devbox
笔触狂放9
这个屌丝很懒,什么也没留下!
关注作者
热门标签
热门文章
当前位置:   article > 正文

GPG使用方法总结(密钥管理,加解密文件)_gpg加密

作者:笔触狂放9 | 2024-02-22 08:18:23

gpg加密

文章目录

0、GnuPG 公用说明

1、生成密钥

2、密钥管理

3、加密和解密

4、签名

5、参考

6、公钥加密遇到的问题

gpg采用的是非对称加密方式,简单理解就是用公钥加密文件,用私钥解密文件。如果你需要发送加密信息,首先获取接收者的公钥,然后利用该公钥加密后传递,对方利用对应的私钥就可解密。也就是说,公钥是锁,私钥是钥匙。非对称加密方式很好地解决了传递信息的问题。

他人用公钥来加密,自己用私钥来解密
自己用私钥来签名,他人用公钥来验证

0、GnuPG 公用说明

0.1 词汇

简写含义
key pair密钥对(包含两部分)
primary key [master key]主密钥(包括主公钥,主私钥)
public keypub
secret keysec私钥
sub-keysub子公钥
secret sub-keyssb子私钥
key fingerprint密钥指纹

0.2 功能

  • 有些功能是私钥部分的,例如: 认证[C]、签名[S]、解密
    删除私钥部分则无法完成操作
  • 有些功能是公钥部分的,例如: 验证签名、加密[E]
    删除私钥部分可以完成操作
标识含义作用
Ssign签名功能
Eencrypt加密功能
Aauthenticate身份验证功能,在其他协议中用于身份验证,例如SSH TLS。只能通过 --expert 选项制作具有该功能的子公钥。
Ccertify认证,主密钥必备能力,且只有主密钥具有

0.3 使用过程(加密与签名)

  • 加密过程中:
    别人用你的公钥加密数据后发给你;
    这些数据只有你的私钥能解密。
  • 签名过程中:
    你先用摘要算法(例如 SHA-256)给数据提取出一个指纹(摘要、哈希值);
    你用私钥,把这串哈希值加密,得到一个数字签名,和文件一起发出去;
    别人收到文件+签名后,先计算文件的哈希值;
    别人用你的公钥,从数字签名中解密出你给的哈希值,和他计算的对比,如果两者一致,那么签名就是有效的。

注意这两个过程中,私钥的作用是相反的:

加密方案中的私钥:用于解密信息
签名方案中的私钥:用于加密信息

GPG 密钥的能力中, [C]、[S]、[A] 均属于签名方案,只有 [E] 是加密方案。

  • 大家可能会奇怪:公私钥是可互换的吗?
    是的!数学上来讲,它们是等价的,可以角色互换。
    一个加密另一个就能解密。
    但是!在具体的算法实现上,两者有很大不同。
    我们要保证加密-解密的高效,同时保证抗破解的安全。
    实际应用中的私钥与公钥生成,算法设计上是有偏向的。
    这也是为什么 GPG 会为密钥分出不同用途,用户方便,算法设计者也方便。

1、生成密钥

1.1 生成主密钥

  1. $ gpg --full-generate-key
  2.  
  3. 新版版用
  4. $ gpg --gen-key

回车后,会出现如下文字:

  1. gpg (GnuPG) 2.2.4; Copyright (C) 2017 Free Software Foundation, Inc.
  2. This is free software: you are free to change and redistribute it.
  3. There is NO WARRANTY, to the extent permitted by law.
  4.  
  5. Please select what kind of key you want:
  6.    (1) RSA and RSA (default)
  7.    (2) DSA and Elgamal
  8.    (3) DSA (sign only)
  9.    (4) RSA (sign only)
  10. Your selection?

