gpg命令加解密及验证签名实例

一 . 探索 gpg 命令
$ which gpg
/usr/bin/gpg
$ rpm -qf /usr/bin/gpg
gnupg-1.0.6-5
$ rpm -ql gnupg
二 . 开始使用 GnuPG，你必须首先生成一组新的钥匙对：公匙 和 私匙。
.1. 用普通帐户权限来操作, 创建 ./gnupg 目录 跟 ./gnupg/options 文件 :
$ gpg --gen-key
gpg (GnuPG) 1.4.5; Copyright (C) 2006 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

Please select what kind of key you want:
(1) DSA and Elgamal (default)
(2) DSA (sign only)
(5) RSA (sign only)
Your selection? [enter]
DSA keypair will have 1024 bits.
ELG-E keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) [enter]
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
= key expires in n days
w = key expires in n weeks
m = key expires in n months
y = key expires in n years
Key is valid for? (0) [enter]
Key does not expire at all
Is this correct? (y/N) y[enter]

You need a User-ID to identify your key; the software constructs the user id
from Real Name, Comment and Email Address in this form:
"Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"
Real name: hello
Email address: xxxxx@163.com
Comment: no
You selected this USER-ID:
"hello (no) <xxxxx@163.com>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.
[ 相对通信一方 ,输入真实用户名和 E-Mail ,Comment(注释)可不填 ]
输入密码
Enter passphrase:xxxxxxxxxx
Repeat passphrase:xxxxxxxxxx
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard,....................
.................................................
.................................................
+++.+++++++++++++++++++++++++.++++++++++.++++++++++++++++++++>+++++
public and secret key created and signed.
------------------------------------------------
[ 若对输入信息有所改动 ,可把 ~/.gnupg 目录下除 options 以外的文件删除 ,再运行 gpg --gen-key 命令 ,或者使用 gpg 的 edit 选项 . ]
钥匙对放在 ~/.gnupg 目录下 .输出你的钥匙：
$ gpg --list-keys
-------------------------------
gpg: Warning: using insecure memory!
/home/xxxxx/.gnupg/pubring.gpg
------------------------------
pub 1024D/A2CCCBF3 2005-06-21 hello (no) <xxxxx@163.com>
sub 1024g/84F6D7B9 2005-06-21
------------------------------
[ pub(公匙)--- public key , ID : A2CCCBF3
sub(私匙)--- secret key or private key , ID : 84F6D7B9 ]
[ gpg: Warning: using insecure memory! 警告没有锁定内存页 ,假如是root帐户操作就没这错误信息 ,一般是连接网上操作有关安全方面的问题 ,没碍 ! 若碍眼的 ,作这改动 : # chmod 4755 /usr/bin/gpg ]
## 实例 1 : 用 Gnupg密匙加密和解密文件 . ##
$ cd
$ vi gpg-test
------------------------
Hello !
good morning
viewer
The last viewer checked out of their rooms in the morning.
你不下班 ,别人回家还要煮饭 .
------------------------
加密成 ASCII 文件 :
$ gpg -ea -r hello gpg-test
$ ls gpg-test*
gpg-test gpg-test.asc
$ cat gpg-test.asc
解密文件 :
$ gpg -o gpg-test.file --decrypt gpg-test.asc
-----------------------------------
gpg: Warning: using insecure memory!
You need a passphrase to unlock the secret key for
user: "hello (no) <xxxxx@163.com>"
1024-bit ELG-E key, ID 84F6D7B9, created 2005-06-21 (main key ID A2CCCBF3)
Enter passphrase:[输入生成钥对时的那个密码 xxxxxxxxxx ]
gpg: encrypted with 1024-bit ELG-E key, ID 84F6D7B9, created 2005-06-21
"hello (no) <xxxxx@163.com>"
-----------------------------------
[ 这里所指密匙包括公匙与私匙 ,从以上ID号可知 ,文件是用公匙加密 ,用私匙解密文件 .假如你要求其他人用加密文件方式给你通信 ,你要把公匙告诉他们 .]
$ ls gpg-test*
gpg-test gpg-test.asc gpg-test.file
$ diff gpg-test gpg-test.file
$ cat gpg-test.file
[ 这里 加/解密方式采用RSA算法 ,公匙与私匙是互补 ,理论上是不可破解 ,也没有人尝试成功过. ]
## 实例 2 : Gnupg 检验软件包 ##
从安装光盘做试验 ,首先挂载光盘后复制软件 :
$ cp /mnt/cdrom/RedHat/RPMS/htmlview-2.0.0-1.noarch.rpm /tmp/
$ cd /tmp
用 rpm 验证软件 ( 选项: --checksig or -K )
$ rpm --checksig htmlview-2.0.0-1.noarch.rpm
htmlview-2.0.0-1.noarch.rpm: md5 (GPG) NOT OK (MISSING KEYS: GPG#DB42A60E)
[ 钥匙环不存在 htmlview 所属软件包组的公匙. ]
$ rpm --checksig --nogpg htmlview-2.0.0-1.noarch.rpm
htmlview-2.0.0-1.noarch.rpm: md5 OK
[ md5 OK 这条信息说明传送中软件没被篡改 .]
数字签名证明软件所属作者 .
( 数字签名是作者用私匙对软件特征值进行加密 . )
$ cp /mnt/cdrom/RPM-GPG-KEY ./
$ less ./RPM-GPG-KEY
导入软件组公匙 :
$ gpg --import RPM-GPG-KEY
gpg: Warning: using insecure memory!
gpg: key DB42A60E: public key imported
gpg: Total number processed: 1
gpg: imported: 1
$ gpg --list-keys
gpg: Warning: using insecure memory!
/home/ideal/.gnupg/pubring.gpg
------------------------------
pub 1024D/A2CCCBF3 2005-06-21 hello (no) <xxxxx@163.com>
sub 1024g/84F6D7B9 2005-06-21
pub 1024D/DB42A60E 1999-09-23 Red Hat, Inc <security@redhat.com>
sub 2048g/961630A2 1999-09-23
$ rpm --checksig htmlv*.rpm
htmlview-2.0.0-1.noarch.rpm: md5 gpg OK
## 实例 3 : 验证 Bastille RPM 发布软件包的分离签名 : ##
这里只介绍验证数字签名 , Bastille 1.3.0 版本没包括数字签名 ,有单独签名包 . 跟以上有点差别 .
在 http://www.sourcefourge.net/projects/bastille-linux 下载 :
主软件包: Bastille-1.3.0-1.0mdk.noarch.rpm
签名包: Bastille-1.3.0-1.0mdk.noarch.rpm.asc
http://www.bastille-linux.org/key 下载 Bastille 公匙 : bastille-key
导入公匙 :
$ gpg --import bastille-key
验证 Bastille 数字签名 :
$ gpg --verify Bastille-1.3.0-1.0mdk.noarch.rpm.asc Bastille-1.3.0-1.0mdk.noarch.rpm
显示 : .................. gpg ok