Blame: GPG/PGPNotes
Annotated edit history of GPG/PGPNotes version 68, including all changes.
Rev Author # Line
65 CraigBox 1 PGP stands for "Pretty Good Privacy". An open-source version (that is compatible with PGP) is called GPG, for "[GNU] Privacy Guard". You can [get GnuPG from its webpage|http://www.gnupg.org]; Debian/Ubuntu users can type <tt>apt-get install gnupg</tt>.
58 StuartYeates 2
63 CraigBox 3 Below, we give examples of how to set up GPG ready for use on your system.
58 StuartYeates 4
63 CraigBox 5 !!! __Creating And Managing Keys__
58 StuartYeates 6
63 CraigBox 7 !! Graphical programs to help out
58 StuartYeates 8
9 ! SeaHorse
10
64 CraigBox 11 There is a graphical interface to key management called [Seahorse|http://seahorse.sourceforge.net/]. It makes it easy to see who has signed whose keys, and you can edit/create keys as well as sign and encrypt/decrypt messages. It is still in development, and does not use protected memory (i.e. it is not setuid), so don't type your passphrase into it if others have access to your machine (and you are paranoid). There is an official Debian package (<tt>apt-get install seahorse</tt>).
58 StuartYeates 12
13 !GNU Privacy Assistant
64 CraigBox 14 This is another front-end to [GPG], which is more complete and polished than SeaHorse. Debian users can simply <tt>apt-get install gpa</tt>.
58 StuartYeates 15
16 ----
17 !Notes about keys
64 CraigBox 18
58 StuartYeates 19 * Keys have at least two parts -- a public key and a private key. Only the key creator should have access to the private key - often it is protected by a "passphrase" so that you need to know the passphrase to unscramble the private key. This is used for example on a machine that other people might have access to.
20
21 * There are different types of keys, using different algorithms. [DSA] can only be used for signing. ElGamal is used for encrypting. [RSA] is another encryption algorithm, and can be used for signing or for encrypting. Usually a GPG key will have the main public/private key for signing/verifying, and another pair as a sub-key for encryption/decryption. You are asked what type you want when you create a key (see below). The default is to create DSA and ElGamal keys so you can both sign and encrypt messages. If you create a sign-only key and later want to add another key so you can encrypt, you can do this interactively:
64 CraigBox 22 <pre>
23 $ gpg --edit-key <keyid-or-email>
24 ...
25 Secret key is available.
26 ...
27 Command> addkey
28 Key is protected.
29 Enter passphrase:
30 Please select what kind of key you want:
31 ...
32 Command> save
33 </pre>
34
58 StuartYeates 35 Don't forget to upload your key to a KeyServer again so everyone else can see this!
36
37 * A 10 byte [MD5] check-sum of the public key is called a "fingerprint" and is used to uniquely identify keys (in hexadecimal). You can refer to all the parts of a key with this ID. The last 4 bytes of the fingerprint can be used as a key ID in most places.
38
39 Here is an example:
64 CraigBox 40 <pre>
41 $ gpg --list-keys --fingerprint jrm21
42 pub 1024D/D3F9478C 2002-09-17 John R. ~McPherson <jrm21@cs.waikato.ac.nz>
43 Key fingerprint = EAC5 0592 EA7C 6F22 0548 CE09 83B7 E09C D3F9 478C
44 sub 1024g/148FC512 2002-09-17
45 </pre>
58 StuartYeates 46
47 # The command lists all keys matching the string "jrm21", and prints out the keys' fingerprints.
48 # The public key is using 1024 bit DSA. (Remember that DSA is used for signing). This key's ID is the last 4 bytes of the fingerprint, D3F9478C.
49 # This key has a subkey, which uses 1024-bit ElGamal. This key is used for encrypting and decrypting. However, to encrypt something for this user, you can use the "main" key's ID - you do not need to refer to the subkey's ID when encrypting.
50
51 ----
52 !!Creating a Key
53
64 CraigBox 54 Under Linux, you must first create a public key/private key pair. Assuming you have GPG installed, you can use the command <tt>gpg --gen-key</tt> to create a pair - you will have to answer a few easy questions.
58 StuartYeates 55
65 CraigBox 56 __Note__: If you're generating your key on a remote FreeBSD box, it may not have enough entropy to generate the required amount of random data. To get around it add: <tt>rand_irqs="14"</tt> to your /etc/rc.conf and reboot, or: <tt>rndcontrol -q -s 14</tt>, which is not persistent.
58 StuartYeates 57
58 This allows the system to get entropy from IRQ 14 which will be your IDE controller, so access your disk and you'll get enough entropy
59
64 CraigBox 60 Then you can find your key ID: <tt>gpg --list-keys</tt>
58 StuartYeates 61
64 CraigBox 62 And submit it to a GPG KeyServer: <tt>$ gpg --send-key --keyserver the.earth.li <your public key ID></tt>
58 StuartYeates 63
64 CraigBox 64 If you like, you can now register yourself as being interested in having other people come and sign your key at [biglumber|http://www.biglumber.com/index.html].
58 StuartYeates 65
66 ----
60 MattBrown 67 !!Finding Other Keys
58 StuartYeates 68
64 CraigBox 69 To get a key by its keyid you can use <tt>gpg --recv-key ''keyid''</tt>.
58 StuartYeates 70
67 CraigBox 71 You will need to tell gpg which keyserver to use. You can either add <tt>--keyserver <domain name></tt> to every command, or add a line like <tt>keyserver wwwkeys.pgp.net</tt> to the ''~~/.gnupg/gpg.conf'' file (create it if it doesn't exist).
58 StuartYeates 72
64 CraigBox 73 To get a key by email address you need to either use the web interfaces on the key servers (http://the.earth.li/) or if you are running a recent version of gpg(1) (more recent than the one in Debian 3.0) you can use <tt>gpg --search-key ''email@address''</tt>.
58 StuartYeates 74
64 CraigBox 75 With recent versions of gpg(1) (1.2.1 and later) you can also do <tt>gpg --refresh-keys</tt> to download any new signatures for all of the keys in your keyring.
58 StuartYeates 76
65 CraigBox 77 For example: Perry's gpg ID is
64 CraigBox 78
65 CraigBox 79 <pre>
80 pub 1024D/2F33F144 2000-09-23 Perry Lorier (Local network) <perry@coders.tla>
81 Key fingerprint = 0A5F E3C9 8CF7 7FB7 378D 3C1C 7008 11A7 2F33 F144
82 </pre>
83
84 PerryLorier's key id is 2F33F144, so you do <tt>gpg --recv-key 2F33F144</tt> and a few seconds later you have his GPG key. You need to use the --keyserver option if it has not already been set:
85 <pre>
86 gpg --keyserver the.earth.li --recv-key 2F33F144
87 </pre>
58 StuartYeates 88
89 You should see a message like:
65 CraigBox 90 <pre>
91 $ gpg --keyserver the.earth.li --recv-key 2F33F144
92 gpg: requesting key 2F33F144 from the.earth.li ...
93 gpg: key 2F33F144: public key imported
94 gpg: Total number processed: 1
95 gpg: imported: 1
96 $
97 </pre>
58 StuartYeates 98
65 CraigBox 99 You can double check by doing <tt>gpg --list-keys</tt> again.
58 StuartYeates 100
65 CraigBox 101 If the full key is posted on a website, try <tt>gpg --import key.asc</tt>: for example, you can find [Red Hat's public key|http://www.redhat.com/solutions/security/news/publickey.html] on their website.
58 StuartYeates 102
103 Here is what a full key looks like. ''Disclaimer: do __NOT__ import this key off this page, as it may have been tampered with (being a public wiki)'':
64 CraigBox 104 <pre>
105 Type bits/keyID Date User ID
106 pub 1024D/DB42A60E 1999-09-23 Red Hat, Inc. (security@redhat.com)
107 sub 2048g/961630A2 1999-09-23
58 StuartYeates 108
64 CraigBox 109 -----BEGIN PGP PUBLIC KEY BLOCK-----
110 Version: GnuPG v1.0.0 (GNU/Linux)
111 Comment: For info see http://www.gnupg.org
58 StuartYeates 112
64 CraigBox 113 mQGiBDfqVDgRBADBKr3Bl6PO8BQ0H8sJoD6p9U7Yyl7pjtZqioviPwXP+DCWd4u8
114 HQzcxAZ57m8ssA1LK1Fx93coJhDzM130+p5BG9mYSWShLabR3N1KXdXQYYcowTOM
115 GxdwYRGr1Spw8QydLhjVfU1VSl4xt6bupPbWJbyjkg5Z3P7BlUOUJmrx3wCgobNV
116 EDGaWYJcch5z5B1of/41G8kEAKii6q7Gu/vhXXnLS6m15oNnPVybyngiw/23dKjS
117 ZVG7rKANEK2mxg1VB+vc/uUc4k49UxJJfCZg1gu1sPFV3GSa+Y/7jsiLktQvCiLP
118 lncQt1dV+ENmHR5BdIDPWDzKBVbgWnSDnqQ6KrZ7T6AlZ74VMpjGxxkWU6vV2xsW
119 XCLPA/9P/vtImA8CZN3jxGgtK5GGtDNJ/cMhhuv5tnfwFg4b/VGo2Jr8mhLUqoIb
120 E6zeGAmZbUpdckDco8D5fiFmqTf5+++pCEpJLJkkzel/32N2w4qzPrcRMCiBURES
121 PjCLd4Y5rPoU8E4kOHc/4BuHN903tiCsCPloCrWsQZ7UdxfQ5LQiUmVkIEhhdCwg
122 SW5jIDxzZWN1cml0eUByZWRoYXQuY29tPohVBBMRAgAVBQI36lQ4AwsKAwMVAwID
123 FgIBAheAAAoJECGRgM3bQqYOsBQAnRVtg7B25Hm11PHcpa8FpeddKiq2AJ9aO8sB
124 XmLDmPOEFI75mpTrKYHF6rkCDQQ36lRyEAgAokgI2xJ+3bZsk8jRA8ORIX8DH05U
125 lMH27qFYzLbT6npXwXYIOtVn0K2/iMDj+oEB1Aa2au4OnddYaLWp06v3d+XyS0t+
126 5ab2ZfIQzdh7wCwxqRkzR+/H5TLYbMG+hvtTdylfqIX0WEfoOXMtWEGSVwyUsnM3
127 Jy3LOi48rQQSCKtCAUdV20FoIGWhwnb/gHU1BnmES6UdQujFBE6EANqPhp0coYoI
128 hHJ2oIO8ujQItvvNaU88j/s/izQv5e7MXOgVSjKe/WX3s2JtB/tW7utpy12wh1J+
129 JsFdbLV/t8CozUTpJgx5mVA3RKlxjTA+On+1IEUWioB+iVfT7Ov/0kcAzwADBQf9
130 E4SKCWRand8K0XloMYgmipxMhJNnWDMLkokvbMNTUoNpSfRoQJ9EheXDxwMpTPwK
131 ti/PYrrL2J11P2ed0x7zm8v3gLrY0cue1iSba+8glY+p31ZPOr5ogaJw7ZARgoS8
132 BwjyRymXQp+8Dete0TELKOL2/itDOPGHW07SsVWOR6cmX4VlRRcWB5KejaNvdrE5
133 4XFtOd04NMgWI63uqZc4zkRa+kwEZtmbz3tHSdRCCE+Y7YVP6IUf/w6YPQFQriWY
134 FiA6fD10eB+BlIUqIw80VgjsBKmCwvKkn4jg8kibXgj4/TzQSx77uYokw1EqQ2wk
135 OZoaEtcubsNMquuLCMWijYhGBBgRAgAGBQI36lRyAAoJECGRgM3bQqYOhyYAnj7h
136 VDY/FJAGqmtZpwVp9IlitW5tAJ4xQApr/jNFZCTksnI+4O1765F7tA==
137 =3AHZ
138 -----END PGP PUBLIC KEY BLOCK-----
139 </pre>
58 StuartYeates 140
64 CraigBox 141 If you are using the WebOfTrust, you can import it off the website and it doesn't matter if someone has tampered with it, because any tampering will cause the CryptographicHash not to match and so it won't be trusted anyway.
58 StuartYeates 142
143 ----
144
145 !!!General Notes
146
64 CraigBox 147 ; How do I delete/cancel a key? : <tt>gpg --gen-revoke <key-id></tt>. Copy the text from this output somewhere very safe, because anyone can use this to revoke your PGP key.
59 CraigBox 148
66 CraigBox 149 ; How do I ''use'' a revocation cert once you've generated one? : <tt>gpg --import revoke.asc</tt><br><tt>gpg --send-key <key-id></tt>
59 CraigBox 150
64 CraigBox 151 ; How do you change your primary uid? : In 1.0.7+ there is a "primary" command when you use --edit-key which makes the __currently selected__ uid your primary uid. So, to change your UID, you do:
152 <pre>
153 gpg --edit-key ''your@email.address''
154 > list
155 ''the uid number you want eg:''
156 > 1
157 > primary
158 > save
159 </pre>
59 CraigBox 160
161 I spent ages trying to figure out what the parameter to "primary" was, when in fact it has none. Doh!
58 StuartYeates 162
65 CraigBox 163 This is the same for deleting a uid with "deluid". You don't say <tt>deluid 2</tt>, you say
164 <pre>
165 > 2
166 > deluid
167 </pre>
59 CraigBox 168 !!Periodic Maintenance
58 StuartYeates 169
64 CraigBox 170 <tt>gpg --rebuild-keydb-caches</tt> increases the speed of many operations for existing keyrings.
62 CraigBox 171
172 !!How to get all the keys of people who have signed your key
64 CraigBox 173 <pre>
66 CraigBox 174 sig 21100060 2005-02-05 ~[User ID not found]
64 CraigBox 175 </pre>
62 CraigBox 176
177 So, who are all these numbers that have signed my key?
178
64 CraigBox 179 <pre>gpg --with-colons --list-sigs <your-key-id> | \
180 cut -f 5 -d':' | xargs gpg --recv-key
181 </pre>
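The pipeline above takes field 5 of every record, so it also passes your own key ID, subkey IDs and duplicates to <tt>gpg --recv-key</tt>. The following is an added example, not part of the original page: the function name <tt>signer_ids</tt> and the sample listing (with made-up key IDs) are constructed for illustration, and the filter runs without gpg installed.

```shell
#!/bin/sh
# Added example (not from the original page): pick the signer key IDs out of
# `gpg --with-colons --list-sigs` output before fetching them.

# signer_ids OWN_KEYID   -- reads the colon-format listing on stdin.
# Prints each distinct signer's 16-hex-digit key ID once. Unlike `cut -f 5`,
# it ignores pub/sub/uid records, self-signatures and anything that is not hex.
# OWN_KEYID may be the short (8-digit) or long (16-digit) form.
signer_ids() {
    awk -F: -v own="$(printf '%s' "$1" | tr 'a-f' 'A-F')" '
        $1 != "sig" { next }                      # signature records only
        {
            id = toupper($5)
            if (length(id) != 16 || id !~ /^[0-9A-F]+$/) next
            # self-signature: our own ID is a suffix of the signer ID
            if (own != "" && substr(id, length(id) - length(own) + 1) == own) next
            if (!(id in seen)) { seen[id] = 1; print id }
        }'
}

# Constructed sample listing; every key ID and name here is made up.
sample_listing() {
    cat <<'EOF'
pub:u:1024:17:1111111111111111:2002-09-17:::u:Constructed User <user@example.org>::scESC:
sig:::17:1111111111111111:2002-09-17::::Constructed User <user@example.org>:13x:
sig:::17:2222222222222222:2005-02-05::::[User ID not found]:10x:
sig:::17:2222222222222222:2005-03-01::::[User ID not found]:10x:
sig:::17:3333333333333333:2004-06-10::::Another Signer <signer@example.org>:10x:
sub:u:1024:16:4444444444444444:2002-09-17::::::e:
sig:::17:1111111111111111:2002-09-17::::Constructed User <user@example.org>:18x:
EOF
}

# Real use (needs gpg and a configured keyserver):
#   gpg --with-colons --list-sigs "$KEYID" | signer_ids "$KEYID" | xargs gpg --recv-key
sample_listing | signer_ids 1111111111111111
```

Fetching a signer's key only makes it available for checking signatures; it says nothing about whether that key belongs to the person named in it.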
58 StuartYeates 182
183 ----
184 !!!How to verify files with gpg/pgp
185 (2003). After the famous ftp.gnu.org compromise, the [FSF] changed their policy - instead of uploading package [MD5] checksums to the ftp server, package maintainers now GPG-sign the packages. This makes it impossible for a cracker to modify a package without anyone noticing, since the cracker can't generate the signature (unless they managed to compromise or steal the person's private key).
186
187 (2002-10) In the last few months there have been several ftp servers exploited, and sources to programs are being replaced with ones that have a trojaned configure script. There have been some rather critical programs exploited, libpcap, openssh etc. The first few were easily noticeable: the md5sum file no longer matched the archive. The hackers quickly got smart and replaced the md5sum files too. If you are going to release files, then you should consider creating a detached signature for people to verify.
188 <tt>gpg --armour --detach-sign foo.tar.bz2</tt>
189 This creates a .asc file to go with the tar.bz2. When you receive a file and its .asc file, you do
190 <tt>gpg --verify foo.tar.bz2.asc foo.tar.bz2</tt>
191 which should say something like "Good signature from ''someone''". Your web of trust should be large enough to verify this key (if it's not, you need to find more people who have keys to sign). You should also verify "someone" is someone you trust to release this tarball.
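A "Good signature" message only says that some key in your keyring made the signature; checking that it was the releaser's key can be scripted by pinning that key's fingerprint and reading gpg's <tt>--status-fd</tt> output. This is an added example, not part of the original page: the function name <tt>signed_by</tt>, the fingerprints and the status lines are constructed for illustration, so it runs without gpg.

```shell
#!/bin/sh
# Added example (not from the original page): accept a detached signature only
# if gpg's machine-readable status says it is valid AND made by a pinned key.

# signed_by FINGERPRINT  -- reads `gpg --status-fd 1 --verify SIG FILE` output on stdin.
# Exit 0 only when a VALIDSIG line names FINGERPRINT (signing key or its primary
# key) and no BADSIG/ERRSIG/EXPSIG/EXPKEYSIG/REVKEYSIG line appears.
signed_by() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    awk -v want="$want" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" && (toupper($3) == want || toupper($NF) == want) { good = 1 }
        END { if (good && !bad) exit 0; exit 1 }'
}

# Constructed status output; the fingerprints and names are made up.
PINNED="0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567"
status_good() {
    cat <<'EOF'
[GNUPG:] GOODSIG 89ABCDEF01234567 Constructed Releaser <releaser@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2003-08-15 1060905600 0 3 0 17 2 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED
EOF
}
status_tampered() {
    cat <<'EOF'
[GNUPG:] BADSIG 89ABCDEF01234567 Constructed Releaser <releaser@example.org>
EOF
}
status_other_signer() {
    cat <<'EOF'
[GNUPG:] GOODSIG 76543210FEDCBA98 Someone Else <other@example.org>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2003-08-15 1060905600 0 3 0 17 2 00 FEDCBA9876543210FEDCBA9876543210FEDCBA98
EOF
}

# Real use (needs gpg and the signer's public key already imported):
#   gpg --status-fd 1 --verify foo.tar.bz2.asc foo.tar.bz2 2>/dev/null | signed_by "$PINNED"
status_good | signed_by "$PINNED" && echo "accept: valid signature from pinned key"
status_other_signer | signed_by "$PINNED" || echo "reject: valid signature, wrong signer"
```

The pinned fingerprint has to reach you by a path the ftp server does not control, such as a key signing or a previous release you already trust.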
192
64 CraigBox 193 See also WhySignEmail.
58 StuartYeates 194
195 ----
196 !!!"There is no indication that this key really belongs to the owner"
197
198 This error is the result of a breakdown of trust. There can be several issues:
199 It can occur on your own keys if the trust database is deleted. The solution is to use:
64 CraigBox 200 <pre>
58 StuartYeates 201 gpg --edit 0x012345678
202 ...
203 trust
64 CraigBox 204 </pre>
58 StuartYeates 205 and tell [GPG] that you trust yourself. It can also occur if you are trying to send encrypted email to someone whose key you haven't signed; the solution is to sign their key or use --trusted-key for this operation.
206 ----
207 !!!Recover a public key from the corresponding secret key
64 CraigBox 208 <pre>
58 StuartYeates 209 gpg --export-secret-key 0x12345678 | gpgsplit --no-split --secret-to-public | gpg --import
64 CraigBox 210 </pre>
58 StuartYeates 211 ----
212 !!!Extend the lifetime of, or "unexpire", a key
213
64 CraigBox 214 Generating keys with expiry dates is good because it allows the keys to be flushed from keyservers and keyrings after a fixed length of time and limits the period revocation certificates have to be circulated. However, often it is advisable to extend the life of a key which is embedded in the web of trust.
58 StuartYeates 215
64 CraigBox 216 This can be done using the command <tt>gpg --edit 0x12345678</tt>, and then the "expire" option. Some signatures have expiry dates within them which coincide with the expiry date of the key. There is no way to extend these, except to get the signer to sign the updated key.
58 StuartYeates 217
218 ----
219 !!!Ensuring compatibility with old versions of [PGP]/[GnuPG]:
220
64 CraigBox 221 [A comprehensive table of what algorithms are supported by every version of PGP/GnuPG|https://netfiles.uiuc.edu/ehowes/www/pgp-summ.htm] is available.
68 StuartYeates 222
223 ----
224 !!!Getting new keys from the PGP Global Directory
225
226 New signatures generated by the PGP Global Directory do not appear to be picked up as standard via the --refresh option. Here's a little script that will fetch them for every key on your keyring:
227
228 <pre>
229 gpg --with-colons --list-sigs | awk -F: '/pub/{pub=$5;}/sig:::17:/{if ($5=="9710B89BCA57AD7C") print pub}' | sort | uniq | awk '{printf "wget https://keyserver.pgp.com/vkd/DownloadKey.event?keyid=0x%s\n", $0;}' > cmds
230 source cmds
231 gpg --import DownloadKey.event\?keyid\=0x*
232 gpg --with-colons --list-sigs | awk -F: '/pub/{pub=$5;}/sig:::17:/{if ($5=="9710B89BCA57AD7C") print pub}' | sort | uniq | awk '{printf "gpg --send %s\n", $0;}' > cmds2
233 source cmds2
234 </pre>
235
236
63 CraigBox 237
238 !!!See also
239
240 * [GnuPG Keysigning Party HOWTO | http://www.cryptnet.net/fdp/crypto/gpg-party.html]
241 * [GPGMailClients], for integrating encryption into your favourite email client.
242 * [KeySigningScripts]
58 StuartYeates 243 ----
244 Part of CategoryCryptography
