lar*_*sks 13 gpg pgp cryptography digital-signatures
我们想使用 gpg 签名来验证我们系统配置管理工具的某些方面。此外,我们希望使用“信任”模型,其中使用主签名密钥对各个系统管理员密钥进行签名,然后我们的系统信任该主密钥(并使用“信任网络”来验证我们的系统管理员的签名)。
这为我们提供了很大的灵活性,例如可以在有人离开时轻松撤销对密钥的信任,但我们遇到了问题。虽然该gpg命令会告诉您密钥是否不受信任,但它似乎不会返回指示此事实的退出代码。例如:
# gpg -v < foo.asc
Version: GnuPG v1.4.11 (GNU/Linux)
gpg: armor header:
gpg: original file name=''
this is a test
gpg: Signature made Fri 22 Jul 2011 11:34:02 AM EDT using RSA key ID ABCD00B0
gpg: using PGP trust model
gpg: Good signature from "Testing Key <someone@example.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: ABCD 1234 0527 9D0C 3C4A CAFE BABE DEAD BEEF 00B0
gpg: binary signature, digest algorithm SHA1
我们关心的部分是这样的:
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
在这种情况下 gpg 返回的退出代码是 0,尽管信任失败:
# echo $?
0
如果某些东西使用不受信任的签名进行签名,我们如何让 gpg 失败?
我已经看到一些建议,该gpgv命令将返回正确的退出代码,但不幸的gpgv是不知道如何从密钥服务器获取密钥。我想我们可以从 解析状态输出(使用 --status-fd)gpg,但是有更好的方法吗?
这就是最终的结果:
#!/bin/sh
tmpfile=$(mktemp gpgverifyXXXXXX)
trap "rm -f $tmpfile" EXIT
gpg --status-fd 3 --verify "$@" 3> $tmpfile || exit 1
egrep -q '^\[GNUPG:] TRUST_(ULTIMATE|FULLY)' $tmpfile
这将查找在 上gpg输出的信任信息--status-fd。如果存在不受信任的签名(或无效/无签名),脚本会以错误退出:
$ sh checksig sample.sh.bad
gpg: Signature made Mon 24 Jun 2013 11:42:58 AM EDT using RSA key ID DCD5C569
gpg: Good signature from "Test User <testuser@example.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6FCD 3CF0 8BBC AD50 662E 5070 E33E D53C DCD5 C569
$ echo $?
1
如果存在有效的可信签名,脚本将无错误退出:
$ sh checksig sample.sh.good
gpg: Signature made Mon 24 Jun 2013 11:38:49 AM EDT using RSA key ID 5C2864A8
gpg: Good signature from "Lars Kellogg-Stedman <...>"
$ echo $?
0
因此,让我尝试拆分问题:
第一个问题似乎您正在测试的密钥不受信任。
gpg -v < test.txt.asc
gpg: armor header: Version: GnuPG v1.4.11 (GNU/Linux)
gpg: original file name='test.txt'
this is a test
gpg: Signature made Thu 11 Aug 2011 09:09:35 PM EST using RSA key ID FE1B770E
gpg: using PGP trust model
gpg: Good signature from "John Doe <jdoe@noemail.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 5DD8 216D ADB1 51E8 4326 3ACA 1DED BB72 FE1B 770E
gpg: binary signature, digest algorithm SHA1
我认为这是故意的......但在我们开始解决之前,让我建议您使用gpgv而不是gpg -v?一分钟后你就会明白为什么:
$ gpgv < test.txt.asc
gpgv: keyblock resource `/user/.gnupg/trustedkeys.gpg': file open error
gpgv: Signature made Thu 11 Aug 2011 09:09:35 PM EST using RSA key ID FE1B770E
gpgv: Can't check signature: public key not found
$ echo $?
2
没有密钥,没有信任......不,我们将密钥导入到 trustkeys.gpg
$ gpg --no-default-keyring --keyring trustedkeys.gpg --import jdoe_pub.gpg
gpg: keyring `/user/.gnupg/trustedkeys.gpg' created
gpg: key FE1B770E: public key "John Doe <jdoe@noemail.com>" imported
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
$ gpgv < test.txt.asc
gpgv: Signature made Thu 11 Aug 2011 09:09:35 PM EST using RSA key ID FE1B770E
gpgv: Good signature from "John Doe <jdoe@noemail.com>"
$ echo $?
0
希望能帮助到你
| 归档时间: |
|
| 查看次数: |
7881 次 |
| 最近记录: |