最後更新: 2020-07-08
目錄
- 有關檔案
- 常用選項
- 使用過程
- Get Local KeyID
- Display key details without importing it
- Delete Key
- Export / Import
- 廢棄證書
- Public Key Server
- 上載 Key 到 KeyServer
- 在 Server 上找別人的 Key
- 把自己的 Public Key 比別人
- 簽名與鑑定
- 檔案的加密與解密
- Web of Trust
- 應用: 在 Mutt 中使用 GnuPG
- Trust code
- gpg4win
- 應用: Verify Package
- cross-certify
- 應用: Thunderbird - Enigmail
- 應用: 獲得 MariaDB 的 Key
有關檔案
- secret keys: secring.gpg
- public keys: pubring.gpg
- trust database:: trustdb.gpg
- GnuPG configuration: gpg.conf
一般選項
- -v, --verbose verbose
- -n, --dry-run do not make any changes
常用選項
- -k, --list-keys
- -K, --list-secret-keys
- --gen-key
- --fingerprint
- --delete-secret-keys
- --delete-keys
- --import
- --export
- --export-secret-keys
建立 Private Key
建立 Secret Key:
gpg --gen-key
"Name (Comment) <E-Mail>"
過程:
Please select what kind of key you want: (1) RSA and RSA (default) (2) DSA and Elgamal (3) DSA (sign only) (4) RSA (sign only) Your selection? <-- 按 Enter RSA keys may be between 1024 and 4096 bits long. What keysize do you want? (2048) <-- 按 Enter Requested keysize is 2048 bits Please specify how long the key should be valid. 0 = key does not expire <n> = key expires in n days <n>w = key expires in n weeks <n>m = key expires in n months <n>y = key expires in n years Key is valid for? (0) <-- 按 Enter Key does not expire at all Is this correct? (y/N) y <-- 按 y GnuPG needs to construct a user ID to identify your key. Real name: ??? Email address: [email protected] Comment: You selected this USER-ID: "??? <[email protected]>" Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o <-- 按 o You need a Passphrase to protect your secret key.
Key 在 M$ 的位置:
C:\Users\admin\AppData\Roaming\gnupg
清空它後, 可以用 -k 及 -K 建立它
# -k, --list-keys
c:\e-mail_key>gpg -k
gpg: keyring `C:/Users/admin/AppData/Roaming/gnupg/pubring.gpg' created
gpg: C:/Users/admin/AppData/Roaming/gnupg/trustdb.gpg: trustdb created
# -K, --list-secret-keys
c:\e-mail_key>gpg -K
gpg: keyring `C:/Users/admin/AppData/Roaming/gnupg/secring.gpg' created
Key Format (short, long, full)
short form: 0xC74CD1D8
long form: 0xF1656F24C74CD1D8
full fingerprint: 177F 4010 FE56 CA33 3630 0305 F165 6F24 C74C D1D8
Key Content
# 匯出 keybox 某 key (/root/.gnupg/pubring.kbx)
gpg --export --armour 1BB943DB > mariadb-signing-key.asc
-----BEGIN PGP PUBLIC KEY BLOCK----- ... -----END PGP PUBLIC KEY BLOCK-----
Get Local KeyID
查看有什麼 Public Key:
gpg --list-keys [e-mail] # 相當於 "gpg -k"
gpg --list-keys [public_key]
/root/.gnupg/pubring.kbx ------------------------ pub rsa4096 2014-01-11 [SC] E7FB0CAEC8173D669066514CBAEFF88C22F6E216 # RSA key uid [ unknown] LXC pre-built images <[email protected]>
gpg --list-sigs
# 與 --list-keys 差不多, 多了 signatures
/root/.gnupg/pubring.kbx ------------------------ pub rsa4096 2014-01-11 [SC] E7FB0CAEC8173D669066514CBAEFF88C22F6E216 uid [ unknown] LXC pre-built images <[email protected]> sig 3 BAEFF88C22F6E216 2014-01-11 LXC pre-built images <[email protected]>
"1-9" signature levels
gpg --check-sigs
/root/.gnupg/pubring.kbx ------------------------ pub rsa4096 2014-01-11 [SC] E7FB0CAEC8173D669066514CBAEFF88C22F6E216 uid [ unknown] LXC pre-built images <[email protected]> sig!3 BAEFF88C22F6E216 2014-01-11 LXC pre-built images <[email protected]> gpg: 1 good signature
與 --list-sigs 差不多, 多了 verify
- "!" successfully verified
- "-" bad signature
- "%" error occurred
Key 的功能
pub rsa4096 2014-01-11 [SC]
- S -> for signing
- E -> for encrypting
- C -> Certify: sign a key
- A -> authentication (用來認證登入 i.e. ssh key)
Certify
It means that the owner of that key has the authority to verify the authenticity and integrity of other keys
