Skip to main content

GPG

# macOS
# pinentry-mac 对话框输入 密码
brew install gpg pinentry-mac

# 生成秘钥 - RSA 推荐至少 4096
gpg --default-new-key-algo rsa4096 --gen-key
# 推荐 ECC
gpg --default-new-key-algo "ed25519/cert,sign+cv25519/encr" --quick-generate-key "wener@wener.me"
# 完整生成逻辑
gpg --full-generate-key

gpg --list-keys --keyid-format=long # 完整的 keyid
gpg --list-secret-keys
gpg --export --armor 0000000000000000 # 导出为 PEM 格式

# 提交到服务器
gpg --keyserver hkp://pgp.mit.edu --send-keys $KEYID
# 验证是否成功
gpg --keyserver hkp://pgp.mit.edu --recv-keys $KEYID

# 导出
gpg --export-secret-keys $KEYID > private.key
# 导入
gpg --import private.key

# 配置信息
gpgconf --list-components
# check password
gpg --dry-run --passwd $KEYID

GnuPG

  • GNUPGHOME, --homedir
  • ~/.gnupg
    • S.gpg-agent
    • S.gpg-agent.ssh - --enable-ssh-support, --enable-putty-support
      • 实现 ssh-agent
      • SSH_AUTH_SOCK
      • ssh 8.2 才支持 FIDO2/U2F
    • S.gpg-agent.browser
      • keychain
      • 请求和缓存密码
    • S.gpg-agent.extra
      • 允许远程 gpg 使用本地 key
    • pubring.kbx
      • new public keyring using keybox format
    • pubring.gpg
      • legacy public keyring
    • trustdb.gpg
    • openpgp-revocs.d/
      • revocation certificates
      • <ID>.rev
    • private-keys-v1.d/
      • <ID>.key
  • GPG_AGENT_INFO
# 完整信息
gpg --with-colons --list-keys --with-fingerprint --with-fingerprint
  • Field 1 - Type of record
  • Field 2 - Validity
  • Field 3 - Key length
  • Field 4 - Public key algorithm
  • Field 5 - KeyID
  • Field 6 - Creation date
  • Field 7 - Expiration date
  • Field 8 - Certificate S/N, UID hash, trust signature info
  • Field 9 - Ownertrust
  • Field 10 - User-ID
  • Field 11 - Signature class
  • Field 12 - Key capabilities
  • Field 13 - Issuer certificate fingerprint or other info
  • Field 14 - Flag field
  • Field 15 - S/N of a token
  • Field 16 - Hash algorithm
  • Field 17 - Curve name
  • Field 18 - Compliance flags
  • Field 19 - Last update
  • Field 20 - Origin
  • Field 21 - Comment
abbr.for
secSECret key
ssbSecret SuBkey
pubPUBlic key
subpublic SUBkey - secondary key
uiduser id
sigkey signature
crtX.509 certificate
crsX.509 certificate and private key available
uatUser attribute (same as user id except for field 10).
revRevocation signature
fprFingerprint (fingerprint is in field 10)
pkdPublic key data
grpKeygrip
rvkRevocation key
truTrust database information
spkSignature subpacket
cfgConfiguration data
abbr.for
rsa2048RSA 2048
4096RRSA 4096
cv25519
ed25519

操作

flagfor
Signarure
-s,--sign
--clearsign,--clear-sign
-b,--detach-sign
--check-sigs,--check-signatures
Enc/Dec
-e,--encrypt
-c,--symmetric
--store
-d,--decrypt
--verify
Multi
--multifile
--verify-files--multifile --verify
--encrypt-files--multifile --encrypt
--decrypt-files--multifile --decrypt
Keys
-k,--list-keys,--list-pub-keys公钥列表
-K,--list-secret-keys私钥列表
--delete-keys NAME
--delete-secret-keys NAME
--delete-secret-and-public-key NAME
--locate-keys,--locate-external-keys
--show-keys显示给的 Key 的信息
--fingerprint
Smartcard
--edit-card,--card-edit
--card-status
--change-pin
Export/Restore
--export
--export-secret-keys,--export-secret-subkeys
--export-ssh-key
--import,--fast-import--import-options merge-only
--export-ownertrust
--import-ownertrust
Key Server
--send-keys KEYIDS
--recv-keys,--receive-keys KEYIDS
--refresh-keys
--search-keys NAMES
--fetch-keys URL
--update-trustdb
--check-trustdb
--rebuild-keydb-caches
Misc
--list-packets
--print-md algo
--print-mds计算文件所有摘要
--gen-random 0|1|2|16|30 COUNT生成随机数据
--gen-prime MODE BITS
--enarmor,--dearmor
capcreatefornote
ssignsign
eencrencrypt,decrypt
aauthauthenticatessh login
ccertcertify签名另外一个 key
# 生成 base64 随机
gpg -a --gen-random 1 20

