Before importing a key from a file I want to check the key's fingerprint. Following the instructions on the CentOS wiki, I use the command
gpg --quiet --with-fingerprint <path of key file>
If I use gnupg 2.1.16 (self-compiled) or gnupg 2.1.17 (openSUSE Tumbleweed or ArchLinux, command gpg), the output does not contain the key fingerprint. If I use gnupg 2.1.15 (self-compiled) or gnupg 2.1.13 (Fedora, command gpg2), the output contains the expected fingerprint.
How do I get the fingerprint with the newer gnupg versions?
Here is some more information about my tests:
gpg --quiet --with-fingerprint ./RPM-GPG-KEY-CentOS-7
(the line breaks may be wrong)
pub rsa4096 2014-06-23 [SC]
uid CentOS-7 Key (CentOS 7 Official Signing Key) <security@centos.org>
pub rsa4096 2014-06-23 [SC]
uid CentOS-7 Key (CentOS 7 Official Signing Key) <security@centos.org>
pub rsa4096 2014-06-23 [SC]
6341 AB27 53D7 8A78 A7C2 7BB1 24C6 A8A7 F4A8 0EB5
uid CentOS-7 Key (CentOS 7 Official Signing Key) <security@centos.org>
Answer by 小智 (score 5):
This works (at least in 2.2.4):
gpg --import --import-options show-only ~/schneier.gpg
From the man page:
--import-options parameters
import-show
show-only
Show a listing of the key as imported right before it is stored. This
can be combined with the option --dry-run to only look at keys; the
option show-only is a shortcut for this combination. Note that suffixes
like '#' for "sec" and "sbb" lines may or may not be printed.
See https://unix.stackexchange.com/a/391346/29483. Treating the key file as a keyring did not work for me, but the accepted answer helped.
cat keyfile.key | gpg --with-colons --import-options import-show --dry-run --import
Tested on Debian 9 with gpg 2.1.18 and on Fedora 26 with gpg2 2.2.0:
$ gpg2 --with-fingerprint --import-options import-show --dry-run --import < linux_signing_key.pub
pub dsa1024 2007-03-08 [SC]
4CCA 1EAF 950C EE4A B839 76DC A040 830F 7FAC 5991
uid Google, Inc. Linux Package Signing Key <linux-packages-keymaster@google.com>
sub elg2048 2007-03-08 [E]
pub rsa4096 2016-04-12 [SC]
EB4C 1BFD 4F04 2F6D DDCC EC91 7721 F63B D38B 4796
uid Google Inc. (Linux Packages Signing Authority) <linux-packages-keymaster@google.com>
sub rsa4096 2016-04-12 [S] [expires: 2019-04-12]
gpg: Total number processed: 2
It is also possible that --with-fingerprint is obsolete by now. GPG2 seems to have been fixed so that it stops printing the insecure short key IDs.
$ gpg2 --import-options import-show --dry-run --import < linux_signing_key.pub
pub dsa1024 2007-03-08 [SC]
4CCA1EAF950CEE4AB83976DCA040830F7FAC5991
4CCA1EAF950CEE4AB83976DCA040830F7FAC5991
uid Google, Inc. Linux Package Signing Key <linux-packages-keymaster@google.com>
sub elg2048 2007-03-08 [E]
pub rsa4096 2016-04-12 [SC]
EB4C1BFD4F042F6DDDCCEC917721F63BD38B4796
EB4C1BFD4F042F6DDDCCEC917721F63BD38B4796
uid Google Inc. (Linux Packages Signing Authority) <linux-packages-keymaster@google.com>
sub rsa4096 2016-04-12 [S] [expires: 2019-04-12]
gpg: Total number processed: 2
Unfortunately I want the machine-readable output of --with-colons, but something else happens there :-(.
$ gpg --with-colons --with-fingerprint --import-options import-show --dry-run --import < linux_signing_key.pub
gpg: lookup_hashtable failed: Unknown system error
gpg: trustdb: searching trust record failed: Unknown system error
gpg: Error: The trustdb is corrupted.
gpg: You may try to re-create the trustdb using the commands:
gpg: cd ~/.gnupg
gpg: gpg --export-ownertrust > otrust.tmp
gpg: rm trustdb.gpg
gpg: gpg --import-ownertrust < otrust.tmp
gpg: If that does not work, please consult the manual
I ended up using the following code:
gpg_show_fingerprints() {
    # Newer gpg2: list the key as it would be imported, without storing it.
    gpg2 --with-fingerprint --import-options import-show --dry-run --import < "$1" >/dev/null 2>&1
    if [ "$?" -eq 2 ]; then
        # Usage error (older gpg2 does not know import-show). Try the old way.
        gpg2 --with-fingerprint "$1"
    else
        gpg2 --with-fingerprint --import-options import-show --dry-run --import < "$1"
    fi
}
# Keep only the fingerprint: ten or more groups of four hex digits.
gpg_show_fingerprints "$1" |
    sed -E -n -e 's/.*(([0-9A-F]{4}[ ]*){10,}).*/\1/p'
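A different approach, added here as an example and not part of the question or of any answer above: parse the machine-readable --with-colons listing, whose fpr record keeps the same layout across the GnuPG versions mentioned in this thread, and compare the result with a fingerprint you already trust before the key is imported. It assumes GnuPG 2.1 or newer is installed as gpg (show-only is the shortcut quoted from the manual above). The sample listings are constructed: they use only the fingerprints shown in this thread, with placeholder timestamps and all-zero subkey fingerprints, so the parsing and comparison functions can be exercised offline.

```shell
#!/bin/sh
# Added example, not code from the question or the answers.
# Instead of scraping the human-readable listing (whose layout changes between
# GnuPG versions, as the thread shows), parse the --with-colons output: the "fpr"
# record carries the full 40-hex-digit fingerprint in field 10, and the fpr record
# directly after a "pub" record belongs to the primary key (fpr records after a
# "sub" record are subkey fingerprints).

# Print the primary-key fingerprint(s) of a colon-format listing read from stdin.
primary_fingerprints_from_colons() {
    awk -F: '
        $1 == "pub" { want = 1; next }   # the next fpr record is the primary key
        $1 == "sub" { want = 0; next }   # fpr records after sub are subkey fingerprints
        $1 == "fpr" && want { print $10; want = 0 }
    '
}

# List the primary fingerprints in a key file without touching the keyring.
# Assumes GnuPG 2.1.x or newer is installed as "gpg" (show-only = import-show + --dry-run).
gpg_primary_fingerprints() {
    gpg --batch --with-colons --import-options show-only --import < "$1" 2>/dev/null |
        primary_fingerprints_from_colons
}

# Turn a fingerprint as humans write it (grouped, maybe lower case) into colon form.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'
}

# Succeed only if the colon listing on stdin holds exactly one primary key and its
# fingerprint equals the pinned value in $1. No key, a different key, or a file that
# carries extra keys all fail, so the caller can refuse to import.
verify_single_key() {
    expected=$(normalize_fpr "$1")
    found=$(primary_fingerprints_from_colons)
    [ -n "$found" ] && [ "$found" = "$expected" ]
}

# Import a key file ($1) only after the pinned fingerprint ($2) check passed.
import_if_fingerprint_matches() {
    gpg --batch --with-colons --import-options show-only --import < "$1" 2>/dev/null |
        verify_single_key "$2" && gpg --batch --import < "$1"
}

# Constructed sample listings for offline use. Fingerprints and key IDs are the ones
# shown in the thread; timestamps, the all-zero subkey fingerprints and the remaining
# fields are placeholders.
SAMPLE_CENTOS='pub:-:4096:1:24C6A8A7F4A80EB5:1403481600:::-:::scSC::::::23::0:
fpr:::::::::6341AB2753D78A78A7C27BB124C6A8A7F4A80EB5:
uid:-::::1403481600::0000000000000000000000000000000000000000::CentOS-7 Key (CentOS 7 Official Signing Key) <security@centos.org>::::::::::0:'

SAMPLE_GOOGLE='pub:-:1024:17:A040830F7FAC5991:1173312000:::-:::scSC::::::23::0:
fpr:::::::::4CCA1EAF950CEE4AB83976DCA040830F7FAC5991:
uid:-::::1173312000::0000000000000000000000000000000000000000::Google, Inc. Linux Package Signing Key <linux-packages-keymaster@google.com>::::::::::0:
sub:-:2048:16:0000000000000000:1173312000:::::e::::::23:
fpr:::::::::0000000000000000000000000000000000000000:
pub:-:4096:1:7721F63BD38B4796:1460419200:::-:::scSC::::::23::0:
fpr:::::::::EB4C1BFD4F042F6DDDCCEC917721F63BD38B4796:
uid:-::::1460419200::0000000000000000000000000000000000000000::Google Inc. (Linux Packages Signing Authority) <linux-packages-keymaster@google.com>::::::::::0:
sub:-:4096:1:0000000000000000:1460419200:1555027200::::s::::::23:
fpr:::::::::0000000000000000000000000000000000000000:'

# Example run on the constructed CentOS listing: prints the primary fingerprint,
# then the pinned-value check succeeds (exit status 0).
printf '%s\n' "$SAMPLE_CENTOS" | primary_fingerprints_from_colons
printf '%s\n' "$SAMPLE_CENTOS" | verify_single_key '6341 AB27 53D7 8A78 A7C2 7BB1 24C6 A8A7 F4A8 0EB5'
```

For a real key file, replace the sample with `gpg_primary_fingerprints ./RPM-GPG-KEY-CentOS-7`, or call `import_if_fingerprint_matches ./RPM-GPG-KEY-CentOS-7 '6341 AB27 ...'` so the import only happens when the file contains exactly the key you expect. Only primary-key fingerprints are compared; subkey fpr records are deliberately skipped because a subkey is bound to, and trusted through, its primary key.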