2010年5月23日星期日
GnuPG 使用详解
GnuPG (英文:GNU Privacy Guard,简称:GPG) 是一份开放源代码的PGP加密自由软件。GnuPG依照由IETF订定的OpenPGP技术标准设计(rfc 4880)。GnuPG是用于加密、数字签章及产生非对称匙对的软件。IETF正在为PGP协议进行标准化,标准化的PGP称为OpenPGP。当前版本的PGP及Veridis' Filecrypt与GnuPG或其他OpenPGP系统兼容。GnuPG是自由软件基金会的GNU计划的一部份,目前受德国政府资助。以GNU通用公共许可证第三版授权。GnuPG是按照OpenPGP标准的软件,因此OpenPGP的历史与GnuPG的关系密切。电子邮件加密协议则由Phil Zimmermann开发。GnuPG 2.0 于2006年11月13日发布,加入了S/MIME-多用途网际邮件扩充协议 (Secure Multipurpose Internet Mail Extensions. RFC 2311)。因为GnuPG 2.0的新的软件架构不支持某些用途,所以1.x与2.0是两个分支版本。
1、使用命令生成密钥对。
$ gpg --gen-key
gpg (GnuPG) 1.4.9; Copyright (C) 2008 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
gpg: directory `/home/erinzhang/.gnupg' created
gpg: new configuration file `/home/erinzhang/.gnupg/gpg.conf' created
gpg: WARNING: options in `/home/erinzhang/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/home/erinzhang/.gnupg/secring.gpg' created
gpg: keyring `/home/erinzhang/.gnupg/pubring.gpg' created
Please select what kind of key you want:
(1) DSA and Elgamal (default)
(2) DSA (sign only)
(5) RSA (sign only)
(注:第一个选项包括GPG的全部特性,默认选一)
Your selection? 1
DSA keypair will have 1024 bits.
ELG-E keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
= key expires in n days
w = key expires in n weeks
m = key expires in n months
y = key expires in n years
Key is valid for? (0) (默认密钥永不过期)
Key does not expire at all
Is this correct? (y/N) y
You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
"Heinrich Heine (Der Dichter)"
Real name: woody shi
Email address: woody.shi@gmail.com
Comment: guy
You selected this USER-ID:
"woody shi (guy)"
(user ID 包括三部分:Real Name, Comment和Email Address)
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.
(输入密码保护密钥,非对称加密时用私钥解密时会用得到)
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
++++++++++..+++++++++++++++..+++++.+++++++++++++++++++++++++.++++++++++.++++++++++++++++++++.++++++++++++++++++++++++++++++.+++++.+++++++++++++++..............>++++++++++
Not enough random bytes available. Please do some other work to give
the OS a chance to collect more entropy! (Need 279 more bytes)
yihkhhjkhjkhkhhjhkjhuihuggkhgkhkjhjkhkhkhjlhhuhohuhuohuohuohouhohlhkjhkhkjhkjhjhjklhiuohyiuykuyiuyiyhoyhhhohjhhlklhjlhiuyiuyiuyoygouguogiogyigtgygggioigigigooogugogoguguogugguguggugiugiguogougigoigigoiguogggoggooggogugoggugougigougoguogogogogigoiggogougogoguogguoguogoguogougoguogogogoguougooguugogogougogoigogogoguogougoigogoguogouguoguiyuiyiyouhguhkgoyiyyyuiyuiyiuyiuyiuyui6u967yuiWe need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
(操作鼠标键盘生成随机因子)
+++++++++++++++++++++++++.+++++.+++++++++++++++++++++++++++++++++++.+++++.++++++++++.++++++++++++++++++++++y+g++++++++++++++++++++++iu+++++.+++++.++++++++++>++++++++++>+++++g.g.jg................................+++++^^^
gpg: /home/erinzhang/.gnupg/trustdb.gpg: trustdb created
gpg: key 87549EB3 marked as ultimately trusted
public and secret key created and signed.
