GPG: Difference between revisions
| (13 intermediate revisions by the same user not shown) | |||
| Line 42: | Line 42: | ||
| == Export Key == | == Export Key == | ||
| Export public key: | |||
|   gpg --armor --export [long_key_id] > public.gpg.asc |   gpg --armor --export [long_key_id] > public.gpg.asc | ||
|   gpg --armor --output public.gpg.asc --export [long_key_id] |   gpg --armor --output public.gpg.asc --export [long_key_id] | ||
| Line 54: | Line 54: | ||
| Note: <s>not sure why but the --output paramter has to come before the --export paramter??</s>  All paramters just need to come before the [long_key_id] at the end.  Example: | Note: <s>not sure why but the --output paramter has to come before the --export paramter??</s>  All paramters just need to come before the [long_key_id] at the end.  Example: | ||
|   gpg -a --export -o public.gpg.asc [long_key_id] |   gpg -a --export -o public.gpg.asc [long_key_id] | ||
| === Show Exported Key === | |||
| Trying to figure out what key is in a key file? | |||
|  gpg --show-keys < public.gpg.asc | |||
| == Default Key == | == Default Key == | ||
| Line 62: | Line 67: | ||
|   default-key <key-fpr> |   default-key <key-fpr> | ||
| replacing <key-fpr> with the id or fingerprint of the key you want to use by default. <ref>https://unix.stackexchange.com/questions/339077/set-default-key-in-gpg-for-signing</ref> | replacing <key-fpr> with the id or fingerprint of the key you want to use by default. <ref>https://unix.stackexchange.com/questions/339077/set-default-key-in-gpg-for-signing</ref> | ||
| --- or from the command line <ref>https://unix.stackexchange.com/questions/339077/set-default-key-in-gpg-for-signing</ref> | |||
|  gpg --list-signatures | |||
|  echo 'default-key:0:"xxxxxxxxxxxxxxxxxxxx' | gpgconf --change-options gpg | |||
| Cache password in gpg-agent: | |||
|  echo "" | gpg --clearsign | |||
|  ~/.bashrc | |||
|  alias gpgpass="echo '' | gpg --clearsign" | |||
| == gpg-agent default timeout == | |||
| Change to 8 hours <ref>https://stackoverflow.com/questions/61067967/git-gpg-failed-to-sign-the-data-in-visual-studio-code</ref> | |||
|  mkdir -p ~/.gnupg | |||
|  echo "default-cache-ttl 28800" >> ~/.gnupg/gpg-agent.conf | |||
|  echo "default-cache-ttl:0:28800" | gpgconf --change-options gpg-agent | |||
| echo "default-cache-ttl 28800"gpgconf --list-options gpg-agent | |||
|  default-cache-ttl:24:0:expire cached PINs after N seconds:3:3:N:600::28800 | |||
|  default-cache-ttl-ssh:24:1:expire SSH keys after N seconds:3:3:N:1800:: | |||
| == Encrypt Message == | == Encrypt Message == | ||
| Encrypt message to send to  | Encrypt message to send to another person: | ||
|   gpg --encrypt --sign --armor -r person@email.com name_of_file |   gpg --encrypt --sign --armor -r person@email.com name_of_file | ||
|  gpg --encrypt -r person@email.com -r person2@email.com name_of_file | |||
| Note: You should include a second “-r” recipient with your own email address if you want to be able to read the encrypted message. | Note: You should include a second “-r” recipient with your own email address if you want to be able to read the encrypted message. | ||
| Line 81: | Line 111: | ||
| Quiet descrypt (don't show all the keys that were attempted): | Quiet descrypt (don't show all the keys that were attempted): | ||
|   gpg --quiet --decrypt file.gpg |   gpg --quiet --decrypt file.gpg | ||
| == List Encrypted Receipients == | |||
| This will list public keys ID the file was encrypted with (as well as some other garbage that can be ignored).  If you also have the public key, it will also tell you friendly name for each of those packets (eg. name <email>) | |||
|  gpg --list-packets file.gpg | |||
| ref: [https://superuser.com/questions/1409511/how-to-check-if-a-gpg-encrypted-file-is-encrypted-using-a-specific-public-key] | |||
| == Sign Message == | == Sign Message == | ||
| Line 131: | Line 168: | ||
|   https://docs.github.com/en/authentication/managing-commit-signature-verification/generating-a-new-gpg-key |   https://docs.github.com/en/authentication/managing-commit-signature-verification/generating-a-new-gpg-key | ||
| === Generate GpG Key === | === Create Generate GpG Key === | ||
|   gpg --full-generate-key |   gpg --full-generate-key | ||
| Line 146: | Line 183: | ||
| Export private key: | Export private key: | ||
|   gpg --armor --output private.gpg.asc --export-secret-key [long_key_id] |   gpg --armor --output private.gpg.asc --export-secret-key [long_key_id] | ||
| === Import Key === | |||
|  cat [keyfile] | gpg --import | |||
| === Trust Key === | |||
|  gpg --edit-key [long_key_id] | |||
|   trust | |||
|   # - trust level (see below) | |||
|   save | |||
|   1 = I don't know or won't say | |||
