2017-10-11

My use case is generating a key pair on a smartcard (Yubikey) using OpenPGP. How can I get the public key from the OpenPGP smartcard without using a keyserver?

The smartcard is then delivered to the user. To simulate this locally I am doing the following:

  1. Generate the keys on the smartcard
  2. Delete the GnuPG home directory
  3. Access the smartcard from the regenerated GnuPG home directory

The problem is that I cannot test encrypting a file after performing the above steps, because the public key seems to be missing. fetch does not seem to work.

At this stage I do not want to share the public key on any online server. After deleting the keyring, is there any way to retrieve the public key from the smartcard?

Below are the steps that were followed:

$ gpg --card-edit                                      

Reader ...........: 1050:0404:X:0 
Application ID ...: D2760001240102010006046314290000 
Version ..........: 2.1 
Manufacturer .....: Yubico 
Serial number ....: 04631429 
Name of cardholder: sm sm 
Language prefs ...: en 
Sex ..............: unspecified 
URL of public key : [not set] 
Login data .......: sm 
Signature PIN ....: not forced 
Key attributes ...: rsa4096 rsa4096 rsa4096 
Max. PIN lengths .: 127 127 127 
PIN retry counter : 3 0 3 
Signature counter : 0 
Signature key ....: 54D4 E469 7056 B390 AE72 CAA1 A507 3320 7876 0302 
     created ....: 2017-10-11 13:16:52 
Encryption key....: ADA3 2D7F 8D66 4F34 C04A 457C DFEB E3E4 A8F1 8611 
     created ....: 2017-10-11 11:14:18 
Authentication key: 18B9 7AB4 0723 46F4 C23A 3DD7 E5C0 6A93 049E F6A8 
     created ....: 2017-10-11 11:14:18 
General key info..: [none] 

gpg/card> admin 
Admin commands are allowed 

gpg/card> generate 
Make off-card backup of encryption key? (Y/n) n 

gpg: Note: keys are already stored on the card! 

Replace existing keys? (y/N) y 
What keysize do you want for the Signature key? (4096) 
What keysize do you want for the Encryption key? (4096) 
What keysize do you want for the Authentication key? (4096) 
Key is valid for? (0) 0 
Is this correct? (y/N) y 
Real name: john doe 
Email address: [email protected] 
Comment: 
You selected this USER-ID: 
    "john doe <[email protected]>" 

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o 

gpg: /home/xxx/.gnupg/trustdb.gpg: trustdb created 
gpg: key 6825CB0EBDA94110 marked as ultimately trusted 
gpg: directory '/home/xxx/.gnupg/openpgp-revocs.d' created 
gpg: revocation certificate stored as '/home/xxx/.gnupg/openpgp-revocs.d/6858F119E93FB74BB561DE556825CB0EBDA94110.rev' 
public and secret key created and signed. 


gpg/card> list 

Reader ...........: 1050:0404:X:0 
Application ID ...: D2760001240102010006046314290000 
Version ..........: 2.1 
Manufacturer .....: Yubico 
Serial number ....: 04631429 
Name of cardholder: sm sm 
Language prefs ...: en 
Sex ..............: unspecified 
URL of public key : [not set] 
Login data .......: sm 
Signature PIN ....: not forced 
Key attributes ...: rsa4096 rsa4096 rsa4096 
Max. PIN lengths .: 127 127 127 
PIN retry counter : 3 0 3 
Signature counter : 4 
Signature key ....: 6858 F119 E93F B74B B561 DE55 6825 CB0E BDA9 4110 
     created ....: 2017-10-11 13:18:11 
Encryption key....: BE05 7FDF 9ACD 05F0 B75A 570F 4711 4B69 A622 C1DC 
     created ....: 2017-10-11 13:18:11 
Authentication key: 7275 2C47 B1EF BFB5 1E6D 0E65 31C7 7DBE 2D22 7E32 
     created ....: 2017-10-11 13:18:11 
General key info..: pub rsa4096/6825CB0EBDA94110 2017-10-11  john doe <[email protected]> 
sec> rsa4096/6825CB0EBDA94110 created: 2017-10-11 expires: never  
           card-no: 0006 04631429 
ssb> rsa4096/31C77DBE2D227E32 created: 2017-10-11 expires: never  
           card-no: 0006 04631429 
ssb> rsa4096/47114B69A622C1DC created: 2017-10-11 expires: never  
           card-no: 0006 04631429 

gpg/card> quit 

$ rm -rf .gnupg/ 

$ gpg --card-status                                      
gpg: directory '/home/smalatho/.gnupg' created 
gpg: new configuration file '/home/smalatho/.gnupg/dirmngr.conf' created 
gpg: new configuration file '/home/smalatho/.gnupg/gpg.conf' created 
gpg: keybox '/home/smalatho/.gnupg/pubring.kbx' created 
Reader ...........: 1050:0404:X:0 
Application ID ...: D2760001240102010006046314290000 
Version ..........: 2.1 
Manufacturer .....: Yubico 
Serial number ....: 04631429 
Name of cardholder: sm sm 
Language prefs ...: en 
Sex ..............: unspecified 
URL of public key : [not set] 
Login data .......: sm 
Signature PIN ....: not forced 
Key attributes ...: rsa4096 rsa4096 rsa4096 
Max. PIN lengths .: 127 127 127 
PIN retry counter : 3 0 3 
Signature counter : 4 
Signature key ....: 6858 F119 E93F B74B B561 DE55 6825 CB0E BDA9 4110 
     created ....: 2017-10-11 13:18:11 
Encryption key....: BE05 7FDF 9ACD 05F0 B75A 570F 4711 4B69 A622 C1DC 
     created ....: 2017-10-11 13:18:11 
Authentication key: 7275 2C47 B1EF BFB5 1E6D 0E65 31C7 7DBE 2D22 7E32 
     created ....: 2017-10-11 13:18:11 
General key info..: [none] 

Answers

1

The OpenPGP smartcard does not store enough information to reconstruct the full OpenPGP public key. You have to import the public key separately: sharing it on a keyserver is one solution, but you can also gpg --export the key and gpg --import it again afterwards for testing.

+0

I assume a keyserver stores the same information as the local public keyring? – Stelios

+1

Indeed, keyservers just provide unverified/unvalidated keys based on either a key ID or fingerprint (long key IDs and fingerprints have only a negligible chance of not uniquely identifying a given key) or a user ID (no verification at all, just search the keyserver network for 'president@whitehouse.gov'). In that sense, uploading the key to a repository is a much stronger concept, as it allows the "trust on first use" discussed above. Whichever way you retrieve the key (from a repository, from a keyserver), you still need to verify the key. –

+0

Thanks for your help Jens. – Stelios

0

It requires the user to manually export the public key before deleting the GNUPGHOME directory, and then re-import the smartcard's public key.

$ gpg --armor --export [email protected] > public.asc 
$ rm -rf ~/.gnupg 
$ gpg --import public.asc 
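The following script is an added example, not code from the original post or from either answer. It wraps the procedure both answers describe (export the public key before wiping GNUPGHOME, import it into the fresh home, let gpg relink the card) and adds the check a practitioner wants afterwards: that the fingerprints the card reports match the key that was just imported. The card in the question was regenerated once (the fingerprints change between the first and second card listing), so an export taken before `generate` would import fine yet be useless for this card; the check catches that. Two facts the script relies on: `fetch` in `gpg --card-edit` downloads the key from the card's "URL of public key" field, which is `[not set]` in the output above, so it cannot work unless the key is hosted somewhere and that URL is written to the card with the `url` admin command; and after `gpg --import`, a plain `gpg --card-status` is what creates the `sec>`/`ssb>` stubs carrying `card-no:` that point decryption and signing at the card. The script assumes GnuPG 2.1+ `--with-colons` formats (`fpr:<sig>:<enc>:<auth>:` from `--card-status`, `fpr:::::::::<fingerprint>:` from key listings); the function names are this example's own, and the `SAMPLE_*` strings are constructed from the fingerprints visible in the question so the check can run without a card.

```shell
#!/bin/sh
# Added example (not from the original post or its answers).
# Assumes GnuPG 2.1+ --with-colons output:
#   gpg --card-status --with-colons                    -> "fpr:<sig>:<enc>:<auth>:"
#   gpg --with-colons --fingerprint --fingerprint <id> -> "fpr:::::::::<fingerprint>:"
# Function names are this example's own; SAMPLE_* strings are constructed.

# Fingerprints of the three card slots, one per line (an empty slot gives an empty line).
card_fprs() {
    awk -F: '$1 == "fpr" { print $2; print $3; print $4 }'
}

# Fingerprints of the primary key and every subkey in a colon-format key listing.
keyring_fprs() {
    awk -F: '$1 == "fpr" { print $10 }'
}

# Succeeds only if every key slot on the card is present in the keyring listing.
#   $1 = output of `gpg --card-status --with-colons`
#   $2 = output of `gpg --with-colons --fingerprint --fingerprint <keyid>`
card_matches_keyring() {
    card=$(printf '%s\n' "$1" | card_fprs)
    ring=" $(printf '%s\n' "$2" | keyring_fprs | tr '\n' ' ') "
    found=0
    for f in $card; do
        case "$ring" in
            *" $f "*) found=$((found + 1)) ;;
            *) return 1 ;;
        esac
    done
    [ "$found" -gt 0 ]   # a card with no keys must not "match" vacuously
}

# --- The procedure from the answers, with the order made explicit ---------------

# Before `rm -rf ~/.gnupg`: export the public key that `generate` created.
export_public_key() {            # $1 = key ID or user ID, $2 = output file
    gpg --armor --export "$1" > "$2"
}

# On the fresh GNUPGHOME: import the public key, then run --card-status so gpg
# creates the secret-key stubs ("sec>"/"ssb>" with card-no:). --import alone
# gives you a public key but no link to the card.
import_and_link_card() {         # $1 = public key file
    gpg --import "$1"
    gpg --card-status >/dev/null
}

# After import: confirm the imported key is the one currently on the card.
verify_key_is_on_card() {        # $1 = key ID
    card_matches_keyring "$(gpg --card-status --with-colons)" \
                         "$(gpg --with-colons --fingerprint --fingerprint "$1")"
}

# --- Constructed samples (fingerprints copied from the question's card output) ---
# Card state after `generate` (second listing in the question).
SAMPLE_CARD='fpr:6858F119E93FB74BB561DE556825CB0EBDA94110:BE057FDF9ACD05F0B75A570F47114B69A622C1DC:72752C47B1EFBFB51E6D0E6531C77DBE2D227E32:'
# Listing of the key exported after `generate`, abridged to the records the check reads.
SAMPLE_RING='pub:u:4096:1:6825CB0EBDA94110:1507727891:::u:::scESC:
fpr:::::::::6858F119E93FB74BB561DE556825CB0EBDA94110:
sub:u:4096:1:31C77DBE2D227E32:1507727891::::::a:
fpr:::::::::72752C47B1EFBFB51E6D0E6531C77DBE2D227E32:
sub:u:4096:1:47114B69A622C1DC:1507727891::::::e:
fpr:::::::::BE057FDF9ACD05F0B75A570F47114B69A622C1DC:'
# Listing of a key exported before `generate` replaced the card's keys (first listing).
SAMPLE_STALE_RING='fpr:::::::::54D4E4697056B390AE72CAA1A507332078760302:
fpr:::::::::ADA32D7F8D664F34C04A457CDFEBE3E4A8F18611:
fpr:::::::::18B97AB4072346F4C23A3DD7E5C06A93049EF6A8:'

# Offline self-check; the gpg-backed functions above need a real card and GnuPG.
if card_matches_keyring "$SAMPLE_CARD" "$SAMPLE_RING" &&
   ! card_matches_keyring "$SAMPLE_CARD" "$SAMPLE_STALE_RING"; then
    echo "sample check passed: current export matches the card, stale export rejected"
else
    echo "sample check failed" >&2
fi
```

With a card attached the flow is `export_public_key 6825CB0EBDA94110 public.asc`, then `rm -rf ~/.gnupg`, then `import_and_link_card public.asc` and `verify_key_is_on_card 6825CB0EBDA94110`; `public.asc` is the artefact that has to travel with the card, since the card itself cannot reproduce it.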