GnuPG,关联 GPG, OpenGPG, key management, key server, 私钥, 公钥, arch linux, manjaro, pacman
- 参考
GnuPG,也被称为GPG, 是 OpenGPG 标准(RFC 4880,即 PGP)的完整免费实现。
安装:
1 | sudo pacman -S gnupg |
KDE 下安装图形前端:
1 2 3 4 | # archlinux sudo pacman -S kgpg # ubuntu sudo apt install kgpg |
配置
默认存储配置的目录: ~/.gnupg
,这个目录权限一般是 700
,其中文件的权限是 600
gpg 程序的配置文件: gpg.conf
gpg
程序是 GnuPG 主要入口。
用户的 gpg.conf 在 ~/.gnupg/gpg.conf
全局的 gpg.conf 在 /etc/gnupg/gpg.conf
配置文件的语法: gpg 命令的参数,去掉 --
可写入配置文件中,每行一个参数
例如,命令 gpg --no-default-keyring --keyring keyring-path ...
对应配置文件的例子:
1 2 | no-default-keyring keyring keyring-path |
dirmngr 程序的配置文件: dirmngr.conf
dirmngr
是一个内部程序,被 gpg
调用来访问 keyserver。
用户的 dirmngr.conf 在 ~/.gnupg/dirmngr.conf
全局的 dirmngr.conf 在 /etc/gnupg/dirmngr.conf
pacman
pacman
uses a different set of configuration files for package signature verification.
使用
Create a key pair
1 | gpg --full-gen-key |
- 默认使用 RSA 加密
- 默认 key 大小为 3072
- key 有效期一般设置为一年,后期可续期,不用重新生成key。
- 不用设置comment,这个功能据说有问题。
name
和email
,是公共信息,任何后面导入 key 的用户都能看见。--gen-key
参数,只需要输入name
和email
,其他都是默认值。
List keys
1 2 3 4 5 | # To list keys in your public key ring: $ gpg --list-keys # To list keys in your secret key ring: $ gpg --list-secret-keys |
Export your public key
To generate an ASCII version of a user’s public key to file public-key.asc (e.g. to distribute it by e-mail):
1 | $ gpg --export --armor --output public-key.asc user-id
|
- Add
--no-emit-version
to avoid printing the version number, or add the corresponding setting to your configuration file. - You can omit the
user-id
to export all public keys within your keyring. This is useful if you want to share multiple identities at once, or for importing in another application, e.g. Thunderbird.
Import a public key
In order to encrypt messages to others, as well as verify their signatures, you need their public key.
使用 gpg --import
命令或者 keyserver
来导入公钥。
1 2 3 | To import a public key with file name public.key to your public key ring:
$ gpg --import public-key.asc
|
arch-linux pacman包需要导入 key ID,参见:
keyserver
发布公钥
1 | gpg --send-keys key-id |
搜索公钥
1 | gpg --search-keys user-id |
To import a key from a key server:
1 | gpg --recv-keys key-id |
auto-key-retrieve
添加到 GPG 的配置文件,将会在需要时候,自动下载公钥。
key servers
有名的 keyserver:
- Ubuntu Keyserver: federated, no verification, keys cannot be deleted.
https://keyserver.ubuntu.com/ - Mailvelope Keyserver: central, verification of email IDs, keys can be deleted.
https://keys.mailvelope.com/ - keys.openpgp.org: central, verification of email IDs, keys can be deleted, no third-party signatures (i.e. no Web of Trust support).
