gnugp

由 datahunter 在二, 06/12/2011 - 21:08 發表

指令

最後更新: 2017-01-24

有關檔案
常用選項
使用過程
Get Local KeyID
Delete Key
Export / Import
廢棄證書
上載 Key 到 KeyServer
在 Server 上找別人的 Key
把自己的 Public Key 比別人
簽名與鑑定
檔案的加密與解密
web of trust
應用: 在 Mutt 中使用 GnuPG
Trust code
PGP public key server
應用: Thunderbird - Enigmail
Verify Package

介紹

Gpg4Win <= 2.1.0 passphrase does not work in a non-English "Language"

有關檔案:

secret keys: secring.gpg
public keys: pubring.gpg
trust database:: trustdb.gpg
GnuPG configuration: gpg.conf

一般選項:

-v, --verbose verbose
-n, --dry-run do not make any changes

常用選項:

-k, --list-keys
-K, --list-secret-keys
--gen-key
--fingerprint
--delete-secret-keys
--delete-keys
--import
--export
--export-secret-keys

使用過程

# 建立 Key:

gpg --gen-key

"Name (Comment) <E-Mail>"

# 過程:

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection?                                    <-- 按 Enter
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)                   <-- 按 Enter
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0)                                  <-- 按 Enter
Key does not expire at all
Is this correct? (y/N) y                               <-- 按 y

GnuPG needs to construct a user ID to identify your key.
   
   
Real name: ???
Email address: ???@gmail.com
Comment:
You selected this USER-ID:
    "??? <???@gmail.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o   <-- 按 o
You need a Passphrase to protect your secret key.

# M$ 的 key 位置:

C:\Users\admin\AppData\Roaming\gnupg

# 清空它後, 可以用用 -k 及 -K 建立它

c:\e-mail_key>gpg -k

gpg: keyring `C:/Users/admin/AppData/Roaming/gnupg/pubring.gpg' created
gpg: C:/Users/admin/AppData/Roaming/gnupg/trustdb.gpg: trustdb created

c:\e-mail_key>gpg -K

gpg: keyring `C:/Users/admin/AppData/Roaming/gnupg/secring.gpg' created

Get Local KeyID

查看有什麼 Public Key:

gpg --list-keys [e-mail] <--- gpg -k

----------------------------------------------
pub   2048R/7CE3826E 2011-12-01 [expires: 2016-11-29]
uid                  ??? <???@yourdomain>
sub   2048R/927D9534 2011-12-01 [expires: 2016-11-29]

pub   2048R/BB840272 2012-10-22
uid                  ??? <???@gmail.com>
sub   2048R/0E142A39 2012-10-22

gpg --list-sigs

與 --list-keys 差不多, 多了 signatures

"L" for a local or non-exportable signature

"1-9" signature levels

gpg --check-sigs

pub   2048R/6F4131E7 2012-10-22
uid                  ??? <???@gmail.com>
sig!3        6F4131E7 2012-10-22  ??? <???@gmail.com>
sub   2048R/52338882 2012-10-22
sig!         6F4131E7 2012-10-22  ??? <???@gmail.com>

與 --list-sigs 差不多, 多了 verify

"!" successfully verified
"-" bad signature
"%" error occurred

查看所有 private key:

gpg --list-secret-keys <--- -K

C:/Users/admin/AppData/Roaming/gnupg/secring.gpg
----------------------------------------------
sec   2048R/BB840272 2012-10-22
uid                  Tim.Lau <???@gmail.com>
ssb   2048R/0E142A39 2012-10-22

fingerprint

gpg --fingerprint

----------------------------------------------
pub   2048R/7CE3826E 2011-12-01 [expires: 2016-11-29]
      Key fingerprint = 0BF0 A6AD CCAA FE7A 0225  11A3 6833 F82B 7CE3 826E
uid                  ??? <???@yourdomain>
sub   2048R/927D9534 2011-12-01 [expires: 2016-11-29]

pub   2048R/BB840272 2012-10-22
      Key fingerprint = CE72 DA62 F5C5 F1CF ADCA  18BB 2F81 4FEE BB84 0272
uid                  ??? <???@gmail.com>
sub   2048R/0E142A39 2012-10-22

Delete Key

# Private:

gpg --delete-secret-keys 7CE3826E

Delete this key from the keyring? (y/N) y
This is a secret key! - really delete? (y/N) y

