GnuPG,关联 GPG, OpenGPG, key management, key server, 私钥, 公钥, arch linux, manjaro, pacman

GnuPG,也被称为GPG, 是 OpenGPG 标准(RFC 4880,即 PGP)的完整免费实现。

安装:

1
sudo pacman -S gnupg

KDE 下安装图形前端:

1
2
3
4
# archlinux
sudo pacman -S kgpg
# ubuntu
sudo apt install kgpg

配置

默认存储配置的目录: ~/.gnupg ,这个目录权限一般是 700 ,其中文件的权限是 600

gpg 程序的配置文件: gpg.conf

gpg 程序是 GnuPG 主要入口。

用户的 gpg.conf 在 ~/.gnupg/gpg.conf
全局的 gpg.conf 在 /etc/gnupg/gpg.conf

配置文件的语法: gpg 命令的参数,去掉 -- 可写入配置文件中,每行一个参数

例如,命令 gpg --no-default-keyring --keyring keyring-path ...

对应配置文件的例子:

1
2
no-default-keyring
keyring keyring-path

dirmngr 程序的配置文件: dirmngr.conf

dirmngr 是一个内部程序,被 gpg 调用来访问 keyserver。

用户的 dirmngr.conf 在 ~/.gnupg/dirmngr.conf
全局的 dirmngr.conf 在 /etc/gnupg/dirmngr.conf

pacman

pacman uses a different set of configuration files for package signature verification.

参考 : pacman/Package signing

使用

Create a key pair

1
gpg --full-gen-key
  • 默认使用 RSA 加密
  • 默认 key 大小为 3072
  • key 有效期一般设置为一年,后期可续期,不用重新生成key。
  • 不用设置comment,这个功能据说有问题。
  • nameemail,是公共信息,任何后面导入 key 的用户都能看见。
  • --gen-key 参数,只需要输入 nameemail,其他都是默认值。

List keys

1
2
3
4
5
# To list keys in your public key ring:
$ gpg --list-keys

# To list keys in your secret key ring:
$ gpg --list-secret-keys

Export your public key

To generate an ASCII version of a user’s public key to file public-key.asc (e.g. to distribute it by e-mail):

1
$ gpg --export --armor --output public-key.asc user-id
  • Add --no-emit-version to avoid printing the version number, or add the corresponding setting to your configuration file.
  • You can omit the user-id to export all public keys within your keyring. This is useful if you want to share multiple identities at once, or for importing in another application, e.g. Thunderbird.

Import a public key

In order to encrypt messages to others, as well as verify their signatures, you need their public key.

使用 gpg --import 命令或者 keyserver 来导入公钥。

1
2
3
To import a public key with file name public.key to your public key ring:

$ gpg --import public-key.asc

arch-linux pacman包需要导入 key ID,参见:

keyserver

发布公钥

1
gpg --send-keys key-id

搜索公钥

1
gpg --search-keys user-id

To import a key from a key server:

1
gpg --recv-keys key-id

auto-key-retrieve 添加到 GPG 的配置文件,将会在需要时候,自动下载公钥。

key servers

有名的 keyserver:

更多的key server , 参见: https://en.wikipedia.org/wiki/Key_server_(cryptographic)#Keyserver_examples

设置 key server

配置文件设置:

~/.gnupg/dirmngr.conf

1
keyserver hkp://keyserver.ubuntu.com

命令中临时指定:

1
gpg --keyserver hkps://keys.openpgp.org/ --search-keys user-id

当前使用的 key server

参考:

有名的 key server 之间会相互同步公钥,所以其实使用哪个都差不多,除了网速上可能有不同。

要知道默认使用的什么 key server ,可以 search key 看下,例如:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
# 到pacman缓存的包文件找个签名,看下包签名的key id
cd /var/cache/pacman/pkg

gpg --verify zxing-cpp-1.4.0-1-x86_64.pkg.tar.zst.sig 
gpg: 假定被签名的数据在‘zxing-cpp-1.4.0-1-x86_64.pkg.tar.zst’
gpg: 签名建立于 Fri 08 Jul 2022 03:50:49 AM CST
gpg:               使用 RSA 密钥 1519D5ABA65BF6FC2B73C7567A4E76095D8A52E4
gpg: 无法检查签名:缺少公钥

gpg -v --search-keys 1519D5ABA65BF6FC2B73C7567A4E76095D8A52E4
gpg: data source: https://162.213.33.9:443
(1)     Antonio Rojas <arojas@archlinux.org>
        Antonio Rojas <nqn76sw@gmail.com>
        Antonio Rojas <nqn1976@gmail.com>
        Antonio Rojas <arojas@us.es>
          4096 bit RSA key 4AC5588F941C2A25, 创建于:2014-10-21