This helps establish a chain of trust within the PKI system
查看 public key 的 fingerprint
# 與 "--list-keys" 差不多, 只係 RSA 會每 4 個字母一組
gpg --fingerprint
/root/.gnupg/pubring.kbx ------------------------ pub rsa4096 2014-01-11 [SC] E7FB 0CAE C817 3D66 9066 514C BAEF F88C 22F6 E216 uid [ unknown] LXC pre-built images <[email protected]>
查看所有 private key:
gpg --list-secret-keys <--- gpg -K
C:/Users/admin/AppData/Roaming/gnupg/secring.gpg ---------------------------------------------- sec 2048R/BB840272 2012-10-22 uid Tim.Lau <[email protected]> ssb 2048R/0E142A39 2012-10-22
Display key details without importing it
gpg --show-keys [--with-fingerprint] <filename>
gpg --show-keys MariaDB-Server-GPG-KEY pub dsa1024 2010-02-02 [SC] 199369E5404BD5FC7D2FE43BCBCB082A1BB943DB uid MariaDB Package Signing Key <[email protected]> sub elg4096 2010-02-02 [E]
pub dsa1024 2010-02-02 [SC]
1993 69E5 404B D5FC 7D2F E43B CBCB 082A 1BB9 43DB
uid MariaDB Package Signing Key <[email protected]>
sub elg4096 2010-02-02 [E]
Delete Key
Private:
gpg --delete-secret-keys 7CE3826E
Delete this key from the keyring? (y/N) y This is a secret key! - really delete? (y/N) y
Public:
gpg --delete-keys 7CE3826E
Delete this key from the keyring? (y/N) y
一次過 Delete Pri & Pub key:
--delete-secret-and-public-key name
Export / Import Key
ASCII 格式 export public key:
gpg -a --export BB840272 # -a = --armor
-----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v2.0.17 (MingW32) ..................................................... -----END PGP PUBLIC KEY BLOCK-----
二進制格式:
gpg -o key.bin --export BB840272 # -o = --output FILE
Export Private Key:
gpg -a -o key.txt --export-secret-keys 6F4131E7
Import Public key:
gpg --import <keyring_files>
i.e.
gpg --verify burp-2.2.18.tar.bz2.asc
gpg: assuming signed data in 'burp-2.2.18.tar.bz2'
gpg: Signature made Sun 24 Feb 2019 12:51:39 PM HKT
gpg: using RSA key 28386B441AB24FD49766FBF73A68D2214C21357C
gpg: Can't check signature: No public key
wget https://burp.grke.org/downloads/grke.gpg
gpg --import grke.gpg
gpg: starting migration from earlier GnuPG versions gpg: porting secret keys from '/root/.gnupg/secring.gpg' to gpg-agent gpg: migration succeeded gpg: key 3A68D2214C21357C: public key "Graham Keeling <[email protected]>" imported gpg: Total number processed: 1 gpg: imported: 1
gpg --verify burp-2.2.18.tar.bz2.asc
gpg: assuming signed data in 'burp-2.2.18.tar.bz2' gpg: Signature made Sun 24 Feb 2019 12:51:39 PM HKT gpg: using RSA key 28386B441AB24FD49766FBF73A68D2214C21357C gpg: Good signature from "Graham Keeling <[email protected]>" [unknown] gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 2838 6B44 1AB2 4FD4 9766 FBF7 3A68 D221 4C21 357C
Config Files
Lists the directories used by gpgconf
gpgconf --list-dirs
sysconfdir:/etc/gnupg ... homedir:/root/.gnupg
Global Config
/etc/gnupg/gpg.conf
Per User Config
~/.gnupg/gpg.conf
廢棄證書
gpg --output revocation-certificate.asc --gen-revoke <KeyID>
報廢過程:
載入 revocation-certificate 到本地的 keyring
gpg --import revocation-certificate.asc
上載到 KeyServer
gpg --send-keys <ID>
Example:
gpg --output revocation-certificate.txt --gen-revoke 6F4131E7
sec 2048R/6F4131E7 2012-10-22 ??? <[email protected]> Create a revocation certificate for this key? (y/N) y Please select the reason for the revocation: 0 = No reason specified 1 = Key has been compromised 2 = Key is superseded 3 = Key is no longer used Q = Cancel (Probably you want to select 1 here) Your decision? 1 Enter an optional description; end it with an empty line: > Reason for revocation: Key has been compromised (No description given) Is this okay? (y/N) y NOTE: This key is not protected! ASCII armored output forced. Revocation certificate created.
