diff --git a/content/about.md b/content/about.md
index 5bc3ef3..2539cda 100644
--- a/content/about.md
+++ b/content/about.md
@@ -15,7 +15,7 @@ fingerprint QR-code. Feel free to scan it using the
[OpenKeychain](https://www.openkeychain.org/) app! I'll provide it here in-case
you are on a mobile device, and my full public key:
-
+
`70A4 AA02 555D BD55 9189 B4E0 F32B E05E ADAA 54FC`
@@ -23,7 +23,6 @@ you are on a mobile device, and my full public key:
{{% admonition info "Public Key" true %}}
```
-----BEGIN PGP PUBLIC KEY BLOCK-----
-Version: GnuPG v2.2.13 (GNU/Linux)
mQINBFoTpoMBEADDIjRewOTvJBQF4ZxK/LS7yBL0TuU7VbZzEH3s5YKj63P/Rmvx
8/jMm0iop+uiPNo+0imIGYsdfW77bt95I9+kBm27eVf8mDMldMiS/LBCCmnuQ19u
@@ -36,45 +35,81 @@ ds1OzX0A5RWzfYLPerx5ssKqHa5n09bq634FNHOXnjr9wQuRpxLmNrBgXWvohpuq
E2+ZgdCIh9YmGsjrnlmjPZRUi5Bl/snTYEy422mJ11Mq04IYlS2IW4USxT1iOzt1
nNc+PJ1n921Hy5z9ZG/g0+POrQe9PjCUwlou+2mNutHGvQJNzPOwSq0D7UbFrumi
Ak0TZ0QJCLOLG5pREeMuJYkd+SQ/1qTmQ5i9WQY3CmmlGXdM+gD3O0OP7wARAQAB
-tCdCYXN0aWFuIGRlIEJ5bCA8YmFzdGlhbmRlYnlsQGdtYWlsLmNvbT6JAk4EEwEK
-ADgWIQRwpKoCVV29VZGJtODzK+BerapU/AUCWhOmgwIbAwULCQgHAgYVCgkICwIE
-FgIDAQIeAQIXgAAKCRDzK+BerapU/L/+D/0XtboLkk8+f9z0kNO+4Vw/6cQaDFaN
-376IBvZneq5lvDV1BjWcsbEnUMFEBDm14hEN5gvsfMT+c+7wS2zYn41rCkhVFV/h
-EczuVCWKaCVjeIM9sC8iHbyZgYlrJBU1YKKue1ZC+OIQwScnUu7Ex+b2wze/Unif
-471fANTBJcaaulFo92EaDhRWwdvuC0yT5B7qj02Qrpw5Q4udpaWmUE4ZtFFS4+7L
-tZ5A39NOntwsIUBZJkWSUj0AdRl2DCq9jEKObibEbPieAkfevkCrkpd4yS+3JQsM
-iAsHxNVbs9pPIFQKhwrnJ1XvkekqngTaP8oZ2t0r/Kqg8Fk6WMHJkYMlyP4H59+/
-WVIrRU8+FjrT2GGF37+lM9xk/ebgqarujw3FXOw64HaRkzDYDuZc6yLLjt/qAjP1
-+vcAm1QGaR3t1Xjf9UgEnf3qBeafFcCnxyHzeyNgGewOva4E9xvPWnU3OK49JwJn
-rrLmjoWmndPCGTDr4DCLw0Z47Y6eLeEJLuzlnjb3FvJS0D/7FQsU74iY7UcOGNtp
-7+sF8LDpGFzfKix6xEMeFPrICxfNOrXj45J7NMIG4/2vVAJwNFTUYh3BMgLta36K
-ckkT510Iw9w5m1iazrQoEntmD+/FXMuCGFTvyfAWzUaorQo7e0yHz8b5orBh6bek