# 看下这个服务器域名,原来就是 keyserver.ubuntu.com
host 162.213.33.9
9.33.213.162.in-addr.arpa domain name pointer keyserver.ubuntu.com.

下载并设置信任,解决verify之”Can’t check signature: No public key”

1
2
3
4
5
6
# 防止443端口有问题,从80端口下载
sudo gpg --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 2B2458BF

gpg --edit-key 2B2458BF
# 进入编辑状态,输入 trust 命令,选择 'I trust ultimately'
# 在 verify 就不会报 No Public key

tips

  • If receiving fails with the message gpg: keyserver receive failed: General error, and you use the default hkps keyserver pool, make sure set the HKPS pool verification certificate with hkp-cacert /usr/share/gnupg/sks-keyservers.netCA.pem in your dirmngr.conf and kill the old dirmngr process.

  • If receiving fails with the message gpg: keyserver receive failed: Connection refused, try using a different DNS server.

  • You can connect to the keyserver over Tor with Tor#Torsocks. Or using the --use-tor command line option.

  • You can connect to a keyserver using a proxy by setting the http_proxy environment variable and setting honor-http-proxy in dirmngr.conf. Alternatively, set http-proxy host[:port] in the configuration file to override the environment variable of the same name. Restart the dirmngr.service user service for the changes to take effect.

Web Key Directory

The Web Key Service (WKS) 是一个key分发的新标准,根据email 的 domain 确定的 key server,称为 Web Key Directory(WKD)。

When encrypting to an email address (e.g. user@example.com), GnuPG (>=2.1.16) will query the domain (example.com) via HTTPS for the public OpenPGP key if it is not already in the local keyring.

The option auto-key-locate will locate a key using the WKD protocol if there is no key on the local keyring for this email address.

1
gpg --recipient user@example.org --auto-key-locate --encrypt doc

To check if your key can be found in the WKD you can use this webinterface.

Key 维护

备份私钥

备份

1
gpg --export-secret-keys --armor --output private-key.asc user-id

导入

1
gpg --import private-key.asc

pacman 包的签名和认证

/etc/pacman.conf 配置文件中有定义包签名认证的相关安全选项:

  • SigLevel 选项

决定 pacman -S 安装软件时,认证的强度(the level of trust)。

The SigLevel directive is valid in both the [options] and repository sections.

If used in [options], it sets a default value for any repository that does not provide the setting.

  • If set to Never, no signature checking will take place.
  • If set to Optional , signatures will be checked when present, but unsigned databases and packages will also be accepted.
  • If set to Required, signatures will be required on all packages and databases.

When to Check

These options control if and when signature checks should take place.
Never

All signature checking is suppressed, even if signatures are present.

Optional (default)

Signatures are checked if present; absence of a signature is not an error. An invalid signature is a fatal error, as is a signature from a key not in the keyring.

Required

Signatures are required; absence of a signature or an invalid signature is a fatal error, as is a signature from a key not in the keyring.

What is Allowed

These options control what signatures are viewed as permissible. Note that neither of these options allows acceptance of invalid or expired signatures, or those from revoked keys.

TrustedOnly (default)

If a signature is checked, it must be in the keyring and fully trusted; marginal trust does not meet this criteria.

TrustAll

If a signature is checked, it must be in the keyring, but is not required to be assigned a trust level (e.g., unknown or marginal trust).

Options in both groups can additionally be prefixed with either Package or Database, which will cause it to only take effect on the specified object type. For example, PackageTrustAll would allow marginal and unknown trust level signatures for packages.