Need to import a single GnuPG public key into the pubring - gnupg

This is for a Python based GnuPg user friendly front-end program.
Have been trying to find the command for importing just one public key, rather than all of them.
This imorts all keys in the file
gpg --import Some_pub_keys.txt
I tried this:
gpg --import 6CA398EA Some_pub_keys.txt
To only import this key 6CA398EA, but it did not work.
Is there a command for importing just a single key?

What you want is this:
gpg --no-default-keyring --keyring myapp_keyring.gpg --import a_key.asc
The first flag tells GPG not to use your default keyrings, the second tells it to use the file myapp_keyring.gpg as the keyring file and the last is the import command. Note, the alternate keyring file MUST be of the GPG or OpenPGP format, so it will generally use either the .gpg or .pgp extension and not .txt (or anything else).

Related

How to convert a GPG key into a .asc file without knowing the passcode

I have lost the passcode to a GPG keypair, and need to recover it. In the process of doing so I need to convert into a .asc file for gpg2john. However the GPG cli askes for a password to convert it into the ascii-armored version... which I do not have. Is there anyway for me to get the .asc file from just the keys.
I can not use the below command as it requires a password.
gpg --export-secret-key --armor
Note: recover lost gpg password doesn't seem have any real answers.
Apparently (see recover lost gpg password), gnupg added code to require a passphrase for export in newer versions. If you install an old, old version, like
brew install gnupg#1.4
you can then call
gpg1 -a --export-secret-keys ID >exportedPrivateKey.asc
without having to enter a passphrase.
Needless to say, only use gpg1 for that one task, not for ongoing encryption ;)

How to encrypt a file using gpg key from files in Go?

I'm doing some works about secure communication. I generated a gpg key in the bash. It is easy to encrypt a file in the bash, however, I want to do that in Go.
The go package openpgp seems not having relative functions, so how can I do that?
Thanks.

Windows, OpenSSL generate a new .pem from key.pem and cert.pem

I have the following files Cert.pem, Key.pem, CACert.pem
I have been told that I need to decrypt the key.pem.
1) What is the windows OpenSSL command to do this?
I need to combine the decrypted key.pem file with the cert.pem file to produce a new cert.pem file.
2) What is the windows OpenSSL command to do this?
Thanks
Unix installations of OpenSSL should include man pages, but Windows versions often do not because Windows doesn't usually have any way of finding and displaying them. man pages for the currently supported releases, plus 'master' which is the development head, are available on the OpenSSL website at https://www.openssl.org/docs/manpages.html . All OpenSSL 'commands' are actually run by the (single) program openssl, thus you execute pkey some args by running
openssl pkey some args
rem if openssl.exe is on your PATH or in the current directory, otherwise
x:\path\to\openssl pkey some args
You don't mention having the password for the encrypted key file; I hope you do because you can't decrypt (or do anything else) without it.
For 1.0.0 up, pkey is the preferred way to convert private keys, including encrypting and decrypting; see its man page. In brief you simply tell pkey to read from the input file and write to the output file, and omit any specification of a cipher; that omission will cause it to write an unencrypted key. Note pkey will write the output in PKCS8 format, which is preferred for most purposes, but if you actually need a 'legacy' or 'traditional' format for some reason -- ask whoever 'told' you what software this file will be used with -- 1.1.0 pkey can do this but earlier cannot.
If you are stuck with a 0.9.x release, usually only on obsolete systems, use pkcs8 -topk8 -nocrypt for PCKS8 output; see that.
If you need legacy/traditional format (on a release below 1.1.0) you must use the 'legacy' per-algorithm commands, so you need to know what algorithm your key(file) is. Look at the first line where it says -----BEGIN something PRIVATE KEY----- . If something is RSA, use rsa; for DSA dsa; for EC ec; see the respective pages. If something is ENCRYPTED you must decrypt it to PkCS8 as above first, then look at it with asn1parse to determine which algorithm it is, but I expect it's not very likely someone who want a legacy unencrypted key will start with an PKCS8 encrypted one.
OpenSSL does not provide any special operation to combine PEM files, since concatenating files of many types is a common operation. On Unix this is canonically done with the cat program; on Windows it can be done by using the (builtin) copy command with plus-sign(s) in the source; on both Unix and Windows it can be done by creating a file and then appending to it like:
copy decryptedkey.pem combined.pem
type certificate.pem >> combined.pem
rem >> means redirect the output from that command ('type')
rem normally on the console to _the end of_ the named file.
In this case you want to modify cert.pem by adding the contents of decryptedkey.pem, so just do
type decryptedkey.pem >> cert.pem
Alternatively you can use a plaintext editor like notepad. Open both files; select all the text in the second file and copy (or cut) and paste it at the end of the first file; save the modified first file.

PGP TarBall File Signature Keys Verification fails with no valid OpenPGP data found

This is the first time I figured I had better check the keys of the bind software I want to install. So I downloaded what I think is a OpenPGP key ...
$ wget ftp://ftp.isc.org/isc/bind9/9.9.4/bind-9.9.4.tar.gz.sha1.asc
... then I tried to "import" this key like this ...
$ gpg --import bind-9.9.4.tar.gz.sha1.asc
... but I get this error message:
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0
What am I doing wrong?
Thanks!
The command syntax is gpg bind-9.9.4.tar.gz.sha1.asc. Of course, this gives an error that no public key is found. You can download public keys from pgpkeys.mit.edu.
This article explains the process step-by-step.
Sometimes, you read words like these: “It is essential that you verify the integrity of the downloaded files using the PGP or MD5 signatures […] using the following commands […]”.
gpg --import KEYS
gpg --verify <software-bundle>.asc
You know you should do. And without reading all of it, you may think: Two commands, one to attach the signature file and one to verify the downloaded software. It is not.
KEYS does not refer to the downloaded asc file, but to a special file named KEYS that you need to download separately. See the step “Download KEYS”. The link is not pointing to the asc file as you might think. It points to something else. These KEYS are needed to check the integrity of the asc file itself. The second command seems to perform both checks then. It verifies the asc file given as parameter (using the imported keys), but if you try to run it on the standalone asc file, it says:
gpg: no signed data
gpg: can't hash datafile: No data
So I think it also verifies the integrity of the software, too, which is expected to be a file with the same name except the tailing .asc in the same directory. (But I didn’t find a proof for this to be true by now.)

Linux / Windows Shell Scripting to Unlock PGP File

I have a sequence of scripts which downloads PGP files from a FTP server. I then unzip these files with a private key using PGPKeys. The unzipped files are then picked up by a SQL Server job which appends the data onto our database. I'd like to automate the entire process. Is there anyway to unzip a PGP locked file using shell scripting (either Linux or Windows)?
That's a perfect task to automize, I can help you in Linux.
First you can use wget to download a file
wget ftp://website.com/yourpgparchive.zip
If your ftp website requires authenticated access use
wget --ftp-user=USER --ftp-password=PASSWORD ftp://ftp.site/archive.zip.pgp
Then you need gpg (the open source PGP implementation) to decrypt the file
gpg -o file.zip -d file.zip.gpg
(If you need some suggestion on how to import keys and get started with gpg check here)
Then you can just unzip the file with
unzip file.zip
You may need to install gnupg and unzip from your package manager.
Yes, GPG. In your case, it's just gpg -d filename (or just gpg -d to read from stdin).
And, what you probably wanted to say is decrypt instead of unzip and encrypted instead of locked.

Resources