-FaPznygEozBVc7kCDQRaE6aDARAA1lqJBqZWseKWeIsZCBqm2a56+BSEFuL5aWt+
-pmbuM4udLGexX1kP5+8dYDWQwBC2jXnrCgoaG5ZPkVNSHQ3LObknGhNteNLn3+Mr
-pgv/sBSKmo4cDa9wiEgjw/7zlpjmrZoKCgpVSuFigS077EMhsX4YmzZO1J+AxGSr
-Wd+DZ3Ye89hcOZqMWW98kjJiEfwFtQfEI2+qRUJ4JyoDjj+znQHJrp2VIloPFvKW
-EzArM/ujUYZpP4eaes6/o+iGPwY3qbcnRFeZQLd/CyJFQn4dKVM/7H3VOsJTKnFX
-5LfDZgFYXmFsSuzBy7n6UWd6t+6gzbrzhf+UyvM6EBS8gZUCYCuSRP/GoWjoCekD
-oxSo510O+JV8nScbf9sV8hGjfy7+j6jngwSltBGrDXEScvK+cQwdAN9YNt+4i9TP
-3Hn4GZpC3uq2HSCLX3rmrgT22L1X2QXFKyO1I2S7ksK5DmFQVuV1PR7GgWBLZzx3
-j3I1Q1pZHgv6BXjCj/h70ycgS8Sg20GYedLS+W0PEbd8AKelIOPjthPdQpvBQY8l
-3TV7W+7RN3tGpZylhCng28gytoAjbK+IBIXRIQqeq/NYRSgPg9hEjL3ArBKcBlwJ
-p6g7/WAuMoTwCMNssNCbK6jKX3IRvztVPdPaQZU5TZMrrb+ZJQtCbDkUArQaFaJG
-+C/6X1UAEQEAAYkCNgQYAQoAIBYhBHCkqgJVXb1VkYm04PMr4F6tqlT8BQJaE6aD
-AhsMAAoJEPMr4F6tqlT8gMoQAIDp09TEAuDxJuuH5wPOdeV03bsHYcenqhqRY2qV
-4lCwUkinJZXzXLrvRwOcKJf23UkdJDQEMggfJc5DLuSgW3qavXBHOQBnGF5Fa2Jo
-Cr2eblHg1/SwkSuQ3xh5UCELPwG0xeAoU0aeuncwOtN3Comp9Uo30FPqLzR63pi8
-BCrEY/+f0IhAZggu82l3rbf6pm7sKoucZ12jll6tML+La4qpHLoyrU0clwNylJVz
-tWPgfKcpvtbHmMpHLBx5cpuJJQKjuybCB7ODT45xLr/kNkNDb9YJ1DxMuY+sySXX
-Bl9exhYmrsYms6+NHxG0w1EmqmGln31JLsjgQVktUuMnFWFTKSO61ZGbnibPmF/Y
-RdlRZsjDpetX+VXiFEcgPbYEZBuEz8O1aUK+HCUwBx+a40WNjro90CUk9YZ2s3yR
-c1uH47bijOiRLeH5kuDtcEAzqFdvuMAr1BXNejFUPeAEGt8k8fQ0bzGPYICB4Msi
-36FPRhHgzA/DpWDKgJ5N3w56RHe7XD96LiHkTp/eyOdgKkM9JY9Q5CoqdJ1q91gT
-2NJV6ifF4yeTsCjUhmouuZ+H2Bfi/6XDR1U6ACJq2JYOLa8MZeVlVGgkkeBR6ifv
-hRN2IsW1+4Xdb42E0Xjb6QIfbnrWP/4AjiZvVmCYJhLAGgw4ugzJNTx9X5rWKrlW
-d65s
-=QdhV
+tCdCYXN0aWFuIGRlIEJ5bCA8YmFzdGlhbmRlYnlsQGdtYWlsLmNvbT6JAlQEEwEK
+AD4CGwMFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AWIQRwpKoCVV29VZGJtODzK+Be
+rapU/AUCXHCqDgUJBD43CwAKCRDzK+BerapU/AswEACCY1JDmZPRdpkfNfjuvS/M
+SKpHsHwSuNljYVHKGYmVcBGKqA1feZZMBn8bUqKEhmuZNQ6Df6zCximoHKecR7qI
