Preface
PGP, short for Pretty Good Privacy, is a program designed to encrypt information and protect privacy.
Because PGP is commercial software, the open-source community built a free, open-source implementation of the OpenPGP standard: GPG (GnuPG). In this article, GPG and PGP are treated as equivalent.
Note, however, that "GPG"/"GnuPG" normally refers only to the software. GPG follows the OpenPGP standard, so the related concepts and artifacts are better described with "PGP". For example:
- PGP key ✅; GPG key ❌
- PGP signature ✅; GPG signature ❌
GPG Key Management
Concepts
Before getting to the main content, let us look at the concepts behind a GPG key.
A GPG key is based on asymmetric cryptography, but it cannot simply be understood as one private key plus one public key: it consists of one primary key and several subkeys. A GPG key carries the following information:

| Field | Description |
| --- | --- |
| Key ID | Unique identifier of the GPG key; its value is the fingerprint of the primary public key and it can be written in several formats |
| UID | Identity information attached to the GPG key; each UID consists of name, email and comment, where email and comment may be empty. One GPG key can have several UIDs |
| Expire | Expiry time; can be set to never expire |
| Keys | The set of subkeys; a key consisting only of the primary key is allowed |
Key types

| Key type | Full name | Abbreviation | Usage | Notes |
| --- | --- | --- | --- | --- |
| Primary private key | Secret Key | sec | SC | There is exactly one primary private key; it may have one or more usages |
| Primary public key | Public Key | pub | SC | There is exactly one primary public key; it may have one or more usages |
| Private subkey | Secret Subkey | ssb | S/A/E | There can be several private subkeys, each with one or more usages |
| Public subkey | Public Subkey | sub | S/A/E | There can be several public subkeys, each with one or more usages |
Key usages

| Abbreviation | Full name | Description |
| --- | --- | --- |
| C | Certificating | Managing the GPG key itself, such as adding, deleting or revoking components. The primary key always has C |
| S | Signing | Signing, e.g. file signatures, e-mail signatures, Git commit signatures. The primary key always has S |
| A | Authenticating | Authentication, e.g. SSH login |
| E | Encrypting | Encryption |
Additional notes on the C usage:
- adding or revoking subkey usages
- adding, changing or revoking the identities (UIDs) associated with the key
- adding or changing the expiry time of the key itself or of its subkeys
- signing other keys for web-of-trust purposes
- only this key can perform the operations above
GPG Public Key
The public key, as its name says, is the part that is meant to be published. A GPG public key carries the following information:
Notes:
- When a GPG public key is exported, GPG signs it with the private key so that the public key cannot be tampered with.
- If you have already published the public key, no deletion on the GPG key will take effect: GPG updates a public key by merging the new copy with the old one, so deleted subkeys/UIDs are restored. The correct approach is to revoke the subkey/UID instead.
- After any change to the GPG key, the GPG public key must be published again.
Creating a GPG Key
Generating the primary key
Run the following command to generate the primary key:

```
$ gpg --full-gen-key
gpg (GnuPG) 2.2.41-unknown; Copyright (C) 2022 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
  (14) Existing key from card
Your selection? 1

RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 4096
Requested keysize is 4096 bits

Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: example
Email address: example@gmail.com
Comment:
You selected this USER-ID:
    "example <example@gmail.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

gpg: revocation certificate stored as '/c/Users/Tanuoxi/.gnupg/openpgp-revocs.d/39A2594E58C3681D10A3D27090A33BCEC0C88DE1.rev'
public and secret key created and signed.

pub   rsa4096 2024-03-05 [SC]
      39A2594E58C3681D10A3D27090A33BCEC0C88DE1
uid                      example <example@gmail.com>
sub   rsa4096 2024-03-05 [E]
```

In the final output you can see that:
- one primary key and one subkey for encryption were generated
- 39A2594E58C3681D10A3D27090A33BCEC0C88DE1 is the fingerprint of this GPG key
Adding subkeys
Enter edit mode for the target GPG key:

```
# --expert enables advanced mode; gpg has no preset for an Auth subkey, so it has to be configured by hand
$ gpg --expert --edit-key 39A2594E58C3681D10A3D27090A33BCEC0C88DE1

gpg (GnuPG) 2.2.41-unknown; Copyright (C) 2022 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

# 90A33BCEC0C88DE1 is the Key ID of the primary key
sec  rsa4096/90A33BCEC0C88DE1
     created: 2024-03-05  expires: never       usage: SC
     trust: ultimate      validity: ultimate
# DA91B926B4C0AB90 is the Key ID of the subkey
ssb  rsa4096/DA91B926B4C0AB90
     created: 2024-03-05  expires: never       usage: E
[ultimate] (1). example <example@gmail.com>

gpg>
```
Sign Sub Key

```
gpg> addkey
Please select what kind of key you want:
   (3) DSA (sign only)
   (4) RSA (sign only)
   (5) Elgamal (encrypt only)
   (6) RSA (encrypt only)
   (7) DSA (set your own capabilities)
   (8) RSA (set your own capabilities)
  (10) ECC (sign only)
  (11) ECC (set your own capabilities)
  (12) ECC (encrypt only)
  (13) Existing key
  (14) Existing key from card
Your selection? 4        # choose an RSA key for signing

RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 4096        # enter the RSA key length
Requested keysize is 4096 bits

Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0)        # set the validity period
Key does not expire at all
Is this correct? (y/N) y     # confirm
Really create? (y/N) y       # confirm again
# enter the primary key's passphrase to authenticate

gpg> save        # don't forget to save
```
Encrypt Sub Key

```
gpg> addkey
Please select what kind of key you want:
   (3) DSA (sign only)
   (4) RSA (sign only)
   (5) Elgamal (encrypt only)
   (6) RSA (encrypt only)
   (7) DSA (set your own capabilities)
   (8) RSA (set your own capabilities)
  (10) ECC (sign only)
  (11) ECC (set your own capabilities)
  (12) ECC (encrypt only)
  (13) Existing key
  (14) Existing key from card
Your selection? 6        # choose an RSA key for encryption

RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 4096        # enter the RSA key length
Requested keysize is 4096 bits

Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0)        # set the validity period
Key does not expire at all
Is this correct? (y/N) y     # confirm
Really create? (y/N) y       # confirm again
# enter the primary key's passphrase to authenticate

gpg> save        # don't forget to save
```
Authentication Key

```
gpg> addkey
Please select what kind of key you want:
   (3) DSA (sign only)
   (4) RSA (sign only)
   (5) Elgamal (encrypt only)
   (6) RSA (encrypt only)
   (7) DSA (set your own capabilities)
   (8) RSA (set your own capabilities)
  (10) ECC (sign only)
  (11) ECC (set your own capabilities)
  (12) ECC (encrypt only)
  (13) Existing key
  (14) Existing key from card
Your selection? 8

Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions: Sign Encrypt

   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? A

Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions: Sign Encrypt Authenticate

   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? S

Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions: Encrypt Authenticate

   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? E

Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions: Authenticate

   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? Q

RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 4096
Requested keysize is 4096 bits

Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y
Really create? (y/N) y

gpg> save
```
Revoking a subkey
Enter edit mode for the target GPG key:

```
$ gpg --expert --edit-key 39A2594E58C3681D10A3D27090A33BCEC0C88DE1

gpg (GnuPG) 2.2.41-unknown; Copyright (C) 2022 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

sec  rsa4096/90A33BCEC0C88DE1
     created: 2024-03-05  expires: never       usage: SC
     trust: ultimate      validity: ultimate
ssb  rsa4096/DA91B926B4C0AB90
     created: 2024-03-05  expires: never       usage: E
[ultimate] (1). example <example@gmail.com>

gpg> key 1

sec  rsa4096/90A33BCEC0C88DE1
     created: 2024-03-05  expires: never       usage: SC
     trust: ultimate      validity: ultimate
ssb* rsa4096/DA91B926B4C0AB90
     created: 2024-03-05  expires: never       usage: E
[ultimate] (1). example <example@gmail.com>

gpg> revkey
Do you really want to revoke this subkey? (y/N) y
Please select the reason for the revocation:
  0 = No reason specified
  1 = Key has been compromised
  2 = Key is superseded
  3 = Key is no longer used
  Q = Cancel
Your decision? 0
Enter an optional description; end it with an empty line:
>
Reason for revocation: No reason specified
(No description given)
Is this okay? (y/N) y

sec  rsa4096/90A33BCEC0C88DE1
     created: 2024-03-05  expires: never       usage: SC
     trust: ultimate      validity: ultimate
The following key was revoked on 2024-03-05 by RSA key 90A33BCEC0C88DE1 example <example@gmail.com>
ssb  rsa4096/DA91B926B4C0AB90
     created: 2024-03-05  revoked: 2024-03-05  usage: E
[ultimate] (1). example <example@gmail.com>

gpg> save
```
Deleting a subkey
Enter edit mode for the target GPG key:

```
$ gpg --expert --edit-key 39A2594E58C3681D10A3D27090A33BCEC0C88DE1

gpg (GnuPG) 2.2.41-unknown; Copyright (C) 2022 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

sec  rsa4096/90A33BCEC0C88DE1
     created: 2024-03-05  expires: never       usage: SC
     trust: ultimate      validity: ultimate
ssb  rsa4096/DA91B926B4C0AB90
     created: 2024-03-05  expires: never       usage: E
[ultimate] (1). example <example@gmail.com>

gpg> key 1

sec  rsa4096/90A33BCEC0C88DE1
     created: 2024-03-05  expires: never       usage: SC
     trust: ultimate      validity: ultimate
ssb* rsa4096/DA91B926B4C0AB90
     created: 2024-03-05  expires: never       usage: E
[ultimate] (1). example <example@gmail.com>

gpg> delkey
Do you really want to delete this key? (y/N) y

sec  rsa4096/90A33BCEC0C88DE1
     created: 2024-03-05  expires: never       usage: SC
     trust: ultimate      validity: ultimate
[ultimate] (1). example <example@gmail.com>

gpg> save
```
Adding a UID

```
$ gpg --edit-key 39A2594E58C3681D10A3D27090A33BCEC0C88DE1
gpg> adduid
Real name: example
Email address: 1@1.com
Comment:
You selected this USER-ID:
    "example <1@1.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
gpg> save
```
Revoking and deleting a UID

```
$ gpg --edit-key 39A2594E58C3681D10A3D27090A33BCEC0C88DE1
gpg> uid 2

sec  rsa4096/90A33BCEC0C88DE1
     created: 2024-03-05  expires: never       usage: SC
     trust: ultimate      validity: ultimate
ssb  rsa4096/DA91B926B4C0AB90
     created: 2024-03-05  expires: never       usage: E
[ultimate] (1)  example <example@gmail.com>
[ unknown] (2)* example <1@1.com>

gpg> revuid
Really revoke this user ID? (y/N) y        # confirm the revocation
Please select the reason for the revocation:
  0 = No reason specified
  4 = User ID is no longer valid
  Q = Cancel
(Probably you want to select 4 here)
Your decision? 4        # choose the revocation reason
Enter an optional description; end it with an empty line:
>
Reason for revocation: User ID is no longer valid
(No description given)
Is this okay? (y/N) y        # confirm the revocation

sec  rsa4096/90A33BCEC0C88DE1
     created: 2024-03-05  expires: never       usage: SC
     trust: ultimate      validity: ultimate
ssb  rsa4096/DA91B926B4C0AB90
     created: 2024-03-05  expires: never       usage: E
[ultimate] (1)  example <example@gmail.com>
[ revoked] (2). example <1@1.com>

gpg> save

# re-enter edit mode (gpg --edit-key ...) to delete the revoked UID
gpg> uid 2

sec  rsa4096/90A33BCEC0C88DE1
     created: 2024-03-05  expires: never       usage: SC
     trust: ultimate      validity: ultimate
ssb  rsa4096/DA91B926B4C0AB90
     created: 2024-03-05  expires: never       usage: E
[ultimate] (1). example <example@gmail.com>
[ revoked] (2)* example <1@1.com>

gpg> deluid
Really remove this user ID? (y/N) y        # confirm
sec  rsa4096/90A33BCEC0C88DE1
     created: 2024-03-05  expires: never       usage: SC
     trust: ultimate      validity: ultimate
ssb  rsa4096/DA91B926B4C0AB90
     created: 2024-03-05  expires: never       usage: E
[ultimate] (1). example <example@gmail.com>

gpg> save
```
Importing, exporting and deleting
Exporting

```
# export the public key
gpg --output publicKey.asc --armor --export <your GPG key fingerprint>
# export the primary private key together with all private subkeys
gpg --output allPrivateKey.asc --armor --export-secret-keys <your GPG key fingerprint>
# export only the private subkeys
gpg --output subPrivateKey.asc --armor --export-secret-subkeys <your GPG key fingerprint>
```

Importing

```
gpg --import <exported file>
```

Deleting

```
# delete the private key
gpg --delete-secret-keys <UID, subkey Key ID or primary Key ID>
# delete the public key
gpg --delete-keys <UID, subkey Key ID or primary Key ID>
```
Git commit signing configuration
Git configuration
Note that the GPG key used for signing must have the S usage.

```
# set the Key ID used for signing
git config --global user.signingkey <Key ID>
# enable commit signing globally
git config --global commit.gpgsign true
```
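The key layout from the Concepts section (primary key, subkeys, S/C/A/E usages, revoked items) and the requirement that a Git signing key carries S can both be checked from GnuPG's machine-readable listing, `gpg --with-colons --list-keys <fingerprint>`. The following is an added example, not code from the original post: it parses a constructed listing modelled on the key built above (primary 90A33BCEC0C88DE1 [SC], subkey DA91B926B4C0AB90 [E]; the two further subkeys, the UID hashes and the revoked UID are made up), picks the key IDs that qualify for user.signingkey, and reports the revoked subkeys and UIDs, which is the state a keyserver merge preserves, unlike deletions.

```python
from __future__ import annotations
from dataclasses import dataclass
# Constructed sample of `gpg --with-colons --list-keys` output modelled on the key built
# above; the two extra subkeys, the UID hashes and the revoked UID are made up.
SAMPLE_LISTING = """\
pub:u:4096:1:90A33BCEC0C88DE1:1709596800:::u:::scESC::::::23::0:
fpr:::::::::39A2594E58C3681D10A3D27090A33BCEC0C88DE1:
uid:u::::1709596800::0123456789ABCDEF0123456789ABCDEF01234567::example <example@gmail.com>::::::::::0:
uid:r::::1709596800::89ABCDEF0123456789ABCDEF0123456789ABCDEF::example <1@1.com>::::::::::0:
sub:u:4096:1:DA91B926B4C0AB90:1709596800::::::e::::::23:
sub:u:4096:1:0123456789ABCDEF:1709596800::::::s::::::23:
sub:r:4096:1:FEDCBA9876543210:1709596800::::::s::::::23:
"""

@dataclass
class Key:
    kind: str            # pub/sec = primary key, sub/ssb = subkey
    key_id: str          # field 5
    validity: str        # field 2: u = ultimate, r = revoked, e = expired, ...
    caps: str            # field 12, lowercase letters only: s, c, a, e
    expires: int | None  # field 7, seconds since the epoch; None = never

def parse_listing(text: str) -> tuple[str, list[tuple[str, str]], list[Key]]:
    """Return (primary fingerprint, [(validity, user ID)], [Key]) from colon output."""
    fpr, uids, keys = "", [], []
    for line in text.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sec", "sub", "ssb"):
            caps = "".join(c for c in f[11] if c.islower())
            keys.append(Key(f[0], f[4], f[1], caps, int(f[6]) if f[6] else None))
        elif f[0] == "fpr" and not fpr:
            fpr = f[9]  # the first fpr line belongs to the primary key
        elif f[0] == "uid":
            uids.append((f[1], f[9]))
    return fpr, uids, keys

def usable(key: Key, now: int) -> bool:
    # Revoked (r) or expired (e) keys stay in the listing but must not be used.
    return key.validity not in ("r", "e") and (key.expires is None or key.expires > now)

def signing_candidates(keys: list[Key], now: int) -> list[str]:
    """Key IDs usable for `git config user.signingkey`: not revoked/expired and carrying S; subkeys first."""
    ok = [k for k in keys if "s" in k.caps and usable(k, now)]
    return ([k.key_id for k in ok if k.kind in ("sub", "ssb")]
            + [k.key_id for k in ok if k.kind in ("pub", "sec")])

def revoked(uids: list[tuple[str, str]], keys: list[Key]) -> dict[str, list[str]]:
    """Revoked subkeys and UIDs: revocations survive a keyserver merge, deletions do not."""
    return {"subkeys": [k.key_id for k in keys if k.validity == "r"],
            "uids": [u for v, u in uids if v == "r"]}
```

On a real key, feed the output of `gpg --with-colons --list-keys <fingerprint>` to parse_listing instead of SAMPLE_LISTING.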
GitHub configuration

```
gpg --armor --export <your GPG key fingerprint>
```

Paste the text printed by gpg --armor --export <your GPG key fingerprint> into the GPG keys section of your GitHub settings.
End.