How to verify a public key's extensions before importing it to GnuPG?

How do I verify a user's extended public key file's integrity (when downloading through a connection that lacks confidentiality and authentication) when I have their previous (now expired) public key in my keyring? Is their expired key sufficient information to verify the extended key? Consider the below scenario:

  1. I have Bob's trusted public key in my keyring.
  2. Bob's key expired yesterday, so he extended his keypair and uploaded a new ascii-armoured public key to his website.
  3. I downloaded Bob's new public key file over http, and I want to verify it.

Is the new public key file signed with his old key in a verifiable way? How would I verify the integrity of the new key file utilizing his existing (expired) key in my keyring?

For a general scenario with a new key pair: If either the key itself is signed by his old key (this is the usual way to do such key changes) and/or the key file you downloaded is signed by his old key, you can verify and validate the signature anyway: all that happens is GnuPG indicating that the key already expired.

But you wrote

Bob's key expired yesterday, so he extended his keypair and uploaded a new ascii-armoured public key to his website

Extending the key's validity does not produce a different key. The key is identified by the tuple of public key and creation timestamp, which is hashed together to the fingerprint of the key. Short and long key IDs are derived from that. If all he did is indeed extend the validity of the key, simply import the key. The signature and trust you issued on that key are still valid.

If you wish, you can compare at least the long key ID before importing, run

gpg --keyid-format 0xlong [key-file]

and compare with the key already in your key chain.


Anyway: don't simply trust keys in your key chain, but use signatures and trust instead. Lots of mail clients automatically fetch keys to verify signatures; you might have fetched some (unvalidated) keys for reading signatures issued on other keys, ...
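The comparison described in the answer above, carried through on the full fingerprint instead of the long key ID, as an added example that is not part of the original answer. It assumes GnuPG 2.2 or later (for `--show-keys`); the function names and the sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original answer. Assumes GnuPG 2.2+ (--show-keys).

# Print the fingerprint of every primary key in `gpg --with-colons` output
# read from stdin: the first "fpr" record after each "pub" record, field 10.
primary_fprs() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "fpr" && want { print $10; want = 0 }'
}

# same_primary_key NEW_LISTING OLD_LISTING
# True only if NEW_LISTING holds exactly one primary key and its full
# fingerprint equals the one in OLD_LISTING.
same_primary_key() {
    new=$(printf '%s\n' "$1" | primary_fprs)
    old=$(printf '%s\n' "$2" | primary_fprs)
    [ "$(printf '%s\n' "$new" | grep -c .)" -eq 1 ] && [ "$new" = "$old" ]
}

# check_key_file KEYFILE KEYID (both arguments are the caller's own values)
# Compares the downloaded file with the keyring entry; imports nothing.
check_key_file() {
    file_listing=$(gpg --batch --with-colons --show-keys "$1") || return 2
    ring_listing=$(gpg --batch --with-colons --fingerprint "$2") || return 2
    if same_primary_key "$file_listing" "$ring_listing"; then
        echo "Same primary key: the file only updates the key already held."
    else
        echo "Different or multiple primary keys in $1: not an extension." >&2
        return 1
    fi
}

# Constructed sample listings (not real keys): same key, expired vs. extended.
SAMPLE_RING='pub:e:4096:1:89ABCDEF01234567:1500000000:1600000000::u:::sc:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:'
SAMPLE_FILE='pub:-:4096:1:89ABCDEF01234567:1500000000:1700000000::-:::sc:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:'

if [ "$#" -eq 2 ]; then check_key_file "$1" "$2"; fi
```

A match shows only that the file carries the same primary key as the keyring entry; the self-signature that sets the new expiry time is checked by GnuPG itself when the key is imported.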
