I'm doing some works about secure communication. I generated a gpg key in the bash. It is easy to encrypt a file in the bash, however, I want to do that in Go.
The go package openpgp seems not having relative functions, so how can I do that?
Thanks.
Related
I have lost the passcode to a GPG keypair, and need to recover it. In the process of doing so I need to convert into a .asc file for gpg2john. However the GPG cli askes for a password to convert it into the ascii-armored version... which I do not have. Is there anyway for me to get the .asc file from just the keys.
I can not use the below command as it requires a password.
gpg --export-secret-key --armor
Note: recover lost gpg password doesn't seem have any real answers.
Apparently (see recover lost gpg password), gnupg added code to require a passphrase for export in newer versions. If you install an old, old version, like
brew install gnupg#1.4
you can then call
gpg1 -a --export-secret-keys ID >exportedPrivateKey.asc
without having to enter a passphrase.
Needless to say, only use gpg1 for that one task, not for ongoing encryption ;)
I have the following files Cert.pem, Key.pem, CACert.pem
I have been told that I need to decrypt the key.pem.
1) What is the windows OpenSSL command to do this?
I need to combine the decrypted key.pem file with the cert.pem file to produce a new cert.pem file.
2) What is the windows OpenSSL command to do this?
Thanks
Unix installations of OpenSSL should include man pages, but Windows versions often do not because Windows doesn't usually have any way of finding and displaying them. man pages for the currently supported releases, plus 'master' which is the development head, are available on the OpenSSL website at https://www.openssl.org/docs/manpages.html . All OpenSSL 'commands' are actually run by the (single) program openssl, thus you execute pkey some args by running
openssl pkey some args
rem if openssl.exe is on your PATH or in the current directory, otherwise
x:\path\to\openssl pkey some args
You don't mention having the password for the encrypted key file; I hope you do because you can't decrypt (or do anything else) without it.
For 1.0.0 up, pkey is the preferred way to convert private keys, including encrypting and decrypting; see its man page. In brief you simply tell pkey to read from the input file and write to the output file, and omit any specification of a cipher; that omission will cause it to write an unencrypted key. Note pkey will write the output in PKCS8 format, which is preferred for most purposes, but if you actually need a 'legacy' or 'traditional' format for some reason -- ask whoever 'told' you what software this file will be used with -- 1.1.0 pkey can do this but earlier cannot.
If you are stuck with a 0.9.x release, usually only on obsolete systems, use pkcs8 -topk8 -nocrypt for PCKS8 output; see that.
If you need legacy/traditional format (on a release below 1.1.0) you must use the 'legacy' per-algorithm commands, so you need to know what algorithm your key(file) is. Look at the first line where it says -----BEGIN something PRIVATE KEY----- . If something is RSA, use rsa; for DSA dsa; for EC ec; see the respective pages. If something is ENCRYPTED you must decrypt it to PkCS8 as above first, then look at it with asn1parse to determine which algorithm it is, but I expect it's not very likely someone who want a legacy unencrypted key will start with an PKCS8 encrypted one.
OpenSSL does not provide any special operation to combine PEM files, since concatenating files of many types is a common operation. On Unix this is canonically done with the cat program; on Windows it can be done by using the (builtin) copy command with plus-sign(s) in the source; on both Unix and Windows it can be done by creating a file and then appending to it like:
copy decryptedkey.pem combined.pem
type certificate.pem >> combined.pem
rem >> means redirect the output from that command ('type')
rem normally on the console to _the end of_ the named file.
In this case you want to modify cert.pem by adding the contents of decryptedkey.pem, so just do
type decryptedkey.pem >> cert.pem
Alternatively you can use a plaintext editor like notepad. Open both files; select all the text in the second file and copy (or cut) and paste it at the end of the first file; save the modified first file.
I want to use batch to upload from the mput command to FTP. But, what I do not want to do is upload a file that has already been uploaded before, so I need the MD5 of each file and compare the new ones with the existing ones.
How are the commands I need?
First, make sure your remote server supports the checksum calculation at all. Many do not. I believe there's even no standard FTP command to calculate a checksum of a remote file. There were many proposals and there are many proprietary solutions.
The latest proposal is:
https://datatracker.ietf.org/doc/html/draft-bryan-ftpext-hash-02
Some of the commands that can be used to calculate MD5 checksum are: XMD5, MD5, and HASH.
You can test that with WinSCP. The WinSCP supports all the previously mentioned commands. Test its checksum calculation function or the checksum scripting command. If they work, enable logging and check, what command and what syntax WinSCP uses against your server.
Then you can execute the command in your command-line FTP client. You didn't tell us, what client are you using. In common Windows or *nix command-line ftp client, you can use quote command to execute an arbitrary FTP protocol command, like:
quote MD5 filename
If you are on Windows, you can use WinSCP scripting. As in GUI, WinSCP will find out for you, what command to use. You simply use checksum command:
checksum md5 index.html
(I'm the author of WinSCP)
Though note, that you better use SHA-1. MD5 is not to be trusted anymore.
This is the first time I figured I had better check the keys of the bind software I want to install. So I downloaded what I think is a OpenPGP key ...
$ wget ftp://ftp.isc.org/isc/bind9/9.9.4/bind-9.9.4.tar.gz.sha1.asc
... then I tried to "import" this key like this ...
$ gpg --import bind-9.9.4.tar.gz.sha1.asc
... but I get this error message:
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0
What am I doing wrong?
Thanks!
The command syntax is gpg bind-9.9.4.tar.gz.sha1.asc. Of course, this gives an error that no public key is found. You can download public keys from pgpkeys.mit.edu.
This article explains the process step-by-step.
Sometimes, you read words like these: “It is essential that you verify the integrity of the downloaded files using the PGP or MD5 signatures […] using the following commands […]”.
gpg --import KEYS
gpg --verify <software-bundle>.asc
You know you should do. And without reading all of it, you may think: Two commands, one to attach the signature file and one to verify the downloaded software. It is not.
KEYS does not refer to the downloaded asc file, but to a special file named KEYS that you need to download separately. See the step “Download KEYS”. The link is not pointing to the asc file as you might think. It points to something else. These KEYS are needed to check the integrity of the asc file itself. The second command seems to perform both checks then. It verifies the asc file given as parameter (using the imported keys), but if you try to run it on the standalone asc file, it says:
gpg: no signed data
gpg: can't hash datafile: No data
So I think it also verifies the integrity of the software, too, which is expected to be a file with the same name except the tailing .asc in the same directory. (But I didn’t find a proof for this to be true by now.)
I have a sequence of scripts which downloads PGP files from a FTP server. I then unzip these files with a private key using PGPKeys. The unzipped files are then picked up by a SQL Server job which appends the data onto our database. I'd like to automate the entire process. Is there anyway to unzip a PGP locked file using shell scripting (either Linux or Windows)?
That's a perfect task to automize, I can help you in Linux.
First you can use wget to download a file
wget ftp://website.com/yourpgparchive.zip
If your ftp website requires authenticated access use
wget --ftp-user=USER --ftp-password=PASSWORD ftp://ftp.site/archive.zip.pgp
Then you need gpg (the open source PGP implementation) to decrypt the file
gpg -o file.zip -d file.zip.gpg
(If you need some suggestion on how to import keys and get started with gpg check here)
Then you can just unzip the file with
unzip file.zip
You may need to install gnupg and unzip from your package manager.
Yes, GPG. In your case, it's just gpg -d filename (or just gpg -d to read from stdin).
And, what you probably wanted to say is decrypt instead of unzip and encrypted instead of locked.