96 lines
3.6 KiB
Markdown
96 lines
3.6 KiB
Markdown
+++
|
|
title = "Using GPG Public Key"
|
|
[taxonomies]
|
|
tags = ["gpg", "encryption"]
|
|
|
|
[extra]
|
|
toc = true
|
|
comments = false
|
|
+++
|
|
|
|
GNU Privacy Guard (GPG) is an popular two factor encryption system often used for signing or encrypting emails, files or even git commits.
|
|
This post focuses on using provided public key to check signature validity for files signed using complementary public key.
|
|
|
|
## Install GPG
|
|
On Linux it's found in nearly all distributions with package name of either gpg or gpg2. If both are present and gpg is not an
|
|
alias to gpg2 please use gpg2.
|
|
On Windows besides using WSL there is native GPG distribution named gpg4win.
|
|
|
|
## Importing Key
|
|
One way to keep public keys is by using a keyserver such as _hkps://keyserver.ubuntu.com_ or _hkp://pgp.mit.edu_.
|
|
To import key with ID _3BDD542C9B0BE180D5802DFF020C42B7A9ABA3E2_ from **hkps://keyserver.ubuntu.com** keyserver
|
|
issue command:
|
|
```bash
|
|
$ gpg2 --keyserver hkps://keyserver.ubuntu.com --recv-key 3BDD542C9B0BE180D5802DFF020C42B7A9ABA3E2
|
|
```
|
|
|
|
Output of the command above will look like:
|
|
|
|
```
|
|
gpg: /home/akill/.gnupg/trustdb.gpg: trustdb created
|
|
gpg: key 020C42B7A9ABA3E2: public key "Asmir A (new key 300523) <asmir.abdulahovic@gmail.com>" imported
|
|
gpg: Total number processed: 1
|
|
gpg: imported: 1
|
|
```
|
|
|
|
It's also possible to use "short" ID by using only the last 8 digits of hexadecimal
|
|
ID representation, in our case _A9ABA3E2_ - but it's discouraged because of possible ID collisions.
|
|
|
|
To search and import a key using email, example _asmir.abdulahovic@gmail.com_ issue command:
|
|
```bash
|
|
$ gpg2 --keyserver hkps://keyserver.ubuntu.com --search-keys "asmir.abdulahovic@gmail.com"
|
|
```
|
|
|
|
Note _hkps_ protocol selection acts similarly as _https_ for _http_,
|
|
preferably use it to avoid _MITM_ and other attacks.
|
|
|
|
## Verify Signature
|
|
After successfully importing the public key it's possible to verify signature of a
|
|
given file by issuing following command:
|
|
```bash
|
|
$ gpg2 --verify my_file.png.asc
|
|
```
|
|
Please notice .asc extension in the command above.
|
|
It's a result of using gpg to attach the signature at the end of the file while both file and signature are
|
|
represented in ASCII format.
|
|
It's, however, possible to compress the file and add signature in binary format.
|
|
In that case it's conventional practise is to use .gpg extension.
|
|
So in previous case file would be named _my_file.png.gpg_.
|
|
Verifying it would be identical to .asc file.
|
|
|
|
After verifying we still need original file. To extract it use:
|
|
```bash
|
|
$ gpg2 --out my_file.png --decrypt my_file.png.asc
|
|
```
|
|
|
|
Interestingly for files like .pdf which ignore data appended to the end of the file it's possible to attach
|
|
a signature and use resulting file as normal .pdf while being able to check the same signature.
|
|
More on that in other post.
|
|
|
|
## Export Key
|
|
|
|
Simply issue:
|
|
```
|
|
$ gpg2 --export --armor <KEY_ID>
|
|
```
|
|
|
|
Lastly I'll attach my public key, output of the command above, here which
|
|
can also be found in about/ section of this site.
|
|
|
|
```
|
|
-----BEGIN PGP PUBLIC KEY BLOCK-----
|
|
|
|
mDMEZHZDwBYJKwYBBAHaRw8BAQdAPTwI6nfqQ+DtOgyGnwh2Z/rHmeIaw48Cj1ac
|
|
r7siWg60NkFzbWlyIEEgKG5ldyBrZXkgMzAwNTIzKSA8YXNtaXIuYWJkdWxhaG92
|
|
aWNAZ21haWwuY29tPoiTBBMWCgA7FiEEO91ULJsL4YDVgC3/AgxCt6mro+IFAmR2
|
|
Q8ACGwMFCwkIBwICIgIGFQoJCAsCBBYCAwECHgcCF4AACgkQAgxCt6mro+LMfgD/
|
|
a1FeF7N7CxwCne8jD/4wPTCgNvo8JDLYIugd+b3w4fEA/Az6BIxa/s1Nf2fZmI9C
|
|
mvuMi9GztilFtCT+gHTtkAIPuDgEZHZDwBIKKwYBBAGXVQEFAQEHQE2Jm31r9Nv4
|
|
1H5HFOeIHwrUE09XuL/CzQE3WcXviq0hAwEIB4h4BBgWCgAgFiEEO91ULJsL4YDV
|
|
gC3/AgxCt6mro+IFAmR2Q8ACGwwACgkQAgxCt6mro+KfqgD9HrUJdZ2Y6cvcYyt/
|
|
yMoxPvGKDCYo4Pys9Qi3M1oKKUMBAMJ4Dt6xjWyZIrNDjXmJhm4Qap9CAo0+SPM1
|
|
BudaRLwI
|
|
=nRnt
|
|
-----END PGP PUBLIC KEY BLOCK-----
|
|
```
|