资源
本文大部分根据 https://juejin.cn/post/7075615737015959566#heading-4 进行整理。
如果在开源社区进行交流的话,gpg加密文件是必须需要的。不然,就会造成巨大的乌龙事件。可以在本章的最后看下具体的应用场景。
解释
- key秘钥: 每个key都包含两个部分: Public key和private key。
- Fingerprint: 指纹是Public key的散列值
vimer@debian-local:~$ gpg --list-keys [email protected] pub rsa4096 2022-04-09 [SC] E2521CB8175736A97052B2F8954E6A70100598A2 # Fingerprint keys uid [ 绝对 ] Bo YU <[email protected]> sub rsa4096 2022-04-09 [E]这里Fingerprint就是下面的keyid。
- KeyId就是上面的Fingerprint,用来标识一个Key。这里有两种标识方式:一种long,long就是Fingerprint的后16位字符来表示, short形式就是Fingerprint后8位表示。可以使用下面的命令展示:
vimer@debian-local:~$ gpg --keyid-format LONG -k 0xE2521CB8175736A97052B2F8954E6A70100598A2 pub rsa4096/954E6A70100598A2 2022-04-09 [SC] E2521CB8175736A97052B2F8954E6A70100598A2 uid [ 绝对 ] Bo YU <[email protected]> sub rsa4096/66681FECEFF9AC75 2022-04-09 [E]pub后面的
0x95开头就是long型的keyid。 short型的如下:vimer@debian-local:~$ gpg --keyid-format SHORT -k 0xE2521CB8175736A97052B2F8954E6A70100598A2 pub rsa4096/100598A2 2022-04-09 [SC] E2521CB8175736A97052B2F8954E6A70100598A2 uid [ 绝对 ] Bo YU <[email protected]> sub rsa4096/EFF9AC75 2022-04-09 [E]我们一般就是使用LONG型的keyid。
- UserID: 一个KeyID必须绑定一个USerID,当然,同一个userid可以绑定多个keyid。
- keying: 秘钥环,保存在
~/gnupg/pubring.kbx文件中。vimer@debian-local:~$ gpg --list-keys /home/vimer/.gnupg/pubring.kbx ------------------------------ pub rsa4096 2022-04-09 [SC] E2521CB8175736A97052B2F8954E6A70100598A2 uid [ 绝对 ] Bo YU <[email protected]> sub rsa4096 2022-04-09 [E] - gpg config: gpg config文件
~/.gnupg/gpg.conf,可以作为gpg的配置文件。 - key server: 可以找一个key server进行upload key文件。
- keygrip:
vimer@debian-local:~$ gpg -k --with-keygrip /home/vimer/.gnupg/pubring.kbx ------------------------------ pub rsa4096 2022-04-09 [SC] E2521CB8175736A97052B2F8954E6A70100598A2 Keygrip = DBE2A5E6810C9C3E58E34C385107C9EB6CDDC43B uid [ 绝对 ] Bo YU <[email protected]> sub rsa4096 2022-04-09 [E] Keygrip = DBFC45BC6B077D5A7A5A3A58E7BF7F0965C8B058Keygrip与Fingerprint的区别是 他可以唯一区别key。用户是删除masterkey.
gpg --delete-secret-keys [master-keyid]会删除Master Key的同时问你是否删除Sub key,否则会删除失败。如果只想删除Master key,则可以只删除keygrip. -
Master 和 Sub keys 前面已经介绍了master keys。二者之间的联系就是,通过 Binding Signature,master key对sub key进行签名,宣布对Subkey的owner身份;同时 Sub keys也对Masster Key进行签名,声明自己对Master Key的Member关系。
- 总结:GPG keys的四种用途
- Ceritfy
- Sign
- Encryption
- Authentication
Cerity其实就是加密工作,本质sig,也叫签名。 签名一般有两种对象:一个是普通的文件(数据),另一个就是我们本文使用的key.对数据进行加密就是sig,而对秘钥(Public key)进行加密就是Ceritfy。对数据进行加密的命令
--sign, 对key加密使用--sign-key。
试验
因为需要上传Debian package,不得已需要一个GPG key。
请参考github生成gpg key
生成 gpg key
vimer@debian-local:~/git/git-multimail$ gpg --full-generate-key
gpg (GnuPG) 2.2.27; Copyright (C) 2021 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
请选择您要使用的密钥类型:
(1) RSA 和 RSA (默认)
(2) DSA 和 Elgamal
(3) DSA(仅用于签名)
(4) RSA(仅用于签名)
(14) Existing key from card
您的选择是?
