Importing an OpenPGP key (on NixOS)


I am trying to import a PGP key into NixOS (from OpenKeychain). This key is used to encrypt and decrypt a list of passwords (using pass).

Here are the steps to reproduce the problem (you can follow them as a guide):

  1. In OpenKeychain, back up the key, write down the 36-digit code and keep it;

  2. In NixOS (assuming the backed-up key is in your ~/Downloads folder), enter the following:

nix-shell -p gnupg --run 'gpg --decrypt --pinentry-mode=loopback ~/Downloads/backup_2021-09-16.sec.pgp | gpg --import' 

This should result in the key being imported, but I only get a public key. Here is the full output:

gpg: unknown armor header: Passphrase-Format: numeric9x4
gpg: unknown armor header: Passphrase-Begin: 40
gpg: AES256.CFB encrypted data
gpg: encrypted with 1 passphrase
gpg: key 0x10D48E16F953D026: public key "John Doe <[email protected]>" imported
gpg: key 0x10D48E16F953D026: "John Doe <[email protected]>" not changed
gpg: key 0x10D48E16F953D026/0x10D48E16F953D026: error sending to agent: Without pinentry
gpg: error building skey array: Sem pinentry
gpg: error reading '[stdin]': Without pinentry
gpg: import from '[stdin]' failed: Without pinentry
gpg: Total number processed: 1
gpg:               imported: 1
gpg:              unchanged: 1
gpg:       secret keys read: 1

As suggested, I tried adding the following entry to gpg-agent.conf:

pinentry-program /run/current-system/sw/bin/pinentry-curses

then reloaded gpg-agent with $ gpgconf --reload gpg-agent, and ran the import command again:

nix-shell -p gnupg --run 'gpg --decrypt --pinentry-mode=loopback ~/Downloads/backup_2021-09-16.sec.pgp | gpg --import'

which outputs the following:

gpg: unknown armor header: Passphrase-Format: numeric9x4
gpg: unknown armor header: Passphrase-Begin: 40
gpg: AES256.CFB encrypted data
gpg: encrypted with 1 passphrase
gpg: key 0x10D48E16F953D026: public key "John Doe <[email protected]>" imported
gpg: key 0x10D48E16F953D026: "John Doe <[email protected]>" not changed
gpg: key 0x10D48E16F953D026/0x10D48E16F953D026: error sending to agent: Inappropriate ioctl for device
gpg: error building skey array: Inappropriate ioctl for device
gpg: error reading '[stdin]': Inappropriate ioctl for device
gpg: import from '[stdin]' failed: Inappropriate ioctl for device
gpg: Total number processed: 1
gpg:               imported: 1
gpg:              unchanged: 1
gpg:       secret keys read: 1

Interestingly, regardless of whether the entry above is added to gpg-agent.conf, running the following decrypts the backup and prints both the public and the secret key to the terminal:

nix-shell -p gnupg --run 'gpg --decrypt --pinentry-mode=loopback < ~/Downloads/backup_2021-09-16.sec.pgp' 

Answer 1

I finally figured it out. You need to decrypt it to a text file first. When prompted, use the code that OpenKeychain gave you when you backed up the key:

nix-shell -p gnupg --run 'gpg -o ~/Downloads/backup_2021-09-16_decrypted.txt --decrypt --pinentry-mode=loopback < ~/Downloads/backup_2021-09-16.sec.pgp'

This saves your public and secret keys in plain text; you can confirm with cat ~/Downloads/backup_2021-09-16_decrypted.txt

You can now import the key with the following command (when prompted, enter the passphrase you already use for this key elsewhere, e.g. in your password-store app):

nix-shell -p gnupg --run 'gpg --import ~/Downloads/backup_2021-09-16_decrypted.txt'

It should output something like this:

gpg: key 0x10D48E16F953D026: "John Doe <[email protected]>" not changed
gpg: key 0x10D48E16F953D026: "John Doe <[email protected]>" not changed
gpg: key 0x10D48E16F953D026: secret key imported
gpg: Total number processed: 2
gpg:              unchanged: 2
gpg:       secret keys read: 1
gpg:   secret keys imported: 1

Note the secret keys imported line at the end. You can double-check with gpg --list-secret-keys. If all went well, it should list your key's sec, uid, subkey and fingerprint.

Before that, you may need to enable gpg-agent in your NixOS configuration, like so:

services.gpg-agent = {
  enable = true;
};

This creates a gpg-agent.conf file for you (if you already have one, you will be prompted to move it away, or to back it up automatically with "home-manager switch -b backup"), containing the following line:

pinentry-program /nix/store/bv018hrslwj37vpvgjrnqdpr0raj27ik-pinentry-1.1.0-gtk2/bin/pinentry
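The answer's two-step procedure, written up as an added example (this script is not part of the question or the answer) that keeps the decrypted secret key out of ~/Downloads: the plaintext goes into a 0700 temporary directory and is removed as soon as the import finishes, and the script checks for the sec line the answer tells you to look for. It assumes the backup is ASCII-armored with the headers seen in the question (Passphrase-Format: numeric9x4, Passphrase-Begin: NN), reads numeric9x4 as nine groups of four digits (the 36-digit code from the question) and Passphrase-Begin as the leading digits of that code; both readings are assumptions. The function and file names are the example's own. Run it inside nix-shell -p gnupg.

```shell
#!/bin/sh
# Added example, not code from the question or the answer above.
# Decrypt an OpenKeychain backup to a private temp file, import it, wipe the
# plaintext, and confirm a secret key landed in the keyring.
# Assumptions: ASCII-armored backup with Passphrase-Format: numeric9x4 (read as
# 9 groups of 4 digits) and Passphrase-Begin: NN (read as the code's first digits).
set -e

# Extract the Passphrase-Begin hint from the armor headers (empty if absent).
passphrase_begin_hint() {
    sed -n 's/^Passphrase-Begin: *\([0-9]*\).*/\1/p' "$1" | head -n 1
}

# Sanity-check a backup code before handing it to gpg: strip separators,
# require exactly 36 digits and, if a hint is given, a matching prefix.
# Prints the bare digits on success, returns 1 on failure.
check_backup_code() {
    digits=$(printf '%s' "$1" | tr -cd '0-9')
    [ "${#digits}" -eq 36 ] || return 1
    if [ -n "${2:-}" ]; then
        case "$digits" in
            "$2"*) ;;
            *) return 1 ;;
        esac
    fi
    printf '%s\n' "$digits"
}

# True if the keyring holds at least one secret key (the "sec" line from
# gpg --list-secret-keys that the answer says to check for).
secret_key_present() {
    gpg --list-secret-keys --with-colons 2>/dev/null | grep -q '^sec:'
}

# Decrypt the backup into a private temp dir, import it, remove the plaintext.
import_openkeychain_backup() {
    backup=$1
    hint=$(passphrase_begin_hint "$backup")
    printf 'Enter the backup code%s as shown by OpenKeychain: ' \
        "${hint:+ (starts with $hint)}"
    read -r code
    check_backup_code "$code" "$hint" >/dev/null ||
        { echo "backup code must be 36 digits${hint:+ starting with $hint}" >&2; return 1; }

    umask 077                      # temp dir and plaintext are owner-only
    tmpdir=$(mktemp -d)
    trap 'rm -rf "$tmpdir"' EXIT INT TERM
    plain=$tmpdir/backup_decrypted.asc

    # Step 1 (the answer's first command): decrypt to a file. The code is fed
    # on stdin via --passphrase-fd, which needs --batch and loopback pinentry.
    printf '%s\n' "$code" |
        gpg --batch --pinentry-mode=loopback --passphrase-fd 0 \
            --output "$plain" --decrypt "$backup"

    # Step 2 (the answer's second command): import. gpg asks for the key's own
    # passphrase through pinentry so the agent can take over the secret key.
    gpg --import "$plain"

    # Overwrite and remove the plaintext copy right away.
    if command -v shred >/dev/null 2>&1; then shred -u "$plain"; else rm -f "$plain"; fi

    secret_key_present || { echo "no secret key in keyring after import" >&2; return 1; }
    gpg --list-secret-keys --keyid-format long
}

# Usage: sh import-backup.sh ~/Downloads/backup_2021-09-16.sec.pgp
if [ $# -eq 1 ]; then
    import_openkeychain_backup "$1"
fi
```

The pre-check only catches typos (wrong length or wrong leading digits); it does not reveal whether the code is right, gpg does that in step 1 and the script stops there, with the temp directory cleaned up by the trap, if decryption fails.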
