Import and sign a public key

Now I have a private/public key pair, but what to do with it? Of course we want to use it for encrypting and signing files; we will get to that in a minute (next article). Because, as written in the first article, Bob needs Alice’s public key to encrypt a message to her, and he also needs her public key to verify whether a signature is valid. So it’s not enough to only create the keypair: you also have to distribute your public key to the persons you want to have this encrypted/signed communication with. Therefore, first let’s discuss that:

What we now should do:

  1. Alice must be sure that Bob is who he says he is (ID/Passport/Blue Eyes)
    1. And if Alice is sure, get from Bob the fingerprint of the public key of Bob
  2. Somehow get the public key of Bob to Alice
    1. Export the public key of Bob
    2. Get the key to Alice
  3. Import the key into the gpg-keyring of Alice
  4. Check the fingerprint of the imported public key of Bob against the fingerprint from step 1.1
  5. If the fingerprints match (step 4), trust the public key in the gpg public keyring

Step 1:

In this example I just created two users on my system, they don’t really exist 🙂 So, I hereby certify that Alice actually is Alice and Bob is actually Bob.

The public keyring of Alice now looks like:

[alice@radijs ~]$ gpg --list-keys 
/home/alice/.gnupg/pubring.kbx
------------------------------
pub   rsa2048 2020-11-12 [SC] [expires: 2022-11-12]
      9B40B1BC71AD2D212D316CEEDA65161857B73DD7
uid           [ultimate] Alice <alice@maboc.nl>
sub   rsa2048 2020-11-12 [E] [expires: 2022-11-12]

[alice@radijs ~]$

There’s only one public key (her own).

Step 1.1:

Bob now has to supply the fingerprint for his public key:

[bob@radijs ~]$ gpg --fingerprint bob@maboc.nl
pub   rsa2048 2020-11-12 [SC] [expires: 2022-11-12]
      C819 0B35 074D 7BBF E07F  4DF0 119E 1700 215E 42E6
uid           [ultimate] BobBob <bob@maboc.nl>
sub   rsa2048 2020-11-12 [E] [expires: 2022-11-12]

And there you have it.

Step 2:

The public key must be transported to Alice. But first we must export it to a file, in order to be able to transport it 🙂

[bob@radijs ~]$ gpg --export --armor bob@maboc.nl
-----BEGIN PGP PUBLIC KEY BLOCK-----
...
-----END PGP PUBLIC KEY BLOCK-----
[bob@radijs ~]$ 
[bob@radijs ~]$ 
[bob@radijs ~]$ 
[bob@radijs ~]$ gpg --export --armor bob@maboc.nl > bobs.pub
[bob@radijs ~]$ ls -l bobs.pub 
-rw-rw-r--. 1 bob bob 2164 19 nov 13:09 bobs.pub
[bob@radijs ~]$

As you can see, the gpg export command writes the key to standard output. In the second instance I redirected the output to a file.
Maybe you wonder why I use the option --armor? It works just as well without it, but the output is then binary and I could not easily show it here. The --armor option tells gpg to export the key in an ASCII-readable format.

Step 2.2:

Get the key to Alice in any way you see fit. Since I’m just demoing here, I passed it via /tmp: Bob puts his public key in /tmp and Alice picks it up (don’t forget to loosen the permissions on the key, otherwise Alice cannot pick it up from /tmp).

Step 3:

Alice picks up the public key (from /tmp) and imports it into her public keyring:

[alice@radijs ~]$ gpg --list-keys
/home/alice/.gnupg/pubring.kbx
------------------------------
pub   rsa2048 2020-11-12 [SC] [expires: 2022-11-12]
      9B40B1BC71AD2D212D316CEEDA65161857B73DD7
uid           [ultimate] Alice <alice@maboc.nl>
sub   rsa2048 2020-11-12 [E] [expires: 2022-11-12]

[alice@radijs ~]$ 
[alice@radijs ~]$ cp /tmp/bob.pub ./
[alice@radijs ~]$
[alice@radijs ~]$ ls -l bob.pub 
-rwxrwxr-x. 1 alice alice 1745 19 nov 13:20 bob.pub
[alice@radijs ~]$ 
[alice@radijs ~]$ gpg --import bob.pub 
gpg: key 119E1700215E42E6: public key "BobBob <bob@maboc.nl>" imported
gpg: Total number processed: 1
gpg:               imported: 1
[alice@radijs ~]$  
[alice@radijs ~]$ gpg --list-keys
/home/alice/.gnupg/pubring.kbx
------------------------------
pub   rsa2048 2020-11-12 [SC] [expires: 2022-11-12]
      9B40B1BC71AD2D212D316CEEDA65161857B73DD7
uid           [ultimate] Alice <alice@maboc.nl>
sub   rsa2048 2020-11-12 [E] [expires: 2022-11-12]

pub   rsa2048 2020-11-12 [SC] [expires: 2022-11-12]
      C8190B35074D7BBFE07F4DF0119E1700215E42E6
uid           [ unknown] BobBob <bob@maboc.nl>
sub   rsa2048 2020-11-12 [E] [expires: 2022-11-12]

[alice@radijs ~]$

What did I do? 1) list the public keys Alice has in her keyring at the moment, 2) copy the key to her home directory, 3) list it (just to see whether it’s there), 4) import the key, and finally 5) list the public keys in Alice’s keyring.

As you might see, Alice now has two public keys in her keyring. The first is her own, which she trusts ultimately, and then there is the public key of Bob, of which the trust is unknown.

Step 4:

Let’s check the fingerprint on the freshly imported public key.

[alice@radijs ~]$ gpg --fingerprint bob@maboc.nl
pub   rsa2048 2020-11-12 [SC] [expires: 2022-11-12]
      C819 0B35 074D 7BBF E07F  4DF0 119E 1700 215E 42E6
uid           [ unknown] BobBob <bob@maboc.nl>
sub   rsa2048 2020-11-12 [E] [expires: 2022-11-12]

[alice@radijs ~]$

How does the fingerprint found here (C819 0B35 074D 7BBF E07F 4DF0 119E 1700 215E 42E6) compare to the fingerprint supplied by Bob in step 1.1 (C819 0B35 074D 7BBF E07F 4DF0 119E 1700 215E 42E6)? They are the same 🙂

We now know that the public key we got from Bob is actually the same key whose fingerprint we received in step 1.1.

Step 5:

The last thing to do is trusting this key, so we can safely use it without hesitation:

[alice@radijs ~]$ gpg --edit-key bob@maboc.nl 
gpg (GnuPG) 2.2.20; Copyright (C) 2020 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.


pub  rsa2048/119E1700215E42E6
     created: 2020-11-12  expires: 2022-11-12  usage: SC  
     trust: unknown       validity: unknown
sub  rsa2048/6945C7E1B92180C0
     created: 2020-11-12  expires: 2022-11-12  usage: E   
[ unknown] (1). BobBob 

gpg> trust
pub  rsa2048/119E1700215E42E6
     created: 2020-11-12  expires: 2022-11-12  usage: SC  
     trust: unknown       validity: unknown
sub  rsa2048/6945C7E1B92180C0
     created: 2020-11-12  expires: 2022-11-12  usage: E   
[ unknown] (1). BobBob 

Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

  1 = I don't know or won't say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately
  m = back to the main menu

Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y

pub  rsa2048/119E1700215E42E6
     created: 2020-11-12  expires: 2022-11-12  usage: SC  
     trust: ultimate      validity: unknown
sub  rsa2048/6945C7E1B92180C0
     created: 2020-11-12  expires: 2022-11-12  usage: E   
[ unknown] (1). BobBob 
Please note that the shown key validity is not necessarily correct
unless you restart the program.

gpg> quit
[alice@radijs ~]$
[alice@radijs ~]$ gpg --list-key bob@maboc.nl
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   2  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 2u
gpg: next trustdb check due at 2022-11-12
pub   rsa2048 2020-11-12 [SC] [expires: 2022-11-12]
      C8190B35074D7BBFE07F4DF0119E1700215E42E6
uid           [ultimate] BobBob 
sub   rsa2048 2020-11-12 [E] [expires: 2022-11-12]

[alice@radijs ~]$

As you might notice, Alice gave this key ultimate trust. Why you can (for example) also give marginal trust is not for now; it is what the “web of trust” is built with.

You may also notice that when the public key of Bob is listed it now has ultimate trust.

Alice is good to go: she can encrypt files for Bob and be sure only Bob can decrypt them, and if she receives a signed file/document/email, she can confidently verify whether it was actually signed by Bob.
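Steps 3 to 5 above are done by eye; as an added example (not part of the original article), here is a Python script that does the step 4 comparison by machine: it reads the key file through gpg's machine-readable --with-colons output without storing it, normalises the spaced fingerprint Bob handed over, refuses the file unless it holds exactly one key with that fingerprint, and only then imports it and records the check with a local signature (--quick-lsign-key), a narrower alternative to the ultimate ownertrust set in step 5. It assumes GnuPG 2.x on PATH; the parsing functions run on the constructed sample below without gpg.

```python
import re
import subprocess
# Constructed sample of `gpg --with-colons` output for Bob's key (IDs and primary
# fingerprint are the article's values; timestamps and the subkey fpr are placeholders).
SAMPLE_COLONS = """\
pub:-:2048:1:119E1700215E42E6:1605171600:1668211200::-:::scESC::::::23::0:
fpr:::::::::C8190B35074D7BBFE07F4DF0119E1700215E42E6:
sub:-:2048:1:6945C7E1B92180C0:1605171600:1668211200:::::e::::::23:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
"""
# The fingerprint as Bob handed it over (step 1.1), in gpg's spaced display form.
EXPECTED_FROM_BOB = "C819 0B35 074D 7BBF E07F  4DF0 119E 1700 215E 42E6"

def normalize_fpr(fpr: str) -> str:
    """Canonical form: upper-case hex without whitespace; anything else is rejected."""
    compact = re.sub(r"\s+", "", fpr).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", compact):
        raise ValueError(f"not a 40-digit v4 fingerprint: {fpr!r}")
    return compact

def primary_fingerprints(colons_output: str) -> list:
    """Primary-key fingerprints only: the fpr record right after a pub record.
    Subkey fpr records (those following a sub record) are skipped."""
    found, after_pub = [], False
    for line in colons_output.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            after_pub = True
        elif fields[0] == "fpr" and after_pub and len(fields) > 9:
            found.append(fields[9])
            after_pub = False
        elif fields[0] == "sub":
            after_pub = False
    return found

def matches_expected(colons_output: str, expected: str) -> bool:
    """True only if the file holds exactly one key and it is the expected one."""
    found = primary_fingerprints(colons_output)
    return len(found) == 1 and normalize_fpr(found[0]) == normalize_fpr(expected)

def verify_and_import(key_file: str, expected: str) -> str:
    # Show the key without storing it (dry run), compare, then import and locally sign it.
    cmd = ["gpg", "--batch", "--dry-run", "--with-colons", "--import-options", "show-only"]
    show = subprocess.run(cmd + ["--import", key_file], capture_output=True, text=True, check=True)
    if not matches_expected(show.stdout, expected):
        raise SystemExit(f"fingerprint of {key_file} does not match; key not imported")
    fpr = normalize_fpr(expected)
    subprocess.run(["gpg", "--batch", "--import", key_file], check=True)
    # Local (non-exportable) signature: records the check without giving Bob's own
    # certifications the weight that ownertrust "ultimate" would.
    subprocess.run(["gpg", "--batch", "--quick-lsign-key", fpr], check=True)
    return fpr
```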