第一段是版权声明,然后让用户自己选择加密算法。默认选择第一个选项,表示加密和签名都使用RSA算法
然后,系统就会问你密钥的长度:

  1. RSA keys may be between 1024 and 4096 bits long.
  2. What keysize do you want? (3072)

密钥越长越安全,默认是3072位,接着设定密钥的有效期:

  1. Please specify how long the key should be valid.
  2.          0 = key does not expire
  3.       <n>  = key expires in n days
  4.       <n>w = key expires in n weeks
  5.       <n>m = key expires in n months
  6.       <n>y = key expires in n years
  7. Key is valid for? (0)

回答完上面三个问题以后,系统让你确认:

Is this correct? (y/N)

输入y,系统就要求你提供个人信息:

  1. GnuPG needs to construct a user ID to identify your key.
  2.  
  3. Real name:
  4. Email address: 
  5. Comment:

"真实姓名"填入你姓名的英文写法,"电子邮件地址"填入你的邮件地址,"注释"这一栏可以空着。
然后,你的"用户ID"生成了:

  1. You selected this USER-ID:
  2.     "psadmin <psadmin@psadmin.com>"
  3.  
  4. Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit?

输入O表示"确定"。
接着,系统会让你设定一个私钥的密码。这是为了防止误操作,或者系统被侵入时有人擅自动用私钥。
然后,系统就开始生成密钥了,这时会要求你做一些随机的举动,以生成一个随机数:

  1. We need to generate a lot of random bytes. It is a good idea to perform
  2. some other action (type on the keyboard, move the mouse, utilize the
  3. disks) during the prime generation; this gives the random number
  4. generator a better chance to gain enough entropy.
  5. We need to generate a lot of random bytes. It is a good idea to perform
  6. some other action (type on the keyboard, move the mouse, utilize the
  7. disks) during the prime generation; this gives the random number
  8. generator a better chance to gain enough entropy.

稍后秘钥就生成成功了:

  1.  
  2. gpg: key 30B117F460FCAF5F marked as ultimately trusted
  3. gpg: revocation certificate stored as '/root/.gnupg/openpgp-revocs.d/5550D5D614E9CC36F1B731B930B117F460FCAF5F.rev'
  4. public and secret key created and signed.
  5.  
  6. pub   rsa2048 2022-01-07 [SC]
  7.       5550D5D614E9CC36F1B731B930B117F460FCAF5F
  8. uid                      psadmin <psadmin@psadmin.com>
  9. sub   rsa2048 2022-01-07 [E]

请注意上面的字符串"5550D5D614E9CC36F1B731B930B117F460FCAF5F",这是"用户ID"的Hash字符串,可以用来替代"用户ID"。
这时,最好再生成一张"撤销证书",以备以后密钥作废时,可以请求外部的公钥服务器撤销你的公钥。

$ gpg --gen-revoke [用户ID]

