diff --git a/content/posts/2023-11-15-using_gpg_public_key.md b/content/posts/2023-11-15-using_gpg_public_key.md index c0f3cbd..a30edc1 100644 --- a/content/posts/2023-11-15-using_gpg_public_key.md +++ b/content/posts/2023-11-15-using_gpg_public_key.md @@ -2,24 +2,88 @@ title = "Using GPG Public Key" +++ -GNU Privacy Guart (GPG) is an pupular two factor encrytpion system often used for signing or encrypting emails, files or even git commits. -This post foruces on using provided public key to check signature validity for files signed using complementary public key. +GNU Privacy Guard (GPG) is an popular two factor encryption system often used for signing or encrypting emails, files or even git commits. +This post focuses on using provided public key to check signature validity for files signed using complementary public key. + +## Install GPG +On Linux it's found in nearly all distributions with package name of either gpg or gpg2. If both are present and gpg is not an +alias to gpg2 please use gpg2. +On Windows besides using WSL there is native GPG distribution named gpg4win. ## Importing Key -One way to keep prublic keys is by using a keyserver such as _hkps://keyserver.ubuntu.com_. -To import key with ID **3BDD542C9B0BE180D5802DFF020C42B7A9ABA3E2** from _hkps://keyserver.ubuntu.com_ keyserver +One way to keep public keys is by using a keyserver such as _hkps://keyserver.ubuntu.com_ or _hkp://pgp.mit.edu_. +To import key with ID _3BDD542C9B0BE180D5802DFF020C42B7A9ABA3E2_ from **hkps://keyserver.ubuntu.com** keyserver issue command: ```bash $ gpg2 --keyserver hkps://keyserver.ubuntu.com --recv-key 3BDD542C9B0BE180D5802DFF020C42B7A9ABA3E2 ``` + +Output of the command above will look like: + +``` +gpg: /home/akill/.gnupg/trustdb.gpg: trustdb created +gpg: key 020C42B7A9ABA3E2: public key "Asmir A (new key 300523) " imported +gpg: Total number processed: 1 +gpg: imported: 1 +``` + It's also possible to use "short" ID by using only the last 8 digits of hexadecimal -ID representation, in our case **A9ABA3E2** - but it's discourages because of possible ID collisions. +ID representation, in our case _A9ABA3E2_ - but it's discouraged because of possible ID collisions. To search and import a key using email, example _asmir.abdulahovic@gmail.com_ issue command: ```bash -$ gpg2 --keyserver hkps://keyserver.ubuntu.com \ - --search-keys "asmir.abdulahovic@gmail.com" +$ gpg2 --keyserver hkps://keyserver.ubuntu.com --search-keys "asmir.abdulahovic@gmail.com" ``` -Note **hkps** protocol selection acts simmilary as **https** for **http**, -prefferably use it to avoid **MITM** and other attacks. +Note _hkps_ protocol selection acts similarly as _https_ for _http_, +preferably use it to avoid _MITM_ and other attacks. + +## Verify Signature +After successfully importing the public key it's possible to verify signature of a +given file by issuing following command: +```bash +$ gpg2 --verify my_file.png.asc +``` +Please notice .asc extension in the command above. +It's a result of using gpg to attach the signature at the end of the file while both file and signature are +represented in ASCII format. +It's, however, possible to compress the file and add signature in binary format. +In that case it's conventional practise is to use .gpg extension. +So in previous case file would be named _my_file.png.gpg_. +Verifying it would be identical to .asc file. + +After verifying we still need original file. To extract it use: +```bash +$ gpg2 --out my_file.png --decrypt my_file.png.asc +``` + +Interestingly for files like .pdf which ignore data appended to the end of the file it's possible to attach +a signature and use resulting file as normal .pdf while being able to check the same signature. +More on that in other post. + +## Export Key + +Simply issue: +``` +$ gpg2 --export --armor +``` + +Lastly I'll attach my public key, output of the command above, here which +can also be found in about/ section of this site. + +``` +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mDMEZHZDwBYJKwYBBAHaRw8BAQdAPTwI6nfqQ+DtOgyGnwh2Z/rHmeIaw48Cj1ac +r7siWg60NkFzbWlyIEEgKG5ldyBrZXkgMzAwNTIzKSA8YXNtaXIuYWJkdWxhaG92 +aWNAZ21haWwuY29tPoiTBBMWCgA7FiEEO91ULJsL4YDVgC3/AgxCt6mro+IFAmR2 +Q8ACGwMFCwkIBwICIgIGFQoJCAsCBBYCAwECHgcCF4AACgkQAgxCt6mro+LMfgD/ +a1FeF7N7CxwCne8jD/4wPTCgNvo8JDLYIugd+b3w4fEA/Az6BIxa/s1Nf2fZmI9C +mvuMi9GztilFtCT+gHTtkAIPuDgEZHZDwBIKKwYBBAGXVQEFAQEHQE2Jm31r9Nv4 +1H5HFOeIHwrUE09XuL/CzQE3WcXviq0hAwEIB4h4BBgWCgAgFiEEO91ULJsL4YDV +gC3/AgxCt6mro+IFAmR2Q8ACGwwACgkQAgxCt6mro+KfqgD9HrUJdZ2Y6cvcYyt/ +yMoxPvGKDCYo4Pys9Qi3M1oKKUMBAMJ4Dt6xjWyZIrNDjXmJhm4Qap9CAo0+SPM1 +BudaRLwI +=nRnt +-----END PGP PUBLIC KEY BLOCK----- +```