Before importing a key from a file, I want to check the key's fingerprint. Following the instructions from the CentOS wiki, I use the command
gpg --quiet --with-fingerprint <path of key file>
If I use GnuPG 2.1.16 (self-compiled) or GnuPG 2.1.17 (OpenSUSE Tumbleweed or ArchLinux, command gpg), the output does not contain the fingerprint.
If I use GnuPG 2.1.15 (self-compiled) or GnuPG 2.1.13 (Fedora, command gpg2), the output contains the expected fingerprint.
How do I get the fingerprint with the newer GnuPG versions?
Here is some more information about my tests:
- Key file used: http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-7
- Output of
gpg --quiet --with-fingerprint ./RPM-GPG-KEY-CentOS-7
- with GnuPG 2.1.17:
pub rsa4096 2014-06-23 [SC]
uid CentOS-7 Key (CentOS 7 Official Signing Key) <[email protected]>
- with GnuPG 2.1.16:
pub rsa4096 2014-06-23 [SC]
uid CentOS-7 Key (CentOS 7 Official Signing Key) <[email protected]>
- with GnuPG 2.1.13:
pub rsa4096 2014-06-23 [SC]
6341 AB27 53D7 8A78 A7C2 7BB1 24C6 A8A7 F4A8 0EB5
uid CentOS-7 Key (CentOS 7 Official Signing Key) <[email protected]>
Answer 1
This works (at least in 2.2.4):
gpg --import --import-options show-only ~/schneier.gpg
From the man page:
--import-options parameters
import-show
show-only
Show a listing of the key as imported right before it is stored. This
can be combined with the option --dry-run to only look at keys; the
option show-only is a shortcut for this combination. Note that
suffixes like '#' for "sec" and "sbb" lines may or may not be printed.
Answer 2
See https://unix.stackexchange.com/a/391346/29483. Treating the key file as a keyring did not work for me, but the accepted answer helped.
cat keyfile.key | gpg --with-colons --import-options import-show --dry-run --import
Tested on Debian 9 with gpg 2.1.18 and on Fedora 26 with gpg2 2.2.0:
$ gpg2 --with-fingerprint --import-options import-show --dry-run --import < linux_signing_key.pub
pub dsa1024 2007-03-08 [SC]
4CCA 1EAF 950C EE4A B839 76DC A040 830F 7FAC 5991
uid Google, Inc. Linux Package Signing Key <[email protected]>
sub elg2048 2007-03-08 [E]
pub rsa4096 2016-04-12 [SC]
EB4C 1BFD 4F04 2F6D DDCC EC91 7721 F63B D38B 4796
uid Google Inc. (Linux Packages Signing Authority) <[email protected]>
sub rsa4096 2016-04-12 [S] [expires: 2019-04-12]
gpg: Total number processed: 2
It is also possible that --with-fingerprint is obsolete by now. GPG2 seems to have been fixed to stop printing the insecure short key IDs.
$ gpg2 --import-options import-show --dry-run --import < linux_signing_key.pub
pub dsa1024 2007-03-08 [SC]
4CCA1EAF950CEE4AB83976DCA040830F7FAC5991
4CCA1EAF950CEE4AB83976DCA040830F7FAC5991
uid Google, Inc. Linux Package Signing Key <[email protected]>
sub elg2048 2007-03-08 [E]
pub rsa4096 2016-04-12 [SC]
EB4C1BFD4F042F6DDDCCEC917721F63BD38B4796
EB4C1BFD4F042F6DDDCCEC917721F63BD38B4796
uid Google Inc. (Linux Packages Signing Authority) <[email protected]>
sub rsa4096 2016-04-12 [S] [expires: 2019-04-12]
gpg: Total number processed: 2
Unfortunately, I want the machine-readable output of --with-colons, but something else is going on there :-(.
$ gpg --with-colons --with-fingerprint --import-options import-show --dry-run --import < linux_signing_key.pub
gpg: lookup_hashtable failed: Unknown system error
gpg: trustdb: searching trust record failed: Unknown system error
gpg: Error: The trustdb is corrupted.
gpg: You may try to re-create the trustdb using the commands:
gpg: cd ~/.gnupg
gpg: gpg --export-ownertrust > otrust.tmp
gpg: rm trustdb.gpg
gpg: gpg --import-ownertrust < otrust.tmp
gpg: If that does not work, please consult the manual
I ended up using the following code
gpg_show_fingerprints() {
    # Newer GnuPG: list the keys in the file without importing them.
    gpg2 --with-fingerprint --import-options import-show --dry-run --import < "$1" >/dev/null 2>&1
    if [ "$?" -eq 2 ]; then
        # Usage error (this gpg2 does not know the option): try the old way.
        gpg2 --with-fingerprint "$1"
    else
        gpg2 --with-fingerprint --import-options import-show --dry-run --import < "$1"
    fi
}
# Keep only runs of at least ten 4-hex-digit groups, i.e. the fingerprint lines.
gpg_show_fingerprints "$1" |
    sed -E -n -e 's/.*(([0-9A-F]{4}[ ]*){10,}).*/\1/p'
Answer 3
Interestingly, omitting the --with-fingerprint option prints the fingerprint, just without the spaced formatting. Using gpg version 2.2.20.
$ gpg RPM-GPG-KEY-CentOS-7
gpg: WARNING: no command supplied. Trying to guess what you mean ...
pub rsa4096 2014-06-23 [SC]
6341AB2753D78A78A7C27BB124C6A8A7F4A80EB5
uid CentOS-7 Key (CentOS 7 Official Signing Key) <[email protected]>
Answer 4
gpg --show-keys --fingerprint RPM-GPG-KEY-CentOS-7
pub rsa4096 2014-06-23 [SC]
6341 AB27 53D7 8A78 A7C2 7BB1 24C6 A8A7 F4A8 0EB5
uid CentOS-7 Key (CentOS 7 Official Signing Key) <[email protected]>
From the GPG manual -
--show-keys
This commands takes OpenPGP keys as input and prints information about them
in the same way the command --list-keys does for locally stored key. In
addition the list options show-unusable-uids, show-unusable-subkeys,
show-notations and show-policy-urls are also enabled. As usual for automated
processing, this command should be combined with the option --with-colons.
--fingerprint
List all keys (or the specified ones) along with their fingerprints. This is
the same output as --list-keys but with the additional output of a line with
the fingerprint. May also be combined with --check-signatures. If this
command is given twice, the fingerprints of all secondary keys are listed too.
This command also forces pretty printing of fingerprints if the keyid format
has been set to "none".
--with-fingerprint
Same as the command --fingerprint but changes only the format of the output
and may be used together with another command.
My GnuPG version is 2.2.20
Reference -
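Putting Answer 2's wish for machine-readable --with-colons output together with Answer 4's --show-keys, here is an added example of what the question is really after: read the fingerprints out of a key file without touching the keyring, compare them against a pinned value, and only then import. This is my own code, not from any of the answers or from the GnuPG project. It assumes a GnuPG 2.2-series binary that supports --show-keys (as in Answer 4; set GPG=gpg2 on Fedora). The colon-output sample is constructed: only the CentOS-7 fingerprint and its derived key ID come from the question, while the timestamps, the uid hash, key-owner@example.org and the subkey values are placeholders.

```shell
#!/bin/sh
# Added example, not code from the answers above.
# Assumes a GnuPG 2.2-series binary; on Fedora run with GPG=gpg2.
GPG=${GPG:-gpg}

# Print one fingerprint per line for every *primary* key in gpg colon output read
# from stdin. In colon output the first field is the record type; an "fpr" record
# carries the fingerprint in field 10 and follows the "pub" or "sub" record it
# belongs to, so only an "fpr" that directly follows a "pub" is kept.
extract_primary_fingerprints() {
    awk -F: '
        $1 == "pub"                               { want = 1; next }
        $1 == "sub" || $1 == "sec" || $1 == "ssb" { want = 0; next }
        $1 == "fpr" && want                       { print $10; want = 0 }
    '
}

# List the primary-key fingerprints of an OpenPGP key file without importing it.
key_file_fingerprints() {
    "$GPG" --batch --with-colons --show-keys "$1" 2>/dev/null | extract_primary_fingerprints
}

# Normalise a fingerprint for comparison: drop whitespace, upper-case the hex digits.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t' | tr 'abcdef' 'ABCDEF'
}

# fingerprint_matches PINNED ACTUAL: succeed only if both denote the same full
# 40-hex-digit fingerprint (a short key ID or prefix never matches).
fingerprint_matches() {
    p=$(normalize_fpr "$1")
    [ "${#p}" -eq 40 ] && [ "$p" = "$(normalize_fpr "$2")" ]
}

# check_pinned "FPR_LIST" PINNED...: succeed only if FPR_LIST is non-empty and every
# newline-separated fingerprint in it matches one of the PINNED values.
check_pinned() {
    list=$1; shift
    [ -n "$list" ] || return 1
    for fpr in $list; do
        ok=1
        for pinned in "$@"; do
            if fingerprint_matches "$pinned" "$fpr"; then ok=0; break; fi
        done
        [ "$ok" -eq 0 ] || { echo "unexpected key $fpr" >&2; return 1; }
    done
    return 0
}

# verify_and_import FILE PINNED...: import FILE only if every primary key in it is pinned.
verify_and_import() {
    file=$1; shift
    check_pinned "$(key_file_fingerprints "$file")" "$@" || {
        echo "refusing to import $file" >&2; return 1; }
    "$GPG" --batch --import "$file"
}

# Constructed sample of colon output for the CentOS-7 key: the fingerprint (and the
# key ID, its last 16 hex digits) are from the question; timestamps, uid hash,
# e-mail address and the subkey values are made up.
SAMPLE_COLONS='pub:-:4096:1:24C6A8A7F4A80EB5:1403481600:::-:::scSC::::::23::0:
fpr:::::::::6341AB2753D78A78A7C27BB124C6A8A7F4A80EB5:
uid:-::::1403481600::0000000000000000000000000000000000000000::CentOS-7 Key (CentOS 7 Official Signing Key) <key-owner@example.org>::::::::::0:
sub:-:4096:1:1111111111111111:1403481600::::::e::::::23:
fpr:::::::::1111111111111111111111111111111111111111:'

# Stand-alone demo on the constructed sample (no gpg needed): prints the primary
# fingerprint only, the subkey's fpr record is filtered out.
printf '%s\n' "$SAMPLE_COLONS" | extract_primary_fingerprints
# Real use:
# verify_and_import RPM-GPG-KEY-CentOS-7 "6341 AB27 53D7 8A78 A7C2 7BB1 24C6 A8A7 F4A8 0EB5"
```

The comparison works on the full 40-digit fingerprint only, so the short key IDs that Answer 2 mentions as insecure can never satisfy it, and a file carrying an extra key besides the pinned one (as the two-key Google file in Answer 2 would) is refused as a whole rather than partly imported.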