PGP stands for "Pretty Good Privacy". An open-source version (that is compatible with PGP) is called GPG, for "GNU Privacy Guard". You can get GnuPG from its webpage; Debian/Ubuntu users can type apt-get install gnupg.
Below, we give examples of how to set up GPG ready for use on your system.
There is a graphical interface to key management called Seahorse. It makes it easy to see who has signed whose keys, and you can edit/create keys as well as sign and encrypt/decrypt messages. It is still in development, and does not use protected memory (ie it is not setuid), so don't type your passphrase into it if others have access to your machine (and you are paranoid). There is an official Debian package (apt-get install seahorse).
This is another front-end to GPG, which is more complete and polished than SeaHorse. Debian users can simply apt-get install gpa.
$ gpg --edit-key <keyid-or-email> ... Secret key is available. ... Command> addkey Key is protected. Enter passphrase: Please select what kind of key you want: ... Command> save
Don't forget to upload your key to a KeyServer again so everyone else can see this!
Here is an example:
$ gpg --list-keys --fingerprint jrm21 pub 1024D/D3F9478C 2002-09-17 John R. McPherson <jrm21@cs.waikato.ac.nz> Key fingerprint = EAC5 0592 EA7C 6F22 0548 CE09 83B7 E09C D3F9 478C sub 1024g/148FC512 2002-09-17
Under Linux, you must first create a public key/private key pair. Assuming you have GPG installed, you can use the command gpg --gen-key to create a pair - you will have to answer a few easy questions.
Note: If you're generating your key on a remote FreeBSD box, it may not have enough entropy to generate the required amount of random data. To get around it add: rand_irqs="14" to your /etc/rc.conf and reboot, or: rndcontrol -q -s 14, which is not persistent.
This allows the system to get entropy from IRQ 14 which will be your IDE controller, so access your disk and you'll get enough entropy
Then you can find your key ID: gpg --list-keys
And submit it to a GPG KeyServer: $gpg --send-key --keyserver the.earth.li <your public key ID>
If you like, you can now register yourself as being interested in having other people come and sign your key at biglumber.
To get a key by it's keyid you can use gpg --recv-key keyid.
You will need to tell gpg which keyserver to use. You can either add --keyserver <domain name> to every command, or add a line like keyserver wwwkeys.pgp.net to the ~/.gnupg/gpg.conf file (create it if it doesn't exist).
To get a key by email address you need to either use the web interfaces on the key servers (http://the.earth.li/) or if you are running a recent version of gpg(1) (more recent than the one in Debian 3.0) you can use gpg --search-key email@address.
Also for recent versions of gpg(1) (1.2.1 and later) you can also do gpg --refresh-keysto download any new signatures for all of the keys in your keyring.
For example: Perry's gpg ID is
pub 1024D/2F33F144 2000-09-23 Perry Lorier (Local network) <perry@coders.tla> Key fingerprint = 0A5F E3C9 8CF7 7FB7 378D 3C1C 7008 11A7 2F33 F144 <pre> PerryLorier's key id is 2F33F144, so you do gpg --recv-key 2F33F144 and a few seconds later you have his GPG key. You need to use the --keyserver option if it has not already been set: <pre> gpg --keyserver the.earth.li --recv-key 2F33F144
You should see a message like:
$ gpg --keyserver the.earth.li --recv-key 2F33F144 gpg: requesting key 2F33F144 from the.earth.li ... gpg: key 2F33F144: public key imported gpg: Total number processed: 1 gpg: imported: 1 $
You can double check by doing gpg --list-keys again.
If the full key is posted on a website, try gpg --import key.asc: for example, you can find Red Hat's public key on their website.
Here is what a full key looks like. Disclaimer: do NOT import this key off this page, as it may have been tampered with (being a public wiki):
Type bits/keyID Date User ID pub 1024D/DB42A60E 1999-09-23 Red Hat, Inc. (security@redhat.com) sub 2048g/961630A2 1999-09-23 -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.0.0 (GNU/Linux) Comment: For info see http://www.gnupg.org mQGiBDfqVDgRBADBKr3Bl6PO8BQ0H8sJoD6p9U7Yyl7pjtZqioviPwXP+DCWd4u8 HQzcxAZ57m8ssA1LK1Fx93coJhDzM130+p5BG9mYSWShLabR3N1KXdXQYYcowTOM GxdwYRGr1Spw8QydLhjVfU1VSl4xt6bupPbWJbyjkg5Z3P7BlUOUJmrx3wCgobNV EDGaWYJcch5z5B1of/41G8kEAKii6q7Gu/vhXXnLS6m15oNnPVybyngiw/23dKjS ZVG7rKANEK2mxg1VB+vc/uUc4k49UxJJfCZg1gu1sPFV3GSa+Y/7jsiLktQvCiLP lncQt1dV+ENmHR5BdIDPWDzKBVbgWnSDnqQ6KrZ7T6AlZ74VMpjGxxkWU6vV2xsW XCLPA/9P/vtImA8CZN3jxGgtK5GGtDNJ/cMhhuv5tnfwFg4b/VGo2Jr8mhLUqoIb E6zeGAmZbUpdckDco8D5fiFmqTf5+++pCEpJLJkkzel/32N2w4qzPrcRMCiBURES PjCLd4Y5rPoU8E4kOHc/4BuHN903tiCsCPloCrWsQZ7UdxfQ5LQiUmVkIEhhdCwg SW5jIDxzZWN1cml0eUByZWRoYXQuY29tPohVBBMRAgAVBQI36lQ4AwsKAwMVAwID FgIBAheAAAoJECGRgM3bQqYOsBQAnRVtg7B25Hm11PHcpa8FpeddKiq2AJ9aO8sB