RSA 密钥的长度应在 1024 位与 4096 位之间。
您想要使用的密钥长度?(3072) 4096 选4096
GPG key id
gpg --list-secret-keys --keyid-format=long
vimer@debian:~/build_test/jimtcl$ gpg --list-secret-keys --keyid-format=long
gpg: checking the trustdb
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
/home/vimer/.gnupg/pubring.kbx
------------------------------
sec rsa4096/42A2928E26E21C2 2022-03-04 [SC]
DD7E8C65E3F5992F52AAA07A452A2928E26E21C2
uid [ultimate] vimer <[email protected]>
ssb rsa4096/3338B86BD4FCE12A 2022-03-04 [E]
我们这里需要注意的就是42A2928E26E21C2,也就是下面需要的id.
打印自己的gpg(ASCII 形式)
gpg --armor --export id
目前是一个pc(一个开发环境一个key),这样的方式有点笨拙。
可以参考这里解决这个问题。
备份所有keys
vimer@dev:~/gpg_key/home-lod$ gpg -ao primary-secret-key.gpg --export-secret-keys 954E6A70100598A2!
vimer@dev:~/gpg_key/home-lod$ gpg -ao subkey-sign-key-secret-key.gpg --export-secret-keys F9154FDE143E4BAF!
vimer@dev:~/gpg_key/home-lod$ ls
primary-keys-revoke.gpg primary-public-key.txt primary-secret-key.gpg subkey-sign-key-secret-key.gpg vimer
只需把subkey的密钥import 其他pc上即可。
加密tar包
tar -czvf - secret-keys | openssl des3 -salt -k {passwd} -out gpg-backup.tar.gz
解压文件:
openssl des3 -d -k ${passwd} -salt -in gpg-backup.tar.gz | tar xzvf -
这个passwd 要保护好了。
删除所有keys
gpg --delete-secret-keys linus # 删除私钥, UID 也可以替换成子密钥ID, 主密钥Key ID
gpg --delete-keys linus # 删除公钥
subkeys
在Debian中, https://wiki.debian.org/Subkeys是分开使用的。master key自己默认会有一个 signing 和 encryption的key,那么,我们的subkeys可以把这两个功能给拆分开。
假设我们把所有的责任和希望寄托于master key上,其后果是非常严重的: 基于GPG key建立起来的信任链,如果被其他人利用的话,会对Debian社区造成非常大的危害,万一有人投毒的话,你所有的 reputation都被毁掉。所以,得想办法,杜绝自己的key被偷被盗。 在这个场景下,subkey的场景就凸显出来了。
如果使用 subkeys,则事情比较简单了: 创建一个 encryption(加密) key和 一个signing (签名)key,然后将subkeys上传到服务器,然后别人就可以像使用master (primary)key那样加密消息和验证你的信息签名,反过来,你也可以使用subkey进行解密和签名信息。
什么时候再一次使用你的master key或者primary key呢?
- 当你给别人进行签名时或者revoke an exist signature(撤销已有的签名)
- 当你新加一个UID或者使能一个存在的UID作为primary
- 当你创造新的subkey
- 当你revoke an existing UID or subkey(撤销)
- when you change the preferences (e.g., with setpref) on a UID(不懂这个术语)
- 当你改变subkey的过期日期时或者primary的过期日期也改变时
- when you revoke or generate a revocation certificate for the complete key.
