On Fri, Sep 28, 2018 at 11:33:44AM -0400, Jim Popovitch wrote:
> Hello!
>
> What is the best way to maintain consistency of a user's gnupg
> signing/verifying capabilities between 2 or more desktop systems?
>

You may find this article helpful:

http://www.connexer.com/articles/openpgp-subkeys

It is a bit dated, but I still follow the procedure every year when I extend the expiration of my subkeys.

Essentially, what you want is a primary secret key that remains offline (except for when you need to sign other keys and to extend the expiration of the primary and/or subkeys, if you choose to give them expiration dates). Then, the multiple devices each get a signing subkey which can be used for signing only.

The only thing not covered in the article is the verifying part, but that is a simple sync of ~/.gnupg/pubring.gpg. You can probably do that via cron or some other file sync approach (maybe that detects when you connect to your home network or whatever).

If you really only care about signing and verifying then that is pretty much it. However, note (as covered in the article) that if you want to decrypt you will need to copy the same encryption subkey to every device. This is because while a given primary GPG key can have an arbitrary number of signing subkeys, it only makes sense to have one encryption subkey (I am not sure if that is also enforced on the technical side).

Regards,

-Roberto

--
Roberto C. Sánchez
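
The layout described in the reply above (primary secret key kept offline, each device holding only subkeys) can be checked on every machine. The following is an added example, not part of the original message: it audits the colon-format listing of secret keys. The function name `audit_keyring`, the key IDs and the sample listings are constructed for illustration, and the script assumes a single key in the keyring.

```shell
#!/bin/sh
# Added example (not from the original message). Audits the output of
#   gpg --list-secret-keys --with-colons
# Fields used (GnuPG doc/DETAILS): 1 record type, 5 key ID,
# 12 capabilities, 15 "#" when only a stub of the secret key is present.
# Assumes one key per keyring; audit_keyring is a hypothetical name.
audit_keyring() {
    awk -F: '
        BEGIN { sign = 0; enc = 0; offline = 0; primary = "" }
        $1 == "sec" { primary = $5; if ($15 == "#") offline = 1 }
        $1 == "ssb" && $15 != "#" {
            if ($12 ~ /s/) sign++
            if ($12 ~ /e/) enc++
        }
        END {
            if (primary == "") { print "FAIL no secret key found"; exit 2 }
            if (!offline) { print "FAIL primary " primary " secret is on this device"; exit 1 }
            if (sign == 0) { print "FAIL no usable signing subkey"; exit 1 }
            print "OK primary " primary " offline, signing subkeys: " sign ", encryption subkeys: " enc
        }'
}

# Constructed sample: a device that holds subkeys only.
sample_device() {
    cat <<'EOF'
sec:u:4096:1:1111111111111111:1500000000:::u:::scESC:::#:
uid:u::::1500000000::::Example User <user@example.org>:
ssb:u:4096:1:2222222222222222:1500000000:1600000000:::::s:::+:
ssb:u:4096:1:3333333333333333:1500000000:1600000000:::::e:::+:
EOF
}

# Constructed sample: a device that also holds the primary secret key.
sample_full() {
    cat <<'EOF'
sec:u:4096:1:1111111111111111:1500000000:::u:::scESC:::+:
ssb:u:4096:1:2222222222222222:1500000000:1600000000:::::s:::+:
EOF
}

sample_device | audit_keyring
```

On a real device, pipe `gpg --list-secret-keys --with-colons` into `audit_keyring`; a non-zero exit status means the keyring does not match the offline-primary layout.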