GPG 金鑰建立(+替代SSH使用)

sunxyw發表於2022-08-14
系列文章
GPG 金鑰建立(+替代SSH使用) 讓Git Commit安全可信的第一步:GPG簽名 GPG 的基礎使用:交換公鑰

中英對照:

英文 中文
Key 金鑰
Capability 能力
Certify 認證
Sign 簽名
Encrypt 加密
Authenticate 鑑權

其實我對於 Certify 和 Authenticate 的翻譯有點不滿意,但又不知道怎麼翻譯好

如果你有相關的問題/意見,歡迎留言。
但我不常看論壇,你也可以選擇給我發郵件就是了:learnku@sunxyw.xyz

建立主金鑰

主金鑰是一個只用於建立子金鑰的金鑰,換言之,它只需要認證 Certify 能力,而其他能力:簽名 Sign/ 加密 Encrypt/ 鑑權 Authenticate 則會分配給子金鑰。

  1. 開始生成金鑰,並選擇自定能力:

    $ gpg --full-generate-key --expert
gpg (GnuPG) 2.2.19; Copyright (C) 2019 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
.
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
(7) DSA (set your own capabilities)
(8) RSA (set your own capabilities)
(9) ECC and ECC
(10) ECC (sign only)
(11) ECC (set your own capabilities)
(13) Existing key
(14) Existing key from card
Your selection? 8

  2. 依次輸入 SE禁用對應的能力,僅保留 Certify能力,最後輸入 Q退出:

    Possible actions for a RSA key: Sign Certify Encrypt Authenticate
Current allowed actions: Sign Certify Encrypt
.
(S) Toggle the sign capability
(E) Toggle the encrypt capability
(A) Toggle the authenticate capability
(Q) Finished
.
Your selection? S
.
Possible actions for a RSA key: Sign Certify Encrypt Authenticate
Current allowed actions: Certify Encrypt
.
(S) Toggle the sign capability
(E) Toggle the encrypt capability
(A) Toggle the authenticate capability
(Q) Finished
.
Your selection? E
.
Possible actions for a RSA key: Sign Certify Encrypt Authenticate
Current allowed actions: Certify
.
(S) Toggle the sign capability
(E) Toggle the encrypt capability
(A) Toggle the authenticate capability
(Q) Finished
.
Your selection? Q

  3. 輸入金鑰長度(可自行選擇,越高越安全):

    RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 4096
Requested keysize is 4096 bits

  4. 輸入有效期(2d兩天,3w為三週,5m為五月,1y為一年):

    Please specify how long the key should be valid.
      0 = key does not expire
   <n>  = key expires in n days
   <n>w = key expires in n weeks
   <n>m = key expires in n months
   <n>y = key expires in n years
Key is valid for? (0) 1y
Key expires at Mon Aug 14 17:32:10 2023 CST
Is this correct? (y/N) y

  5. 輸入資訊以構建使用者 ID:

    GnuPG needs to construct a user ID to identify your key.
.
Real name: <這裡輸入你的名字>
Email address: <這裡輸入你的郵箱>
Comment: <留空>
You selected this USER-ID:
 "<你的名字> <<你的郵箱>>"
.
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O

  6. 輸入金鑰密碼:

    此處忘記複製了,大致上就是一個框,中間 `Passphrase` 輸密碼,然後再輸入一次,然後回車。

  7. 完成生成:

    We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key <你的金鑰ID> marked as ultimately trusted
gpg: revocation certificate stored as '<撤銷金鑰儲存路徑>'
public and secret key created and signed.
.
pub   rsa4096 2022-08-14 [C] [expires: 2023-08-14]
   E08F47B250F8CB12347B2DFA11DC61840BEABCED
uid                      <你的名字> <<你的郵箱>>

    生成完成後,建議將撤銷金鑰儲存到安全的位置(物理硬碟或列印)。

生成用於替代 SSH 金鑰的子金鑰(簽名、加密及鑑權)

  1. 開始生成

    gpg --expert --edit-key <你的名字>
gpg (GnuPG) 2.2.19; Copyright (C) 2019 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
.
Secret key is available.
.
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2023-08-14
sec  rsa4096/11DC61840BEB9ECD
  created: 2022-08-14  expires: 2023-08-14  usage: C
  trust: ultimate      validity: ultimate
[ultimate] (1). <你的名字> <<你的郵箱>>

    你應該會看見一個由 gpg>開頭的,類似命令列的東西,我稱作 GPG 控制檯,下文以 gpg>開頭的就是指這裡的輸入。

  2. 新增子金鑰,並選擇自定能力

    gpg> addkey
Please select what kind of key you want:
(3) DSA (sign only)
(4) RSA (sign only)
(5) Elgamal (encrypt only)
(6) RSA (encrypt only)
(7) DSA (set your own capabilities)
(8) RSA (set your own capabilities)
(10) ECC (sign only)
(11) ECC (set your own capabilities)
(12) ECC (encrypt only)
(13) Existing key
(14) Existing key from card
Your selection? 8

