Docu review done: Tue 17 Oct 2023 10:49:59 AM CEST
Table of Contents
- Commands
- GPG Signature
- Keysigning Party
- Manually sign key and send it to keyserver
- Changing trust level of key
- Extend expired gpg key
- Revoke gpg key
- GPG Agent
- GPG2
- Export and Import private keys
- Delete only private key from keyring
Commands
Commands | Description |
---|---|
`gpg --recipient [mail@recipient] --output [outputfile] --encrypt [file2encrypt]` | encrypts a file for one recipient (`-r` is the short form) |
`gpg --hidden-recipient [mail@recipient] --output [outputfile] --encrypt [file2encrypt]` | same, but the recipient's key ID is not stored in the output (`-R` is the short form) |
`gpg -r [mail1@recipient] -r [mail2@recipient] -r [mailX@recipient] --output [outputfile] --encrypt [file2encrypt]` | encrypts a file for multiple recipients; works with `-R` as well |
`gpg --import [publickey].asc` | imports a public key |
`gpg --export [mail@youraddresstoexport OR keyid]` | writes the public key in binary keyring format |
`gpg --armor --export [mail@youraddresstoexport OR keyid]` | exports the public key ASCII-armored |
`gpg -u [keyid]` | use a different key than your default one, e.g. `gpg -u 1234 --sign-key 5878` |
`gpg --receive-keys [keyid]` | fetches the key with [keyid] from the keyserver |
`gpg --send-keys [keyid]` | sends the key with [keyid] to the keyserver |
`gpg --local-user [keyid]` | performs a command with [keyid] as your own key (long form of `-u`) |
`gpg --enarmor < key.gpg > key.asc` | converts the binary key file key.gpg to ASCII key.asc without importing it into the keyring |
`gpg --keyid-format long --list-keys` | `--keyid-format` enforces the key ID format (here: long) |
`gpg --import-options show-only --import ./pubkey.asc` | shows key ID, name/e-mail, key type and creation/expiration date without importing |
GPG Signature
Create signature on file
Usage: signed copy
Both commands below create a copy of the original file that includes the signature:
$ gpg --sign <file>
$ gpg --output <signed_copy_file>.sig --sign <file>
Usage: detached signature
The --detach-sign parameter signs a file and writes only the signature to a separate file:
$ gpg --detach-sign <file>
$ gpg --detach-sign --armor <file>
$ gpg --detach-sign --output <signature_file>.sig <file>
Sample 1
$ gpg --sign ./titten
gpg: using "123412341234ASDFASDFASDF12341234ASDFASDF" as default secret key for signing
$ ls -la | grep titten.gpg
titten.gpg
Sample 2
$ gpg --output titten.sig --sign ./titten
gpg: using "123412341234ASDFASDFASDF12341234ASDFASDF" as default secret key for signing
$ ls -la | grep titten
titten
titten.sig
Sample 3
$ gpg --detach-sign --output ./titten.sig ./titten
gpg: using "123412341234ASDFASDFASDF12341234ASDFASDF" as default secret key for signing
$ ls -la | grep titten
titten
titten.sig
Verify signature of file
Usage with included signature and content
$ gpg --verify <file.gpg>
$ gpg --output <target file> --decrypt <encrypted and signed file>
(--decrypt also verifies an embedded signature and reports "Good signature" or the error; the decrypted output is not a detached signature, so there is nothing further to pass to --verify.)
Usage with detached signature
$ gpg --verify <signature-file> <file>
Sample 1
Verify when you have the pubkey in your keyring
$ gpg --verify titten.gpg
gpg: Signature made Day Nr Mon Year HH:MM:SS AP ZONE
gpg: using TYPE key 123412341234ASDFASDFASDF12341234ASDFASDF
gpg: Good signature from "MY Sexy Titten Key (boobs) <ilikegpg@linuxis.sexy>" [ultimate]
Sample 2
For detailed, machine-readable output (e.g. the signing key ID even when the key is not in your keyring or trust chain)
$ gpg -v --status-fd 1 --verify titten.gpg
gpg: original file name='titten'
gpg: Signature made Thu 26 Sep 2013 06:51:39 AM EST using RSA key ID 35C7553C
[GNUPG:] ERRSIG 7FF2D37135C7553C 1 10 00 1380142299 9
[GNUPG:] NO_PUBKEY 7FF2D37135C7553C
gpg: Can't check signature: public key not found
Sample 3
Using gpgv and specific keyring file
$ gpgv --keyring ./pubkeyring.gpg titten.gpg
gpg: Signature made Day Nr Mon Year HH:MM:SS AP ZONE
gpg: using TYPE key 123412341234ASDFASDFASDF12341234ASDFASDF
gpg: Good signature from "MY Sexy Titten Key (boobs) <ilikegpg@linuxis.sexy>" [ultimate]
Sample 4
Using detached signature file to verify
$ gpg --verify ./my_file.sh.sig my_file.sh
gpg: Signature made Day Nr Mon Year HH:MM:SS AP ZONE
gpg: using TYPE key 123412341234ASDFASDFASDF12341234ASDFASDF
gpg: Good signature from "MY Sexy Titten Key (boobs) <ilikegpg@linuxis.sexy>" [ultimate]
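Sample 2 above shows why a script should decide on the `[GNUPG:]` status lines rather than on the human-readable text or the exit code: gpg exits 0 for a good signature even when the signing key has no trust in your keyring. The function below is an added example, not from the original page; it turns a `--status-fd` stream into a verdict and ships with constructed sample streams (placeholder key IDs and fingerprints) so it runs without gpg.

```shell
#!/bin/sh
# Added example, not part of the original page: judge a signature from gpg's
# machine-readable [GNUPG:] status lines rather than from the human-readable
# text or the exit code, which is 0 even for an untrusted signing key.
# Usage: gpg --status-fd 1 --verify <sig> <file> 2>/dev/null | gpg_status_verdict
# Prints GOOD, UNTRUSTED, NO_PUBKEY, BAD or NONE and returns 0 only for GOOD.
gpg_status_verdict() {
    valid=0 trusted=0 missing=0 bad=0
    while IFS=' ' read -r prefix tag rest; do
        [ "$prefix" = "[GNUPG:]" ] || continue          # skip "gpg: ..." chatter
        case "$tag" in
            VALIDSIG)                   valid=1 ;;      # signature verified with a key we hold
            TRUST_FULLY|TRUST_ULTIMATE) trusted=1 ;;    # and that key is valid in our web of trust
            NO_PUBKEY)                  missing=1 ;;    # cannot verify: signer's key not in keyring
            BADSIG|EXPSIG|EXPKEYSIG|REVKEYSIG|ERRSIG|TRUST_NEVER) bad=1 ;;
        esac
    done
    if   [ "$valid" = 1 ] && [ "$bad" = 0 ] && [ "$trusted" = 1 ]; then echo GOOD; return 0
    elif [ "$valid" = 1 ] && [ "$bad" = 0 ]; then echo UNTRUSTED; return 1
    elif [ "$missing" = 1 ]; then echo NO_PUBKEY; return 1
    elif [ "$bad" = 1 ]; then echo BAD; return 1
    fi
    echo NONE; return 1
}

# Constructed sample streams (placeholder key IDs and fingerprints, not real keys).
STATUS_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Placeholder Signer <signer@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2023-10-17 1697532599 0 4 0 22 8 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_ULTIMATE 0 pgp'
STATUS_UNKNOWN_TRUST='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG FEDCBA9876543210 Placeholder Stranger <stranger@example.invalid>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2023-10-17 1697532599 0 4 0 22 8 00 FEDCBA9876543210FEDCBA9876543210FEDCBA98
[GNUPG:] TRUST_UNDEFINED 0 pgp'
STATUS_NO_PUBKEY='gpg: Signature made Thu 26 Sep 2013 06:51:39 AM EST using RSA key ID 35C7553C
[GNUPG:] ERRSIG 7FF2D37135C7553C 1 10 00 1380142299 9
[GNUPG:] NO_PUBKEY 7FF2D37135C7553C'
STATUS_BAD='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 0123456789ABCDEF Placeholder Signer <signer@example.invalid>'

verdict_of() { printf '%s\n' "$1" | gpg_status_verdict; }  # feed one sample stream
```

Because the return code follows the verdict, `gpg ... | gpg_status_verdict || exit 1` can gate a script step on a trusted, valid signature.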
Keysigning Party
$ apt install signing-party
$ /usr/bin/gpg-key2ps -1 -s <gpgid> -p a4 | gs -q -dNOPAUSE -dBATCH -sDEVICE=pdfwrite -sOutputFile=out.pdf -
Then open out.pdf.
Manually sign key and send it to keyserver
$ gpg --keyserver myowngpgserver.sons-of-sparda.at --receive-keys 132412341234ASDFASDFASDF123412341234
$ gpg --sign-key 132412341234ASDFASDFASDF123412341234
$ gpg --keyserver myowngpgserver.sons-of-sparda.at --send-keys 132412341234ASDFASDFASDF123412341234
Changing trust level of key
$ gpg --edit-key 132412341234ASDFASDFASDF123412341234
pub rsa4096/132412341234ASDFASDFASDF123412341234
created: 2019-10-07 expires: never usage: SC
trust: marginal validity: full
sub rsa4096/567856785678ASDFASDFASDF567856785678
created: 2019-10-07 expires: never usage: E
[ full ] (1). MY Sexy Titten Key (boobs) <ilikegpg@linuxis.sexy>
gpg> trust
pub rsa4096/1D3369BB8F0EE8FE
created: 2019-10-07 expires: never usage: SC
trust: marginal validity: full
sub rsa4096/5397BD70F1995324
created: 2019-10-07 expires: never usage: E
[ full ] (1). MY Sexy Titten Key (boobs) <ilikegpg@linuxis.sexy>
Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)
1 = I don't know or won't say
2 = I do NOT trust
3 = I trust marginally
4 = I trust fully
5 = I trust ultimately
m = back to the main menu
Your decision? [0-5m]
pub rsa4096/132412341234ASDFASDFASDF123412341234
created: 2019-10-07 expires: never usage: SC
trust: never validity: full
sub rsa4096/567856785678ASDFASDFASDF567856785678
created: 2019-10-07 expires: never usage: E
[ full ] (1). MY Sexy Titten Key (boobs) <ilikegpg@linuxis.sexy>
gpg> quit
Extend expired gpg key
First you need to get the gpg ID, by running
$ gpg --list-keys | grep -B2 expire
Next, enter editing mode; this starts the gpg CLI:
$ gpg --edit-key <gpgid>
Now enter expire and choose the new timeframe:
gpg> expire
Changing expiration time for the primary key.
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) <yourchoice>
Key expires at <Date when it will expire>
Is this correct? (y/N) y
The final step is to save it, by entering save ;)
gpg> save
Now export your updated public key again (the new expiry is part of the public key, so everyone who holds it must re-import it), by running
$ gpg --armor --export <mailaddress|gpgid>
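The grep on "expire" above only finds keys whose listing contains that word and cannot tell you how soon. The function below is an added example, not from the original page; it parses gpg's `--with-colons` listing (GnuPG 2.x prints the creation and expiration dates as epoch seconds) and reports keys that are already expired or expire within N days, run here against a constructed sample listing with placeholder key IDs.

```shell
#!/bin/sh
# Added example, not part of the original page: list keys that are expired or
# will expire within N days, using gpg's colon-separated output instead of
# grepping the human-readable listing. Colon fields (GnuPG doc/DETAILS):
# 1=record type, 5=key ID, 6=creation, 7=expiration (epoch seconds in GnuPG 2.x).
# Usage: gpg --with-colons --list-keys | keys_expiring_within 30
keys_expiring_within() {
    days=$1
    now=${2:-$(date +%s)}        # optional second argument pins "now" (used by tests)
    awk -F: -v now="$now" -v limit="$((now + days * 86400))" '
        $1 == "pub" || $1 == "sub" {
            if ($7 == "") next                       # no expiration date set
            if ($7 + 0 <= now) state = "EXPIRED"
            else if ($7 + 0 <= limit) state = "EXPIRING"
            else next
            print $1, $5, state                      # record type, key ID, state
        }'
}

# Constructed sample of `gpg --with-colons --list-keys` with placeholder key IDs.
# The tests pin "now" to 1697532599 (Tue 17 Oct 2023, the review date of this page).
KEYLIST_SAMPLE='tru::1:1697532599:0:3:1:5
pub:u:4096:1:0123456789ABCDEF:1570406400::u:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1570406400::UIDHASH::Placeholder User <user@example.invalid>::::::::::0:
sub:u:4096:1:FEDCBA9876543210:1570406400:1699000000:::::e::::::23:
pub:e:2048:1:AAAAAAAAAABBBBBB:1262304000:1600000000::-:::sc::::::23::0:
pub:u:255:22:CCCCCCCCCCDDDDDD:1618876800:2282515200::u:::scESC::::::23::0:'
```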
Revoke gpg key
If gpg keys are not in use any more, you should revoke them.
At local keyring
To revoke an existing key in your local keyring, you need to import your revocation certificate.
If you haven't created one during key creation, generate it with the following command:
$ gpg --output ./revoke.asc --gen-revoke <GPG-KEY-ID4REVOCE>
Make sure you have the right revocation file, double check!
If you are sure, just import it like so:
$ gpg --import ./revoke.asc
Now the gpg key with the ID you placed instead of <GPG-KEY-ID4REVOCE> is revoked.
At remote keyserver
If you are not sure whether you placed your gpg key on the keyserver, you can search for it before uploading your revocation:
$ gpg --keyserver <KEY-SERVER-URL> --search-keys <GPG-KEY-ID4REVOCE>
To revoke a key on a remote keyserver, you have to revoke it locally first (see above) and then perform --send-keys to upload the revocation:
$ gpg --keyserver <KEY-SERVER-URL> --send-keys <GPG-KEY-ID4REVOCE>
Now the gpg key is shown as revoked on the remote server as well.
GPG Agent
The gpg-agent caches your gpg keys once they are unlocked, so you are not asked for the passphrase on every operation.
GPG Connect Agent
The gpg-connect-agent tool is used to connect to the gpg-agent and interact with it.
$ gpg-connect-agent
> [youcommands]
> [enter or bye to leave]
To list all loaded keys, run the command keyinfo --list:
$ gpg-connect-agent
> keyinfo --list
S KEYINFO 1234123412341234ASDFASDFASDF12341234ASDF D - - 1 P - - -
OK
>
The 1 shown in the list above (the "cached" field of the KEYINFO line) indicates that this keygrip is cached.
This happens, for example, when your key got unlocked and is cached now.
You can also pass commands directly to gpg-connect-agent via stdin:
$ echo "keyinfo --list" | gpg-connect-agent
S KEYINFO 1234123412341234ASDFASDFASDF12341234ASDF D - - 1 P - - -
OK
GPG2
Errors
“Inappropriate ioctl for device”
Add the export for GPG_TTY to your ~/.profile, ~/.bashrc, ~/.zshrc or whatever you use, like this:
export GPG_TTY=$(tty)
Restart your shell/session and you are good to go.
Export and Import private keys
To migrate your private key with all your subkeys, you just have to run one command on the client where it is stored:
$ gpg -a --export-secret-key "[mail|key-id]" > private.key
You will be asked for your passphrase, if you have set one, and the file gets created.
If you move your key entirely, don't forget the revocation certificates, e.g. ~/.gnupg/openpgp-revocs.d/*.rev
Next, move the key(s) in a secure way to your other client and import them with the additional parameter --allow-secret-key-import. There you will get the passphrase dialog again.
$ gpg --allow-secret-key-import --import private.key
After that is done, make sure you trust it (here: ultimately), by editing the key:
$ gpg --edit-key [keyid]
gpg (GnuPG) 2.2.27; Copyright (C) 2021 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Secret key is available.
sec ed25519/AAAAAAAAAABBBBBB
created: 2021-04-20 expires: 2042-04-20 usage: SC
trust: <trustvalue> validity: <validityvalue>
ssb cv25519/CCCCCCCCCCDDDDDD
created: 2021-04-20 expires: 2042-04-20 usage: E
[<trustvalue>] (1). My Fancy Name <my_fany_name@my_fancy_domain.me>
[<trustvalue>] (2). My Fancy Name <my_fany_name@my_fancy_domain.me2>
gpg> trust
Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)
1 = I don't know or won't say
2 = I do NOT trust
3 = I trust marginally
4 = I trust fully
5 = I trust ultimately
m = back to the main menu
Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y
sec ed25519/AAAAAAAAAABBBBBB
created: 2021-04-20 expires: 2042-04-20 usage: SC
trust: ultimate validity: ultimate
ssb cv25519/CCCCCCCCCCDDDDDD
created: 2021-04-20 expires: 2042-04-20 usage: E
[ultimate] (1). My Fancy Name <my_fany_name@my_fancy_domain.me>
[ultimate] (2). My Fancy Name <my_fany_name@my_fancy_domain.me2>
gpg> save
And you are done ;)
Delete only private key from keyring
Make sure you know what you are doing and have a backup of your gpg home, at least somewhere.
If you only want to remove your private key from your keyring, use --delete-secret-keys instead of --delete-keys.
gpg --homedir ./ --delete-secret-keys AAAAAAAAAAAAAABBBBBBBBBBBBBBEEEEEEEEEEEE
gpg (GnuPG) 2.2.27; Copyright (C) 2021 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
sec rsa8192/BBBBEEEEEEEEEEEE 2021-04-20 My Fancy Name <my_fancy_name@delete_privatekey_of.me>
Delete this key from the keyring? (y/N) y
This is a secret key! - really delete? (y/N) y
For each subkey you have, you will get an additional question whether you really want to remove it.
After that, you can have a look at gpg --list-keys and see that the public keys are still available.