GnuPG

From YobiWiki
Jump to navigation Jump to search

French part was converted with HTML::WikiConverter::MediaWiki from my old phpwiki site

Intro

Un très bon point de départ: http://www.gnupg.org/gph/fr/manual.html

Une introduction a GnuPG(vulgaristation): http://www.vilya.org/gpg/

Mes clés

On peut les trouver un peu partout.

   gpg --keyserver wwwkeys.pgp.net --recv-key 0x7A135F579AD7E3DB

Serveurs publics

Key Signing Coordination

http://www.biglumber.com/

Distance entre clés

Par exemple
http://keyserver.kjsl.com/~jharris/gpgwww.cgi?from=135EA668&to=9AD7E3DB
http://keyserver.kjsl.com/~jharris/gpgwww.cgi?from=449FA3AB&to=9AD7E3DB
Remplacer les IDs des clés pour essayer d'autres chemins.

Update: les URLs précédentes ne fonctionnent apparemment plus, vous pouvez essayer avec celles-ci:
http://pgp.cs.uu.nl/mk_path.cgi?FROM=135EA668&TO=9AD7E3DB&PATHS=trust+paths
http://pgp.cs.uu.nl/mk_path.cgi?FROM=449FA3AB=9AD7E3DB&PATHS=trust+paths

http://www.cs.uu.nl/people/henkp/henkp/pgp/pathfinder/mk_path.cgi?STAT=9AD7E3DB&STATS=statistics

Strong Set

Une analyse globale est disponible ici: http://pgp.cs.uu.nl/plot/
J'y suis rentré en août 2002 avec une distance moyenne de 6.9916 (merci adulau ;-)
Des analyses mensuelles sont disponibles ici: http://keyserver.kjsl.com/~jharris/ka

Date Mean dist World class From Set to ID From ID to Set Max hops Strong set Average mean

08-2002

6.9916 >1000 - - 15 14159 6.5105

11-08-2002

5.7041 >1000 - - 14 14353 6.5222

25-08-2002

5.6948 >1000 - - 14 14586 6.5327

08-09-2002

5.6979 >1000 - - 14 14797 6.5561

22-09-2002

5.6648 >1000 - - 14 14973 6.5084

06-10-2002

5.6414 >1000 - - 14 15169 6.5101

20-10-2002

5.6296 >1000 9 12 14 15370 6.5037

03-11-2002

5.5183 >1000 19 27 13 15575 6.5045

17-11-2002

5.4787 >1000 24 27 13 15787 6.5017

01-12-2002

5.4420 >1000 24 27 13 15949 6.4797

15-12-2002

5.4373 >1000 24 27 13 16174 6.4806

29-12-2002

5.3922 >1000 24 27 13 16305 6.4931

12-01-2003

5.3865 >1000 24 27 13 16474 6.4804

26-01-2003

5.2183 >1000 24 27 13 16673 6.4706

09-02-2003

5.2173 >1000 24 27 13 16951 6.4849

23-02-2003

4.7102 496 43 63 13 17338 6.4773

09-03-2003

4.7024 507 45 63 13 17620 6.4711

23-03-2003

4.6933 500 46 63 13 17861 6.4675

06-04-2003

4.6794 481 47 63 13 18197 6.6484

20-04-2003

4.6373 367 51 67 13 19075 6.6624

04-05-2003

4.6281 358 51 67 13 19372 6.6584

18-05-2003

4.6027 330 51 67 13 19641 6.6410

01-06-2003

4.6002 331 51 67 13 19833 6.6261

15-06-2003

4.5854 335 52 68 13 20095 6.6038

29-06-2003

4.5700 330 52 68 13 20305 6.5954

13-07-2003

4.5531 327 52 68 13 20602 6.5762

27-07-2003

4.5189 419 52 68 13 20814 6.5251

10-08-2003

4.4803 440 52 68 13 21025 6.4861

24-08-2003

4.4676 461 58 75 13 21333 6.4784

07-09-2003

4.4565 462 59 76 13 21487 6.4721

05-10-2003

4.4456 482 59 76 13 21843 6.4762

17-02-2008

4.4435 1761 16 91 14 40282 5.98?

