Updated about with larger QR code, updated gpg best practices

content/post/gpg_best_practices_and_git.md

@@ -1,44 +1,61 @@
 ---
 title: "OpenPGP Best Practices (and Git)"
 date: 2019-02-17
-lastmod: 2019-02-18
+lastmod: 2019-02-22
 categories: ["Blog"]
 tags: ["linux"]
 ---
 I decided to start signing my Git commits for personal, and work Git
 repositories. Currently, most third-party Git repository hosts only support
-signing commits, but **do not** support signing pushes.
+signed commits and **do not** support signed pushes.
 <!--more-->
 
-That being said, I've added my public key to my
-[GitLab](https://gitlab.com/bdebyl), and set the global config to use my key,
-and sign all of my commits:
+That being said, I have added my public key to my
+[GitLab](https://gitlab.com/bdebyl), and set the global config to use my signing
+key, and sign all of my commits.
 ```bash
-git config --global user.signingKey ADAA54FC
+git config --global user.signingKey 875953A2
 git config --global commit.gpgSign true
 ```
-_Note: I am using git version `2.20.1` in the above example._
+
+For reference, I am directly referencing the subkey ID I use for **signing only**
+denoted by `[S]`:
+```
+pub   rsa4096/ADAA54FC 2017-11-21 [SC] [expires: 2020-02-23]
+uid                    Bastian de Byl <bastiandebyl@gmail.com>
+sub   rsa4096/A72FC2F1 2017-11-21 [E] [expires: 2020-02-23]
+sub   rsa4096/875953A2 2019-02-23 [S] [expires: 2020-02-23]
+```
+<sub>Note: _I am using git version `2.20.1` in the above example._</sub>
+
 
 # Getting Started with OpenPGP
 It is recommended to read through the
 [Getting Started](https://www.gnupg.org/gph/en/manual/c14.html) page  on the
-official GnuPG website. However, I would **strongly** recommend using the
-`--full-gen-key` option in place of the `--gen-key`. This will allow you to
-specify additional details about your key, such as using a 4096-bit RSA key.
+official GnuPG website. It is also **strongly** recommend to use the
+`--full-gen-key` option in place of `--gen-key`. This will allow you to specify
+additional details about your key, such as using a 4096-bit RSA key. Lastly,
+create a separate subkey for **signing only** -- read more about that
+[here](https://wiki.debian.org/Subkeys).
 
 # OpenPGP Keyserver Pool
-In addition to that, there came the addition of using the
-[SKS Keyserver Pool](https://sks-keyservers.net/overview-of-pools.php) for
-sending and receiving keys for OpenPGP. This can be done by obtaining the CA and
-verifying the signature on the
-[HKPS Pool Verification](https://sks-keyservers.net/verify_tls.php) page.
+As of GnuPG version
+[2.1.11](https://github.com/riseupnet/riseup_help/issues/294#issuecomment-192913705),
+the `hpks.pool.sks-keyservers.net` CA certificate is installed and made use by
+default meaning there is nothing to do.
+
+However, if you are using older versions then obtain the CA and verify the
+signature. Instructions can be found on the
+[HKPS Pool Verification](https://sks-keyservers.net/verify_tls.php) page or by
+reading further below.
 
 ## Verification
+To verify and retrieve the necessary keys to do so (automatically, if possible):
 ```
 gpg --auto-key-retrieve --verify sks-keyservers.netCA.pem.asc sks-keyservers.netCA.pem
 ```
 
-The output received was as follows:
+The expected output:
 ```
 gpg: Signature made Wed 30 Mar 2016 11:06:29 AM EDT
 gpg:                using RSA key 250B7AFED6379D85
@@ -59,8 +76,12 @@ Primary key fingerprint: 94CB AFDD 3034 5109 5618  35AA 0B7F 8B60 E3ED FAE3
 
 ## Adding the HKPS Pool CA
 Once the signature has been verified, the CA can be moved over to
-`/usr/share/ca-certificates` to add to your CA certificates via `sudo
-update-ca-trust` (_Arch_) or `sudo update-ca-certificates` (_Debian/Ubuntu_).
+`/usr/share/ca-certificates` to update the list of trusted CA certificates. Do
+this via:
+
++ `sudo update-ca-trust` (_Arch_)
++ `sudo update-ca-certificates` (_Debian/Ubuntu, RHEL_)
+
 
 {{% admonition tip "CA Path" %}}
 On my system the full path to the CA certs is:
@@ -102,10 +123,11 @@ keyserver-options no-honor-keyserver-url
 ---
 
 # More Information
-There is a whole load of information on
-[OpenPGP Best Practices](https://riseup.net/en/security/message-security/openpgp/best-practices).
-A few noteworthy points worth exploring:
+The
+[OpenPGP Best Practices](https://riseup.net/en/security/message-security/openpgp/best-practices)
+page is a good resource for finding out more on best practices. A few points
+worth exploring, that I personally recommend:
 
-- **Keep an encrypted backup of your secret key**
-- Have a separate subkey for signing
+- Keep an encrypted backup of your secret key
 - Keep your primary key entirely offline
+- Have a separate subkey for signing