GPG: Difference between revisions

From Omnia
Latest revision as of 02:40, 25 June 2024

GPG

Install

For basic gpg command:

apt install gpg

For the gpg2 command (just a symlink to gpg; some programs seem to look for gpg2):

apt install gnupg2

If you want extra documentation and examples (very optional):

apt install gnupg

Summary:

  • gpg has /usr/bin/gpg (and its man page)
  • gnupg2 has /usr/bin/gpg2 (and its man page)
  • gnupg has /usr/share/man and /usr/share/doc for general gnupg-related documentation (very optional)

Summary Commands

gpg2 --keyserver https://pgp.mit.edu/ --search-keys <sender_name_or_address>
gpg --import <your-file>.gpg
gpg --receive-keys A9C5DF4D22E99998D9875A5110C01C5A2F6059E7
gpg --verify apache-tomcat-9.0.16-windows-x64.zip.asc

ref: [1]

Show Keys

List public keys:

gpg --list-public-keys
gpg --list-keys
gpg -k

List secret keys:

gpg --list-secret-keys
gpg -K

Export Key

Export public key:

gpg --armor --export [long_key_id] > public.gpg.asc
gpg --armor --output public.gpg.asc --export [long_key_id]
gpg -a -o public.gpg.asc --export [long_key_id]

Export private key:

gpg --armor --export-secret-key [long_key_id]  > private.gpg.asc
gpg --armor --output private.gpg.asc --export-secret-key [long_key_id]
gpg -a -o private.gpg.asc --export-secret-key [long_key_id]

Note: all parameters just need to come before the [long_key_id] at the end; --output does not have to come before --export. Example:

gpg -a --export -o public.gpg.asc [long_key_id]

Default Key

To choose a default key without having to specify --default-key on the command line every time, add this line to ~/.gnupg/gpg.conf:

default-key <key-fpr>

replacing <key-fpr> with the id or fingerprint of the key you want to use by default. ref: https://unix.stackexchange.com/questions/339077/set-default-key-in-gpg-for-signing

Encrypt Message

Encrypt message to send to another person:

gpg --encrypt --sign --armor -r person@email.com name_of_file
gpg --encrypt -r person@email.com -r person2@email.com name_of_file

Note: You should include a second “-r” recipient with your own email address if you want to be able to read the encrypted message.

Decrypt Message

ASCII Armor decrypt:

gpg file_name.asc

Binary decrypt:

gpg file.gpg
gpg --decrypt file.gpg

Quiet decrypt (don't show all the keys that were attempted):

gpg --quiet --decrypt file.gpg

List Encrypted Recipients

This lists the IDs of the public keys the file was encrypted to (along with other packet details that can be ignored). If you also have the public key, it will also show the friendly name for each of those packets (e.g. Name <email>).

gpg --list-packets file.gpg

ref: https://superuser.com/questions/1409511/how-to-check-if-a-gpg-encrypted-file-is-encrypted-using-a-specific-public-key
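As an added example (not from the original page), the POSIX shell functions below pull the recipient key IDs out of a gpg --list-packets dump, so you can confirm a file was really encrypted to your own key before you send it, which is the point of the second "-r" in the Encrypt Message note above. The sample dump is constructed in the format gpg prints; the key IDs in it are made up.

```shell
#!/bin/sh
# Added example, not from the original page: extract recipient key IDs from
# `gpg --list-packets` output. Only ":pubkey enc packet:" lines carry a
# recipient key ID; offsets and the encrypted data packet are irrelevant here.

# Constructed sample dump for a file encrypted to two public keys
# (made-up key IDs), as gpg --list-packets would print it.
SAMPLE_PACKETS='# off=0 ctb=85 tag=1 hlen=3 plen=268
:pubkey enc packet: version 3, algo 1, keyid 0123456789ABCDEF
        data: [2047 bits]
# off=271 ctb=85 tag=1 hlen=3 plen=268
:pubkey enc packet: version 3, algo 1, keyid FEDCBA9876543210
        data: [2048 bits]
# off=542 ctb=d2 tag=18 hlen=2 plen=97 new-ctb
:encrypted data packet:
        length: 97
        mdc_method: 2'

# recipient_keyids: read a --list-packets dump on stdin and print one
# recipient key ID per line, in file order.
recipient_keyids() {
    awk '/^:pubkey enc packet:/ {
             for (i = 1; i <= NF; i++) if ($i == "keyid") print $(i + 1)
         }'
}

# recipient_count: number of public-key recipients in the dump on stdin.
recipient_count() {
    recipient_keyids | wc -l | tr -d ' '
}

# encrypted_to KEYID: exit 0 if the dump on stdin names KEYID as a recipient.
# Accepts an optional 0x prefix and any case; compares the last 16 hex digits,
# so a full fingerprint works too.
encrypted_to() {
    want=$(printf '%s' "$1" | sed 's/^0[xX]//' | tr 'a-f' 'A-F')
    want=$(printf '%s' "$want" | tail -c 16)
    recipient_keyids | tr 'a-f' 'A-F' | grep -qx "$want"
}

# Real use:  gpg --list-packets file.gpg | recipient_keyids
# Here it runs over the constructed sample:
printf '%s\n' "$SAMPLE_PACKETS" | recipient_keyids
```

Files encrypted with --hidden-recipient or --throw-keyids carry keyid 0000000000000000 in the packet, so such a recipient shows up in the count but cannot be named by this check.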

Sign Message

Sign with detached signature:

# binary signature
gpg --detach-sign -o sig.gpg inputdata.txt
# binary signature (if you don't specify an output file, it will generate inputdata.txt.sig)
gpg --detach-sign inputdata.txt
# detach with ASCII armor signature
gpg --detach-sign --armor -o inputdata.txt.asc inputdata.txt
# detach with ASCII armor signature (will generate inputdata.txt.asc)
gpg --detach-sign --armor inputdata.txt

Clear sign ASCII (text) input data, including original message in the clear:

gpg --clearsign -o output.txt inputdata.txt
# will write it as inputdata.txt.asc
gpg --clearsign inputdata.txt

Sign with other key:

echo "hi" | gpg --clearsign --default-key other@test.com

Verify Signed Message

Verify with detached signature:

gpg --verify sig.gpg inputdata.txt

Note: Please remember that the signature file (.sig or .asc) should be the first file given on the command line.

Verify clear signed message:

gpg --verify output.txt

Decrypt the clear-signed message (show contents):

gpg --decrypt output.txt
# write original to file, without signature
gpg -d -o original.txt output.txt
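Added example, not from the original page: the exit code of gpg --verify is 0 for any cryptographically good signature, including one made by a key you imported but never trusted (gpg only prints a WARNING in that case). The functions below read the machine-readable lines that --status-fd emits and separate "good signature" from "good signature by a trusted key"; the TRUST_* line corresponds to the owner-trust levels set under Trust Key and Unknown Trust below. The status samples are constructed, with made-up key IDs and fingerprints.

```shell
#!/bin/sh
# Added example, not from the original page: judge a signature from gpg's
# status lines rather than from the exit code alone.
# Produce real input with:  gpg --status-fd 1 --verify sig.gpg inputdata.txt

# Constructed: good signature from a key marked ultimately trusted.
SAMPLE_STATUS_TRUSTED='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Name <name@example.com>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2024-06-25 1719280000 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_ULTIMATE 0 pgp'

# Constructed: the same good signature, but the key was imported and never
# trusted. gpg --verify still exits 0 here.
SAMPLE_STATUS_UNKNOWN='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Name <name@example.com>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2024-06-25 1719280000 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Constructed: the signed data was modified after signing.
SAMPLE_STATUS_BAD='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 0123456789ABCDEF Name <name@example.com>'

# signature_verdict: read status lines on stdin and print one of
#   GOOD_TRUSTED    VALIDSIG present and key is fully or ultimately trusted
#   GOOD_UNTRUSTED  VALIDSIG present but owner trust is undefined/marginal/never
#   BAD             no VALIDSIG (bad signature, missing key, expired, ...)
signature_verdict() {
    awk '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" { valid = 1 }
        $1 == "[GNUPG:]" && ($2 == "TRUST_FULLY" || $2 == "TRUST_ULTIMATE") { trusted = 1 }
        END {
            if (!valid) print "BAD"
            else if (trusted) print "GOOD_TRUSTED"
            else print "GOOD_UNTRUSTED"
        }'
}

# signer_fingerprint: primary key fingerprint from the VALIDSIG line (its last
# field), or nothing when the signature did not validate. Pin this value in
# scripts instead of matching on the user ID string, which anyone can choose.
signer_fingerprint() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $12 }'
}

# Real use:
#   gpg --status-fd 1 --verify sig.gpg inputdata.txt 2>/dev/null | signature_verdict
# Here it runs over the constructed samples:
printf '%s\n' "$SAMPLE_STATUS_UNKNOWN" | signature_verdict
```

Treat anything other than GOOD_TRUSTED as a failure in automation, or compare signer_fingerprint against the fingerprint you expect; the human-readable "Good signature" text and the exit status do not distinguish a trusted signer from an unknown one.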

Import Key to Remote System (over SSH)

gpg --export-secret-key SOMEKEYID | ssh othermachine gpg --import

GitHub GPG

Generating a new GPG key - GitHub Docs
https://docs.github.com/en/authentication/managing-commit-signature-verification/generating-a-new-gpg-key

Generate GPG Key

gpg --full-generate-key

List Keys

gpg --list-secret-keys --keyid-format=long

Export Key

Export public key:

gpg --armor --output public.gpg.asc --export [long_key_id]

Export private key:

gpg --armor --output private.gpg.asc --export-secret-key [long_key_id]

Import Key

cat [keyfile] | gpg --import

Trust Key

gpg --edit-key [long_key_id]
 trust
 # - trust level (see below)
 save
 1 = I don't know or won't say
 2 = I do NOT trust
 3 = I trust marginally
 4 = I trust fully
 5 = I trust ultimately

Sign Commit

Manually:

git commit -S -m "YOUR_COMMIT_MESSAGE"

Automatic for current local repository

git config commit.gpgsign true

Automatic for all repositories:

git config --global commit.gpgsign true

Which will set ~/.gitconfig:

[commit]
   gpgsign = true
[user]
   name = First Last
   email = first.last@email.com
   # can specify the signing key:
   signingkey = B96CBB1FCF115C2XXXXXXXXXXXXXXXXXXXXX


ref: [3]

Show Log Signatures

git log --show-signature

Example:

commit dceb035ce7a3de3dc49e62ce61061efd86XXXXXX (HEAD -> ci)
gpg: Signature made Fri 09 Jun 2023 05:12:54 PM PDT
gpg:                using RSA key 6827A8ADAF633B8B03286E15C4D210675xxxxxxx
gpg:                issuer "name@example.com"
gpg: Good signature from "Name <name@example.com>" [ultimate]
Author: Name <name@example.com>

Share Key

gpg --keyserver certserver.pgp.com --recv-key 0xBB7576AC
gpg --keyserver certserver.pgp.com --send-key blake@cyb.org

ref: https://www.gnupg.org/gph/en/manual/x457.html

Unknown Trust

Ultimate vs unknown trust. You can edit your trust of a key:

gpg --edit-key user@useremail.com
trust
#  (trust level 1-5)
list
quit

Example session:

gpg --edit-key user@useremail.com

     trust: unknown          validity: unknown

gpg> trust

Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

  1 = I don't know or won't say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately
  m = back to the main menu

Your decision? 5

gpg> save

gpg> quit

ref: https://unix.stackexchange.com/questions/407062/gpg-list-keys-command-outputs-uid-unknown-after-importing-private-key-onto

Delete Key

Delete secret key first:

gpg --delete-secret-key [LONGID]
gpg --delete-key [LONGID]

Remove Passphrase

  1. gpg --list-secret-keys
    1. get key id
  2. gpg --edit-key XXX
  3. gpg> passwd
    1. enter old password
    2. enter new password (leave blank) twice
  4. save
  5. quit

Ref: https://superuser.com/questions/1360324/gpg-remove-passphrase
