pgp_workshop

Differences

This shows you the differences between two versions of the page.

pgp_workshop [2025/04/16 08:11] userapgp_workshop [2025/05/29 07:47] (current) – [The actual Key signing] usera
Line 167: Line 167:
  
 The way it is done is the following: The way it is done is the following:
-  - The file is **hashed** (see the paragraph below).+  - The file is **[[hashed|hashed]]** (see the paragraph below).
   - This hashed file is encrypted with your private key   - This hashed file is encrypted with your private key
   - The result is added at the end of your file, giving a **signed** file.   - The result is added at the end of your file, giving a **signed** file.
- 
-<div class="warning" style='padding:0.1em; background-color:#E9D8FD; color:#69337A'> 
-<span> 
-<p style='margin-top:1em; text-align:center'> 
-<b>Hash function</b></p> 
-<p style='margin-left:1em;'> 
-<b>to hash</b> means applying a <b>hash function</b>. A hash function is a complicated function that: 
-<ol> 
-<li>for any file or string input returns a string of a fixed size</li> 
-<li>is injective (two different inputs give two different output)</li> 
-<li>is very hard to invert (two inputs that are different by only one character will give two very different outputs)</li> 
-</ol> 
-</p> 
-</span> 
-</div> 
  
 Actually, in most case you will do both: signing (with your private key) then encrypting (with the public key of someone else). The person receiving the message will decrypt it with their private key, and then extract the signature and verify it with your public key. Actually, in most case you will do both: signing (with your private key) then encrypting (with the public key of someone else). The person receiving the message will decrypt it with their private key, and then extract the signature and verify it with your public key.
  
 +
 +==== First step if you only set up Thunderbird with PGP so far ====
 +
 +If you were on Windows and set up your keys with Kleopatra, the command line gpg tool will already know those keys. However, if you used the PGP key manager from thunderbird, it is different. You will therefore have to copy all your keys from the thunderbird key manager to the keys that are known by the gpg command line tool.
 +
 +This is how to do it. First, go to the key manager, select your own key, that you will use to sign things with, and click on File->Backup Secret Key to File, then find a location on your computer (you will be asked for a passphrase for this, please use a [[diceware|good one]])
 +
 +Then, open a command line, navigate to the directory where your secret key file is located and enter:
 +
 +<code>
 +gpg --import [filename]
 +</code>
 +
 +where [filename] is the name of this secret key file. you then need to tell the gpg command tool to use this key as a default signing key. This is done by the command:
 +
 +<code>
 +echo 'default-key:0:"[fingerprint]' | gpgconf --change-options gpg
 +</code>
 +
 +where [fingerprint] is the fingerprint of your key. You can find it with the command:
 +
 +<code>
 +gpg --fingerprint [NAME]
 +</code>
 +
 +where [NAME] can be a small part of your mail address: gpg is cleaver enough to do a search among your keys and guess which one is the closest. 
 +
 +You are then ready to sign files and keys !
 ==== Checking the integrity of a downloaded file ==== ==== Checking the integrity of a downloaded file ====
  
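Review bot: the new "First step if you only set up Thunderbird" section lacks a step for what to do with the exported secret-key file after `gpg --import [filename]`: once the key is in the gpg keyring, that file is a second copy of the private key sitting in whatever directory the reader chose, so the section should tell the reader to delete it (or move it to the same secure backup location as the rest of the key material) once the import succeeds, and should say explicitly that the passphrase prompt at "Backup Secret Key to File" protects that file, not the key in the keyring. Two smaller points in the same hunk: "gpg is cleaver enough" should read "clever", and the removed hash-function box is better gone than kept, since it stated that a hash function "is injective (two different inputs give two different output)", which no fixed-output-size function can be; the property the signing argument needs is collision resistance (it is infeasible to find two inputs with the same hash), and the sentence about one-character changes giving very different outputs describes the avalanche effect, not hardness of inversion. The replacement link `[[hashed|hashed]]` only helps if the target page gets those definitions right, so please check it.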
Line 263: Line 276:
  
 GPG is a lot based on the trust that you are talking to the right person. Therefore, to tell to the whole world that you trust some public key, you should **sign the public keys** of other people. GPG is a lot based on the trust that you are talking to the right person. Therefore, to tell to the whole world that you trust some public key, you should **sign the public keys** of other people.
 +
 +=== Note if you used Thunderbird and not Kleopatra ===
 +
 +To sign a key, you need to use the command line gpg, so as said before, if you used Kleopatra to generate your keys, you are good to go, as the gpg tool will already know your keys. However, if you used Thunderbird, you need to copy the keys you want to sign. This is how you do it.
 +  - First, go to the PGP key manager in Thunderbird
 +  - Select the public key you want to sign, then right click and click on Export public key to file and select a location on your computer
 +  - Open a command line, navigate to the folder where your file is and enter ''%%gpg --import [FILENAME]%%'', where [FILENAME] is the file you exported the public key to
 +  - repeat the operaton for each key you want to sign
 +
 +=== The actual Key signing ===
  
 This is how to do it (as recommended [[https://gist.github.com/F21/b0e8c62c49dfab267ff1d0c6af39ab84|here]]): This is how to do it (as recommended [[https://gist.github.com/F21/b0e8c62c49dfab267ff1d0c6af39ab84|here]]):
  
   - Alice (you) get the public key of Bob   - Alice (you) get the public key of Bob
-  - Alice sign it with her private key: <code>gpg --sign-key [key_id]</code> where <code>[key_id]</code> is the fingerprint of the Bob public key. In the process you will be asked to check that the fingerprint match with the key of the other person, which you should do in a secure channel, or in person, with the person owning the key. +  - Alice sign it with her private key: ''%%gpg --sign-key [key_id]%%'' where ''%%[key_id]%%'' is the fingerprint of the Bob public key. In the process you will be asked to check that the fingerprint match with the key of the other person, which you should do in a secure channel, or in person, with the person owning the key. Note: you can at every time look at all signatures on a key with the command: ''%%gpg --list-sig [NAME]%%'', with [NAME] being for example part of the mail address associated with the key. 
-  - Alice exports, then encrypts the signed key with Bob public key, with the following command: <code>gpg --armor --export [key_id] | gpg --sign --encrypt -r [key_id] > [filename]</code>, where <code>[key_id]</code> is the fingerprint of Bob public key and <code>[filename]</code>is the output filename+  - Alice exports, then encrypts the signed key with Bob public key, with the following command: <code>gpg --armor --export [key_id] | gpg --sign --encrypt -r [key_id] > [filename]</code>, where ''%%[key_id]%%'' is the fingerprint of Bob public key and ''%%[filename]%%'' is the output filename. Note: you can alternatively, since you already configured your mails for this, just export the key with ''%%gpg --armor --export [key_id] > [filename]%%'', and attach it to a mail encrypted with your mail client.
   - Alice emails the key to Bob using the mail address associated with the key   - Alice emails the key to Bob using the mail address associated with the key
-  - Bob receives it, then decrypt it with his private key and import it: <code>gpg --decrypt [filename]</code> and then <code>gpg --import [filename_decrypted]</code> +  - Bob receives it, then decrypt it with his private key and import it: ''%%gpg --decrypt [filename]%%'' and then ''%%gpg --import [filename_decrypted]%%'' 
-  - He can then send it to a keyserver, containing Alice signature: <code>gpg --send_keys [key_id]</code>+  - He can then send it to a keyserver, containing Alice signature: ''%%gpg --send_keys [key_id]%%''
  
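Review bot: the last step's command `gpg --send_keys [key_id]` will not run; gpg long options use hyphens, so it should be `gpg --send-keys [key_id]`. In Bob's step, `gpg --decrypt [filename]` writes the plaintext to standard output and does not create `[filename_decrypted]`; either write `gpg --output [filename_decrypted] --decrypt [filename]` before the import, or collapse the two commands into `gpg --decrypt [filename] | gpg --import`, which also avoids leaving a decrypted copy on disk. The documented spelling of the signature-listing command in step 2 is `gpg --list-sigs [NAME]` (or `--list-signatures`), and "repeat the operaton" in the Thunderbird note should read "operation".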
pgp_workshop.1744791094.txt.gz · Last modified: by usera