Public Key Server
- keyserver.ubuntu.com
- keyring.debian.org
- keys.openpgp.org
- pgp.mit.edu
指定用那 key server
i.e.
CLI:
--keyserver keyserver.ubuntu.com
Config:
~/.gnupg/gpg.conf
keyserver hkps://keyserver.ubuntu.com
上載 Public Key 到 KeyServer
[1] 查看本機有的 Public Key:
gpg -k
/root/.gnupg/pubring.kbx ------------------------ pub rsa4096 2014-01-11 [SC] E7FB0CAEC8173D669066514CBAEFF88C22F6E216 uid [ unknown] LXC pre-built images <[email protected]>
[2] 上載它到 Server:
gpg --send-keys 0xKeyID
OR
gpg --keyserver hkp://subkeys.pgp.net --send-keys <KeyID>
設定預設 KeyServer
預設的穩定 keyserver 寫在 $HOME/.gnupg/gpg.conf
... keyserver pool.sks-keyservers.net ...
* 只能指定一個 keyserver
* "pool.sks-keyservers.net" 好多時無反應, 可嘗試轉用 "keyserver.ubuntu.com"
Environment Variable
DOWNLOAD_KEYSERVER
i.e.
DOWNLOAD_KEYSERVER="pgp.mit.edu" lxc-create -t download ...
Centos 6 Default:
-rw-------. 1 root root 7856 Aug 13 15:33 gpg.conf
gpg.conf
require-cross-certification keyserver hkp://keys.gnupg.net
在 Server 上找別人的 Key
用 E-Mail 在 Server 上找某人的 Key:
gpg --keyserver hkp://subkeys.pgp.net --search-keys '[email protected]'
找不到 key:
gpg: searching for "'[email protected]'" from hkp server subkeys.pgp.net gpg: key "'[email protected]'" not found on keyserver
當 key 存在:
gpg: searching for "'[email protected]'" from hkp server subkeys.pgp.net (1) Tim.Lau <[email protected]> 2048 bit RSA key 6F4131E7, created: 2012-10-22 Keys 1-1 of 1 for "'[email protected]'". Enter number(s), N)ext, or Q)uit > 1 gpg: requesting key 6F4131E7 from hkp server subkeys.pgp.net gpg: key 6F4131E7: "Tim.Lau <[email protected]>" not changed gpg: Total number processed: 1 gpg: unchanged: 1
從 KeyServer 下載別人的 Key 回來:
gpg --recv-keys IDs
從 Server 更新 Local 有的 Key:
gpg --refresh-keys
把自己的 Public Key 比別人
建立有你 fingerprint, type, size 的紙條
gpg-key2ps
確認對方的公匙
gpg --fingerprint < UID >
導入對方的公匙
gpg --import < filename >
簽名與鑑定
# --detach-sign | -b
gpg -b filename # (簽名, 內容)在 2 個 File
# --sign | -s
gpg [-o filename.gpg] -s filename # (簽名+內容)在同一 File
生成的簽名檔案有兩類及 2 種保存方式
(1)簽名, 內容 (-b)
- .sig # Default
- .asc # -b -a
(2)簽名+內容 (default)
- gpg - binary # Default
- asc - ASCII file # -a
gpg --verify filename.sig [filename]
i.e.
gpg --verify dovecot-2.1.17.tar.gz.sig
The output should say "Good signature":
gpg: Signature made Thu 27 Jun 2013 03:05:07 AM HKT using DSA key ID 40558AC9 gpg: Good signature from "Timo Sirainen <[email protected]>" gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: E643 F0BD FDCD 04D9 FFCB 6279 C948 5251 4055 8AC9
- 那 WARNING 的意思是 "none of those people have also signed your key."
Summary
- --detach-sign | -b
- --sign | -s
- --armor | -a
- --output | -o
- --recipient | -r
檔案的加密與解密:
加密:
gpg -r < 對方的E-Mail > -e <file>
解密:
gpg -d < file >
-e, --encrypt
-d, --decrypt
-r, --recipient
Web of Trust
簽名的目的是證明您完全信任這個證書的合法性
# revsig revoke signatures on the selected user IDs
gpg --sign-key < UID > // Signs a public key with your secret key.
gpg --check-sigs < UID >
Your -T-> Alice -T-> Bob
If your friend Bob already has a trusted key from Alice, then Bob can certify the integrity of that key for you.
