GPG
Install
For basic gpg command:
apt install gpg
For the gpg2 command (just a symlink to gpg; some programs look for gpg2 specifically):
apt install gnupg2
If you want extra documentation and examples (very optional):
apt install gnupg
Summary:
- gpg has /usr/bin/gpg (and its man page)
- gnupg2 has /usr/bin/gpg2 (and its man page)
- gnupg has /usr/share/man and /usr/share/doc for general gnupg-related documentation (very optional)
Summary Commands
gpg2 --keyserver https://pgp.mit.edu/ --search-keys <sender_name_or_address>
gpg --import <your-file>.gpg
gpg --receive-keys A9C5DF4D22E99998D9875A5110C01C5A2F6059E7
gpg --verify apache-tomcat-9.0.16-windows-x64.zip.asc
ref: [1]
Show Keys
List public keys:
gpg --list-public-keys
gpg --list-keys
gpg -k
List secret keys:
gpg --list-secret-keys
gpg -K
Export Key
Export public key:
gpg --armor --export [long_key_id] > public.gpg.asc
gpg --armor --output public.gpg.asc --export [long_key_id]
gpg -a -o public.gpg.asc --export [long_key_id]
Export private key:
gpg --armor --export-secret-key [long_key_id] > private.gpg.asc
gpg --armor --output private.gpg.asc --export-secret-key [long_key_id]
gpg -a -o private.gpg.asc --export-secret-key [long_key_id]
Note: not sure why, but does the --output parameter have to come before the --export parameter? In practice all parameters just need to come before the [long_key_id] at the end. Example:
gpg -a --export -o public.gpg.asc [long_key_id]
Default Key
To choose a default key without having to specify --default-key on the command-line every time...
~/.gnupg/gpg.conf
default-key <key-fpr>
replacing <key-fpr> with the id or fingerprint of the key you want to use by default. [1]
Encrypt Message
Encrypt message to send to other person:
gpg --encrypt --sign --armor -r person@email.com name_of_file
Note: include a second -r recipient with your own email address if you want to be able to read the encrypted message yourself.
Decrypt Message
ASCII Armor decrypt:
gpg file_name.asc
Binary decrypt
gpg file.gpg
gpg --decrypt file.gpg
Quiet decrypt (don't show all the keys that were attempted):
gpg --quiet --decrypt file.gpg
Sign Message
Sign with detached signature:
# binary signature
gpg --detach-sign -o sig.gpg inputdata.txt
# binary signature (if you don't specify an output, gpg writes inputdata.txt.sig)
gpg --detach-sign inputdata.txt
# detached ASCII-armored signature
gpg --detach-sign --armor -o inputdata.txt.asc inputdata.txt
# detached ASCII-armored signature (will generate inputdata.txt.asc)
gpg --detach-sign --armor inputdata.txt
Clear sign ASCII (text) input data, including original message in the clear:
gpg --clearsign -o output.txt inputdata.txt
# will write it as inputdata.txt.asc
gpg --clearsign inputdata.txt
Sign with another key:
echo "hi" | gpg --clearsign --default-key other@test.com
Verify Signed Message
Verify with detached signature:
gpg --verify sig.gpg inputdata.txt
Note: Please remember that the signature file (.sig or .asc) should be the first file given on the command line.
Verify clear signed message:
gpg --verify output.txt
Decrypt message: (Show contents)
gpg --decrypt output.txt
# write the original to a file, without the signature
gpg -d -o original.txt output.txt
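Added example (not from the original notes): a POSIX sh function that runs the detached-sign and --verify steps above end to end in a throwaway keyring, and confirms that a modified file is rejected. The signer name, email and file contents are constructed sample values; the temporary GNUPGHOME keeps it away from ~/.gnupg.

```shell
#!/bin/sh
# sign_and_verify: detached-sign a file with a throwaway key, verify it, then
# check that a tampered copy fails verification. Runs in a subshell so the
# GNUPGHOME export and trap do not leak into the caller.
# Returns 0 when the genuine file verifies AND the tampered copy is rejected.
sign_and_verify() (
    set -eu
    work=$(mktemp -d)
    export GNUPGHOME="$work/gnupghome"   # isolated keyring, never ~/.gnupg
    mkdir -m 700 "$GNUPGHOME"
    cleanup() { gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$work"; }
    trap cleanup EXIT

    # Throwaway key with no passphrase (constructed identity, no expiry).
    # --batch plus loopback pinentry so no interactive prompt is needed.
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "Example Signer <signer@example.invalid>" default default never

    printf 'release artifact v1.0\n' > "$work/inputdata.txt"

    # Binary detached signature, same form as the notes: --detach-sign -o sig.gpg
    gpg --batch --quiet --detach-sign -o "$work/sig.gpg" "$work/inputdata.txt"

    # Signature file first on the command line; exit status 0 means "Good signature".
    if ! gpg --batch --quiet --verify "$work/sig.gpg" "$work/inputdata.txt" 2>/dev/null; then
        echo "unexpected: genuine file failed verification" >&2
        exit 1
    fi

    # Change the content; the detached signature must no longer validate.
    printf 'release artifact v1.1\n' > "$work/tampered.txt"
    if gpg --batch --quiet --verify "$work/sig.gpg" "$work/tampered.txt" 2>/dev/null; then
        echo "unexpected: tampered file passed verification" >&2
        exit 1
    fi

    echo "genuine file verified, tampered file rejected"
    exit 0
)
```

Run it with `sign_and_verify`; a nonzero exit means one of the two checks did not behave as expected.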
Import Key to Remote System over SSH
gpg --export-secret-key SOMEKEYID | ssh othermachine gpg --import
GitHub GPG
Generating a new GPG key - GitHub Docs https://docs.github.com/en/authentication/managing-commit-signature-verification/generating-a-new-gpg-key
Generate GPG Key
gpg --full-generate-key
List Keys
gpg --list-secret-keys --keyid-format=long
Export Key
Export public key:
gpg --armor --output public.gpg.asc --export [long_key_id]
Export private key:
gpg --armor --output private.gpg.asc --export-secret-key [long_key_id]
Sign Commit
Manually:
git commit -S -m "YOUR_COMMIT_MESSAGE"
Automatic for current local repository
git config commit.gpgsign true
Automatic for all repositories:
git config --global commit.gpgsign true
Which will set ~/.gitconfig:
[commit]
    gpgsign = true
[user]
    name = First Last
    email = first.last@email.com
    # can specify the signing key:
    signingkey = B96CBB1FCF115C2XXXXXXXXXXXXXXXXXXXXX
ref: [2]
Show Log Signatures
git log --show-signature
Example:
commit dceb035ce7a3de3dc49e62ce61061efd86XXXXXX (HEAD -> ci)
gpg: Signature made Fri 09 Jun 2023 05:12:54 PM PDT
gpg:                using RSA key 6827A8ADAF633B8B03286E15C4D210675xxxxxxx
gpg:                issuer "name@example.com"
gpg: Good signature from "Name <name@example.com>" [ultimate]
Author: Name <name@example.com>
gpg --keyserver certserver.pgp.com --recv-key 0xBB7576AC
gpg --keyserver certserver.pgp.com --send-key blake@cyb.org
ref: [3]
Unknown Trust
ultimate vs unknown
You can edit your trust of a key:
gpg --edit-key user@useremail.com
gpg> trust    # choose a trust level 1-5
gpg> list
gpg> quit
gpg --edit-key user@useremail.com
...
trust: unknown       validity: unknown
gpg> trust
Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

  1 = I don't know or won't say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately
  m = back to the main menu

Your decision? 5
gpg> save
gpg> quit
ref: [4]