Is there a way to export pub/priv key from java keystore and import to gpg keyring - code-signing

I'm wondering if there is a way to export the pub/priv key from a Java keystore (DigiCert signed) in a format which can then be imported into a gpg (.asc) keyring. I tried using openssl to extract the keys in PEM; however, they can't be imported into gpg, and I don't see any commands in openssl which can convert PEM to .asc.
I might be completely off track and gpg might not be compatible with pem. Any directions on same will be appreciated.

Related

How do I load apt-key for Ignite with the new key install process?

When following the steps for Ubuntu/Debian install on:
https://ignite.apache.org/docs/latest/installation/deb-rpm
sudo update generates this warning:
$ sudo apt update
All packages are up to date.
http://apache.org/dist/ignite/deb/dists/apache-ignite/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
The man page shows a solution for a simple wget load
I'm not sure how that tracks against the instruction in the install step:
$ sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 0EE62FB37A00258D
wget doesn't let me use the URL.
I'm hoping someone can recommend instructions for translating the above instruction into the up to date apt command to load a key.
The information to deal with deprecated command is in the man page:
$ man apt-key
DEPRECATION
Except for using apt-key del in maintainer scripts, the use of apt-key is deprecated. This section
shows how to replace existing use of apt-key.
If your existing use of apt-key add looks like this:
wget -qO- https://myrepo.example/myrepo.asc | sudo apt-key add -
Then you can directly replace this with (though note the recommendation below):
wget -qO- https://myrepo.example/myrepo.asc | sudo tee /etc/apt/trusted.gpg.d/myrepo.asc
Make sure to use the "asc" extension for ASCII armored keys and the "gpg" extension for the binary OpenPGP format (also known as "GPG key public ring"). The binary OpenPGP format
works for all apt versions, while the ASCII armored format works for apt version >= 1.4.
Recommended: Instead of placing keys into the /etc/apt/trusted.gpg.d directory, you can place them anywhere on your filesystem by using the Signed-By option in your sources.list and
pointing to the filename of the key. See sources.list(5) for details. Since APT 2.4, /etc/apt/keyrings is provided as the recommended location for keys not managed by packages. When
using a deb822-style sources.list, and with apt version >= 2.4, the Signed-By option can also be used to include the full ASCII armored keyring directly in the sources.list without
an additional file.
How do I get this: hkp://keyserver.ubuntu.com:80 --recv-keys 0EE62FB37A00258D, into the file as shown in the manual?
While this isn't specifically an Apache Ignite issue, I sympathize with your difficulty.
The documented apt-key command syntax uses a PGP key exchange server protocol URL (e.g. "hkp://..") but you may not know that Horowitz Key Protocol (HKP) is based on HTTP. If you change the hkp URL to http (note that https will not always work, so use http explicitly), a browser will render a search form allowing you to enter a keychain ID, like the given '0EE62FB37A00258D' ID.
http://keyserver.ubuntu.com:80/
The page with search results will yield a link to a MIME encoded PGP public key.
http://keyserver.ubuntu.com/pks/lookup?op=get&search=0x390ef70bb1ea12b2773962950ee62fb37a00258d
The search term in this URL is a PGP fingerprint for the public key you want. The key ID in the documentation is a truncation of the least significant bits of the fingerprint, and so the key ID substring can also be used to search and get the key.
https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x0EE62FB37A00258D
Please try this URL as modeled in the apt-key deprecation warning in lieu of the https://myrepo.example/myrepo.asc example.
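The translation asked for above, as an added example that is not part of the original question or answer: it turns the hkp:// keyserver and key ID into a lookup URL, checks the downloaded key against the full fingerprint quoted in the answer, and stores it under /etc/apt/keyrings for use with signed-by. The function names, the keyring filename apache-ignite.gpg and the component "main" are assumptions.

```shell
#!/usr/bin/env bash
# Added example (function names are hypothetical): replace `apt-key adv --recv-keys`
# with a fingerprint-checked keyring file referenced through signed-by.

# hkp:// is HTTP underneath (hkps:// is HTTPS); build the "get" lookup URL.
keyserver_url() {
  local server="$1" keyid="${2#0x}"
  case "$server" in
    hkps://*) server="https://${server#hkps://}" ;;
    hkp://*)  server="http://${server#hkp://}" ;;
  esac
  printf '%s/pks/lookup?op=get&search=0x%s\n' "${server%/}" "$keyid"
}

# Canonical form for comparing fingerprints: no spaces, no 0x, upper case.
normalize_fpr() {
  printf '%s' "$1" | tr -d ' ' | sed 's/^0[xX]//' | tr '[:lower:]' '[:upper:]'
}

# True only if the first key in file $1 has primary fingerprint $2.
# A 64-bit key ID is only the tail of the fingerprint, so compare all of it.
key_matches_fpr() {
  local want got
  want="$(normalize_fpr "$2")"
  got="$(gpg --batch --with-colons --with-fingerprint --show-keys "$1" 2>/dev/null |
         awk -F: '$1 == "fpr" { print $10; exit }')"
  [ -n "$got" ] && [ "$got" = "$want" ]
}

# sources.list entry pinned to one keyring: keyring, repo URL, suite, component.
sources_line() {
  printf 'deb [signed-by=%s] %s %s %s\n' "$1" "$2" "$3" "$4"
}

# Download, verify, then store in binary form. Needs root for /etc/apt/keyrings.
install_repo_key() {
  local url="$1" fpr="$2" dest="$3" tmp rc
  tmp="$(mktemp)" || return 1
  wget -qO "$tmp" "$url" && key_matches_fpr "$tmp" "$fpr" &&
    gpg --batch --yes -o "$dest" --dearmor "$tmp"
  rc=$?
  rm -f "$tmp"
  return "$rc"
}

# Usage with the values from this page (keyring filename and "main" are assumptions):
#   install_repo_key "$(keyserver_url hkp://keyserver.ubuntu.com:80 0EE62FB37A00258D)" \
#     390ef70bb1ea12b2773962950ee62fb37a00258d /etc/apt/keyrings/apache-ignite.gpg
#   sources_line /etc/apt/keyrings/apache-ignite.gpg http://apache.org/dist/ignite/deb/ apache-ignite main
```

Once the key lives in its own keyring file, remove the old entry from /etc/apt/trusted.gpg with apt-key del so the deprecation warning goes away and the key is no longer trusted for every repository.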

gpg: no valid OpenPGP data found after update

I recently upgraded my base system and now gpg with version 2.1.x is in use. Unfortunately it does not read my old keyrings any more.
As I see from here, the gpg system should convert it automatically; however, this is not happening on my Ubuntu. How can the old format be converted manually then?
Somehow there was a migration happening in the past already, so there existed following file already: .gpg-v21-migrated. But the new gpg version could not read or find any migrated files. So I removed the file and the keyrings got reimported:
rm ~/.gnupg/.gpg-v21-migrated

Implementing gpg Encryption in Ruby

Trying to convert some old shell/unix scripts into Ruby.
I have the following encryption of a file that's accomplished via the gpg tool in Unix. I can pass in the recipient key, the file I want to encrypt, and the outfile to pgp encrypt something.
gpg --recipient "$my_recipient_key" \
    --encrypt "$my_file" \
    --output "$my_outfile" \
    --always-trust \
    --compress-algo zip
What's the Ruby equivalent to do a simple encryption as above?
After doing some digging, I see:
OpenPGP is popular, but there's no documentation on the RubyGems site and other places are sparse with good examples.
gpgme seems popular and promising. However, I'll be honest, I'm new to Ruby and clicking on the documentation (see link) leaves me a little bit confused about where to start (i.e. a good example would be nice)
I also see other smaller gems and libraries that users have designed, but I'm restricted to using certified gems from the rubyGems database as this is for official work use.
Thanks!
I've used gpgme recently. The code to encrypt a file looked like this
require 'gpgme'

# Only needed if the key has not been imported previously
GPGME::Key.import(File.open(path_to_key))
crypto = GPGME::Crypto.new :always_trust => true
File.open(path_to_encrypt) do |in_file|
  File.open(output_path, 'wb') do |out_file|
    crypto.encrypt in_file, :output => out_file, :recipients => "foo@example.com"
  end
end
You might want to know that there's nothing "certified" about what's on rubygems - anyone can post a gem there (and it takes all of 3 minutes to do so)

Can't open config file: /usr/local/ssl/openssl.cnf on Windows [duplicate]

I have installed OpenSSL 64. I want to use a certificate for my nodejs https server. I ran the following command:
openssl genrsa -out subdomain.domain.com.key 1024
But I have got the error:
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
Loading 'screen' into random state - done
Generating RSA private key, 1024 bit long modulus
.........++++++
.........................................++++++
unable to write 'random state'
e is 65537 (0x10001)
How can I resolve it?
Is this the right command?
The solution is running this command:
set OPENSSL_CONF=C:\OpenSSL-Win32\bin\openssl.cfg
or
set OPENSSL_CONF=[path-to-OpenSSL-install-dir]\bin\openssl.cfg
in the command prompt before using openssl command.
Let openssl know for sure where to find its .cfg file.
Alternatively you could set the same variable OPENSSL_CONF in the Windows environment variables.
NOTE: This can happen when using the OpenSSL binary distribution from Shining Light Productions (a compiled + installer version of the official OpenSSL that is free to download & use). This distribution is "semi-officially" linked from OpenSSL's site as a "service primarily for operating systems where there are no pre-compiled OpenSSL packages".
I have SSL on Apache 2.4.4, and executing this command first did the trick:
set OPENSSL_CONF=C:\wamp\bin\apache\Apache2.4.4\conf\openssl.cnf
Then execute the rest of the commands.
/usr/local/ssl/openssl.cnf
A path like this means the program has been compiled with either Cygwin or MSYS. If you must use this openssl then you will need an interpreter that understands those paths, like Bash, which is provided by Cygwin or MSYS.
Another option would be to download or compile a Windows Native version of openssl. Using that the program would instead require a path like
C:\Users\Steven\ssl\openssl.cnf
which would be better suited for the Command Prompt.
In my case I used the binaries from Shining Light and the environment variables were already updated. But still had the issue until I ran a command window with elevated privileges.
When you open the CMD window be sure to run it as Administrator. (Right click the Command Prompt in Start menu and choose "Run as administrator")
I think it can't read the files due to User Account Control.
SOLUTION!
Just set the -config parameter location correctly, i.e.:
openssl .................... -config C:\bin\apache\apache2.4.9\conf\openssl.cnf
Not sure what is the difference between .cfg & .cnf
In my server I couldn't find .cfg or .cnf
I had created a new file for the same and placed it in the following folder /usr/local/ssl/bin
executed the
.\openssl genrsa -des3 -out <key name>.key 2048
went great..
Simply install Win64 OpenSSL v1.0.2a or Win32 OpenSSL v1.0.2a, you can download these from http://slproweb.com/products/Win32OpenSSL.html. Works out of the box, no configuration needed.

Openssl error 0x02001005 and 0x2006D002 on Windows?

I'm trying to convert a .cer cert to a .p12 one using openssl.
This is the command that I'm using:
C:\OpenSSL-Win32\bin>openssl x509 -inform der -in developer_identity.cer -out developer_identity.pem
I'm continually getting an error and I don't know what it means. How can I figure out how to fix it?
2104:error:02001005:system library:fopen:Input/output error:.\crypto\bio\bss_file.c:163:fopen('C:\OpenSSL-Win32\bin','rb')
2104:error:2006D002:BIO routines:BIO_new_file:system lib:.\crypto\bio\bss_file.c:168:
2104:error:0E078002:configuration file routines:DEF_LOAD:system lib:.\crypto\conf\conf_def.c:199:
EDIT 1
I'm not entirely sure if I'm using it correctly so I'll outline what I tried.
1) Downloaded openssl.exe and installed it.
2) Copied the cert file I want to work with to the bin folder in the install location.
3) Entered the command at the top of this post
I had the same problem. I resolved with the above answer.
Just type, depending on 32 or 64 bits:
C:> set OPENSSL_CONF=C:\OpenSSL-Win32\bin\openssl.cfg
or
C:> set OPENSSL_CONF=C:\OpenSSL-Win64\bin\openssl.cfg
Thanks.
C:\OpenSSL-Win32\bin
Looks like it's trying to open a directory for reading? Does openssl work generally or is there some problem with its installation?
How about adding argument:
-config <full_path_to_the_openssl_config_file>
for example:
-config c:\OpenSSL-Win3\bin\openssl.cfg
so your command looks like this:
openssl x509 -inform der -in developer_identity.cer -out developer_identity.pem -config c:\OpenSSL-Win3\bin\openssl.cfg
Not sure if this is still an open issue for you or not, but I just solved this for myself.
From a Windows command prompt:
C:\> set OPENSSL_CONF=C:\OpenSSL-Win32\bin\openssl.cfg
I don't understand why everyone suggests changing your Environment Variables. For me, it was already set. Perhaps the older versions didn't? I guess double check it's set right. Either way, I was unable to use openssl at all. Restarting Windows after installation solved the issue.
I solved the problem by moving the openssl directory to the root of C: drive and setting the env variable.