当时这样一操作你会发现,在这种模式下,原来的primary key的价值变得更加重要。也就是你的subkey可以丢失或者被偷,这个时候,你再使用你的primary把subkey进行更新或者撤销等。因为你的primary可以对subkey进行把绑定或者签名,所以,你的primary key积累的 reputation不会清0: 尽管你使用subkey,当时reputation是积累在primary key上的。
How
备份:
umask 077; tar -cf $HOME/gnupg-backup.tar $HOME .gnupg
Create new subkey with signing:
vimer@debian-local:~$ gpg --list-keys [email protected]
pub rsa4096 2022-04-09 [SC]
E2521CB8175736A97052B2F8954E6A70100598A2
uid [ 绝对 ] Bo YU <[email protected]>
sub rsa4096 2022-04-09 [E]
gpg --edit-key YOURPRIMARYKEYID
add subkey
>addkey
gpg> addkey
请选择您要使用的密钥类型:
(3) DSA(仅用于签名)
(4) RSA(仅用于签名)
(5) ElGamal(仅用于加密)
(6) RSA(仅用于加密)
(14) Existing key from card
您的选择是? 4
RSA 密钥的长度应在 1024 位与 4096 位之间。
您想要使用的密钥长度?(3072) 4096
请求的密钥长度是 4096 位
请设定这个密钥的有效期限。
0 = 密钥永不过期
<n> = 密钥在 n 天后过期
<n>w = 密钥在 n 周后过期
<n>m = 密钥在 n 月后过期
<n>y = 密钥在 n 年后过期
密钥的有效期限是?(0) 20220414T120000 #以 yyyymmddThhmmss的形式指定什么时候过期
密钥于 2022年04月14日 星期四 20时00分00秒 HKT 过期
这些内容正确吗? (y/N) y
真的要创建吗?(y/N) y
我们需要生成大量的随机字节。在质数生成期间做些其他操作(敲打键盘
、移动鼠标、读写硬盘之类的)将会是一个不错的主意;这会让随机数
发生器有更好的机会获得足够的熵。
^[[A # 敲击键盘
sd
sec rsa4096/954E6A70100598A2
创建于:2022-04-09 有效至:永不 可用于:SC
信任度:绝对 有效性:绝对
ssb rsa4096/66681FECEFF9AC75
创建于:2022-04-09 有效至:永不 可用于:E
ssb rsa4096/656717DFA59353D0
创建于:2022-04-13 有效至:2022-04-14 可用于:S
[ 绝对 ] (1). Bo YU <[email protected]>
密钥的有效期限是?(0) 20220414T120000
密钥于 2022年04月14日 星期四 20时00分00秒 HKT 过期
这些内容正确吗? (y/N) y
真的要创建吗?(y/N)
gpg> save #保存退出即可
You can repeat this, and create an “RSA (encrypt only)” subkey as well, 对于debian来说,signing keys就够了。
保存primary的文件夹 重要
保存目前的 .gnupg的目录: tar -zcvf gnugpg-primary-2022-04-13.tar.gz ~/.gnupg
一定要把目前的tar的保存在离线的U盘或者操作时在离线时进行,真的需要特别谨慎。
引入subkey
在另一台pc上,也就是你想引入subkey的pc上:
删除primary key的keygrip
vimer@debian-local:~$ gpg --with-keygrip --list-keys [email protected]
pub rsa4096 2022-04-09 [SC]
E2521CB8175736A97052B2F8954E6A70100598A2
Keygrip = DBE2A5E6810C9C3E58E34C385107C9EB6CDDC43B
uid [ 绝对 ] Bo YU <[email protected]>
sub rsa4096 2022-04-09 [E]
Keygrip = DBFC45BC6B077D5A7A5A3A58E7BF7F0965C8B058
sub rsa4096 2022-04-13 [S] [有效至:2022-04-14]
Keygrip = DD49743E6A71BD63CF91387B2E998722F1CA8C01
上面的那个pub下面的keygrip就是primary key的keygrip,现在就可以使用前面的命令进行删除了。或者使用下面的命令强制删除也是可以的:
rm .gnupg/private-keys-v1.d/DBE2A5E6810C9C3E58E34C385107C9EB6CDDC43B.key
那么,如何验证删除keygrip成功了呢?
vimer@debian-local:~$ gpg -K
/home/vimer/.gnupg/pubring.kbx
------------------------------
sec# rsa4096 2022-04-09 [SC]
E2521CB8175736A97052B2F8954E6A70100598A2
uid [ 绝对 ] Bo YU <[email protected]>
ssb rsa4096 2022-04-09 [E]
ssb rsa4096 2022-04-13 [S] [有效至:2022-04-14]
此时, sec由sec#所代替,代表确实删除keygrip成功了。
更新新的subkey密码
gpg --edit-key 954E6A70100598A2 passwd
gpg (GnuPG) 2.2.27; Copyright (C) 2021 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
私密子密钥可用。
pub rsa4096/954E6A70100598A2
创建于:2022-04-09 有效至:永不 可用于:SC
信任度:绝对 有效性:绝对
ssb rsa4096/66681FECEFF9AC75
创建于:2022-04-09 有效至:永不 可用于:E
ssb rsa4096/656717DFA59353D0
创建于:2022-04-13 有效至:2022-04-14 可用于:S
[ 绝对 ] (1). Bo YU <[email protected]>
gpg: 密钥 954E6A70100598A2/954E6A70100598A2:修改密码时出现错误:No secret key