(87549Eb3是公钥的key ID,取自生成公钥指纹的后32位)
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
pub 1024D/87549EB3 2010-05-22
Key fingerprint = D8F6 DC21 34F6 43CF 9948 26B7 82CA D30A 8754 9EB3
uid woody shi (guy)
sub 2048g/20C756EC 2010-05-22
2、查看刚生成的密钥。
查看公钥:
$gpg --list-keys
/home/erinzhang/.gnupg/pubring.gpg
----------------------------------
pub 1024D/87549EB3 2010-05-22
uid woody shi (guy)
sub 2048g/20C756EC 2010-05-22
上例中1024D/87549EB3中的87549EB3称为key ID。
3、导出生成的公钥
$ gpg --export -a 87549EB3 > woodyshi-pubkey.asc
或
$ gpg -o woodyshi-pubkey.asc -a --export woody shi
分别以key ID和user ID导出公钥,"-a"表示以ascii方式导出,缺省是二进制格式。
查看该公钥,
$ vi woodyshi-pubkey.asc
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.9 (GNU/Linux)
mQGiBEv3YrgRBAC7m+NnRAEBvVx2CWLfdQtPmVnDbSe7CyFgiG0MOPcwcQUzSEIh
iixqs8vBo03QT/IRDMghEOItTXKKNOwhf/MO8ITe5OnXiOxcZCYpE7frt6yskhEZ
11WHeBMrbGEQUDagFDACeKem8HQN4dJV/yM5rw6kD22OuG3uH8dUq6Tb4wCg+nqd
YCVqJTUJZRcdISuRjXMpvUUD/0G7rMm4uFGoqxlzH6DsILjS3DwD2gO2bq8zFCBM
erM4mygxfgbQ3zn+4Mld7af3dcYTnAn+6dwrVIQ3MLYNQVSgVYdeycV2fQhiwqoA
uU7LmKNToV6xr4204VQ38YbYDbzimTa+rojAIiK1Gf8LB9N3TAPqjmi1deT0BKeo
u6l3A/9cq865W/4zZ0mBynqnzMvkdZs+R6HodZ8PEy9LM4c5Uqa1N3peGMBN1bQ0
kpDmNGaP4ivPiLVQH8F4Ht3u2ypB8dzLxUlv01BsZSuwfqaV6Sz2FM9LtzRgRgoc
vq67/DWbTkoDiSc+9wLqYuDMHJ3d8KiaWAOYDBRPCxO49z1sXLQld29vZHkgc2hp
IChndXkpIDx3b29keS5zaGlAZ21haWwuY29tPohgBBMRAgAgBQJL92K4AhsDBgsJ
CAcDAgQVAggDBBYCAwECHgECF4AACgkQgsrTCodUnrN84gCgjoabrvHcCuEivxVC
5m6C2HvUx2oAoPH+LLB3YOJMy6OPMyK6ruuyGV1KuQINBEv3YrgQCACPD9dJbXR5
z+gLMkJ3Glcxg4nkqRGGArjOssrlLgXkWE9jh4HztT0XPAhsACEy/SCAYLXUZ1Zw
XSNgYNDXV3onyAT4QPFUysFa4kjf6Oc9CHB4+25l3DS9wyIGKlUGKOIhkDTbIJYf
TIETGU1d5bMPJxQOYosDQPopZdI9iMov5y+4uY6rgfdNV7XxV253hmrnehYdqu7Z
5JL70UaUCnWWbpmDY/R/Ieb7VXzh/uAbLMlaKwLMuvWO4Wa1u80e66GNsEnitd9W
RMU99eSiHHPtL8+KyjU44ZbhNBPKiPBMwu/LeyLTuPbfiWDjG8eteBIuUONEsQ3L
zyzruhnp23CDAAMFB/wOE7VvyHeMix1wHH0wgX/TZfoPQzWJ6PePrYXqFg7StvoF
pJOVwTXU/zCvF8rlReU+Bo8KlbS2kumXcRWVM/SrRlGF8nsRXR2I8lKD94PlU6zn
BRI4LYmOKabpMsD5LhUdrwhlE2nfb/0SNz+vkIJmBuCndQsn7cU3IwiW99eVJKOb
dZMQ9DeMQhcv/d2Buad0Qg2BbP7p8jPrIfRHioBdicVeyCu/Z9vj/VXocqb1AzAX
+97yETEY6GIelUZCubTlP9CYp2cT7inq9n/ZFEy8PXPCVkVo6wT1FDDFuI+2+BPm
yY2Hq9fuG8yOHhkkB41D8IWYiaQX82h+vvU/QsCeiEkEGBECAAkFAkv3YrgCGwwA
CgkQgsrTCodUnrPM3gCglZ/hkdf2NMy/iOnI7igx3vKXbbIAn2yf44/WfAQpjPeS
5yabAtgmkp0T
=mvBw
-----END PGP PUBLIC KEY BLOCK-----
4、发布自己的公钥。
http://pgp.mit.edu/是key server pgpkeys.mit.edu的webinterface,可以提交公钥。
5、导出私钥,用于备份。
$ gpg --export-secret-keys -a 87549EB3 > woodyshi-seckey.asc
6、导入别人的公钥(以便给别人发送加密文件,公钥用来加密)