https://keys.openpgp.org/
更多的key server , 参见: https://en.wikipedia.org/wiki/Key_server_(cryptographic)#Keyserver_examples
设置 key server
配置文件设置:
~/.gnupg/dirmngr.conf
1 | keyserver hkp://keyserver.ubuntu.com |
命令中临时指定:
1 | gpg --keyserver hkps://keys.openpgp.org/ --search-keys user-id |
当前使用的 key server
参考:
有名的 key server 之间会相互同步公钥,所以其实使用哪个都差不多,除了网速上可能有不同。
要知道默认使用的什么 key server ,可以 search key 看下,例如:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 | # 到pacman缓存的包文件找个签名,看下包签名的key id cd /var/cache/pacman/pkg gpg --verify zxing-cpp-1.4.0-1-x86_64.pkg.tar.zst.sig gpg: 假定被签名的数据在‘zxing-cpp-1.4.0-1-x86_64.pkg.tar.zst’ gpg: 签名建立于 Fri 08 Jul 2022 03:50:49 AM CST gpg: 使用 RSA 密钥 1519D5ABA65BF6FC2B73C7567A4E76095D8A52E4 gpg: 无法检查签名:缺少公钥 gpg -v --search-keys 1519D5ABA65BF6FC2B73C7567A4E76095D8A52E4 gpg: data source: https://162.213.33.9:443 (1) Antonio Rojas <arojas@archlinux.org> Antonio Rojas <nqn76sw@gmail.com> Antonio Rojas <nqn1976@gmail.com> Antonio Rojas <arojas@us.es> 4096 bit RSA key 4AC5588F941C2A25, 创建于:2014-10-21 # 看下这个服务器域名,原来就是 keyserver.ubuntu.com host 162.213.33.9 9.33.213.162.in-addr.arpa domain name pointer keyserver.ubuntu.com. |
下载并设置信任,解决verify之”Can’t check signature: No public key”
- refer
1 2 3 4 5 6 | # 防止443端口有问题,从80端口下载 sudo gpg --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 2B2458BF gpg --edit-key 2B2458BF # 进入编辑状态,输入 trust 命令,选择 'I trust ultimately' # 在 verify 就不会报 No Public key |
tips
-
If receiving fails with the message gpg:
keyserver receive failed: General error,
and you use the default hkps keyserver pool, make sure set the HKPS pool verification certificate withhkp-cacert /usr/share/gnupg/sks-keyservers.netCA.pem
in yourdirmngr.conf
and kill the old dirmngr process. -
If receiving fails with the message
gpg: keyserver receive failed: Connection refused
, try using a different DNS server. -
You can connect to the keyserver over
Tor
withTor#Torsocks
. Or using the--use-tor
command line option. -
You can connect to a keyserver using a proxy by setting the
http_proxy
environment variable and settinghonor-http-proxy
indirmngr.conf
. Alternatively, sethttp-proxy host[:port]
in the configuration file to override the environment variable of the same name. Restart thedirmngr.service
user service for the changes to take effect.
Web Key Directory
The Web Key Service (WKS) 是一个key分发的新标准,根据email 的 domain 确定的 key server,称为 Web Key Directory(WKD)。
When encrypting to an email address (e.g. user@example.com), GnuPG (>=2.1.16) will query the domain (example.com) via HTTPS for the public OpenPGP key if it is not already in the local keyring.
The option auto-key-locate
will locate a key using the WKD protocol if there is no key on the local keyring for this email address.
1 | gpg --recipient user@example.org --auto-key-locate --encrypt doc |
To check if your key can be found in the WKD you can use this webinterface.
Key 维护
备份私钥
备份
1 | gpg --export-secret-keys --armor --output private-key.asc user-id |
导入
1 | gpg --import private-key.asc |
pacman 包的签名和认证
/etc/pacman.conf
配置文件中有定义包签名认证的相关安全选项:
SigLevel
选项
决定 pacman -S
安装软件时,认证的强度(the level of trust)。
The SigLevel
directive is valid in both the [options]
and repository sections.
If used in [options]
, it sets a default value for any repository that does not provide the setting.
- If set to
Never
, no signature checking will take place. - If set to
Optional
, signatures will be checked when present, but unsigned databases and packages will also be accepted. - If set to
Required
, signatures will be required on all packages and databases.
When to Check
These options control if and when signature checks should take place.
Never
All signature checking is suppressed, even if signatures are present.
Optional
(default)
Signatures are checked if present; absence of a signature is not an error. An invalid signature is a fatal error, as is a signature from a key not in the keyring.
Required
Signatures are required; absence of a signature or an invalid signature is a fatal error, as is a signature from a key not in the keyring.
What is Allowed
These options control what signatures are viewed as permissible. Note that neither of these options allows acceptance of invalid or expired signatures, or those from revoked keys.
TrustedOnly
(default)
If a signature is checked, it must be in the keyring and fully trusted; marginal trust does not meet this criteria.
TrustAll
If a signature is checked, it must be in the keyring, but is not required to be assigned a trust level (e.g., unknown or marginal trust).
Options in both groups can additionally be prefixed with either Package
or Database
, which will cause it to only take effect on the specified object type. For example, PackageTrustAll
would allow marginal and unknown trust level signatures for packages.