这里首先输入的是Primary key的密码,也就是之前设置的,等认证成功后,这里再次确认的密码是新的 sub key的密码。
导出subkey的私钥及公钥
gpg --keyid-format SHORT -k 0xE2521CB8175736A97052B2F8954E6A70100598A2
pub rsa4096/100598A2 2022-04-09 [SC]
E2521CB8175736A97052B2F8954E6A70100598A2
uid [ 绝对 ] Bo YU <[email protected]>
sub rsa4096/EFF9AC75 2022-04-09 [E]
sub rsa4096/A59353D0 2022-04-13 [S] [有效至:2022-04-14]
vimer@debian-local:~$ gpg -ao subkey-siging-EFF9AC75-private.gpg --export-secret-subkeys EFF9AC75
# 这里需要键入你刚才设置的密码 导出私钥
gpg -ao subkey-siging-EFF9AC75-pub.asc --export EFF9AC75
# 导出公钥
注意上面导出的是Encryption,而不是signing key.再次强调一下,debian社区中只使用signing key就可以解决问题。
多台pc使用同一个subkey
我们以debian为例:首先导出subkey(我默认是在primary下删除keygrip导出subkey)
gpg -ao subkey-siging-A59353D0-private.gpg --export-secret-subkeys A59353D0
# 0xA59353D0是 subkey id,这个时候需要输入subkey的密码
gpg -ao subkey-siging-A59353D0-pub.asc --export A59353D0
# 导出0xA59353D0 (subkey)的公钥
然后将这个subkey导出来的 私钥 gpg文件发送到另一台pc上。根据这篇文章
You can’t. GnuPG does not currently support merging secret subkeys. To do it, you need to delete the secret key on the second machine and re-import the whole key.
下面就是删除所有的秘钥(第二台pc)
vimer@debian:~/git/jimtcl$ gpg -k --with-keygrip [email protected]
# 找出 秘钥
pub rsa4096 2022-03-04 [SC]
DD7E8C65E3F5992F52AAA07A452A2928E26E21C2
Keygrip = 6E45478330550567D65B4E4A2F44A25BD643F8B7
uid [ultimate] vimer <[email protected]>
sub rsa4096 2022-03-04 [E]
Keygrip = 8427BBA3FAC38FA9C6FCC29116CAECCCCFCCA048
vimer@debian:~/git/jimtcl$ gpg-connect-agent "DELETE_KEY 6E45478330550567D65B4E4A2F44A25BD643F8B7" /bye
# 删除
OK
vimer@debian:~/git/jimtcl$ gpg-connect-agent "DELETE_KEY 8427BBA3FAC38FA9C6FCC29116CAECCCCFCCA048" /bye
OK
其实还可以删除.gnugp目录下的key文件。接着在第二台pc上导入subkey的私钥:
vimer@debian:~$ gpg --import subkey-siging-A59353D0-private.gpg
gpg: key 954E6A70100598A2: public key "Bo YU <[email protected]>" imported
gpg: To migrate 'secring.gpg', with each smartcard, run: gpg --card-status
gpg: key 954E6A70100598A2: secret key imported
gpg: Total number processed: 1
gpg: imported: 1
gpg: secret keys read: 1
gpg: secret keys imported: 1
通过以上的log我们知道,当前pc上primary还是存在的,虽然私钥不存在。import一个其他的primary key的subkey后,如下:
vimer@debian:~$ gpg -k
/home/vimer/.gnupg/pubring.kbx
------------------------------
pub rsa4096 2022-03-04 [SC]
DD7E8C65E3F5992F52AAA07A452A2928E26E21C2
uid [ultimate] vimer <[email protected]>
sub rsa4096 2022-03-04 [E]
pub rsa4096 2022-04-09 [SC] # 其实是第一台pc的primary
E2521CB8175736A97052B2F8954E6A70100598A2
uid [ unknown] Bo YU <[email protected]>
sub rsa4096 2022-04-09 [E]
sub rsa4096 2022-04-13 [S] [expires: 2022-04-14]
假设我们在A上导出了subkey的公钥,在B上导入了A primary key下的subkey的私钥,然后在B上使用刚才引入的subkey id。 比如给文件sig之类的。已经试验验证了。
使用备份primary key
正如前面我们已经表明的态度,我们把 master 和 subkey分离以后,主要就是为了安全,安全,安全,重要的事情说三遍 下面记录如何操作使用备份的primary key再次生成subkeys,只有这样,整个gpg的闭环流程打通。
首先将原来的primary key tar文件解压,这个tar文件一定保护好,几次加密都不为过。一般的教程都是让你使用离线USB或者智能卡, 或者进行以下操作时,要把电脑断网,哈哈。
解压文件
vimer@dev:~/gpg_key$ tar zxvf gnugpg-primary-2022-04-13.tar.gz
home/vimer/.gnupg/
home/vimer/.gnupg/random_seed
home/vimer/.gnupg/trustdb.gpg
home/vimer/.gnupg/openpgp-revocs.d/
