Your question is really "how do I encrypt without gpg balking because the key is not trusted?"
One answer is that you can sign the key.
gpg --edit-key YOUR_RECIPIENT
sign
yes
save
Another way is to tell gpg to trust the key anyway.
gpg --encrypt --recipient YOUR_RECIPIENT --trust-model always YOUR_FILE
I happen to have a situation similar to the OP's: I am trying to use public/private keys to sign and encrypt firmware for various embedded devices. Since no answer so far shows how to add trust to an already imported key, here is mine.
After creating and testing the keys on a test machine, I exported them in ASCII format:
$ gpg --export -a <hex_key_id> > public_key.asc
$ gpg --export-secret-keys -a <hex_key_id> > private_key.asc
Then I securely copied them and imported them on the build server:
$ gpg --import public_key.asc
$ gpg --import private_key.asc
Now edit the key to add ultimate trust:
$ gpg --edit-key <user@here.com>
At the gpg> prompt, type trust, then 5 for ultimate trust, then y to confirm, and finally quit.
Now test with a test file:
$ gpg --sign --encrypt --yes --batch --status-fd 1 --recipient "recipient" --output testfile.gpg testfile.txt
which reports:
...
[GNUPG:] END_ENCRYPTION
Without adding trust I would get all sorts of errors (not limited to the following):
gpg: There is no assurance this key belongs to the named user
gpg: testfile.bin: sign+encrypt failed: Unusable public key
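As an added example (not part of the answer above and not the answerer's code): the same export/import/trust/test workflow driven entirely from a script. Instead of grepping the human-readable error text, it reads GnuPG's machine-readable status lines (`--status-fd`), where an untrusted recipient shows up as `INV_RECP 10` and a missing one as `INV_RECP 1`, so a build job fails with a clear reason instead of hanging on an interactive prompt. It assumes GnuPG 2.x on the PATH; the user ID, file names and the sample status lines are constructed for the example.

```bash
#!/usr/bin/env bash
# Added example, not from the original answer: scripted encryption with
# machine-readable failure detection, plus a demo in throwaway keyrings.
# Assumes GnuPG 2.x; user IDs, paths and sample status lines are constructed.
set -u

# Reads --status-fd lines on stdin and prints one of: untrusted, notfound,
# ok, failed. INV_RECP reason codes come from GnuPG's doc/DETAILS:
# 1 = key not found, 10 = key not trusted. END_ENCRYPTION means success.
classify_gpg_status() {
    awk '
        /^\[GNUPG:\] INV_RECP 10 /   { untrusted = 1 }
        /^\[GNUPG:\] INV_RECP 1 /    { notfound = 1 }
        /^\[GNUPG:\] END_ENCRYPTION/ { done = 1 }
        END {
            if (untrusted)     print "untrusted"
            else if (notfound) print "notfound"
            else if (done)     print "ok"
            else               print "failed"
        }'
}

# encrypt_checked RECIPIENT INFILE OUTFILE
# Runs gpg non-interactively, captures status lines on fd 3, prints the
# classification and returns 0 only when encryption completed.
encrypt_checked() {
    local recipient="$1" infile="$2" outfile="$3" status verdict
    status="$(mktemp)"
    gpg --batch --no-tty --yes --status-fd 3 \
        --recipient "$recipient" --output "$outfile" --encrypt "$infile" \
        3>"$status" 2>/dev/null
    verdict="$(classify_gpg_status <"$status")"
    rm -f "$status"
    echo "$verdict"
    [ "$verdict" = ok ]
}

# End-to-end demonstration in throwaway keyrings: a key generated in one
# GNUPGHOME and imported into another is unusable there until its ownertrust
# is set; --import-ownertrust with ":6:" (ultimate) fixes that persistently.
demo() {
    local work sender receiver fpr
    work="$(mktemp -d)"
    sender="$work/sender"; receiver="$work/receiver"
    mkdir -m 700 "$sender" "$receiver"
    GNUPGHOME="$sender" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key 'Firmware Build <build@example.invalid>' default default never
    # Primary key fingerprint: field 10 of the first fpr record
    fpr="$(GNUPGHOME="$sender" gpg --batch --with-colons --list-keys \
           | awk -F: '$1 == "fpr" { print $10; exit }')"
    GNUPGHOME="$sender" gpg --batch --export "$fpr" \
        | GNUPGHOME="$receiver" gpg --batch --quiet --import
    echo 'constructed plaintext' >"$work/testfile.txt"

    export GNUPGHOME="$receiver"
    echo "before ownertrust: $(encrypt_checked "$fpr" "$work/testfile.txt" "$work/t1.gpg")"
    echo "$fpr:6:" | gpg --batch --quiet --import-ownertrust
    echo "after ownertrust:  $(encrypt_checked "$fpr" "$work/testfile.txt" "$work/t2.gpg")"
    gpgconf --kill gpg-agent 2>/dev/null
    unset GNUPGHOME
    GNUPGHOME="$sender" gpgconf --kill gpg-agent 2>/dev/null
    rm -rf "$work"
}

if command -v gpg >/dev/null 2>&1; then
    demo || echo "demo could not run in this environment" >&2
fi
```

With gpg installed the demo should print `before ownertrust: untrusted` followed by `after ownertrust:  ok`; the classifier itself needs no gpg and can be reused on any captured `--status-fd` output. Encrypting to a full fingerprint rather than a name or e-mail address also avoids picking up a look-alike key someone slipped into the keyring.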
Using the --trust-model option is the easier way to tell GPG to trust all of its keys:
gpg -a --encrypt -r <recipient key name> --trust-model always
From the man page:
--trust-model pgp|classic|direct|always|auto
Set what trust model GnuPG should follow. The models are:
always Skip key validation and assume that used
keys are always fully trusted. You generally
won't use this unless you are using some
external validation scheme. This option also
suppresses the "[uncertain]" tag printed
with signature checks when there is no evidence
that the user ID is bound to the key. Note that
this trust model still does not allow the use
of expired, revoked, or disabled keys.
Add
trusted-key 0x0123456789ABCDEF
to ~/.gnupg/gpg.conf. This is equivalent to ultimately trusting this key, which means certifications made by it are treated as valid. Marking this key as valid only, without trusting it, is harder and requires a signature or switching the trust model to direct. If you are certain that you only import valid keys, you can mark all keys as valid by adding trust-model always. In the latter case, make sure automatic key retrieval is disabled (it is not enabled by default).
The following helped me:
When trying to encrypt a file, the following response appears:
gpg -e --yes -r <uid> <filename>
It is NOT certain that the key belongs to the person named
in the user ID. If you *really* know what you are doing,
you may answer the next question with yes.
Use this key anyway? (y/N)
That causes my shell script to fail.
I did:
$ gpg --edit-key <uid>
gpg> trust
Please decide how far you trust this user to correctly verify other
users' keys (by looking at passports, checking fingerprints from
different sources, etc.)
1 = I don't know or won't say
2 = I do NOT trust
3 = I trust marginally
4 = I trust fully
5 = I trust ultimately
m = back to the main menu
Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y
Please note that the shown key validity is not necessarily correct
unless you restart the program.
gpg> quit
echo -e "trust\n5\ny" > x.cmd
gpg2 --command-file x.cmd --edit-key AA11BB22
- rhoerbe
# The "-E" makes this work with both GNU sed and OS X sed
gpg --list-keys --fingerprint --with-colons |
sed -E -n -e 's/^fpr:::::::::([0-9A-F]+):$/\1:6:/p' |
gpg --import-ownertrust
Personally, I prefer a solution that stores the result in the trustdb file itself rather than relying on the user's environment outside of the shared Git repository.
gpg --export-ownertrust | sed 's/:.*/:5:/' | gpg --import-ownertrust
- dessert
Here is a trick I found for automating GnuPG key management; the hint is heredoc + --command-fd 0. It works like magic. Below is a simplified version of a script meant to help automate GnuPG.
#!/usr/bin/env bash
## First argument should be a file path or key id
Var_gnupg_import_key="${1:-}"
## Second argument should be an integer: the trust level from the
## --edit-key "trust" menu (1 = unknown ... 4 = full, 5 = ultimate)
Var_gnupg_import_key_trust="${2:-1}"
## Point to preferred default key server
Var_gnupg_key_server="${3:-hkp://keys.gnupg.net}"

## Drive the interactive trust dialogue with a heredoc on --command-fd 0
Func_import_gnupg_key_edit_trust(){
    _gnupg_import_key="${1:-${Var_gnupg_import_key}}"
    ## Only level 5 (ultimate) asks "Do you really want ... (y/N)"
    _confirm=''
    [ "${Var_gnupg_import_key_trust}" = '5' ] && _confirm='y'
    gpg --no-tty --command-fd 0 --edit-key "${_gnupg_import_key}" <<EOF
trust
${Var_gnupg_import_key_trust}
${_confirm}
quit
EOF
}

Func_import_gnupg_key(){
    _gnupg_import_key="${1:-${Var_gnupg_import_key}}"
    if [ -f "${_gnupg_import_key}" ]; then
        echo "# ${0##*/} reports: importing key file [${_gnupg_import_key}]"
        gpg --no-tty --batch --import "${_gnupg_import_key}"
        ## --import ignores edit commands, so list the primary key
        ## fingerprint(s) contained in the file and set trust on each
        gpg --no-tty --batch --with-colons --import-options show-only \
            --import "${_gnupg_import_key}" \
            | awk -F: '$1 == "pub" {p = 1; next} $1 == "fpr" && p {print $10; p = 0}' \
            | while read -r _fpr; do
                Func_import_gnupg_key_edit_trust "${_fpr}"
              done
    else
        _grep_string='not found on keyserver'
        gpg --dry-run --batch --keyserver "${Var_gnupg_key_server}" \
            --search-keys "${_gnupg_import_key}" | grep -qE "${_grep_string}"
        _exit_status=$?
        if [ "${_exit_status}" != "0" ]; then
            ## Search output lines look like "  2048 bit RSA key 0123456789ABCDEF, created: ..."
            _key_fingerprint="$(gpg --no-tty --batch --dry-run --keyserver "${Var_gnupg_key_server}" \
                --search-keys "${_gnupg_import_key}" | awk '/key /{print $5}' | tail -n1)"
            _key_fingerprint="${_key_fingerprint//,/}"
            if [ "${#_key_fingerprint}" != "0" ]; then
                echo "# ${0##*/} reports: importing key [${_key_fingerprint}] from keyserver [${Var_gnupg_key_server}]"
                gpg --keyserver "${Var_gnupg_key_server}" --recv-keys "${_key_fingerprint}"
                Func_import_gnupg_key_edit_trust "${_key_fingerprint}"
            else
                echo "# ${0##*/} reports: error no public key [${_gnupg_import_key}] as file or on key server [${Var_gnupg_key_server}]"
            fi
        else
            echo "# ${0##*/} reports: error no public key [${_gnupg_import_key}] as file or on key server [${Var_gnupg_key_server}]"
        fi
    fi
}

if [ "${#Var_gnupg_import_key}" != "0" ]; then
    Func_import_gnupg_key "${Var_gnupg_import_key}"
else
    echo "# ${0##*/} needs a key to import."
    exit 1
fi
Run script_name.sh 'path/to/key' '1' or script_name.sh 'key-id' '1' to import a key and assign it a trust value of 1, or script_name.sh 'path/to/key' '1' 'hkp://preferred.key.server' to set all the values.
Encryption should now work without problems, but even if there is still a problem, the --always-trust option should allow encrypting.
gpg --no-tty --batch --always-trust -e some_file -r some_recipient -o some_file.gpg
This one-liner takes the fingerprint from standard input, formats it the way the --import-ownertrust flag expects, and updates the trust database with the ownertrust value.
As the gpg manual explains, this flag should be used to recreate the trust database if it is badly corrupted and/or you have a recent ownertrust backup.
gpg --list-keys --fingerprint \
| grep ^pub -A 1 \
| tail -1 \
| tr -d ' ' \
| awk 'BEGIN { FS = "\n" } ; { print $1":6:" }' \
| gpg --import-ownertrust
Unix based:
echo -e "5\ny\n" | gpg --homedir . --command-fd 0 --expert --edit-key user@example.com trust;
For more information, read this post. It goes into detail if you are creating multiple keys.
What is the echo command for? - Nico Haase
One way to trust an imported GPG key:
gpg --import <user-id.keyfile>
fpr=`gpg --with-colons --fingerprint <user-id> |awk -F: '$1 == "fpr" {print$10; exit}'`
gpg --export-ownertrust && echo $fpr:6: |gpg --import-ownertrust
Here I assume you imported a key with <user-id> from <user-id.keyfile>. The second line only extracts the fingerprint; you can drop it if you already know the fingerprint.