gpg.conf

gpg-agent

  • for gpg, gpgsm
  • 会自动启动
# 主动退出
gpg-connect-agent /bye
gpgconf --kill gpg-agent

pidof gpg-agent

# 常用设置
GPG_TTY=$(tty)
export GPG_TTY

# .bashrc
export GPG_TTY="$(tty)"
export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
gpgconf --launch gpg-agent

# 查看缓存的 Key
gpg-connect-agent 'keyinfo --list' /bye
gpg-connect-agent "keyinfo --ssh-list --ssh-fpr" /bye
gpg-connect-agent "keyinfo --ssh-list --ssh-fpr=sha1" /bye

gpg-agent.conf

  • ~/.gnupg/gpg-agent.conf
# https://www.gnupg.org/documentation/manuals/gnupg/Agent-Options.html
enable-ssh-support
ttyname $GPG_TTY
pinentry-program /usr/local/bin/pinentry-mac

default-cache-ttl 60
max-cache-ttl 120
# pinentry-program /usr/bin/pinentry-curses
#pinentry-program /usr/bin/pinentry-tty
#pinentry-program /usr/bin/pinentry-gtk-2
#pinentry-program /usr/bin/pinentry-x11
#pinentry-program /usr/bin/pinentry-qt
#pinentry-program /usr/local/bin/pinentry-curses
#pinentry-program /usr/local/bin/pinentry-mac
#pinentry-program /opt/homebrew/bin/pinentry-mac

FAQ

rsa2048

GPG 默认 RSA2048,但现在已经不推荐了,建议至少 4096 bit。

  • NIST Special Publication 800-57 - July 2012
    • 认为 rsa2048 在 2030 年前还是安全的
  • Github 要求 RSA4096+
  • 新 key 推荐 ECC/elliptical-curve
  • Github 支持的 Key 算法
    • RSA
    • ElGamal
    • DSA
    • ECDH
    • ECDSA
    • EdDSA

ssh

  • gpg-agent 支持作为 ssh-agent
  • ssh key 可导入到 gpg 但 不推荐
# 创建用于 SSH 登陆的 keu
gpg --quick-add-key $KEYID ed25519 auth 1y
gpg -k --with-keygrip $KEYID

gpg --export-ssh-key $KEYID
echo enable-ssh-support >> $HOME/.gnupg/gpg-agent.conf

# 启动
unset SSH_AGENT_PID
if [ "${gnupg_SSH_AUTH_SOCK_by:-0}" -ne $$ ]; then
export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
fi
export GPG_TTY=$(tty)
gpg-connect-agent updatestartuptty /bye > /dev/null

# 通过 gpgconf 启动
# gpgconf --launch gpg-agent

gpg --list-keys --with-keygrip
echo $KEYGRIP >> ~/.gnupg/sshcontrol
ssh-add -l

# ssh-ed25519 XXXX openpgp:0xABCD
gpg --export-ssh-key $KEYID

# 如果配置了 github 可以测试
ssh -T git@github.com

backup & restore

KEYID=$(gpg -k wener@wener.me | sed '2q;d' | tr -d '[:blank:]')
gpg -a --export-secret-keys $KEYID > private.gpg
gpg -a --export-secret-subkeys $KEYID >> private.gpg
gpg --batch --yes --delete-secret-and-public-key $KEYID
gpg --show-keys private.gpg
gpg --import private.gpg
# 备份 secret master key
# -a 使用 PEM 格式
gpg -a -o secrets.gpg --export-secret-keys wener@wener.me
gpg -a -o subkeys.gpg --export-secret-subkeys wener@wener.me

gpg --show-keys secrets.gpg subkeys.gpg
gpg --list-packets secrets.gpg
gpg --list-packets subkeys.gpg

KEYID=$(gpg -k wener@wener.me | sed '2q;d' | tr -d '[:blank:]')
# --batch --yes 需要用 fingerprint
gpg --batch --yes --delete-secret-and-public-key $KEYID
gpg -K
gpg -k