1.2 创建子密钥

1.2.1 创建具有签名功能的子密钥【S】

  1. $ gpg --expert --edit-key 9543E7CAC2C14FBA1ADACF575A0C80A216FD94B1
  2. gpg (GnuPG) 2.2.4; Copyright (C) 2017 Free Software Foundation, Inc.
  3. This is free software: you are free to change and redistribute it.
  4. There is NO WARRANTY, to the extent permitted by law.
  5.  
  6. Secret key is available.
  7.  
  8. gpg: checking the trustdb
  9. gpg: marginals needed: 3  completes needed: 1  trust model: pgp
  10. gpg: depth: 0  valid:   4  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 4u
  11. gpg: next trustdb check due at 2023-01-05
  12. sec  rsa2048/5A0C80A216FD94B1
  13.      created: 2022-01-10  expires: never       usage: SC  
  14.      trust: ultimate      validity: ultimate
  15. ssb  rsa2048/5244E5713764B743
  16.      created: 2022-01-10  expires: never       usage: E   
  17. [ultimate] (1). zhaoyl <willingtolove@qq.com>
  18.  
  19. gpg> addkey
  20. Please select what kind of key you want:
  21.    (3) DSA (sign only)
  22.    (4) RSA (sign only)
  23.    (5) Elgamal (encrypt only)
  24.    (6) RSA (encrypt only)
  25.    (7) DSA (set your own capabilities)
  26.    (8) RSA (set your own capabilities)
  27.   (10) ECC (sign only)
  28.   (11) ECC (set your own capabilities)
  29.   (12) ECC (encrypt only)
  30.   (13) Existing key
  31. Your selection? 4
  32. RSA keys may be between 1024 and 4096 bits long.
  33. What keysize do you want? (3072) 
  34. Requested keysize is 3072 bits
  35. Please specify how long the key should be valid.
  36.          0 = key does not expire
  37.       <n>  = key expires in n days
  38.       <n>w = key expires in n weeks
  39.       <n>m = key expires in n months
  40.       <n>y = key expires in n years
  41. Key is valid for? (0) 
  42. Key does not expire at all
  43. Is this correct? (y/N) y
  44. Really create? (y/N) y
  45. We need to generate a lot of random bytes. It is a good idea to perform
  46. some other action (type on the keyboard, move the mouse, utilize the
  47. disks) during the prime generation; this gives the random number
  48. generator a better chance to gain enough entropy.
  49.  
  50. sec  rsa2048/5A0C80A216FD94B1
  51.      created: 2022-01-10  expires: never       usage: SC  
  52.      trust: ultimate      validity: ultimate
  53. ssb  rsa2048/5244E5713764B743
  54.      created: 2022-01-10  expires: never       usage: E   
  55. ssb  rsa3072/EA76BD6BA5824067
  56.      created: 2022-01-10  expires: never       usage: S   
  57. [ultimate] (1). zhaoyl <willingtolove@qq.com>
  58. gpg> save

查看是否创建成功:

  1. $ gpg -k
  2. /root/.gnupg/pubring.kbx
  3. ------------------------
  4. pub   rsa2048 2022-01-10 [SC]
  5.       9543E7CAC2C14FBA1ADACF575A0C80A216FD94B1
  6. uid           [ultimate] zhaoyl <willingtolove@qq.com>
  7. sub   rsa2048 2022-01-10 [E]
  8. sub   rsa3072 2022-01-10 [S]
  9.  
  10. $ gpg -K
  11. /root/.gnupg/pubring.kbx
  12. ------------------------
  13. sec   rsa2048 2022-01-10 [SC]
  14.       9543E7CAC2C14FBA1ADACF575A0C80A216FD94B1
  15. uid           [ultimate] zhaoyl <willingtolove@qq.com>
  16. ssb   rsa2048 2022-01-10 [E]
  17. ssb   rsa3072 2022-01-10 [S]