home/vimer/.gnupg/openpgp-revocs.d/E2521CB8175736A97052B2F8954E6A70100598A2.rev
home/vimer/.gnupg/.#lk0x0000564a3684e210.debian-local.12373
home/vimer/.gnupg/private-keys-v1.d/
home/vimer/.gnupg/private-keys-v1.d/DBFC45BC6B077D5A7A5A3A58E7BF7F0965C8B058.key
home/vimer/.gnupg/private-keys-v1.d/DBE2A5E6810C9C3E58E34C385107C9EB6CDDC43B.key
home/vimer/.gnupg/private-keys-v1.d/DD49743E6A71BD63CF91387B2E998722F1CA8C01.key
home/vimer/.gnupg/tofu.db
home/vimer/.gnupg/pubring.kbx~
home/vimer/.gnupg/.#lk0x0000558544ab6210.debian-local.8206
home/vimer/.gnupg/pubring.kbx
导入gpg的环境变量
vimer@dev:~/gpg_key$ ls
gnugpg-primary-2022-04-13.tar.gz home
vimer@dev:~/gpg_key$ export GNUPGHOME=./home/vimer/.gnupg/
vimer@dev:~/gpg_key$ gpg -K
/home/vimer/gpg_key/./home/vimer/.gnupg/pubring.kbx
---------------------------------------------------
sec rsa4096 2022-04-09 [SC]
E2521CB8175736A97052B2F8954E6A70100598A2
uid [ultimate] Bo YU <[email protected]>
ssb rsa4096 2022-04-09 [E]
看到sec这个tag没有,也就是这里的primary key是生效的。 接下来,我们就是按照上面的方式添加一个signing 的subkey就可以了。不过为了方便,还是记录一下。
vimer@dev:~/gpg_key$ gpg --edit-key E2521CB8175736A97052B2F8954E6A70100598A2
gpg (GnuPG) 2.2.27; Copyright (C) 2021 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Secret key is available.
sec rsa4096/954E6A70100598A2
created: 2022-04-09 expires: never usage: SC
trust: ultimate validity: ultimate
ssb rsa4096/66681FECEFF9AC75
created: 2022-04-09 expires: never usage: E
ssb rsa4096/656717DFA59353D0
created: 2022-04-13 expired: 2022-04-14 usage: S
[ultimate] (1). Bo YU <[email protected]>
gpg> addkey
Please select what kind of key you want:
(3) DSA (sign only)
(4) RSA (sign only)
(5) Elgamal (encrypt only)
(6) RSA (encrypt only)
(14) Existing key from card
Your selection? 4
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 2m
Key expires at Sat 18 Jun 2022 11:44:56 AM +08
Is this correct? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
sec rsa4096/954E6A70100598A2
created: 2022-04-09 expires: never usage: SC
trust: ultimate validity: ultimate
ssb rsa4096/66681FECEFF9AC75
created: 2022-04-09 expires: never usage: E
ssb rsa4096/656717DFA59353D0
created: 2022-04-13 expired: 2022-04-14 usage: S
ssb rsa4096/F9154FDE143E4BAF
created: 2022-04-19 expires: 2022-06-18 usage: S
[ultimate] (1). Bo YU <[email protected]>
gpg> save
注意,我在这里再次注册了一个为期2个月的signing 的subkey。看下面的log,我们尽管被提示说,有一个04-14过期的subkey,当时我还在想,在目前的情况下,我还在想需不需要通知原来的那份备份的primary去revoke。其实不用的,原因是你接着使用-k去打印:
vimer@dev:~/gpg_key$ gpg -K
/home/vimer/gpg_key/./home/vimer/.gnupg/pubring.kbx
---------------------------------------------------
sec rsa4096 2022-04-09 [SC]
E2521CB8175736A97052B2F8954E6A70100598A2
uid [ultimate] Bo YU <[email protected]>
ssb rsa4096 2022-04-09 [E]
ssb rsa4096 2022-04-19 [S] [expires: 2022-06-18]
看到没有,这样就解决了(这一章节基于04/19)。
延长subkey的期限
这一个不太常见,但是肯定用得到。首先找到subkey的keyid(用 –keyid-format) 参考这里
vimer@dev:~/gpg_key/home-lod$ gpg --edit-key F9154FDE143E4BAF
gpg (GnuPG) 2.2.35; Copyright (C) 2022 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Secret key is available.
