Unattended GPG command script hangs at the gpg command

nan*_*ker 5 bash gnupg

I want to create an automated GnuPG key generation script for a team who, although they run Ubuntu, are not comfortable using the CLI. On top of that, someone else manages their machines, keeping them up to date and running well, so they don't have root/sudo access either. I'd really like to try to avoid walking them through it over the phone as far as possible... been there too many times, and I know what a PITA that is!

So I borrowed heavily from an example I found on the gnupg.org forums (I think?) to write this script. But once it runs the `gpg --gen-key --batch` command, it doesn't seem to do anything, no matter how much mouse activity I generate over 3 or 4 minutes. By the way, all the echo statements are just a temporary way of showing the script's progress, which doesn't get very far.

```bash
#!/bin/bash

# First run give your server some work, otherwise gpg won't be able to generator random bytes.
#sudo rngd -r /dev/urandom
#no sudo so:
echo -e "\nYou need to begin moving your mouse continuously and in random patterns for as long as it takes to generate a new key. This could take a minute or two, so be patient and just keep moving the mouse.\n"

echo -e "\ngpg --gen-key --batch\n"
gpg --batch --gen-key

%echo Generating a default key
Key-Type: default
Key-Length: 2048
Subkey-Type: default
Name-Real: Firstname Lastname
Name-Comment: No comment
Name-Email: user@domain.com
Expire-Date: 0
Passphrase: abcde
%pubring foo.pub
%secring foo.sec
# Do a commit here, so that we can later print "done" :-)
%commit
%echo done

# kill the rngd task.
#sudo service rng-tools stop


echo -e "\ngpg -k\n"
gpg -k

# get key id for newly created passkey
echo -e "\nkId=$(gpg -k Firstname|grep pub|sed -r 's/^pub[ ]*2048R\/([A-Z0-9]{8,})[ ]*.*$/\1/')\n" #; echo "\$kId: ${kId}"
kId=$(gpg -k Firstname|grep pub|sed -r 's/^pub[ ]*2048R\/([A-Z0-9]{8,})[ ]*.*$/\1/') ; echo -e "\n\$kId: ${kId}\n"

# set key as the default key (if desired) by entering this line in your ~/.bashrc
echo -e "\nexport GPGKEY=$kId\n"
export GPGKEY="$kId"

# restart the gpg-agent and source your .bashrc again
echo -e "\nkillall -q gpg-agent\n"
killall -q gpg-agent
eval $(gpg-agent --daemon)
source ~/.bashrc

#create revocation cert
echo -e "\ngpg --output revoke.asc --gen-revoke $GPGKEY\n"
gpg --output revoke.asc --gen-revoke $GPGKEY

# send public key to keyserver
echo -e "\ngpg --send-keys --keyserver keyserver.ubuntu.com $GPGKEY\n"
#gpg --send-keys --keyserver keyserver.ubuntu.com $GPGKEY
```

I'm wondering whether anyone can see any obvious problem, or a key detail that `gpg` needs that I've left out?

I get the same result even when I run the script with the `sudo rngd -r /dev/random` command, which has to be skipped for the target users (no sudo access).

So I guess the problem is in the key parameters I'm trying to pass to gpg, but I've cross-referenced them with the man page and can't seem to find the problem. Interestingly, gpg returns no error.

Jen*_*rat 5

For batch key generation, GnuPG expects the creation commands in a file; compare the GnuPG man page on unattended key generation.

```bash
cat <<EOT >batch-cmds
%echo Generating a default key
Key-Type: default
Key-Length: 2048
Subkey-Type: default
Name-Real: Firstname Lastname
Name-Comment: No comment
Name-Email: user@domain.com
Expire-Date: 0
Passphrase: abcde
%pubring foo.pub
%secring foo.sec
# Do a commit here, so that we can later print "done" :-)
%commit
%echo done
EOT
gpg --batch --gen-key batch-cmds
```

Consider the security implications of storing the passphrase in a file on the hard disk. I'm not sure whether you can also pipe the contents directly into GnuPG instead of storing them in a file. Try something like this:

```bash
gpg --batch --gen-key <<EOT
%echo Generating a default key
Key-Type: default
Key-Length: 2048
Subkey-Type: default
Name-Real: Firstname Lastname
Name-Comment: No comment
Name-Email: user@domain.com
Expire-Date: 0
Passphrase: abcde
%pubring foo.pub
%secring foo.sec
# Do a commit here, so that we can later print "done" :-)
%commit
%echo done
EOT
```
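The answer above explains why the question's script hangs: `gpg --batch --gen-key` with no file argument reads the parameter block from standard input, and the script gave it nothing to read. The following is an added example (not code from the question or the answer) that puts the two points of the answer into a reusable script: the parameter block is piped into gpg rather than written to a file, and the passphrase never lands on disk. It also replaces the question's `grep pub | sed` parsing of the human-readable listing with the machine-readable `--with-colons` format. Assumptions: GnuPG 2.1 or later (needed for the `%no-protection` directive), and `gpg` in `PATH` only when `generate_key` is actually invoked; the function and variable names are my own.

```bash
#!/usr/bin/env bash
# Added example: unattended GnuPG key generation with the parameter block
# piped in over stdin, so neither the parameters nor the passphrase are
# written to a file. Not from the original question or answer.
# Assumes GnuPG >= 2.1 (for %no-protection) and gpg in PATH when
# generate_key is run.
set -eu

# Emit the batch parameter block on stdout. Everything GnuPG needs goes
# through the pipe; no batch file is created.
make_batch_params() {
  local name="$1" email="$2" passphrase="${3:-}"
  printf '%%echo Generating a key for %s\n' "$email"
  printf 'Key-Type: RSA\nKey-Length: 2048\n'
  printf 'Subkey-Type: RSA\nSubkey-Length: 2048\n'
  printf 'Name-Real: %s\nName-Email: %s\nExpire-Date: 0\n' "$name" "$email"
  if [ -n "$passphrase" ]; then
    printf 'Passphrase: %s\n' "$passphrase"
  else
    # No passphrase supplied: create the key unprotected so the user can
    # set one interactively afterwards with:  gpg --edit-key <id> passwd
    printf '%%no-protection\n'
  fi
  printf '%%commit\n%%echo done\n'
}

# Read `gpg --with-colons --list-keys` output on stdin and print the key ID
# (field 5 of the first "pub" record). The colon format is stable across
# GnuPG versions, unlike the "pub 2048R/ABCD1234" line the question parses.
key_id_from_colons() {
  awk -F: '$1 == "pub" { print $5; exit }'
}

# Generate the key and print its key ID. Only this function calls gpg.
generate_key() {
  local name="$1" email="$2" passphrase="${3:-}"
  make_batch_params "$name" "$email" "$passphrase" | gpg --batch --gen-key
  gpg --batch --with-colons --list-keys "$email" | key_id_from_colons
}

# Usage (runs gpg for real; prompts for the passphrase so it is never
# stored in the script):
#   ./gen-key.sh --run "Firstname Lastname" user@domain.com
if [ "${1:-}" = "--run" ]; then
  shift
  printf 'Passphrase for the new key (empty = set later): '
  read -rs pass
  printf '\n'
  generate_key "$1" "$2" "$pass"
fi
```

The passphrase is taken from `read -rs` at run time and passed through the pipe, so it appears neither in the script source nor in a batch file; if the user leaves it empty, the key is created unprotected and they set a passphrase themselves with `gpg --edit-key <id> passwd`. The `%pubring`/`%secring` lines from the question are dropped: on GnuPG 2.1 and later the separate secret keyring no longer exists, so the key goes into the user's normal keyring. The key ID returned by `generate_key` is what the question's `kId=...` line was trying to compute.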