diff --git a/README.md b/README.md index 315f843..13fe760 100644 --- a/README.md +++ b/README.md @@ -47,6 +47,7 @@ If you have a comment or suggestion, please open an [Issue](https://github.com/d * [Setup environment](#setup-environment) * [Renewing sub-keys](#renewing-sub-keys) * [Rotating keys](#rotating-keys-1) +- [Adding notations](#adding-notations) - [SSH](#ssh) * [Create configuration](#create-configuration) * [Replace agents](#replace-agents) 
@@ -1875,6 +1876,30 @@ $ sudo umount /mnt/public Disconnect the storage device and follow the original steps to transfer new keys (4, 5 and 6) to YubiKey, replacing existing ones. Reboot or securely erase the GPG temporary working directory. +# Adding notations + +Notations can be added to users ID(s) and can be used in conjunction with [Keyoxide](https://keyoxide.org) to create [OpenPGP identity proofs](https://keyoxide.org/guides/openpgp-proofs). + +The setup environment can be created by using this [section](#setup-environment) from this guide. + +After having completed the environment setup, it is possible to follow any of the guides listed under "Adding proofs" from the Keyoxide ["Guides"](https://keyoxide.org/guides/) page __up until the notation is saved using the `save` command`. + +At this point the public key can be exported: + +```console +$ gpg --export $KEYID > pubkey.gpg +``` + +The public key can now be transferred to the computer where the GPG key is used and it is imported with: + +```console +$ gpg --import pubkey.gpg +``` + +N.B.: The `showpref` command can be issued to ensure that the notions were correctly added. + +It is now possible to continue following the Keyoxide guide and upload the key to WKD or to keys.openpgp.org. + # SSH [gpg-agent](https://wiki.archlinux.org/index.php/GnuPG#SSH_agent) supports the OpenSSH ssh-agent protocol (`enable-ssh-support`), as well as Putty's Pageant on Windows (`enable-putty-support`). This means it can be used instead of the traditional ssh-agent / pageant. There are some differences from ssh-agent, notably that gpg-agent does not _cache_ keys rather it converts, encrypts and stores them - persistently - as GPG keys and then makes them available to ssh clients. Any existing ssh private keys that you'd like to keep in `gpg-agent` should be deleted after they've been imported to the GPG agent.
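Review bot: the markdown in the new "Adding notations" section is malformed in the paragraph about the Keyoxide guides: `page __up until the notation is saved using the `save` command`.` opens a `__` emphasis span that is never closed and ends with a stray backtick after `command`, so the rendered README will emphasise the remainder of the paragraph; suggest `... ["Guides"](https://keyoxide.org/guides/) page, up until the notation is saved using the `save` command.` Two wording slips in the same hunk: "Notations can be added to users ID(s)" should read "user ID(s)", and the N.B. line says "ensure that the notions were correctly added" where "notations" is meant. One point of substance worth a sentence: the procedure exports only the public key (`gpg --export $KEYID > pubkey.gpg`) and imports it on the daily-use machine, which works because the notation is a new self-signature on the user ID and `gpg --import` merges that signature into the key already present there; saying so explicitly would reassure readers that the key transfer steps (4, 5 and 6) referenced in the preceding paragraph do not need to be repeated, and that `$KEYID` must be set in the setup environment shell as in the earlier sections.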