System environment
The operating system used here is Ubuntu 18.04.
GPG has a different installation procedure on each OS.
Generating a GPG key
- Install GPG in the way appropriate for your OS. If `gpg2` is already installed on the system, the `gpg2` command can be used in place of `gpg`. On Ubuntu, `gpg` ships with the system; `gpg2` can also be installed.
- Use the following command to create a public/private key pair:

```
$ gpg2 --full-gen-key
```

On macOS and similar systems the command may be `gpg2 --gen-key`.
- The first prompt asks for the key type; select one and press Enter.

```
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1
```

- Next, choose the key length. Enter `4096`, then press Enter.

```
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 4096
Requested keysize is 4096 bits
```

- Then set how long the key stays valid; choose `0` for a key that never expires.

```
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
```

- Finally, confirm that the previous choices are correct. Enter `y` to confirm.

```
Is this correct? (y/N) y
```

- Next, enter the user and e-mail details.

```
GnuPG needs to construct a user ID to identify your key.

Real name: nn
Email address: nn@aliyun.com
Comment:
You selected this USER-ID:
    "nn <nn@aliyun.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
```

Enter `o` and press Enter. Type the key's passphrase in the dialog that pops up; after confirming it, the generated key information is displayed.

```
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key 79B54CD55FCCE768 marked as ultimately trusted
gpg: revocation certificate stored as '/home/nn/.gnupg/openpgp-revocs.d/FF397A0475296E3914987EE879B54CD55FCCE768.rev'
public and secret key created and signed.

pub   rsa4096 2020-08-27 [SC]
      FF397A0475296E3914987EE879B54CD55FCCE768
uid                      nn <nn@aliyun.com>
sub   rsa4096 2020-08-27 [E]
```

- Use the following command to view the GPG secret key; replace `<your_email>` with `nn@aliyun.com`.

```
$ gpg2 --list-secret-keys --keyid-format LONG <your_email>
```

```
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   2  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 2u
sec   rsa4096/79B54CD55FCCE768 2020-08-27 [SC]
      FF397A0475296E3914987EE879B54CD55FCCE768
uid                 [ultimate] nn <nn@aliyun.com>
ssb   rsa4096/D75D370A832C22A1 2020-08-27 [E]
```

On the line beginning with `sec`, the part after `/` is the secret key ID (the keyId); here it is `79B54CD55FCCE768`.

- Use the keyId from the previous step to show the public key.

```
gpg2 --armor --export 79B54CD55FCCE768
```

This prints the public key in ASCII-armored form.
The GPG key is now generated.
Common commands
- List GPG keys.

```
$ gpg2 --list-secret-keys --keyid-format short
```

The trailing `short` can also be replaced with `long`.

```
/home/nicholas/.gnupg/pubring.kbx
---------------------------------
sec   rsa4096/3CF8D791AB81AE55 2020-08-26 [SC]
      A598B8F2448C8B19C2ECF7803CF8D791AB81AE55
uid                 [ultimate] nn <nn@126.com>
ssb   rsa4096/A0B38A3FA93702EB 2020-08-26 [E]
sec   rsa4096/79B54CD55FCCE768 2020-08-27 [SC]
      FF397A0475296E3914987EE879B54CD55FCCE768
uid                 [ultimate] nn <nn@aliyun.com>
ssb   rsa4096/D75D370A832C22A1 2020-08-27 [E]
```

This shows the keys in `short` format.

- Export the secret key to a `.gpg` file.

```
$ gpg2 --export-secret-key <KEY_ID> > ~/.gnupg/secring.gpg
```

- Delete a GPG key. Here `<KEY_ID>` is the keyId value from the listing, `79B54CD55FCCE768`.

```
$ gpg2 --delete-secret-key <KEY_ID>
```

```
$ gpg2 --delete-secret-key 79B54CD55FCCE768
gpg (GnuPG) 2.2.4; Copyright (C) 2017 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

sec  rsa4096/79B54CD55FCCE768 2020-08-27 nn <nn@aliyun.com>

Delete this key from the keyring? (y/N) y
This is a secret key! - really delete? (y/N) y
```
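Both listings above locate the keyId by hand: find the `sec` line and take the part after `/`. As an added example (not code from the original post), the Python below parses the `--list-secret-keys --keyid-format LONG` output into one record per primary key, picks the signing key for a given e-mail the same way, and cross-checks that the long key ID is the last 16 hex digits of the fingerprint. The sample listing is the page's own output reflowed onto separate lines as gpg prints it; the function names are my own.

```python
import re

# Constructed sample: the `gpg2 --list-secret-keys --keyid-format LONG`
# listing from this page, reflowed onto separate lines as gpg prints it.
SAMPLE_LISTING = """\
/home/nicholas/.gnupg/pubring.kbx
---------------------------------
sec   rsa4096/3CF8D791AB81AE55 2020-08-26 [SC]
      A598B8F2448C8B19C2ECF7803CF8D791AB81AE55
uid                 [ultimate] nn <nn@126.com>
ssb   rsa4096/A0B38A3FA93702EB 2020-08-26 [E]
sec   rsa4096/79B54CD55FCCE768 2020-08-27 [SC]
      FF397A0475296E3914987EE879B54CD55FCCE768
uid                 [ultimate] nn <nn@aliyun.com>
ssb   rsa4096/D75D370A832C22A1 2020-08-27 [E]
"""

# sec/ssb lines: "<type>  <algo>/<keyid> <date> [<caps>]"; fingerprint: 40 hex digits
KEY_RE = re.compile(r"^(sec|ssb)\s+(\w+)/([0-9A-F]{8,16})\s+(\S+)\s+\[([A-Z]+)\]")
UID_RE = re.compile(r"^uid\s+\[(\w+)\]\s+(.+?)\s*$")
FPR_RE = re.compile(r"^\s+([0-9A-F]{40})\s*$")


def parse_secret_keys(listing):
    """Group sec / fingerprint / uid / ssb lines into one dict per primary key."""
    keys = []
    for line in listing.splitlines():
        if (m := KEY_RE.match(line)) and m[1] == "sec":
            keys.append({"algo": m[2], "keyid": m[3], "created": m[4], "caps": m[5],
                         "fingerprint": "", "uids": [], "subkeys": []})
        elif not keys:
            continue                        # header lines before the first key
        elif m:                             # an ssb line belongs to the last sec
            keys[-1]["subkeys"].append((m[2], m[3], m[5]))
        elif (m := FPR_RE.match(line)) and not keys[-1]["fingerprint"]:
            keys[-1]["fingerprint"] = m[1]  # primary-key fingerprint follows sec
        elif m := UID_RE.match(line):
            keys[-1]["uids"].append(m[2])
    return keys


def signing_key_id(listing, email):
    """Return the long key ID to put in user.signingkey for this e-mail."""
    for key in parse_secret_keys(listing):
        if "S" in key["caps"] and any(f"<{email}>" in u for u in key["uids"]):
            # A long key ID is the low 64 bits of the v4 fingerprint, so a
            # 16-digit ID that is not the fingerprint's tail means corrupt input.
            if len(key["keyid"]) == 16 and not key["fingerprint"].endswith(key["keyid"]):
                raise ValueError(f"key ID {key['keyid']} does not match fingerprint")
            return key["keyid"]
    return None
```

Feed it the real output with `subprocess.run(["gpg2", "--list-secret-keys", "--keyid-format", "LONG"], capture_output=True, text=True).stdout` to get the value for `git config --global user.signingkey`.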
Signing commits with GPG
After generating the GPG key, if you use GitLab, add the generated public key under GPG Keys in User Settings.
- Configure the key in Git, where `79B54CD55FCCE768` is the KEY_ID.

```
$ git config --global user.signingkey 79B54CD55FCCE768
```

- (Optional) If an error message such as `gpg: signing failed` appears during the GPG signing step, switch to `gpg2`.

```
$ git config --global gpg.program gpg2
```

- Sign a commit. To sign a particular commit, add the `-S` flag to the commit command.

```
$ git commit -S -m "My commit msg"
```

If you don't want to add `-S` on every commit, enable signing globally.

```
$ git config --global commit.gpgsign true
```