GPG basics

There are lots of long and drawn out descriptions about how to use GPG that drag you into all of the myriad GPG options, the history and politics of public key encryption, number theory and encryption theory and so forth. But you probably just want to know how to generate your own key pair, and maybe encrypt and decrypt files.

Most of what follows is from a tutorial by Thomas Chung.

Here is what I did:

gpg --gen-key

GPG then takes you through a dialog, where you answer lots of questions you are probably not well prepared to answer. I chose to generate the default (DSA and Elgamal). It tells me the DSA keypair will have 1024 bits, and then I select a 2048 bit keysize for the Elgamal key. After that I just follow along, providing my real name and email when asked for it. I do specify a pass phrase (PEN), and away it goes.

Files get placed into ~/.gnupg and I can peek at my keys via:

gpg --list-keys

Once you have a key pair, you can pass the public key out freely. You should NEVER distribute your private key. If someone wants to securely send you a document, they can encrypt it with your public key, and you can decrypt it with your private key. Likewise, if you want to securely send a document, you can encrypt it with your private key, and anyone with your public key can decrypt it. (The latter, which is what signing a document amounts to, doesn't provide much security, but it does guarantee to recipients that your message is authentic and has not been tampered with.)

You can export your public key into an ASCII file via:

gpg --export --armor 'Billy Bob' >RPM-GPG-KEY-billy

or the equivalent:

gpg --export -a 'Billy Bob' >RPM-GPG-KEY-billy

Now suppose someone (fred) has sent you their public key (that they generated via the preceding process) and you want to send them a document. The first thing you do is import their public key via:

gpg --import RPM-GPG-KEY-fred

After doing this, you encrypt a message to send them via:

gpg --out cyphertext --encrypt plaintext

If you issue the preceding command, you will be prompted to indicate the user id. You can give either their email address or their name. Alternatively, you can specify their user id (in either fashion, but you will probably need to put quotes around a first/last name pair) on the command line via:

gpg -r joe@spam.com --out cyphertext --encrypt plaintext

To decrypt such a message, do this:

gpg --out plaintext --decrypt cyphertext

To do this, you need to give your passphrase. Without the --out switch, output goes to standard output.
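
The whole exchange described above, run unattended as an added example (not part of the original tutorial). It assumes GnuPG 2.1 or later; the name "Fred Example", the address fred@example.org, the two throwaway keyrings and the function name gpg_roundtrip are all constructed for the illustration.

```shell
#!/bin/sh
# Added example: constructed names, throwaway keyrings, GnuPG 2.1+ assumed.
gpg_roundtrip() (
    work=$(mktemp -d) || exit 1
    mkdir -m 700 "$work/fred" "$work/me"
    fred() { gpg --homedir "$work/fred" --batch --quiet "$@"; }
    me()   { gpg --homedir "$work/me"   --batch --quiet "$@"; }
    cleanup() {
        gpgconf --homedir "$work/fred" --kill gpg-agent 2>/dev/null || true
        gpgconf --homedir "$work/me"   --kill gpg-agent 2>/dev/null || true
        rm -rf "$work"
    }
    fail() { echo "roundtrip-failed: $1"; cleanup; exit 1; }

    # fred creates a key pair. The empty passphrase is only so this runs
    # unattended; a real key should be protected by a passphrase.
    fred --pinentry-mode loopback --passphrase '' \
         --quick-generate-key 'Fred Example <fred@example.org>' \
         2>/dev/null || fail keygen

    # fred exports the public half; this file is safe to hand out.
    fred --armor --export fred@example.org > "$work/RPM-GPG-KEY-fred" \
        || fail export

    # The sender imports it and encrypts to fred. --trust-model always skips
    # the ownership check because this key was generated a moment ago; with a
    # key received from someone else, compare fingerprints instead.
    me --import "$work/RPM-GPG-KEY-fred" 2>/dev/null || fail import
    printf 'constructed sample message\n' > "$work/plaintext"
    me --trust-model always --recipient fred@example.org \
       --output "$work/cyphertext" --encrypt "$work/plaintext" || fail encrypt

    # The sender holds only fred's public key, so decryption must fail here.
    if me --output "$work/leak" --decrypt "$work/cyphertext" 2>/dev/null; then
        fail "sender could decrypt"
    fi

    # fred, who holds the private key, recovers the original bytes.
    fred --output "$work/decrypted" --decrypt "$work/cyphertext" 2>/dev/null \
        || fail decrypt
    cmp -s "$work/plaintext" "$work/decrypted" || fail mismatch
    cleanup
    echo roundtrip-ok
)

gpg_roundtrip
```

The sender's failed decryption is the point of the exercise: importing a public key lets you encrypt to its owner, but gives you no way to read what you encrypted.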

Adventures in Computing / tom@mmto.org