My GnuPG Configuration
Since there is a comment for nearly every option I've set, I won't go into much detail here. The GnuPG documentation and the manpage provide more information.
The configuration for GnuPG is spread across three files, one for each component.
gpg.conf
#
# This is an implementation of the Riseup OpenPGP Best Practices
# https://help.riseup.net/en/security/message-security/openpgp/best-practices
#
#-----------------------------
# Default key
#-----------------------------
# The default key to sign with. If this option is not used, the default key is
# the first key found in the secret keyring.
default-key <FINGERPRINT>
#-----------------------------
# Behavior
#-----------------------------
# Disable inclusion of the version string in ASCII armored output.
no-emit-version
# Disable comment string in clear text signatures and ASCII armored messages.
no-comments
# Display long key IDs.
keyid-format 0xlong
# List all keys (or the specified ones) along with their fingerprints.
with-fingerprint
# Display the calculated validity of user IDs during key listings.
list-options show-uid-validity
verify-options show-uid-validity
# Try to use the GnuPG-Agent. With this option, GnuPG first tries to connect to
# the agent before it asks for a passphrase.
use-agent
# Use UTF-8 character encoding.
display-charset utf-8
utf8-strings
#-----------------------------
# Keyserver
#-----------------------------
# This is the server that --recv-keys, --send-keys, and --search-keys will
# communicate with to receive keys from, send keys to, and search for keys on.
keyserver hkps://keys.openpgp.org
# When using --refresh-keys, if the key in question has a preferred keyserver
# URL, then disable use of that preferred keyserver to refresh the key from.
keyserver-options no-honor-keyserver-url
# When searching for a key with --search-keys, include keys that are marked on
# the keyserver as revoked.
keyserver-options include-revoked
#-----------------------------
# Algorithm and ciphers
#-----------------------------
# List of personal cipher preferences. When multiple ciphers are supported by
# all recipients, choose the strongest one.
personal-cipher-preferences AES256 AES192 AES CAST5
# List of personal digest preferences. When multiple digests are supported by
# all recipients, choose the strongest one.
personal-digest-preferences SHA512 SHA384 SHA256 SHA224
# Message digest algorithm used when signing a key.
cert-digest-algo SHA512
# The cipher algorithm for symmetric encryption with a passphrase.
s2k-cipher-algo AES256
# The digest algorithm used to mangle the passphrases for symmetric encryption.
s2k-digest-algo SHA512
# Treat the specified digest algorithm as weak. Signatures made over weak
# digest algorithms are normally rejected.
weak-digest SHA1
# Never allow the use of 3DES as a cipher algorithm.
disable-cipher-algo 3DES
# This preference list is used for new keys and becomes the default for
# "setpref" in the edit menu.
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
gpg-agent.conf
# Program used for entering the PIN.
pinentry-program /usr/local/bin/pinentry-mac
# Enable OpenSSH Agent (ssh-agent) protocol support.
enable-ssh-support
# Set number of seconds for which cache entries are valid.
default-cache-ttl 300
default-cache-ttl-ssh 300
max-cache-ttl 900
max-cache-ttl-ssh 900
dirmngr.conf
keyserver hkps://keys.openpgp.org
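A quick way to check that an existing gpg.conf carries the algorithm settings from the gpg.conf above. This is an added example, not part of the original configuration: the `WEAK` set, the function names and both sample inputs are assumptions constructed for illustration.

```python
# Added example: lint a gpg.conf for the algorithm-hardening options shown above.
# Assumption: WEAK is this example's own list (SHA1 and 3DES, which the page's
# config rejects, plus MD5).
WEAK = {"MD5", "SHA1", "3DES"}
# Options whose value is a single algorithm or a preference list.
ALGO_OPTS = ("personal-cipher-preferences", "personal-digest-preferences",
             "default-preference-list", "cert-digest-algo",
             "s2k-cipher-algo", "s2k-digest-algo")
# Directives from the page that should be present with these values.
REQUIRED = (("weak-digest", "SHA1"), ("disable-cipher-algo", "3DES"))


def parse(text):
    """Return {option: [value, ...]}; an option may appear on several lines."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # skip blanks and comment lines
            continue
        parts = line.split(None, 1)            # option name, then its arguments
        opts.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")
    return opts


def audit(text):
    """Return a list of findings; an empty list means the checks passed."""
    opts, findings = parse(text), []
    for opt in ALGO_OPTS:
        for value in opts.get(opt, []):
            for algo in value.upper().split():
                if algo in WEAK:
                    findings.append(f"{opt}: weak algorithm {algo}")
    for opt, want in REQUIRED:
        if want not in {v.upper() for v in opts.get(opt, [])}:
            findings.append(f"missing: {opt} {want}")
    return findings


# Constructed sample: the algorithm section of the gpg.conf above.
HARDENED = """personal-cipher-preferences AES256 AES192 AES CAST5
personal-digest-preferences SHA512 SHA384 SHA256 SHA224
cert-digest-algo SHA512
s2k-cipher-algo AES256
s2k-digest-algo SHA512
weak-digest SHA1
disable-cipher-algo 3DES
"""
# Constructed sample: a legacy-style config that the checks should flag.
LEGACY = """# constructed legacy config
personal-cipher-preferences AES256 3DES
personal-digest-preferences SHA256 SHA1
cert-digest-algo SHA1
weak-digest MD5
"""

if __name__ == "__main__":
    for name, conf in (("hardened", HARDENED), ("legacy", LEGACY)):
        print(name, audit(conf) or "ok")
```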