  3. 新增鑑權 Authenticate能力,其他兩種應已預設啟用,最終應有 Sign``Encrypt``Authenticate三種能力

    Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions: Sign Encrypt

(S) Toggle the sign capability
(E) Toggle the encrypt capability
(A) Toggle the authenticate capability
(Q) Finished
.
Your selection? A
.
Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions: Sign Encrypt Authenticate

(S) Toggle the sign capability
(E) Toggle the encrypt capability
(A) Toggle the authenticate capability
(Q) Finished
.
Your selection? Q

  4. 輸入金鑰長度

    RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 4096
Requested keysize is 4096 bits

  5. 輸入有效期

    Please specify how long the key should be valid.
      0 = key does not expire
   <n>  = key expires in n days
   <n>w = key expires in n weeks
   <n>m = key expires in n months
   <n>y = key expires in n years
Key is valid for? (0) 1y
Key expires at Mon Aug 14 18:03:22 2023 CST
Is this correct? (y/N) y
Really create? (y/N) y

  6. 輸入主金鑰密碼(上一部分你設定的那個),並完成生成

    We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
.
sec  rsa4096/<主金鑰ID>
  created: 2022-08-14  expires: 2023-08-14  usage: C
  trust: ultimate      validity: ultimate
ssb  rsa4096/<子金鑰ID>
  created: 2022-08-14  expires: 2023-08-14  usage: SEA
[ultimate] (1). <你的名字> <<你的郵箱>>

  7. 記得儲存!!!

    gpg> save

  8. 最後你可以確認一下生成成功

    $ gpg --list-keys
<儲存路徑>
.-------------------------------
pub   rsa4096 2022-08-14 [C] [expires: 2023-08-14]
   E08F47B250F8CB85627B2DFA11DC61840BHJKLO
uid           [ultimate] <你的名字> <<你的郵箱>>
sub   rsa4096 2022-08-14 [SEA] [expires: 2023-08-14]

    你應該會看到如上圖的,擁有認證 C能力的主金鑰 pub以及擁有簽名加密鑑權 SEA能力的 sub子金鑰。

設定 GPG Agent 以用於 SSH 驗證

  1. 啟用 GPG Agent 的 SSH 支援

    nano ~/.gnupg/gpg-agent.conf

    用編輯器開啟後,將 enable-ssh-support 新增到檔案末尾

  2. 設定 SSH_AUTH_SOCK以使 SSH 使用 GPG Agent 替代 SSH Agent,將以下內容新增到對應終端的啟動指令碼

    fish: ~/.config/fish/config.fish
bash: ~/.bashrc
zsh: ~/.zshrc

    我用的是 fish,不確定 bash 和 zsh 的路徑是否正確。

    # 這是 fish 的
set -e SSH_AGENT_PID
if test -z $gnupg_SSH_AUTH_SOCK_BY; or test $gnupg_SSH_AUTH_SOCK_BY -ne $fish_pid
 set -gx SSH_AUTH_SOCK (gpgconf --list-dirs agent-ssh-socket)
end
set -gx GPG_TTY (tty)
gpg-connect-agent updatestartuptty /bye >/dev/null
    # 這是 bash 或 zsh 的
unset SSH_AGENT_PID
if [ "${gnupg_SSH_AUTH_SOCK_by:-0}" -ne $$ ]; then
export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
fi
export GPG_TTY=$(tty)
gpg-connect-agent updatestartuptty /bye >/dev/null

  3. 獲取子金鑰 Keygrid

    $ gpg --list-keys --with-keygrip
<儲存路徑>
.-------------------------------
pub   rsa4096 2022-08-14 [C] [expires: 2023-08-14]
   E08F47B250F12345677B2DFA11ABCDE40BEB9ECD
   Keygrip = D14395D05A68DE9876543044D42A0HGTYDEF7E38
uid           [ultimate] <你的名字> <<你的郵箱>>
sub   rsa4096 2022-08-14 [SEA] [expires: 2023-08-14]
   Keygrip = <下一步用到的子金鑰Keygrid>

  4. 新增子金鑰 Keygrid 用於 SSH 驗證

    echo <上一步得到的子金鑰Keygrid> >> ~/.gnupg/sshcontrol

  5. 重啟終端

  6. 檢查 SSH Key 是否存在

    $ ssh-add -l
4096 SHA256:8xkd+tbKlCnz2+RCRliMqGsFBQIhPBHcRl6EtJ1vBtk (none) (RSA)

  7. 匯出 SSH 公鑰

    $ gpg --export-ssh-key <你的名字>
ssh-rsa <一長串內容> openpgp:0x193CEF1B

    這整一個,連帶 ssh-rsaopenpgp:XXXXXXXX就是你的公鑰了,你可以將它上傳到 GitHub 等平臺。

  8. 最後,你可以測試下是否有效

    $ ssh -T git@github.com
Hi sunxyw! You've successfully authenticated, but GitHub does not provide shell access.

好,完成。
感謝你的閱讀,再見。

下一篇打算寫將 GPG 金鑰用於簽名提交(Commit Signing)以及 GitHub Vigilant mode 的說明,也可能是 GnuPG 的日常使用?

本作品採用《CC 協議》,轉載必須註明作者和本文連結

相關文章