0x61nas · May 5, 2024 00:46
diff --git a/gnupg.nix b/gnupg.nix
 { lib, pkgs, config, ... }:
 {
  services.gpg-agent = {
    enable = true;
    enableSshSupport = true;
    # Cache the PIN for 3 hours
    defaultCacheTtl = 3600*3;
    #grabKeyboardAndMouse = false;
    #pinentryPackage = pkgs.pinentry;
  };
  programs.gpg = {
    enable = true;
    #homedir = "${config.xdg.dataHome}/gnupg";
    settings = {
      # Assume that command line arguments are given as UTF8 strings.
    utf8-strings = true;
     
    # when outputting certificates, view user IDs distinctly from keys:
    fixed-list-mode = true;
     
    # long keyids are more collision-resistant than short keyids (it's trivial to make a key
    # with any desired short keyid)
    # NOTE: this breaks kmail gnupg support!
    keyid-format = "0xlong";
     
    # when multiple digests are supported by all recipients, choose the strongest one:
    personal-digest-preferences = "SHA512 SHA384 SHA256 SHA224";
     
    # preferences chosen for new keys should prioritize stronger algorithms:
    default-preference-list = "SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 BZIP2 ZLIB ZIP Uncompressed";
     
    # You should always know at a glance which User IDs GPG thinks are legitimately bound to
    # the keys in the keyring:
    verify-options = "show-uid-validity";
    list-options = "show-uid-validity";
     
    # include an unambiguous indicator of which key made a signature:
    # (see http://thread.gmane.org/gmane.mail.notmuch.general/3721/focus=7234)
    # (and http://www.ietf.org/mail-archive/web/openpgp/current/msg00405.html)
    sig-notation = "[email protected]=%g";
     
    # when making an OpenPGP certification, use a stronger digest than the default SHA1:
    cert-digest-algo = "SHA512";
    s2k-cipher-algo = "AES256";
    s2k-digest-algo = "SHA512";

    #keyserver = "keys.openpgp.org";

    };
  };

 }
	{ lib, pkgs, config, ... }:
	{
	services.gpg-agent = {
	enable = true;
	enableSshSupport = true;
	# Cache the PIN for 3 hours
	defaultCacheTtl = 3600*3;
	#grabKeyboardAndMouse = false;
	#pinentryPackage = pkgs.pinentry;
	};
	programs.gpg = {
	enable = true;
	#homedir = "${config.xdg.dataHome}/gnupg";
	settings = {
	# Assume that command line arguments are given as UTF8 strings.
	utf8-strings = true;

	# when outputting certificates, view user IDs distinctly from keys:
	fixed-list-mode = true;

	# long keyids are more collision-resistant than short keyids (it's trivial to make a key
	# with any desired short keyid)
	# NOTE: this breaks kmail gnupg support!
	keyid-format = "0xlong";

	# when multiple digests are supported by all recipients, choose the strongest one:
	personal-digest-preferences = "SHA512 SHA384 SHA256 SHA224";

	# preferences chosen for new keys should prioritize stronger algorithms:
	default-preference-list = "SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 BZIP2 ZLIB ZIP Uncompressed";

	# You should always know at a glance which User IDs GPG thinks are legitimately bound to
	# the keys in the keyring:
	verify-options = "show-uid-validity";
	list-options = "show-uid-validity";

	# include an unambiguous indicator of which key made a signature:
	# (see http://thread.gmane.org/gmane.mail.notmuch.general/3721/focus=7234)
	# (and http://www.ietf.org/mail-archive/web/openpgp/current/msg00405.html)
	sig-notation = "[email protected]=%g";

	# when making an OpenPGP certification, use a stronger digest than the default SHA1:
	cert-digest-algo = "SHA512";
	s2k-cipher-algo = "AES256";
	s2k-digest-algo = "SHA512";

	#keyserver = "keys.openpgp.org";

	};
	};

	}