He can do this by giving you a signed copy of Alice's key.
If you trust Bob to sign public keys only when he is absolutely confident of their authenticity,
you can then gain trust in Alice's key even if you can't obtain it from her in person.
如果別人已把金鑰上傳到 key server, 您可以從 key server 下載您的新金鑰
gpg --keyserver wwwkeys.uk.pgp.net --recv-keys your_keyid
"local" signatures (--lsign-key)
A local signature is one that cannot be exported together with the public key to which it applies.
This prevents your signature from being propagated if you send a copy of the signed key to anyone else.
tsign
sign selected user IDs with a trust signature
nrsign
sign selected user IDs with a non-revocable signature
應用: 在 Mutt 中使用 GnuPG
在 ~/.muttrc 中加入下列的內容,則如果你在 index 選單中輸入 `S' 的話,將會自動啟動一個低速的 GnuPG。
macro index S ":toggle pgp_verify_sig\n"
set pgp_verify_sig=no
在 Vim 中使用 GnuPG
將 examples subdirectory 中的 _vimrc 文件的內容加到 ~/.vimrc 就可以自然的執行 GnuPG.
Trust code
- - No ownertrust assigned / not yet calculated.
- e 計算信任度失敗。
- q 計算所需的資訊不足。
- n 永不信任這把 key。
- m Marginally trusted.
- f 完全信任 (Fully trusted)。
- u 極度信任 (Ultimately trusted)。
Gpg4Win
Window 上的 opengpg
Download: https://www.gpg4win.de/download.html
Package
- gpg4win-light-2.3.4.exe @20191008
- gpg4win-3.1.10.exe @20191008
Remark
Gpg4Win <= 2.1.0 passphrase does not work in a non-English "Language"
light & vanilla
gpg4win-vanilla and gpg4win-light have been left on the now outdated and not maintained 2.0 gpg branch.
These packages have not been updated for more than a year and are potentially putting users of these at risk.
Verify Package
.asc file
-----BEGIN PGP SIGNATURE----- ... -----END PGP SIGNATURE-----
# Verify Package by ".asc" file
# .tar.gz 與 .tar.gz.asc 不在用一目錄時
gpg --verify rsync-3.1.2.tar.gz.asc rsync-3.1.2.tar.gz
gpg: Signature made Tue 22 Dec 2015 04:25:56 AM HKT using DSA key ID 4B96A8C5
gpg: Can't check signature: No public key
Remark1: 在同一目錄時
gpg --verify rsync-3.1.2.tar.gz.asc
Remark 2:
fingerprint
# Get Public Key & Verify
gpg --recv-keys 4B96A8C5
gpg: requesting key 4B96A8C5 from hkp server keys.gnupg.net gpg: /root/.gnupg/trustdb.gpg: trustdb created gpg: key 4B96A8C5: public key "Wayne Davison <[email protected]>" imported gpg: no ultimately trusted keys found gpg: Total number processed: 1 gpg: imported: 1
gpg --verify rsync-3.1.2.tar.gz.asc
gpg: Signature made Tue 22 Dec 2015 04:25:56 AM HKT using DSA key ID 4B96A8C5 gpg: Good signature from "Wayne Davison <[email protected]>" gpg: aka "Wayne Davison <[email protected]>" gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 0048 C8B0 26D4 C96F 0E58 9C2F 6C85 9FB1 4B96 A8C5
Warning
gpg: WARNING: This key is not certified with a trusted signature!
the key in your keyring & the signatures are valid, but either you have not marked the keys as trusted
=> no proof it belongs to whom it pretends to
=> Compare the fingerprints with those shown on business cards / homepage
How to trust an imported key
Trust level (當 fingerprint 對完 homeage 正確時)
Edit trust level of keys by running "gpg --edit-key", and then using the trust command.
i.e.
gpg --edit-key <fingerprint>
gpg> trust
... 1 = I don't know or won't say 2 = I do NOT trust 3 = I trust marginally 4 = I trust fully 5 = I trust ultimately m = back to the main menu
Your decision? 3
gpg> quit
Trust in a key's owner(1~5)
A key's trust level is something that you alone assign to the key,
and it is considered private information.
It is not packaged with the key when it is exported;
It is even stored separately from your keyrings in a separate database.
There are 4 trust levels:
unknown(1)
Nothing is known about the owner's judgement in key signing.
