45

I have created multiple keys using gpg.

Whenever I try to sign any file, gpg automatically uses the first one I created. How do I set the default key for signing in gpg? I don't want to delete/revoke the other one yet.

Otherwise, how can I change my default keys for signing?

mas
Aman Sharma

2 Answers

55

To choose a default key without having to specify --default-key on the command line every time, create the configuration file ~/.gnupg/gpg.conf (if it doesn't already exist) and add a line containing

default-key <key-fpr>

replacing <key-fpr> with the id or fingerprint of the key you want to use by default.

Jbar
Stephen Kitt
    But how do I get the '' ? In what format? When I do `gpg -K` it prints a long ID with spaces. – 400 the Cat Jun 29 '20 at 06:27
  • @400 take the “Key fingerprint” line from `gpg -K` and use the value after the = sign; you can include the spaces, so copy-paste works, you don’t even need quotes. – Stephen Kitt Jun 29 '20 at 06:54
  • Your output must be different. I see 4 lines: `1) sec rsa4096 ...`, `2) what I think is the key id, i.e.: ffff ffff ffff ffff ffff ffff ffff ffff ffff ffff`, but there is no `=` sign, `3) my name and email`, `4) ssb rsa4096 ...` – 400 the Cat Jun 29 '20 at 07:41
  • @400 weird, I see a “Key fingerprint” line on all the platforms I’ve checked this on. Anyway, that long value is probably your fingerprint, not your key id, and you can use that as the `default-key` value. (Key ids are the values given with `rsa4096` etc.) – Stephen Kitt Jun 29 '20 at 07:45
  • I see the same output as @400theCat on Debian, gpg 2.2.27. The long value is the fingerprint; the last 16 chars of that are the long key id, and the last 8 chars are the short key id. You can also get the long key ids with `gpg --list-signatures` or the short key ids with `gpg --list-signatures --keyid-format short`. Anyway, the `default-key` option works with any of those (fingerprint, long id, or short id). – Dario Seidl Aug 02 '21 at 13:31
1

These steps are for EVERY GPG signing. That is, you don't want to use the tedious `--default-key` on the CLI anymore.

List your signatures:

gpg --list-signatures

Select your key to be that default. Then set the key default:

echo 'default-key:0:"xxxxxxxxxxxxxxxxxxxx' | gpgconf --change-options gpg

Please note that there is only ONE double quote, which signifies that a text string is about to begin. Also note that a pair of single quotes surrounds the entire echo argument.

There are three values separated by two colons.

  • First is the configuration keyword option `default-key`.
  • Second is pretty much always `0`, which means no special flag bit set. `16` means to delete the key from its configuration file. More on special flags

Also, for gpgconf, `--change-options` requires an argument. That argument is a component name that selects which configuration file to change. Commonly used component names are `gpg` for the ~/.gnupg/gpg.conf file and `gpg-agent` for the ~/.gnupg/gpg-agent.conf file. More on component names here.

Once the default key is set, if you want to use a different key of yours, use `--local-user <your name>` on the gpg command line just for that message, or the shorter `-u <your name>` option instead.

Note that `-u` or `--local-user` overrides `--default-key`, whether it is given on the command line or set in gpg.conf.

John Greene
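Both answers above boil down to getting one `default-key` line into the right place, and the comment thread shows the practical snag: the value copied from `gpg -K` is a fingerprint with spaces, not a key id. The following POSIX sh helpers are an added example, not code from either answer or from GnuPG: `normalize_key_id` accepts a fingerprint (with or without spaces), a long id or a short id and rejects anything else; `set_default_key_conf` edits a gpg.conf file idempotently, as in the first answer; `gpgconf_change_line` builds the `name:flags:"value` record that the second answer pipes into `gpgconf --change-options gpg`. The function names and the sample fingerprint are constructed for this example. Nothing here calls gpg, so it runs offline; point `set_default_key_conf` at a copy of your gpg.conf before using it on the real one.

```shell
#!/bin/sh
# Added example (hypothetical helper names, not part of GnuPG):
# pin the default GnuPG signing key by config file or via gpgconf.

# normalize_key_id ID
# Accepts a 40-hex fingerprint (spaces as printed by `gpg -K` allowed),
# a 16-hex long key id, or an 8-hex short key id. Prints it upper-cased
# with spaces removed; returns 1 for anything else so a typo or a pasted
# uid line never lands in gpg.conf.
normalize_key_id() {
    id=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    case "$id" in
        ''|*[!0-9A-F]*) return 1 ;;
    esac
    case "${#id}" in
        8|16|40) printf '%s\n' "$id" ;;
        *) return 1 ;;
    esac
}

# set_default_key_conf CONF ID
# Writes exactly one `default-key ID` line into CONF (normally
# ~/.gnupg/gpg.conf), dropping any default-key lines already present
# and keeping every other option untouched.
set_default_key_conf() {
    conf=$1
    id=$(normalize_key_id "$2") || return 1
    [ -f "$conf" ] || : > "$conf"
    # grep -v exits 1 when nothing is left; that is not an error here.
    grep -Ev '^[[:space:]]*default-key([[:space:]]|$)' "$conf" > "$conf.tmp" || :
    printf 'default-key %s\n' "$id" >> "$conf.tmp"
    mv "$conf.tmp" "$conf"
}

# get_default_key_conf CONF
# Prints the default-key value(s) currently set in CONF, one per line
# (after set_default_key_conf there is exactly one).
get_default_key_conf() {
    [ -f "$1" ] || return 0
    sed -n 's/^[[:space:]]*default-key[[:space:]]\{1,\}//p' "$1"
}

# gpgconf_change_line ID [FLAGS]
# Builds the record `gpgconf --change-options gpg` reads on stdin:
# name:flags:value, where a string value is introduced by a single
# double quote. FLAGS defaults to 0 (set); 16 deletes the option, as the
# second answer describes, in which case no value is sent.
gpgconf_change_line() {
    flags=${2:-0}
    if [ "$flags" = 16 ]; then
        printf 'default-key:16:\n'
        return 0
    fi
    id=$(normalize_key_id "$1") || return 1
    printf 'default-key:%s:"%s\n' "$flags" "$id"
}

# Constructed sample fingerprint (not a real key), in the spaced form
# that `gpg -K` prints and that the comment thread was tripping over.
EXAMPLE_FPR='ffff ffff ffff ffff ffff ffff ffff ffff ffff ffff'

# Usage, route 2 (second answer): feed the record to gpgconf.
#   gpgconf_change_line "$EXAMPLE_FPR" | gpgconf --change-options gpg
# Usage, route 1 (first answer): edit the file directly.
#   set_default_key_conf "$HOME/.gnupg/gpg.conf" "$EXAMPLE_FPR"
gpgconf_change_line "$EXAMPLE_FPR"   # -> default-key:0:"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
```

Either route ends with `gpg --sign` picking that key; `-u`/`--local-user` on a single invocation still wins, as the second answer notes, so a per-message override needs no config change.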