GPG

From Omnia
Revision as of 22:16, 11 February 2024 by Kenneth


Install

For basic gpg command:

apt install gpg

For the gpg2 command (just a symlink to gpg; some programs seem to look for gpg2):

apt install gnupg2

If you want extra documentation and examples (very, very optional):

apt install gnupg

Summary:

  • gpg has /usr/bin/gpg (and its man page)
  • gnupg2 has /usr/bin/gpg2 (and its man page)
  • gnupg has the /usr/share/man and /usr/share/doc material for GnuPG in general (very, very optional)

Summary Commands

gpg2 --keyserver https://pgp.mit.edu/ --search-keys <sender_name_or_address>
gpg --import <your-file>.gpg
gpg --receive-keys A9C5DF4D22E99998D9875A5110C01C5A2F6059E7
gpg --verify apache-tomcat-9.0.16-windows-x64.zip.asc

ref: [1]

Show Keys

List public keys:

gpg --list-public-keys
gpg --list-keys
gpg -k

List secret keys:

gpg --list-secret-keys
gpg -K

Export Key

Export public key:

gpg --armor --export [long_key_id] > public.gpg.asc
gpg --armor --output public.gpg.asc --export [long_key_id]
gpg -a -o public.gpg.asc --export [long_key_id]

Export private key:

gpg --armor --export-secret-key [long_key_id]  > private.gpg.asc
gpg --armor --output private.gpg.asc --export-secret-key [long_key_id]
gpg -a -o private.gpg.asc --export-secret-key [long_key_id]

Note: not sure why, but does the --output parameter have to come before the --export parameter? All parameters just need to come before the [long_key_id] at the end. Example:

gpg -a --export -o public.gpg.asc [long_key_id]

Default Key

To choose a default key without having to specify --default-key on the command-line every time...

~/.gnupg/gpg.conf

default-key <key-fpr>

replacing <key-fpr> with the id or fingerprint of the key you want to use by default. [1]

Encrypt Message

Encrypt message to send to other person:

gpg --encrypt --sign --armor -r person@email.com name_of_file

Note: You should include a second “-r” recipient with your own email address if you want to be able to read the encrypted message.
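
Added example (not from this wiki page) that demonstrates the note above with two throwaway keyrings under a temporary GNUPGHOME: encrypting only to the recipient leaves the sender unable to read the ciphertext, while a second -r for the sender's own address lets both sides decrypt. The names alice/bob, their addresses and the message are constructed; --trust-model always stands in for the fingerprint check you would do before trusting a real key.

```shell
#!/bin/sh
# Added example, not part of the wiki page. Two throwaway keyrings (alice, bob)
# under a temporary GNUPGHOME show why the sender should add a second -r for
# their own address. Names, addresses and the message are constructed for the demo.
demo_encrypt_roundtrip() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; return 2; }
    work=$(mktemp -d /tmp/gpgdemo.XXXXXX) || return 1
    alice="$work/alice"; bob="$work/bob"
    mkdir -m 700 "$alice" "$bob" || return 1
    # One passphrase-less key per party, generated non-interactively
    for who in alice bob; do
        GNUPGHOME="$work/$who" gpg --batch --quiet --passphrase '' --pinentry-mode loopback \
            --quick-generate-key "$who <$who@example.com>" default default never || return 1
    done
    # Exchange public keys (for real keys: compare fingerprints before trusting them)
    GNUPGHOME="$bob" gpg --export bob@example.com | GNUPGHOME="$alice" gpg --quiet --import || return 1
    GNUPGHOME="$alice" gpg --export alice@example.com | GNUPGHOME="$bob" gpg --quiet --import || return 1
    printf 'meet at noon\n' > "$work/msg.txt"
    rc=0
    # 1) Encrypt only to bob: the sender cannot decrypt her own ciphertext
    GNUPGHOME="$alice" gpg --batch --quiet --trust-model always --encrypt --sign --armor \
        -r bob@example.com -o "$work/only_bob.asc" "$work/msg.txt" || rc=1
    if GNUPGHOME="$alice" gpg --batch --quiet --decrypt "$work/only_bob.asc" >/dev/null 2>&1; then
        echo "unexpected: sender could decrypt a message encrypted only to bob" >&2; rc=1
    fi
    # 2) Add a second -r for the sender: both parties recover the plaintext
    GNUPGHOME="$alice" gpg --batch --quiet --trust-model always --encrypt --sign --armor \
        -r bob@example.com -r alice@example.com -o "$work/both.asc" "$work/msg.txt" || rc=1
    for who in alice bob; do
        GNUPGHOME="$work/$who" gpg --batch --quiet --trust-model always --decrypt \
            "$work/both.asc" > "$work/$who.out" 2>/dev/null || rc=1
        cmp -s "$work/msg.txt" "$work/$who.out" || rc=1
    done
    # Stop the per-keyring agents and remove the throwaway material
    for who in alice bob; do GNUPGHOME="$work/$who" gpgconf --kill gpg-agent 2>/dev/null; done
    rm -rf "$work"
    return $rc
}

demo_encrypt_roundtrip && echo "round trip OK"
```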

Decrypt Message

ASCII Armor decrypt:

gpg file_name.asc

Binary decrypt

gpg file.gpg
gpg --decrypt file.gpg

Quiet decrypt (don't show all the keys that were attempted):

gpg --quiet --decrypt file.gpg

Sign Message

Sign with detached signature:

# binary signature
gpg --detach-sign -o sig.gpg inputdata.txt
# binary signature (if you don't specify an output file, it will generate inputdata.txt.sig)
gpg --detach-sign inputdata.txt
# detach with ASCII armor signature
gpg --detach-sign --armor -o inputdata.txt.asc inputdata.txt
# detach with ASCII armor signature (will generate inputdata.txt.asc)
gpg --detach-sign --armor inputdata.txt

Clear-sign ASCII (text) input data, including the original message in the clear:

gpg --clearsign -o output.txt inputdata.txt
# will write it as inputdata.txt.asc
gpg --clearsign inputdata.txt

Sign with other key:

echo "hi" | gpg --clearsign --default-key other@test.com

Verify Signed Message

Verify with detached signature:

gpg --verify sig.gpg inputdata.txt

Note: Please remember that the signature file (.sig or .asc) should be the first file given on the command line.
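
Added example (not from this wiki page) of the detached-signature round trip above, run in a throwaway keyring: a good file verifies, a file changed by one byte does not, and passing the data file before the signature file fails as well. The key name, address and data are constructed.

```shell
#!/bin/sh
# Added example, not from the wiki page: a detached-signature round trip in a
# throwaway keyring. It checks the happy path, that changed data fails to verify,
# and that swapping the argument order (data first) also fails. Constructed data.
demo_detached_sig() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; return 2; }
    home=$(mktemp -d /tmp/gpgsig.XXXXXX) || return 1
    GNUPGHOME="$home" gpg --batch --quiet --passphrase '' --pinentry-mode loopback \
        --quick-generate-key 'Sig Demo <sig@example.com>' default default never || return 1
    printf 'release 1.0\n' > "$home/data.txt"
    printf 'release 1.1\n' > "$home/tampered.txt"   # differs from data.txt by one byte
    rc=0
    # ASCII-armored detached signature, written next to the data
    GNUPGHOME="$home" gpg --batch --quiet --detach-sign --armor \
        -o "$home/data.txt.asc" "$home/data.txt" || rc=1
    # Signature first, then the data it covers: must succeed
    GNUPGHOME="$home" gpg --batch --quiet --verify "$home/data.txt.asc" "$home/data.txt" 2>/dev/null || rc=1
    # Same signature over modified data: must fail
    if GNUPGHOME="$home" gpg --batch --quiet --verify "$home/data.txt.asc" "$home/tampered.txt" 2>/dev/null; then
        echo "unexpected: tampered file verified" >&2; rc=1
    fi
    # Arguments swapped: gpg tries to read data.txt as the signature and fails
    if GNUPGHOME="$home" gpg --batch --quiet --verify "$home/data.txt" "$home/data.txt.asc" 2>/dev/null; then
        echo "unexpected: swapped arguments verified" >&2; rc=1
    fi
    GNUPGHOME="$home" gpgconf --kill gpg-agent 2>/dev/null
    rm -rf "$home"
    return $rc
}

demo_detached_sig && echo "detached signature checks OK"
```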

Verify clear signed message:

gpg --verify output.txt

Decrypt message (show contents):

gpg --decrypt output.txt
# write original to file, without signature
gpg -d -o original.txt output.txt

Import Key to Remote System over SSH

gpg --export-secret-key SOMEKEYID | ssh othermachine gpg --import

GitHub GPG

Generating a new GPG key - GitHub Docs
https://docs.github.com/en/authentication/managing-commit-signature-verification/generating-a-new-gpg-key

Generate GPG Key

gpg --full-generate-key

List Keys

gpg --list-secret-keys --keyid-format=long

Export Key

Export public key:

gpg --armor --output public.gpg.asc --export [long_key_id]

Export private key:

gpg --armor --output private.gpg.asc --export-secret-key [long_key_id]

Sign Commit

Manually:

git commit -S -m "YOUR_COMMIT_MESSAGE"

Automatic for current local repository:

git config commit.gpgsign true

Automatic for all repositories:

git config --global commit.gpgsign true

This sets the following in ~/.gitconfig:

[commit]
   gpgsign = true
[user]
   name = First Last
   email = first.last@email.com
   # can specify the signing key:
   signingkey = B96CBB1FCF115C2XXXXXXXXXXXXXXXXXXXXX


ref: [2]

Show Log Signatures

git log --show-signature

Example:

commit dceb035ce7a3de3dc49e62ce61061efd86XXXXXX (HEAD -> ci)
gpg: Signature made Fri 09 Jun 2023 05:12:54 PM PDT
gpg:                using RSA key 6827A8ADAF633B8B03286E15C4D210675xxxxxxx
gpg:                issuer "name@example.com"
gpg: Good signature from "Name <name@example.com>" [ultimate]
Author: Name <name@example.com>
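
Added example (not from this wiki page or GitHub's docs) that ties the steps above together: a throwaway key and repository, the user.signingkey and commit.gpgsign options set for that repo, one signed commit, and then git verify-commit plus git log --show-signature checking it. Name, address and repository content are constructed.

```shell
#!/bin/sh
# Added example, not from the wiki page: creates a throwaway key and repository,
# sets the git options shown above, makes one signed commit and verifies it.
# Name, address and repository content are constructed for the demo.
# The body runs in a subshell so GNUPGHOME and the working directory do not leak.
demo_signed_commit() (
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; exit 2; }
    command -v git >/dev/null 2>&1 || { echo "git not installed" >&2; exit 2; }
    work=$(mktemp -d /tmp/gitsig.XXXXXX) || exit 1
    GNUPGHOME="$work/gnupg"; export GNUPGHOME
    mkdir -m 700 "$GNUPGHOME" || exit 1
    gpg --batch --quiet --passphrase '' --pinentry-mode loopback \
        --quick-generate-key 'Demo Dev <dev@example.com>' default default never || exit 1
    # Long key id of the new secret key (field 5 of the "sec" record in colon output),
    # the same value --list-secret-keys --keyid-format=long shows
    keyid=$(gpg --list-secret-keys --with-colons | awk -F: '$1 == "sec" { print $5; exit }')
    rc=0
    git init -q "$work/repo" && cd "$work/repo" || exit 1
    # Same settings as the ~/.gitconfig fragment above, scoped to this repository
    git config user.name "Demo Dev"
    git config user.email "dev@example.com"
    git config user.signingkey "$keyid"
    git config commit.gpgsign true
    git config gpg.program gpg
    echo "hello" > README.txt && git add README.txt
    git commit -q -m "signed commit" >/dev/null 2>&1 || rc=1
    # Both checks must report a good signature from the configured key
    git verify-commit HEAD >/dev/null 2>&1 || rc=1
    git log -1 --show-signature 2>&1 | grep -q "Good signature" || rc=1
    cd / && gpgconf --kill gpg-agent 2>/dev/null
    rm -rf "$work"
    exit $rc
)

demo_signed_commit && echo "signed commit verified"
```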

Share Key

gpg --keyserver certserver.pgp.com --recv-key 0xBB7576AC
gpg --keyserver certserver.pgp.com --send-key blake@cyb.org

ref: [3]

Unknown Trust

ultimate vs unknown

You can edit your trust of a key:

gpg --edit-key user@useremail.com
trust
#  (choose trust level 1-5)
list
save
quit
gpg --edit-key user@useremail.com

     trust: unknown          validity: unknown

gpg> trust

Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

  1 = I don't know or won't say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately
  m = back to the main menu

Your decision? 5

gpg> save

gpg> quit

ref: [4]