(Keys on your public keyring that you do not own initially have this trust level.)
none(2)
The owner is known to improperly sign other keys.
marginal(3)
The owner understands the implications of key signing and properly validates keys before signing them.
fully(4)
The owner has an excellent understanding of key signing,
and his signature on a key would be as good as your own.
Find out when it expires
# -k, --list-keys
gpg -k 4B96A8C5
pub 1024D/4B96A8C5 2003-12-19 uid Wayne Davison <[email protected]> uid Wayne Davison <[email protected]> sub 1024g/29C67D63 2003-12-19
Update Keys
gpg --refresh-keys
Key usage Flag
S -> for signing
E -> for encrypting
C -> Certification (Sign a key)
A -> Authentication (logging in)
D -> to indicate a disabled key
Defaults to no flag
Subkey Cross-certify
"Verifying a signature from someone" 出現 => "signing subkey is not cross-certified"
Reason
The signature that you verified has not been tampered with,
but might not have been issued by the person who sent it to you.
An OpenPGP key is made up of several keys:
- Primary key
- Subkeys
PriKey --> SubKey --> Package --> Verify /\ || Attacker: PriKey
Primary key
which is used to digitally sign things, and optionally, subkeys that can be used to sign or encrypt things.
To prove that the subkeys "belong" to the key and were not inserted by an attacker,
they are digitally signed by the primary key.
Most users use their primary key for signing, and a subkey for encryption,
and this is the default key style in both GnuPG and PGP.
Signing subkeys weakness
There is a subtle weakness in the OpenPGP design for signing subkeys.
Recall that subkeys are signed by the primary key to show they belong to the primary key.
However, the signing subkey does not sign the primary to show that it is owned by the primary.
This allows an attacker to take a signing subkey and attach it to their own key.
Subkey cross-certification
sometimes called "back signing". involves the subkey issuing a signature on the primary key,
just like the primary key signature on the subkey.
Fix
gpg --edit-key (yourkey)
then enter "cross-certify"
應用: Thunderbird - Enigmail
http://www.enigmail.net/home/index.php
收件設定: Decryt & Verify
寄件設定:
信任對方的 Key:
<MIME Header>
PGP/MIME is a standard defined in RFC 3156 (inline-PGP standard)
當別人的 E-Mail Client 無 GPG 功能時, 那"簽名"就會以附件形式存在: signature.asc
內容則是 html 形式存在
已知支援的 Client: 2014-02-20
(Apple Mail, Becky, Evolution, KMail, Mulberry, Sylpheed and The Bat!.)
不用 MIME 的 Mail:
當格式是 HTML 時, 就會有 Warning
Mail 的 Source 內容:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 test -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.17 (MingW32) Comment: Using GnuPG with Mozilla - http://www.enigmail.net/ iQEcBAEBAgAGBQJQjSNoAAoJEMNEx0ZvQTHnoYcIAL82miLiUo2n/Yj+rflVtMLd ................................................................ -----END PGP SIGNATURE-----
用 MIME 的 Mail Source:
Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="------------enigC43BDF83D84A140632D2F633" This is an OpenPGP/MIME signed message (RFC 2440 and 3156) --------------enigC43BDF83D84A140632D2F633 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable testing --------------enigC43BDF83D84A140632D2F633 Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.17 (MingW32) Comment: Using GnuPG with Mozilla - http://www.enigmail.net/ iQEcBAEBAgAGBQJQjRzyAAoJEMNEx0ZvQTHnRQIIAIMzAGC1+50h+mVdrdnWCrhB .............................................................. -----END PGP SIGNATURE----- --------------enigC43BDF83D84A140632D2F633--
指明自己是用那個 keyserver
Advanced -> Send 'OpenPGP' Header -> Send URL for key retrieval
# OpenPGP: url=pool.sks-keyservers.net
應用: 獲得 MariaDB 的 Key
gpg --keyserver hkp://pgp.mit.edu --recv-keys 1BB943DB
gpg: key 84DF8D521BB943DB: public key "Totally Legit Signing Key <[email protected]>" imported gpg: key CBCB082A1BB943DB: public key "MariaDB Package Signing Key <[email protected]>" imported gpg: Total number processed: 2 gpg: imported: 2
# 會 export 了 [email protected] 的 pubkey !!
gpg --export --armour 1BB943DB > mariadb-signing-key.asc
# import 了就出事 !!
rpm --import mariadb-signing-key.asc
Summary
官網例出 full key 很重要
1993 69E5 404B D5FC 7D2F E43B CBCB 082A 1BB9 43DB
建議
rpm --import https://supplychain.mariadb.com/MariaDB-Server-GPG-KEY