51

I have created multiple keys using gpg.

Whenever I try to sign any file, gpg automatically uses the first one I have created. How do I set the default key for signing in gpg? I don't want to delete/revoke the other one yet.

Otherwise, how can I change my default keys for signing?

3 Answers

62

To choose a default key without having to specify --default-key on the command-line every time, create a configuration file (if it doesn't already exist), ~/.gnupg/gpg.conf, and add a line containing

default-key <key-fpr>

replacing <key-fpr> with the id or fingerprint of the key you want to use by default.

5
  • 3
    but how do I get the '<key-fpr>'? In what format? When I do 'gpg -K' it prints a long ID with spaces. Commented Jun 29, 2020 at 6:27
  • @400 take the “Key fingerprint” line from gpg -K and use the value after the = sign; you can include the spaces, so copy-paste works, you don’t even need quotes. Commented Jun 29, 2020 at 6:54
  • 3
    your output must be different. I see 4 lines: 1) sec rsa4096 ..., 2) what I think is the key id, ie: ffff ffff ffff ffff ffff ffff ffff ffff ffff ffff, but there is no = sign, 3) my name and email, 4) ssb rsa4096 ... Commented Jun 29, 2020 at 7:41
  • @400 weird, I see a “Key fingerprint” line on all the platforms I’ve checked this on. Anyway, that long value is probably your fingerprint, not your key id, and you can use that as the default-key value. (Key ids are the values given with rsa4096 etc.) Commented Jun 29, 2020 at 7:45
  • 1
    I see the same output as @400theCat on Debian, gpg 2.2.27. The long value is the fingerprint, the last 16 chars of that is the long key id, and the last 8 chars is the short key id. You can also get the long key ids with gpg --list-signatures or the short key ids with gpg --list-signatures --keyid-format short. Anyway, the default-key option works with any of those options (fingerprint, long id, or short id). Commented Aug 2, 2021 at 13:31
2

These steps apply to EVERY GPG signing operation. That is, you no longer have to use the tedious --default-key on the CLI.

List your signatures:

gpg --list-signatures

Select your key to be that default. Then set the key default:

echo 'default-key:0:"xxxxxxxxxxxxxxxxxxxx' | gpgconf --change-options gpg

Please note that there is only ONE double quote, which signifies that a text string is about to begin. Also note that a pair of single quotes surrounds the entire echo argument.

There are three values separated by two colon symbols:

  • First is the configuration keyword option “default-key”
  • Second is pretty much always ‘0’, which means no special flag bit set. ‘16’ means to delete the key from its configuration file. More on special flags.

Also, for gpgconf the --change-options requires an argument. That argument is a component name that chooses which configuration file the change is made to. Commonly used component names are gpg for the ~/.gnupg/gpg.conf file and gpg-agent for the ~/.gnupg/gpg-agent.conf file. More on component names here.

Once the default key is set, if you want to use a different key of yours for one message, use --local-user <your name> on the gpg command line just for that message, or the shorter -u <your name> option instead.

Note that -u or --local-user overrides this --default-key on the command line or in gpg.conf settings.

3
  • Sorry, had to downvote this because it seems "nonsense" when trying it out: gpg --list-signatures shows every signature of anyone I have, which totally scrolls out of my scroll history of 2000 lines and is useless. Then I tried echo 'default-key:0:"0xC155A4EEE4E527A2' | gpgconf --change-options gpg which prints gpg:OpenPGP:/usr/bin/gpg:1:1: and in no way I see a change. I don't think this did anything at all (hopefully :/). That is - I then inspected ~/.gnupg/gpg.conf and what it did was disable an existing default-key entry and add a new one (with the wrong format). You probably should explain what that xxxxxxxxxxxxx has to look like. Commented Dec 30, 2024 at 17:13
  • I'm using GnuPG version 2.2.27 and at least it shows the long key ID for gpg --list-secret-keys. Commented Apr 3 at 14:21
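As an added example (not code from the answers or comments above): a small POSIX sh script that writes default-key into a gpg.conf the way the first answer describes, while avoiding the duplicate-entry problem the comment on the gpgconf approach ran into. It normalizes whatever you pass (a fingerprint with or without spaces, a long or short ID, an optional 0x prefix), derives the long and short IDs from a fingerprint as the comments explain (last 16 and last 8 hex digits), and replaces any existing active default-key line instead of appending a second one. The function names and the scratch file path are ours; the key values are the ones quoted elsewhere on this page.

```shell
#!/bin/sh
# Added example, not code from the answers above: set `default-key` in a
# gpg.conf idempotently (one active line, existing one replaced, comments
# kept) and derive the long/short key IDs from a fingerprint. The key
# values in the demo are the ones quoted elsewhere on this page.

# Accept a fingerprint (with or without spaces, with or without 0x), a
# 16-digit long ID or an 8-digit short ID; print it normalized, else fail.
normalize_keyspec() {
    spec=$(printf '%s' "$1" | tr -d ' ' | sed 's/^0[xX]//' | tr 'a-f' 'A-F')
    case $spec in
        ''|*[!0-9A-F]*) return 1 ;;
    esac
    case ${#spec} in
        40|16|8) printf '%s\n' "$spec" ;;
        *) return 1 ;;
    esac
}

# Long ID = last 16 hex digits of the v4 fingerprint, short ID = last 8.
long_id_from_fpr() {
    fpr=$(normalize_keyspec "$1") && [ "${#fpr}" -eq 40 ] || return 1
    printf '%s\n' "$fpr" | cut -c25-40
}
short_id_from_fpr() {
    fpr=$(normalize_keyspec "$1") && [ "${#fpr}" -eq 40 ] || return 1
    printf '%s\n' "$fpr" | cut -c33-40
}

# Print the last active default-key value found in a gpg.conf.
get_default_key() {
    [ -f "$1" ] || return 1
    sed -n 's/^[[:space:]]*default-key[[:space:]]\{1,\}\(.*\)$/\1/p' "$1" | tail -n 1
}

# Rewrite gpg.conf with exactly one active default-key line. Commented-out
# lines and every other option are left alone; the file ends up mode 600.
set_default_key() {
    conf=$1
    spec=$(normalize_keyspec "$2") || { echo "rejected key spec: $2" >&2; return 1; }
    dir=$(dirname "$conf")
    [ -d "$dir" ] || mkdir -m 700 -p "$dir"
    tmp=$conf.tmp.$$
    : > "$tmp"
    if [ -f "$conf" ]; then
        grep -v -e '^[[:space:]]*default-key[[:space:]]' \
                -e '^[[:space:]]*default-key$' "$conf" > "$tmp" || :
    fi
    printf 'default-key %s\n' "$spec" >> "$tmp"
    chmod 600 "$tmp" && mv "$tmp" "$conf"
}

# Demo against a throwaway file (not your real ~/.gnupg/gpg.conf).
demo=${TMPDIR:-/tmp}/gpgconf-demo.$$/gpg.conf
set_default_key "$demo" '8020 B266 6305 EE2F D53E  6827 C155 A4EE E4E5 27A2'
set_default_key "$demo" "0x$(long_id_from_fpr 8020B2666305EE2FD53E6827C155A4EEE4E527A2)"
echo "default-key now: $(get_default_key "$demo")"
echo "active default-key lines: $(grep -c '^default-key ' "$demo")"
rm -rf "${demo%/gpg.conf}"
```

Point it at ~/.gnupg/gpg.conf only after trying it on a scratch file, and keep a copy: it rewrites the file. Whatever value you end up with, confirm with gpg --list-secret-keys that it names exactly one of your secret keys. A short ID is accepted by default-key but 32-bit IDs are cheap to collide, so prefer the full fingerprint.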
0

You can verify what your current default key for signing is, if any, by running:

>echo "test" | gpg --sign --verbose

If a default key is configured, it will print something like:

gpg: using "something here" as default secret key for signing

where the something here is what is configured in your ~/.gnupg/gpg.conf after the default-key keyword. For example:

default-key something here

Note that no quotes are used. You can put there anything you can normally use to identify a key: a long or short key ID, or the fingerprint with or without spaces. It is easy to test whether it worked, because echo "test" | gpg --sign --verbose prints the key that was actually used after the above line.

For example, if I use

default-key 8020B2666305EE2FD53E6827C155A4EEE4E527A2

Then I get:

>echo "test" | gpg --sign --verbose
gpg: enabled compatibility flags:
gpg: using pgp trust model
gpg: using "8020B2666305EE2FD53E6827C155A4EEE4E527A2" as default secret key for signing
gpg: writing to stdout
gpg: pinentry launched (530143 gnome3 1.3.1 - xterm-256color :0.0 - 1000/1000 0)
gpg: DSA/SHA512 signature from: "0xC155A4EEE4E527A2 Carlo Wood (CarloWood on Libera) <[email protected]>"
-----BEGIN PGP MESSAGE-----

owJ4nJvAy8zAJXgwdMm7J0/VFzGe5k5iSC+6eaoktbiEq6OUhUGQi0FWTJGlQWFT
WjLrO/2rdhnqMMWsTCCVDFycAjCRyQUM//1UhTudplzXq3yd1l/x1uTQjwnKv5rC
7siwdaz+/F1Sdz7D/4jrex99n9k78+ni6wq86/O27Enm04laJFYdr3SzJuObQjkA
zvZCkA==
=B0sh
-----END PGP MESSAGE-----

This shows that 0xC155A4EEE4E527A2 (the long ID) was used, which I could also have used in ~/.gnupg/gpg.conf instead, i.e.

default-key 0xC155A4EEE4E527A2