--2008

4. - 0 0 0 - 6.
#!/bin/bash
# gpg-setstats retrieves stats about the strongset & your key
REF="http://skylane.kjsl.com/~jharris/ka"
MYKEY=${1:-"9AD7E3DB"}
 
for URL in $(lynx -dump $REF|grep "$REF/200"|cut -c 7-53); do
  select q in "Stats for the ${URL#$REF}" "Skip" "Quit";do
  if [ "$q" == "Stats for the ${URL#$REF}" ]; then
    echo =======================================
    echo Retrieve infos for ${URL#$REF}:
    wget -O - -q ${URL}other.txt
    wget -O - -q ${URL}status.txt|grep "strongly connected"
    wget -O - -q $URL${MYKEY:0:2}/$MYKEY|grep "^KeyID\|^Total\|^Mean\|^Farthest"
    echo -n "World Class:"
    lynx -dump ${URL}top1000table.html|grep $MYKEY|grep -v kjsl
    echo =======================================
    break; fi
  if [ "$q" == "Skip"  ]; then
    break; fi
  if [ "$q" == "Quit" ]; then
    exit; fi
  echo test $URL
  done
done

Tips

Pour fetcher ttes les UIDs qui ont signé une clé

  for key in $(gpg --list-sigs $1|grep ^sig|cut -c 13-20|sort|uniq);
  do
   gpg --recv-key $key
  done

quintuple-agent

  eval `q-agent &`
  q-client put 9AD7E3DB -t 3600
  or directly use agpg instead of gpg

Support de OpenPGP dans KMail:


 wget ftp://ftp.gnupg.org/gcrypt/alpha/aegypten/debian/libksba0_0.4.3-1_i386.deb
 dpkg -i libksba0_0.4.3-1_i386.deb
 wget ftp://ftp.gnupg.org/gcrypt/alpha/aegypten/debian/pinentry-gtk_0.6.3-1_i386.deb
 dpkg -i pinentry-gtk_0.6.3-1_i386.deb
 wget ftp://ftp.gnupg.org/gcrypt/alpha/aegypten/debian/gpgsm_0.3.9-1_i386.deb
 dpkg -i gpgsm_0.3.9-1_i386.deb
 gpg --rebuild-keydb-caches

Editer ~/.gnupg/gpg.conf -> use-agent
Dans KMail, Settings->Configure KMail->Security->Crypto Plugins et ajouter gpgme-openpgp.so plugin.
Laisser "update URL" vide et mettre un nom comme par ex. "OpenPGP", "location": /usr/lib/cryptplug/gpgme-opengpg.so

/usr/local/bin/gpg-kmail:

 
#!/bin/bash
launch_me(){
   eval "$(gpg-agent --pinentry-program /usr/bin/pinentry-gtk --no-grab --default-cache-ttl 1800 )"
   kmail $* --nofork
   echo $GPG_AGENT_INFO|cut -d: -f2|xargs kill
}
launch_me $* &
exit 0

Support of Enigmail in Firefox

A promising solution for webmails...
See http://www.camrdale.org/GoogleSoC.html

Paper backup of the secret keys

apt-get install paperkey
gpg --export-secret-key key_id | paperkey

Notes on signing-parties

Old notes

Pas mal d'infos sur http://skylane.kjsl.com/~jharris/keysigning.html
Ainsi que des exemples d'annonce par Adulau sur http://www.ael.be/action/gnupg/ et http://www.ael.be/action/gnupg/fosdem/
Mais un problème courant est la coordination physique des gens pour que chacun rencontre chacun.

