mirror of
https://github.com/Dichgrem/Blog.git
synced 2025-08-01 09:19:32 -04:00
282 lines
13 KiB
HTML
<!DOCTYPE html>
<html lang="en">

<head>
<title>Dich'blog</title>

<meta http-equiv="content-type" content="text/html; charset=utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1">
<meta name="robots" content="noodp"/>

<link rel="stylesheet" href="https://blog.dich.bid/style.css">
<link rel="stylesheet" href="https://blog.dich.bid/color/blue.css">

<link rel="stylesheet" href="https://blog.dich.bid/color/background_dark.css">

<link rel="stylesheet" href="https://blog.dich.bid/font-hack-subset.css">

<meta name="description" content="">

<meta property="og:description" content="">
<meta property="og:title" content="Dich'blog">
<meta property="og:type" content="article">
<meta property="og:url" content="https://blog.dich.bid/about-gpg/">

<meta name="twitter:card" content="summary_large_image">
<meta name="twitter:description" content="">
<meta name="twitter:title" content="Dich'blog">
<meta property="twitter:domain" content="blog.dich.bid">
<meta property="twitter:url" content="https://blog.dich.bid/about-gpg/">

<link rel="alternate" type="application/atom+xml" title="Dich'blog Atom Feed" href="https://blog.dich.bid/atom.xml" />

<link rel="icon" type="image/png" href="/dich.webp" />

<!-- ✅ Added center alignment styles -->
<style>
.footer {
  text-align: center;
  padding: 1rem 0;
}

.footer__inner {
  display: flex;
  justify-content: center;
  flex-direction: column;
  align-items: center;
}

.copyright {
  text-align: center;
}
</style>
</head>

<body class="">
<div class="container">

<header class="header">
<div class="header__inner">
<div class="header__logo">
<a href="https://blog.dich.bid" style="text-decoration: none;">
<div class="logo">
Dich'blog
</div>
</a>
</div>
</div>

<nav class="menu">
<ul class="menu__inner">
<li><a href="https://blog.dich.bid">blog</a></li>
<li><a href="https://blog.dich.bid/archive">archive</a></li>
<li><a href="https://blog.dich.bid/tags">tags</a></li>
<li><a href="https://blog.dich.bid/weekly">weekly</a></li>
<li><a href="https://blog.dich.bid/search">search</a></li>
<li class="active"><a href="https://blog.dich.bid/about">about me</a></li>
<li><a href="https://blog.dich.bid/links">links</a></li>
<li><a href="https://blog.dich.bid/atom.xml">rss</a></li>
<li><a href="https://github.com/Dichgrem" target="_blank" rel="noopener noreferrer">github</a></li>
</ul>
</nav>

</header>

<div class="content">
<div class="post">
<h1 class="post-title"><a href="https://blog.dich.bid/about-gpg/">Miscellany: Notes on Using GPG</a></h1>
<div class="post-meta-inline">
<span class="post-date">
2025-06-17
</span>
</div>

<span class="post-tags-inline">
:: tags:
<a class="post-tag" href="https://blog.dich.bid/tags/luan-qi-ba-zao/">#miscellany</a></span>

<div class="post-content">
<p>Preface: the core functions of PGP/GPG, public-key encryption, digital signatures and trust management, are used across many industries. This post is a short guide to using it.</p>
<span id="continue-reading"></span><h2 id="shen-me-shi-pgp-yu-gpg">What are PGP and GPG</h2>
<ul>
<li>
<p><strong>PGP (Pretty Good Privacy)</strong></p>
<ul>
<li>Released by Phil Zimmermann in 1991; the first encryption program aimed at individual users to reach a mass audience.</li>
<li>Built on public-key cryptography and used to encrypt, sign and verify email and files.</li>
</ul>
</li>
<li>
<p><strong>GPG (GNU Privacy Guard, also called GnuPG)</strong></p>
<ul>
<li>Started in 1997 by Werner Koch with backing from the Free Software Foundation; a free-software implementation licensed under the GPL.</li>
<li>Implements the OpenPGP standard (RFC 4880, revised as RFC 9580 in 2024), so it interoperates with and can replace PGP.</li>
</ul>
</li>
</ul>
<h2 id="li-shi-yan-ge">History</h2>
<table><thead><tr><th>Year</th><th>Event</th></tr></thead><tbody>
<tr><td>1991</td><td>Phil Zimmermann releases PGP 1.0, bringing personal encryption to the mass market</td></tr>
<tr><td>1993</td><td>The US government opens a criminal investigation into PGP's distribution under cryptography export controls (the case is dropped in 1996); later releases are reworked for legal compliance</td></tr>
<tr><td>1997</td><td>GnuPG is started as a free, open-source OpenPGP implementation</td></tr>
<tr><td>1998</td><td>OpenPGP becomes an IETF standard (RFC 2440)</td></tr>
<tr><td>2006</td><td>GnuPG 2.0 is released, split into cooperating components (gpg-agent, gpgsm, scdaemon; dirmngr is folded in with 2.1 in 2014)</td></tr>
<tr><td>2007</td><td>OpenPGP is updated as RFC 4880 (the later "rfc4880bis" revision is published as RFC 9580 in 2024); GnuPG keeps extending its support for newer algorithms</td></tr>
</tbody></table>
<h2 id="he-xin-zuo-yong">Main uses</h2>
<table><thead><tr><th>Area</th><th>Description</th></tr></thead><tbody>
<tr><td><strong>1. Email encryption and signing</strong></td><td>- <strong>PGP/MIME</strong>: the mail client (Thunderbird has OpenPGP built in since version 78, so the older Enigmail add-on is no longer needed) encrypts the body and attachments and signs them with your private key.<br>- <strong>PGP inline</strong>: the encrypted or signed text is embedded as plain text in the message body. More clients can display it, but it covers only the text body, not attachments.</td></tr>
<tr><td><strong>2. Encrypting and signing files and directories</strong></td><td>- <strong>Single file</strong>:<br><code>gpg --encrypt --recipient Alice file.txt</code><br><code>gpg --decrypt file.txt.gpg</code> (writes the plaintext to stdout unless an output file is given)<br>- <strong>Directories</strong>: pack them with <code>tar</code> first, then encrypt the archive.<br>- <strong>Signature check</strong>:<br><code>gpg --detach-sign --armor release.tar.gz</code><br><code>gpg --verify release.tar.gz.asc release.tar.gz</code><br>A "Good signature" only means the signature matches some key in your keyring; always compare the reported fingerprint with one obtained from a trusted source.</td></tr>
<tr><td><strong>3. Signing packages and system images</strong></td><td>- Package-manager signatures: APT, pacman-key and the like verify where a package came from.<br>- Container images: Docker Content Trust (Notary, built on TUF) uses its own key material rather than GPG; GPG's role here is mainly signing the package repositories and release artifacts that images are built from.</td></tr>
<tr><td><strong>4. SSH key management and login</strong></td><td>- Use a GPG authentication subkey as your SSH key:<br><code>echo "enable-ssh-support" &gt;&gt; ~/.gnupg/gpg-agent.conf</code><br><code>gpgconf --reload gpg-agent</code><br><code>export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)</code><br><code>ssh-add -L</code><br>The subkey needs the authentication capability ([A]); for keys kept on disk its keygrip must be listed in <code>~/.gnupg/sshcontrol</code>, while keys on a smartcard are picked up automatically.<br>- Benefits: private keys managed in one place, PIN protection, the same setup on every platform.</td></tr>
<tr><td><strong>5. Automation and CI/CD</strong></td><td>- Sign build artifacts automatically with GPG so users can verify them.<br>- Integrate signing into the release script (e.g. <code>release.sh</code>) so it generates and uploads the <code>.sig</code> files.</td></tr>
<tr><td><strong>6. Document and PDF signatures</strong></td><td>- Sign PDF and Office documents with <code>gpgsm</code> (GnuPG's S/MIME and X.509 component) or <code>OpenPGP.js</code> to satisfy legal or audit requirements.</td></tr>
<tr><td><strong>7. Password management and "password stores"</strong></td><td>- <strong>pass</strong>: each password is a GPG-encrypted file; the store can be synced and versioned with Git.<br>- <strong>git-crypt</strong>: transparently encrypts sensitive files in a Git repository so that only authorised keys can read them.</td></tr>
<tr><td><strong>8. Secure chat and instant messaging</strong></td><td>- XMPP clients such as <code>mcabber</code> can encrypt messages with your GPG key and also support OTR; the two are separate mechanisms, and OTR does not use your GPG key.</td></tr>
<tr><td><strong>9. Timestamps and tamper-evident logs</strong></td><td>- Combine GPG signatures with a timestamping protocol (RFC 3161) to prove that files or logs have not been altered since a given time.</td></tr>
<tr><td><strong>10. Decentralised trust and identity</strong></td><td>- The Web of Trust model builds a network of verified identities, used for open-source project signatures, key signing parties, key exchange over LDAP, and so on.</td></tr>
</tbody></table>
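<p>The verification rows above (2 and 5) matter most when a script, not a person, reads the result, and the usual mistake is to trust gpg's exit code: it is 0 for a good signature from any key in the keyring, including one an attacker managed to get imported. The following is an added example, not code from the original post, that drives <code>gpg --verify</code> with <code>--status-fd</code> and accepts the result only when the status output reports <code>VALIDSIG</code> from a pinned fingerprint. The status-line format is GnuPG's documented scripting interface (<code>doc/DETAILS</code>); the fingerprints, key IDs and sample status lines in the block are constructed, and the <code>verify_file</code> wrapper needs a gpg binary while <code>check_status</code> does not.</p>

```python
"""Decide whether a ``gpg --verify`` run should be trusted, from its status lines.

Added example, not code from the original post. ``[GNUPG:] KEYWORD ...`` lines
(``--status-fd``) are GnuPG's documented interface for scripts (doc/DETAILS).
The fingerprints, key IDs and sample status output below are constructed;
``verify_file`` needs a gpg binary.
"""
from __future__ import annotations

import subprocess
from dataclasses import dataclass

STATUS_PREFIX = "[GNUPG:] "
# Any of these means the signature must be rejected, whatever else was printed.
FATAL = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}


@dataclass
class VerifyResult:
    ok: bool
    reason: str
    signer_fpr: str = ""   # fingerprint of the (sub)key that made the signature
    primary_fpr: str = ""  # fingerprint of its primary key


def check_status(status_lines: list[str], trusted_fprs: set[str]) -> VerifyResult:
    """Accept only a VALIDSIG made by a key whose fingerprint we pinned.

    The exit code alone is not enough: gpg exits 0 for a good signature from *any*
    key in the keyring, including ones we never decided to trust, and the
    "Good signature" text on stderr is localized. Pinning the fingerprint also
    makes the TRUST_* line irrelevant, so CI needs no web-of-trust setup.
    """
    trusted = {f.replace(" ", "").upper() for f in trusted_fprs}
    good = False
    signer = primary = ""
    signatures = 0
    for line in status_lines:
        if not line.startswith(STATUS_PREFIX):
            continue
        fields = line[len(STATUS_PREFIX):].split()
        keyword = fields[0]
        if keyword in FATAL:
            return VerifyResult(False, keyword)
        if keyword == "NEWSIG":
            signatures += 1
        elif keyword == "GOODSIG":
            good = True
        elif keyword == "VALIDSIG":
            # VALIDSIG <fpr> <date> <timestamp> <expire-ts> <version> <reserved>
            #          <pubkey-algo> <hash-algo> <sig-class> [<primary-key-fpr>]
            signer = fields[1].upper()
            primary = fields[10].upper() if len(fields) > 10 else signer
    if signatures > 1:
        # Several signatures on one file need per-signature handling; do not
        # accept on the strength of whichever one happened to be reported last.
        return VerifyResult(False, "multiple signatures")
    if not (good and signer):
        return VerifyResult(False, "no valid signature")
    if signer not in trusted and primary not in trusted:
        return VerifyResult(False, "signed by a key that is not pinned", signer, primary)
    return VerifyResult(True, "ok", signer, primary)


def verify_file(sig_path: str, data_path: str, trusted_fprs: set[str]) -> VerifyResult:
    """Verify a detached signature with gpg and apply check_status (needs gpg installed)."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, data_path],
        capture_output=True, text=True,
    )
    return check_status(proc.stdout.splitlines(), trusted_fprs)


# Constructed sample status output, modelled on the documented format.
PINNED = {"0123456789ABCDEF012345678A1B2C3D4E5F6071"}
GOOD = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 8A1B2C3D4E5F6071 xxx <xxx@gmail.com>",
    "[GNUPG:] VALIDSIG 0123456789ABCDEF012345678A1B2C3D4E5F6071 2025-06-17 1750118787 0 4 0 22 8 00 "
    "0123456789ABCDEF012345678A1B2C3D4E5F6071",
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
]
EXPIRED_KEY = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] EXPKEYSIG 8A1B2C3D4E5F6071 xxx <xxx@gmail.com>",
]
TAMPERED = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] BADSIG 8A1B2C3D4E5F6071 xxx <xxx@gmail.com>",
]

if __name__ == "__main__":
    for name, lines in (("good", GOOD), ("expired key", EXPIRED_KEY), ("tampered", TAMPERED)):
        print(f"{name}: {check_status(lines, PINNED)}")
```

<p>In a release pipeline you would call <code>verify_file("release.tar.gz.asc", "release.tar.gz", PINNED)</code> with the maintainer's fingerprint committed to the repository; that is what makes the check independent of whatever happens to be in the build machine's keyring.</p>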
<h2 id="an-zhuang-gnupg">Installing GnuPG</h2>
<pre style="background-color:#151515;color:#e8e8d3;"><code><span>paru -S gnupg
</span></code></pre>
<p>(<code>paru</code> is an AUR helper for Arch Linux; <code>gnupg</code> is in the official repositories, so <code>pacman</code> works just as well. Other distributions ship it as <code>gnupg</code> or <code>gnupg2</code>.)</p>
<h2 id="sheng-cheng-gong-yao-yu-si-yao">Generating a key pair</h2>
<p>Run:</p>
<pre style="background-color:#151515;color:#e8e8d3;"><code><span>gpg --full-generate-key
</span></code></pre>
<p>The interactive flow (with the defaults below you get an Ed25519 primary key for signing and certifying plus a cv25519 subkey for encryption):</p>
<pre style="background-color:#151515;color:#e8e8d3;"><code><span>gpg (GnuPG) 2.4.7; Copyright (C) 2024 g10 Code GmbH
</span><span>This is free software: you are free to change and redistribute it.
</span><span>There is NO WARRANTY, to the extent permitted by law.
</span><span>
</span><span>Please select what kind of key you want:
</span><span>   (1) RSA and RSA
</span><span>   (2) DSA and Elgamal
</span><span>   (3) DSA (sign only)
</span><span>   (4) RSA (sign only)
</span><span>   (9) ECC (sign and encrypt) *default*
</span><span>  (10) ECC (sign only)
</span><span>  (14) Existing key from card
</span><span>Your selection? 9 ## default: ECC
</span><span>Please select which elliptic curve you want:
</span><span>   (1) Curve 25519 *default*
</span><span>   (4) NIST P-384
</span><span>   (6) Brainpool P-256
</span><span>Your selection? 1 ## default: Curve 25519
</span><span>Please specify how long the key should be valid.
</span><span>         0 = key does not expire
</span><span>      &lt;n&gt;  = key expires in n days
</span><span>      &lt;n&gt;w = key expires in n weeks
</span><span>      &lt;n&gt;m = key expires in n months
</span><span>      &lt;n&gt;y = key expires in n years
</span><span>Key is valid for? (0) 1y ## one year chosen here; the default, 0, means the key never expires
</span><span>Key expires at Wed 17 Jun 2026 13:06:27 CST
</span><span>Is this correct? (y/N) y
</span><span>
</span><span>GnuPG needs to construct a user ID to identify your key.
</span><span>
</span><span>## enter your name and email address; the comment can be left empty
</span><span>
</span><span>Real name: xxx
</span><span>Email address: xxx@gmail.com
</span><span>Comment:
</span><span>You selected this USER-ID:
</span><span>    "xxx &lt;xxx@gmail.com&gt;"
</span><span>
</span><span>Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit?
</span><span>Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
</span><span>We need to generate a lot of random bytes. It is a good idea to perform
</span><span>some other action (type on the keyboard, move the mouse, utilize the
</span><span>disks) during the prime generation; this gives the random number
</span><span>generator a better chance to gain enough entropy.
</span><span>We need to generate a lot of random bytes. It is a good idea to perform
</span><span>some other action (type on the keyboard, move the mouse, utilize the
</span><span>disks) during the prime generation; this gives the random number
</span><span>generator a better chance to gain enough entropy.
</span></code></pre>
<p>The entropy notice appears twice because gpg generates the primary key and then the encryption subkey. You will also be asked for a passphrase through pinentry; it protects the secret key on disk.</p>
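<p>The interactive prompts above are the wrong tool for a build server or a provisioning script. What follows is an added example, not from the original post, that produces the same kind of key (Ed25519 primary key for sign/certify, cv25519 subkey for encryption, one-year expiry) through GnuPG's unattended key generation, inside a throwaway GNUPGHOME so the real keyring is never touched. The name and email are placeholders; <code>generate_key</code> needs a gpg binary, while <code>batch_params</code> and <code>parse_key_created</code> run without one.</p>

```python
"""Generate a key unattended, as a CI job or provisioning script would.

Added example, not code from the original post. The parameter-file keywords are
those of the GnuPG manual's 'Unattended key generation' section; the name and
e-mail are placeholders. ``generate_key`` needs a gpg binary.
"""
from __future__ import annotations

import os
import subprocess
import tempfile


def batch_params(name: str, email: str, expire: str = "1y", passphrase: str | None = None) -> str:
    """Parameter file for ``gpg --batch --generate-key``.

    Without a passphrase the secret key is stored unprotected (%no-protection);
    that is only acceptable for short-lived keys in an isolated homedir.
    """
    lines = [
        "Key-Type: eddsa",
        "Key-Curve: ed25519",
        "Key-Usage: sign",          # cert is always added to a primary key
        "Subkey-Type: ecdh",
        "Subkey-Curve: cv25519",
        "Subkey-Usage: encrypt",
        f"Name-Real: {name}",
        f"Name-Email: {email}",
        f"Expire-Date: {expire}",   # 0 = never; the post chose 1y
        f"Passphrase: {passphrase}" if passphrase else "%no-protection",
        "%commit",
    ]
    return "\n".join(lines) + "\n"


def parse_key_created(status_lines: list[str]) -> str:
    """Fingerprint from the 'KEY_CREATED <type> <fingerprint>' status line.

    type is P (primary only), S (subkey) or B (both); the fingerprint is that
    of the new primary key.
    """
    for line in status_lines:
        parts = line.split()
        if len(parts) >= 4 and parts[:2] == ["[GNUPG:]", "KEY_CREATED"]:
            return parts[3]
    raise RuntimeError("gpg reported no KEY_CREATED status")


def generate_key(name: str, email: str, homedir: str | None = None,
                 expire: str = "1y", passphrase: str | None = None) -> str:
    """Run gpg in batch mode and return the new key's fingerprint (needs gpg installed)."""
    homedir = homedir or tempfile.mkdtemp(prefix="gnupg-")
    os.chmod(homedir, 0o700)  # gpg warns about unsafe permissions otherwise
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--generate-key"],  # parameters on stdin
        input=batch_params(name, email, expire, passphrase),
        capture_output=True, text=True,
        env={**os.environ, "GNUPGHOME": homedir},
    )
    if proc.returncode != 0:
        raise RuntimeError(proc.stderr.strip())
    return parse_key_created(proc.stdout.splitlines())


if __name__ == "__main__":
    print(batch_params("Example User", "user@example.com"))
```

<p>A CI job would call <code>generate_key("Example User", "user@example.com")</code> and export or use the key from the returned fingerprint; because the homedir is temporary, the key disappears with the job unless you export it yourself.</p>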
<h2 id="lie-chu-mi-yao">Listing keys</h2>
<pre style="background-color:#151515;color:#e8e8d3;"><code><span>gpg --list-secret-keys --keyid-format long
</span></code></pre>
<p>In the line <code>sec ed25519/xxxxxxxxx 2025-06-17 [SC] [expires: 2026-06-17]</code>, xxxxxxxxx is the long key ID of the primary key: the last 16 hex digits of its fingerprint. It identifies the key pair as a whole, not just the public half, and <code>[SC]</code> shows that the primary key can sign and certify (the encryption subkey is listed below it as <code>ssb</code> with <code>[E]</code>). When telling other people which key to use, give the full 40-digit fingerprint rather than the ID: short key IDs can be deliberately collided, and even the long form is only a truncation of the fingerprint.</p>
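<p>For anything beyond reading the listing by eye, do not grep the output above: its wording and layout change between GnuPG versions and locales. The stable interface is <code>--with-colons</code>, whose field numbers are fixed by GnuPG's <code>doc/DETAILS</code>. The following is an added example, not code from the original post, that parses that format, derives the long key ID from the fingerprint, and picks only keys that are currently usable for a given capability (an expired or revoked key, flagged <code>e</code> or <code>r</code> in the validity column, is skipped). The key IDs, fingerprints and keygrips in the sample listing are made up; <code>list_secret_keys</code> needs a gpg binary.</p>

```python
"""Parse ``gpg --list-secret-keys --with-colons`` output into key objects.

Added example, not code from the original post. Field numbers follow GnuPG's
doc/DETAILS ('Format of the colon listings'). The key IDs, fingerprints and
keygrips in SAMPLE_LISTING are made up; ``list_secret_keys`` needs a gpg binary.
"""
from __future__ import annotations

import subprocess
from dataclasses import dataclass, field

# Constructed sample: a current Ed25519 key with its cv25519 encryption subkey,
# followed by an expired key (validity column 'e').
SAMPLE_LISTING = """\
sec:u:255:22:8A1B2C3D4E5F6071:1750118787:1781654787::u:::scESC:::+::ed25519:::0:
fpr:::::::::0123456789ABCDEF012345678A1B2C3D4E5F6071:
grp:::::::::AAAA0000BBBB1111CCCC2222DDDD3333EEEE4444:
uid:u::::1750118787::0C1D2E3F4A5B6C7D8E9F0A1B2C3D4E5F6A7B8C9D::xxx <xxx@gmail.com>::::::::::0:
ssb:u:255:18:1122334455667788:1750118787:1781654787:::::e:::+::cv25519::
fpr:::::::::FEDCBA9876543210FEDCBA981122334455667788:
grp:::::::::5555FFFF6666AAAA7777BBBB8888CCCC9999DDDD:
sec:e:255:22:F00DCAFE12345678:1600000000:1631536000::u:::scESC:::+::ed25519:::0:
fpr:::::::::AABBCCDDEEFF001122334455F00DCAFE12345678:
grp:::::::::1234123412341234123412341234123412341234:
uid:e::::1600000000::ABCDEFABCDEFABCDEFABCDEFABCDEFABCDEFABCD::old <old@example.com>::::::::::0:
"""


@dataclass
class Key:
    record: str            # sec/pub = primary key, ssb/sub = subkey      (field 1)
    validity: str          # u ultimate, f full, - unknown, e expired, r revoked (field 2)
    key_id: str            # long key ID, 16 hex digits                   (field 5)
    created: int           # unix time                                    (field 6)
    expires: int | None    # unix time, None = never expires              (field 7)
    capabilities: str      # s sign, c certify, e encrypt, a auth;
                           # upper case = provided through a subkey       (field 12)
    curve: str             # e.g. ed25519, cv25519                        (field 17)
    fingerprint: str = ""  # from the fpr record that follows             (field 10)
    uids: list[str] = field(default_factory=list)
    subkeys: list["Key"] = field(default_factory=list)


def _fld(fields: list[str], n: int) -> str:
    """1-based field n as numbered in doc/DETAILS, '' if the record is shorter."""
    return fields[n - 1] if len(fields) >= n else ""


def parse_listing(text: str) -> list[Key]:
    keys: list[Key] = []
    primary: Key | None = None  # owner of the uid records that follow
    last: Key | None = None     # owner of the fpr record that follows
    for line in text.splitlines():
        f = line.split(":")
        rec = f[0]
        if rec in ("sec", "pub", "ssb", "sub"):
            exp = _fld(f, 7)
            k = Key(record=rec, validity=_fld(f, 2), key_id=_fld(f, 5),
                    created=int(_fld(f, 6) or 0),
                    expires=int(exp) if exp and exp != "0" else None,
                    capabilities=_fld(f, 12), curve=_fld(f, 17))
            if rec in ("sec", "pub"):
                keys.append(k)
                primary = k
            elif primary is not None:
                primary.subkeys.append(k)
            last = k
        elif rec == "fpr" and last is not None:
            last.fingerprint = _fld(f, 10)
        elif rec == "uid" and primary is not None:
            primary.uids.append(_fld(f, 10))
    return keys


def long_key_id(fingerprint: str) -> str:
    """For v4 keys the long key ID is just the last 16 hex digits of the fingerprint."""
    return fingerprint[-16:]


def usable_for(keys: list[Key], capability: str, now: int) -> list[Key]:
    """Keys that can be used right now for 's', 'e', 'a' or 'c'.

    Checks both the validity flag (expired, revoked, invalid and disabled keys
    are out) and the expiry timestamp, so a signing job fails with a clear
    message instead of gpg picking a stale key or refusing at signing time.
    """
    return [k for k in keys
            if k.validity not in {"e", "r", "i", "d"}
            and (k.expires is None or k.expires > now)
            and capability in k.capabilities.lower()]


def list_secret_keys() -> list[Key]:
    """Read the real keyring (needs gpg installed)."""
    out = subprocess.run(
        ["gpg", "--batch", "--with-colons", "--with-fingerprint", "--list-secret-keys"],
        capture_output=True, text=True, check=True).stdout
    return parse_listing(out)
```

<p>With a real keyring, <code>usable_for(list_secret_keys(), "s", int(time.time()))</code> gives the keys a release script may sign with; the same validity column is where a revoked key shows up as <code>r</code> after its revocation certificate has been imported.</p>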
<h2 id="fa-bu-gong-yao">Publishing your public key</h2>
<p>For example, upload your key to a keyserver:</p>
<pre style="background-color:#151515;color:#e8e8d3;"><code><span>gpg --send-keys &lt;your-long-key-ID&gt;
</span></code></pre>
<p>This uses the keyserver configured in your gpg.conf; you can also name one explicitly:</p>
<pre style="background-color:#151515;color:#e8e8d3;"><code><span>gpg --keyserver hkps://keys.openpgp.org --send-keys &lt;Key-ID&gt;
</span></code></pre>
<p>Note that keys.openpgp.org is a verifying keyserver: it only attaches your name and email address to the key after you confirm the address by email, although the key itself can be fetched by fingerprint straight away. You can also export the public key as ASCII-armored text, much like an SSH public key, and publish it on your blog or elsewhere:</p>
<pre style="background-color:#151515;color:#e8e8d3;"><code><span>gpg --armor --export &lt;Key-ID&gt; &gt; mypubkey.asc
</span></code></pre>
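<p>Publishing the armored key is only half the job: whoever downloads it from your blog has to check that it is really yours, by comparing its fingerprint with one you gave them over another channel. What follows is an added example, not from the original post, that reads an armored public key block, verifies the armor's CRC-24 trailer, walks the OpenPGP packets and computes the v4 fingerprint exactly as gpg does (SHA-1 over 0x99, a two-byte length and the key packet body, per RFC 4880), so the check can run before the key ever touches a keyring. The sample key packet is built from an arbitrary 32-byte value rather than a real Ed25519 public key.</p>

```python
"""Read an ASCII-armored OpenPGP public key and compute its v4 fingerprint.

Added example, not code from the original post. Layout follows RFC 4880: armor
with a CRC-24 trailer, old- or new-format packet headers, and a v4 key packet
with algorithm 22 (EdDSA) and the Ed25519 OID. SAMPLE_POINT is an arbitrary
32-byte value standing in for a public key, not a real key.
"""
from __future__ import annotations

import base64
import hashlib

ED25519_OID = bytes.fromhex("2b06010401da470f01")  # 1.3.6.1.4.1.11591.15.1
SAMPLE_POINT = bytes(range(1, 33))                  # constructed placeholder


def crc24(data: bytes) -> int:
    """CRC-24 from RFC 4880 section 6.1 (init 0xB704CE, polynomial 0x1864CFB)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def armor(packet_bytes: bytes) -> str:
    """Wrap raw packets the way 'gpg --armor --export' does."""
    b64 = base64.b64encode(packet_bytes).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    trailer = "=" + base64.b64encode(crc24(packet_bytes).to_bytes(3, "big")).decode()
    return "\n".join(["-----BEGIN PGP PUBLIC KEY BLOCK-----", "", *lines, trailer,
                      "-----END PGP PUBLIC KEY BLOCK-----", ""])


def dearmor(text: str) -> bytes:
    """Strip the armor, check the CRC-24 trailer when present, return the raw packets."""
    lines = text.splitlines()
    begin = next(i for i, l in enumerate(lines) if l.startswith("-----BEGIN PGP "))
    end = next(i for i, l in enumerate(lines) if l.startswith("-----END PGP "))
    body = lines[begin + 1:end]
    while body and ":" in body[0]:  # "Version:" / "Comment:" headers; base64 has no ':'
        body.pop(0)
    body = [l.strip() for l in body if l.strip()]
    trailer = body.pop() if body and body[-1].startswith("=") else None
    data = base64.b64decode("".join(body), validate=True)
    if trailer and crc24(data) != int.from_bytes(base64.b64decode(trailer[1:]), "big"):
        raise ValueError("armor CRC-24 mismatch: the block was corrupted or edited")
    return data


def packets(data: bytes):
    """Yield (tag, body) for each packet; both header formats of RFC 4880 section 4.2."""
    i = 0
    while i < len(data):
        ctb, i = data[i], i + 1
        if not ctb & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if ctb & 0x40:                                   # new format
            tag, o1 = ctb & 0x3F, data[i]
            if o1 < 192:
                length, i = o1, i + 1
            elif o1 < 224:
                length, i = ((o1 - 192) << 8) + data[i + 1] + 192, i + 2
            elif o1 == 255:
                length, i = int.from_bytes(data[i + 1:i + 5], "big"), i + 5
            else:
                raise ValueError("partial body lengths not handled")
        else:                                            # old format
            tag, n = (ctb >> 2) & 0x0F, (1, 2, 4, 0)[ctb & 3]
            if n == 0:
                raise ValueError("indeterminate length not handled")
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        yield tag, data[i:i + length]
        i += length


def fingerprint_v4(key_body: bytes) -> str:
    """RFC 4880 section 12.2: SHA-1 over 0x99, a two-byte length and the key packet body."""
    if key_body[0] != 4:
        raise ValueError(f"only v4 keys handled, got version {key_body[0]}")
    return hashlib.sha1(b"\x99" + len(key_body).to_bytes(2, "big") + key_body).hexdigest().upper()


def fingerprints(armored: str) -> list[str]:
    """Fingerprints of the primary key (tag 6) and subkeys (tag 14) in an exported block."""
    return [fingerprint_v4(body) for tag, body in packets(dearmor(armored)) if tag in (6, 14)]


def armor_intact(armored: str) -> bool:
    try:
        dearmor(armored)
        return True
    except ValueError:
        return False


def build_ed25519_key_packet(created: int, point: bytes) -> bytes:
    """A v4 EdDSA public-key packet (tag 6, old-format header) for the sample."""
    mpi = b"\x40" + point                                   # native point encoding
    body = (b"\x04" + created.to_bytes(4, "big") + b"\x16"  # version 4, time, algo 22
            + bytes([len(ED25519_OID)]) + ED25519_OID
            + int.from_bytes(mpi, "big").bit_length().to_bytes(2, "big") + mpi)
    return b"\x99" + len(body).to_bytes(2, "big") + body


SAMPLE_ARMOR = armor(build_ed25519_key_packet(1750118787, SAMPLE_POINT))
SAMPLE_FPR = fingerprints(SAMPLE_ARMOR)[0]
```

<p>Run it on a real export with <code>fingerprints(open("mypubkey.asc").read())</code>; the first entry is the primary key's fingerprint and the rest belong to subkeys, and the last 16 digits of the first entry are the long key ID from the listing above. Keys created with GnuPG 2.4 as shown in this post are version 4, which is the only version handled here.</p>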
<h2 id="che-xiao-gong-yao">Revoking a public key</h2>
<p>If you suspect the key has been compromised, or that someone is substituting their own key for yours, publish a revocation certificate immediately and upload it to the keyserver:</p>
<pre style="background-color:#151515;color:#e8e8d3;"><code><span>gpg --gen-revoke &lt;KeyID&gt; &gt; revoke.asc
</span></code></pre>
<p>The certificate is a self-signature, so it can only be made while you still control the private key; GnuPG 2.1 and later therefore create one automatically for every new key, in <code>~/.gnupg/openpgp-revocs.d/&lt;fingerprint&gt;.rev</code>. Keep a copy somewhere safe and offline, because anyone who has it can revoke your key. To use it, import the certificate into your keyring and then send the key to the keyserver again. Once it is uploaded, everyone who refreshes your key sees that it is no longer valid.</p>
<hr />
<p><strong>Done.</strong></p>

</div>

<div class="pagination">
<div class="pagination__title">
<span class="pagination__title-h">Thanks for reading! Read other posts?</span>
<hr />
</div>
<div class="pagination__buttons">
<span class="button previous">
<a href="https://blog.dich.bid/about-baci/">
<span class="button__icon">←</span>
<span class="button__text">Miscellany: Baci Lab Notes</span>
</a>
</span>
</div>
</div>

</div>

</div>

<footer class="footer">
<div class="footer__inner">
<div class="copyright">
<span>©
2025
Dichgrem</span>
<span class="copyright-theme">
<span class="copyright-theme-sep"> :: CC BY-SA 4.0 :: A friend comes from distant lands</span>
</a>
</span>
</div>
</div>
</footer>

</div>
</body>
</html>