XmLDmPOEFI75mpTrKYHF6rkCDQQ36lRyEAgAokgI2xJ+3bZsk8jRA8ORIX8DH05U lMH27qFYzLbT6npXwXYIOtVn0K2/iMDj+oEB1Aa2au4OnddYaLWp06v3d+XyS0t+ 5ab2ZfIQzdh7wCwxqRkzR+/H5TLYbMG+hvtTdylfqIX0WEfoOXMtWEGSVwyUsnM3 Jy3LOi48rQQSCKtCAUdV20FoIGWhwnb/gHU1BnmES6UdQujFBE6EANqPhp0coYoI hHJ2oIO8ujQItvvNaU88j/s/izQv5e7MXOgVSjKe/WX3s2JtB/tW7utpy12wh1J+ JsFdbLV/t8CozUTpJgx5mVA3RKlxjTA+On+1IEUWioB+iVfT7Ov/0kcAzwADBQf9 E4SKCWRand8K0XloMYgmipxMhJNnWDMLkokvbMNTUoNpSfRoQJ9EheXDxwMpTPwK ti/PYrrL2J11P2ed0x7zm8v3gLrY0cue1iSba+8glY+p31ZPOr5ogaJw7ZARgoS8 BwjyRymXQp+8Dete0TELKOL2/itDOPGHW07SsVWOR6cmX4VlRRcWB5KejaNvdrE5 4XFtOd04NMgWI63uqZc4zkRa+kwEZtmbz3tHSdRCCE+Y7YVP6IUf/w6YPQFQriWY FiA6fD10eB+BlIUqIw80VgjsBKmCwvKkn4jg8kibXgj4/TzQSx77uYokw1EqQ2wk OZoaEtcubsNMquuLCMWijYhGBBgRAgAGBQI36lRyAAoJECGRgM3bQqYOhyYAnj7h VDY/FJAGqmtZpwVp9IlitW5tAJ4xQApr/jNFZCTksnI+4O1765F7tA== =3AHZ -----END PGP PUBLIC KEY BLOCK-----
If you are using the WebOfTrust, you can import it off the website and it doesn't matter if someone has tampered with it because any tampering will get cause the CryptographicHash not to match and so it won't be trusted anyway.
gpg --edit-key your@email.address > list the uid number you want eg: > 1 > primary > save
I spent ages trying to figure out what the parameter to "primary" was, when in fact it has none. Doh!
This is the same for deleting a uid with "deluid". You don't say deluid 2, you say
> 2 > deluid
gpg --rebuild-keydb-caches increases the speed of many operations for existing keyrings.
sig 21100060 2005-02-05 [User ID not found]
So, who are all these numbers that have signed my key?
gpg --with-colons --list-sigs <your-key-id> | \ cut -f 5 -d':' | xargs gpg --recv-key
(2003). After the famous ftp.gnu.org compromise, the FSF changed their policy - instead of uploading package MD5 checksum to the ftp server, package maintainers now GPG-sign the packages. This makes it impossible for a cracker to modify a package without anyone noticing, since the cracker can't generate the signature (unless they managed to compromise or steal the person's private key).
(2002-10) In the last few months there have been several ftp servers exploited, and sources to programs are being replaced with ones that have a trojaned configure script. There have been some rather critical programs exploited, libpcap, openssh etc. The first few were easily noticable: the md5sum file no longer matched the archive. The hackers quickly got smart and replaced the md5sum files too. If you are going to release files, then you should consider creating a detached signature for people to verify.
gpg --armour --detach-sign foo.tar.bz2
this creates a .asc file to go with the tar.bz2. When you receive a file, and it's .asc file, you do
gpg --verify foo.tar.bz2.asc foo.tar.bz2
which should say something like "Good signature from someone". Your web of trust should be large enough to verify this key (if it's not you need to find more people who have keys to sign). You should also verify "someone" is someone you trust to release this tarball.
See also WhySignEmail.
This error is the result of a breakdown of trust. There can be several issues: It can occur on your own keys if the trust database is deleted. The solution is to use:
gpg --edit 0x012345678 ... trust
and tell GPG that you trust yourself. It can also occur if you are trying to send encrypted email to someone whose key you haven't signed, the solution is to sign their key or use --trusted-key for this operation.
gpg --export-secret-key 0x12345678 | gpgsplit --no-split --secret-to-public | gpg --import
Generating keys with expiry dates is good because it allows the keys to be flushed from keyservers and keyrings aftre a fixed length of time and limits the period revocation certificates have to be circulated. However, often it is advisable to extend the life of a key which is embedded in the web of trust.
This can be done using the command gpg --edit 0x12345678, and then the "expire" option. Some signatures have expiry dates within them which co-incide with the expiry date of the key. There is no way to extend these, except to get the signer to sign the updated key.
A comprehensive table of what algorithms are supported by every version of PGP/GnuPG is available.
The PGP Global Directory does not appear to generate new signatures use used as standard via the --refresh option. Here's a little script that will do this for every key on your keyring:
gpg --with-colons --list-sigs | awk -F: '/pub/{pub=$5;}/sig:::17:/{if ($5="9710B89BCA57AD7C") print pub}' | sort | uniq | awk '{printf "wget https://keyserver.pgp.com/vkd/DownloadKey.event?keyid=0x%s\n", $0;}' > cmds source cmds gpg --import DownloadKey?.event\?keyid\=0x* gpg --with-colons --list-sigs | awk -F: '/pub/{pub=$5;}/sig:::17:/{if ($5="9710B89BCA57AD7C") print pub}' | sort | uniq | awk '{printf "gpg --send %s\n", $0;}' > cmds2 source cmds2
Part of CategoryCryptography