{"id":258,"date":"2020-11-19T12:58:18","date_gmt":"2020-11-19T12:58:18","guid":{"rendered":"https:\/\/maboc.nl\/?p=258"},"modified":"2020-11-19T12:58:18","modified_gmt":"2020-11-19T12:58:18","slug":"import-and-sign-a-public-key","status":"publish","type":"post","link":"https:\/\/maboc.nl\/?p=258","title":{"rendered":"Import and sign a public key"},"content":{"rendered":"<p><a href=\"https:\/\/maboc.nl\/?p=181\" target=\"_blank\" rel=\"noopener noreferrer\">GPG index<\/a><\/p>\n<p>Now I have a private\/public key pair, but what to do with it? Of course we want to use it for encrypting and signing files; we will get to that in a minute (next article). Because, as written in the <a href=\"https:\/\/maboc.nl\/?p=218\" target=\"_blank\" rel=\"noopener noreferrer\">first<\/a> article, Bob needs Alice&#8217;s public key to encrypt a message to her, and he also needs her public key to verify whether a signature is valid. So, it&#8217;s not enough to only create the keypair: you also have to distribute your public key to the people you want to have this encrypted\/signed communication with. 
Therefore, first let&#8217;s discuss that:<\/p>\n<p>What we now should do:<\/p>\n<ol>\n<li>Alice must be sure that Bob is who he says he is (ID\/Passport\/Blue Eyes)\n<ol>\n<li>And if Alice is sure, get from Bob the fingerprint of the public key of Bob<\/li>\n<\/ol>\n<\/li>\n<li>Somehow get the public key of Bob to Alice\n<ol>\n<li>Export the public key of Bob<\/li>\n<li>Get the key to Alice<\/li>\n<\/ol>\n<\/li>\n<li>Import the key into the gpg-keyring of Alice<\/li>\n<li>Check the fingerprint of the imported public key of Bob against the fingerprint from step 1.1<\/li>\n<li>If the fingerprints match (step 4), trust the public key in the gpg public keyring<\/li>\n<\/ol>\n<p>Step 1:<\/p>\n<p>In this example I just created two users on my system; they don&#8217;t really exist \ud83d\ude42 So, I hereby certify that Alice actually is Alice and Bob is actually Bob.<\/p>\n<p>The public keyring of Alice now looks like:<\/p>\n<pre style=\"font-family: courier; font-size: smaller;\">[alice@radijs ~]$ gpg --list-keys \r\n\/home\/alice\/.gnupg\/pubring.kbx\r\n------------------------------\r\npub   rsa2048 2020-11-12 [SC] [expires: 2022-11-12]\r\n      9B40B1BC71AD2D212D316CEEDA65161857B73DD7\r\nuid           [ultimate] Alice &lt;alice@maboc.nl&gt;\r\nsub   rsa2048 2020-11-12 [E] [expires: 2022-11-12]\r\n\r\n[alice@radijs ~]$\r\n<\/pre>\n<p>There&#8217;s only one public key (her own).<\/p>\n<p>Step 1.1 :<\/p>\n<p>Bob now has to supply the fingerprint for his public key:<\/p>\n<pre style=\"font-family: courier; font-size: smaller;\">[bob@radijs ~]$ gpg --fingerprint bob@maboc.nl\r\npub   rsa2048 2020-11-12 [SC] [expires: 2022-11-12]\r\n      C819 0B35 074D 7BBF E07F  4DF0 119E 1700 215E 42E6\r\nuid           [ultimate] BobBob &lt;bob@maboc.nl&gt;\r\nsub   rsa2048 2020-11-12 [E] [expires: 2022-11-12]\r\n<\/pre>\n<p>And there you have it.<\/p>\n<p>Step 2:<\/p>\n<p>The public key must be transported to Alice. 
