Question
GitLab 9.5.0 adds support for checking the gpg signature of commits and displaying the verification status next to the commit hash (release note). This version, however, does not verify commits signed using subkeys (gitlab issue, support is planned).
Is it possible to export the subkeys in gpg and convert them into primary keys, such that these primary keys can be added to GitLab?
Answer
EDIT Oct 2017
Since version 10.1 GitLab has native support for subkeys. You can simply add the full public key. Commits signed with subkeys show up as 'verified' if the email address of your key has been verified in GitLab.
Although the original keyrings should not be changed, I recommend backing up all (public and secret) keyrings first! This solution is experimental!
Create a directory, e.g. sub2primary, and change into it, because the following commands will create quite a number of temporary files, which might mess up your home directory. I will assume the following setup
frank@7777a258a48e:~/sub2primary$ gpg2 --list-keys
/home/frank/.gnupg/pubring.kbx
------------------------------
pub rsa1024/34171358 2017-08-30 [SC]
uid [ultimate] Frank <frank@example.com>
sub rsa1024/320752EA 2017-08-30 [S]
sub rsa1024/BBA338AD 2017-08-30 [E]
on Ubuntu 16.04.
Firstly, you need to export your keys (public and private, primary and subkey) and break them into individual packets.
$ gpg2 --export frank@example.com | gpgsplit -vp pub
$ gpg2 --export-secret-keys frank@example.com | gpgsplit -vp sec
These two commands create a couple of files, each of which corresponds to a single packet. You can inspect the packets with pgpdump. We are interested in the files matching pub*.public_subkey and sec*.secret_subkey. Inspecting one of these files reveals
frank@7777a258a48e:~/sub2primary$ pgpdump sec000004-007.secret_subkey
Old: Secret Subkey Packet(tag 7)(517 bytes)
...
that this is indeed a private subkey. If you have multiple subkeys (e.g. one for signing and one for encryption), I'm not sure how to identify the correct one. In this example, the packets with *000004-* will turn out to contain the keys used for signing. (In doubt, pick one and start over if it was the wrong one.)
gpg2 --list-packets <file>
shows more information about a packet, including the key id. This helps in selecting the correct packet.
Secondly, we need to convert these subkey packets (here pub000004-014.public_subkey and sec000004-007.secret_subkey) into primary key packets. In order to do this, you need a hex editor (vim -b is sufficient) to modify the first byte in each file. Replace the first byte of the public subkey with \x99, and the first byte of the secret subkey with \x95. If you work with vim -b, you can copy the first byte from the primary key files pub000001-006.public_key and sec000001-005.secret_key. (Don't mix public and secret!)
After this procedure pgpdump shows that the keys are now primary ones
frank@7777a258a48e:~/sub2primary$ pgpdump sec000004-007.secret_subkey
Old: Secret Key Packet(tag 5)(517 bytes)
...
Import primary keys
Next, we need to trick gpg into importing these broken packets (they have neither a user id nor a self signature). To do this, simply copy them such that they can be used as keyrings
frank@7777a258a48e:~/sub2primary$ cp pub000004-014.public_subkey ~/.gnupg/tmp
frank@7777a258a48e:~/sub2primary$ cp sec000004-007.secret_subkey ~/.gnupg/sec_tmp
As shown in the next print out, it is possible to tell gpg to use these modified keys.
frank@7777a258a48e:~/sub2primary$ gpg2 --no-default-keyring --keyring tmp --secret-keyring sec_tmp --list-secret-keys
/home/frank/.gnupg/tmp
----------------
sec rsa1024/320752EA 2017-08-30 [SCEA]
frank@7777a258a48e:~/sub2primary$ gpg2 --no-default-keyring --keyring tmp --secret-keyring sec_tmp --list-keys
/home/frank/.gnupg/tmp
----------------
pub rsa1024/320752EA 2017-08-30 [SCEA]
Adding user id
The last step consists of editing this key to add a user id.
frank@7777a258a48e:~/sub2primary$ gpg2 --no-default-keyring --keyring tmp --secret-keyring sec_tmp --edit-key 320752EA
The subcommand adduid will prompt for the necessary information. Once you are done, save. This adds the user id and signs it automatically.
Lastly, you can export the new primary key, which is identical to your old subkey. The output can be added to your profile on GitLab.
frank@7777a258a48e:~/sub2primary$ gpg2 --no-default-keyring --keyring tmp --secret-keyring sec_tmp --armor --export
You should not use the tmp keyrings or this rigged key for any other purposes! You can delete the temporary files once you have uploaded the key. Commits signed with your usual sub-key will now show up as verified on GitLab.
Credit: This solution is inspired by http://atom.smasher.org/gpg/gpg-migrate.txt, which uses similar tools to solve a different problem.
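The answer's "replace the first byte" step and its "pick the right gpgsplit file" step both come down to the OpenPGP packet header described in RFC 4880. In an old-format header the top bit is set, the packet tag sits in bits 2..5 and the length-type in bits 0..1, so a secret subkey (tag 7) with a two-byte length starts with 0x9D and a public subkey (tag 14) with 0xB9; re-tagging them as a secret key (tag 5) or public key (tag 6) gives exactly the 0x95 and 0x99 the answer has you type into the hex editor. The following script is an added example, not code from the answer or from GnuPG: it decodes the header, names the packet type so you can tell which gpgsplit output files are subkeys, and rewrites the tag while checking that the length field still matches the file size. It also handles new-format headers, which the byte values in the answer do not cover. The sample packets at the bottom are constructed zero-filled bodies with the header sizes from the answer, not real key material; convert_file is an assumed helper name.

```python
import struct

# OpenPGP packet tags from RFC 4880, section 4.3
TAG_NAMES = {
    5: "Secret Key",
    6: "Public Key",
    7: "Secret Subkey",
    14: "Public Subkey",
}
# subkey tag -> corresponding primary key tag
SUBKEY_TO_PRIMARY = {7: 5, 14: 6}


def parse_header(data):
    """Decode the first packet header in data.

    Returns (tag, body_offset, body_length, new_format). Only the
    definite-length encodings that key packets use are handled.
    """
    first = data[0]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet header (bit 7 is clear)")
    if first & 0x40:
        # new-format header (RFC 4880 4.2.2): tag in the low 6 bits
        tag = first & 0x3F
        b1 = data[1]
        if b1 < 192:
            return tag, 2, b1, True
        if b1 < 224:
            return tag, 3, ((b1 - 192) << 8) + data[2] + 192, True
        if b1 == 255:
            return tag, 6, struct.unpack(">I", data[2:6])[0], True
        raise ValueError("partial body lengths are not used for key packets")
    # old-format header (RFC 4880 4.2.1): bits 1 0 t t t t l l
    tag = (first >> 2) & 0x0F
    length_type = first & 0x03
    if length_type == 0:
        return tag, 2, data[1], False
    if length_type == 1:
        return tag, 3, struct.unpack(">H", data[1:3])[0], False
    if length_type == 2:
        return tag, 5, struct.unpack(">I", data[1:5])[0], False
    raise ValueError("indeterminate length is not valid for key packets")


def describe(packet):
    """Name the packet type, e.g. to pick the right gpgsplit output file."""
    tag = parse_header(packet)[0]
    return TAG_NAMES.get(tag, "tag %d" % tag)


def subkey_to_primary(packet):
    """Return a copy of a subkey packet re-tagged as a primary key packet.

    Only the tag bits of the header change; the length field and the key
    material are left exactly as they were.
    """
    tag, offset, length, new_format = parse_header(packet)
    if tag not in SUBKEY_TO_PRIMARY:
        raise ValueError("%s packet is not a subkey packet" % describe(packet))
    if len(packet) != offset + length:
        raise ValueError("length field (%d) does not match packet size" % length)
    new_tag = SUBKEY_TO_PRIMARY[tag]
    if new_format:
        first = 0xC0 | new_tag
    else:
        first = 0x80 | (new_tag << 2) | (packet[0] & 0x03)
    return bytes([first]) + packet[1:]


def convert_file(src, dst):
    """Assumed helper: rewrite the gpgsplit output file src as a primary key packet in dst."""
    with open(src, "rb") as f:
        packet = f.read()
    with open(dst, "wb") as f:
        f.write(subkey_to_primary(packet))


# Constructed sample packets (not real key material): the 517-byte secret
# subkey from the answer starts with 0x9D 0x02 0x05 (old format, tag 7,
# two-byte length); the bodies here are zero padding of a plausible size.
SAMPLE_SECRET_SUBKEY = bytes([0x9D, 0x02, 0x05]) + bytes(517)
SAMPLE_PUBLIC_SUBKEY = bytes([0xB9, 0x00, 0x10]) + bytes(16)

if __name__ == "__main__":
    for name, pkt in (("sec", SAMPLE_SECRET_SUBKEY), ("pub", SAMPLE_PUBLIC_SUBKEY)):
        converted = subkey_to_primary(pkt)
        print("%s: %s 0x%02X -> %s 0x%02X" % (
            name, describe(pkt), pkt[0], describe(converted), converted[0]))
```

Running the script prints "Secret Subkey 0x9D -> Secret Key 0x95" and "Public Subkey 0xB9 -> Public Key 0x99", the same bytes the answer has you set by hand. Because an OpenPGP fingerprint is computed over the packet body with a fixed 0x99 prefix and length (RFC 4880, section 12.2) regardless of whether the packet is tagged as a subkey or a primary key, the key id does not change, which is why the listing in the answer still shows 320752EA after the conversion. The length check matters: the hex-editor approach silently produces garbage if you edit the wrong file or a new-format packet.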