我正在尝试为我的构建工具编写一个包装 GnuPG 的插件。
到目前为止我已经设法做了所有事情,但有一件事我遇到了困难,那就是如何在不影响现有密钥的信任的情况下信任新添加的密钥。
如果我首先列出键:
root@7353afd2c546:/# gpg --with-keygrip --with-secret --batch --with-colons --status-fd 1 --list-keys
tru::1:1542186184:0:3:1:5
pub:-:4096:1:B6A8B64B909CAF2F:1541574504:::-:::scESC:::#:::23::0:
fpr:::::::::DE29CBE0AC9B2EB810E694D7B6A8B64B909CAF2F:
grp:::::::::9BEB53AD0C68FC629997DB0597DDD758C632B9CD:
uid:-::::1541574504::5D90CFACEB3B07D9914327FD2981787B56ACD4A2::Testy <[email protected]>::::::::::0:
sub:-:4096:1:0E839DDD93691327:1541574504::::::e:::+:::23:
fpr:::::::::B9A633DBD1A309DB71ED55940E839DDD93691327:
grp:::::::::6D475E5BA6A1502B1C083F780A537DBC15643EEA:
我们发现有效性没有任何价值。
现在我有一个命令文件:
root@7353afd2c546:/# cat /root/.gnupg/commands
trust
5
save
当我跑步时:
root@7353afd2c546:/# gpg --batch --yes --status-fd 1 --command-file /root/.gnupg/commands --edit-key DE29CBE0AC9B2EB810E694D7B6A8B64B909CAF2F
[GNUPG:] KEY_CONSIDERED DE29CBE0AC9B2EB810E694D7B6A8B64B909CAF2F 0
Secret subkeys are available.
pub:-:4096:1:B6A8B64B909CAF2F:1541574504:0::-:::sc
fpr:::::::::DE29CBE0AC9B2EB810E694D7B6A8B64B909CAF2F:
ssb:-:4096:1:0E839DDD93691327:1541574504:0:::::e
fpr:::::::::B9A633DBD1A309DB71ED55940E839DDD93691327:
uid:-::::::::Testy <[email protected]>:::S9 S8 S7 S2 H10 H9 H8 H11 H2 Z2 Z3 Z1,mdc,no-ks-modify:1,p::
[GNUPG:] GET_LINE keyedit.prompt
[GNUPG:] GOT_IT
Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)
1 = I don't know or won't say
2 = I do NOT trust
3 = I trust marginally
4 = I trust fully
5 = I trust ultimately
m = back to the main menu
pub:-:4096:1:B6A8B64B909CAF2F:1541574504:0::-:::sc
fpr:::::::::DE29CBE0AC9B2EB810E694D7B6A8B64B909CAF2F:
ssb:-:4096:1:0E839DDD93691327:1541574504:0:::::e
fpr:::::::::B9A633DBD1A309DB71ED55940E839DDD93691327:
uid:-::::::::Testy <[email protected]>:::S9 S8 S7 S2 H10 H9 H8 H11 H2 Z2 Z3 Z1,mdc,no-ks-modify:1,p::
[GNUPG:] GET_LINE edit_ownertrust.value
[GNUPG:] GOT_IT
[GNUPG:] GET_LINE edit_ownertrust.value
[GNUPG:] GOT_IT
[GNUPG:] GET_LINE keyedit.prompt
[GNUPG:] GOT_IT
我们在这里看到它似乎成功地从文件中读取了输入。然而,当我再次列出密钥时,有效性并没有改变。
但如果我手动编辑密钥:
root@7353afd2c546:/# gpg --edit-key DE29CBE0AC9B2EB810E694D7B6A8B64B909CAF2F
gpg (GnuPG) 2.2.4; Copyright (C) 2017 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Secret subkeys are available.
pub rsa4096/B6A8B64B909CAF2F
created: 2018-11-07 expires: never usage: SC
trust: never validity: unknown
ssb rsa4096/0E839DDD93691327
created: 2018-11-07 expires: never usage: E
[ unknown] (1). Testy <[email protected]>
gpg> trust
pub rsa4096/B6A8B64B909CAF2F
created: 2018-11-07 expires: never usage: SC
trust: never validity: unknown
ssb rsa4096/0E839DDD93691327
created: 2018-11-07 expires: never usage: E
[ unknown] (1). Testy <[email protected]>
Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)
1 = I don't know or won't say
2 = I do NOT trust
3 = I trust marginally
4 = I trust fully
5 = I trust ultimately
m = back to the main menu
Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y
pub rsa4096/B6A8B64B909CAF2F
created: 2018-11-07 expires: never usage: SC
trust: ultimate validity: unknown
ssb rsa4096/0E839DDD93691327
created: 2018-11-07 expires: never usage: E
[ unknown] (1). Testy <[email protected]>
Please note that the shown key validity is not necessarily correct
unless you restart the program.
gpg> save
Key not changed so no update needed.
然后它就可以工作了:
root@7353afd2c546:/# gpg --with-keygrip --with-secret --batch --with-colons --status-fd 1 --list-keys
gpg: checking the trustdb
tru:o:1:1542190815:1:3:1:5
[GNUPG:] KEY_CONSIDERED DE29CBE0AC9B2EB810E694D7B6A8B64B909CAF2F 0
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
pub:u:4096:1:B6A8B64B909CAF2F:1541574504:::u:::scESC:::#:::23::0:
fpr:::::::::DE29CBE0AC9B2EB810E694D7B6A8B64B909CAF2F:
grp:::::::::9BEB53AD0C68FC629997DB0597DDD758C632B9CD:
uid:u::::1541574504::5D90CFACEB3B07D9914327FD2981787B56ACD4A2::Testy <[email protected]>::::::::::0:
sub:u:4096:1:0E839DDD93691327:1541574504::::::e:::+:::23:
fpr:::::::::B9A633DBD1A309DB71ED55940E839DDD93691327:
grp:::::::::6D475E5BA6A1502B1C083F780A537DBC15643EEA:
这为什么不起作用?
答案1
你的命令文件只有trust 5一行,即使trust命令不接受参数。相反,它会显示菜单选择的单独提示,这意味着响应也应该在单独的行中。每个提示在命令文件中都需要有自己的行。
save因此信任不会更新,因为 GnuPG在需要数字时会收到单词。
设置ownertrust的更快方法是:
echo "DE29CBE0AC9B2EB810E694D7B6A8B64B909CAF2F:6:" | gpg --import-ownertrust
(这6不是打字错误——它是内部信任值,而不是菜单项编号。)