How to make and verify a signature with PGP using the command line - public-key-encryption

I could not find any good example of signing and verifying a file using PGP; I hope the following example could be useful.
I will use Bob and Alice to explain it.
1. Bob installs Alice’s PGP public key on his machine:
$ gpg --import <Key_Alice>-pub-sub.asc
2. Alice signs and encrypts a document (TestMessage.txt) using her PGP private key:
$ gpg --output TestMessageSignedByAlice.txt -a --sign ./TestMessage.txt
--output: write output to FILE (TestMessageSignedByAlice.txt)
-a, --armor: output file should be in ASCII format
--sign: document to sign and encrypt (TestMessage.txt)
The result is a document signed and encrypted (TestMessageSignedByAlice.txt) by Alice using her PGP private key.
3. Finally, Bob verifies Alice’s signed document and decrypts the document using Alice’s PGP public key. The original document content will be found in the document TestMessageDecrypt.txt.
$ gpg --output TestMessageDecrypt.txt --decrypt ./TestMessageSignedByAlice.txt
--decrypt: file to verify signature and to decrypt (TestMessageSignedByAlice.txt)
--output: write output to FILE (TestMessageDecrypt.txt)
I used documentation from :
https://www.gnupg.org/gph/en/manual/x135.html

It works in a slightly different way:
Alice uses her secret (private) key to sign a document, and Bob's public key to encrypt the document.
Bob uses his secret (private) key to decrypt the document, and then Alice's public key to verify the signature.
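The flow described in the answer above, as an added example that is not part of the original posts: it contrasts `--sign` alone with `--sign --encrypt`. The throwaway keys, the example.test identities, the key-less third keyring "eve" and the function name pgp_roundtrip are assumptions made for the demo.

```shell
#!/bin/sh
# Constructed demo: throwaway keys in temporary keyrings, ~/.gnupg is untouched.
# alice/bob/eve and the example.test addresses are invented for this example.
pgp_roundtrip() {
    work=$(mktemp -d) || return 1
    for who in alice bob eve; do mkdir -m 700 "$work/$who"; done
    g() { h=$1; shift; gpg --homedir "$work/$h" --batch --quiet --no-tty "$@"; }

    # Alice and Bob each create a key pair (empty passphrase: demo only).
    for who in alice bob; do
        g "$who" --pinentry-mode loopback --passphrase '' --quick-generate-key \
            "$who@example.test" default default never >/dev/null 2>&1 || return 1
        g "$who" --armor --export "$who@example.test" > "$work/$who.pub"
    done
    g alice --import "$work/bob.pub"      # Alice needs Bob's public key to encrypt
    g bob   --import "$work/alice.pub"    # Bob needs Alice's public key to verify
    printf 'constructed test message\n' > "$work/msg.txt"

    # 1) --sign alone: signed and armored, but not encrypted. Eve holds no keys.
    g alice --armor --output "$work/signed.asc" --sign "$work/msg.txt"
    g eve --output "$work/eve1.txt" --decrypt "$work/signed.asc" 2>/dev/null || true
    cmp -s "$work/msg.txt" "$work/eve1.txt" && echo "sign-only: readable with no keys"

    # 2) --sign --encrypt: Alice's secret key signs, Bob's public key encrypts.
    #    --trust-model always is a demo shortcut; with real keys, check the fingerprint.
    g alice --armor --trust-model always --recipient bob@example.test \
        --output "$work/se.asc" --sign --encrypt "$work/msg.txt"
    g eve --output "$work/eve2.txt" --decrypt "$work/se.asc" 2>/dev/null \
        || echo "sign+encrypt: unreadable without Bob's secret key"

    # 3) Bob decrypts with his secret key; --status-fd reports the signature verdict.
    status=$(g bob --status-fd 1 --output "$work/out.txt" --decrypt "$work/se.asc" 2>/dev/null) || true
    if cmp -s "$work/msg.txt" "$work/out.txt" &&
       printf '%s\n' "$status" | grep -q '^\[GNUPG:\] GOODSIG '; then
        echo "bob: decrypted, good signature from alice"
    fi

    for who in alice bob eve; do gpgconf --homedir "$work/$who" --kill gpg-agent 2>/dev/null || true; done
    rm -rf "$work"
}

pgp_roundtrip
```

Checking the `GOODSIG` status line is more reliable in scripts than parsing the human-readable "Good signature" text.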

Related

convert ed25519 private ssh key to RSA private key

I'm looking to convert an ed25519 private key to an rsa private key using ssh-keygen.
I found this helpful guide but I am having trouble figuring out how to specify that the input format is ed25519 and the export format should be rsa.
I've tried a bunch of different ways trying to match the synopsis and the description of flags, but every time I try, I get a "Too many arguments" error from ssh-keygen.
I'd also like to find the command to generate a public key from an ed25519 private key to verify that it works.
No, it can't be converted. RSA and EdDSA are not just different types of keys, these are totally different cryptosystems. Key generation algorithms and private keys are just part of it.
All the conversion options available in ssh-keygen usually convert one type of RSA key to another type of RSA key, e.g. converting an OPENSSH RSA key to a PKCS8 RSA key. Basically, that so-called conversion is just packaging the RSA key in different ways.
As mentioned in "How to generate secure SSH keys", ED25519 is an EdDSA signature scheme using SHA-512 (SHA-2) and Curve25519.
The main problem with EdDSA is that it requires at least OpenSSH 6.5 (ssh -V) or GnuPG 2.1 (gpg --version), and maybe your OS is not so updated, so if ED25519 keys are not possible your choice should be RSA with at least 4096 bits.
To generate the private key:
ssh-keygen -t ed25519 -P "" -f myid_ed25519
From the private key, you can generate its public key (which has nothing to do with RSA):
ssh-keygen -y -f myid_ed25519 > myid_ed25519.pub

Gnupg - Decrypt file

I'm trying to decrypt a file but I get the following:
gpg <file name>
gpg: encrypted with 2048-bit RSA key, ID 4A83B612, created 2018-02-19
"user <email>"
gpg: decryption failed: secret key not available
When I list my keys using:
gpg --list-keys
Here is the result:
pub 2048R/0BBBBDB3 2018-02-19
uid user <email>
sub 2048R/4A83B612 2018-02-19
I understand that the sub key doesn't seem to be recognized.
To decrypt you need the private key. Have a look at https://www.gnupg.org/gph/en/manual/x110.html:
If you want to encrypt a message to Alice, you encrypt it using Alice's public key, and she decrypts it with her private key. If Alice wants to send you a message, she encrypts it using your public key, and you decrypt it with your key.
As the documentation states, only the recipient you specify by --recipient when encrypting can decrypt the message.
So in summary:
Encrypting uses the public key of the recipient
Decrypting uses the private key of the recipient
I managed to have an output of gpg --list-secret-keys
I still can't decrypt the file though. Here is the output of gpg --output doc --decrypt doc.gpg:
gpg: encrypted with 2048-bit RSA key, ID 4A83B612, created 2018-02-19
"user "
gpg: decryption failed: secret key not available

Get fingerprints of OpenPGP keys

I'm trying to get the fingerprints from the public OpenPGP keys of ActiveMQ. They are published at http://www.apache.org/dist/activemq/KEYS.
Unfortunately, not all the keys have fingerprints listed next to them. Do you have any idea how to proceed?
I used this command (tested with gpg 2.2.12):
gpg --show-keys file.pub
For old versions, see the answer from Jens Erat. With newer versions gpg --with-fingerprint does not work and returns:
gpg: WARNING: no command supplied. Trying to guess what you mean ...
The fingerprint is derived from the public key and creation timestamp -- both are contained in the public keys listed on the site. There are several ways of inspecting keys without importing them, which also makes sure you print the information of the very specific key you are considering right now. --with-fingerprint makes GnuPG always output the fingerprint when listing keys. One way to get the fingerprint would be:
$ gpg --with-fingerprint <<EOT
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.1 (Darwin)

[...]
=RBPl
-----END PGP PUBLIC KEY BLOCK-----
EOT
gpg: WARNING: no command supplied. Trying to guess what you mean ...
pub dsa1024/0x9FF25980F5BA7E4F 2006-02-10 [SCA]
Key fingerprint = E5B8 247A F8A6 19A2 8F90 FDFC 9FF2 5980 F5BA 7E4F
uid Hiram Chirino <hiram#hiramchirino.com>
sub elg1024/0x10314D676733C080 2006-02-10 [E]
You can also provide the full page, then GnuPG will print all fingerprints, readily grepable.
Note that this works only on old GnuPG, version 2.0.x. For newer versions, see the other answers describing the --show-keys option, which is not available in this version.
gpg --show-keys --fingerprint <<EOT
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.1 (Darwin)

[...]
=RBPl
-----END PGP PUBLIC KEY BLOCK-----
EOT
pub dsa1024 2006-02-10 [SCA]
E5B8 247A F8A6 19A2 8F90 FDFC 9FF2 5980 F5BA 7E4F
uid Hiram Chirino <hiram#hiramchirino.com>
sub elg1024 2006-02-10 [E]
From GPG manual -
--show-keys
This commands takes OpenPGP keys as input and prints information about them
in the same way the command --list-keys does for locally stored key. In
addition the list options show-unusable-uids, show-unusable-subkeys,
show-notations and show-policy-urls are also enabled. As usual for automated
processing, this command should be combined with the option --with-colons.
--fingerprint
List all keys (or the specified ones) along with their fingerprints. This is
the same output as --list-keys but with the additional output of a line with
the fingerprint. May also be combined with --check-signatures. If this
command is given twice, the fingerprints of all secondary keys are listed too.
This command also forces pretty printing of fingerprints if the keyid format
has been set to "none".
--with-fingerprint
Same as the command --fingerprint but changes only the format of the output
and may be used together with another command.
My GnuPG version is 2.2.20
References -
https://unix.stackexchange.com/a/694646/356166
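Following the manual's advice to combine --show-keys with --with-colons, here is an added example (not from the answers above) that lists the primary-key fingerprints in a key file without importing it and checks the file against a fingerprint obtained through another channel. The function names and the demo@example.test key are assumptions made for the example.

```shell
#!/bin/sh
# Prints "FINGERPRINT first-user-ID" for every primary key in the file $1.
# Nothing is imported; a scratch homedir keeps ~/.gnupg untouched.
list_fingerprints() {
    tmp=$(mktemp -d) || return 1
    gpg --homedir "$tmp" --batch --no-tty --show-keys --with-colons "$1" 2>/dev/null |
    awk -F: '
        $1 == "pub"            { primary = 1; next }  # next fpr record is the primary key
        $1 == "sub"            { primary = 0; next }  # fpr after sub is a subkey: skip it
        $1 == "fpr" && primary { fpr = $10; primary = 0; next }
        $1 == "uid" && fpr     { print fpr, $10; fpr = "" }
    '
    rm -rf "$tmp"
}

# Succeeds only if the file $1 holds a primary key whose full fingerprint is $2
# (spaces and letter case in $2 are ignored, so the spaced form can be pasted).
has_fingerprint() {
    want=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
    list_fingerprints "$1" | grep -q "^$want "
}

# Constructed input for trying it out: writes a throwaway public key to $1 and
# prints its fingerprint as reported by the keyring that generated it.
demo_keyfile() {
    d=$(mktemp -d) || return 1
    gpg --homedir "$d" --batch --quiet --no-tty --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Demo Key <demo@example.test>' default default never \
        >/dev/null 2>&1 || return 1
    gpg --homedir "$d" --batch --armor --export demo@example.test > "$1"
    gpg --homedir "$d" --batch --with-colons --list-keys demo@example.test 2>/dev/null |
        awk -F: '$1 == "fpr" { print $10; exit }'
    gpgconf --homedir "$d" --kill gpg-agent 2>/dev/null || true
    rm -rf "$d"
}

# Stand-alone use: sh this-script.sh KEYS
if [ -n "${1:-}" ]; then
    list_fingerprints "$1"
fi
```

Compare against the full 40-hex-digit fingerprint; short key IDs like the ones in older listings are not unique enough to pin a key.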

GnuPG Encryption without special characters

I am using the code below to encrypt the text file. I need to read the encrypted text back and send it in an email. But for this it needs to be encoded without any special characters.
But when I encrypt using the code below, it encrypts with special characters.
gpg --output test.txt.gpg --encrypt --recipient test#test.com test.txt
Any ideas?
You need to add the "-a" (ASCII armor) argument to gpg:
gpg -a --output test.txt.gpg --encrypt --recipient test#test.com test.txt
This tells gpg to format its output in base 64 encoding.
Sample:
-----BEGIN PGP MESSAGE-----
Version: GnuPG v1
-----END PGP MESSAGE-----

Extract multiple keys from one .p12 file using OpenSSL ruby

I am wondering how to extract keys from an Apple .p12 file. From my limited understanding, a .p12 file is a combination of X509 certificates and private keys.
I am seeing that every .p12 file I run into has an X509 certificate and at least one key, and in some situations two keys. This is due to the fact that every .p12 has an Apple developer key, and some have an extra key (possibly an Apple root authorization key). I am considering only those .p12 files with two keys as valid. My goal here is to differentiate between those .p12 files that have one key and those that have two.
So far I have used OpenSSL to be able to inspect X509 files and the keys of any .p12. For example I have this code that does the inspections for all .p12 files in a directory:
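require 'openssl'

Dir.glob('*.p12').each do |path|
  # .p12 files are binary, so read raw bytes; the block variable is named
  # path rather than p to avoid shadowing Kernel#p
  file = File.binread(path)
  p12 = OpenSSL::PKCS12.new(file, "")
  # note that this new certificate is in an X509 format
  cert = p12.certificate
  puts p12.inspect
  puts cert.inspect
end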
This is my output:
#<OpenSSL::PKCS12:0x007fcf33018920>
#<OpenSSL::X509::Certificate subject=/UID=FFBMT4K5/CN=iPhone Distribution: A.H. Belo Management Services, Inc./OU=FFBMT4K5/O=FFBMT4K5/C=US, issuer=/C=US/O=Apple Inc./OU=Apple Worldwide Developer Relations/CN=Apple Worldwide Developer Relations Certification Authority, serial=36597980220620, not_before=2012-01-11 16:30:22 UTC, not_after=2013-01-10 16:30:22 UTC>
Now my problem is getting keys. If I do something like this:
puts p12.key
I get a long string of encrypted data like this:
-----BEGIN RSA PRIVATE KEY-----
[...]
-----END RSA PRIVATE KEY-----
My question is how can I determine whether this certificate has more than one key, and also how I can inspect the keys for information. If what I am asking or my understanding of this issue is fundamentally flawed, please let me know. This is my first time being exposed to certificates and any information will be greatly helpful. Any points in the right direction will be appreciated, thanks in advance.
EDIT:
Using OpenSSL I can view the two shrouded keybags of a .p12. Example:
openssl pkcs12 -in some_p12.p12 -info -noout
output:
Enter Import Password:
MAC Iteration 1
MAC verified OK
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
Certificate bag
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
So I'm looking for a couple things. Generally speaking, what exactly are these keybags? And also, how can I inspect them/determine how many I have per .p12 file using Ruby. Thanks.
I'm quite late for this one but it also interested me. I've tested creating a p12 file using two of my digital certificates (one expiring in 2023 and the other one in 2027) and this was the openssl output:
$ openssl pkcs12 -in some_p12.p12 -info -noout
Enter Import Password:
MAC Iteration 1
MAC verified OK
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
Certificate bag
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
When parsing it in Ruby using OpenSSL::PKCS12 I noticed one of the certificates could be read from the ca_certs array and the other from the certificate method:
p12 = OpenSSL::PKCS12.new(file, "1234")
p12.certificate # => The latest one with the further expiry date (2027)
p12.key # => The private key from the certificate
p12.ca_certs # => Array, with the other certificate (expiring in 2023)
p12.ca_certs.count #=> 1
I could read the private key from the certificate using key as usual; however, I could not find a way to read the key corresponding to the certificate from ca_certs.
A .p12 contains only 1 private key, and contains 1 or more public keys. The public keys are the ones that make the chain of trust.
.p12 is a binary format. To convert it and extract to individual certificates, look for example here. The link contains all the openssl commands you need.
