
A Brief Beginner's Guide to GPG

What is GPG?

  1. GPG is a tool for encryption, decryption, signing and verification.
    • Encryption: encrypt information, using either symmetric or asymmetric encryption
    • Decryption: decrypt encrypted information
    • Signing: sign outgoing information so that others can verify it really came from you and has not been tampered with
    • Verification: verify the signature on information you receive
  2. GPG is also a key management tool
    • It manages your own private keys and other people's public keys, and provides a trust system (web of trust) for public keys.

Installation

Download and install GPG: visit the GPG website and download the installer for your operating system.
After installation, open a CMD window and run `gpg --version` to check that the installation succeeded.
Output like the following indicates success:

```
C:\Users\name>gpg --version
gpg (GnuPG) 2.4.0
libgcrypt 1.10.1
Copyright (C) 2021 g10 Code GmbH
License GNU GPL-3.0-or-later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: C:\Users\name\AppData\Roaming\gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
```

Getting started

Run `gpg --help` to list all commands:

```
Commands:

-s, --sign make a signature
--clear-sign make a clear text signature
-b, --detach-sign make a detached signature
-e, --encrypt encrypt data
-c, --symmetric encryption only with symmetric cipher
-d, --decrypt decrypt data (default)
--verify verify a signature
-k, --list-keys list keys
--list-signatures list keys and signatures
--check-signatures list and check key signatures
--fingerprint list keys and fingerprints
-K, --list-secret-keys list secret keys
--generate-key generate a new key pair
--quick-generate-key quickly generate a new key pair
--quick-add-uid quickly add a new user-id
--quick-revoke-uid quickly revoke a user-id
--quick-set-expire quickly set a new expiration date
--full-generate-key full featured key pair generation
--generate-revocation generate a revocation certificate
--delete-keys remove keys from the public keyring
--delete-secret-keys remove keys from the secret keyring
--quick-sign-key quickly sign a key
--quick-lsign-key quickly sign a key locally
--quick-revoke-sig quickly revoke a key signature
--sign-key sign a key
--lsign-key sign a key locally
--edit-key sign or edit a key
--change-passphrase change a passphrase
--export export keys
--send-keys export keys to a keyserver
--receive-keys import keys from a keyserver
--search-keys search for keys on a keyserver
--refresh-keys update all keys from a keyserver
--import import/merge keys
--card-status print the card status
--edit-card change data on a card
--change-pin change a card's PIN
--update-trustdb update the trust database
--print-md print message digests
--server run in server mode
--tofu-policy VALUE set the TOFU policy for a key

Options controlling the diagnostic output:
-v, --verbose verbose
-q, --quiet be somewhat more quiet
--options FILE read options from FILE
--log-file FILE write server mode logs to FILE

Options controlling the configuration:
--default-key NAME use NAME as default secret key
--encrypt-to NAME encrypt to user ID NAME as well
--group SPEC set up email aliases
--openpgp use strict OpenPGP behavior
-n, --dry-run do not make any changes
-i, --interactive prompt before overwriting

Options controlling the output:
-a, --armor create ascii armored output
-o, --output FILE write output to FILE
--textmode use canonical text mode
-z N set compress level to N (0 disables)

Options controlling key import and export:
--auto-key-locate MECHANISMS use MECHANISMS to locate keys by mail address
--auto-key-import import missing key from a signature
--include-key-block include the public key in signatures
--disable-dirmngr disable all access to the dirmngr

Options to specify keys:
-r, --recipient USER-ID encrypt for USER-ID
-u, --local-user USER-ID use USER-ID to sign or decrypt

(See the man page for a complete listing of all commands and options)

Examples:

-se -r Bob [file] sign and encrypt for user Bob
--clear-sign [file] make a clear text signature
--detach-sign [file] make a detached signature
--list-keys [names] show keys
--fingerprint [names] show fingerprints

Please report bugs to <https://bugs.gnupg.org>.
```

Generating a key

Run `gpg --gen-key` to generate a key pair.
After you enter your name, e-mail address and so on at the prompts, the key's details are printed:

```
Note: Use "gpg --full-generate-key" for a full featured key generation dialog.

GnuPG needs to construct a user ID to identify your key.

Real name: xxxx
Email address: xxxx
You selected this USER-ID:
"xxxx <xxxx@qq.com>"

Change (N)ame, (E)mail, or (O)kay/(Q)uit? o
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: directory 'C:\Users\name\AppData\Roaming\gnupg\openpgp-revocs.d' created
gpg: revocation certificate stored as 'C:\Users\name\AppData\Roaming\gnupg\openpgp-revocs.d\064E4BB07566BA558B6B006A4BF6180BAB71781D.rev'
public and secret key created and signed.

pub ed25519 2023-02-23 [SC] [expires: 2025-02-22]
064E4BB07566BA558B6B006A4BF6180BAB71781D
uid xxxx <xxxx@qq.com>
sub cv25519 2023-02-23 [E] [expires: 2025-02-22]
```

The string 064E4BB07566BA558B6B006A4BF6180BAB71781D is the key's fingerprint, a hash that identifies this key; it can be used anywhere a "user ID" is expected.

Listing keys

Run `gpg --list-keys`.
To remove a key from the key list, use the --delete-key option:

```
gpg --delete-key [user ID]
```

Encryption and decryption

These operations are performed on files.

Encrypt:
```
gpg --recipient [user ID] --output [encrypted output path] --encrypt [input file path]
```

Decrypt:
```
gpg [encrypted file path]
```

Signing

Sometimes we do not need to encrypt a file, only to sign it, to show that the file really was sent by us. The --sign option does this:

```
gpg --sign test.txt
```

This produces a file test.txt.gpg. Opening it shows that it too is binary data, but it is not encrypted data and differs from the binary output above. To produce an ASCII signature file, use the --clearsign option:

```
gpg --clearsign test.txt
```

To produce a separate signature file, stored apart from the file contents, use the --detach-sign option:

```
gpg --detach-sign test.txt
```

This is binary data as well; to get ASCII output, add the --armor option:

```
gpg --armor --detach-sign test.txt
```

Verifying signatures

When we receive a file signed by someone else, we verify the signature with their public key. The --verify option does this:

```
gpg --verify test.txt.asc test.txt
```
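The encrypt/decrypt and sign/verify steps above, run end to end in a throwaway keyring, as an added example that is not part of the original post. It assumes `gpg` 2.x and `cmp` are on the PATH; the identity "Demo User <demo@example.invalid>" is constructed for the test, and the final step shows what a verifier sees when the signed file has been altered.

```sh
#!/bin/sh
# Added example (not from the original post): round-trip a file through GPG
# encrypt/decrypt and detached-sign/verify inside an isolated GNUPGHOME, then
# confirm that a modified file no longer verifies against its signature.
# "Demo User <demo@example.invalid>" is a constructed identity for this test.
set -eu

# g: gpg with the flags needed to run unattended (no pinentry dialog). An empty
# passphrase is acceptable here only because the key lives in a temp directory.
g() { gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@"; }

gpg_roundtrip() {
    if ! command -v gpg >/dev/null 2>&1; then
        echo "skipped: gpg not installed"; return 0
    fi
    work=$(mktemp -d)
    export GNUPGHOME="$work/gnupg"        # isolated keyring; ~/.gnupg is untouched
    mkdir -m 700 "$GNUPGHOME"
    g --quick-generate-key 'Demo User <demo@example.invalid>' default default never \
        || { echo "key generation failed"; return 1; }

    printf 'invoice total: 100\n' > "$work/msg.txt"

    # Encrypt to the recipient's public key, decrypt with the matching private key.
    g --recipient demo@example.invalid --output "$work/msg.txt.gpg" --encrypt "$work/msg.txt"
    g --output "$work/plain.txt" --decrypt "$work/msg.txt.gpg"
    cmp -s "$work/msg.txt" "$work/plain.txt" || { echo "decrypted text differs"; return 1; }

    # Detached, ASCII-armored signature (msg.txt.asc), then verification.
    g --armor --output "$work/msg.txt.asc" --detach-sign "$work/msg.txt"
    g --verify "$work/msg.txt.asc" "$work/msg.txt" 2>/dev/null \
        || { echo "valid signature rejected"; return 1; }

    # Simulate tampering in transit: change one digit, verify again; gpg must refuse.
    printf 'invoice total: 900\n' > "$work/msg.txt"
    if g --verify "$work/msg.txt.asc" "$work/msg.txt" 2>/dev/null; then
        echo "tampered file accepted"; return 1
    fi

    gpgconf --kill gpg-agent 2>/dev/null || true   # stop the agent started for this keyring
    rm -rf "$work"
    echo ok
}

gpg_roundtrip
```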

This site was built by @Eureka using the Stellar theme.
Unless otherwise stated, all articles on this blog are licensed under CC BY-NC-SA 4.0; please credit the source when republishing.