Before the party

There are some useful tools in Debian:

apt-get install signing-party

Here is an example based on my participation to the keysigning-party of FOSDEM 2008

  • Importing keys: the organizer provided a file with all the keys exported
tar xzvf keys.tgz
for i in keys/*; do gpg --import $i;done
  • Preparing the given list of keys: the organizer provided a list such as in the examples provided here: /usr/share/doc/signing-party/gpgsigs/examples/. To prepare that file, compute its checksums and add the pictures when possible:
gpgsigs --latex 9ad7e3db ksp-fosdem2008.txt ksp-fosdem2008
latex ksp-fosdem2008
dvips ksp-fosdem2008.dvi
ps2pdf ksp-fosdem2008.ps > ksp-fosdem2008.pdf
  • Preparing a stock of our own fingerprints, in case of...
gpg-key2ps 9ad7e3db |ps2pdf - 9ad7e3db.pdf
  • But after all how was produced the list of fingerprints from the organizer? I created a script to generate such list: (proposed at Debian)
#!/bin/bash

# License: GPLv3
# Copyright Philippe Teuwen <phil a teuwen o org> 2008
if [[ $# -ne 5 ]]; then
    cat <<EOF
Usage: $0 input output datestring organizer title
Or:    $0 -     output datestring organizer title
       to read from STDIN
Example:
       echo 9AD7E3DB 54C12701 |\\
       $0 - ksp-file.txt "20080222 1100" "Philippe Teuwen <phil a teuwen o org>" "my party 08"
EOF
    exit 0
fi

input="$1"
[ "$input" == "-" ] && input="";
output="$2"
date="$3"
org="$4"
title=$(echo "$5"|tr a-z A-Z|sed 's/\(.\)/\1 /g')

exec > "$output"

# Date of event
LANG=C date --date="$date" +"%A, %B %e, %Y;  %H:%M"
# Organiser contact
printf "%80s\n\n\n" "$org"
# Title
printf "%*s\n\n" $(((72+$(echo "$title"|wc -c))/2)) "$title"
# Header
cat <<EOF
                     List of Participants  (v 1.0)


Here's what you have to do with this file:
(1) Print this file to paper.
(2) Compute this file's MD5 checksum and optionally also its SHA1 checksum.
   gpg --print-md md5  $output  (or use md5sum)
   gpg --print-md sha1 $output  (or use sha1sum)
(3) fill in the hash values on the printout.
(4) Bring the printout, a pen, and proof of identity to the keysigningparty (and be on time!).

MD5 Checksum:  __ __ __ __ __ __ __ __    __ __ __ __ __ __ __ __           [ ]



SHA1 Checksum: ____ ____ ____ ____ ____    ____ ____ ____ ____ ____         [ ]




EOF

k=0;
for i in $(cat $input); do 
    k=$(($k+1)); 
    printf "\n%03d  [ ] Fingerprint OK        [ ] ID OK\n" $k;
    gpg --fingerprint $i|grep -v "^sub";
done

At the party

Old notes...

Soient N personnes prêtes à signer
Ces personnes se numérotent de 0 à N-1


  for (i=0;i<N;i++)
  { x signe (N-x+i)%N }

Puisque l'on fait ça N fois et que chacun ne doit signer que N-1 personnes, chacun sera passif lors d'UNE des itérations, simplement celle pour laquelle l'algo lui dit: x signe x
Bref tout le monde est occupé (N-1/N) % du temps :-)

Physiquement on peut se disposer en double file comme ceci: (ceux mis sur les bords ne signent pas)


      |   i=0   |   i=1   |   i=2   |   i=3   |   i=4   |   i=5
  ----+---------+---------+---------+---------+---------+---------
      |   1 2   |   1 2   |   2 3   |   2 3   |   3 4   |
  N=5 | 0 | |   |   | | 3 | 1 | |   |   | | 4 | 2 | |   |
      |   4 3   |   0 4   |   0 4   |   1 0   |   1 0   |
  ----+---------+---------+---------+---------+---------+---------
      |   1 2   |  1 2 3  |   2 3   |  2 3 4  |   3 4   |  3 4 5
  N=6 | 0 | | 3 |  | | |  | 1 | | 4 |  | | |  | 2 | | 5 |  | | |
      |   5 4   |  0 5 4  |   0 5   |  1 0 5  |   1 0   |  2 1 0
  ----+---------+---------+---------+---------+---------+---------

