I often receive e-mails from people who have signed my GPG key; the content is roughly like this:
> Hi,
> please find attached the user id
> Yu-Chin Tsai ....
> of your key A.... signed by me.
> If you have multiple user ids, I sent the signature for each user id
> separately to that user id's associated email address. You can import
> the signatures by running each through `gpg --import`.
> Note that I did not upload your key to any keyservers. If you want this
> new signature to be available to others, please upload it yourself.
> With GnuPG this can be done using
> gpg --keyserver pool.sks-keyservers.net --send-key A....
> If you have any questions, don't hesitate to ask.
The attachment is the signed key.
Usually I just follow the instructions, namely:
gpg --import [attached_file]
gpg --keyserver pool.sks-keyservers.net --send-key [ID]
But how do you sign someone else's key? I used to fetch keys straight from the key server and sign them, but that is apparently not good practice, because it gives no way to confirm the validity of the e-mail address, which makes sense. So what everyone actually does is use the caff command, which handles the whole process in one go. Usage:
# install signing-party
apt-get install signing-party
# prepare to use caff; the first run generates a config template
caff
# edit ~/.caffrc
# change the name
$CONFIG{'owner'} = 'Thomas Tsai';
# change the email address
$CONFIG{'email'} = 'bg@aaa..com';
# your keyid
$CONFIG{'keyid'} = [ qw{1234567890ABCDEF} ];
# for stronger security, also edit ~/.caff/gnupghome/gpg.conf
personal-digest-preferences SHA512
cert-digest-algo SHA512
# now run caff
caff 01234567
# after signing, type save; caff then asks whether to mail the signatures out, and once they are sent you are done.
My first run failed because exim4 was not set up to send mail; see my earlier post on sending mail through Google's SMTP with exim4, then just run caff 01234567 again.
Along the way I saw sig2dot on the Debian wiki, which is quite interesting, although xdot apparently cannot read from a pipe.
sudo apt-get install graphviz xdot
gpg --list-sigs | sig2dot >sig_file.xdot
xdot sig_file.xdot
This gives you an interesting graph of the signing relationships!
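As an added example (not from the original post, and not the sig2dot tool itself), the script below builds the same kind of "who signed whom" graph directly from GnuPG's machine-readable colon listing, and also counts how many third-party signatures on the key could actually be verified. The point for a key-signing workflow is that a signature from a key you do not hold (status "?" in a `gpg --check-sigs --with-colons` listing) proves nothing until you fetch and verify the signer's key. The function names `sigs_to_dot`, `count_good_sigs` and `count_unchecked_sigs` are my own, and the listing in `SAMPLE_LISTING` is constructed to stand in for real `--check-sigs --with-colons` output; the field layout follows GnuPG's documented colon format (record type in field 1, signature status in field 2, key id in field 5).

```shell
#!/bin/sh
# Added example: a sig2dot-style graph plus a verification tally, built from
# `gpg --check-sigs --with-colons` output. Function names are hypothetical.

# Constructed sample listing, standing in for the output of:
#   gpg --check-sigs --with-colons 1234567890ABCDEF
# Field 2 of a sig record is the check status: "!" good, "-" bad,
# "?" signer key not in the local keyring, "%" other error.
SAMPLE_LISTING='pub:u:4096:1:1234567890ABCDEF:1388534400:0::u:::scESC::::::23::0:
uid:u::::1388534400::0123456789ABCDEF0123456789ABCDEF01234567::Thomas Tsai <bg@example.com>::::::::::0:
sig:!::1:1234567890ABCDEF:1388534400::::Thomas Tsai <bg@example.com>:13x:::::2:
sig:!::1:FEDCBA0987654321:1389139200::::Alice Example <alice@example.com>:13x:::::2:
sig:?::1:0011223344556677:1389225600::::[User ID not found]:10x:::::2:'

# sigs_to_dot: read a colon listing on stdin, write a Graphviz digraph on stdout.
# Each edge points from the signer's key id to the signed key id. Self-signatures
# are skipped, and an edge is drawn dashed when the signer's key is missing
# locally (status "?"), i.e. the signature could not be checked.
sigs_to_dot() {
    awk -F: '
    BEGIN { print "digraph sigs {" }
    $1 == "pub" { key = $5 }
    $1 == "sig" && $5 != key {
        style = ($2 == "?") ? " [style=dashed]" : ""
        printf "  \"%s\" -> \"%s\"%s;\n", $5, key, style
    }
    END { print "}" }'
}

# count_good_sigs: third-party signatures that verified ("!"), i.e. made by a
# key we hold and carrying a valid signature.
count_good_sigs() {
    awk -F: '$1 == "pub" { key = $5 }
             $1 == "sig" && $5 != key && $2 == "!" { n++ }
             END { print n + 0 }'
}

# count_unchecked_sigs: third-party signatures whose signer key is not in the
# local keyring, so they cannot be trusted until that key is fetched and checked.
count_unchecked_sigs() {
    awk -F: '$1 == "pub" { key = $5 }
             $1 == "sig" && $5 != key && $2 == "?" { n++ }
             END { print n + 0 }'
}

# Usage against the constructed sample. With a real keyring, replace the
# printf with:  gpg --check-sigs --with-colons 1234567890ABCDEF | sigs_to_dot > sigs.dot
printf '%s\n' "$SAMPLE_LISTING" | sigs_to_dot
echo "verified third-party signatures: $(printf '%s\n' "$SAMPLE_LISTING" | count_good_sigs)"
echo "unchecked (signer key missing):  $(printf '%s\n' "$SAMPLE_LISTING" | count_unchecked_sigs)"
```

Because the output is written to a file rather than piped, it sidesteps the xdot limitation mentioned above: run `xdot sigs.dot` (or `dot -Tpng sigs.dot -o sigs.png`) on the result. A dashed edge is the visual cue to fetch the signer's key and re-run `--check-sigs` before treating that signature as meaningful.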
References:
- https://pgp-tools.alioth.debian.org/
- http://kalug.linux.org.tw/planet/user/18/tag/gpg/
- http://pre.tir.tw/008/blog/output/gnupg-zui-jia-shi-jian-gpg-subkeys.html
- http://www.codemud.net/~thinker/GinGin_CGI.py/show_id_doc/478
- https://www.azabani.com/2014/01/07/after-pgp-key-signing-parties.html