Unattended GPG command script hangs at the gpg command

Time: 2014-05-21 09:55:38

Tags: bash gnupg

I want to create an automated GnuPG key generation script for someone who, although they run Ubuntu, isn't comfortable using the CLI. In addition, someone else manages their computer, keeping it up to date and in good running order, so they don't have root/sudo access either. And I really want to avoid doing as much as possible via instructions over the phone... been there too many times to know what a PITA that is!

So I borrowed heavily for this script from an example I found on the gnupg.org forums (I think?). But no matter how much mouse activity is generated over 3 or 4 minutes, once the gpg --gen-key --batch command runs it doesn't seem to do anything. All the echo statements, btw, are just a temporary way of showing the script's progress, which isn't getting very far.

#!/bin/bash

# First run give your server some work, otherwise gpg won't be able to generate random bytes.
#sudo rngd -r /dev/urandom
#no sudo so:
echo -e "\nYou need to begin moving your mouse continuously and in random patterns for as long as it takes to generate a new key. This could take a minute or two, so be patient and just keep moving the mouse.\n"

echo -e "\ngpg --gen-key --batch\n"
gpg --batch --gen-key

%echo Generating a default key
Key-Type: default
Key-Length: 2048
Subkey-Type: default
Name-Real: Firstname Lastname
Name-Comment: No comment
Name-Email: user@domain.com
Expire-Date: 0
Passphrase: abcde
%pubring foo.pub
%secring foo.sec
# Do a commit here, so that we can later print "done" :-)
%commit
%echo done

# kill the rngd task.
#sudo service rng-tools stop


echo -e "\ngpg -k\n"
gpg -k

# get key id for newly created passkey
echo -e "\nkId=$(gpg -k Firstname|grep pub|sed -r 's/^pub[ ]*2048R\/([A-Z0-9]{8,})[ ]*.*$/\1/')\n" #; echo "\$kId: ${kId}"
kId=$(gpg -k Firstname|grep pub|sed -r 's/^pub[ ]*2048R\/([A-Z0-9]{8,})[ ]*.*$/\1/') ; echo -e "\n\$kId: ${kId}\n"

# set key as the default key (if desired) by entering this line in your ~/.bashrc
echo -e "\nexport GPGKEY=$kId\n"
export GPGKEY="$kId"

# restart the gpg-agent and source your .bashrc again
echo -e "\nkillall -q gpg-agent\n"
killall -q gpg-agent
eval $(gpg-agent --daemon)
source ~/.bashrc

#create revocation cert
echo -e "\ngpg --output revoke.asc --gen-revoke $GPGKEY\n"
gpg --output revoke.asc --gen-revoke $GPGKEY

# send public key to keyserver
echo -e "\ngpg --send-keys --keyserver keyserver.ubuntu.com $GPGKEY\n"
#gpg --send-keys --keyserver keyserver.ubuntu.com $GPGKEY

I'm wondering whether anyone can see any obvious problems, or any missing key details needed to feed 'gpg'?

Even when I run the script with the sudo rngd -r /dev/random command, which I need to bypass for the target user (who has no sudo access), I get the same thing.

So I'm guessing the problem is in the key parameters I'm trying to pass to gpg, but I've cross-referenced them with the man page and can't seem to find where the problem is. Interestingly, though, gpg does not return an error.

1 answer:

Answer 0 (score: 4)

For batch key generation, GnuPG expects the commands to be supplied in a file; compare with the GnuPG manual page on batch key generation.

cat <<EOT >batch-cmds
%echo Generating a default key
Key-Type: default
Key-Length: 2048
Subkey-Type: default
Name-Real: Firstname Lastname
Name-Comment: No comment
Name-Email: user@domain.com
Expire-Date: 0
Passphrase: abcde
%pubring foo.pub
%secring foo.sec
# Do a commit here, so that we can later print "done" :-)
%commit
%echo done
EOT
gpg --batch --gen-key batch-cmds

Consider the security implications of storing the passphrase in a file on the hard disk. I'm not sure whether you can also pipe the contents directly into GnuPG instead of storing them in a file. Try something like this:

gpg --batch --gen-key <<EOT
%echo Generating a default key
Key-Type: default
Key-Length: 2048
Subkey-Type: default
Name-Real: Firstname Lastname
Name-Comment: No comment
Name-Email: user@domain.com
Expire-Date: 0
Passphrase: abcde
%pubring foo.pub
%secring foo.sec
# Do a commit here, so that we can later print "done" :-)
%commit
%echo done
EOT
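The following is an added example, not the asker's script or the answerer's code. It puts the answer's here-document approach into a complete script: the parameter block is piped to `gpg --batch --gen-key` on stdin (the piece the original script lacked, which is why gpg sat waiting and then returned silently), the passphrase is read from the terminal rather than hard-coded or written to a parameter file, and the new key's fingerprint is taken from `--with-colons` output instead of the grep/sed on the human-readable listing. The name and e-mail are placeholders, and the `RUN_KEYGEN` variable and function names are this example's own; it assumes a working `gpg` in `$PATH` and enough entropy. Point `GNUPGHOME` at a scratch directory to try it without touching a real keyring.

```shell
#!/bin/sh
# Added example (not from the original post): unattended GnuPG key generation
# with the batch parameter block fed on stdin and the passphrase never stored
# on disk. Name-Real / Name-Email below are placeholders (assumptions).
set -eu

# Emit the GnuPG batch parameter block: one RSA signing key plus an RSA
# encryption subkey. The here-document delimiter is unquoted so ${name} etc.
# expand; the passphrase therefore reaches gpg through a pipe, not a file.
batch_params() {
    name=$1; email=$2; passphrase=$3
    cat <<EOT
%echo Generating key for ${name} <${email}>
Key-Type: RSA
Key-Length: 2048
Key-Usage: sign
Subkey-Type: RSA
Subkey-Length: 2048
Subkey-Usage: encrypt
Name-Real: ${name}
Name-Email: ${email}
Expire-Date: 0
Passphrase: ${passphrase}
%commit
%echo done
EOT
}

# Pull the primary key's fingerprint out of gpg's machine-readable listing:
# the first "fpr" record, field 10. This format is stable across GnuPG
# versions, unlike the "pub   2048R/XXXXXXXX" text the original sed matched,
# and a full fingerprint cannot be spoofed the way an 8-hex-digit key ID can.
fingerprint_from_colons() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Fingerprint of the key belonging to an exact e-mail address.
key_fingerprint() {
    gpg --batch --with-colons --fingerprint --list-keys "<$1>" | fingerprint_from_colons
}

main() {
    name="Firstname Lastname"   # placeholder
    email="user@domain.com"     # placeholder

    # Prompt with terminal echo off: the passphrase is then in neither the
    # script, the shell history, nor any file; only this process and the pipe.
    trap 'stty echo 2>/dev/null' EXIT
    printf 'Passphrase for the new key: ' >&2
    stty -echo; read -r passphrase; stty echo; echo >&2

    echo "Generating the key; keep moving the mouse if it seems stuck (entropy)." >&2
    # The parameter block goes on stdin. The original script ran
    # "gpg --batch --gen-key" with nothing on stdin, so gpg had nothing to do.
    # On GnuPG 2.1 and later you may also need: --pinentry-mode loopback
    batch_params "$name" "$email" "$passphrase" | gpg --batch --gen-key

    fpr=$(key_fingerprint "$email")
    echo "New key fingerprint: $fpr"
    # Use the full fingerprint, not a short ID, for every later step, e.g.
    #   gpg --output revoke.asc --gen-revoke "$fpr"       (interactive prompts)
    #   gpg --keyserver keyserver.ubuntu.com --send-keys "$fpr"
}

# Only generate a key when explicitly asked, so sourcing this file for its
# functions does not touch a keyring.
if [ "${RUN_KEYGEN:-0}" = 1 ]; then
    main
fi
```

Run it as `RUN_KEYGEN=1 sh keygen.sh` (any file name works). Feeding the passphrase through the here-document still means it crosses a pipe in clear text inside the one process tree, which is acceptable; what the answer warns against is leaving it readable on disk in a parameter file or in the script itself.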