+xUi55YkBtwchY66pMF+xAPIxVl9TLgwCJfNmmzbJHU9ZoCwERJD4IsMZOhv2qCzM
++Mbtat8hyCNroFtUPaJu0uR6Wudl9QWKKDLBErZa1caVMSpjXrnUP1U1A7SGqxCw
+LbHOm42SyiclNcy2WA7yzGhLq1DviClOdFEk/158fNVimI7zgNwVRtHeOTlF9Klj
+PDdp5Ut5UV05R8apA2rvu+PUcTVyfKiUnkaD3cnwL6gORfi4phDXTBEMdntBPToy
+K0pPpUms1XJVumOnFrIGNr9jI8LlOScYkL3kIcT3lqDrjjeWEHUlMrSIVe19FfSr
+snoA0gZima4fePGi8KviAJLBwKeh5i/vHwF6pdjdIby+Dq5cKvR6qwtJktMMEd12
+FXAIpxDIv0b6nXNsrvGDASHtsdjXYrv4bvFvce0pEUzW0XNCpM0uJsE++DD/mkEP
+WxhFDV7+0K4L5unlfcpCP3zN38xlgxcIPMhieckYm1s35FAkMEXd3ei7SvPKrzna
+eQ5sq0PmroED51K8SJSahMkcRP5Y47BwknJNVa1fZGJ4lD8uNrTBIqnBGmDizbX1
+lKGAr/F4IojfVM7kEF2strkCDQRaE6aDARAA1lqJBqZWseKWeIsZCBqm2a56+BSE
+FuL5aWt+pmbuM4udLGexX1kP5+8dYDWQwBC2jXnrCgoaG5ZPkVNSHQ3LObknGhNt
+eNLn3+Mrpgv/sBSKmo4cDa9wiEgjw/7zlpjmrZoKCgpVSuFigS077EMhsX4YmzZO
+1J+AxGSrWd+DZ3Ye89hcOZqMWW98kjJiEfwFtQfEI2+qRUJ4JyoDjj+znQHJrp2V
+IloPFvKWEzArM/ujUYZpP4eaes6/o+iGPwY3qbcnRFeZQLd/CyJFQn4dKVM/7H3V
+OsJTKnFX5LfDZgFYXmFsSuzBy7n6UWd6t+6gzbrzhf+UyvM6EBS8gZUCYCuSRP/G
+oWjoCekDoxSo510O+JV8nScbf9sV8hGjfy7+j6jngwSltBGrDXEScvK+cQwdAN9Y
+Nt+4i9TP3Hn4GZpC3uq2HSCLX3rmrgT22L1X2QXFKyO1I2S7ksK5DmFQVuV1PR7G
+gWBLZzx3j3I1Q1pZHgv6BXjCj/h70ycgS8Sg20GYedLS+W0PEbd8AKelIOPjthPd
+QpvBQY8l3TV7W+7RN3tGpZylhCng28gytoAjbK+IBIXRIQqeq/NYRSgPg9hEjL3A
+rBKcBlwJp6g7/WAuMoTwCMNssNCbK6jKX3IRvztVPdPaQZU5TZMrrb+ZJQtCbDkU
+ArQaFaJG+C/6X1UAEQEAAYkCPAQYAQoAJgIbDBYhBHCkqgJVXb1VkYm04PMr4F6t
+qlT8BQJccKoWBQkEPjcTAAoJEPMr4F6tqlT8VNQP+gN+pGZ7R42uLoqLb0746vrV
+62kGb7kgWIa9/vxzRNA+ud6mtHs983QaOzNow/2uFFsi3EtZ+t5SKbDUpTtaqI+8
+Q8VGJzx0P2qZVKNbHYfvW0Udn9axoXdMeiwCOvRPsqXQKSEaihWtQT5RzcVwJu7Y
+LOWI36hH6tpbx3+yMz22+bXWfLw7Em/1JObS/19WonsfwSAKLaAIyGnQadralzNa
+DKQil3Uj0BW6dbYMOuPZF/YoXIr9yQtJsUhInuYkbUGKBjB5dvTLSl1p8Gk2/3Ou
+MAfYCF81wDKgtTGJ2NYxi8hALKcDPS+vq4hilhPvfa3hXV0An0viXnsABxQY+xB9
+/BdYMp0VuuCWY51HSljKj2skL92fB1QhMAu/Fz2fHRdn2IWKr7PEH92rufdRanw2
