小贝子编程

GPG 仍然看到吊销子项的良好迹象仍然有效



>我创建了一个密钥,并创建了一个子密钥。使用子项,我签署了一个文件。验证有效。已吊销密钥,验证不成立。这是预期行为。

但是,如果我尝试使用相同的子项签名并验证它仍然有效。我做错了什么?以下是我正在做的全部工作:

$ gpg --gen-key
$ gpg -k
/Users/mustafa/.gnupg/pubring.kbx
---------------------------------
pub   rsa2048 2019-02-03 [SC] [expires: 2021-02-02]
      5DD923FBCF6392A5CB366167D4C0627A07510C6C
uid           [ultimate] Mustafa <mustafa91@gmail.com>
sub   rsa2048 2019-02-03 [E] [expires: 2021-02-02]

使用编辑键,添加一个子项。

$ gpg --edit-key 5DD923FBCF6392A5CB366167D4C0627A07510C6C
sec  rsa2048/D4C0627A07510C6C
     created: 2019-02-03  expires: 2021-02-02  usage: SC
     trust: ultimate      validity: ultimate
ssb  rsa2048/E058B91696C43666
     created: 2019-02-03  expires: 2021-02-02  usage: E
gpg> addkey
sec  rsa2048/D4C0627A07510C6C
     created: 2019-02-03  expires: 2021-02-02  usage: SC
     trust: ultimate      validity: ultimate
ssb  rsa2048/E058B91696C43666
     created: 2019-02-03  expires: 2021-02-02  usage: E
ssb  rsa2048/38616BDAE66E418C
     created: 2019-02-03  expires: 2019-02-13  usage: S
[ultimate] (1). Mustafa <mustafa91@gmail.com>
gpg> q
Save changes? (y/N) y

对文件进行签名并验证。

$ gpg --armor --detach-sign --default-key 38616BDAE66E418C  test.txt
gpg: using "38616BDAE66E418C" as default secret key for signing
$ gpg --verify test.txt.asc test.txt
gpg: Signature made Sun Feb  3 21:49:43 2019 +03
gpg:                using RSA key 485FC77FC73DA3B800C7F41538616BDAE66E418C
gpg: Good signature from "Mustafa <mustafa91@gmail.com>" [ultimate]
撤销密钥,并显示

消息"此密钥现在在敌人手中"。

$ gpg --edit-key 5DD923FBCF6392A5CB366167D4C0627A07510C6C
gpg> key 2
sec  rsa2048/D4C0627A07510C6C
     created: 2019-02-03  expires: 2021-02-02  usage: SC
     trust: ultimate      validity: ultimate
ssb  rsa2048/E058B91696C43666
     created: 2019-02-03  expires: 2021-02-02  usage: E
ssb* rsa2048/38616BDAE66E418C
     created: 2019-02-03  expires: 2019-02-13  usage: S
gpg> revkey
sec  rsa2048/D4C0627A07510C6C
     created: 2019-02-03  expires: 2021-02-02  usage: SC
     trust: ultimate      validity: ultimate
ssb  rsa2048/E058B91696C43666
     created: 2019-02-03  expires: 2021-02-02  usage: E
The following key was revoked on 2019-02-03 by RSA key D4C0627A07510C6C Mustafa <mustafa91@gmail.com>
ssb  rsa2048/38616BDAE66E418C
     created: 2019-02-03  revoked: 2019-02-03  usage: S
[ultimate] (1). Mustafa <mustafa91@gmail.com>

尝试验证旧签名并查看其失败。

$ gpg --verify test.txt.asc test.txt
gpg: Signature made Sun Feb  3 21:49:43 2019 +03
gpg:                using RSA key 485FC77FC73DA3B800C7F41538616BDAE66E418C
gpg: Good signature from "Mustafa <mustafa91@gmail.com>" [ultimate]
gpg: WARNING: This subkey has been revoked by its owner!
gpg: reason for revocation: Key has been compromised
gpg: revocation comment: This key is now in the hands of the enemy.

但是,尝试使用吊销的密钥进行签名。

$ rm test.key.asc
$ gpg --armor --detach-sign --default-key 38616BDAE66E418C  test.txt
gpg: using "38616BDAE66E418C" as default secret key for signing

为什么它不会失败?如何验证?

$ gpg --verify test.txt.asc test.txt
gpg: Signature made Sun Feb  3 21:53:11 2019 +03
gpg:                using RSA key 5DD923FBCF6392A5CB366167D4C0627A07510C6C
gpg: Good signature from "Mustafa <mustafa91@gmail.com>" [ultimate]

看看你最后的两段摘录。尽管您指定了要38616BDAE66E418C的默认签名密钥,但当您执行验证时,会报告已使用 D4C0627A07510C6C 进行签名。

如果使用 gpg -v 的详细选项,您将看到,如果指定的默认密钥被撤销,它将回退到下一个可用的签名密钥。

为了说明这一点,我重新创建了您的场景:

sec  rsa2048/4E5CB15076F1318E
     created: 2019-02-09  expires: 2021-02-08  usage: SC
     trust: ultimate      validity: ultimate
ssb  rsa2048/3303CBB274AECA3B
     created: 2019-02-09  expires: 2021-02-08  usage: E
The following key was revoked on 2019-02-09 by RSA key 4E5CB15076F1318E Herp Derp <herp@derp.com>
ssb  rsa2048/8ABD3900E64E7972
     created: 2019-02-09  revoked: 2019-02-09  usage: S
[ultimate] (1). Herp Derp <herp@derp.com>

在吊销之前使用子项签名:

$ gpg -v --armor --detach-sign --default-key 8ABD3900E64E7972 test.txt
gpg: using pgp trust model
gpg: using "8ABD3900E64E7972" as default secret key for signing
gpg: using subkey 8ABD3900E64E7972 instead of primary key 4E5CB15076F1318E
gpg: writing to 'test.txt.asc'
gpg: RSA/SHA256 signature from: "8ABD3900E64E7972 Herp Derp <herp@derp.com>"

吊销后使用子项签名:

$ gpg -v --armor --detach-sign --default-key 8ABD3900E64E7972 test.txt
gpg: Note: signature key 8ABD3900E64E7972 has been revoked
gpg: using pgp trust model
gpg: using "8ABD3900E64E7972" as default secret key for signing
gpg: Note: signature key 8ABD3900E64E7972 has been revoked
gpg: writing to 'test.txt.asc'
gpg: RSA/SHA256 signature from: "4E5CB15076F1318E Herp Derp <herp@derp.com>"

您可以看到,在第二个示例中,gpg 将子项标识为已吊销并回退到主键。

相关内容

最新更新


热门标签:

javascript python java c# php android html jquery c++ css ios sql mysql arrays asp.net json python-3.x ruby-on-rails .net sql-server django objective-c excel regex ruby linux ajax iphone xml vba spring asp.net-mvc database wordpress string postgresql wpf windows xcode bash git oracle list vb.net multithreading eclipse algorithm macos powershell visual-studio image forms numpy scala function api selenium