1.2.2 创建具有验证功能的子密钥【A】

  1. gpg --expert --edit-key 9543E7CAC2C14FBA1ADACF575A0C80A216FD94B1
  2. gpg (GnuPG) 2.2.4; Copyright (C) 2017 Free Software Foundation, Inc.
  3. This is free software: you are free to change and redistribute it.
  4. There is NO WARRANTY, to the extent permitted by law.
  5.  
  6. Secret key is available.
  7.  
  8. sec  rsa2048/5A0C80A216FD94B1
  9.      created: 2022-01-10  expires: never       usage: SC  
  10.      trust: ultimate      validity: ultimate
  11. ssb  rsa2048/5244E5713764B743
  12.      created: 2022-01-10  expires: never       usage: E   
  13. ssb  rsa3072/EA76BD6BA5824067
  14.      created: 2022-01-10  expires: never       usage: S   
  15. [ultimate] (1). zhaoyl <willingtolove@qq.com>
  16.  
  17. gpg> addkey
  18. Please select what kind of key you want:
  19.    (3) DSA (sign only)
  20.    (4) RSA (sign only)
  21.    (5) Elgamal (encrypt only)
  22.    (6) RSA (encrypt only)
  23.    (7) DSA (set your own capabilities)
  24.    (8) RSA (set your own capabilities)
  25.   (10) ECC (sign only)
  26.   (11) ECC (set your own capabilities)
  27.   (12) ECC (encrypt only)
  28.   (13) Existing key
  29. Your selection? 8
  30.  
  31. Possible actions for a RSA key: Sign Encrypt Authenticate 
  32. Current allowed actions: Sign Encrypt 
  33.  
  34.    (S) Toggle the sign capability
  35.    (E) Toggle the encrypt capability
  36.    (A) Toggle the authenticate capability
  37.    (Q) Finished
  38.  
  39. Your selection? s
  40.  
  41. Possible actions for a RSA key: Sign Encrypt Authenticate 
  42. Current allowed actions: Encrypt 
  43.  
  44.    (S) Toggle the sign capability
  45.    (E) Toggle the encrypt capability
  46.    (A) Toggle the authenticate capability
  47.    (Q) Finished
  48.  
  49. Your selection? e
  50.  
  51. Possible actions for a RSA key: Sign Encrypt Authenticate 
  52. Current allowed actions: 
  53.  
  54.    (S) Toggle the sign capability
  55.    (E) Toggle the encrypt capability
  56.    (A) Toggle the authenticate capability
  57.    (Q) Finished
  58.  
  59. Your selection? a
  60.  
  61. Possible actions for a RSA key: Sign Encrypt Authenticate 
  62. Current allowed actions: Authenticate 
  63.  
  64.    (S) Toggle the sign capability
  65.    (E) Toggle the encrypt capability
  66.    (A) Toggle the authenticate capability
  67.    (Q) Finished
  68.  
  69. Your selection? q
  70. RSA keys may be between 1024 and 4096 bits long.
  71. What keysize do you want? (3072) 2048
  72. Requested keysize is 2048 bits
  73. Please specify how long the key should be valid.
  74.          0 = key does not expire
  75.       <n>  = key expires in n days
  76.       <n>w = key expires in n weeks
  77.       <n>m = key expires in n months
  78.       <n>y = key expires in n years
  79. Key is valid for? (0) 0
  80. Key does not expire at all
  81. Is this correct? (y/N) y
  82. Really create? (y/N) y
  83. We need to generate a lot of random bytes. It is a good idea to perform
  84. some other action (type on the keyboard, move the mouse, utilize the
  85. disks) during the prime generation; this gives the random number
  86. generator a better chance to gain enough entropy.
  87.  
  88. sec  rsa2048/5A0C80A216FD94B1
  89.      created: 2022-01-10  expires: never       usage: SC  
  90.      trust: ultimate      validity: ultimate
  91. ssb  rsa2048/5244E5713764B743
  92.      created: 2022-01-10  expires: never       usage: E   
  93. ssb  rsa3072/EA76BD6BA5824067
  94.      created: 2022-01-10  expires: never       usage: S   
  95. ssb  rsa2048/99A0AD13CDF31B72
  96.      created: 2022-01-10  expires: never       usage: A   
  97. [ultimate] (1). zhaoyl <willingtolove@qq.com>
  98.  
  99. gpg> save
  100.

查看是否创建成功:

  1. $ gpg -k 5A0C80A216FD94B1
  2. pub   rsa2048 2022-01-10 [SC]
  3.       9543E7CAC2C14FBA1ADACF575A0C80A216FD94B1
  4. uid           [ultimate] zhaoyl <willingtolove@qq.com>
  5. sub   rsa2048 2022-01-10 [E]
  6. sub   rsa3072 2022-01-10 [S]
  7. sub   rsa2048 2022-01-10 [A]
  8. $ gpg -K 5A0C80A216FD94B1
  9. sec   rsa2048 2022-01-10 [SC]
  10.       9543E7CAC2C14FBA1ADACF575A0C80A216FD94B1
  11. uid           [ultimate] zhaoyl <willingtolove@qq.com>
  12. ssb   rsa2048 2022-01-10 [E]
  13. ssb   rsa3072 2022-01-10 [S]
  14. ssb   rsa2048 2022-01-10 [A]
  15.