But first we must export it to a file, in order to be able to transport it \ud83d\ude42<\/p>\n<pre style=\"font-family: courier; font-size: smaller;\">[bob@radijs ~]$ gpg --export --armor bob@maboc.nl\r\n-----BEGIN PGP PUBLIC KEY BLOCK-----\r\n\r\nmQENBF+tS9wBCADHpmq20vvmC3EAkOvZWMWDTGjIDGj7RYA00RxCYKUl9VNw3qKx\r\nY3QIPuWRlscPlyX4RY1a8EiO52G65l8M0PHnJJH7cnfr00gsv0SoxWa3f4fGt\/tC\r\nBykScL0kIV4hYrl03mETTWaSrWVB5SuEa9nGlpHfQL83jFf6fXOJveheDjG8f4+L\r\nKoWE+juztMbJYc7AZ83k\/ltZNDJtK7Fwny8upX1ehxOcKMqgPNmi7PlRkGihBAnU\r\nejiOMSQcbslxZmyocZIjRQlCGXC5pexKILK\/FVRJckovaTJAr1koHvMff8TZXILu\r\nntCg2XMrqyD5oIL\/WWCcsGgr6VlpA0lrypz7ABEBAAG0FUJvYkJvYiA8Ym9iQG1h\r\nYm9jLm5sPokBVAQTAQgAPhYhBMgZCzUHTXu\/4H9N8BGeFwAhXkLmBQJfrUvcAhsD\r\nBQkDwmcABQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJEBGeFwAhXkLmexQH\/0c9\r\nzjz\/8RPtJ4jZM7qKWMVUJ3ZVdOGIYi6Z3JiiWC0pXwMF3Nxm7vZQpCJEPu3Uq9hX\r\n0Qiyy3Holp\/zVBgJBQQlP3+stiNNA3P2vhSWrz2VhMcIZ6U50herpkm\/ev+YSKtS\r\noRXrVnohMb6LAu9dx5KlvBcqY9gCdHqmGSj8wFTWIcn9mYL3IuRDt0d9N3P+UN9j\r\nB10GgftY1i3fFFWj3tHcnhBFBY7Ju1rGLWlvEudh2\/mkhyAhEGPbK4v2ufMqAD2Y\r\neAab1qDgToKsyehcmzciurZ3RnAAYtODdk8NocfZU1b7N5tu6xgea7OCjixcDDvy\r\n4eV3xcqfCY661NmecHuJATMEEAEIAB0WIQSbQLG8ca0tIS0xbO7aZRYYV7c91wUC\r\nX7WFmgAKCRDaZRYYV7c913VwB\/4wETygdHMKP9ORbUiKKSEK5e4RSfi+pH7TYGFT\r\nnbVK60J\/+R97yayZuwkCEJZ85QAETFNYhDfB1aOXyr76TjWEKjyv+U3Gl9C3PTrS\r\nlour5nZe7d8ugibGFsa+GTVpl011kQqCstTXNzC+myPPk+bFdMpHaAjLf7VHiAeB\r\nApIgM4KYUIc2XqbITfJrBWSLrJr85t+PFAscTdn71+iATeGRBLGtskBtriVwRJm4\r\nygaHe9zdhOiO7RK+OzYE9iUZ\/RPZbCjm1fDAlRfgWVZZwWI99h6b4\/0W3J91e4oY\r\nP2ZpBuvLt\/8z79nkfVk9q16odcG2Nykt5qLBhpqiU50dsoGduQENBF+tS9wBCADe\r\nEGbKuFZryNZqQxxQsjDI4I3KV7mYK0jQuWHVKv92sG6L1blWZLmj+prxCooq95D4\r\nzfCGX0gaM\/2TfgjGtASsDcZYu\/vFX8rovMsCv\/SSe\/ACpgSaBGbMpREmVZcvThJn\r\n9mTtvVwT0MixDlWP8plYj359xd294uZrjicmayU1WgykDppMU4doJLRAC2op2TsJ\r\nFuDAeXABeUUcHzeeUaVePb\/33KSVhe2Y5gUrZCGm2iM0VXu+P0N3p05pH+yNxXku\r\nP339KQKoqrUtv9L2ar8Dlg2bapJJmvUbg+jn\/UFBUMt38RBDUKg5Lwf9uyWaqVRI\r\nIFWfHuWvd2kCKM86EuA3ABEBAAGJATw
EGAEIACYWIQTIGQs1B017v+B\/TfARnhcA\r\nIV5C5gUCX61L3AIbDAUJA8JnAAAKCRARnhcAIV5C5mbeCAC3CZ96PRf2ZgRwqqE4\r\nHuj5vC8Ls+AsAoe+x8RtaI51l42I37x0mHxJoPiNJ2yvF+YGoa+ffgcBxtypsz46\r\nqSl7S5thDBx0B1h+WJdGkODB8SAHsRNfjVy17WQeiYkYh0xdFDMbKlSFxQIvMBH0\r\nOOrecWsTKqZzjxVaaOFvr76ZMqVwHxvQWzkK8SU70IMjvkra0pkmeXB\/EvN2owBm\r\nshaCvLLm+Skuq3+vzc7\/xfboah3kwDrTzcasY7jUobZx3b+9rpjPILgbsRGX7dSW\r\ntaAQO\/Zw17ieZ3Aw07nFsOXUN+n6Ralys0b7ClBc9GebH\/7g6hYkPW9tXFzoPgGT\r\nrDMO\r\n=Mo5o\r\n-----END PGP PUBLIC KEY BLOCK-----\r\n[bob@radijs ~]$ \r\n[bob@radijs ~]$ \r\n[bob@radijs ~]$ \r\n[bob@radijs ~]$ gpg --export --armor bob@maboc.nl &gt; bobs.pub\r\n[bob@radijs ~]$ ls -l bobs.pub \r\n-rw-rw-r--. 1 bob bob 2164 19 nov 13:09 bobs.pub\r\n[bob@radijs ~]$\r\n<\/pre>\n<p>As you can see, the gpg export command outputs the key to standard out. In the second instance I redirected the output to a file.<br \/>\nMaybe you wonder why I use the option --armor? Well, it works just as well without the armor option; however, the output will then be &#8220;binary&#8221; and I would not easily be able to show it here. The armor option tells gpg to export the key in an ASCII-readable format.<\/p>\n<p>Step 2.2:<\/p>\n<p>Get the key to Alice in any way you see fit. Since I&#8217;m just demoing here, I passed it via \/tmp. Bob puts his public key in \/tmp and Alice picks it up (don&#8217;t forget to loosen the permissions on the key, otherwise Alice cannot pick it up from \/tmp).<\/p>\n<p>Step 3:<\/p>\n<p>Alice picks the public key up (from \/tmp). 