Avantage de l'algo: lorsqu'on prépare les feuilles avec les fingerprints, on peut aussi préparer pour chacun l'ordre dans lequel il doit signer les autres:

#!/bin/bash
# argument: nbre total de personnes
N=$1
for ((x=0;x<N;x++)); do
   echo -n "$x signera dans l'ordre: "
   for ((i=0;i<N;i++)); do
      echo -n "$((($N-$x+$i)%$N)) "
   done
   echo ""
done

UPDATE: intéressant, lors du FOSDEM 2008 c'est en double-rang que l'on a effectivement progressé, avec 200 personnes sur la liste il y avait intéret à optimiser en effet ;-)

After the signing party

  • I clean the list ksp-fosdem2008.txt to keep only those I met.
  • I extract the fingerprints
cat ksp-fosdem2008-ok.txt |grep fingerprint|sed 's/^.*= //;s/ //g'> ksp-fosdem2008-finger.txt
  • I configure caff, the first time it creates a template in ~/.caffrc which was nearly ok, I let only my usual public key, told to encrypt also for that key, activated the default email template, chose agpg as signing gpg program and finally chose a public keyserver:
$CONFIG{'local-user'} = [ qw{7A135F579AD7E3DB} ];
$CONFIG{'also-encrypt-to'} = [ qw{7A135F579AD7E3DB} ];
$CONFIG{'gpg-sign'} = '/usr/bin/agpg';
$CONFIG{'keyserver'} = 'wwwkeys.pgp.net';
  • I could not get caff working until I finally copied ~/.gnupg/pubring.gpg and ~/.gnupg/trustdb.gpg to ~/.caff/gnupghome/ then everything worked including import of new keys from the keyserver.
  • Signing only:
caff --no-download --no-export-old --no-mail $(cat ksp-fosdem2008-finger.txt)
yes / save (check twice the uids as you could have forgotten to remove it in ksp-fosdem2008-ok.txt)
  • Sending emails:
caff --no-download --no-sign --no-export-old $(cat ksp-fosdem2008-finger.txt)
  • I got some undeliverable emails, some obviously being jabber ids, so I recovered the email content from ~/.caff/keys/2008-02-24 and sent it over jabber.
  • Short way for a professional signing-party using an internal keyserver:
#!/bin/bash

for i in $(cat <<EOF
98851B2B8B5B43104A25ECA1A6F4CF46E9A11073
56CFE246BB33A42F1142646EE9E8031D67147274
...
EOF) ; do
    gpg --recv-key $i;
    agpg -u nxp --sign-key $i;
    gpg --send-key $i;
done
  • In case you mistype your passphrase with quintuple-agent (agpg), you've to delete the stored passphrase before trying again:
q-client list
q-client delete 54C12701
  • You'll receive also the signatures of (some of) your peers by mail. If you use Enigmail, you can simply right-click on the attachment and choose "Import OpenPGP key", that's it!
    Don't forget to retrieve also your key from the keyservers as some people push directly their signature instead of sending you a mail.
  • Check who has signed your key:
gpglist 9AD7E3DB

Later after the signing-party

A post of Philip on his blog highlighted the fact that a certain amount of people don't do their homework.

So I wrote a small script to see my own status:

#!/bin/bash

# Copyright: Philippe Teuwen <phil a teuwen o org>
# License:   GPLv2 or later
# This requires the gpglist and caff tools provided with signing-party package

##########################################################

# DATE is a globbing pattern for the folders in ~/.caff/keys
# Leave * to consider all mails you've sent through caff
DATE="2008*"

KEYID=

##########################################################

# If no keyid given, let's take the first one we find:
if [ "$KEYID" == "" ]; then
    KEYID=$(gpg --list-secret-keys|\
		awk '/^sec/{sub(/.*\//,"",$2);print $2;exit}')
fi
WHODIDSIGN=/tmp/who-did-sign-$$
WHODIDUPLOAD=/tmp/who-did-upload-$$

# Generating a temp list of those who signed my key
gpglist $KEYID |\
    sed '1,/^1/d;s/^[x ]\+//;s/ .*$//' \
    > $WHODIDSIGN

