OJW*_*OJW 20 digital-signature gnupg
是否可以要求 gpg(或 gpg4win)仅验证文件是否由特定公钥文件签名,而无需导入、签名和信任该密钥?
即类似的东西
gpg --using-key pubkey.txt --verify message.txt
而不是必须创建自己的私钥然后再做
gpg --import pubkey.txt
gpg --lsign-key [name within pubkey.txt]
# ... something to do with choosing trust levels
gpg --verify message.txt
Ben*_*Ben 15
您必须拥有公钥才能验证使用相应私钥进行的签名,但您不必对密钥进行签名,甚至无需在本地签名。在这种情况下,您将收到来自 GPG 的警告,指出密钥不受信任。
这是我使用由我自己的密钥签名的文件进行的测试,但在未导入密钥的系统上:
[ben@seditious tmp]$ gpg -v --verify thing.txt.gpg
gpg: original file name='thing.txt'
gpg: Signature made Thu 26 Sep 2013 06:51:39 AM EST using RSA key ID 35C7553C
gpg: Can't check signature: public key not found
[ben@seditious tmp]$ gpg -v --status-fd 1 --verify thing.txt.gpg
gpg: original file name='thing.txt'
gpg: Signature made Thu 26 Sep 2013 06:51:39 AM EST using RSA key ID 35C7553C
[GNUPG:] ERRSIG 7FF2D37135C7553C 1 10 00 1380142299 9
[GNUPG:] NO_PUBKEY 7FF2D37135C7553C
gpg: Can't check signature: public key not found
[ben@seditious tmp]$
不幸的是,Harry 的建议不起作用,它确实提取了更多信息,但还不够有用。
可以看到,得到的信息最多的就是用于签名的子密钥的密钥ID和签名的时间。这与 pgpdump(或 --list-packets)可用的数据相匹配:
bash-3.2$ pgpdump thing.txt.gpg
Old: Compressed Data Packet(tag 8)
Comp alg - ZLIB <RFC1950>(comp 2)
Old: One-Pass Signature Packet(tag 4)(13 bytes)
New version(3)
Sig type - Signature of a binary document(0x00).
Hash alg - SHA512(hash 10)
Pub alg - RSA Encrypt or Sign(pub 1)
Key ID - 0x7FF2D37135C7553C
Next packet - other than one pass signature
Old: Literal Data Packet(tag 11)(24 bytes)
Format - binary
Filename - thing.txt
File modified time - Thu Sep 26 06:51:39 EST 2013
Literal - ...
Old: Signature Packet(tag 2)(412 bytes)
Ver 4 - new
Sig type - Signature of a binary document(0x00).
Pub alg - RSA Encrypt or Sign(pub 1)
Hash alg - SHA512(hash 10)
Hashed Sub: signature creation time(sub 2)(4 bytes)
Time - Thu Sep 26 06:51:39 EST 2013
Sub: issuer key ID(sub 16)(8 bytes)
Key ID - 0x7FF2D37135C7553C
Hash left 2 bytes - f0 97
RSA m^d mod n(3066 bits) - ...
-> PKCS-1
bash-3.2$
如你所见,它提供了哈希算法,密钥类型的详细信息(我的签名密钥是一个 3072 位的 RSA 子密钥和子密钥的密钥 ID,但没有什么可以识别主密钥。这些信息只是当您拥有公钥并验证签名时显示。
然后我在该系统上导入了我的公钥并再次尝试:
[ben@seditious tmp]$ gpg -v --verify thing.txt.gpg
gpg: original file name='thing.txt'
gpg: Signature made Thu 26 Sep 2013 06:51:39 AM EST using RSA key ID 35C7553C
gpg: using subkey 35C7553C instead of primary key 73590E5D
gpg: using PGP trust model
gpg: Good signature from "Ben M <ben@REDACTED>"
gpg: aka "Ben M <ben.m@REDACTED>"
gpg: aka "Ben M <ben.m@REDACTED>"
gpg: aka "Ben M (backup email address) <benm@REDACTED>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: DB47 24E6 FA42 86C9 2B4E 55C4 321E 4E23 7359 0E5D
Subkey fingerprint: B7F0 FE75 9387 430D D0C5 8BDB 7FF2 D371 35C7 553C
gpg: binary signature, digest algorithm SHA512
[ben@seditious tmp]$
现在它能够识别键并将其与主键匹配。但是,可以像这样减少这些警告的性质:
[ben@seditious tmp]$ gpg -v --verify --trust-model always thing.txt.gpg
gpg: original file name='thing.txt'
gpg: Signature made Thu 26 Sep 2013 06:51:39 AM EST using RSA key ID 35C7553C
gpg: using subkey 35C7553C instead of primary key 73590E5D
gpg: Good signature from "Ben M <ben@REDACTED>"
gpg: aka "Ben M <ben.m@REDACTED>"
gpg: aka "Ben M <ben.m@REDACTED>"
gpg: aka "Ben M (backup email address) <benm@REDACTED>"
gpg: WARNING: Using untrusted key!
gpg: binary signature, digest algorithm SHA512
[ben@seditious tmp]$
仍然有一个警告说它是一个不受信任的密钥,但不是很大,并且删除冗长只会将其减少为:
[ben@seditious tmp]$ gpg --verify --trust-model always thing.txt.gpg
gpg: Signature made Thu 26 Sep 2013 06:51:39 AM EST using RSA key ID 35C7553C
gpg: Good signature from "Ben M <ben@REDACTED>"
gpg: aka "Ben M <ben.m@REDACTED>"
gpg: aka "Ben M <ben.m@REDACTED>"
gpg: aka "Ben M (backup email address) <benm@REDACTED>"
gpg: WARNING: Using untrusted key!
[ben@seditious tmp]$
验证阶段需要公钥,因为它用于将签名者生成的数据与其私钥进行匹配。简单来说,它可以被认为是加密的补充,其中需要私钥来解密加密为公钥的数据。
注意:我在这个例子中稍微调整了 UID,但是每个获得该密钥的人都会看到它们的真实情况。否则输出是直接复制和粘贴。
编辑:如果您拥有非 ASCII 装甲格式(即 .gpg 文件而不是 .asc 文件),您可以像密钥环一样直接调用公钥文件。即便如此,您仍然需要公钥。要做到这一点,命令是这样的:
[ben@seditious ~]$ gpg -v --no-default-keyring --keyring /tmp/mykey.gpg --verify /tmp/thing.txt.gpg
gpg: original file name='thing.txt'
gpg: Signature made Thu 26 Sep 2013 06:51:39 AM EST using RSA key ID 35C7553C
gpg: using subkey 35C7553C instead of primary key 73590E5D
gpg: using PGP trust model
gpg: Good signature from "Ben M <ben@REDACTED>"
gpg: aka "Ben M (backup email address) <benm@REDACTED>"
gpg: aka "Ben M <ben.m@REDACTED>"
gpg: aka "Ben M <ben.m@REDACTED>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: DB47 24E6 FA42 86C9 2B4E 55C4 321E 4E23 7359 0E5D
Subkey fingerprint: B7F0 FE75 9387 430D D0C5 8BDB 7FF2 D371 35C7 553C
gpg: binary signature, digest algorithm SHA512
[ben@seditious ~]$