GnuPG (Simplified Chinese)
According to the official website:
- GnuPG is free software that completely implements the OpenPGP standard defined by RFC4880 (also known as PGP). GnuPG lets you encrypt and sign your data and communications; it features a versatile key management system as well as access modules for all kinds of public key directories. GnuPG, also known as GPG, is a command line tool that is easy to integrate with other applications, and it has many front-end applications and libraries. GnuPG also supports S/MIME and Secure Shell (ssh).
Installation
The package pinentry is installed alongside it; it is a collection of simple PIN or passphrase entry dialogs which GnuPG uses to read passphrases. Which pinentry dialog is used is decided by the shell script /usr/bin/pinentry, in the order described in #pinentry.
For graphical front ends or applications that integrate GnuPG, see the list of encryption, signing and steganography software.
Configuration
Directory location
GnuPG uses the environment variable $GNUPGHOME to locate its configuration files. By default this variable is not set, so $HOME is used and the default configuration directory is ~/.gnupg.
To change the default location, run gpg --homedir path/to/file or set GNUPGHOME in the environment.
Configuration files
The default user configuration files are ~/.gnupg/gpg.conf and ~/.gnupg/dirmngr.conf.
The default global configuration file is /etc/gnupg/gpgconf.conf.
None of these configuration files are created by default; you can copy the example file located at /usr/share/doc/gnupg/examples/gpgconf.conf.
The default permissions of the gnupg directory are 700, and those of the files inside it are 600. In other words, only the owner of the directory may read, write and access these files. This is for security reasons; do not change it. If these secure permissions are not in place, you will receive warnings about unsafe files.
Additionally, pacman uses a separate configuration file for package signature verification. See Package signing for details.
Default options for new users
To set some default options for newly created users, place the configuration files in /etc/skel/.gnupg/. When the system creates a new user, the files are copied into that user's GnuPG directory. There is also the addgnupghome command, which creates new GnuPG home directories for existing users:
# addgnupghome user1 user2
This command checks /home/user1/.gnupg and /home/user2/.gnupg and, if a user's GnuPG home directory does not exist, copies the files from the skeleton directory into it.
Usage
- Where a user-id is required, you can instead give the key ID, the fingerprint, the user name or part of the e-mail address; GnuPG is flexible here.
- Where a key-id is required, add the --keyid-format=long option to the command to look it up. For example, to view the primary key, run gpg --list-secret-keys --keyid-format=long user-id; the key-id is the hexadecimal value on the same line as sec.
Create a key pair
Create a key pair with the following command:
$ gpg --full-gen-key
Use the --expert option to choose other encryption algorithms, in particular the newer ECC (elliptic curve cryptography).
The command asks a series of questions; most users will want:
- The default "RSA and RSA" for encryption and decryption.
- The default key size, 3072. Increasing it to 4096 "is extremely costly and gains very little". This post explains why GPG does not default to RSA-4096.
- An expiry date. One year is sufficient for most users. That way, even if you lose access to the keyring, others know the key has expired. If needed, the expiry can be extended later without reissuing the key.
- Your name and e-mail address. The same key can carry several identities, for example several e-mail addresses associated with one key.
- Leave the optional comment empty. The comment field is not well defined and is of limited use.
- A secure passphrase. See how to choose a secure password.
The --gen-key option uses the defaults for key type, key size and expiry, and only asks for a name and an e-mail address.
List keys
List public keys:
$ gpg --list-keys
List private keys:
$ gpg --list-secret-keys
Export your public key
The main use of GPG is to encrypt messages with a public key so that they stay private. You can distribute your public key, and others use it to encrypt messages to you. Your private key must always be kept secret, otherwise the confidentiality of those messages is compromised. See Public-key cryptography for more.
So others need your public key in order to send you encrypted messages.
The following command produces an ASCII-armored version of the public key (the --armor option), for example for publishing it by e-mail:
$ gpg --output public.key --armor --export <user-id>
Alternatively, you can distribute your public key through a key server.
- Use --no-emit-version to avoid printing the version number; this can also be set in the configuration file.
- Omit user-id to export all public keys in the keyring. This can be used to share several identities, or to import them into another program such as Thunderbird.
Import a public key
To send encrypted messages to others, or to verify their signatures, you need their public keys. Import a public key from the file public.key into your keyring:
$ gpg --import public.key
Alternatively, you can import public keys from a key server.
To import a key ID in order to install an Arch Linux package, see the relevant notes for pacman and for makepkg.
Use a keyserver
Publish your public key
You can register your public key with a public key server, so that others can retrieve it without contacting you:
$ gpg --send-keys <key-id>
Search and receive public keys
To look up the details of a public key without importing it, run:
$ gpg --search-keys <key-id>
To import a public key:
$ gpg --recv-keys <key-id>
- Anyone can upload a public key to a key server, so a public key retrieved from a key server should not be trusted blindly. Verify its authenticity by comparing the fingerprint of the key you retrieved with the fingerprint the owner has published on a trusted source (such as the owner's blog or website), or by confirming it with the owner directly by phone or mail. Verifying in several independent ways increases confidence in the retrieved key. See Public key fingerprint for more.
- When importing a public key it is recommended to use the long key ID or the full fingerprint. Short IDs can collide; if you use a short ID, every public key with that short ID will be imported. Here is an example.
- Adding the auto-key-retrieve option to the configuration file automatically imports public keys from the key server when they are needed, but this may leak your privacy. See the "web bug" section in gpg(1).
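One way to perform the fingerprint comparison recommended above programmatically (an added example, not code from this page or from GnuPG): parse the machine-readable listing from gpg --with-colons, compare each primary-key fingerprint with the one published out of band, and derive the long and short key IDs to show how little a short ID actually checks. The colon-separated sample below is constructed (it reuses the fingerprint from this page's keyserver example), and the helper names are my own.

```python
"""Check a retrieved key's fingerprint against one published out of band."""
from __future__ import annotations

import re

# Constructed sample of `gpg --with-colons --fingerprint --list-keys` output.
# An fpr record carries the fingerprint in its 10th field; the first fpr after
# a pub record belongs to the primary key, the one after a sub record to a subkey.
SAMPLE_COLONS = """\
tru::1:1700000000:0:3:1:5
pub:u:3072:1:A87FF9DF48BF1C90:1700000000:1731536000::u:::scESC::::::23::0:
fpr:::::::::931FF8E79F0876134EDDBDCCA87FF9DF48BF1C90:
uid:u::::1700000000::0123456789ABCDEF0123456789ABCDEF01234567::Example User <user@example.com>::::::::::0:
sub:u:3072:1:0011223344556677:1700000000:1731536000:::::e::::::23:
fpr:::::::::00112233445566778899AABBCCDDEEFF00112233:
"""


def normalize_fpr(text: str) -> str:
    """Strip the spaces people put in published fingerprints and upper-case the hex."""
    fpr = re.sub(r"\s+", "", text).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", fpr):  # v4 OpenPGP fingerprints are 160 bits
        raise ValueError(f"not a v4 OpenPGP fingerprint: {text!r}")
    return fpr


def primary_fingerprints(colons_output: str) -> list[str]:
    """Return the fingerprint of every primary key in a --with-colons listing."""
    fprs: list[str] = []
    expect_primary = False
    for line in colons_output.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            expect_primary = True            # the next fpr record is the primary key's
        elif fields[0] == "fpr" and expect_primary:
            fprs.append(fields[9])           # field 10 holds the fingerprint
            expect_primary = False
        elif fields[0] in ("sub", "ssb", "uid"):
            expect_primary = False           # subkey fingerprints are not what we compare
    return fprs


def key_ids(fpr: str) -> tuple[str, str]:
    """Long (64-bit) and short (32-bit) key IDs are just the tail of the fingerprint."""
    return fpr[-16:], fpr[-8:]


def matches_published(colons_output: str, published_fpr: str) -> bool:
    """True only if exactly one primary key was listed and it matches the published fingerprint."""
    found = primary_fingerprints(colons_output)
    return len(found) == 1 and found[0] == normalize_fpr(published_fpr)
```

Feed it the output of gpg --with-colons --fingerprint --list-keys <key-id> after a --recv-keys; a listing with more than one primary key (a short-ID collision) is rejected rather than silently accepted.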
Keyservers
Common public key servers:
- Ubuntu Keyserver: federated, no verification, keys cannot be deleted.
- Mailvelope Keyserver: centralized, verifies e-mail IDs, keys can be deleted.
- keys.openpgp.org: centralized, verifies e-mail IDs, keys can be deleted, no third-party signatures (that is, no web of trust support).
Wikipedia (in English) lists more servers.
An alternative key server can be set with the keyserver option in the #Configuration files, for example:
~/.gnupg/dirmngr.conf
keyserver hkp://keyserver.ubuntu.com
A key server can also be specified for a single command:
$ gpg --keyserver hkps://keys.openpgp.org/ --search-keys 931FF8E79F0876134EDDBDCCA87FF9DF48BF1C90
- If you get the error message gpg: keyserver receive failed: General error and you are using the default HKPS key server pool, set the HKPS pool certificate in dirmngr.conf with hkp-cacert /usr/share/gnupg/sks-keyservers.netCA.pem and then kill the dirmngr process.
- If you get the error message gpg: keyserver receive failed: Connection refused, try switching to a different DNS server.
- You can reach key servers over Tor with the --use-tor option or with Torsocks. hkp://jijrk5u4osbsr34t5.onion is the onion address of the sks-keyservers pool; see this page for details.
- To reach key servers through a proxy, set the http_proxy environment variable and add honor-http-proxy to dirmngr.conf. Alternatively, add http-proxy host[:port] to dirmngr.conf to override the http_proxy environment variable directly. Restart the dirmngr.service user service for the change to take effect.
Web Key Directory
The Web Key Service (WKS) protocol is a new standard for key distribution: an e-mail domain provides its own key server, called the Web Key Directory (WKD). Since GPG version 2.1.16, when encrypting to an e-mail address (such as [email protected]) whose key is not in the local keyring, GPG queries the e-mail domain (example.com) over HTTPS for the OpenPGP key. The auto-key-locate option looks up the key via WKD whenever the local keyring holds no key for that e-mail address.
$ gpg --recipient [email protected] --auto-key-locate --encrypt doc
The GnuPG Wiki lists some e-mail providers that support WKD. If you control the e-mail domain, follow this guide to enable WKD on your domain. You can check whether your public key can be found via WKD at this address.
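The WKD lookup described above, as an added example that is not part of the original page or of GnuPG: it reproduces the mapping from the WKD draft (lower-cased local part, SHA-1, z-base-32) and builds the advanced-method and direct-method URLs that gpg queries, so you can check what your own domain must serve. Function names are my own.

```python
"""Compute the Web Key Directory (WKD) lookup URLs for an e-mail address."""
from __future__ import annotations

import hashlib
from urllib.parse import quote

# z-base-32 alphabet as specified for WKD (not the RFC 4648 base32 alphabet).
ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32(data: bytes) -> str:
    """z-base-32 encode raw bytes, 5 bits per symbol, no padding."""
    out: list[str] = []
    buffer, bits = 0, 0
    for byte in data:
        buffer = (buffer << 8) | byte
        bits += 8
        while bits >= 5:
            bits -= 5
            out.append(ZBASE32_ALPHABET[(buffer >> bits) & 0x1F])
        buffer &= (1 << bits) - 1           # drop the bits already emitted
    if bits:                                # left-align any leftover bits into a last symbol
        out.append(ZBASE32_ALPHABET[(buffer << (5 - bits)) & 0x1F])
    return "".join(out)


def wkd_hash(local_part: str) -> str:
    """The hashed local part: lower-case it, SHA-1 it, z-base-32 encode (32 chars)."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return zbase32(digest)


def wkd_urls(address: str) -> dict[str, str]:
    """Return the two candidate URLs gpg tries: the advanced method first, then the direct one."""
    local_part, _, domain = address.rpartition("@")
    if not local_part or not domain:
        raise ValueError(f"not an e-mail address: {address!r}")
    domain = domain.lower()
    hashed = wkd_hash(local_part)
    # The l= parameter carries the local part as written, so the server can match case-sensitively.
    query = "?l=" + quote(local_part, safe="")
    return {
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{hashed}{query}",
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{hashed}{query}",
    }
```

Serving a binary (not ASCII-armored) key at the direct-method path with a proper certificate is what the linked WKD checker verifies.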
Encrypt and decrypt
Asymmetric encryption and decryption
Before you encrypt (--encrypt or -e) a file or message for another person (--recipient or -r), you need to #Import their public key. If you have not yet #Created your own key pair, do that first.
To encrypt a file named doc:
$ gpg --recipient <user-id> --encrypt doc
To decrypt (--decrypt or -d) a file named doc.gpg that was encrypted with your public key:
$ gpg --output doc --decrypt doc.gpg
gpg prompts for your passphrase and decrypts the data in doc.gpg into doc. If you omit the -o (--output) option, gpg writes the decrypted message to standard output.
- Use the --armor option to encrypt the file in ASCII-armored form (suitable for copying and pasting messages as plain text).
- Use -R <user-id> or --hidden-recipient <user-id> instead of -r to keep the recipient's key ID out of the encrypted message. This helps hide who the recipient is and is a limited countermeasure against traffic analysis.
- Use --no-emit-version to avoid printing the version number; this can also be added to your configuration file.
- You can use GPG to encrypt sensitive files with yourself as the recipient, but only one file at a time, although you can archive several files and then encrypt the archive. To encrypt a directory or a whole file system, see Disk encryption#Available methods.
Symmetric encryption and decryption
Symmetric encryption does not require a key pair and is a simple way to protect a file with a passphrase. Use the -c or --symmetric option:
$ gpg -c doc
The following example:
- symmetrically encrypts doc with a passphrase
- uses the AES-256 cipher algorithm to encrypt the passphrase
- uses the SHA-512 digest algorithm to mangle the passphrase
- mangles it 65536 times
$ gpg -c --s2k-cipher-algo AES256 --s2k-digest-algo SHA512 --s2k-count 65536 doc
The following command decrypts the passphrase-encrypted file doc.gpg and writes the decrypted document to doc in the same directory:
$ gpg --output doc --decrypt doc.gpg
Directories
Directories can be encrypted and decrypted with gpgtar(1).
Encrypt:
$ gpgtar -c -o dir.gpg dir
Decrypt:
$ gpgtar -d dir.gpg
Key maintenance
Backup your private key
Backup your revocation certificate
Edit your key
Running the gpg --edit-key <user-id> command will present a menu which enables you to do most of your key management related tasks.
Some useful commands in the edit key sub menu:
> passwd # change the passphrase
> clean # compact any user ID that is no longer usable (e.g. revoked or expired)
> revkey # revoke a key
> addkey # add a subkey to this key
> expire # change the key expiration time
Type help in the edit key sub menu for more commands.
adduid command. You can then set your favourite one as primary.
Exporting subkey
If you plan to use the same key across multiple devices, you may want to strip out your master key and only keep the bare minimum encryption subkey on less secure systems.
First, find out which subkey you want to export.
$ gpg -K
Select only that subkey to export.
$ gpg -a --export-secret-subkeys [subkey id]! > /tmp/subkey.gpg
At this point you could stop, but it is most likely a good idea to change the passphrase as well. Import the key into a temporary folder.
$ gpg --homedir /tmp/gpg --import /tmp/subkey.gpg
$ gpg --homedir /tmp/gpg --edit-key <user-id>
> passwd
> save
$ gpg --homedir /tmp/gpg -a --export-secret-subkeys [subkey id]! > /tmp/subkey.altpass.gpg
At this point, you can now use /tmp/subkey.altpass.gpg on your other devices.
Extend the expiry time
Rotating subkeys
If you have set your subkeys to expire after a set time, you can create new ones. Do this a few weeks in advance to allow others to update their keyring.
Create new subkey (repeat for both signing and encrypting key)
$ gpg --edit-key <user-id>
> addkey
And answer the following questions it asks (see previous section for suggested settings).
Save changes
> save
Upload it to a keyserver.
$ gpg --keyserver pgp.mit.edu --send-keys <user-id>
Revoke a key
Signatures
Signatures certify and timestamp documents. If the document is modified, verification of the signature will fail. Unlike encryption which uses public keys to encrypt a document, signatures are created with the user's private key. The recipient of a signed document then verifies the signature using the sender's public key.
Sign a file
To sign a file use the --sign or -s flag:
$ gpg --output doc.sig --sign doc
The above also encrypts the file and stores it in binary format.
Clearsign a file or message
To sign a file without compressing it into binary format use:
$ gpg --clearsign doc
This wraps the document into an ASCII-armored signature, but does not modify the document.
Make a detached signature
To create a separate signature file to be distributed separately from the document or file itself, use the --detach-sig flag:
$ gpg --output doc.sig --detach-sig doc
This method is often used in distributing software projects to allow users to verify that the program has not been modified by a third party.
Verify a signature
To verify a signature use the --verify flag:
$ gpg --verify doc.sig
where doc.sig is the signature you wish to verify.
To verify and decrypt a file at the same time, use the --decrypt flag as you normally would in decrypting a file.
If you are verifying a detached signature, both the file and the signature must be present when verifying. For example, to verify Arch Linux's latest iso you would do:
$ gpg --verify archlinux-<version>-dual.iso.sig
where archlinux-<version>-dual.iso must be located in the same directory.
gpg-agent
gpg-agent is mostly used as daemon to request and cache the password for the keychain. This is useful if GnuPG is used from an external program like a mail client.
Starting with GnuPG 2.1.0 the use of gpg-agent is required. gpg-agent is started on-demand by the GnuPG tools, so there is usually no reason to start it manually.
Configuration
gpg-agent can be configured via the ~/.gnupg/gpg-agent.conf file. The configuration options are listed in gpg-agent(1). For example you can change the cache ttl for unused keys:
~/.gnupg/gpg-agent.conf
default-cache-ttl 3600
$ /usr/lib/gnupg/gpg-preset-passphrase --preset XXXXXX
where XXXXXX is the keygrip. You can get its value by running gpg --with-keygrip -K. The passphrase will be stored until gpg-agent is restarted. If you have set a default-cache-ttl value, it will take precedence.
Reload the agent
After changing the configuration, reload the agent with gpg-connect-agent:
$ gpg-connect-agent reloadagent /bye
The command should print OK.
pinentry
gpg-agent can be configured with pinentry-program to use a specific pinentry user interface for prompting the user for a passphrase. For example:
~/.gnupg/gpg-agent.conf
pinentry-program /usr/bin/pinentry-curses
Other pinentry programs are available; see the output of pacman -Ql pinentry | grep /usr/bin/.
For /usr/bin/pinentry-kwallet you need to install the kwalletcliAUR package. Remember to reload the agent after changing the configuration.
Start gpg-agent with systemd user
It is possible to use the Systemd/User facilities to start the agent.
Create a systemd unit file:
~/.config/systemd/user/gpg-agent.service
[Unit]
Description=GnuPG private key agent
IgnoreOnIsolate=true

[Service]
Type=forking
ExecStart=/usr/bin/gpg-agent --daemon
Restart=on-abort

[Install]
WantedBy=default.target
Unattended passphrase
Starting with GnuPG 2.1.0 the use of gpg-agent and pinentry is required, which may break backwards compatibility for passphrases piped in from STDIN using the --passphrase-fd 0 commandline option. In order to have the same type of functionality as the older releases two things must be done:
First, edit the gpg-agent configuration to allow loopback pinentry mode:
~/.gnupg/gpg-agent.conf
allow-loopback-pinentry
Restart the gpg-agent process if it is running to let the change take effect.
Second, either the application needs to be updated to include a commandline parameter to use loopback mode like so:
$ gpg --pinentry-mode loopback ...
...or if this is not possible, add the option to the configuration:
~/.gnupg/gpg.conf
pinentry-mode loopback
Setting pinentry-mode loopback in gpg.conf may break other usage; using the commandline option should be preferred if at all possible. [1]
SSH agent
gpg-agent has OpenSSH agent emulation. If you already use the GnuPG suite, you might consider using its agent to also cache your SSH keys. Additionally, some users may prefer the PIN entry dialog GnuPG agent provides as part of its passphrase management.
To start using GnuPG agent for your SSH keys, enable SSH support in the ~/.gnupg/gpg-agent.conf file:
~/.gnupg/gpg-agent.conf
enable-ssh-support
Next, make sure that gpg-agent is always started. Either follow #Start gpg-agent with systemd user, or add the following to your .bashrc file:
~/.bashrc
# Start the gpg-agent if not already running
if ! pgrep -x -u "${USER}" gpg-agent >/dev/null 2>&1; then
    gpg-connect-agent /bye >/dev/null 2>&1
fi
Then set SSH_AUTH_SOCK so that SSH will use gpg-agent instead of ssh-agent. To make sure each process can find your gpg-agent instance regardless of, for example, the type of shell it is a child of, use pam_env.
~/.config/environment.d/50-ssh_auth_sock.conf
SSH_AGENT_PID DEFAULT=
SSH_AUTH_SOCK DEFAULT="${XDG_RUNTIME_DIR}/gnupg/S.gpg-agent.ssh"
Alternatively, depend on Bash:
~/.bashrc
# Set SSH to use gpg-agent
unset SSH_AGENT_PID
if [ "${gnupg_SSH_AUTH_SOCK_by:-0}" -ne $$ ]; then
    export SSH_AUTH_SOCK="/run/user/$UID/gnupg/S.gpg-agent.ssh"
fi
- If you use a non-default GnuPG #Directory location [broken link: invalid section], run gpgconf --create-socketdir to create a socket directory under /run/user/$UID/gnupg/. Otherwise the socket will be placed in the GnuPG home directory.
- The test involving the gnupg_SSH_AUTH_SOCK_by variable is for the case where the agent is started as gpg-agent --daemon /bin/sh, in which case the shell inherits the SSH_AUTH_SOCK variable from the parent, gpg-agent [2].
Also set the GPG_TTY and refresh the TTY in case user has switched into an X session as stated in gpg-agent(1). For example:
~/.bashrc
# Set GPG TTY
export GPG_TTY=$(tty)
# Refresh gpg-agent tty in case user switches into an X session
gpg-connect-agent updatestartuptty /bye >/dev/null
Once gpg-agent is running you can use ssh-add to approve keys, following the same steps as for ssh-agent. The list of approved keys is stored in the ~/.gnupg/sshcontrol file. Once your key is approved, you will get a pinentry dialog every time your passphrase is needed. You can control passphrase caching in the ~/.gnupg/gpg-agent.conf file. The following example would have gpg-agent cache your keys for 3 hours:
~/.gnupg/gpg-agent.conf
default-cache-ttl-ssh 10800
Smartcards
GnuPG uses scdaemon as an interface to your smartcard reader, please refer to the man page for details.
GnuPG only setups
If you do not plan to use other cards but those based on GnuPG, you should check the reader-port parameter in ~/.gnupg/scdaemon.conf. The value '0' refers to the first available serial port reader and a value of '32768' (default) refers to the first USB reader.
GnuPG with PCSC-Lite
pcscd.service has to be running, or the socket pcscd.socket has to be listening. PCSC-Lite is a daemon which handles access to smartcards (SCard API). If GnuPG's scdaemon fails to connect to the smartcard directly (e.g. by using its integrated CCID support), it will fall back and try to find a smartcard using the PCSC-Lite driver.
Always use PCSC-Lite
If you are using any smartcard with an opensc driver (e.g. ID cards from some countries) you should pay some attention to the GnuPG configuration. Out of the box you might receive a message like this when using gpg --card-status:
gpg: selecting openpgp failed: ec=6.108
By default, scdaemon will try to connect directly to the device. This connection will fail if the reader is being used by another process, for example the pcscd daemon used by OpenSC. To cope with this situation, use the same underlying driver as opensc so that they can work together. To point scdaemon at pcscd, remove reader-port from ~/.gnupg/scdaemon.conf, specify the location of the libpcsclite.so library, and disable ccid to make sure pcscd is used:
~/.gnupg/scdaemon.conf
pcsc-driver /usr/lib/libpcsclite.so
card-timeout 5
disable-ccid
Please check scdaemon(1) if you do not use OpenSC.
Tips and tricks
Different algorithm
You may want to use stronger algorithms:
~/.gnupg/gpg.conf
...
personal-digest-preferences SHA512
cert-digest-algo SHA512
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
personal-cipher-preferences TWOFISH CAMELLIA256 AES 3DES
In the latest version of GnuPG, the default algorithms used are SHA256 and AES, both of which are secure enough for most people. However, if you are using a version of GnuPG older than 2.1, or if you want an even higher level of security, then you should follow the above step.
Encrypt a password
It can be useful to encrypt some password, so it will not be written in clear on a configuration file. A good example is your email password.
First create a file with your password. You need to leave one empty line after the password, otherwise gpg will return an error message when evaluating the file.
Then run:
$ gpg -e -a -r <user-id> your_password_file
-e is for encrypt, -a for armor (ASCII output), -r for recipient user ID.
You will be left with a new your_password_file.asc file.
Revoking a key
- Anybody having access to your revocation certificate can revoke your key, rendering it useless.
- Key revocation should only be performed if your key is compromised or lost, or you forget your passphrase.
Revocation certificates are automatically generated for newly generated keys, although one can be generated manually by the user later. These are located at ~/.gnupg/openpgp-revocs.d/. The filename of the certificate is the fingerprint of the key it will revoke.
To revoke your key, simply import the revocation certificate:
$ gpg --import <fingerprint>.rev
Now update the keyserver:
$ gpg --keyserver subkeys.pgp.net --send <userid>
Change trust model
By default GnuPG uses the Web of Trust as the trust model. You can change this to Trust on First Use by adding --trust-model=tofu when adding a key, or by adding this option to your GnuPG configuration file. More details are in this email to the GnuPG list.
Hide all recipient id's
By default the recipient's key ID is in the encrypted message. This can be removed at encryption time for a recipient by using hidden-recipient <user-id>. To remove it for all recipients add throw-keyids to your configuration file. This helps to hide the receivers of the message and is a limited countermeasure against traffic analysis. (Using a little social engineering, anyone who is able to decrypt the message can check whether one of the other recipients is the one he suspects.) On the receiving side, it may slow down the decryption process because all available secret keys must be tried (e.g. with --try-secret-key <user-id>).
Using caff for keysigning parties
To allow users to validate keys on the keyservers and in their keyrings (i.e. make sure they are from whom they claim to be), PGP/GPG uses the Web of Trust. Keysigning parties allow users to get together in a physical location to validate keys. The Zimmermann-Sassaman key-signing protocol is a way of making these very effective. Here you will find a how-to article.
For an easier process of signing keys and sending signatures to the owners after a keysigning party, you can use the tool caff. It can be installed from the AUR with the package caff-svnAUR [broken link: package not found].
To send the signatures to their owners you need a working MTA. If you do not have already one, install msmtp.
Troubleshooting
Not enough random bytes available
When generating a key, gpg can run into this error:
Not enough random bytes available. Please do some other work to give the OS a chance to collect more entropy!
To check the available entropy, check the kernel parameters:
cat /proc/sys/kernel/random/entropy_avail
A healthy Linux system with a lot of entropy available will have return close to the full 4,096 bits of entropy. If the value returned is less than 200, the system is running low on entropy.
To solve it, remember you do not often need to create keys and best just do what the message suggests (e.g. create disk activity, move the mouse, edit the wiki - all will create entropy). If that does not help, check which service is using up the entropy and consider stopping it for the time. If that is no alternative, see Random number generation#Alternatives.
su
When using pinentry, you must have the proper permissions of the terminal device (e.g. /dev/tty1) in use. However, with su (or sudo), the ownership stays with the original user, not the new one. This means that pinentry will fail, even as root. The fix is to change the permissions of the device at some point before the use of pinentry (i.e. using gpg with an agent). If running gpg as root, simply change the ownership to root right before using gpg:
chown root /dev/ttyN # where N is the current tty
and then change it back after using gpg the first time. The equivalent is likely to be true with /dev/pts/.
tty is not enough.
Agent complains end of file
The default pinentry program is pinentry-gtk-2, which needs a DBus session bus to run properly. See General troubleshooting#Session permissions for details.
Alternatively, you can use pinentry-qt. See #pinentry.
KGpg configuration permissions
There have been issues with kdeutils-kgpg [broken link: package not found] being able to access the ~/.gnupg/ options. One issue might be a result of a deprecated options file, see the bug report.
Another user reported that KGpg failed to start until the ~/.gnupg folder is set to drwxr-xr-x permissions. If you require this work-around, ensure that the directory contents retain -rw------- permissions! Further, report it as a bug to the developers.
Conflicts between gnome-keyring and gpg-agent
While the Gnome keyring implements a GPG agent component, as of GnuPG version 2.1, GnuPG ignores the GPG_AGENT_INFO environment variable, so that Gnome keyring can no longer be used as a GPG agent.
However, since version 0.9.6 the package pinentry provides the pinentry-gnome3 program. You may set the following option in your gpg-agent.conf file
pinentry-program /usr/bin/pinentry-gnome3
in order to make use of that pinentry program.
Since version 0.9.2 all pinentry programs can be configured to optionally save a passphrase with libsecret. For example, when the user is asked for a passphrase via pinentry-gnome3, a checkbox is shown asking whether to save the passphrase using a password manager. Unfortunately, the package pinentry does not have this feature enabled (see FS#46059 for the reasons). You may use pinentry-libsecretAUR [broken link: package not found] as a replacement for it, which has support for libsecret enabled.
mutt and gpg
To be asked for your GnuPG password only once per session as of GnuPG 2.1, see this forum thread.
"Lost" keys, upgrading to gnupg version 2.1
When gpg --list-keys fails to show keys that used to be there, and applications complain about missing or invalid keys, some keys may not have been migrated to the new format.
Please read GnuPG invalid packet workaround. Basically, it says that there is a bug with keys in the old pubring.gpg and secring.gpg files, which have now been superseded by the new pubring.kbx file and the private-keys-v1.d/ subdirectory and files. Your missing keys can be recovered with the following commands:
$ cd
$ cp -r .gnupg gnupgOLD
$ gpg --export-ownertrust > otrust.txt
$ gpg --import .gnupg/pubring.gpg
$ gpg --import-ownertrust otrust.txt
$ gpg --list-keys
gpg hangs for all keyservers (when trying to receive keys)
If gpg hung with a certain keyserver when trying to receive keys, you might need to kill dirmngr in order to get access to other keyservers which are actually working; otherwise it might keep hanging for all of them.
Smartcard not detected
Your user might not have the permission to access the smartcard, which results in a card error being thrown, even though the card is correctly set up and inserted.
One possible solution is to add a new group scard including the users who need access to the smartcard.
Then use a udev [broken link: invalid section] rule, similar to the following:
/etc/udev/rules.d/71-gnupg-ccid.rules
ACTION=="add", SUBSYSTEM=="usb", ENV{ID_VENDOR_ID}=="1050", ENV{ID_MODEL_ID}=="0116|0111", MODE="660", GROUP="scard"
Adapt the vendor and model IDs according to the lsusb output; the example above is for a YubiKey NEO.