
GPG

GPG is GnuPG, the GNU Privacy Guard, an implementation of the OpenPGP standard. Everything it needs lives in ~/.gnupg: pubring.kbx holds the public keys (pubring.kbx~ is gpg's backup copy of it), private-keys-v1.d the secret keys, trustdb.gpg the ownertrust assignments, and openpgp-revocs.d the revocation certificates. The directory itself must be owner-only (mode 0700) or gpg warns about unsafe permissions; the files shown below with mode 664 would be safer at 600 as well. A typical layout:

wnoguchi@lasthope:~/.gnupg$ ls -ld ~/.gnupg/
drwx------ 5 wnoguchi wnoguchi 4096 Feb  6 18:56 /home/wnoguchi/.gnupg/
wnoguchi@lasthope:~/.gnupg$ ls -l ~/.gnupg/
total 36
drwx------ 2 wnoguchi wnoguchi 4096 Feb  4 12:48 crls.d
-rw-rw-r-- 1 wnoguchi wnoguchi   44 Jan 30 15:11 gpg-agent.conf
drwx------ 2 wnoguchi wnoguchi 4096 Feb  6 18:55 openpgp-revocs.d
drwx------ 2 wnoguchi wnoguchi 4096 Feb  4 12:18 private-keys-v1.d
-rw-rw-r-- 1 wnoguchi wnoguchi 6997 Feb  4 20:36 pubring.kbx
-rw-rw-r-- 1 wnoguchi wnoguchi 4530 Feb  4 12:48 pubring.kbx~
-rw------- 1 wnoguchi wnoguchi 1200 Jan 30 10:38 trustdb.gpg

Set Default Key

If no default key is configured in ~/.gnupg/gpg.conf, gpg signs with the first secret key it finds in the keyring, so name the key explicitly on each invocation:

gpg --default-key ABCDEF123456 ...

To avoid repeating the argument on every call, set it once in ~/.gnupg/gpg.conf:

default-key ABCDEF123456

Prefer the full fingerprint over a short key ID, since short IDs are easy to collide. The same setting decides which key --default-recipient-self encrypts to.

Export Public Key

Export the public key in ASCII-armored form and append it to a file (tee -a appends, so an existing file is kept). Always pass the fingerprint: --export with no argument dumps every public key in the keyring. This never emits secret key material; backing up the secret key takes --export-secret-keys.

gpg --export --armor EB46F8D643EF3A7CD686C002B4A5CEBBF13A8F59 | tee -a /var/tmp/wataru.noguchi.keys.gpg.asc

Import Key

Fetch a key from the configured keyserver by its long key ID. Keyservers do not authenticate what they serve, so compare the imported key's fingerprint with one obtained out of band before relying on it. The line "no ultimately trusted keys found" is about your own keyring: no key has ultimate ownertrust yet (see Edit Trust below).

gpg --recv-keys D94AA3F0EFE21092
gpg: key D94AA3F0EFE21092: 2 duplicate signatures removed
gpg: key D94AA3F0EFE21092: 64 signatures not checked due to missing keys
gpg: /home/wnoguchi/.gnupg/trustdb.gpg: trustdb created
gpg: key D94AA3F0EFE21092: public key "Ubuntu CD Image Automatic Signing Key (2012) <cdimage@ubuntu.com>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1

Import from a URL

--fetch-keys downloads a key file over HTTPS and imports it. The same fingerprint check applies: TLS authenticates the web server, not the key.

gpg --fetch-keys https://pg1x.com/files/public-keys/gpg/wataru.noguchi.asc

Sign

Detached Signature

The following command writes an ASCII-armored detached signature of SHA512SUMS to SHA512SUMS.gpg and leaves the signed file untouched. This is the usual form for signing release checksum files: the consumer verifies the signature over the checksum file, then checks each artifact against the checksums it lists.

gpg --detach-sign --armor --output SHA512SUMS.gpg SHA512SUMS

Sign Public Key

Signing (certifying) someone else's key with your own asserts that you have checked the key's fingerprint and the owner's identity. Do this only after comparing the fingerprint out of band; the certification is exportable and other people may rely on it. For a certification that stays in your own keyring, use --lsign-key instead.

gpg --sign-key ABCDEF123456

Verify

Verify a detached signature by naming the signature file first and the signed file second. "Good signature" means the signature is cryptographically valid for the named key; the [unknown] marker and the WARNING only say that the trust database has no opinion about that key. The decision therefore rests on the "Primary key fingerprint" line: compare it with the fingerprint the key owner publishes through a separate channel.

wnoguchi@hotaru:~/focal$ gpg --verify SHA256SUMS.gpg SHA256SUMS
gpg: Signature made Thu 23 Apr 2020 10:46:21 PM JST
gpg:                using RSA key D94AA3F0EFE21092
gpg: Good signature from "Ubuntu CD Image Automatic Signing Key (2012) <cdimage@ubuntu.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 8439 38DF 228D 22F7 B374  2BC0 D94A A3F0 EFE2 1092

Verify SHA256 Checksum

Only after the signature check passes, compare the ISO with its entry in the signed checksum file: grep extracts the matching line and sha256sum -c recomputes the hash. The grep pattern is an unanchored substring, so a file name that is a prefix of another entry would match that entry too; sha256sum reports OK only for the lines it actually receives.

grep ubuntu-20.04-live-server-amd64.iso SHA256SUMS | sha256sum -c
ubuntu-20.04-live-server-amd64.iso: OK
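The two checks above combined into one script that pins the signer's fingerprint instead of relying on the trust database, as an added example that is not part of the original page. It reads gpg's machine-readable --status-fd lines rather than the "Good signature" text, anchors the checksum lookup, and uses the fingerprint printed in the --verify output above. It assumes gpg, awk, grep, sed and sha256sum are on PATH and that the checksum file uses sha256sum's own line format; the sample status lines in the comments are constructed.

```shell
#!/bin/sh
# Added example, not from the original page: verify a signed checksum file
# and then one artifact listed in it, pinning the signer by fingerprint.
# Assumptions not stated on the page: gpg, awk, grep, sed and sha256sum are
# on PATH, and the checksum file uses sha256sum's own line format.

# Primary-key fingerprint printed by "gpg --verify" earlier on this page,
# without spaces.  Pin it here instead of asking the keyring for an opinion.
UBUNTU_CD_FPR=843938DF228D22F7B3742BC0D94AA3F0EFE21092

# Read "gpg --status-fd 1" output on stdin; succeed only if a VALIDSIG line
# names WANT as the signing key (field 3) or as the primary key (last field).
# The human-readable "Good signature ... [unknown]" text and the trust
# warning are ignored on purpose: VALIDSIG is the machine interface, and the
# fingerprint comparison replaces the web-of-trust decision.
validsig_by() {
    awk -v want="$1" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == want || $NF == want) { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# Verify detached signature SIG over SUMS and pin the signer to WANT.
verify_sums() {
    sums=$1; sig=$2; want=$3
    gpg --batch --status-fd 1 --verify "$sig" "$sums" 2>/dev/null | validsig_by "$want"
}

# Build an anchored regex for NAME so that "foo.iso" cannot match
# "foo.iso.torrent" or "old-foo.iso" when grepping the checksum file.
# sha256sum lines are "<64 hex> <space or *><name>".
sums_pattern() {
    esc=$(printf '%s' "$1" | sed 's/[][\\.*^$]/\\&/g')
    printf '^[0-9a-f]{64} [ *]%s$' "$esc"
}

# Check one artifact against an already verified checksum file.  sha256sum
# reads the single matching line from stdin and exits non-zero on a mismatch
# or a missing file; --strict also fails on malformed lines instead of
# silently ignoring them.
check_artifact() {
    sums=$1; name=$2
    grep -E "$(sums_pattern "$name")" "$sums" | sha256sum -c --strict -
}

# Typical use, mirroring the Ubuntu example on this page:
#   verify_sums SHA256SUMS SHA256SUMS.gpg "$UBUNTU_CD_FPR" \
#     && check_artifact SHA256SUMS ubuntu-20.04-live-server-amd64.iso
```

verify_sums succeeds even when the key sits in the keyring with [unknown] validity, because the fingerprint is what is checked; it fails for a valid signature by any other key, which the plain --verify exit status would not catch.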

Encrypt

For someone else, select their public key with --recipient and sign the ciphertext with your own key at the same time:

gpg --encrypt --sign --recipient 'wnoguchi@gp1x.com' gitlab-recovery-codes.txt

For yourself, --default-recipient-self encrypts to the key set by default-key:

gpg --encrypt --sign --default-recipient-self gitlab-recovery-codes.txt

Encryption error when no key matches the recipient

If the recipient string matches no key in the local keyring, gpg falls back to a Web Key Directory (WKD) lookup for the e-mail address and fails when that returns nothing. That is what happens here: the command names wnoguchi@gp1x.com, while the key elsewhere on this page carries wnoguchi@pg1x.com. Naming the recipient by fingerprint avoids both the typo and the network lookup.

wnoguchi@lasthope:~/Downloads$ gpg --encrypt --sign --recipient 'wnoguchi@gp1x.com' gitlab-recovery-codes.txt
gpg: error retrieving 'wnoguchi@gp1x.com' via WKD: No data
gpg: wnoguchi@gp1x.com: skipped: No data
gpg: gitlab-recovery-codes.txt: sign+encrypt failed: No data

Decrypt

Decrypt with -o to name the output file. For a file that was signed as well as encrypted, gpg also verifies the embedded signature and prints who made it; check that line, not only that decryption succeeded.

gpg -o gitlab-recovery-codes.txt --decrypt gitlab-recovery-codes.txt.gpg

Misc Topics

Generate Revocation Certificate

Generate the certificate while the secret key is still usable and store it offline: it is the only way to mark the key as revoked once the secret key is lost or compromised. GnuPG 2.1 and later already write one to ~/.gnupg/openpgp-revocs.d/ at key generation; the command below produces one by hand when that directory is missing, as it was here.

gpg --output ~/.gnupg/openpgp-revocs.d/EB46F8D643EF3A7CD686C002B4A5CEBBF13A8F59.rev --gen-revoke EB46F8D643EF3A7CD686C002B4A5CEBBF13A8F59
wnoguchi@lasthope:~/.gnupg$ mkdir openpgp-revocs.d
wnoguchi@lasthope:~/.gnupg$ chmod 700 openpgp-revocs.d
wnoguchi@lasthope:~/.gnupg$ gpg --output ~/.gnupg/openpgp-revocs.d/EB46F8D643EF3A7CD686C002B4A5CEBBF13A8F59.rev --gen-revoke EB46F8D643EF3A7CD686C002B4A5CEBBF13A8F59

sec  rsa4096/B4A5CEBBF13A8F59 2020-03-07 Wataru Noguchi <wnoguchi@pg1x.com>

Create a revocation certificate for this key? (y/N) y
Please select the reason for the revocation:
  0 = No reason specified
  1 = Key has been compromised
  2 = Key is superseded
  3 = Key is no longer used
  Q = Cancel
(Probably you want to select 1 here)
Your decision? 1
Enter an optional description; end it with an empty line:
> 
Reason for revocation: Key has been compromised
(No description given)
Is this okay? (y/N) y
ASCII armored output forced.
Revocation certificate created.

Please move it to a medium which you can hide away; if Mallory gets
access to this certificate he can use it to make your key unusable.
It is smart to print this certificate and store it away, just in case
your media become unreadable.  But have some caution:  The print system of
your machine might store the data and make it available to others!

Edit Trust

Ownertrust records how far you rely on a key's owner to certify other keys; it is what turns the [unknown] validity below into a valid key. Set ultimate trust only on keys whose secret key you hold, as in this session. For other people's keys, certify them (Sign Public Key above) after checking the fingerprint and assign full or marginal trust instead. The warning here appears because the key is the author's own but has no ownertrust assigned yet:

gpg: Signature made Sun 07 Feb 2021 10:50:14 AM JST
gpg:                using RSA key EB46F8D643EF3A7CD686C002B4A5CEBBF13A8F59
gpg: Good signature from "Wataru Noguchi <wnoguchi@pg1x.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: EB46 F8D6 43EF 3A7C D686  C002 B4A5 CEBB F13A 8F59

gpg --edit-key <id> trust
wnoguchi@lasthope:~/Downloads$ gpg --edit-key EB46F8D643EF3A7CD686C002B4A5CEBBF13A8F59 trust
gpg (GnuPG) 2.2.19; Copyright (C) 2019 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

sec  rsa4096/B4A5CEBBF13A8F59
     created: 2020-03-07  expires: 2022-03-07  usage: SC  
     trust: unknown       validity: unknown
ssb  rsa4096/0B01C2C37A3C328D
     created: 2020-03-07  expires: 2022-03-07  usage: E   
[ unknown] (1). Wataru Noguchi <wnoguchi@pg1x.com>

sec  rsa4096/B4A5CEBBF13A8F59
     created: 2020-03-07  expires: 2022-03-07  usage: SC  
     trust: unknown       validity: unknown
ssb  rsa4096/0B01C2C37A3C328D
     created: 2020-03-07  expires: 2022-03-07  usage: E   
[ unknown] (1). Wataru Noguchi <wnoguchi@pg1x.com>

Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

  1 = I don't know or won't say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately
  m = back to the main menu

Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y

sec  rsa4096/B4A5CEBBF13A8F59
     created: 2020-03-07  expires: 2022-03-07  usage: SC  
     trust: ultimate      validity: unknown
ssb  rsa4096/0B01C2C37A3C328D
     created: 2020-03-07  expires: 2022-03-07  usage: E   
[ unknown] (1). Wataru Noguchi <wnoguchi@pg1x.com>
Please note that the shown key validity is not necessarily correct
unless you restart the program.

gpg> quit

tech/se/pgp/gpg/gpg.txt · Last modified: 2021/02/07 13:07 by wnoguchi