AskOverflow.Dev


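Questions [gpg] (server)

Halacs
Asked: 2022-08-28 22:34:58 +0800 CST

Why does duplicity ask for a passphrase for decryption even though the .gpg files are encrypted with a GPG key?

  • 0

I created backups with duplicity using GPG encryption with the command below. When I want to restore files, duplicity asks for a passphrase for decryption. Any idea why? I use a YubiKey 5 to store my GPG private key, so it is not passphrase-protected; moreover, it asks for a passphrase for decryption rather than for the passphrase of the GPG private key.

Earlier I also used symmetric encryption instead of GPG (the PASSPHRASE environment variable), but in the meantime both the ~/.cache/duplicity directory on the client and the complete backup set on the remote side were deleted.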

:/tmp$ duplicity restore --file-to-restore "/home/gabor/test.jpg" sftp://backupmachine//mnt/duplicity/ /tmp/teszt/test.jpg
Local and Remote metadata are synchronized, no sync needed.
Last full backup date: Sat Aug 27 14:02:43 2022
GnuPG passphrase for decryption: 

This is how the backups are created:

TARGET='sftp://backupmachine//mnt/duplicity/'
SSH_KEY="${BASE_DIR}/cloud.pem"

GPG_ENCRYPT_OPTS=--encrypt-key=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
export DUP_OPT="--ssh-options -oIdentityFile=${SSH_KEY}"
duplicity $DUP_OPT $GPG_ENCRYPT_OPTS --full-if-older-than 3W --include-filelist "$(dirname $0)/gabor1-list.txt" --exclude '**' --exclude "$HOME/.cache/duplicity" / "${TARGET}"

This is how I tested the .gpg files; they are actually encrypted with a GPG key, not symmetrically with a passphrase:

:/tmp$ gpg -d duplicity-new-signatures.20220827T120243Z.to.20220828T010003Z.sigtar.gpg > x
gpg: encrypted with 4096-bit RSA key, ID xxxxxxxxxxxxxxxx, created 2022-05-27
      "me <[email protected]>"
:/tmp$ file x
x: POSIX tar archive
gpg
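  • 1 answer
  • 69 Views
Croolman
Asked: 2022-01-06 00:43:09 +0800 CST

Updating the PGP key in a self-hosted apt repository

  • 1

We are using Sonatype Nexus Repository Manager to host apt repositories. The GPG key of one of them recently expired and needs to be renewed. I thought it would be enough to generate a new key pair (as described in the official site documentation), paste the new private key and the new passphrase through the Nexus UI, then apt-key add the new public key on the client system, and everything would be fine. Instead, what happens is that apt update still reports NO_PUBKEY <old_id>. I don't know where apt is getting its information from now; it is missing the old key and has not "synced" the new one. /var/lib/apt/lists/ when calling apt update. What am I missing?

Edit: everything is run in a clean docker, where only the new key is added with apt-key add public.gpg.key and the new repository is added to /etc/apt/sources.list with echo "deb <repo_url> bionic main" >> /etc/apt/sources.list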

apt gpg nexus
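  • 1 answer
  • 716 Views
Jon Reeves
Asked: 2020-10-16 05:18:07 +0800 CST

How to get the expiration date of yum repo signing keys

  • 1

I recently had a package signing key expire, which prevented some automatic updates from installing, so I am now setting up monitoring to make sure we get alerted if this happens again.

On Debian systems I can use apt-key to show all repo keys and their expiration dates (if any), but I cannot find how to do the equivalent for yum on CentOS.

I can get some key information using: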

rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n'

But this doesn't show the expiration date - any idea how to extract this information?

centos yum gpg
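  • 1 answer
  • 701 Views
030
Asked: 2020-08-04 22:26:45 +0800 CST

How to generate a dummy GPG key for testing by running a script?

  • -1

I want to create a GPG key to test Nexus3 and N3DR. When I follow these instructions, a key is created and it also works in continuous integration (CI). The question is how to create such a key when running a script. The manuals I have read so far all require human intervention.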

gpg nexus n3dr
  • 1 answer
  • 192 Views
Shah-G
Asked: 2020-06-19 13:17:57 +0800 CST

Ubuntu adding repo app-key fails

  • 5

On Ubuntu 20.04 LTS, I am trying to install packages such as MongoDB and Sublime Text 3, but before adding them, their repo URLs have to be added. I am trying this command:
wget -qO - https://download.sublimetext.com/sublimehq-pub.gpg | sudo apt-key add -

and it fails with this message:

gpg: invalid key resource URL '/tmp/apt-key-gpghome.Mi0IvTayBR/home:hawkeye116477:waterfox.asc.gpg'
gpg: keyblock resource '(null)': General error
gpg: key 7721F63BD38B4796: 2 signatures not checked due to missing keys
gpg: key 5E62D791625A271E: 1 signature not checked due to a missing key
gpg: key 3B4FE6ACC0B21F32: 3 signatures not checked due to missing keys
gpg: key D94AA3F0EFE21092: 3 signatures not checked due to missing keys
gpg: key 871920D1991BC93C: 1 signature not checked due to a missing key
gpg: Total number processed: 12
gpg:       skipped new keys: 12

Any fix?

ubuntu gpg repository
  • 4 answers
  • 2611 Views
5nefarious
Asked: 2020-04-14 16:54:43 +0800 CST

Unable to SSH to a server using gpg-agent

  • 2

I am trying to connect to a virtual machine on Google Cloud. I created a public key for SSH and added that key to the cloud instance. I have set SSH_AUTH_SOCK to gpg-agent.

~/.gnupg/gpg-agent.conf

default-cache-ttl 600
max-cache-ttl 7200
enable-ssh-support
pinentry-program /usr/local/MacGPG2/libexec/pinentry-mac.app/Contents/MacOS/pinentry-mac

~/.zprofile

...

export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
gpgconf --launch gpg-agent

Everything seems to be working correctly:

% ssh-add -L
ssh-rsa AAAAB3NzaC1yc2EA... (none)

However, when I try to actually connect to the virtual machine...

debug1: Offering public key: (none) RSA SHA256:[REDACTED] agent
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug1: Trying private key: /Users/alice/.ssh/id_rsa
debug3: no such identity: /Users/alice/.ssh/id_rsa: No such file or directory
debug1: Trying private key: /Users/alice/.ssh/id_dsa
debug3: no such identity: /Users/alice/.ssh/id_dsa: No such file or directory
debug1: Trying private key: /Users/alice/.ssh/id_ecdsa
debug3: no such identity: /Users/alice/.ssh/id_ecdsa: No such file or directory
debug1: Trying private key: /Users/alice/.ssh/id_ed25519
debug3: no such identity: /Users/alice/.ssh/id_ed25519: No such file or directory
debug1: Trying private key: /Users/alice/.ssh/id_xmss
debug3: no such identity: /Users/alice/.ssh/id_xmss: No such file or directory
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
[email protected]: Permission denied (publickey).
%
mac-osx google-cloud-platform gpg google-compute-engine ssh-keys
  • 1 answer
  • 471 Views
lonix
Asked: 2020-04-04 00:02:56 +0800 CST

Trusting a gpg key via script

  • 3

When doing automated server deployment, I can upload and import gpg keys via script. But I can't trust the keys.

I tried

gpg --batch --yes --edit-key keyname trust 5

and

echo 5 | gpg --batch --yes --edit-key keyname trust -

In non-batch mode it always stops to ask for input. In batch mode it ignores the input.

What is the correct syntax?

linux bash automation gpg
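  • 2 answers
  • 1027 Views
0xnick1chandoke
Asked: 2019-04-05 14:27:02 +0800 CST

Where does duplicity store the key it creates?

  • 1

I started a backup via duplicity without giving it any options. I had not created any GPG keys myself, so when I ran duplicity it asked me for a passphrase, then created a key, and the backup (to BackBlaze B2) succeeded with encryption and compression.

That's fine, but I don't know where the key is stored. So if my drive dies, I won't be able to restore the backup. gpg -k gives no output. Where is the key hidden?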

gpg
  • 1 answer
  • 704 Views
fadedbee
Asked: 2019-03-28 06:33:20 +0800 CST

How do I successfully import public key 94532124541922FB into GPG?

  • 4

I think I need to have key 94532124541922FB in my keyring, because multistrap is reporting:

W: GPG error: http://packages.roundr.devuan.org/merged ascii InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 94532124541922FB
W: The repository 'http://auto.mirror.devuan.org/merged ascii InRelease' is not signed.

I tried to import the key using:

user@host:~/multistrap$ sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 94532124541922FB
Executing: /tmp/apt-key-gpghome.wsOOsj4iqi/gpg.1.sh --keyserver keyserver.ubuntu.com --recv-keys 94532124541922FB
key 94532124541922FB:
1 signature not checked due to a missing key
gpg: key 94532124541922FB: "Devuan Repository (Primary Devuan signing key) <[email protected]>" 1 new signature
gpg: Total number processed: 1
gpg:         new signatures: 1

I wasn't sure whether this had succeeded, so I tried:

user@host:~/multistrap$ gpg --list-keys
/home/user/.gnupg/pubring.kbx
--------------------------------
pub   rsa3072 2019-03-25 [SC] [expires: 2021-03-24]
      579B175CD95705FB9A6C3D271587404115319AFF
uid           [ultimate] User <[email protected]>
sub   rsa3072 2019-03-25 [E] [expires: 2021-03-24]

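Which makes me think it failed.

How do I get key 94532124541922FB?

Update: I found that apt-key has a different keyring from GPG, and that GPG has different keyrings depending on whether you use sudo.

The key is there, with apt-key: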

user@host:~/multistrap$ sudo apt-key adv --list-keys
Executing: /tmp/apt-key-gpghome.12skPKfRJz/gpg.1.sh --list-keys
/tmp/apt-key-gpghome.12skPKfRJz/pubring.gpg
-------------------------------------------
...
pub   rsa2048 2014-12-02 [SC]
      72E3CB773315DFA2E464743D94532124541922FB
uid           [ unknown] Devuan Repository (Primary Devuan signing key) <[email protected]>
sub   rsa2048 2014-12-02 [E]
sub   rsa4096 2016-04-26 [S]

pub   rsa4096 2016-10-06 [SC]
      CF1921B2D91C6435848E810099C46A90B1FB3B59
uid           [ unknown] Devuan ISO Toaster (Devuan GNU+Linux) <[email protected]>
sub   rsa4096 2016-10-06 [E]

pub   rsa4096 2017-09-04 [SC] [expires: 2022-09-03]
      E032601B7CA10BC3EA53FA81BB23C00C61FC752C
uid           [ unknown] Devuan Repository (Amprolla3 on Nemesis) <[email protected]>
sub   rsa4096 2017-09-04 [E] [expires: 2022-09-03]

But multistrap still complains:

user@host:~/multistrap$ sudo multistrap -a armhf -d /multistrap-devuan-ascii -f simple-config
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
    LANGUAGE = (unset),
    LC_ALL = (unset),
    LANG = "en_GB.UTF-8"
    are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").
multistrap 2.2.9 using simple-config
multistrap 2.2.9 using simple-config
Defaulting architecture to native: armhf
multistrap building armhf multistrap on 'armhf'
I: Downloading debian-archive-keyring 
Get:1 http://packages.roundr.devuan.org/merged ascii/main armhf debian-archive-keyring all 2017.5 [56.4 kB]
Fetched 56.4 kB in 0s (67.5 kB/s)           
Getting package lists: APT_CONFIG=/tmp/multistrap.QTx1QB apt-get  -o Apt::Architecture=armhf -o Dir::Etc::TrustedParts=/multistrap-devuan-ascii/etc/apt/trusted.gpg.d -o Dir::Etc::Trusted=/multistrap-devuan-ascii/etc/apt/trusted.gpg -o Apt::Get::Download-Only=true -o Apt::Install-Recommends=false -o Dir=/multistrap-devuan-ascii/ -o Dir::Etc=/multistrap-devuan-ascii/etc/apt/ -o Dir::Etc::Parts=/multistrap-devuan-ascii/etc/apt/apt.conf.d/ -o Dir::Etc::PreferencesParts=/multistrap-devuan-ascii/etc/apt/preferences.d/ -o APT::Default-Release='*' -o Dir::State=/multistrap-devuan-ascii/var/lib/apt/ -o Dir::State::Status=/multistrap-devuan-ascii/var/lib/dpkg/status -o Dir::Cache=/multistrap-devuan-ascii/var/cache/apt/ update
Get:1 http://packages.roundr.devuan.org/merged ascii InRelease [21.9 kB]
Ign:1 http://packages.roundr.devuan.org/merged ascii InRelease
Fetched 21.9 kB in 0s (34.5 kB/s)
Reading package lists... Done
W: GPG error: http://packages.roundr.devuan.org/merged ascii InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 94532124541922FB
W: The repository 'http://auto.mirror.devuan.org/merged ascii InRelease' is not signed.
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
N: See apt-secure(8) manpage for repository creation and user configuration details.
gpg
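  • 1 answer
  • 1285 Views
user8897013
Asked: 2018-02-08 18:49:15 +0800 CST

How do I verify a file using an asc signature file?

  • 33

For example, this project provides a *.asc file with a PGP signature to verify the downloaded content (as opposed to checksums, where you can see the empty column): https://ossec.github.io/downloads.html

How would I use this file? I tried gpg --verify and other variations, but it seems to match the name to a file, yet the downloaded file name is not quite the same... not sure how it is supposed to work.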

gpg
  • 2 answers
  • 47330 Views
