GnuPrivacyGuardHowto

Revision 11 as of 2005-12-31 00:34:27


This page describes how to use gpg to create a keypair, sign other people's keys and your own data, and use a keyserver.

Installing the necessary packages

There are several useful gpg packages:

  • gnupg
  • gnupg-agent, pinentry-gtk2
  • gpa

gnupg is the core package and is installed by default on Ubuntu systems. gnupg-agent and pinentry-gtk2 provide gpg-agent, which caches your passphrase so you do not have to type it every time you use your key. gpa is a graphical interface to gpg.

pinentry-gtk2 is not available in hoary, a backported breezy package can be found on http://seveas.ubuntulinux.nl/

Configuration

Run gpg once:

gpg < /dev/null

This command will fail, but that's ok: on its first run gpg creates ~/.gnupg/ with an initial configuration file, ~/.gnupg/gpg.conf. Open that file in your favorite editor, browse through it and change what you like. A few useful options to enable are:

  • keyserver-options auto-key-retrieve
  • use-agent

The former makes gpg fetch a key from the keyserver automatically when it verifies a signature made by a key you do not have yet. Note that a key fetched this way is only as trustworthy as the signatures on it: a "good signature" from an unknown key says that the data was not modified, not who signed it. The latter makes gpg use gpg-agent, which is very useful if you use gpg a lot but don't like typing your passphrase all the time.

Now create the file ~/.gnupg/gpg-agent.conf with the following content:

{{{
pinentry-program /usr/bin/pinentry-gtk-2
default-cache-ttl 86400
max-cache-ttl 86400
}}}

This makes gpg-agent use pinentry-gtk2 and cache your passphrase for 24 hours (86400 seconds). While the passphrase is cached, anything that can run commands in your session can use your key without being asked, so on a shared or unattended machine pick a much shorter time. default-cache-ttl counts from the last use of the key, max-cache-ttl from the moment the passphrase was entered.
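The two files above can also be written by a script. The following is an added example, not code from the wiki page: it applies the gpg.conf and gpg-agent.conf options described in this section to a GnuPG home directory, and can be re-run without leaving duplicate option lines behind. The directory, the key ID D8FC66D2 and the cache times (10 minutes since last use, 8 hours at most) are this example's own choices, not the page's.

```shell
#!/bin/sh
# Added example (not from the wiki page): write the gpg.conf / gpg-agent.conf
# settings from the Configuration section into a GnuPG home directory.
# Key ID, pinentry path and TTL values below are assumptions for the demo.
set -eu

# set_option FILE NAME [VALUE]: replace any existing "NAME ..." line, else append.
# gpg reads every line of the file, so a stale duplicate would silently win or
# lose depending on its position; keeping exactly one line per option avoids that.
set_option() {
    file=$1; name=$2; value=${3:-}
    [ -f "$file" ] || : > "$file"
    tmp="$file.tmp.$$"
    # grep -v exits 1 when nothing is left, which is fine for an empty file
    grep -v -E "^$name( |\$)" "$file" > "$tmp" || true
    if [ -n "$value" ]; then
        printf '%s %s\n' "$name" "$value" >> "$tmp"
    else
        printf '%s\n' "$name" >> "$tmp"
    fi
    mv "$tmp" "$file"
}

# configure_gpg_home DIR KEYID PINENTRY: the options the page recommends, with a
# shorter passphrase cache than the page's 24 hours.
configure_gpg_home() {
    home=$1; keyid=$2; pinentry=$3
    mkdir -p "$home"
    chmod 700 "$home"        # gpg warns about "unsafe permissions" otherwise
    set_option "$home/gpg.conf" default-key "$keyid"
    set_option "$home/gpg.conf" use-agent
    set_option "$home/gpg.conf" keyserver-options auto-key-retrieve
    set_option "$home/gpg-agent.conf" pinentry-program "$pinentry"
    set_option "$home/gpg-agent.conf" default-cache-ttl 600     # 10 min since last use
    set_option "$home/gpg-agent.conf" max-cache-ttl 28800       # 8 h absolute maximum
    chmod 600 "$home/gpg.conf" "$home/gpg-agent.conf"
}

# count_option FILE NAME: number of lines setting NAME; 1 after any number of runs.
count_option() {
    grep -c -E "^$2( |\$)" "$1" || true
}

# Usage (hypothetical key ID from the page's example session):
#   configure_gpg_home "$HOME/.gnupg" D8FC66D2 /usr/bin/pinentry-gtk-2
```

After running it, restart gpg-agent as described further down so that the new gpg-agent.conf is picked up.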

Generating a key

Both gpg and gpa can generate a new key for you.

gpg

Run the command

gpg --gen-key

It will ask what kind of key you want. The default choice (1), DSA and Elgamal, is preferred, since the other choices are sign-only keys and cannot be used for encryption. For the Elgamal subkey size (question 2) the default of 2048 bits is also a good choice.

Most people make their keys never expire (question 3). If you do this, don't forget to revoke the key when you no longer use it. An expiry date is a safety net in case you ever lose both the key and its revocation certificate; it can be extended later without generating a new key.

It will then ask you for your name and e-mail address. Make sure that the name on the key matches the name in your passport, because that is what other people check before signing your key. You can add extra e-mail addresses to the key later.

It will now ask you for a passphrase, twice. Choose it carefully and remember it: there is no way to recover it when it's lost, and without it the key is unusable.

A complete session looks like this:

{{{
dennis@mirage ~ $ gpg --gen-key
Please select what kind of key you want:
   (1) DSA and Elgamal (default)
   (2) DSA (sign only)
   (5) RSA (sign only)
Your selection? 1
DSA keypair will have 1024 bits.
ELG-E keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:

Real name: Dennis Kaarsemaker
Email address: dennis@kaarsemaker.net
Comment: Tutorial key
You selected this USER-ID:
    "Dennis Kaarsemaker (Tutorial key) <dennis@kaarsemaker.net>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++..++++++++++++++++++++.++++++++++.+++++.+++++.+++++.+++++++++++++++.++++++++++..+++++>+++++..............>+++++.............+++++
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
+++++.+++++++++++++++.++++++++++..+++++.+++++++++++++++..+++++.+++++.+++++++++++++++.+++++++++++++++++++++++++++++++++++++++++++++..++++++++++++++++++++++++++++++>+++++.......................................................................>+++++....<.+++++.>.+++++.<+++++.............................>.+++++......<+++++..>+++++..+++++^
gpg: key D8FC66D2 marked as ultimately trusted
public and secret key created and signed.

pub   1024D/D8FC66D2 2005-09-08
      Key fingerprint = 95BD 8377 2644 DD4F 28B5 2C37 0F6E 4CA6 D8FC 66D2
uid                  Dennis Kaarsemaker (Tutorial key) <dennis@kaarsemaker.net>
sub   2048g/389AA63E 2005-09-08
}}}

gpa

Start gpa, and in its menu choose Keys -> New Key. This opens a new window where you can fill in the required information. See the previous section for recommendations.

gpg.conf

Now that you have created a key, open gpg.conf again and set the key ID of the new key as default-key. Another useful trick is adding this line to your .bashrc:

export GPGKEY=B52A7216

(Use your own key ID instead of B52A7216, of course.) Note that B52A7216 is a short, 32-bit key ID: it is fine for picking your own key out of your own keyring, but it is not a safe way to identify anybody else's key, because short IDs are easy to collide. Use the full fingerprint for that.

Now restart gpg-agent so that it reads the new configuration, and source your .bashrc again:

killall -q gpg-agent
eval $(gpg-agent --daemon)
source ~/.bashrc

Uploading the key

After creating the key, you can upload it to the keyserver configured in gpg.conf (the keyserver option) so that other people can download it. You do this with the following command:

gpg --send-keys $GPGKEY

Getting your key signed

The whole point of all this GPG business is to create a web of trust. By signing someone's key, you state that you have checked that the person using a certain key is who they claim to be and really is in control of the private key. This way a complete network of people who trust each other can be created.

This network is called the strong set (strongly connected set) and information about it can be found at http://www.cs.uu.nl/people/henkp/henkp/pgp/pathfinder/

How do you properly sign a key?

Since a signature means that you checked and verified that a certain public key belongs to a certain person who is in control of the accompanying private key, you need to follow these guidelines when signing people's keys:

  1. Keysigning is always done after meeting in person.
  2. During this meeting you hand each other your key fingerprint and show at least one government-issued identification document with a photograph. Fingerprints are usually distributed as fingerprint slips, created by a script such as gpgkey2ps (package: signing-party).
  3. You check whether the name on the key corresponds with the name on the passport and whether the person in front of you is indeed who they claim to be. Compare the fingerprint on the slip, all 40 hex digits of it, with the fingerprint gpg shows you for the key; an 8-digit key ID is not enough.
  4. Having done these two checks, you only need to check whether this person is in control of the private key. You do this by sending the signed public key back to its owner, encrypted to that key: only someone holding the private key can decrypt it and upload the signature. The caff program makes this part very easy. You need to create a file named .caffrc in your homedir (only once) with the following content:

    $CONFIG{owner} = q{Your full name here};
    $CONFIG{email} = q{The emailaddress used in your key here};
    $CONFIG{keyid} = [ qw{last 16 characters of your key fingerprint here} ];

    Now you can simply run the following command, giving it the other person's key ID (or, better, the full fingerprint):

    caff key_id_of_other_persons_key
  5. When you receive signed keys from others, they arrive as e-mail attachments (caff sends one per user ID, encrypted to that key, which is how it checks control of the private key and of the mailbox). Save the attachments, decrypt them if they are encrypted, and import them with gpg. Then send your key to the keyservers so that other people learn about the new signatures:

    gpg --import filename_of_saved_signature
    gpg --send-keys $GPGKEY
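The steps above rest on comparing fingerprints correctly, and the .caffrc and GPGKEY settings earlier on the page derive key IDs from that same fingerprint. The following added example, which is not part of the wiki page, shows the relationship in shell: it normalises a fingerprint as printed on a slip or by gpg --fingerprint, derives the 64-bit ("long") key ID that .caffrc wants and the 32-bit ("short") key ID used for GPGKEY, and compares two fingerprints without being fooled by spacing or case. The sample fingerprint and the constructed listing are the ones from the page's own --gen-key session; no gpg binary is needed to run it.

```shell
#!/bin/sh
# Added example (not from the wiki page): fingerprint handling for key signing.
# The fingerprint used in the comments is the one from the page's example key.

# fpr_normalize "95BD 8377 ... 66D2" -> 95BD83772644DD4F28B52C370F6E4CA6D8FC66D2
# Prints nothing and returns 1 unless the result is exactly 40 hex digits, so a
# truncated or mistyped slip is rejected instead of silently "matching".
fpr_normalize() {
    f=$(printf '%s' "$1" | tr -d ' \t' | tr 'a-f' 'A-F')
    case $f in
        *[!0-9A-F]*) return 1 ;;
    esac
    [ "${#f}" -eq 40 ] || return 1
    printf '%s\n' "$f"
}

# The long (64-bit) key ID is the last 16 hex digits of the fingerprint; this is
# what $CONFIG{keyid} in .caffrc asks for.
fpr_long_id() {
    f=$(fpr_normalize "$1") || return 1
    printf '%s\n' "$f" | cut -c25-40
}

# The short (32-bit) key ID is the last 8 digits, e.g. D8FC66D2, the ID gpg printed
# as "pub 1024D/D8FC66D2". Convenient for $GPGKEY, but trivially collidable:
# never verify someone else's key by it.
fpr_short_id() {
    f=$(fpr_normalize "$1") || return 1
    printf '%s\n' "$f" | cut -c33-40
}

# fpr_match SLIP KEYRING: succeed only if both normalise to the same 40 digits.
fpr_match() {
    a=$(fpr_normalize "$1") || return 1
    b=$(fpr_normalize "$2") || return 1
    [ "$a" = "$b" ]
}

# fpr_from_listing: read human-readable `gpg --fingerprint` output on stdin and
# extract the first "Key fingerprint = ..." line, normalised.
fpr_from_listing() {
    line=$(sed -n 's/.*Key fingerprint = //p' | head -n 1)
    fpr_normalize "$line"
}

# Usage at a keysigning, with SLIP holding what the other person handed you and
# the listing coming from `gpg --fingerprint THEIR_KEY`:
#   gpg --fingerprint "$their_key" | fpr_from_listing | { read -r k; fpr_match "$SLIP" "$k"; }
```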

Signing data

When you've set up GPG and have a key (ideally one that is in the strong set), it is time to sign the Ubuntu Code of Conduct if you want to become an Ubuntu member. Signing is done in three easy steps:

  1. Download the code of conduct from https://launchpad.net/codeofconduct/1.0

  2. Run the command

    gpg --clearsign UbuntuCodeofConduct-1.0.txt
  3. Upload the contents of UbuntuCodeofConduct-1.0.txt.asc on https://launchpad.net/codeofconduct/1.0/+sign
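The following added example, which is not code from the wiki page, runs the "Generating a key" and "Signing data" procedures above unattended inside a throwaway GNUPGHOME so nothing touches ~/.gnupg: it answers the --gen-key questions from a parameter file, reads the new fingerprint back in machine-readable form, clearsigns a file the way the Code of Conduct step does, and then verifies the signature by parsing gpg's status lines rather than its human-readable output. It assumes GnuPG 2.1 or newer (parameter files, --pinentry-mode loopback, gpgconf); the name, address, passphrase and signed text are constructed for the demo, and the key is given a two-year expiry and RSA 3072 instead of the page's non-expiring DSA/Elgamal key.

```shell
#!/bin/sh
# Added example (not from the wiki page): unattended key generation, clearsigning
# and verification in an isolated GNUPGHOME. Assumes GnuPG >= 2.1.
# Name, e-mail, passphrase and message below are constructed demo values.
set -eu

# Isolated keyring; a short path under /tmp keeps the agent socket path valid.
make_home() {
    GNUPGHOME=$(mktemp -d "${TMPDIR:-/tmp}/gpgdemo.XXXXXX")
    chmod 700 "$GNUPGHOME"
    export GNUPGHOME
}

# gen_key NAME EMAIL PASSPHRASE: answers the --gen-key dialogue from a parameter
# file and prints the new primary key's fingerprint. Unlike the wiki session the
# key expires (Expire-Date), a safety net in case the revocation certificate is
# lost; the date can be extended later without generating a new key.
gen_key() {
    cat > "$GNUPGHOME/params" <<EOF
Key-Type: RSA
Key-Length: 3072
Subkey-Type: RSA
Subkey-Length: 3072
Name-Real: $1
Name-Email: $2
Expire-Date: 2y
Passphrase: $3
%commit
EOF
    gpg --batch --quiet --pinentry-mode loopback --gen-key "$GNUPGHOME/params"
    rm -f "$GNUPGHOME/params"
    # --with-colons is the stable listing format; field 10 of the first "fpr"
    # record is the primary key fingerprint (later fpr records are subkeys).
    gpg --batch --with-colons --list-keys "$2" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# clearsign FILE PASSPHRASE: writes FILE.asc, like the Code of Conduct step.
clearsign() {
    gpg --batch --yes --pinentry-mode loopback --passphrase "$2" --clearsign "$1"
}

# verify_signer FILE.asc: prints the primary fingerprint of the key behind a
# *good* signature and fails otherwise. Scripts should parse the --status-fd
# lines; the "Good signature" text is localised and not meant to be parsed.
verify_signer() {
    gpg --batch --status-fd 1 --verify "$1" 2>/dev/null |
        awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF; found = 1 }
             END { exit !found }'
}

cleanup() {
    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$GNUPGHOME"
}

# The whole procedure, end to end.
run_demo() {
    make_home
    fpr=$(gen_key "Demo User" "demo@example.invalid" "correct horse battery staple")
    echo "generated key $fpr"
    printf 'I agree to the constructed demo Code of Conduct.\n' > "$GNUPGHOME/coc.txt"
    clearsign "$GNUPGHOME/coc.txt" "correct horse battery staple"
    echo "signed by $(verify_signer "$GNUPGHOME/coc.txt.asc")"
    # Editing the signed text (as a tampered mail or web form might) must break it.
    sed 's/agree/disagree/' "$GNUPGHOME/coc.txt.asc" > "$GNUPGHOME/tampered.asc"
    if verify_signer "$GNUPGHOME/tampered.asc" >/dev/null; then
        echo "BUG: tampered file verified"; cleanup; return 1
    fi
    echo "tampered copy correctly rejected"
    cleanup
}

if command -v gpg >/dev/null 2>&1; then run_demo; fi
```

The interactive questions from the page's session map one to one onto the parameter-file lines, which is also how build systems create signing keys reproducibly. Keep the fingerprint that gen_key prints: it is what Launchpad asks for in the next section.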

Note: You can also sign keys and files with the GPA gui. A howto will be written shortly.

GPG Keys and Launchpad

You need to tell Launchpad about your GPG key(s) to be able to sign the Ubuntu Code of Conduct (and thus become an Ubuntite) and to build packages using HCT.

Visit the GPG Keys page once logged into Launchpad and paste your key fingerprint into the textbox. You can display it with:

gpg --fingerprint

Example: the key fingerprint would be something like "95BD 8377 2644 DD4F 28B5 2C37 0F6E 4CA6 D8FC 66D2"

Launchpad will send you an e-mail encrypted to your key, which you will have to decrypt to prove that you control it. Save the text to a file and run

gpg --decrypt file.txt

You will need to enter your passphrase.

The message will be displayed along with the link you must follow to confirm your key in launchpad.

Follow it, enter your launchpad password as asked and you are done!

CategoryDocumentation CategoryCleanup