --output tuco_secsub.gpg --export-secret-subkeys 88C3FFF231B6B9FB7E956CD0164B4A8F9B37843E
Sign, encrypt, decrypt:
% gpg --encrypt --sign --recipient 'user ID' <file>
% gpg --output <file> --decrypt <encrypted-and-signed file>