# Public:

gpg --delete-keys 7CE3826E

Delete this key from the keyring? (y/N) y

# 一次過 Delete Pri & Pub key:

--delete-secret-and-public-key name

Export / Import

ASCII格式:

gpg -a --export BB840272 <--- --armor

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2.0.17 (MingW32)
.....................................................
-----END PGP PUBLIC KEY BLOCK-----

二進制格式:

gpg -o key.bin --export BB840272 <--- --output FILE

Export Private Key:

gpg -a -o key.txt --export-secret-keys 6F4131E7

import all keyrings(public key):

gpg --import <keyring_files>

gpg: key BB840272: public key "??? <???@gmail.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)

# Import pub & pri

gpg --import key.txt

gpg: key 6F4131E7: secret key imported
gpg: key 6F4131E7: public key "??? <???@gmail.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
gpg:       secret keys read: 1
gpg:   secret keys imported: 1

廢棄證書

gpg --output revocation-certificate.asc --gen-revoke <KeyID>

報廢過程:

載入 revocation-certificate 到本地的 keyring

gpg --import revocation-certificate.asc

上載到 KeyServer

gpg --send-keys <ID>

Example:

gpg --output revocation-certificate.txt --gen-revoke 6F4131E7

sec  2048R/6F4131E7 2012-10-22 ??? <???@gmail.com>

Create a revocation certificate for this key? (y/N) y
Please select the reason for the revocation:
  0 = No reason specified
  1 = Key has been compromised
  2 = Key is superseded
  3 = Key is no longer used
  Q = Cancel
(Probably you want to select 1 here)
Your decision? 1
Enter an optional description; end it with an empty line:
>
Reason for revocation: Key has been compromised
(No description given)
Is this okay? (y/N) y
NOTE: This key is not protected!
ASCII armored output forced.
Revocation certificate created.

上載 Key 到 KeyServer

查看本機有的 Public Key 先:

gpg -k

pub   2048R/6F4131E7 2012-10-22
uid                  ??? <???@gmail.com>
sub   2048R/52338882 2012-10-22

上載它:

gpg --send-keys 0xKeyID

gpg --keyserver hkp://subkeys.pgp.net --send-keys <KeyID>

設定預設 KeyServer 的 configure

預設的穩定 keyserver 寫在 $HOME/.gnupg/gpg.conf

...........................
keyserver hkp://keys.gnupg.net
...........................

(只能指定一個 keyserver)

Centos6 default:

-rw-------. 1 root root 7856 Aug 13 15:33 gpg.conf

require-cross-certification
keyserver hkp://keys.gnupg.net

在 Server 上找別人的 Key

用 E-Mail 在 Server 上找某人的 Key:

gpg --keyserver hkp://subkeys.pgp.net --search-keys '???@gmail.com'

找不到 key:

gpg: searching for "'???@gmail.com'" from hkp server subkeys.pgp.net
gpg: key "'???@gmail.com'" not found on keyserver

當 key 存在:

gpg: searching for "'???@gmail.com'" from hkp server subkeys.pgp.net
(1)     Tim.Lau <???@gmail.com>
          2048 bit RSA key 6F4131E7, created: 2012-10-22
Keys 1-1 of 1 for "'???@gmail.com'".  Enter number(s), N)ext, or Q)uit > 1
gpg: requesting key 6F4131E7 from hkp server subkeys.pgp.net
gpg: key 6F4131E7: "Tim.Lau <???@gmail.com>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1

從 KeyServer 下載別人的 Key 回來:

gpg --recv-keys IDs

從 Server 下載 Local 有的 Key 回來:

gpg --refresh-keys

把自己的 Public Key 比別人

建立有你 fingerprint, type, size 的紙條

gpg-key2ps

確認對方的公匙

gpg --fingerprint < UID >

導入對方的公匙

gpg --import < filename >

簽名與鑑定

簽名:

gpg [-o filename.gpg] -s filename # (簽名+內容)

gpg -b filename # (簽名, 內容)

生成的簽名檔案有兩類及兩種保存方式

簽名, 內容 (-b)

.sig (default)
.asc (-b -a)

簽名+內容 (default)

asc - ASCII file (-a)
gpg - binary (default)

鑑定:

gpg --verify filename.sig [filename]

i.e.

gpg --verify dovecot-2.1.17.tar.gz.sig

The output should say "Good signature":

gpg: Signature made Thu 27 Jun 2013 03:05:07 AM HKT using DSA key ID 40558AC9
gpg: Good signature from "Timo Sirainen <tss@iki.fi>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: E643 F0BD FDCD 04D9 FFCB  6279 C948 5251 4055 8AC9

那 WARNING 的意思是 "none of those people have also signed your key."

