How to verify a public key's extensions before importing it to GnuPG?
How do I verify a user's extended public key file's integrity (when downloading through a connection that lacks confidentiality and authentication) when I have their previous (now expired) public key in my keyring? Is their expired key sufficient information to verify the extended key? Consider the below scenario:
Is the new public key file signed with his old key in a verifiable way? How would I verify the integrity of the new key file utilizing his existing (expired) key in my keyring?
For a general scenario with a new key pair: if either the key itself is signed by his old key (this is the usual way to do such key changes) and/or the key file you downloaded is signed by his old key, you can verify and validate the signature anyway: all that happens is that GnuPG indicates the key has already expired.
But you wrote:
"Bob's key expired yesterday, so he extended his keypair and uploaded a new ascii-armoured public key to his website"
Extending the key's validity does not produce a different key. The key is identified by the tuple of public key and creation timestamp, which is hashed into the fingerprint of the key. Short and long key IDs are derived from that. If all he did is indeed extend the validity of the key, simply import the key. The signature and trust you issued on that key are still valid.
If you wish, you can compare at least the long key ID before importing; run
gpg --keyid-format 0xlong [key-file]
and compare with the key already in your key chain.
Anyway: don't simply trust keys in your key chain, but use signatures and trust instead. Lots of mail clients automatically fetch keys to verify signatures; you might have fetched some (unvalidated) keys for reading signatures issued on other keys, ...
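As an added example (not part of the original answer), a POSIX shell script that applies the check described above: it parses the downloaded key file without importing it, compares its primary fingerprint against the expired key already in the keyring, and shows the new expiry. It assumes GnuPG 2.2+ (for --show-keys); KEYFILE and the keyring selector are placeholders, and the --with-colons sample is constructed so the parsing functions can be exercised offline.

```shell
#!/bin/sh
# Added example, not from the original answer: before importing a re-extended
# public key file, confirm its fingerprint matches the expired key already in
# the keyring, and show the new expiry. Assumes GnuPG 2.2+ (--show-keys).

# Constructed sample of `gpg --with-colons` output, used for offline testing.
# In the fpr record the fingerprint is field 10; in the pub record field 7 is
# the expiration time (seconds since the epoch) and field 2 is the validity.
SAMPLE_COLONS='pub:e:4096:1:0123456789ABCDEF:1500000000:1600000000::u:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:e::::1500000000::0000000000000000000000000000000000000000::Bob Example <bob@example.com>::::::::::0:
sub:e:4096:1:FEDCBA9876543210:1500000000:1600000000:::::e::::::23:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:'

# Primary-key fingerprint: the first fpr record follows the pub record.
fpr_from_colons() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}
# Expiration timestamp of the primary key (empty if the key never expires).
expiry_from_colons() {
    awk -F: '$1 == "pub" { print $7; exit }'
}
# Parse the downloaded file without importing it.
file_colons() {
    gpg --with-colons --show-keys "$1" 2>/dev/null
}
# Look up the key already in the keyring by key ID, fingerprint or user ID.
keyring_colons() {
    gpg --with-colons --list-keys "$1" 2>/dev/null
}
# Returns 0 when both fingerprints are non-empty and identical, 1 otherwise.
fingerprints_match() {
    [ -n "$1" ] && [ -n "$2" ] && [ "$1" = "$2" ]
}

# Usage: verify_key_file KEYFILE KEYRING_SELECTOR (both are placeholders).
verify_key_file() {
    new_fpr=$(file_colons "$1" | fpr_from_colons)
    old_fpr=$(keyring_colons "$2" | fpr_from_colons)
    if fingerprints_match "$new_fpr" "$old_fpr"; then
        echo "fingerprint unchanged: $new_fpr"
        echo "new expiry (epoch seconds): $(file_colons "$1" | expiry_from_colons)"
    else
        echo "fingerprint mismatch or key not found; do not import $1" >&2
        return 1
    fi
}

if [ "$#" -eq 2 ]; then verify_key_file "$1" "$2"; fi
```

When the fingerprints agree, `gpg --import KEYFILE` simply refreshes the existing key's expiry and keeps your earlier certification and trust intact.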