# Getting a list of those we've only unidirectional signatures on the keyservers
wget -q -O - "http://pgp.cs.uu.nl/mk_path.cgi?STAT=$KEYID&STATS=statistics"|\
    awk '
	/<\/UL>/ {b=0}
	/<LI>/ && b==1 {
	    match($0,/.*SMALL>(.*)<\/SMALL.*/,a);
	    print a[1]
	}
	/by this key/ {b=1}' \
    > $WHODIDUPLOAD

# Print some stats of nr I signed (via caff):
echo -n "==== Nr of people I signed: "
find ~/.caff/keys/$DATE/*.mail.1.* -type f|wc -l

echo "==== Those who didn't sign me in turn: (in red the leechers)"
# Generating list of those I signed (via caff) and substracting the first list
# Displaying results, in red those leechers who uploaded your sig on their key
# but were too lazy to do their homework to sign your key
find ~/.caff/keys/$DATE/*.mail.1.* -type f -exec basename {} \;|\
    grep -v -f $WHODIDSIGN|\
    sed 's/\.mail\.1\./ /'|\
    sort -k 2 |\
    grep --color=auto -C1000 -f $WHODIDUPLOAD

rm -f $WHODIDSIGN $WHODIDUPLOAD

Note that the script does not take into account the fact that some people came with several keys and already signed my key with one of their keys.

Here is a (cleaned) output, replacing the red flags by !! after Fosdem 2008:

==== Nr of people I signed: 85
==== Those who didn't sign me in turn: (in !! the leechers)
   99CBF9FDF4516C2D Adam Boardman
!! 28B5F4DD948F646C Adrien Kunysz (Krunch)
!! B7511409FC15DBEC Alexios Zavras (zvr)
!! 152865FB627CCF95 Bas Wijnen
!! 8F70629AC718D347 Bradley John Smith
!! 6FD13DDCD7CDE9E6 Bram Van Dam
   37E950505B625015 David Vuorio
!! 103CAA693891CD0B Guido Serra (GNU_Linux sysadmin, developer)
!! 9C19DB3C039ACDF0 Jose Maria Casanova Crespo (Chema)
   269CC0A1EEE120A2 Katharina Peter
   8D3867D89DDB992B Luca Capello
   C87C13316AA2C883 Machteld de Kok
!! 3C4DE8C0E4B48C48 Nanaea Geyer (Privat)
!! 85E7F6EC89789A18 Sebastian Noack
   3048C78B7984A4FD Toni Timonen
   9D9D7CE70BF3708E Xavier Lagorce

Short GnuPG reference card

Note on commands syntax:

  • keywords are written between <> and are supposed to be replaced by something meaningful...
  • optional items are written between []
  • some options have an alternative short notation, proposed behind a |, e.g. --decrypt|-d (choose only one syntax)

Setting a keyserver as default

Edit ~/.gnupg/gpg.conf:

keyserver  hkp://<my.best.keyserver.org>

If you do so you won't need to specify the keyserver manually anymore as option in the commands given in the next sections.

WinPT: "Keyserver" menu -> right-click somewhere in the white area -> "Add" -> HKP Keyserver, Hostname: <my.best.keyserver.org>, Port: 11371 -> "Add" -> Select your keyserver and press "Set default".

encrypting (and signing) a file

gpg [[--local-user|-u <yourself@foo.com>] --sign|-s]  # if you want to sign (opt with another key than your main key)
   [--armor|-a]                                      # if you want to armor (ASCII) the output, else it's binary
   --encrypt|-e 
   --recipient|-r <someone@foo.com> 
   [--encrypt-to <second_recipient@foo.com>]         # if you want other people to be able to decrypt as well
   [--encrypt-to <yourself@foo.com>]                 # if you want yourself to be able to decrypt as well
   [--output|-o <file.asc>]
   <file>

decrypting (and verifying) a file

gpg [--decrypt|-d]
   [--output|-o <file>]
   <file.asc>

So, yes, without any option gpg will decrypt/verify

searching a key on the keyserver

gpg --keyserver <my.best.keyserver.org>
   --search <someone>                              # search only on full words