$ gpg --import woodyshi.gpg
gpg: /Users/woody/.gnupg/trustdb.gpg:建立了信任度数据库
gpg: 密钥 87549EB3:公钥“woody shi (guy)”已导入
gpg: 合计被处理的数量:1
gpg: 已导入:1
7、用别人的公钥加密文件
创建测试文件test。
$ gpg -o test.gpg -e test
您没有指定用户标识。(您可以在命令行中用“-r”指定)
当前收件人:
输入用户标识。以空白行结束:woody shi
gpg: 20C756EC:没有证据表明这把密钥真的属于它所声称的持有者
pub 2048g/20C756EC 2010-05-22 woody shi (guy)
主钥指纹: D8F6 DC21 34F6 43CF 9948 26B7 82CA D30A 8754 9EB3
子钥指纹: 6E77 55C7 59E5 2A6A 94CF 568A 3AF7 FBDC 20C7 56EC
这把密钥并不一定属于用户标识声称的那个人。如果您真的知道自
己在做什么,您可以在下一个问题回答 yes。
无论如何还是使用这把密钥吗?(y/N)y
当前收件人:
2048g/20C756EC 2010-05-22 "woody shi (guy)"
文件输出位test.gpg,-e表示加密,-r后可直接跟接收者的user ID
或
$ gpg -o test.gpg -ea test
-a 选项告诉GPG加密成ASCII,这样适合邮件发送,而且还可以查看。
8、文件解密
$ gpg -o test -d test.gpg
You need a passphrase to unlock the secret key for
user: "woody shi (guy)"
2048-bit ELG-E key, ID 20C756EC, created 2010-05-22 (main key ID 87549EB3)
(输入passphrase,用于解密)
gpg: encrypted with 2048-bit ELG-E key, ID 20C756EC, created 2010-05-22
"woody shi (guy)"
9、使用对称密钥加密
$ gpg -o test.sym -c test
-c表示对称加密方式,需要输入两次密码。
$gpg -o test -d test.sym
gpg: CAST5 加密过的数据
gpg: 以 1 个密码加密
gpg: 警告:报文未受到完整的保护
解密,输入刚才设置的口令。
10、数字签名
$ gpg -o test.sig -s test
You need a passphrase to unlock the secret key for
user: "woody shi (guy)"
1024-bit DSA key, ID 87549EB3, created 2010-05-22
(输入保护密钥的passphrase)
gpg: Invalid passphrase; please try again ...
You need a passphrase to unlock the secret key for
user: "woody shi (guy)"
1024-bit DSA key, ID 87549EB3, created 2010-05-22
test.sig包含了原文件和签名,是二进制的。
$ gpg --verify test.sig
gpg: 于 六 5/22 23:01:20 2010 CST 创建的签名,使用 DSA,钥匙号 87549EB3
gpg: 完好的签名,来自于“woody shi (guy)”
gpg: 警告:这把密钥未经受信任的签名认证!
gpg: 没有证据表明这个签名属于它所声称的持有者。
主钥指纹: D8F6 DC21 34F6 43CF 9948 26B7 82CA D30A 8754 9EB3
$gpg -o test.sig -se test
既签名又加密。
11、文本签名
$ gpg -o testclear.sig --clearsign test
You need a passphrase to unlock the secret key for
user: "woody shi (guy)"
1024-bit DSA key, ID 87549EB3, created 2010-05-22
$ vi testclear.sig
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
fjlasdjfkdyjfjadfla
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkv38lwACgkQgsrTCodUnrNZvACfY43L6V/t0aJeQVpB9AgHbZTX
Q3kAoOBJ26jH3KdEVab89pNSIyrbQRPa
=WEYV
-----END PGP SIGNATURE-----
这样产生的testclear.sig同样包含原文件和签名,其中签名是文本的,而原文件不变(fjlasdjfkdyjfjadfla)。
12、分离式签名
$ gpg -o testdetached.sig -ab doc
testdetached.sig仅包括签名,分离式签名的意思是原文件和签名是分开的。如要验证签名,必须有被签名的源文件才可。
$ gpg testdetached.sig
分离的签名。
请输入数据文件的名称: test
gpg: 于 六 5/22 23:09:55 2010 CST 创建的签名,使用 DSA,钥匙号 87549EB3
gpg: 完好的签名,来自于“woody shi (guy)”
gpg: 警告:这把密钥未经受信任的签名认证!
