I want to download a PGP key from a keyserver automatically using gpg like this:
gpg --search-keys carol@example.com
gpg is giving me this result.
gpg: searching for "carol@example.com" from hkp server pool.sks-keyservers.net
(1) <carol@example.com>
2048 bit RSA key 2F5E71CD, created: 2015-02-17
Keys 1-1 of 1 for "carol@example.com". Enter number(s), N)ext, or Q)uit >
If I want to add this key to my keyring I need to press "1" and ENTER.
My question is: is there a way to always import the first key found on the keyserver into my keyring automatically? Because if I want to do it with about 200 addresses it would be nice if I could import them by a script without sitting next to the computer and pressing "1" and Enter every time.
I know that it is a security risk to always import the first key automatically, but importing the keys automatically does not mean that I also trust them automatically.
Do not use mail addresses for finding keys when scripting. Everybody can upload keys with arbitrary user IDs in them; key servers do not check anything at all. It is even easily possible to calculate short key ID collisions. Trusting arbitrary keys on key servers provides a very, very dangerous, false assumption of safety.
For scripting purposes, always work with key fingerprints. These are secure against collision attacks and provide a unique identifier for OpenPGP keys (in theory they do not, but they provide a larger key address space than UUIDs do, which in practice are considered unique).
To download a list of fingerprints, use something like
gpg --recv-keys \
0D69E11F12BDBA077B3726AB4E1F799AA4FF2279 \
4AC1999F0BA293E8960AF2DA428C3085AF19CFE9
To simply fetch all keys and verify trust another way (for example through the web of trust, but do not forget to actually do so), you have to script around GnuPG. Here is an example script originally posted on the Security site, which reads a file containing one mail address per line and fetches all matching keys:
# Usage: ./fetch-keys.sh addresses.txt (one mail address per line)
while read -r line; do
# --batch makes --search-keys list matches without prompting; --with-colons gives
# machine-readable records where field 2 of a "pub" line is the key ID
gpg --with-colons --batch --search-keys -- "$line" 2>/dev/null | \
awk 'BEGIN { FS = ":" }; $1=="pub" { print $2 }' | \
xargs gpg --recv-keys
done < "$1"
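The same idea in Python, as an added example that is not from the answer above: it parses the `--with-colons` records the shell pipeline feeds to awk, optionally skips revoked keys, and after the import checks the key's full fingerprint against one pinned in advance, which is the "verify trust another way" step the answer leaves to the reader. The sample records are constructed, the `--with-colons` field layout is assumed from gpg 2.x, and the `fetch_and_check` helper is hypothetical.

```python
import subprocess
from typing import List

# Constructed sample of `gpg --with-colons --batch --search-keys <addr>` output.
# Field 2 of a "pub" record is the key ID (what the answer's awk prints);
# field 7 carries flags such as "r" for revoked (layout assumed from gpg 2.x).
SAMPLE_SEARCH = (
    "pub:2F5E71CD:1:2048:1424131200::\n"
    "uid:carol@example.com::::\n"
    "pub:0123456789ABCDEF:1:2048:1424131200::r\n"
    "uid:carol@example.com::::\n"
)

# Constructed sample of `gpg --with-colons --fingerprint --list-keys <id>`;
# field 10 of an "fpr" record is the full 40-hex-digit fingerprint.
SAMPLE_LISTING = (
    "pub:u:2048:1:BBBBBBBB2F5E71CD:1424131200:::u:::scESC::::::23::0:\n"
    "fpr:::::::::0D69E11F12BDBA077B3726AB4E1F799AA4FF2279:\n"
    "uid:u::::1424131200::HASH::carol@example.com::::::::::0:\n"
)

def key_ids_from_search(output: str, skip_revoked: bool = True) -> List[str]:
    """Key IDs of every matching key, optionally dropping revoked ones."""
    ids = []
    for line in output.splitlines():
        f = line.split(":")
        if f[0] != "pub":
            continue
        flags = f[6] if len(f) > 6 else ""
        if skip_revoked and "r" in flags:
            continue
        ids.append(f[1])
    return ids

def fingerprints_from_listing(output: str) -> List[str]:
    """Full fingerprints from a --with-colons --fingerprint listing."""
    return [ln.split(":")[9] for ln in output.splitlines() if ln.startswith("fpr:")]

def matches_pinned(listing: str, pinned_fpr: str) -> bool:
    """True only if a listed key carries exactly the fingerprint pinned on file."""
    return pinned_fpr.replace(" ", "").upper() in fingerprints_from_listing(listing)

def recv_keys_command(ids: List[str]) -> List[str]:
    return ["gpg", "--batch", "--recv-keys", *ids]

def fetch_and_check(addr: str, pinned_fpr: str) -> dict:
    """Hypothetical live helper: search, import, then verify each imported key."""
    run = lambda cmd: subprocess.run(cmd, capture_output=True, text=True).stdout
    ids = key_ids_from_search(run(["gpg", "--with-colons", "--batch", "--search-keys", "--", addr]))
    if ids:
        subprocess.run(recv_keys_command(ids), check=False)
    return {k: matches_pinned(run(["gpg", "--with-colons", "--fingerprint", "--list-keys", k]),
                              pinned_fpr) for k in ids}
```

A key whose entry in the returned dict is False was imported but is not the pinned one, so it should not be signed or assigned ownertrust.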