I am trying to import a PGP key into NixOS (from OpenKeychain). The key is used to encrypt and decrypt a password list (with pass).
Here are the steps to reproduce the problem (you can follow along):
In OpenKeychain, back up the key, write down the 36-digit code and save it;
In NixOS (assuming the backup key is in your ~/Downloads folder), run the following:
nix-shell -p gnupg --run 'gpg --decrypt --pinentry-mode=loopback ~/Downloads/backup_2021-09-16.sec.pgp | gpg --import'
This should import the key, but I only get a public key. Here is the full output:
gpg: unknown armor header: Passphrase-Format: numeric9x4
gpg: unknown armor header: Passphrase-Begin: 40
gpg: AES256.CFB encrypted data
gpg: encrypted with 1 passphrase
gpg: key 0x10D48E16F953D026: public key "John Doe <[email protected]>" imported
gpg: key 0x10D48E16F953D026: "John Doe <[email protected]>" not changed
gpg: key 0x10D48E16F953D026/0x10D48E16F953D026: error sending to agent: Without pinentry
gpg: error building skey array: Without pinentry
gpg: error reading '[stdin]': Without pinentry
gpg: import from '[stdin]' failed: Without pinentry
gpg: Total number processed: 1
gpg: imported: 1
gpg: unchanged: 1
gpg: secret keys read: 1
I tried adding the following entry to gpg-agent.conf, as suggested:
pinentry-program /run/current-system/sw/bin/pinentry-curses
then reloaded gpg-agent with $ gpgconf --reload gpg-agent and ran the import command again:
nix-shell -p gnupg --run 'gpg --decrypt --pinentry-mode=loopback ~/Downloads/backup_2021-09-16.sec.pgp | gpg --import'
which outputs the following:
gpg: unknown armor header: Passphrase-Format: numeric9x4
gpg: unknown armor header: Passphrase-Begin: 40
gpg: AES256.CFB encrypted data
gpg: encrypted with 1 passphrase
gpg: key 0x10D48E16F953D026: public key "John Doe <[email protected]>" imported
gpg: key 0x10D48E16F953D026: "John Doe <[email protected]>" not changed
gpg: key 0x10D48E16F953D026/0x10D48E16F953D026: error sending to agent: Inappropriate ioctl for device
gpg: error building skey array: Inappropriate ioctl for device
gpg: error reading '[stdin]': Inappropriate ioctl for device
gpg: import from '[stdin]' failed: Inappropriate ioctl for device
gpg: Total number processed: 1
gpg: imported: 1
gpg: unchanged: 1
gpg: secret keys read: 1
Interestingly, regardless of whether the entry above is added to the gpg-agent.conf file, running the following decrypts the file and prints both the public and the secret key to the terminal:
nix-shell -p gnupg --run 'gpg --decrypt --pinentry-mode=loopback < ~/Downloads/backup_2021-09-16.sec.pgp'
Answer 1
I finally figured it out. You need to decrypt it to a text file first. When prompted, use the code OpenKeychain gave you when you backed up the key:
nix-shell -p gnupg --run 'gpg -o ~/Downloads/backup_2021-09-16_decrypted.txt --decrypt --pinentry-mode=loopback < ~/Downloads/backup_2021-09-16.sec.pgp'
This saves your public and secret keys in plain text, which you can confirm with cat ~/Downloads/backup_2021-09-16_decrypted.txt.
You can now import the key with the following command (when prompted, enter the passphrase you already use for this key elsewhere, for example in the password store app):
nix-shell -p gnupg --run 'gpg --import ~/Downloads/backup_2021-09-16_decrypted.txt'
It should output something like this:
gpg: key 0x10D48E16F953D026: "John Doe <[email protected]>" not changed
gpg: key 0x10D48E16F953D026: "John Doe <[email protected]>" not changed
gpg: key 0x10D48E16F953D026: secret key imported
gpg: Total number processed: 2
gpg: unchanged: 2
gpg: secret keys read: 1
gpg: secret keys imported: 1
Note the secret keys imported line at the end. You can double-check with gpg --list-secret-keys. If everything went well, it should list the sec, uid, subkey and fingerprint of your key.
Before that, you may need to enable gpg-agent in your NixOS configuration, like so:
services.gpg-agent = {
enable = true;
};
This creates a gpg-agent.conf file for you (if you already have one, you will be prompted to move it away or to use "home-manager switch -b backup" to back it up automatically) containing the following line:
pinentry-program /nix/store/bv018hrslwj37vpvgjrnqdpr0raj27ik-pinentry-1.1.0-gtk2/bin/pinentry
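A scripted version of the procedure from the answer, added here as an example; it is not code from the question, the answer, OpenKeychain or GnuPG. It assumes GnuPG 2.x is in PATH (for instance inside nix-shell -p gnupg). Two things differ from the answer: the decrypted key goes into a mode-0600 temporary file that is shredded when the script exits (the answer leaves a plain-text secret key in ~/Downloads), and the import reads from that file rather than from a pipe, which keeps stdin attached to the terminal so the agent can run pinentry for the key's own passphrase (that is what the original pipe took away, hence "Without pinentry" and "Inappropriate ioctl for device"). The helper that compares the backup code against the Passphrase-Begin header treats that header as the leading digits of the code; that reading is an assumption, not something the page states. The sample file the script can write is a constructed header block with a placeholder body, not a real backup.

```shell
#!/usr/bin/env bash
# Added example, not code from the question or the answer.
# Assumes GnuPG 2.x in PATH, e.g.:
#   nix-shell -p gnupg --run './okc-import.sh ~/Downloads/backup_2021-09-16.sec.pgp'
set -eu

# Normalise the backup code OpenKeychain shows ("Passphrase-Format: numeric9x4",
# i.e. 9 groups of 4 digits): strip spaces/dashes, require exactly 36 digits.
okc_normalize_code() {
    code=$(printf '%s' "$1" | sed 's/[ -]//g')
    case "$code" in
        *[!0-9]*) return 1 ;;   # anything that is not a digit
    esac
    [ "${#code}" -eq 36 ] || return 1
    printf '%s\n' "$code"
}

# Read the two armor headers gpg reports as "unknown armor header". They sit
# between the BEGIN line and the first blank line of the backup file.
okc_armor_headers() {
    awk '
        /^-----BEGIN PGP MESSAGE-----/  { inhdr = 1; next }
        inhdr && /^$/                   { exit }          # END still runs
        inhdr && /^Passphrase-Format: / { fmt = $2 }
        inhdr && /^Passphrase-Begin: /  { beg = $2 }
        END { printf "Format=%s Begin=%s\n", fmt, beg }
    ' "$1"
}

# Cheap sanity check before typing 36 digits at a pinentry prompt.
# ASSUMPTION: Passphrase-Begin carries the leading digits of the backup code.
okc_code_matches_begin() {
    code=$(okc_normalize_code "$1") || return 1
    case "$code" in
        "$2"*) return 0 ;;
        *)     return 1 ;;
    esac
}

# Constructed sample: an OpenKeychain-style header block with a placeholder
# body (NOT real ciphertext), just enough to exercise okc_armor_headers.
okc_write_sample_backup() {
    f=$(mktemp "${TMPDIR:-/tmp}/okc-sample.XXXXXX")
    cat > "$f" <<'EOF'
-----BEGIN PGP MESSAGE-----
Passphrase-Format: numeric9x4
Passphrase-Begin: 40

cGxhY2Vob2xkZXIsIG5vdCBhIHJlYWwgYmFja3Vw
-----END PGP MESSAGE-----
EOF
    printf '%s\n' "$f"
}

# The import itself. Differences from `gpg --decrypt ... | gpg --import`:
#  - plaintext goes to a 0600 temp file (mktemp), not to ~/Downloads, and is
#    shredded when the script exits, successfully or not;
#  - `gpg --import <file>` leaves stdin attached to the terminal, so the agent
#    can run pinentry for the key's own passphrase (the pipe took the tty away).
okc_import_backup() {
    backup=$1
    plain=$(mktemp "${TMPDIR:-/tmp}/okc-backup.XXXXXX")
    # Expand $plain now: the trap fires after this function has returned.
    trap "shred -u -- '$plain' 2>/dev/null || rm -f -- '$plain'" EXIT

    echo "Decrypting backup; the prompt expects the 36-digit backup code." >&2
    gpg --decrypt --pinentry-mode=loopback --yes -o "$plain" "$backup"

    echo "Importing; the prompt expects the key's own passphrase." >&2
    gpg --import "$plain"

    # Confirm a secret key really landed, not just the public half.
    gpg --list-secret-keys --with-colons | grep -q '^sec:'
}

# Usage: ./okc-import.sh ~/Downloads/backup_2021-09-16.sec.pgp
if [ "$#" -gt 0 ]; then
    okc_armor_headers "$1" >&2
    okc_import_backup "$1"
    echo "Secret key imported; plaintext copy shredded." >&2
fi
```

Run it with the backup path as the only argument; it prints the declared passphrase format and the advertised leading digits first, so you can check you are about to type the right code before the loopback prompt appears. If the final grep fails, only the public half was imported and the script exits non-zero, which is the condition the question describes.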