gpg: 没有证据表明这个签名属于它所声称的持有者。
主钥指纹: D8F6 DC21 34F6 43CF 9948 26B7 82CA D30A 8754 9EB3
1、使用命令生成密钥对。
$ gpg --gen-key
gpg (GnuPG) 1.4.9; Copyright (C) 2008 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
gpg: directory `/home/erinzhang/.gnupg' created
gpg: new configuration file `/home/erinzhang/.gnupg/gpg.conf' created
gpg: WARNING: options in `/home/erinzhang/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/home/erinzhang/.gnupg/secring.gpg' created
gpg: keyring `/home/erinzhang/.gnupg/pubring.gpg' created
Please select what kind of key you want:
(1) DSA and Elgamal (default)
(2) DSA (sign only)
(5) RSA (sign only)
(注:第一个选项包括GPG的全部特性,默认选一)
Your selection? 1
DSA keypair will have 1024 bits.
ELG-E keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
Key is valid for? (0) (默认密钥永不过期)
Key does not expire at all
Is this correct? (y/N) y
You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
"Heinrich Heine (Der Dichter)
Real name: woody shi
Email address: woody.shi@gmail.com
Comment: guy
You selected this USER-ID:
"woody shi (guy)
(user ID 包括三部分:Real Name, Comment和Email Address)
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.
(输入密码保护密钥,非对称加密时用私钥解密时会用得到)
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
++++++++++..+++++++++++++++..+++++.+++++++++++++++++++++++++.++++++++++.++++++++++++++++++++.++++++++++++++++++++++++++++++.+++++.+++++++++++++++..............>++++++++++
Not enough random bytes available. Please do some other work to give
the OS a chance to collect more entropy! (Need 279 more bytes)
yihkhhjkhjkhkhhjhkjhuihuggkhgkhkjhjkhkhkhjlhhuhohuhuohuohuohouhohlhkjhkhkjhkjhjhjklhiuohyiuykuyiuyiyhoyhhhohjhhlklhjlhiuyiuyiuyoygouguogiogyigtgygggioigigigooogugogoguguogugguguggugiugiguogougigoigigoiguogggoggooggogugoggugougigougoguogogogogigoiggogougogoguogguoguogoguogougoguogogogoguougooguugogogougogoigogogoguogougoigogoguogouguoguiyuiyiyouhguhkgoyiyyyuiyuiyiuyiuyiuyui6u967yuiWe need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
(操作鼠标键盘生成随机因子)
+++++++++++++++++++++++++.+++++.+++++++++++++++++++++++++++++++++++.+++++.++++++++++.++++++++++++++++++++++y+g++++++++++++++++++++++iu+++++.+++++.++++++++++>++++++++++>+++++g.g.jg................................+++++^^^
gpg: /home/erinzhang/.gnupg/trustdb.gpg: trustdb created
gpg: key 87549EB3 marked as ultimately trusted
public and secret key created and signed.