|   2 = I do NOT trust | |||
|   3 = I trust marginally | |||
|   4 = I trust fully | |||
|   5 = I trust ultimately | |||
| === Sign Commit === | === Sign Commit === | ||
| Line 168: | Line 222: | ||
|      signingkey = B96CBB1FCF115C2XXXXXXXXXXXXXXXXXXXXX |      signingkey = B96CBB1FCF115C2XXXXXXXXXXXXXXXXXXXXX | ||
| To have Git use GPG with a password: | |||
|  export GPG_TTY=$(tty) | |||
| This will prevent this error when signing: | |||
|  error: gpg failed to sign the data | |||
|  fatal: failed to write commit object | |||
|  # or when using gpg directly | |||
|  gpg: signing failed: Inappropriate ioctl for device | |||
|  gpg: [stdin]: clear-sign failed: Inappropriate ioctl for device | |||
| Have gpg-agent cache the password. | |||
| To force test sign from command line, before using an app like Visual Code: | |||
|  echo "test" | gpg --clearsign | |||
|  alias gitready='echo '\'''\'' | gpg --clearsign' | |||
| ref: [https://docs.github.com/en/authentication/managing-commit-signature-verification/signing-commits] | ref: [https://docs.github.com/en/authentication/managing-commit-signature-verification/signing-commits] | ||
| Line 230: | Line 301: | ||
| ref: [https://unix.stackexchange.com/questions/407062/gpg-list-keys-command-outputs-uid-unknown-after-importing-private-key-onto] | ref: [https://unix.stackexchange.com/questions/407062/gpg-list-keys-command-outputs-uid-unknown-after-importing-private-key-onto] | ||
| == Delete Key == | |||
| Delete secret key first: | |||
|  gpg --delete-secret-key [LONGID] | |||
|  gpg --delete-key [LONGID] | |||
| == Remove Passphrase == | |||
| # gpg --list-secret-keys | |||
| ## get key id | |||
| # gpg --edit-key XXX | |||
| # gpg> passed | |||
| ## enter old password | |||
| ## enter new password (leave blank) twice | |||
| # save | |||
| # quit | |||
| Ref: https://superuser.com/questions/1360324/gpg-remove-passphrase | |||
| == keywords == | == keywords == | ||
Latest revision as of 21:37, 20 October 2025
GPG
Install
For basic gpg command:
apt install gpg
For gpg2 command installed: (just a symlink to gpg) - some programs seem to look for gpg2?
apt install gnupg2
If you want extra documentation and examples: (very very options)
apt install gnupg
Summary:
- gpg has the /usr/bin/gpg (and man)
- gnupg2' has the /usr/bin/gpg2 (and man)
- gnupg has the /usr/share/man and /usr/share/doc for general gnupg related (very very optional)
Summary Commands
gpg2 --keyserver https://pgp.mit.edu/ --search-keys <sender_name_or_address>
gpg --import <your-file>.gpg
gpg --receive-keys A9C5DF4D22E99998D9875A5110C01C5A2F6059E7
gpg --verify apache-tomcat-9.0.16-windows-x64.zip.asc
ref: [1]
Show Keys
List public keys:
gpg --list-public-keys gpg --list-keys gpg -k
List secret keys:
gpg --list-secret-keys gpg -K
Export Key
Export public key:
gpg --armor --export [long_key_id] > public.gpg.asc gpg --armor --output public.gpg.asc --export [long_key_id] gpg -a -o public.gpg.asc --export [long_key_id]
Export private key:
gpg --armor --export-secret-key [long_key_id] > private.gpg.asc gpg --armor --output private.gpg.asc --export-secret-key [long_key_id] gpg -a -o private.gpg.asc --export-secret-key [long_key_id]
Note: not sure why but the --output paramter has to come before the --export paramter??  All paramters just need to come before the [long_key_id] at the end.  Example:
gpg -a --export -o public.gpg.asc [long_key_id]
Show Exported Key
Trying to figure out what key is in a key file?
gpg --show-keys < public.gpg.asc
Default Key
To choose a default key without having to specify --default-key on the command-line every time...
~/.gnupg/gpg.conf
default-key <key-fpr>
replacing <key-fpr> with the id or fingerprint of the key you want to use by default. [1]
--- or from the command line [2]
gpg --list-signatures
echo 'default-key:0:"xxxxxxxxxxxxxxxxxxxx' | gpgconf --change-options gpg
Cache password in gpg-agent:
echo "" | gpg --clearsign
~/.bashrc alias gpgpass="echo | gpg --clearsign"
gpg-agent default timeout
Change to 8 hours [3]
mkdir -p ~/.gnupg echo "default-cache-ttl 28800" >> ~/.gnupg/gpg-agent.conf
echo "default-cache-ttl:0:28800" | gpgconf --change-options gpg-agent
echo "default-cache-ttl 28800"gpgconf --list-options gpg-agent
default-cache-ttl:24:0:expire cached PINs after N seconds:3:3:N:600::28800 default-cache-ttl-ssh:24:1:expire SSH keys after N seconds:3:3:N:1800::
Encrypt Message
Encrypt message to send to another person:
gpg --encrypt --sign --armor -r person@email.com name_of_file gpg --encrypt -r person@email.com -r person2@email.com name_of_file
Note: You should include a second “-r” recipient with your own email address if you want to be able to read the encrypted message.