2、密钥管理

2.1 列出密钥

  1. $ gpg --list-keys
  2.  
  3. --list-keys:显示所有公钥
  4.  
  5. --list-secret-key:显示所有私钥
  1. /root/.gnupg/pubring.kbx
  2. ------------------------
  3. pub   rsa2048 2017-05-21 [SC]
  4.       E52218E7087897DC6DEA6D6D97DB7443D5EDEB74
  5. uid           [ unknown] OpenResty Admin <admin@openresty.com>
  6. sub   rsa2048 2017-05-21 [E]
  7.  
  8. pub   rsa2048 2022-01-07 [SC]
  9.       5550D5D614E9CC36F1B731B930B117F460FCAF5F
  10. uid           [ultimate] psadmin <psadmin@psadmin.com>
  11. sub   rsa2048 2022-01-07 [E]
  12.

第一行显示公钥文件名(pubring.kbx),第二行显示公钥特征(2048位,Hash字符串和生成时间),第三行显示"用户ID",第四行显示私钥特征。

2.2 删除密钥

2.2.1 删除密钥

  1. # 先删除私钥部分才能删除公钥部分
  2. $ gpg --delete-secret-keys  [用户ID]  # 删除私钥
  3. $ gpg --delete-keys  [用户ID]     # 删除公钥

2.2.2 删除子密钥

  1. gpg --expert --edit-key D2673C470EDD2A1EE169781C86A5F36CA4FAD524
  2. gpg (GnuPG) 2.2.4; Copyright (C) 2017 Free Software Foundation, Inc.
  3. This is free software: you are free to change and redistribute it.
  4. There is NO WARRANTY, to the extent permitted by law.
  5.  
  6. Secret key is available.
  7.  
  8. sec  rsa3072/86A5F36CA4FAD524
  9.      created: 2022-01-10  expires: never       usage: SC  
  10.      trust: ultimate      validity: ultimate
  11. ssb  rsa3072/87E977522ACB63C9
  12.      created: 2022-01-10  expires: never       usage: E   
  13. ssb  rsa2048/6DC53EC22366279E
  14.      created: 2022-01-10  expires: never       usage: S   
  15. [ultimate] (1). zhaoyl <zhaoyl@qq.com>
  16.  
  17. gpg> key 6DC53EC22366279E
  18.  
  19. sec  rsa3072/86A5F36CA4FAD524
  20.      created: 2022-01-10  expires: never       usage: SC  
  21.      trust: ultimate      validity: ultimate
  22. ssb  rsa3072/87E977522ACB63C9
  23.      created: 2022-01-10  expires: never       usage: E   
  24. ssb* rsa2048/6DC53EC22366279E
  25.      created: 2022-01-10  expires: never       usage: S   
  26. [ultimate] (1). zhaoyl <zhaoyl@qq.com>
  27.  
  28. gpg> delkey 6DC53EC22366279E
  29. Do you really want to delete this key? (y/N) y
  30.  
  31. sec  rsa3072/86A5F36CA4FAD524
  32.      created: 2022-01-10  expires: never       usage: SC  
  33.      trust: ultimate      validity: ultimate
  34. ssb  rsa3072/87E977522ACB63C9
  35.      created: 2022-01-10  expires: never       usage: E   
  36. [ultimate] (1). zhaoyl <zhaoyl@qq.com>
  37.  
  38. gpg> save
  39.

2.3 输出密钥

公钥文件(.gnupg/pubring.kbx)以二进制形式储存,armor参数可以将其转换为ASCII码显示;

$ gpg --armor --output public-key.txt --export [用户ID]

"用户ID"指定哪个用户的公钥,output参数指定输出文件名(public-key.txt)。
类似地,export-secret-keys参数可以转换私钥。

$ gpg --armor --output private-key.txt --export-secret-keys [用户ID]

导出公钥到终端:

gpg --export --export-options export-minimal --armor  5550D5D614E9CC36F1B731B930B117F460FCAF5F