And imports it into her public keyring:<\/p>\n<pre style=\"font-family: courier; font-size: smaller;\">[alice@radijs ~]$ gpg --list-keys\r\n\/home\/alice\/.gnupg\/pubring.kbx\r\n------------------------------\r\npub   rsa2048 2020-11-12 [SC] [expires: 2022-11-12]\r\n      9B40B1BC71AD2D212D316CEEDA65161857B73DD7\r\nuid           [ultimate] Alice &lt;alice@maboc.nl&gt;\r\nsub   rsa2048 2020-11-12 [E] [expires: 2022-11-12]\r\n\r\n[alice@radijs ~]$ \r\n[alice@radijs ~]$ cp \/tmp\/bob.pub .\/\r\n[alice@radijs ~]$\r\n[alice@radijs ~]$ ls -l bob.pub \r\n-rwxrwxr-x. 1 alice alice 1745 19 nov 13:20 bob.pub\r\n[alice@radijs ~]$ \r\n[alice@radijs ~]$ gpg --import bob.pub \r\ngpg: key 119E1700215E42E6: public key \"BobBob &lt;bob@maboc.nl&gt;\" imported\r\ngpg: Total number processed: 1\r\ngpg:               imported: 1\r\n[alice@radijs ~]$  \r\n[alice@radijs ~]$ gpg --list-keys\r\n\/home\/alice\/.gnupg\/pubring.kbx\r\n------------------------------\r\npub   rsa2048 2020-11-12 [SC] [expires: 2022-11-12]\r\n      9B40B1BC71AD2D212D316CEEDA65161857B73DD7\r\nuid           [ultimate] Alice &lt;alice@maboc.nl&gt;\r\nsub   rsa2048 2020-11-12 [E] [expires: 2022-11-12]\r\n\r\npub   rsa2048 2020-11-12 [SC] [expires: 2022-11-12]\r\n      C8190B35074D7BBFE07F4DF0119E1700215E42E6\r\nuid           [ unknown] BobBob &lt;bob@maboc.nl&gt;\r\nsub   rsa2048 2020-11-12 [E] [expires: 2022-11-12]\r\n\r\n[alice@radijs ~]$\r\n<\/pre>\n<p>What did I do? 1) List the public keys Alice has in her keyring at the moment, 2) copy the key to her home directory, 3) list it (just to see whether it&#8217;s there), 4) import the key, and finally 5) list the public keys in Alice&#8217;s keyring.<\/p>\n<p>As you might see, Alice now has two public keys in her keyring. 
The first is her own, which she trusts ultimately, and then there is the public key of Bob, whose trust is unknown.<\/p>\n<p>Step 4 :<\/p>\n<p>Let&#8217;s check the fingerprint on the freshly imported public key.<\/p>\n<pre style=\"font-family: courier; font-size: smaller;\">[alice@radijs ~]$ gpg --fingerprint bob@maboc.nl\r\npub   rsa2048 2020-11-12 [SC] [expires: 2022-11-12]\r\n      C819 0B35 074D 7BBF E07F  4DF0 119E 1700 215E 42E6\r\nuid           [ unknown] BobBob &lt;bob@maboc.nl&gt;\r\nsub   rsa2048 2020-11-12 [E] [expires: 2022-11-12]\r\n\r\n[alice@radijs ~]$\r\n<\/pre>\n<p>How does the fingerprint found here (C819 0B35 074D 7BBF E07F 4DF0 119E 1700 215E 42E6) compare to the fingerprint supplied by Bob in step 1.1 (C819 0B35 074D 7BBF E07F 4DF0 119E 1700 215E 42E6)? They are the same \ud83d\ude42<\/p>\n<p>We now know that the public key we got from Bob actually is the same key as the one we got the fingerprint of at step 1.1.<\/p>\n<p>Step 5 :<\/p>\n<p>The last thing to do is trusting this key so we can safely use it without hesitation:<\/p>\n<pre>\r\n[alice@radijs ~]$ gpg --edit-key bob@maboc.nl \r\ngpg (GnuPG) 2.2.20; Copyright (C) 2020 Free Software Foundation, Inc.\r\nThis is free software: you are free to change and redistribute it.\r\nThere is NO WARRANTY, to the extent permitted by law.\r\n\r\n\r\npub  rsa2048\/119E1700215E42E6\r\n     created: 2020-11-12  expires: 2022-11-12  usage: SC  \r\n     trust: unknown       validity: unknown\r\nsub  rsa2048\/6945C7E1B92180C0\r\n     created: 2020-11-12  expires: 2022-11-12  usage: E   \r\n[ unknown] (1). BobBob <bob@maboc.nl>\r\n\r\ngpg> trust\r\npub  rsa2048\/119E1700215E42E6\r\n     created: 2020-11-12  expires: 2022-11-12  usage: SC  \r\n     trust: unknown       validity: unknown\r\nsub  rsa2048\/6945C7E1B92180C0\r\n     created: 2020-11-12  expires: 2022-11-12  usage: E   \r\n[ unknown] (1). 