(87549Eb3是公钥的key ID,取自生成公钥指纹的后32位)
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
pub 1024D/87549EB3 2010-05-22
Key fingerprint = D8F6 DC21 34F6 43CF 9948 26B7 82CA D30A 8754 9EB3
uid woody shi (guy)
sub 2048g/20C756EC 2010-05-22
2、查看刚生成的密钥。
查看公钥:
$gpg --list-keys
/home/erinzhang/.gnupg/pubring.gpg
----------------------------------
pub 1024D/87549EB3 2010-05-22
uid woody shi (guy)
sub 2048g/20C756EC 2010-05-22
上例中1024D/87549EB3中的87549EB3称为key ID。
3、导出生成的公钥
$ gpg --export -a 87549EB3 > woodyshi-pubkey.asc
或
$ gpg -o woodyshi-pubkey.asc -a --export woody shi
分别以key ID和user ID导出公钥,"-a"表示以ascii方式导出,缺省是二进制格式。
查看该公钥,
$ vi woodyshi-pubkey.asc
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.9 (GNU/Linux)
mQGiBEv3YrgRBAC7m+NnRAEBvVx2CWLfdQtPmVnDbSe7CyFgiG0MOPcwcQUzSEIh
iixqs8vBo03QT/IRDMghEOItTXKKNOwhf/MO8ITe5OnXiOxcZCYpE7frt6yskhEZ
11WHeBMrbGEQUDagFDACeKem8HQN4dJV/yM5rw6kD22OuG3uH8dUq6Tb4wCg+nqd
YCVqJTUJZRcdISuRjXMpvUUD/0G7rMm4uFGoqxlzH6DsILjS3DwD2gO2bq8zFCBM
erM4mygxfgbQ3zn+4Mld7af3dcYTnAn+6dwrVIQ3MLYNQVSgVYdeycV2fQhiwqoA
uU7LmKNToV6xr4204VQ38YbYDbzimTa+rojAIiK1Gf8LB9N3TAPqjmi1deT0BKeo
u6l3A/9cq865W/4zZ0mBynqnzMvkdZs+R6HodZ8PEy9LM4c5Uqa1N3peGMBN1bQ0
kpDmNGaP4ivPiLVQH8F4Ht3u2ypB8dzLxUlv01BsZSuwfqaV6Sz2FM9LtzRgRgoc
vq67/DWbTkoDiSc+9wLqYuDMHJ3d8KiaWAOYDBRPCxO49z1sXLQld29vZHkgc2hp
IChndXkpIDx3b29keS5zaGlAZ21haWwuY29tPohgBBMRAgAgBQJL92K4AhsDBgsJ
CAcDAgQVAggDBBYCAwECHgECF4AACgkQgsrTCodUnrN84gCgjoabrvHcCuEivxVC
5m6C2HvUx2oAoPH+LLB3YOJMy6OPMyK6ruuyGV1KuQINBEv3YrgQCACPD9dJbXR5
z+gLMkJ3Glcxg4nkqRGGArjOssrlLgXkWE9jh4HztT0XPAhsACEy/SCAYLXUZ1Zw
XSNgYNDXV3onyAT4QPFUysFa4kjf6Oc9CHB4+25l3DS9wyIGKlUGKOIhkDTbIJYf
TIETGU1d5bMPJxQOYosDQPopZdI9iMov5y+4uY6rgfdNV7XxV253hmrnehYdqu7Z
5JL70UaUCnWWbpmDY/R/Ieb7VXzh/uAbLMlaKwLMuvWO4Wa1u80e66GNsEnitd9W
RMU99eSiHHPtL8+KyjU44ZbhNBPKiPBMwu/LeyLTuPbfiWDjG8eteBIuUONEsQ3L
zyzruhnp23CDAAMFB/wOE7VvyHeMix1wHH0wgX/TZfoPQzWJ6PePrYXqFg7StvoF
pJOVwTXU/zCvF8rlReU+Bo8KlbS2kumXcRWVM/SrRlGF8nsRXR2I8lKD94PlU6zn
BRI4LYmOKabpMsD5LhUdrwhlE2nfb/0SNz+vkIJmBuCndQsn7cU3IwiW99eVJKOb
dZMQ9DeMQhcv/d2Buad0Qg2BbP7p8jPrIfRHioBdicVeyCu/Z9vj/VXocqb1AzAX
+97yETEY6GIelUZCubTlP9CYp2cT7inq9n/ZFEy8PXPCVkVo6wT1FDDFuI+2+BPm
yY2Hq9fuG8yOHhkkB41D8IWYiaQX82h+vvU/QsCeiEkEGBECAAkFAkv3YrgCGwwA
CgkQgsrTCodUnrPM3gCglZ/hkdf2NMy/iOnI7igx3vKXbbIAn2yf44/WfAQpjPeS
5yabAtgmkp0T
=mvBw
-----END PGP PUBLIC KEY BLOCK-----
4、发布自己的公钥。
http://pgp.mit.edu/是key server pgpkeys.mit.edu的webinterface,可以提交公钥。
5、导出私钥,用于备份。
$ gpg --export-secret-keys -a 87549EB3 > woodyshi-seckey.asc
6、导入别人的公钥(以便给别人发送加密文件,公钥用来加密)
$ gpg --import woodyshi.gpg
gpg: /Users/woody/.gnupg/trustdb.gpg:建立了信任度数据库