2.4 上传公钥

公钥服务器是网络上专门储存用户公钥的服务器。

  • 网页上传
    可访问下列网址上传公钥:
    keys.openpgp.org
    keyserver.ubuntu.com
    网页上传后,ubuntu和opengpg会进行邮箱验证,可能会被认为是垃圾邮件;
    在搜索栏输入0xUID 即可查询公钥信息和下载;
    比如输入 0xE52218E7087897DC6DEA6D6D97DB7443D5EDEB74

  • 命令上传

$ gpg --send-keys [用户ID] --keyserver keyring.debian.org

使用上面的命令,你的公钥就被传到了服务器keyring.debian.org,然后通过交换机制,所有的公钥服务器最终都会包含你的公钥。
由于公钥服务器没有检查机制,任何人都可以用你的名义上传公钥,所以没有办法保证服务器上的公钥的可靠性,通过公钥指纹校验。

2.5 公钥指纹

你可以在网站上公布一个公钥指纹,让其他人核对下载到的公钥是否为真。fingerprint参数生成公钥指纹。

$ gpg --fingerprint [用户ID]

2.6 导入密钥

除了生成自己的密钥,还需要将他人的公钥或者你的私钥密钥输入系统。这时可以使用import参数。
导入公钥和私钥;

$ gpg --import [密钥文件公钥/私钥]

为了获得他人的公钥,可以让对方直接发给你,或者到公钥服务器上寻找。

$ gpg --keyserver keys.openpgp.org --search-keys [用户ID]

从服务器导入公钥:

$ gpg --keyserver keys.openpgp.org --recv-keys 5550D5D614E9CC36F1B731B930B117F460FCAF5F

正如前面提到的,我们无法保证服务器上的公钥是否可靠,下载后还需要用其他机制验证.

3、加密和解密

3.1 加密

假定有一个文本文件test.txt,怎样对它加密呢?
encrypt参数用于加密,recipient指定ID来加密

  1. $ gpg --recipient [用户ID] --output test.en.txt --encrypt test.txt
  2. $ gpg --recipient 5550D5D614E9CC36F1B731B930B117F460FCAF5F --output test.en.txt --encrypt test.txt

recipient参数指定接收者的公钥,output参数指定加密后的文件名,encrypt参数指定源文件。运行上面的命令后,test.en.txt就是已加密的文件,可以把它发给对方。

3.2 解密

对方收到加密文件以后,就用自己的私钥解密。

$ gpg --output test.de.txt --decrypt test.en.txt

decrypt参数指定需要解密的文件,output参数指定解密后生成的文件。运行上面的命令,test.de.txt就是解密后的文件。

4、签名

4.1 对文件签名

有时候,我们不需要对文件进行加密,只需要对文件进行签名,表示这个文件确实是我本人发出的。使用sign参数来签名。
如果想生成单独的签名文件,与原文件内容分开存放,可以使用detach-sign参数。
如果想让生成的签名文件内容采用ASCII码的形式,要加上armor参数。

gpg --local-user 5550D5D614E9CC36F1B731B930B117F460FCAF5F --armor --detach-sign test.txt

–local-user 指定本地ID进行签名。默认情况下选择最新未被吊销的具有[S]功能的密钥。

4.2 签名+加密

如果想同时签名和加密,可以使用下面的命令,产生test.txt.asc文件,这个文件包含被加密文件和签名信息。

  1. $ gpg --local-user [发信者ID] --recipient [接收者ID] --armor --sign --encrypt log.txt
  2. $ gpg --local-user 5550D5D614E9CC36F1B731B930B117F460FCAF5F --recipient C38E35B04D86C16BF51A0E5D00C672A21827A648 --armor --sign --output test.en.txt --encrypt test.txt

local-user参数指定用发信者的私钥签名,recipient参数指定用接收者的公钥加密,armor参数表示采用ASCII码形式显示,sign参数表示需要签名,--output 指定加密后文件的输出路径, encrypt参数表示指定源文件。

4.3 验证签名

我们收到别人签名后的文件,需要用对方的公钥验证签名是否为真。使用verify参数来验证。
签名asc文件和文件本身分离,验证命令如下:

