diff --git a/modules/programs/gpg.nix b/modules/programs/gpg.nix
index 4588c59c8..1c77d871e 100644
--- a/modules/programs/gpg.nix
+++ b/modules/programs/gpg.nix
@@ -5,25 +5,30 @@ with lib;
 let
   cfg = config.programs.gpg;
 
-  cfgText =
-    concatStringsSep "\n"
-    (attrValues
-    (mapAttrs (key: value:
-      if isString value
-      then "${key} ${value}"
-      else optionalString value key)
-    cfg.settings));
+  mkKeyValue = key: value:
+    if isString value
+    then "${key} ${value}"
+    else optionalString value key;
 
-in {
+  cfgText = generators.toKeyValue {
+    inherit mkKeyValue;
+    listsAsDuplicateKeys = true;
+  } cfg.settings;
+
+  primitiveType = types.oneOf [ types.str types.bool ];
+in
+{
   options.programs.gpg = {
     enable = mkEnableOption "GnuPG";
 
     settings = mkOption {
-      type = types.attrsOf (types.either types.str types.bool);
-      example = {
-        no-comments = false;
-        s2k-cipher-algo = "AES128";
-      };
+      type = types.attrsOf (types.either primitiveType (types.listOf types.str));
+      example = literalExample ''
+        {
+          no-comments = false;
+          s2k-cipher-algo = "AES128";
+        }
+      '';
       description = ''
         GnuPG configuration options. Available options are described
         in the gpg manpage:
diff --git a/tests/modules/programs/gpg/override-defaults-expected.conf b/tests/modules/programs/gpg/override-defaults-expected.conf
index 3198183f7..4b4f132d0 100644
--- a/tests/modules/programs/gpg/override-defaults-expected.conf
+++ b/tests/modules/programs/gpg/override-defaults-expected.conf
@@ -14,6 +14,8 @@ require-cross-certification
 s2k-cipher-algo AES128
 s2k-digest-algo SHA512
 throw-keyids
+trusted-key 0xXXXXXXXXXXXXX
+trusted-key 0xYYYYYYYYYYYYY
 use-agent
 verify-options show-uid-validity
-with-fingerprint
\ No newline at end of file
+with-fingerprint
diff --git a/tests/modules/programs/gpg/override-defaults.nix b/tests/modules/programs/gpg/override-defaults.nix
index 850334dc5..905b984c5 100644
--- a/tests/modules/programs/gpg/override-defaults.nix
+++ b/tests/modules/programs/gpg/override-defaults.nix
@@ -11,6 +11,10 @@ with lib;
         no-comments = false;
         s2k-cipher-algo = "AES128";
         throw-keyids = true;
+        trusted-key = [
+          "0xXXXXXXXXXXXXX"
+          "0xYYYYYYYYYYYYY"
+        ];
       };
     };