sec rsa4096/954E6A70100598A2
created: 2022-04-09 expires: never usage: SC
trust: ultimate validity: ultimate
ssb rsa4096/66681FECEFF9AC75
created: 2022-04-09 expires: never usage: E
ssb rsa4096/656717DFA59353D0
created: 2022-04-13 expired: 2022-04-14 usage: S
ssb rsa4096/F9154FDE143E4BAF
created: 2022-04-19 expires: 2022-06-18 usage: S
[ultimate] (1). Bo YU <[email protected]>
gpg> list
sec rsa4096/954E6A70100598A2
created: 2022-04-09 expires: never usage: SC
trust: ultimate validity: ultimate
ssb rsa4096/66681FECEFF9AC75
created: 2022-04-09 expires: never usage: E
ssb rsa4096/656717DFA59353D0
created: 2022-04-13 expired: 2022-04-14 usage: S
ssb rsa4096/F9154FDE143E4BAF
created: 2022-04-19 expires: 2022-06-18 usage: S
[ultimate] (1). Bo YU <[email protected]>
首先进入 edit-keys的交互界面,然后使用list就可以看见所有的keys了。下面才是关键:
什么都不输入,直接回车是编辑 primary或者key n来选择你要expire的subkey。这里primary key是0,subkey是
从0依次加1的。
选中的标志是会在提示前带一个*号的。
gpg> key 3
sec rsa4096/954E6A70100598A2
created: 2022-04-09 expires: never usage: SC
trust: ultimate validity: ultimate
ssb rsa4096/66681FECEFF9AC75
created: 2022-04-09 expires: never usage: E
ssb rsa4096/656717DFA59353D0
created: 2022-04-13 expired: 2022-04-14 usage: S
ssb* rsa4096/F9154FDE143E4BAF
created: 2022-04-19 expires: 2022-06-18 usage: S
[ultimate] (1). Bo YU <[email protected]>
gpg> expire
Changing expiration time for a subkey.
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 1y
Key expires at Mon 22 May 2023 10:25:49 PM +08
Is this correct? (y/N) y
gpg> save
然后将这个变化上传到 服务器上(确定了,这里是subkey的KEY_ID):
gpg --keyserver keyserver.ubuntu.com --send-keys KEY_ID
注意,这个keyserver,最好是在 export GPG时将最新的primary key
上传。
撤销一个subkeys
vimer@dev:~/gpg_key/home-lod$ gpg --edit-key [email protected]
gpg (GnuPG) 2.2.35; Copyright (C) 2022 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Secret key is available.
sec rsa4096/954E6A70100598A2
created: 2022-04-09 expires: never usage: SC
trust: ultimate validity: ultimate
ssb rsa4096/66681FECEFF9AC75
created: 2022-04-09 expires: never usage: E
ssb rsa4096/656717DFA59353D0
created: 2022-04-13 expired: 2022-04-14 usage: S
ssb rsa4096/F9154FDE143E4BAF
created: 2022-04-19 expires: 2023-05-22 usage: S
[ultimate] (1). Bo YU <[email protected]>
gpg> list
sec rsa4096/954E6A70100598A2
created: 2022-04-09 expires: never usage: SC
trust: ultimate validity: ultimate
ssb rsa4096/66681FECEFF9AC75
created: 2022-04-09 expires: never usage: E
ssb rsa4096/656717DFA59353D0
created: 2022-04-13 expired: 2022-04-14 usage: S
ssb rsa4096/F9154FDE143E4BAF
created: 2022-04-19 expires: 2023-05-22 usage: S
[ultimate] (1). Bo YU <[email protected]>
gpg> key 2
sec rsa4096/954E6A70100598A2
created: 2022-04-09 expires: never usage: SC
trust: ultimate validity: ultimate
ssb rsa4096/66681FECEFF9AC75
created: 2022-04-09 expires: never usage: E
ssb* rsa4096/656717DFA59353D0
created: 2022-04-13 expired: 2022-04-14 usage: S
ssb rsa4096/F9154FDE143E4BAF
created: 2022-04-19 expires: 2023-05-22 usage: S
[ultimate] (1). Bo YU <[email protected]>
gpg> revkey
Do you really want to revoke this subkey? (y/N) y
Please select the reason for the revocation:
0 = No reason specified
1 = Key has been compromised
2 = Key is superseded
3 = Key is no longer used
Q = Cancel
Your decision? 3
Enter an optional description; end it with an empty line:
> revoke the key
>
Reason for revocation: Key is no longer used
revoke the key
Is this okay? (y/N) y
sec rsa4096/954E6A70100598A2
created: 2022-04-09 expires: never usage: SC
trust: ultimate validity: ultimate
ssb rsa4096/66681FECEFF9AC75
created: 2022-04-09 expires: never usage: E
The following key was revoked on 2022-05-23 by RSA key 954E6A70100598A2 Bo YU <[email protected]>
ssb rsa4096/656717DFA59353D0
created: 2022-04-13 revoked: 2022-05-23 usage: S
ssb rsa4096/F9154FDE143E4BAF
created: 2022-04-19 expires: 2023-05-22 usage: S
[ultimate] (1). Bo YU <[email protected]>
gpg> save
使用 key {n}的方式选中subkey.