$ gpg --verify test.txt.asc test.txt

举例:使用openresty做个测试。

  1. $ wget https://openresty.org/download/openresty-1.21.4.1rc1.tar.gz
  2. $ wget https://openresty.org/download/openresty-1.21.4.1rc1.tar.gz.asc
  3. $ gpg --verify openresty-1.21.4.1rc1.tar.gz.asc openresty-1.21.4.1rc1.tar.gz
  4. gpg: Signature made Wed 22 Dec 2021 09:49:37 AM CST
  5. gpg:                using RSA key E52218E7087897DC6DEA6D6D97DB7443D5EDEB74
  6. gpg: Can't check signature: No public key
  8. $ gpg --keyserver keyserver.ubuntu.com --recv-keys E52218E7087897DC6DEA6D6D97DB7443D5EDEB74
  9. gpg: /root/.gnupg/trustdb.gpg: trustdb created
  10. gpg: key 97DB7443D5EDEB74: public key "OpenResty Admin <admin@openresty.com>" imported
  11. gpg: Total number processed: 1
  12. gpg:               imported: 1
  14. $ gpg --verify openresty-1.21.4.1rc1.tar.gz.asc openresty-1.21.4.1rc1.tar.gz
  15. gpg: Signature made Wed 22 Dec 2021 09:49:37 AM CST
  16. gpg:                using RSA key E52218E7087897DC6DEA6D6D97DB7443D5EDEB74
  17. gpg: Good signature from "OpenResty Admin <admin@openresty.com>" [unknown]
  18. gpg: WARNING: This key is not certified with a trusted signature!
  19. gpg:          There is no indication that the signature belongs to the owner.
  20. Primary key fingerprint: E522 18E7 0878 97DC 6DEA  6D6D 97DB 7443 D5ED EB74

5、参考

简明 GPG 概念 - 知乎

GPG入门教程 - 阮一峰的网络日志

6、公钥加密遇到的问题

[user@webss shell]$ ./gpgEncryptFil
gpg: 51538612BA: There is no assurance this key belongs to the named user

pub  5168G/51538612BA 2016-04-21 XXX
 Primary key fingerprint: XXXXX
      Subkey fingerprint: XXXX

It is NOT certain that the key belongs to the person named
in the user ID.  If you *really* know what you are doing,
you may answer the next question with yes.

Use this key anyway? (y/N)

每次执行需要选择Y/N,这个是因为为设置key可信.

按如下描述设置即可

只要将证书设置为可信就好了,
--no-tty 是参数是不在控制台输出数据,去掉的话也能看到问题 ~~

gpg 需设置key为可信,不然每次都会提示"Use this key anyway? (y/N)"
命令:
gpg --edit-key Todaynic
然后参照:
When importing a public key onto another machine, you may have configure gpg to
trust the key. Otherwise, when you use the key to do encryption, you may
see a prompt like this:
It is NOT certain that the key belongs to the person named
in the user ID. If you *really* know what you are doing,
you may answer the next question with yes.
Use this key anyway? (y/N)
To trust the key, run:


gpg --edit-key NAME


gpg will output some information, and show a line like:
trust: undefined validity: unknown
You will be at a console, and you have to type "trust":
Command> trust
Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)
1 = I don't know or won't say
2 = I do NOT trust
3 = I trust marginally
4 = I trust fully
5 = I trust ultimately
m = back to the main menu
Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y

Type "quit" to quit. If you run gpg --edit-key NAME again, you will
see a line as below, which means the key is now trusted.
trust: ultimate validity: ultimate

gpg> quit
 

转载至https://blog.csdn.net/willingtolove/article/details/122362705

声明:本文内容由网友自发贡献,不代表【wpsshop博客】立场,版权归原作者所有,本站不承担相应法律责任。如您发现有侵权的内容,请联系我们。转载请注明出处:https://www.wpsshop.cn/w/笔触狂放9/article/detail/129261
推荐阅读
相关标签

Copyright © 2003-2013 www.wpsshop.cn 版权所有,并保留所有权利。

  

闽ICP备14008679号