+fGNPH6aOTBdD/G1XQ5S+vQs/gy8VsvlzUc32ntwfygBdA68WQvHqNrgY9PCQ2oqg
+BjixZ178jTv9PW8SFPZBg5dEb7p6RG2ErSmjzCQbXnvKx1lHGTy/MMBdU/qq9GCo
+gM5PsYAnjCs8x9XNxpnqFuYQT/z6OLYuLzDY795eLRzYB2rJYz6aBp80Ry6h7QwB
+6mfGI4O7rqaOW2+hxAfwcoAYvYjRFRQq/TbHJGPMVim3YW0+JII2DYnpIQ2WGjnx
+K9KToYW84EkYowriS/ZFuQINBFxwqh0BEADNCoVsNHTXHC1zp0uwciILDJ8GSihs
+zIFQkffnbAkP39F0ugdDLM6zvZheWKgw7cu5ddVZ8S6riN+uqIOYBc91enI92kXi
+vVvPIVtfQWihSjvR4aPXi9hZUG8VpYL+uyN8hVcv+gqewyjEAQaHVVMiNGijX2QO
+X/OigW3n5pcOJt0pjMMs66ZN2M9PRxCDoKbr9hJuONoccgxZik9iy9J1lEeQRSm5
+MjaQvUH5t3Ti/4knnMZ6yDzud3gWboDcQSTvFRbRkO+7mZ9vXRVEQ59Ox/Nr8TD7
+pRo9GFw4fIiJHyGRHFvfxXMNPs1eaqVRAp+VjdbKDn8MXt2Vwu/SAnx3vCajYXQC
+6cr2rTgZEHQeOiv7nvCjLSHUSyCBhKVPqiRKV7SkkTGtncHVraW2QJYGqLv84bdM
+BVIhGZi0yUAOM85HgXD/EU2LsKUn6IXR+jF8mKPvKELx8p/KJoUy9zlpi08znsPE
+hgZ4zGIER2NMAcqX5B/4OjbRGu4eLIBe6OkH1r/Jb2jhGqvgEXAA9R2G96kj6qYZ
+aU3QdHXHg6Jk281XFHIIHZrvRWe9fdPdB0JKcZBDHCZURCvR60wasXa4JGtwwsbL
+2YZIYltFf1DPt4cYIi5FUCqsY7bAtBJzhvfVWDIAAyafov5iikK9JS9jYOAwdXv4
+6Lt17lkoeXDx7wARAQABiQRyBBgBCAAmFiEEcKSqAlVdvVWRibTg8yvgXq2qVPwF
+Alxwqh0CGwIFCQHhM4ACQAkQ8yvgXq2qVPzBdCAEGQEIAB0WIQS108zp70t1/tr8
+fBOy3P6/h1lTogUCXHCqHQAKCRCy3P6/h1lTohOvEACYFk8GRTwFkTCsMD6Wyfw9
+ia5doD1AhxFQKm3Xyis3UdvfxiUDjgN5EZLhSJGsXaIEbug7CUCKnBIYDu6fP+v/
+y4lvpKNqxJkpIIesbr9KMm73UQVL/kdbw2GYWUWecSeQH1joItL6JXlw4Jn7b9Oj
+e/J0DF73/RMHfj322EquLLvjlIcuR+ImXHH4vy5eJJvzvDYUAnFBNR1/PjHf21zI
+3YgApiRs4XpCieBC0TBfNJLJaWHTuBVnsSZ6BM6H3LghL8ca1EWsob1c1G0qUqni
+O3rjmmZbbx7qF7tYV6974wx7vMxTCYmqyfVRP35RjKSbkT2Y3G9+opFOuixdOA3C
+x3eXcGeIQEBQTZG5TQj9zcf/Hq0YJMxGQQHDzaEvn4MpnHKvJchelgyZGBjJ+u9O
+zjjJ2nthb6EciYP5h1X29jeFGsCJAJBYzLTJZLiYDwYdgJzpz4fdW66G2kh+8Rfv
+4Ai5q4oDQQL8PO+mXd2X8Wmr2ZvPvEgA70HrZxlO5v0ekGGCKBSeyRrBSKbtqzDD
+54pHB1bf8QXmYG7fi0vC3xYAUPXfkFif/8dLor6MVcAzy2zgY+8Vxt++W9Fqm2OB