生成作为 ssh pubkey 的 subkey
gpg使用案例
具体场景
加密
echo "hello gpg" > hello.txt
vimer@debian-local:~$ gpg -o hello.txt.asc --encrypt --recipient [email protected] hello.txt
解密
vimer@debian-local:~$ gpg -o decrypted-hello.txt --decrypt --recipient [email protected] hello.txt.asc
gpg: 由 4096 位的 RSA 密钥加密,标识为 66681FECEFF9AC75,生成于 2022-04-09
“Bo YU <[email protected]>”
vimer@debian-local:~$ cat decrypted-hello.txt
hello gpg
Sign the package
debsign jimtcl_0.81+dfsg0-1_amd64.changes // 还有一个source.changes
然后就需要输入密码了,一定不要忘记gpg的密码。
debsign的设置需要去看看tools的gpg使用方法。debsign的配置文件在 ~/.devscripts文件中,具体配置如下:
vimer@debian:~$ cat .devscripts
DEBSIGN_KEYID=$(subkey-id)
Sign the repo
以reprepro为例:首先生成一个让外部用户的公钥:
gpg --export --armor ${keyID} > ${DEB_PATH}/gpg-public.key
其实这里${keyID}可以是subkey的。
distributions 的配置文件要指明你的subkey:
Origin: ubuntu
Suite: xenial
Label: ubuntu
Codename: xenial
Architectures: i386 amd64
# components 可以添加多个以空格风格,客户端系统可以根据实际需要添加
# 参考 source.list 里的写法
Components: main multiverse universe
Description: Apt repository for project x
# 使用哪个 gpg 钥匙进行签名,ID获取方法参考上面 GPG 钥匙部分
SignWith: ${keyID}
然后 reprepro export 就可以支持 release有release.gpg文件了。
然后需要用户使用 apt-key add gpg-public.key添加支持了.
签名 commit
最好不需要 global
1. git config --global user.signingkey "GPG key ID"
2. git config --global commit.gpgsign true
3. git config gpg.program gpg
最好每次执行这个环境变量:
export GPG_TTY=$(tty)
git commit issues
error: gpg failed to sign the data
fatal: failed to write commit object
https://gist.github.com/paolocarrasco/18ca8fe6e63490ae1be23e84a7039374?permalink_comment_id=3976510
如果还不行,需要执行这个命令去重新激活:
gpgconf --kill gpg-agent
参考
更为详细的教程(包括如何为别人签名): https://viccuad.me/blog/Revisited-secure-yourself-part-1-airgapped-computer-and-gpg-smartcards
这里有很多debian的资源可以利用: https://lists.debian.org/debian-project/2017/08/msg00022.html
master key的其他作用
以下也是摘自ML:
I see no reason why the master key should ever be used for signatures in such a scenario, so it seems sensible to indicate that it is purely for certification.
Well, it can be useful. A SC master key (Sign and Certify) can be used to sign messages explaining to someone else the need for a new subkey when you had to revoke every subkey, when just adding the subkey itself is not enough, or when adding subkeys is subject to a delay.
Suppose you forget to renew/upload a new subkey in your Debian key set, and the current subkeys expire: it takes time for a new subkey upload to clear keyring maint. During that time, an SC master key can be used in an emergency to sign a vote or an upload.
Suppose you forget to renew/upload a new subkey in your Debian key set, and the current subkeys expire: it takes time for a new subkey upload to clear keyring maint. During that time, an SC master key can be used in an emergency to sign a vote or an upload.
I see this as a failure to manage the signing subkey correctly, and a certification only master key as helping to prevent the temptation to just make use of the master for signing (and potentially avoid jumping through all of the hoops required to use it securely).
(That said, I’m very conscious that a lot of crypto comes down to a set of tradeoffs and I’m all in favour of people who have strong informed opinions about how to do things differently doing those things if they want. But if you ask me for a base line set of advice to J. Random DD I’d still go with the certification only master.)