# 导入
# key 后面显示 # 表示 key 非本地存储
gpg --import subkeys.gpg
gpg -K
gpg --import secrets.gpg
gpg -K
gpg -k

# 可以合并为单个文件
# cat subkeys.gpg secrets.gpg > backup.gpg

# 信任
echo -e "5\ny\n" | gpg --command-fd 0 --expert --edit-key $KEYID trust

uid unknown

  • 重新 trust 即可
  • ~/.gnupg/trustdb.gpg
gpg --edit-key $KEYID
trust
5
save

# 批处理
echo -e "5\ny\n" | gpg --command-fd 0 --expert --edit-key wener@wener.me trust

fingerprint

gpg -k wener@wener.me | head -n 2 | tail -n 1 | tr -d '[:blank:]'
gpg -k wener@wener.me | sed '2q;d' | tr -d '[:blank:]'

失效后操作

gpg --edit-key $KEYID
list

key 0
expire

key 1
expire

list # 确认
save # 保存退出

gpg: lookup_hashtable failed: Unknown system error

gpg --fix-trustdb

cd ~/.gnupg
gpg --export-ownertrust > otrust.tmp
rm trustdb.gpg
gpg --import-ownertrust < otrust.tmp

A locale function failed

subkeys

No pinentry

gpgconf --kill gpg-agent

gpg --help

gpg (GnuPG) 2.2.5
libgcrypt 1.8.2
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /Users/user/.gnupg
支持的算法:
公钥:RSA, ELG, DSA, ECDH, ECDSA, EDDSA
对称加密:IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256,
TWOFISH, CAMELLIA128, CAMELLIA192, CAMELLIA256
散列:SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
压缩:不压缩, ZIP, ZLIB, BZIP2

Syntax: gpg [options] [files]
Sign, check, encrypt or decrypt
Default operation depends on the input data

指令:

-s, --sign make a signature
--clear-sign make a clear text signature
-b, --detach-sign 生成一份分离的签名
-e, --encrypt 加密数据
-c, --symmetric 仅使用对称加密
-d, --decrypt 解密数据(默认)
--verify 验证签名
-k, --list-keys 列出密钥
--list-signatures 列出密钥和签名
--check-signatures 列出并检查密钥签名
--fingerprint 列出密钥和指纹
-K, --list-secret-keys 列出私钥
--generate-key 生成一副新的密钥对
--quick-generate-key quickly generate a new key pair
--quick-add-uid quickly add a new user-id
--quick-revoke-uid quickly revoke a user-id
--quick-set-expire quickly set a new expiration date
--full-generate-key full featured key pair generation
--generate-revocation 生成一份吊销证书
--delete-keys 从公钥钥匙环里删除密钥
--delete-secret-keys 从私钥钥匙环里删除密钥
--quick-sign-key quickly sign a key
--quick-lsign-key quickly sign a key locally
--sign-key 为某把密钥添加签名
--lsign-key 为某把密钥添加本地签名
--edit-key 编辑某把密钥或为其添加签名
--change-passphrase change a passphrase
--export 导出密钥
--send-keys 把密钥导出到某个公钥服务器上
--receive-keys 从公钥服务器上导入密钥
--search-keys 在公钥服务器上搜寻密钥
--refresh-keys 从公钥服务器更新所有的本地密钥
--import 导入/合并密钥
--card-status 打印卡状态
--edit-card 更改卡上的数据
--change-pin 更改卡的 PIN
--update-trustdb 更新信任度数据库
--print-md print message digests
--server run in server mode
--tofu-policy VALUE set the TOFU policy for a key

选项:

-a, --armor 输出经 ASCII 封装
-r, --recipient USER-ID encrypt for USER-ID
-u, --local-user USER-ID use USER-ID to sign or decrypt
-z N set compress level to N (0 disables)
--textmode 使用标准的文本模式
-o, --output FILE write output to FILE
-v, --verbose 详细模式
-n, --dry-run 不做任何改变
-i, --interactive 覆盖前先询问
--openpgp 行为严格遵循 OpenPGP 定义

(请参考在线说明以获得所有命令和选项的完整清单)

Examples:

-se -r Bob [file] sign and encrypt for user Bob
--clear-sign [file] make a clear text signature
--detach-sign [file] make a detached signature
--list-keys [names] show keys
--fingerprint [names] show fingerprints

请向 <https://bugs.gnupg.org> 报告程序缺陷。
请向 <zuxyhere@eastday.com> 反映简体中文翻译的问题。