+CZJwmBkMPMJAnQbjPQbNLGrbeXuA/QPYL/RC7/mQRyLpDWGsSy7GCoFmUVk8IxuM
+jFqjmav/2fixclffKf7CEqP7D/9Qoos+nr7WiQPa9yW4a8LDkm/KR6Jl5zZZAGsE
+K+yqkEBHrmCNd8Q8i67b1xXCRNJHxXvoBhV1Ct/pEJ9mPgvjbyh/6TrhKN2u7fBn
+jwEHPKOeWtBD/+45Rvi0woDBrjqg74ZP2BK089RyWE6MMufsTg1Yw1yPyEFCn+DQ
+3shX1+ebtP62yBh6sYozq/zhNfCHUgqmWbnmc2UFZ+tGi9UiEMTwcjB1QimnBt4c
+GllJ+HHo8I14v+LMiVC+6z1YiTY7HZi7hWmujAc26bi/NaFSDj8NFoTSYDVRDL9o
+SkjedttjNbNskNxCqNsiCINI+9XfwE6UWtTDIvWrE8uLr06em9Rq2mn5ZOdoJ+7i
+ZTtVDwlsBjjSDML+pOiKDLh2c1TvvNVBexGfsDlnqO0VFYt0lztWJV6yZqHrgW2A
+XEJwxgd6GqnYx3gSmrZIvU7HJaumrURCp1TbIyxIF52aNSF5UNrfgZmmxY26ui8Z
+azCSBJyi6EnE9kDYJVRyfk260VQ54K+jsqJW3bUuGa+9Fn9ZVRXnVVguizDlpqn3
+jkxFiRR9iFiPaRnGk5NjJLgymfa166VZBn9YzNS9T0hHqrdFxhsebfLNtdUbMdd4
+sZQNaO9sqwN7NSafZ16x97GH5Tsqk2cSRcMy0wKw2QQzMz7f8GS7Es7nbNikN7m1
+XsiDHQ==
+=yi65
-----END PGP PUBLIC KEY BLOCK-----
+
```
{{% /admonition %}}
diff --git a/content/post/gpg_best_practices_and_git.md b/content/post/gpg_best_practices_and_git.md
index 5da56ad..4f30585 100644
--- a/content/post/gpg_best_practices_and_git.md
+++ b/content/post/gpg_best_practices_and_git.md
@@ -1,44 +1,61 @@
---
title: "OpenPGP Best Practices (and Git)"
date: 2019-02-17
-lastmod: 2019-02-18
+lastmod: 2019-02-22
categories: ["Blog"]
tags: ["linux"]
---
I decided to start signing my Git commits for personal, and work Git
repositories. Currently, most third-party Git repository hosts only support
-signing commits, but **do not** support signing pushes.
+signed commits and **do not** support signed pushes.
-That being said, I've added my public key to my
-[GitLab](https://gitlab.com/bdebyl), and set the global config to use my key,
-and sign all of my commits:
+That being said, I have added my public key to my
+[GitLab](https://gitlab.com/bdebyl), and set the global config to use my signing
+key, and sign all of my commits.
