Https

PGP keyserver with download over HTTPS?

  • September 19, 2019

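My company's firewall blocks keyservers on port 80, and some of the distributions I want to support do not yet use HKPS to fetch over TLS.

Is there a keyserver that offers a simple download of a given key over HTTPS? For example, I can fetch my own personal key on Keybase at https://keybase.io/naftulikay/pgp_keys.asc

Is there a resource for fetching keys over HTTPS without using the keyserver protocol? I'm writing Ansible, so it is easy to fetch content over HTTPS.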

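openpgp.org has an HTTPS facility. I just imported a few keys by their fingerprints. The path is predictable; you only need to replace ${KEY_FINGERPRINT} with the fingerprint of the key you want to import. Of course, the key must already have been uploaded to https://keys.openpgp.org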

curl -sSL "https://keys.openpgp.org/vks/v1/by-fingerprint/${KEY_FINGERPRINT}" | \
 gpg --import

The Ubuntu keyserver also has an HTTP(S) API through which keys can be fetched in ASCII format:

curl -sSL "https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x${KEY_FINGERPRINT}" | \
 gpg --import

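Note the | gpg --import pipe, which is used to import the key data into the GnuPG keyring.

Automatically importing GPG/PGP keys over HTTPS:

Since the paths on https://keys.openpgp.org are predictable and vary only by the fingerprint of the key stored on the server, we can automate the import of a list of keys identified by their fingerprints. The below is tested and known to work properly.

To adapt the script to your own use, just replace my (3) sample key fingerprints with the fingerprints of the keys you want to import, and of course set the variable PATHSCRIPTS to your desired path: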

#!/bin/bash

PATHSCRIPTS='/home/pi'

# Create text file using a Here-Doc containing Key Fingerprints of keys to import into keyring:

cat <<EOF > "$PATHSCRIPTS/Key-fingerprints-list.txt"
AEB042FFD73BAA7545EDA021343A2DF613C5E7F8
7AFAF20259E69236E43EEF521F45D0F6E89F27A6
704FCD2556C40AF8F2FBD8E2E5A1DE67F98FA66F
EOF

# Read the text file we created into an array (-t strips the trailing newline from each entry)
readarray -t arrayKeyFingerprints < "$PATHSCRIPTS/Key-fingerprints-list.txt"

# Loop through the array adding each key in turn by its fingerprint from keys.openpgp.org:
for i in "${arrayKeyFingerprints[@]}"; do
   curl "https://keys.openpgp.org/vks/v1/by-fingerprint/$i" | gpg --import
done

The result of the above script (saved as test.sh and executed on a Raspberry Pi) is shown below:

pi@pi4-ap1:~ $ ./test.sh 
 % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                            Dload  Upload   Total   Spent    Left  Speed
100  3212  100  3212    0     0   7629      0 --:--:-- --:--:-- --:--:--  7629
gpg: /home/pi/.gnupg/trustdb.gpg: trustdb created
gpg: key 343A2DF613C5E7F8: public key "Terrence Houlahan (I'm the former NYPD cop living in the UK.  This is my only *personal* key.  Trust no others.) <terrence@houlahan.co.uk>" imported
gpg: Total number processed: 1
gpg:               imported: 1
 % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                            Dload  Upload   Total   Spent    Left  Speed
100  3220  100  3220    0     0  18720      0 --:--:-- --:--:-- --:--:-- 18612
gpg: key 1F45D0F6E89F27A6: public key "Terrence Houlahan (Terrence Houlahan Linux & Network Engineer) <houlahan@F1Linux.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1
 % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                            Dload  Upload   Total   Spent    Left  Speed
100  3252  100  3252    0     0  19473      0 --:--:-- --:--:-- --:--:-- 19473
gpg: key E5A1DE67F98FA66F: public key "Terrence Houlahan (Open-IPcamera Project Developer Key Terrence Houlahan) <terrence.houlahan@open-ipcamera.net>" imported
gpg: Total number processed: 1
gpg:               imported: 1

We list the keys, and there are our (3) imported keys:

pi@pi4-ap1:~ $ gpg --list-keys
/home/pi/.gnupg/pubring.kbx
---------------------------
pub   rsa4096 2011-03-13 [SC]
 AEB042FFD73BAA7545EDA021343A2DF613C5E7F8
uid           [ unknown] Terrence Houlahan (I'm the former NYPD cop living in the UK.  This is my only *personal* key.  Trust no others.) <terrence@houlahan.co.uk>
sub   rsa4096 2011-03-13 [E]

pub   rsa4096 2019-02-06 [SC] [expires: 2029-01-31]
 7AFAF20259E69236E43EEF521F45D0F6E89F27A6
uid           [ unknown] Terrence Houlahan (Terrence Houlahan Linux & Network Engineer) <houlahan@F1Linux.com>
sub   rsa4096 2019-02-06 [E] [expires: 2029-01-31]

pub   rsa4096 2019-02-06 [SC] [expires: ????-??-??]
 704FCD2556C40AF8F2FBD8E2E5A1DE67F98FA66F
uid           [ unknown] Terrence Houlahan (Open-IPcamera Project Developer Key Terrence Houlahan) <terrence.houlahan@open-ipcamera.net>
sub   rsa4096 2019-02-06 [E] [expires: ????-??-??]
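
An added example, not part of the original answer: the commands above pipe whatever the server returns straight into gpg --import, so this variant downloads to a temporary file and imports only if the key's primary fingerprint equals the one requested. It assumes GnuPG 2.2 or later for --show-keys; all function names are hypothetical.

```bash
#!/bin/bash
# Added example (not from the original post): check a fetched key before import.

# A v4 OpenPGP fingerprint is exactly 40 hex digits; reject anything else
# before it is placed into the URL.
valid_fpr() {
    [ "${#1}" -eq 40 ] || return 1
    case $1 in *[!0-9A-Fa-f]*) return 1 ;; esac
}

# stdin: `gpg --with-colons` listing. Prints each primary-key fingerprint,
# i.e. field 10 of the "fpr" record that follows a "pub" record.
primary_fprs() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "sub" { want = 0; next }
             $1 == "fpr" && want { print toupper($10); want = 0 }'
}

# stdin: listing. True only if it holds exactly one primary key, and it is $1.
listing_matches() {
    local expected got
    expected=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    got=$(primary_fprs)
    [ -n "$got" ] && [ "$got" = "$expected" ]
}

# Hypothetical wrapper: download to a temp file, inspect, import only on match.
fetch_verified_key() {
    local fpr="$1" tmp rc=1
    valid_fpr "$fpr" || { echo "bad fingerprint: $fpr" >&2; return 2; }
    tmp=$(mktemp) || return 1
    # -f: fail on HTTP errors instead of handing an error page to gpg.
    if curl -fsSL -o "$tmp" "https://keys.openpgp.org/vks/v1/by-fingerprint/${fpr}" &&
       gpg --show-keys --with-colons "$tmp" | listing_matches "$fpr"; then
        gpg --import "$tmp"; rc=$?
    else
        echo "not importing $fpr: download failed or fingerprint mismatch" >&2
    fi
    rm -f "$tmp"
    return "$rc"
}

# Constructed sample listing: the primary fingerprint is the first one used in
# the post; the subkey ID and subkey fingerprint are made up.
SAMPLE_LISTING='pub:-:4096:1:343A2DF613C5E7F8:1300000000:::-:::scESC:
fpr:::::::::AEB042FFD73BAA7545EDA021343A2DF613C5E7F8:
uid:-::::1300000000::::Sample User <user@example.org>:
sub:-:4096:1:0123456789ABCDEF:1300000000::::::e:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:'
```

In the loop from the script above, `fetch_verified_key "$i"` would take the place of the `curl ... | gpg --import` line.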

Source: https://unix.stackexchange.com/questions/500675