From here you can directly import a key by providing its numeral (1, 2, 3...)

importing a key from the keyserver

gpg --keyserver <my.best.keyserver.org>
   --recv-key <key_id>                             # key-id is the last 8 bytes of the fingerprint

exporting a key to the keyserver

gpg --keyserver <my.best.keyserver.org>
   --send-key <key_id>                             # key-id is the last 8 bytes of the fingerprint

importing a key from a file

gpg  --import <pubkey.asc>

exporting your publickey to a file

gpg  --armor|-a --output|-o <yourpubkey.asc> --export <yourself@foo.com>

printing your fingerprint

(e.g. to put in your mails footers)

gpg --fingerprint <yourself>|grep -i fingerprint

printing the fingerprint of an exported keyfile

gpg --with-fingerprint <exported_keyfile>|grep -i fingerprint

signing a key

(see also below)

gpg --sign-key <someone>

Then you can upload it to the keyserver
WinPT: When signing, don't forget to un-check the "Sign local only" box otherwise your signature cannot be exported to the server.

trusting a key owner

How far you trust this user to correctly verify other users' keys (by looking at passports, checking fingerprints from different sources, etc.)

gpg --edit-key <someone>
Command> trust

=> Choose the proper trust level

Command> quit

=> save changes Remember that trust is not exported and purely local

revoking a subkey or a UID

(old email address,...)

gpg --edit-key <yourself>

=> select UID(s) or subkey(s) by its numeral: 1, 2, 3...

Command> uid/key <n>
Command> revuid/revkey
Command> quit

=> save changes

Then you can upload it to the keyserver

extracting a session key

If you're forced to by a decryption order...

gpg --show-session-key --output|-o /dev/null <encrypted_file>

This will give you a long string: the session key
It can be used to decrypt that file

gpg --override-session-key <9:0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF>  <encrypted_file> 

Creating fresh keys

Preferably RSA keys >= 2048 bits
E.g. create first a RSA key for signing only then add a RSA encryption key:

gpg --expert --gen-key
=> (5) RSA (sign only)
=> 2048 or bigger
=> validity: forever is ok
=> your name & email
=> choose a strong passphrase and be sure not to forget it!
gpg --edit-key <yourself>
Command> addkey
=> re-type your passphrase
=> (6) RSA (encrypt only)
=> 2048 or bigger
=> validity: forever is ok
Command> quit
=> save changes

Importing a secret key from PGP

If you've already a PGP key you can import it into GnuPG:
Under PGP, choose to export your key and ack to export also the secret key, tell where to put your ascii file, e.g. mykey.asc
With GnuPG, import the ascii file with the following command:

gpg --import --allow-secret-key-import < <mykey.asc>

Recovering a public key from a secret key

In case you destroyed your public key and cannot fetch it from the keyserver, you can reconstruct it:

gpg --export-secret-key <myname> | gpgsplit --no-split --secret-to-public |gpg import

Generating a revocation certificate

just in case...

Print it and keep it safe in case your key is compromised or you definitively forgot your passphrase:

gpg --gen-revoke <yourself>

Signing keys the right way

Signing keys involve more than a few GPG commands as it implies trust.
Get the public key of someone, either via keyserver or import file
Get the owner of the key in contact with you
Verify his identity (authenticate the owner)
Show him the fingerprint of his key from your computer (when you want to sign the soft will show you the fingerprint)
He must verify his fingerprint and make sure you are about to sign *his* key (the owner authenticates his key)
Sign the key, in an exportable way
Send the signed key to the server
Skipping the social aspect, a signature via gpg will look like:

gpg --keyserver <my.best.keyserver.org> --search <someone>
# either import interactively the key or find the key_id and get it:
gpg --keyserver <my.best.keyserver.org> --recv-key <key_id>
gpg --sign-key <key_id>
gpg --keyserver <my.best.keyserver.org> --send-key <key_id>