J.
gpg primary key
pub rsa4096 2022-04-09 [SC]
E252 1CB8 1757 36A9 7052 B2F8 954E 6A70 1005 98A2
uid [ unknown] Bo YU <[email protected]>
sub rsa4096 2022-04-09 [E]
sub rsa4096 2022-04-19 [S] [expires: 2022-06-18]
生成primary key的撤销凭证
首先引入整个gpg环境(说白了就是包含primary keys)的环境,如果你是新建立的primary key,则可以直接使用下面的方法。
vimer@dev:~/gpg_key/home-lod$ gpg --gen-revoke -ao primary-keys-revoke.gpg [email protected]
sec rsa4096/954E6A70100598A2 2022-04-09 Bo YU <[email protected]>
Create a revocation certificate for this key? (y/N) y
Please select the reason for the revocation:
0 = No reason specified
1 = Key has been compromised
2 = Key is superseded
3 = Key is no longer used
Q = Cancel
(Probably you want to select 1 here)
Your decision? 3
Enter an optional description; end it with an empty line:
> simple revoke primary key
>
Reason for revocation: Key is no longer used
simple revoke primary key
Is this okay? (y/N) y
Revocation certificate created.
Please move it to a medium which you can hide away; if Mallory gets
access to this certificate he can use it to make your key unusable.
It is smart to print this certificate and store it away, just in case
your media become unreadable. But have some caution: The print system of
your machine might store the data and make it available to others!
vimer@dev:~/gpg_key/home-lod$ ls
primary-keys-revoke.gpg vimer
这个primary-keys-revoke.gpg就是撤销凭证,一定要保存在很远的地方,远离网络环境。
生成的revoke.pgp就是撤销凭证, 有了这个撤销凭证,你可以在没有密码的情况下使一个公钥失效,所以一定要妥善保存,而且最好比主密钥多一份。
撤销主密钥
这里暂时不使用我的primary keys做实验。还是直接摘抄上文链接, 原理都应该是差不多的。
gpg --import gpg-linus.asc # 在一台新的电脑上导入你的公钥
gpg: key 99F583599B7E31F1: "linus <[email protected]>" not changed
gpg: Total number processed: 1
gpg: unchanged: 1
gpg --import revoke # 导入你备份的撤销凭证,直接会导致密钥不可用
gpg: key 99F583599B7E31F1: "linus <[email protected]>" revocation certificate imported
gpg: Total number processed: 1
gpg: new key revocations: 1
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 1 signed: 1 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: depth: 1 valid: 1 signed: 0 trust: 1-, 0q, 0n, 0m, 0f, 0u
gpg: next trustdb check due at 2021-09-29
gpg -k # 查看密钥,已经revoke
pub rsa3072 2021-01-11 [SC] [revoked: 2021-01-11]
705358AB85366CAB05C0220F99F583599B7E31F1
uid [ revoked] linus <[email protected]>
upload subkey到服务器
https://keys.openpgp.org/upload
可以直接上传导出的文本,就是签名的pub,然后在浏览器里拖拽上传即可。
gpg --keyserver https://keys.openpgp.org --send-keys F9154FDE143E4BAF
gpg: sending key 954E6A70100598A2 to https://keys.openpgp.org
发布公钥的命令行像这样:
1 gpg –keyserver hkps://keyserver.ubuntu.com –send-keys 17AFB9B1
潜在的风险点
我的子秘钥到期后怎么通知呢?
gpg常用整理
目前,先把这个整理放在这里,等后面看上去差不多了再单独整理成一个page.
列出keys
gpg -k
这个方式只能列出primary key的 keyid(fingerprint)
vimer@dev:~/gpg_key/home-lod$ gpg -k [email protected]
pub rsa4096 2022-04-09 [SC]
E2521CB8175736A97052B2F8954E6A70100598A2
uid [ultimate] Bo YU <[email protected]>
sub rsa4096 2022-04-09 [E]
sub rsa4096 2022-04-19 [S] [expires: 2022-06-18]
gpg –keyid-format L/S -k pri-keys
如果想累出所有key的keyid,则可以进行如下的操作:
vimer@dev:~/gpg_key/home-lod$ gpg --keyid-format LONG -k 100598A2
pub rsa4096/954E6A70100598A2 2022-04-09 [SC]
E2521CB8175736A97052B2F8954E6A70100598A2
uid [ultimate] Bo YU <[email protected]>
sub rsa4096/66681FECEFF9AC75 2022-04-09 [E]
sub rsa4096/F9154FDE143E4BAF 2022-04-19 [S] [expires: 2022-06-18]