```bash
-git config --global user.signingKey ADAA54FC
+git config --global user.signingKey 875953A2
git config --global commit.gpgSign true
```
-_Note: I am using git version `2.20.1` in the above example._
+
+For reference, I am directly referencing the subkey ID I use for **signing only**
+denoted by `[S]`:
+```
+pub rsa4096/ADAA54FC 2017-11-21 [SC] [expires: 2020-02-23]
+uid Bastian de Byl
+sub rsa4096/A72FC2F1 2017-11-21 [E] [expires: 2020-02-23]
+sub rsa4096/875953A2 2019-02-23 [S] [expires: 2020-02-23]
+```
+Note: _I am using git version `2.20.1` in the above example._
+
# Getting Started with OpenPGP
It is recommended to read through the
[Getting Started](https://www.gnupg.org/gph/en/manual/c14.html) page on the
-official GnuPG website. However, I would **strongly** recommend using the
-`--full-gen-key` option in place of the `--gen-key`. This will allow you to
-specify additional details about your key, such as using a 4096-bit RSA key.
+official GnuPG website. It is also **strongly** recommend to use the
+`--full-gen-key` option in place of `--gen-key`. This will allow you to specify
+additional details about your key, such as using a 4096-bit RSA key. Lastly,
+create a separate subkey for **signing only** -- read more about that
+[here](https://wiki.debian.org/Subkeys).
# OpenPGP Keyserver Pool
-In addition to that, there came the addition of using the
-[SKS Keyserver Pool](https://sks-keyservers.net/overview-of-pools.php) for
-sending and receiving keys for OpenPGP. This can be done by obtaining the CA and
-verifying the signature on the
-[HKPS Pool Verification](https://sks-keyservers.net/verify_tls.php) page.
+As of GnuPG version
+[2.1.11](https://github.com/riseupnet/riseup_help/issues/294#issuecomment-192913705),
+the `hpks.pool.sks-keyservers.net` CA certificate is installed and made use by
+default meaning there is nothing to do.
+
+However, if you are using older versions then obtain the CA and verify the
+signature. Instructions can be found on the
+[HKPS Pool Verification](https://sks-keyservers.net/verify_tls.php) page or by
+reading further below.
## Verification
+To verify and retrieve the necessary keys to do so (automatically, if possible):
```
gpg --auto-key-retrieve --verify sks-keyservers.netCA.pem.asc sks-keyservers.netCA.pem
```
-The output received was as follows:
+The expected output:
```
gpg: Signature made Wed 30 Mar 2016 11:06:29 AM EDT
gpg: using RSA key 250B7AFED6379D85
@@ -59,8 +76,12 @@ Primary key fingerprint: 94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
## Adding the HKPS Pool CA
Once the signature has been verified, the CA can be moved over to
-`/usr/share/ca-certificates` to add to your CA certificates via `sudo
-update-ca-trust` (_Arch_) or `sudo update-ca-certificates` (_Debian/Ubuntu_).
+`/usr/share/ca-certificates` to update the list of trusted CA certificates. Do
+this via:
+
++ `sudo update-ca-trust` (_Arch_)
++ `sudo update-ca-certificates` (_Debian/Ubuntu, RHEL_)
+
{{% admonition tip "CA Path" %}}
On my system the full path to the CA certs is:
@@ -102,10 +123,11 @@ keyserver-options no-honor-keyserver-url
---
# More Information
-There is a whole load of information on
-[OpenPGP Best Practices](https://riseup.net/en/security/message-security/openpgp/best-practices).
-A few noteworthy points worth exploring:
+The
+[OpenPGP Best Practices](https://riseup.net/en/security/message-security/openpgp/best-practices)
+page is a good resource for finding out more on best practices. A few points
+worth exploring, that I personally recommend:
-- **Keep an encrypted backup of your secret key**
-- Have a separate subkey for signing
+- Keep an encrypted backup of your secret key
- Keep your primary key entirely offline
+- Have a separate subkey for signing