
gpg command examples: encryption, decryption, and signature verification

火星人 @ 2014-03-22

1. Locating the gpg command
$ which gpg
/usr/bin/gpg
$ rpm -qf /usr/bin/gpg
gnupg-1.0.6-5
$ rpm -ql gnupg
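2. To start using GnuPG, you must first generate a new key pair: a public key and a private key.
2.1. Work as an ordinary user; this creates the ~/.gnupg directory and the ~/.gnupg/options file: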
$ gpg --gen-key
gpg (GnuPG) 1.4.5; Copyright (C) 2006 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

Please select what kind of key you want:
(1) DSA and Elgamal (default)
(2) DSA (sign only)
(5) RSA (sign only)
Your selection? [enter]
DSA keypair will have 1024 bits.
ELG-E keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) [enter]
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) [enter]
Key does not expire at all
Is this correct? (y/N) y[enter]

You need a User-ID to identify your key; the software constructs the user id
from Real Name, Comment and Email Address in this form:
"Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"
Real name: hello
Email address: xxxxx@163.com
Comment: no
You selected this USER-ID:
"hello (no) <xxxxx@163.com>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.
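[ For the benefit of the people you will communicate with, enter your real name and e-mail address; the Comment may be left blank. ]
Enter the passphrase: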
Enter passphrase:xxxxxxxxxx
Repeat passphrase:xxxxxxxxxx
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard,....................
.................................................
.................................................
+++.+++++++++++++++++++++++++.++++++++++.++++++++++++++++++++>+++++
public and secret key created and signed.
------------------------------------------------
[ If you need to change what you entered, delete every file under ~/.gnupg except options and run gpg --gen-key again, or use gpg's edit option. ]
The key pair is stored under ~/.gnupg. List your keys:
$ gpg --list-keys
-------------------------------
gpg: Warning: using insecure memory!
/home/xxxxx/.gnupg/pubring.gpg
------------------------------
pub 1024D/A2CCCBF3 2005-06-21 hello (no) <xxxxx@163.com>
sub 1024g/84F6D7B9 2005-06-21
------------------------------
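[ pub (public key) --- public key, ID: A2CCCBF3
sub (private key) --- secret key or private key, ID: 84F6D7B9 ]
[ "gpg: Warning: using insecure memory!" warns that memory pages are not locked. The message does not appear when working as root. It is generally a security concern related to working while connected to a network, and it does no harm. If it is an eyesore, make this change: # chmod 4755 /usr/bin/gpg ]
## Example 1: Encrypting and decrypting a file with GnuPG keys ##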
$ cd
$ vi gpg-test
------------------------
Hello !
good morning
viewer
The last viewer checked out of their rooms in the morning.
你不下班 ,別人回家還要煮飯 .
------------------------
Encrypt to an ASCII file:
$ gpg -ea -r hello gpg-test
$ ls gpg-test*
gpg-test gpg-test.asc
$ cat gpg-test.asc
Decrypt the file:
$ gpg -o gpg-test.file --decrypt gpg-test.asc
-----------------------------------
gpg: Warning: using insecure memory!
You need a passphrase to unlock the secret key for
user: "hello (no) <xxxxx@163.com>"
1024-bit ELG-E key, ID 84F6D7B9, created 2005-06-21 (main key ID A2CCCBF3)
Enter passphrase:[ enter the passphrase chosen when the key pair was generated, xxxxxxxxxx ]
gpg: encrypted with 1024-bit ELG-E key, ID 84F6D7B9, created 2005-06-21
"hello (no) <xxxxx@163.com>"
-----------------------------------
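[ The keys referred to here include both the public key and the private key. As the IDs above show, the file is encrypted with the public key and decrypted with the private key. If you want other people to communicate with you using encrypted files, you must give them your public key. ]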
$ ls gpg-test*
gpg-test gpg-test.asc gpg-test.file
$ diff gpg-test gpg-test.file
$ cat gpg-test.file
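[ Encryption and decryption here use the RSA algorithm. The public and private keys complement each other; in theory this cannot be broken, and no one has succeeded in an attempt. ]
## Example 2: Verifying a software package with GnuPG ##
Experiment with the installation CD: first mount the CD, then copy the package: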
$ cp /mnt/cdrom/RedHat/RPMS/htmlview-2.0.0-1.noarch.rpm /tmp/
$ cd /tmp
Verify the package with rpm (option: --checksig or -K)
$ rpm --checksig htmlview-2.0.0-1.noarch.rpm
htmlview-2.0.0-1.noarch.rpm: md5 (GPG) NOT OK (MISSING KEYS: GPG#DB42A60E)
[ The keyring does not contain the public key of the software group that htmlview belongs to. ]
$ rpm --checksig --nogpg htmlview-2.0.0-1.noarch.rpm
htmlview-2.0.0-1.noarch.rpm: md5 OK
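[ The "md5 OK" message shows that the package was not tampered with in transit. ]
The digital signature proves who the author of the software is.
( A digital signature is the software's digest value encrypted by the author with the private key. )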
$ cp /mnt/cdrom/RPM-GPG-KEY ./
$ less ./RPM-GPG-KEY
Import the software group's public key:
$ gpg --import RPM-GPG-KEY
gpg: Warning: using insecure memory!
gpg: key DB42A60E: public key imported
gpg: Total number processed: 1
gpg: imported: 1
$ gpg --list-keys
gpg: Warning: using insecure memory!
/home/ideal/.gnupg/pubring.gpg
------------------------------
pub 1024D/A2CCCBF3 2005-06-21 hello (no) <xxxxx@163.com>
sub 1024g/84F6D7B9 2005-06-21
pub 1024D/DB42A60E 1999-09-23 Red Hat, Inc <security@redhat.com>
sub 2048g/961630A2 1999-09-23
$ rpm --checksig htmlv*.rpm
htmlview-2.0.0-1.noarch.rpm: md5 gpg OK
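The three results seen in Example 2 mean different things: with --nogpg only the digest is checked, while "md5 gpg OK" also covers the signature. The script below is an added example, not part of the original article; it classifies such lines so that an install step can refuse anything without a verified signature. It assumes the legacy output format shown above, and the function names and verdict strings are its own.

```sh
#!/bin/sh
# Added example: classify lines of legacy `rpm --checksig` output, assuming
# the "<file>: <checks> OK|NOT OK" format shown in the transcript above.
# Function names and verdict strings are this example's own.

rpm_sig_verdict() {
    result=${1#*: }                        # drop the "<file>: " prefix
    case $result in
        *"NOT OK"*"MISSING KEYS:"*)
            keys=${result##*MISSING KEYS: }
            keys=${keys%")"}
            echo "missing-key:$keys" ;;
        *"NOT OK"*)                echo "bad" ;;
        *" gpg "*OK|*" pgp "*OK)   echo "signed-ok" ;;
        *OK)                       echo "digest-only" ;;   # no signature checked
        *)                         echo "bad" ;;
    esac
}

# Read checksig lines on stdin; succeed only if every package is signed-ok.
rpm_sig_gate() {
    rc=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        verdict=$(rpm_sig_verdict "$line")
        printf '%s\t%s\n' "$verdict" "${line%%: *}"
        [ "$verdict" = signed-ok ] || rc=1
    done
    return "$rc"
}

# The three result lines from the transcript above, used as sample input.
rpm_sig_gate <<'EOF' || echo "not all packages carry a verified signature"
htmlview-2.0.0-1.noarch.rpm: md5 (GPG) NOT OK (MISSING KEYS: GPG#DB42A60E)
htmlview-2.0.0-1.noarch.rpm: md5 OK
htmlview-2.0.0-1.noarch.rpm: md5 gpg OK
EOF
```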
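## Example 3: Verifying the detached signature of the Bastille RPM release ##
Only signature verification is covered here. The Bastille 1.3.0 package does not include a digital signature; there is a separate signature file, so the procedure differs slightly from the one above.
Download from http://www.sourcefourge.net/projects/bastille-linux :
Main package: Bastille-1.3.0-1.0mdk.noarch.rpm
Signature file: Bastille-1.3.0-1.0mdk.noarch.rpm.asc
Download the Bastille public key from http://www.bastille-linux.org/key : bastille-key
Import the public key: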
$ gpg --import bastille-key
Verify the Bastille digital signature:
$ gpg --verify Bastille-1.3.0-1.0mdk.noarch.rpm.asc Bastille-1.3.0-1.0mdk.noarch.rpm
Output: .................. gpg ok
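A good-signature message from gpg --verify only says that some key in the keyring signed the file. The script below is an added example, not part of the original article; it reads GnuPG's machine-readable --status-fd lines and accepts the signature only if it was made by the fingerprint you expect. The fingerprints and status lines are constructed placeholders (not Bastille's key), and the function names are this example's own.

```sh
#!/bin/sh
# Added example. Decide from GnuPG status lines whether a detached signature
# was made by the key we expect, not merely by some key in the keyring.

# $1: expected 40-hex fingerprint (obtained out of band); stdin: status lines.
sig_status_ok() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    awk -v want="$want" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG|NO_PUBKEY)$/ { bad = 1 }
        $2 == "VALIDSIG" {
            # $3 = fingerprint of the signing key; last field = primary key
            if ($3 == want || $NF == want)
                good++
            else
                bad = 1
        }
        END { exit !(length(want) == 40 && good >= 1 && !bad) }
    '
}

# Real use: verify_detached FINGERPRINT FILE.asc FILE
verify_detached() {
    gpg --status-fd 1 --verify "$2" "$3" 2>/dev/null | sig_status_ok "$1"
}

# Constructed placeholder fingerprints and status lines (not Bastille's key).
EXPECTED=0123456789ABCDEF0123456789ABCDEF01234567
OTHER=FEDCBA9876543210FEDCBA9876543210FEDCBA98

good_lines() {
    echo "[GNUPG:] GOODSIG 89ABCDEF01234567 Expected Signer <signer@example.org>"
    echo "[GNUPG:] VALIDSIG $EXPECTED 2003-01-01 1041379200 0 3 0 17 2 00 $EXPECTED"
}
wrong_key_lines() {
    echo "[GNUPG:] GOODSIG 76543210FEDCBA98 Someone Else <other@example.org>"
    echo "[GNUPG:] VALIDSIG $OTHER 2003-01-01 1041379200 0 3 0 17 2 00 $OTHER"
}
bad_lines() {
    echo "[GNUPG:] BADSIG 89ABCDEF01234567 Expected Signer <signer@example.org>"
}

for sample in good_lines wrong_key_lines bad_lines; do
    if $sample | sig_status_ok "$EXPECTED"; then echo "$sample: accept"
    else echo "$sample: reject"; fi
done
```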
