Cannot edit trust with gpg and a command file

I am trying to write a plugin that wraps GnuPG for my build tool.

So far I have managed to do everything, but one thing I am stuck on is how to trust a newly added key without affecting the trust of the existing keys.

If I first list the keys:

root@7353afd2c546:/# gpg --with-keygrip --with-secret --batch --with-colons --status-fd 1 --list-keys
tru::1:1542186184:0:3:1:5
pub:-:4096:1:B6A8B64B909CAF2F:1541574504:::-:::scESC:::#:::23::0:
fpr:::::::::DE29CBE0AC9B2EB810E694D7B6A8B64B909CAF2F:
grp:::::::::9BEB53AD0C68FC629997DB0597DDD758C632B9CD:
uid:-::::1541574504::5D90CFACEB3B07D9914327FD2981787B56ACD4A2::Testy <[email protected]>::::::::::0:
sub:-:4096:1:0E839DDD93691327:1541574504::::::e:::+:::23:
fpr:::::::::B9A633DBD1A309DB71ED55940E839DDD93691327:
grp:::::::::6D475E5BA6A1502B1C083F780A537DBC15643EEA:

We see that there is no value for validity.

Now I have a command file:

root@7353afd2c546:/# cat /root/.gnupg/commands
trust
5
save

When I run:

root@7353afd2c546:/# gpg --batch --yes --status-fd 1 --command-file /root/.gnupg/commands --edit-key DE29CBE0AC9B2EB810E694D7B6A8B64B909CAF2F
[GNUPG:] KEY_CONSIDERED DE29CBE0AC9B2EB810E694D7B6A8B64B909CAF2F 0
Secret subkeys are available.


pub:-:4096:1:B6A8B64B909CAF2F:1541574504:0::-:::sc
fpr:::::::::DE29CBE0AC9B2EB810E694D7B6A8B64B909CAF2F:
ssb:-:4096:1:0E839DDD93691327:1541574504:0:::::e
fpr:::::::::B9A633DBD1A309DB71ED55940E839DDD93691327:
uid:-::::::::Testy <[email protected]>:::S9 S8 S7 S2 H10 H9 H8 H11 H2 Z2 Z3 Z1,mdc,no-ks-modify:1,p::
[GNUPG:] GET_LINE keyedit.prompt
[GNUPG:] GOT_IT

Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

  1 = I don't know or won't say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately
  m = back to the main menu

pub:-:4096:1:B6A8B64B909CAF2F:1541574504:0::-:::sc
fpr:::::::::DE29CBE0AC9B2EB810E694D7B6A8B64B909CAF2F:
ssb:-:4096:1:0E839DDD93691327:1541574504:0:::::e
fpr:::::::::B9A633DBD1A309DB71ED55940E839DDD93691327:
uid:-::::::::Testy <[email protected]>:::S9 S8 S7 S2 H10 H9 H8 H11 H2 Z2 Z3 Z1,mdc,no-ks-modify:1,p::
[GNUPG:] GET_LINE edit_ownertrust.value
[GNUPG:] GOT_IT
[GNUPG:] GET_LINE edit_ownertrust.value
[GNUPG:] GOT_IT

[GNUPG:] GET_LINE keyedit.prompt
[GNUPG:] GOT_IT

Here we see that it appears to read the input from the file successfully. However, when I list the keys again, the validity has not changed.

But if I edit the key manually:

root@7353afd2c546:/# gpg --edit-key DE29CBE0AC9B2EB810E694D7B6A8B64B909CAF2F
gpg (GnuPG) 2.2.4; Copyright (C) 2017 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret subkeys are available.

pub  rsa4096/B6A8B64B909CAF2F
     created: 2018-11-07  expires: never       usage: SC
     trust: never         validity: unknown
ssb  rsa4096/0E839DDD93691327
     created: 2018-11-07  expires: never       usage: E
[ unknown] (1). Testy <[email protected]>

gpg> trust
pub  rsa4096/B6A8B64B909CAF2F
     created: 2018-11-07  expires: never       usage: SC
     trust: never         validity: unknown
ssb  rsa4096/0E839DDD93691327
     created: 2018-11-07  expires: never       usage: E
[ unknown] (1). Testy <[email protected]>

Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

  1 = I don't know or won't say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately
  m = back to the main menu

Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y

pub  rsa4096/B6A8B64B909CAF2F
     created: 2018-11-07  expires: never       usage: SC
     trust: ultimate      validity: unknown
ssb  rsa4096/0E839DDD93691327
     created: 2018-11-07  expires: never       usage: E
[ unknown] (1). Testy <[email protected]>
Please note that the shown key validity is not necessarily correct
unless you restart the program.

gpg> save
Key not changed so no update needed.

Then it works:

root@7353afd2c546:/# gpg --with-keygrip --with-secret --batch --with-colons --status-fd 1 --list-keys
gpg: checking the trustdb
tru:o:1:1542190815:1:3:1:5
[GNUPG:] KEY_CONSIDERED DE29CBE0AC9B2EB810E694D7B6A8B64B909CAF2F 0
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
pub:u:4096:1:B6A8B64B909CAF2F:1541574504:::u:::scESC:::#:::23::0:
fpr:::::::::DE29CBE0AC9B2EB810E694D7B6A8B64B909CAF2F:
grp:::::::::9BEB53AD0C68FC629997DB0597DDD758C632B9CD:
uid:u::::1541574504::5D90CFACEB3B07D9914327FD2981787B56ACD4A2::Testy <[email protected]>::::::::::0:
sub:u:4096:1:0E839DDD93691327:1541574504::::::e:::+:::23:
fpr:::::::::B9A633DBD1A309DB71ED55940E839DDD93691327:
grp:::::::::6D475E5BA6A1502B1C083F780A537DBC15643EEA:

Why doesn't this work?

Answer 1

Your command file has "trust 5" on a single line, even though the trust command does not accept arguments. Instead, it shows a separate prompt for the menu choice, which means the response should also be on a separate line. Each prompt needs its own line in the command file.

So the trust is not updated, because GnuPG receives the word "save" where it expects a number.

A faster way to set ownertrust is:

echo "DE29CBE0AC9B2EB810E694D7B6A8B64B909CAF2F:6:" | gpg --import-ownertrust

(The 6 is not a typo; it is the internal trust value, not the menu item number.)
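An added example, not from the original question or answer: a small Python helper that builds the "fingerprint:value:" line consumed by the answer's gpg --import-ownertrust command, and that parses the --with-colons listings from the question to show the validity and ownertrust fields changing from "-" to "u". The stored values 2..6 are GnuPG's trustdb constants (undefined, never, marginal, full, ultimate); only the ultimate case, 6, appears on the page. The function and variable names are my own, and the two listings are copied from the question with the non-record lines dropped.

```python
"""Helpers around `gpg --import-ownertrust` and `--with-colons` key listings.

Added example, not code from the original post. Only import_ownertrust()
needs a real gpg binary; everything else runs offline.
"""
import re
import subprocess

# Ownertrust values as GnuPG stores them in the trustdb (its TRUST_* constants).
OWNERTRUST = {"undefined": 2, "never": 3, "marginal": 4, "full": 5, "ultimate": 6}

# Interactive `trust` menu number (1..5) -> stored ownertrust value (2..6).
MENU_TO_OWNERTRUST = {1: 2, 2: 3, 3: 4, 4: 5, 5: 6}

# v4 fingerprints are 40 hex digits; spaces from a "pretty" listing are stripped first.
FPR_RE = re.compile(r"^[0-9A-F]{40}$")


def ownertrust_line(fingerprint, level):
    """Return '<FINGERPRINT>:<value>:' for one key.

    `level` is either a name from OWNERTRUST or the 1..5 menu number; both
    map to the stored value, never to the menu number itself.
    """
    fpr = fingerprint.replace(" ", "").upper()
    if not FPR_RE.match(fpr):
        raise ValueError(f"not a 40-hex-digit v4 fingerprint: {fingerprint!r}")
    value = OWNERTRUST[level] if isinstance(level, str) else MENU_TO_OWNERTRUST[level]
    return f"{fpr}:{value}:"


def import_ownertrust(lines, gnupghome=None):
    """Feed the lines to `gpg --import-ownertrust` on stdin (needs gpg on PATH).

    Only the listed fingerprints are updated; other keys keep their ownertrust.
    """
    cmd = ["gpg", "--batch"]
    if gnupghome:
        cmd += ["--homedir", gnupghome]
    cmd.append("--import-ownertrust")
    subprocess.run(cmd, input="\n".join(lines) + "\n", text=True, check=True)


def parse_colon_listing(text):
    """Map primary-key fingerprint -> {'validity', 'ownertrust'} from --with-colons output.

    In a `pub` record field 2 is the computed validity and field 9 the
    ownertrust; the fingerprint is field 10 of the `fpr` record that follows.
    """
    keys = {}
    pending = None
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            pending = {"validity": f[1], "ownertrust": f[8]}
        elif f[0] == "fpr" and pending is not None:
            keys[f[9]] = pending
            pending = None  # the subkey's own fpr record must not overwrite this
    return keys


# The two listings from the question (record lines only), before and after.
LISTING_BEFORE = """\
tru::1:1542186184:0:3:1:5
pub:-:4096:1:B6A8B64B909CAF2F:1541574504:::-:::scESC:::#:::23::0:
fpr:::::::::DE29CBE0AC9B2EB810E694D7B6A8B64B909CAF2F:
sub:-:4096:1:0E839DDD93691327:1541574504::::::e:::+:::23:
fpr:::::::::B9A633DBD1A309DB71ED55940E839DDD93691327:
"""

LISTING_AFTER = """\
tru:o:1:1542190815:1:3:1:5
pub:u:4096:1:B6A8B64B909CAF2F:1541574504:::u:::scESC:::#:::23::0:
fpr:::::::::DE29CBE0AC9B2EB810E694D7B6A8B64B909CAF2F:
sub:u:4096:1:0E839DDD93691327:1541574504::::::e:::+:::23:
fpr:::::::::B9A633DBD1A309DB71ED55940E839DDD93691327:
"""

FPR = "DE29CBE0AC9B2EB810E694D7B6A8B64B909CAF2F"

if __name__ == "__main__":
    print(ownertrust_line(FPR, "ultimate"))          # DE29...AF2F:6:
    print(parse_colon_listing(LISTING_BEFORE)[FPR])  # validity '-', ownertrust '-'
    print(parse_colon_listing(LISTING_AFTER)[FPR])   # validity 'u', ownertrust 'u'
    # import_ownertrust([ownertrust_line(FPR, "ultimate")])  # against a real keyring
```

Because the import file is keyed by fingerprint, only the keys you list have their ownertrust changed, which is what the question asks for. The validity column is recomputed on the next trustdb check, which is why the second listing in the question starts with "gpg: checking the trustdb".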