--sign | -s

--armor | -a

--output | -o

--recipient | -r

--detach-sign | -b

檔案的加密與解密:

加密:

gpg -r < 對方的E-Mail > -e <file>

解密:

gpg -d < file >

-e, --encrypt

-d, --decrypt

-r, --recipient

web of trust

簽名的目的是證明您完全信任這個證書的合法性

gpg --sign-key < UID > // Signs a public key with your secret key.

gpg --check-sigs < UID >

If your friend Bob already has a trusted key from Alice, then Bob can certify the integrity of that key for you. He can do this by giving you a signed copy of Alice's key. If you trust Bob to sign public keys only when he is absolutely confident of their authenticity, you can then gain trust in Alice's key even if you can't obtain it from her in person.

To sign a public key

gpg --sign-key <name>

如果別人已把金鑰上傳到 key server ，您可以從 key server 下載您的新金鑰

gpg --keyserver wwwkeys.uk.pgp.net --recv-keys your_keyid

"local" signatures. (--lsign-key)

A local signature is one that cannot be exported together with the public key to which it applies.

This prevents your signature from being propagated if you send a copy of the signed key to anyone else.

應用: 在 Mutt 中使用 GnuPG

在 ~/.muttrc 中加入下列的內容，則如果你在 index 選單中輸入 `S' 的話，將會自動啟動一個低速的 GnuPG。

macro index S ":toggle pgp_verify_sig\n"
set pgp_verify_sig=no

在 Vim 中使用 GnuPG

將 examples subdirectory 中的 _vimrc 文件的內容加到 ~/.vimrc 就可以自然的執行 GnuPG.

Trust code:

- No ownertrust assigned / not yet calculated.
e 計算信任度失敗。
q 計算所需的資訊不足。
n 永不信任這把 key。
m Marginally trusted.
f 完全信任 (Fully trusted)。
u 極度信任 (Ultimately trusted)。

PGP public key server

wwwkeys.pgp.net
wwwkeys.uk.pgp.net
subkeys.pgp.net

應用: Thunderbird - Enigmail

http://www.enigmail.net/home/index.php

收件設定: Decryt & Verify

寄件設定:

信任對方的 Key:

<MIME Header>

PGP/MIME is a standard defined in RFC 3156 (inline-PGP standard)

當別人的 E-Mail Client 無 GPG 功能時, 那"簽名"就會以附件形式存在: signature.asc

內容則是 html 形式存在

已知支援的 Client: 2014-02-20

(Apple Mail, Becky, Evolution, KMail, Mulberry, Sylpheed and The Bat!.)

不用 MIME 的 Mail:

當格式是 HTML 時, 就會有 Warning

Mail 的 Source 內容:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
test
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/
 
iQEcBAEBAgAGBQJQjSNoAAoJEMNEx0ZvQTHnoYcIAL82miLiUo2n/Yj+rflVtMLd
................................................................
-----END PGP SIGNATURE-----

用 MIME 的 Mail Source:

Content-Type: multipart/signed; micalg=pgp-sha1;
 protocol="application/pgp-signature";
 boundary="------------enigC43BDF83D84A140632D2F633"

This is an OpenPGP/MIME signed message (RFC 2440 and 3156)
--------------enigC43BDF83D84A140632D2F633
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

testing


--------------enigC43BDF83D84A140632D2F633
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iQEcBAEBAgAGBQJQjRzyAAoJEMNEx0ZvQTHnRQIIAIMzAGC1+50h+mVdrdnWCrhB
..............................................................
-----END PGP SIGNATURE-----

--------------enigC43BDF83D84A140632D2F633--

指明自己是用那個 keyserver

Advanced -> Send 'OpenPGP' Header -> Send URL for key retrieval

# OpenPGP: url=pool.sks-keyservers.net

Verify Package

# Verify Package by ".asc" file

gpg --verify rsync-3.1.2.tar.gz.asc rsync-3.1.2.tar.gz

gpg: Signature made Tue 22 Dec 2015 04:25:56 AM HKT using DSA key ID 4B96A8C5
gpg: Can't check signature: No public key

# tar.gz 與 tar.gz.asc 不在用一目錄時

gpg --verify rsync-3.1.2.tar.gz.asc

gpg: no signed data

gpg: can't hash datafile: No data

# Get Public Key & Verify

gpg --recv-keys 4B96A8C5

gpg: requesting key 4B96A8C5 from hkp server keys.gnupg.net
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 4B96A8C5: public key "Wayne Davison <wayned@users.sourceforge.net>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1