gpg: 密钥 87549EB3:公钥“woody shi (guy)
gpg: 合计被处理的数量:1
gpg: 已导入:1
7、用别人的公钥加密文件
创建测试文件test。
$ gpg -o test.gpg -e test
您没有指定用户标识。(您可以在命令行中用“-r”指定)
当前收件人:
输入用户标识。以空白行结束:woody shi
gpg: 20C756EC:没有证据表明这把密钥真的属于它所声称的持有者
pub 2048g/20C756EC 2010-05-22 woody shi (guy)
主钥指纹: D8F6 DC21 34F6 43CF 9948 26B7 82CA D30A 8754 9EB3
子钥指纹: 6E77 55C7 59E5 2A6A 94CF 568A 3AF7 FBDC 20C7 56EC
这把密钥并不一定属于用户标识声称的那个人。如果您真的知道自
己在做什么,您可以在下一个问题回答 yes。
无论如何还是使用这把密钥吗?(y/N)y
当前收件人:
2048g/20C756EC 2010-05-22 "woody shi (guy)
文件输出位test.gpg,-e表示加密,-r后可直接跟接收者的user ID
或
$ gpg -o test.gpg -ea test
-a 选项告诉GPG加密成ASCII,这样适合邮件发送,而且还可以查看。
8、文件解密
$ gpg -o test -d test.gpg
You need a passphrase to unlock the secret key for
user: "woody shi (guy)
2048-bit ELG-E key, ID 20C756EC, created 2010-05-22 (main key ID 87549EB3)
(输入passphrase,用于解密)
gpg: encrypted with 2048-bit ELG-E key, ID 20C756EC, created 2010-05-22
"woody shi (guy)
9、使用对称密钥加密
$ gpg -o test.sym -c test
-c表示对称加密方式,需要输入两次密码。
$gpg -o test -d test.sym
gpg: CAST5 加密过的数据
gpg: 以 1 个密码加密
gpg: 警告:报文未受到完整的保护
解密,输入刚才设置的口令。
10、数字签名
$ gpg -o test.sig -s test
You need a passphrase to unlock the secret key for
user: "woody shi (guy)
1024-bit DSA key, ID 87549EB3, created 2010-05-22
(输入保护密钥的passphrase)
gpg: Invalid passphrase; please try again ...
You need a passphrase to unlock the secret key for
user: "woody shi (guy)
1024-bit DSA key, ID 87549EB3, created 2010-05-22
test.sig包含了原文件和签名,是二进制的。
$ gpg --verify test.sig
gpg: 于 六 5/22 23:01:20 2010 CST 创建的签名,使用 DSA,钥匙号 87549EB3
gpg: 完好的签名,来自于“woody shi (guy)
gpg: 警告:这把密钥未经受信任的签名认证!
gpg: 没有证据表明这个签名属于它所声称的持有者。
主钥指纹: D8F6 DC21 34F6 43CF 9948 26B7 82CA D30A 8754 9EB3
$gpg -o test.sig -se test
既签名又加密。
11、文本签名
$ gpg -o testclear.sig --clearsign test
You need a passphrase to unlock the secret key for
user: "woody shi (guy)
1024-bit DSA key, ID 87549EB3, created 2010-05-22
$ vi testclear.sig
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
fjlasdjfkdyjfjadfla
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkv38lwACgkQgsrTCodUnrNZvACfY43L6V/t0aJeQVpB9AgHbZTX
Q3kAoOBJ26jH3KdEVab89pNSIyrbQRPa
=WEYV
-----END PGP SIGNATURE-----
这样产生的testclear.sig同样包含原文件和签名,其中签名是文本的,而原文件不变(fjlasdjfkdyjfjadfla)。
12、分离式签名
$ gpg -o testdetached.sig -ab doc
testdetached.sig仅包括签名,分离式签名的意思是原文件和签名是分开的。如要验证签名,必须有被签名的源文件才可。
$ gpg testdetached.sig
分离的签名。
请输入数据文件的名称: test
gpg: 于 六 5/22 23:09:55 2010 CST 创建的签名,使用 DSA,钥匙号 87549EB3
gpg: 完好的签名,来自于“woody shi (guy)
gpg: 警告:这把密钥未经受信任的签名认证!
gpg: 没有证据表明这个签名属于它所声称的持有者。
主钥指纹: D8F6 DC21 34F6 43CF 9948 26B7 82CA D30A 8754 9EB3
// 发贴者:放牛娃的春天 @ 五月 23, 2010 
订阅 博文 [Atom]