Decrypt Message
ASCII Armor decrypt:
gpg file_name.asc
Binary decrypt
gpg file.gpg gpg --decrypt file.gpg
Quiet descrypt (don't show all the keys that were attempted):
gpg --quiet --decrypt file.gpg
List Encrypted Receipients
This will list public keys ID the file was encrypted with (as well as some other garbage that can be ignored). If you also have the public key, it will also tell you friendly name for each of those packets (eg. name <email>)
gpg --list-packets file.gpg
ref: [2]
Sign Message
Sign with detached signature:
# binary signature gpg --detach-sign -o sig.gpg inputdata.txt
# binary signature (if you don't specify output will generate inputdata.txt.gpg) gpg --detach-sign inputdata.txt
# detach with ASCII armor signature gpg --detach-sign --armor -o inputdata.txt.asc inputdata.txt
# detach with ASCII armor signature (will generate inputdata.txt.asc) gpg --detach-sign --armor inputdata.txt
Clear sign ASCII (text) input data, including original message in the clear:
gpg --clearsign -o output.txt inputdata.txt
# will write it as inputdata.txt.asc gpg --clearsign inputdata.txt
Sign with other key:
echo "hi" | gpg --clearsign --default-key other@test.com
Verify Signed Message
Verify with detached signature:
gpg --verify sig.gpg inputdata.txt
Note: Please remember that the signature file (.sig or .asc) should be the first file given on the command line.
Verify clear signed message:
gpg --verify output.txt
Decrypt message: (Show contents)
gpg --decrypt output.txt
# write original to file, without signature gpg -d -o original.txt output.txt
Import SSH to Remote System
gpg --export-secret-key SOMEKEYID | ssh othermachine gpg --import
GitHub GPG
Generating a new GPG key - GitHub Docs https://docs.github.com/en/authentication/managing-commit-signature-verification/generating-a-new-gpg-key
Create Generate GpG Key
gpg --full-generate-key
List Keys
gpg --list-secret-keys --keyid-format=long
Export Key
Exoprt public key:
gpg --armor --output public.gpg.asc --export [long_key_id]
Export private key:
gpg --armor --output private.gpg.asc --export-secret-key [long_key_id]
Import Key
cat [keyfile] | gpg --import
Trust Key
gpg --edit-key [long_key_id] trust # - trust level (see below) save
1 = I don't know or won't say 2 = I do NOT trust 3 = I trust marginally 4 = I trust fully 5 = I trust ultimately
Sign Commit
Manually:
git commit -S -m "YOUR_COMMIT_MESSAGE"
Automatic for current local repository
git config commit.gpgsign true
Automatic for all repositories:
git config --global commit.gpgsign true
Which will set ~/.gitconfig:
[commit] gpgsign = true
[user] name = First Last email = first.last@email.com # can specify the signing key: signingkey = B96CBB1FCF115C2XXXXXXXXXXXXXXXXXXXXX
To have Git use GPG with a password:
export GPG_TTY=$(tty)
This will prevent this error when signing:
error: gpg failed to sign the data fatal: failed to write commit object
# or when using gpg directly gpg: signing failed: Inappropriate ioctl for device gpg: [stdin]: clear-sign failed: Inappropriate ioctl for device
Have gpg-agent cache the password.
To force test sign from command line, before using an app like Visual Code:
echo "test" | gpg --clearsign
alias gitready='echo '\'\ | gpg --clearsign'
ref: [3]
Show Log Signatures
git log --show-signature
Example:
commit dceb035ce7a3de3dc49e62ce61061efd86XXXXXX (HEAD -> ci) gpg: Signature made Fri 09 Jun 2023 05:12:54 PM PDT gpg: using RSA key 6827A8ADAF633B8B03286E15C4D210675xxxxxxx gpg: issuer "name@example.com" gpg: Good signature from "Name <name@example.com>" [ultimate] Author: Name <name@example.com>
gpg --keyserver certserver.pgp.com --recv-key 0xBB7576AC
gpg --keyserver certserver.pgp.com --send-key blake@cyb.org
ref: [4]
Unknown Trust
ultimate vs unknown
You can edit your trust of a key:
gpg --edit-key user@useremail.com edit # (trust level 1-5) list quit
gpg --edit-key user@useremail.com
     trust: unknown          validity: unknown
gpg> trust
Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)
  1 = I don't know or won't say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately
  m = back to the main menu
Your decision? 5
gpg> save
gpg> quit
ref: [5]
Delete Key
Delete secret key first:
gpg --delete-secret-key [LONGID] gpg --delete-key [LONGID]
Remove Passphrase
- gpg --list-secret-keys
- get key id
 
- gpg --edit-key XXX
- gpg> passed
- enter old password
- enter new password (leave blank) twice
 
- save
- quit
Ref: https://superuser.com/questions/1360324/gpg-remove-passphrase