project-cloud/content/posts/2023-11-15-using_gpg_public_key.md
2023-11-15 22:06:56 +01:00

+++
title = "Using GPG Public Key"
[taxonomies]
tags = ["gpg", "encryption"]
[extra]
toc = true
comments = false
+++
GNU Privacy Guard (GPG) is a popular public-key (asymmetric) encryption system, often used for signing or encrypting emails, files or even git commits.
This post focuses on using a provided public key to check the validity of signatures on files that were signed with the corresponding private key.
## Install GPG
On Linux it's found in nearly all distributions under the package name gpg or gpg2. If both are present and gpg is not an
alias for gpg2, use gpg2.
On Windows, besides using WSL, there is a native GPG distribution named gpg4win.
## Importing Key
One way to distribute public keys is through a keyserver such as _hkps://keyserver.ubuntu.com_ or _hkp://pgp.mit.edu_.
To import the key with ID _3BDD542C9B0BE180D5802DFF020C42B7A9ABA3E2_ from the **hkps://keyserver.ubuntu.com** keyserver,
issue the command:
```bash
$ gpg2 --keyserver hkps://keyserver.ubuntu.com --recv-key 3BDD542C9B0BE180D5802DFF020C42B7A9ABA3E2
```
Output of the command above will look like:
```
gpg: /home/akill/.gnupg/trustdb.gpg: trustdb created
gpg: key 020C42B7A9ABA3E2: public key "Asmir A (new key 300523) <asmir.abdulahovic@gmail.com>" imported
gpg: Total number processed: 1
gpg: imported: 1
```
It's also possible to use the "short" key ID, the last 8 hexadecimal digits of the full
ID, in our case _A9ABA3E2_, but this is discouraged because of possible ID collisions.
To search for and import a key by email address, for example _asmir.abdulahovic@gmail.com_, issue the command:
```bash
$ gpg2 --keyserver hkps://keyserver.ubuntu.com --search-keys "asmir.abdulahovic@gmail.com"
```
Note that the _hkps_ protocol is to _hkp_ what _https_ is to _http_:
prefer it to avoid _MITM_ and similar attacks.
## Verify Signature
After successfully importing the public key it's possible to verify the signature of a
given file by issuing the following command:
```bash
$ gpg2 --verify my_file.png.asc
```
Note the .asc extension in the command above.
It results from using gpg to append the signature to the file, with both file and signature
ASCII-armored.
It's also possible to compress the file and attach the signature in binary format.
In that case the conventional practice is to use the .gpg extension,
so in the previous case the file would be named _my_file.png.gpg_.
Verifying it is identical to verifying the .asc file.
After verifying we still need the original file. To extract it, use:
```bash
$ gpg2 --out my_file.png --decrypt my_file.png.asc
```
Interestingly, for formats like .pdf that ignore data appended to the end of the file, it's possible to attach
a signature and use the resulting file as a normal .pdf while still being able to check that signature.
More on that in another post.
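A check worth adding to the verification step above: `gpg2 --verify` exits 0 for a good signature from *any* key in your keyring, so a script should parse the machine-readable `--status-fd` lines and pin the signer to the fingerprint imported earlier. The following script is an added example, not part of the original post; it assumes gpg2 is on PATH and uses constructed status output (a placeholder fingerprint for the "other key" case) so the parsing can be exercised without a real signed file.

```bash
#!/bin/sh
# Added example: decide whether a signature is acceptable from GnuPG's
# --status-fd lines rather than its exit code, and pin the expected signer.
# Assumption: the expected signer is the key imported in this post.
EXPECTED_FPR="3BDD542C9B0BE180D5802DFF020C42B7A9ABA3E2"

# Read GnuPG status lines on stdin. Return 0 only if a VALIDSIG line names the
# expected fingerprint (signing key or primary key) and no failure line appears.
gpg_status_ok() {
    expected="$1"
    matched=1
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] EXPKEYSIG "*|"[GNUPG:] REVKEYSIG "*|"[GNUPG:] NODATA "*)
                return 1 ;;
            "[GNUPG:] VALIDSIG "*)
                # Field 3 is the signing (sub)key fingerprint, the last field the
                # primary key fingerprint. GOODSIG alone only says "some key in
                # the keyring"; the fingerprint comparison is what pins the signer.
                sigkey=$(printf '%s\n' "$line" | awk '{print $3}')
                primary=$(printf '%s\n' "$line" | awk '{print $NF}')
                if [ "$sigkey" = "$expected" ] || [ "$primary" = "$expected" ]; then
                    matched=0
                fi ;;
        esac
    done
    return "$matched"
}

# Verify a signed file (my_file.png.asc or my_file.png.gpg) against EXPECTED_FPR.
# --status-fd 1 sends status lines to stdout; the human-readable report on
# stderr is discarded, and --batch keeps gpg from prompting.
verify_file() {
    gpg2 --batch --status-fd 1 --verify "$1" 2>/dev/null | gpg_status_ok "$EXPECTED_FPR"
}

# Constructed status output for a good signature from the expected key.
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 020C42B7A9ABA3E2 Asmir A (new key 300523) <asmir.abdulahovic@gmail.com>
[GNUPG:] VALIDSIG 3BDD542C9B0BE180D5802DFF020C42B7A9ABA3E2 2023-11-15 1700085600 0 4 0 1 10 00 3BDD542C9B0BE180D5802DFF020C42B7A9ABA3E2'
# Constructed: a good signature from some other key in the keyring (placeholder
# fingerprint). gpg would exit 0 here as well, so the exit code alone misleads.
SAMPLE_OTHER='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0000000000000000 Someone Else <someone@example.invalid>
[GNUPG:] VALIDSIG 0000000000000000000000000000000000000000 2023-11-15 1700085600 0 4 0 1 10 00 0000000000000000000000000000000000000000'

printf '%s\n' "$SAMPLE_GOOD" | gpg_status_ok "$EXPECTED_FPR" && echo "expected signer: ok"
printf '%s\n' "$SAMPLE_OTHER" | gpg_status_ok "$EXPECTED_FPR" || echo "other signer: rejected"
```

For a real file, call `verify_file my_file.png.asc` and branch on its exit status; only then run the `--decrypt` step to extract the original.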
## Export Key
Simply issue:
```bash
$ gpg2 --export --armor <KEY_ID>
```
Lastly, I'll attach my public key (the output of the command above) here; it
can also be found in the about/ section of this site.