主页 / computer / 问题 / 1676763
Accepted
nunop
Asked: 2021-09-18 06:01:56 +0800 CST

导入 OpenPGP 密钥(在 NixOS 上)

  • 772

我正在尝试将 PGP 密钥导入 NixOS(从Openkeychain导出)。此密钥用于加密和解密密码列表(使用pass)。

以下是重现问题的步骤(您可以按照本指南进行操作):

  1. 在 Openkeychain 中,对密钥进行备份,记下 36 位代码并保存;

  2. 在 NixOS 中(假设您的 ~/Downloads 文件夹中有备份密钥),键入以下内容:

nix-shell -p gnupg --run 'gpg --decrypt --pinentry-mode=loopback ~/Downloads/backup_2021-09-16.sec.pgp | gpg --import'

这应该会导致导入一个密钥,但我只得到一个公钥。这是完整的输出:

gpg: unknown armor header: Passphrase-Format: numeric9x4
gpg: unknown armor header: Passphrase-Begin: 40
gpg: AES256.CFB encrypted data
gpg: encrypted with 1 passphrase
gpg: key 0x10D48E16F953D026: public key "John Doe <[email protected]>" imported
gpg: key 0x10D48E16F953D026: "John Doe <[email protected]>" not changed
gpg: key 0x10D48E16F953D026/0x10D48E16F953D026: error sending to agent: Without pinentry
gpg: error building skey array: Sem pinentry
gpg: error reading '[stdin]': Without pinentry
gpg: import from '[stdin]' failed: Without pinentry
gpg: Total number processed: 1
gpg:               imported: 1
gpg:              unchanged: 1
gpg:       secret keys read: 1

我尝试按照此处gpg-agent.conf的建议将以下条目添加到:

pinentry-program /run/current-system/sw/bin/pinentry-curses

然后$ gpgconf --reload gpg-agent重新加载 gpg-agent,然后是 import 命令:

nix-shell -p gnupg --run 'gpg --decrypt --pinentry-mode=loopback ~/Downloads/backup_2021-09-16.sec.pgp | gpg --import'

会输出这个:

gpg: unknown armor header: Passphrase-Format: numeric9x4
gpg: unknown armor header: Passphrase-Begin: 40
gpg: AES256.CFB encrypted data
gpg: encrypted with 1 passphrase
gpg: key 0x10D48E16F953D026: public key "John Doe <[email protected]>" imported
gpg: key 0x10D48E16F953D026: "John Doe <[email protected]>" not changed
gpg: key 0x10D48E16F953D026/0x10D48E16F953D026: error sending to agent: Inappropriate ioctl for device
gpg: error building skey array: Inappropriate ioctl for device
gpg: error reading '[stdin]': Inappropriate ioctl for device
gpg: import from '[stdin]' failed: Inappropriate ioctl for device
gpg: Total number processed: 1
gpg:               imported: 1
gpg:              unchanged: 1
gpg:       secret keys read: 1

有趣的是,执行以下操作将解密并在终端上输出公钥和私钥,无论是否将上述条目添加到gpg-agent.conf文件中:

nix-shell -p gnupg --run 'gpg --decrypt --pinentry-mode=loopback < ~/Downloads/backup_2021-09-16.sec.pgp'
gnupg password-management

1 个回答

  1. Best Answer

    我最终想通了。您需要先将其解密为文本文件。出现提示时,请使用 OpenKeychain 在备份密钥时提供给您的代码:

    nix-shell -p gnupg --run 'gpg -o ~/Downloads/backup_2021-09-16_decrypted.txt --decrypt --pinentry-mode=loopback < ~/Downloads/backup_2021-09-16.sec.pgp'

    这将以纯文本格式保存您的公钥和私钥,您可以使用命令确认cat ~/Downloads/backup_2021-09-16_decrypted.txt

    您现在可以使用以下命令导入密钥(出现提示时,插入您已在其他地方使用的此密钥的密码,例如在 Password Store 应用程序中):

    nix-shell -p gnupg --run 'gpg --import ~/Downloads/backup_2021-09-16_decrypted.txt'

    应该输出以下内容:

    gpg: key 0x10D48E16F953D026: "John Doe <[email protected]>" not changed
gpg: key 0x10D48E16F953D026: "John Doe <[email protected]>" not changed
gpg: key 0x10D48E16F953D026: secret key imported
gpg: Total number processed: 2
gpg:              unchanged: 2
gpg:       secret keys read: 1
gpg:   secret keys imported: 1

    注意最后secret keys imported一行。您可以使用命令仔细检查gpg --list-secret-keys。如果一切顺利,它应该会列出您的密钥的 sec、uid、子密钥和指纹。

    在此之前,您可能需要在您的 nixos 配置中启用 gpg-agent,如下所示:

    services.gpg-agent = {
  enable = true;
};

    这将为您创建一个gpg-agent.conf文件(如果您已经有一个文件,系统将提示您将其移开或使用'home-manager switch -b backup'自动备份它),其中包含以下行:

    pinentry-program /nix/store/bv018hrslwj37vpvgjrnqdpr0raj27ik-pinentry-1.1.0-gtk2/bin/pinentry
    • 0

相关问题