BobBob <bob@maboc.nl>\r\n\r\nPlease decide how far you trust this user to correctly verify other users' keys\r\n(by looking at passports, checking fingerprints from different sources, etc.)\r\n\r\n  1 = I don't know or won't say\r\n  2 = I do NOT trust\r\n  3 = I trust marginally\r\n  4 = I trust fully\r\n  5 = I trust ultimately\r\n  m = back to the main menu\r\n\r\nYour decision? 5\r\nDo you really want to set this key to ultimate trust? (y\/N) y\r\n\r\npub  rsa2048\/119E1700215E42E6\r\n     created: 2020-11-12  expires: 2022-11-12  usage: SC  \r\n     trust: ultimate      validity: unknown\r\nsub  rsa2048\/6945C7E1B92180C0\r\n     created: 2020-11-12  expires: 2022-11-12  usage: E   \r\n[ unknown] (1). BobBob <bob@maboc.nl>\r\nPlease note that the shown key validity is not necessarily correct\r\nunless you restart the program.\r\n\r\ngpg> quit\r\n[alice@radijs ~]$\r\n[alice@radijs ~]$ gpg --list-key bob@maboc.nl\r\ngpg: checking the trustdb\r\ngpg: marginals needed: 3  completes needed: 1  trust model: pgp\r\ngpg: depth: 0  valid:   2  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 2u\r\ngpg: next trustdb check due at 2022-11-12\r\npub   rsa2048 2020-11-12 [SC] [expires: 2022-11-12]\r\n      C8190B35074D7BBFE07F4DF0119E1700215E42E6\r\nuid           [ultimate] BobBob <bob@maboc.nl>\r\nsub   rsa2048 2020-11-12 [E] [expires: 2022-11-12]\r\n\r\n[alice@radijs ~]$\r\n<\/pre>\n<p>As you might notice, Alice gave this key ultimate trust. Why you can (for example) also give marginal trust is not for now. 
It is what the &#8220;web of trust&#8221; is built with. Note that GnuPG intends ultimate trust for your own keys; for someone else&#8217;s key you would normally sign it (gpg&gt; sign) after checking the fingerprint, possibly combined with full or marginal trust.<\/p>\n<p>You may also notice that when the public key of Bob is listed, it now has ultimate trust.<\/p>\n<p>Alice is good to go: she can encrypt files for Bob and be sure only Bob can decrypt the file, and if she receives a signed file\/document\/email, she can confidently verify whether it was actually signed by Bob.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>GPG index Now I have a private\/public key pair, but what to do with it? Of course we want to use it for encrypting and signing files; we will get to that in a minute (next article). Because, as written in the first article, Bob needs Alice&#8217;s public key to encrypt a message to her, and [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[36],"tags":[37,38],"class_list":["post-258","post","type-post","status-publish","format-standard","hentry","category-privacy","tag-gpg","tag-privacy"],"_links":{"self":[{"href":"https:\/\/maboc.nl\/index.php?rest_route=\/wp\/v2\/posts\/258","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/maboc.nl\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/maboc.nl\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/maboc.nl\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/maboc.nl\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=258"}],"version-history":[{"count":11,"href":"https:\/\/maboc.nl\/index.php?rest_route=\/wp\/v2\/posts\/258\/revisions"}],"predecessor-version":[{"id":269,"href":"https:\/\/maboc.nl\/index.php?rest_route=\/wp\/v2\/posts\/258\/revisions\/269"}],"wp:attachment":[{"href":"https:\/\/maboc.nl\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=258"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/maboc.nl\/i
ndex.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=258"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/maboc.nl\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=258"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}