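Please note that this article is unfinished and still at an early stage of writing, so this blog makes no guarantee about the continuity of its content.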

(By the way, it is almost the year 5202 already, so why am I still writing a 2024 primer?!)

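My acquaintance with GPG started around 2020, when I came across it out of curiosity and was promptly drawn in by Kleopatra's complicated interface. Until 2024, however, my understanding of PGP stayed at the toy level. After working through GnuPG in detail, I wrote this article.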

Concepts

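In PGP (Pretty Good Privacy), keys are related as follows: public key -> private key A [certify, sign], private key B [encrypt], key C ... Note that because this system inevitably extends asymmetric encryption algorithms such as RSA, or signature algorithms such as Curve25519, in order to implement higher-level features, the terminology here differs from that of plain asymmetric cryptography. Readers can work out what the terms should mean through practice. For now, let us temporarily forget most of the cryptography, remember only the principle that the public key may be published and the private key must be kept secret, and read on.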

Preparation

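If you want to do this for real, the author recommends Tails as the system to install. Of course, if you still need to warm up, you can use another system. How to use Tails for real-world use is covered at the end of the article.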

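First, let's check your system. If you are on Windows, you only need to download and install Gpg4win. Since the author does not recommend Windows for real-world use, you can click Next through the default configuration. After installing, run gpg --version; if the output is roughly like the following, everything is working.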

PS C:\Users\apple> gpg --version
gpg (GnuPG) 2.4.7
libgcrypt 1.11.0
Copyright (C) 2024 g10 Code GmbH
License GNU GPL-3.0-or-later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: C:\Users\apple\AppData\Roaming\gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

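If you are on Linux and your distribution is community-maintained, it most likely already ships a GnuPG, because your package manager needs it to establish trust in software packages. How to install it on each system is not covered here. In any case, once it is installed, run gpg --version; if the output is roughly like the following, you have installed GnuPG successfully.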

apple@centos:~$ gpg --version
gpg (GnuPG) 2.2.27
libgcrypt 1.9.4
Copyright (C) 2021 Free Software Foundation, Inc.
License GNU GPL-3.0-or-later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /home/apple/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

Creating your key

After GnuPG is installed, it does not create a key pair for you. We need to run gpg --full-gen-key to create our key pair. The steps are shown below.

apple@centos:~$ gpg --full-gen-key # Step 0, type the command
gpg (GnuPG) 2.2.27; Copyright (C) 2021 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
(14) Existing key from card
Your selection? 1 #Step 1, enter a number to choose the key type; we pick RSA, the most widely used
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 4096 #Step 2, enter the RSA key length; we simply max it out
Requested keysize is 4096 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
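Key is valid for? (0) 10y #Step 3, enter the key's expiry time. The expiry can be changed at any point before it is reached, so just set a time you will not lose track of; I was lazy and wrote 10 years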
Key expires at Tue Nov 28 02:09:38 2034 CST
Is this correct? (y/N) y #Step 4, if nothing above was mistyped, enter y to confirm

GnuPG needs to construct a user ID to identify your key.

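Real name: INXINX #Step 5, enter your name; a real name or a handle both work. If you plan to upload to a keyserver, think carefully about whether to disclose your real name. Note: unlike Kleopatra, the name here must be at least 5 characters long.
Email address: [email protected] #Step 6, enter your email address; it can be real or fake. If you plan to upload to a keyserver, think carefully about whether to disclose your real address. For use with GitHub, you can either add a UID later or enter your real address here.
Comment: #Step 7, a comment; may be left empty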
You selected this USER-ID:
"INXINX <[email protected]>"

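Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o #Step 8, if everything above is correct, enter o. You will be asked to create a passphrase here; be sure to remember it, and do not skip it.
#Step 9, on a desktop distribution, move the mouse around vigorously at random; on a command line, mash the keyboard at random. Either way, this adds extra entropy to the system's random source so the private key is generated more securely and faster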
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: /home/apple/.gnupg/trustdb.gpg: trustdb created
gpg: key 21E0EC557D72FA40 marked as ultimately trusted
gpg: directory '/home/apple/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/home/apple/.gnupg/openpgp-revocs.d/A707BC2D981BF018B66B62A021E0EC557D72FA40.rev'
public and secret key created and signed.

pub rsa4096 2024-11-29 [SC] [expires: 2034-11-27]
A707BC2D981BF018B66B62A021E0EC557D72FA40
uid INXINX <[email protected]>
sub rsa4096 2024-11-29 [E] [expires: 2034-11-27]

Finally, it shows us the information for our key. Below are the common abbreviations, taken from C's blog.

A => Authentication
C => Certify
E => Encrypt
S => Sign
? => Unknown capability
sec => Secret Key
ssb => Secret SuBkey
pub => Public Key
sub => Public Subkey

Creating subkeys

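A key with the Certify capability is extremely important: it controls every key under the whole public key. Because it ranks so high, we recommend signing (Signature) with a subkey, which is easier to revoke, rather than with the Certify key, which can only be revoked together with the entire public key.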

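So let's add a subkey. Adding a subkey requires entering the keyring's interactive interface with gpg --edit-key <part of the name, or at least the last 8 characters of the fingerprint>. Here, the fingerprint is that of the public key of your key with the Certify capability (the primary key). Note that as long as the name or fingerprint suffix you provide uniquely matches your GPG public key, you will enter the interactive interface.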

apple@centos:~$ gpg --edit-key 7D72FA40 #Step 0, enter interactive mode
gpg (GnuPG) 2.2.27; Copyright (C) 2021 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

sec rsa4096/21E0EC557D72FA40
created: 2024-11-29 expires: 2034-11-27 usage: SC
trust: ultimate validity: ultimate
ssb rsa4096/C02468B357B3AD0E
created: 2024-11-29 expires: 2034-11-27 usage: E
[ultimate] (1). INXINX <[email protected]>

gpg> addkey #Step 1, add a subkey to the key pair
Please select what kind of key you want:
(3) DSA (sign only)
(4) RSA (sign only)
(5) Elgamal (encrypt only)
(6) RSA (encrypt only)
(14) Existing key from card
Your selection? 4 #Step 2, here we add an RSA subkey for signing (S)
RSA keys may be between 1024 and 4096 bits long.
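What keysize do you want? (3072) #Step 3, since this is an RSA key, a key length is required; press Enter to accept the default, or enter a number between 1024 and 4096 (for example 2048) to create a subkey of a different length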
Requested keysize is 3072 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 3y #Step 4, enter the subkey's expiry time as appropriate; it can be changed later
Key expires at Tue Nov 30 15:14:36 2027 CST
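Is this correct? (y/N) y #Step 5, if the information is correct, enter y and press Enter
Really create? (y/N) y #Step 6, confirm creation; to confirm, enter y and press Enter, and you will be prompted for the keyring passphrase.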
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

sec rsa4096/21E0EC557D72FA40
created: 2024-11-29 expires: 2034-11-27 usage: SC
trust: ultimate validity: ultimate
ssb rsa4096/C02468B357B3AD0E
created: 2024-11-29 expires: 2034-11-27 usage: E
ssb rsa3072/AFF13A388E7B909B
created: 2024-11-30 expires: 2027-11-30 usage: S
[ultimate] (1). INXINX <[email protected]>

gpg> save #Step 7, after making changes, do not hastily exit with Ctrl+C or q; remember to save, otherwise your changes are lost
apple@centos:~$

Readers can create another subkey for encryption (E) as practice.

Creating a revocation certificate

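Suppose you forget the primary key's passphrase, or lose control of the primary key (it is lost or seized). Without a revocation certificate, you have no way to prove that you no longer use this key other than notifying your friends one by one, which is a disaster.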

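A revocation certificate lets you revoke your entire public key after it has been published. Keeping an extra backup copy is recommended so that others are not given an opening. To create one, use gpg --gen-revoke -ao <file to save the revocation certificate to> <part of the name, or at least the last 8 characters of the fingerprint>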

apple@centos:~/gpg-tutorial$ gpg --gen-revoke -ao revoke.pgp INX #Step 0, create the revocation certificate; here I use part of the name as a demonstration

sec rsa4096/21E0EC557D72FA40 2024-11-29 INXINX <[email protected]>

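Create a revocation certificate for this key? (y/N) y #Step 1, enter y to confirm creating the revocation certificate
Please select the reason for the revocation: # each of the five options below is glossed in turn
0 = No reason specified # no reason stated
1 = Key has been compromised # the key has been leaked
2 = Key is superseded # the key has been replaced
3 = Key is no longer used # the key is no longer in use
Q = Cancel # exit the creation process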
(Probably you want to select 1 here)
Your decision? 3 #Step 2, choose your reason; here we choose 3, key no longer used
Enter an optional description; end it with an empty line:
> #Step 3, enter an additional description; you may leave it empty and just press Enter
Reason for revocation: Key is no longer used
(No description given)
Is this okay? (y/N) y #Step 4, confirm creating the revocation certificate
Revocation certificate created.

Please move it to a medium which you can hide away; if Mallory gets
access to this certificate he can use it to make your key unusable.
It is smart to print this certificate and store it away, just in case
your media become unreadable. But have some caution: The print system of
your machine might store the data and make it available to others!

Now we have a revocation certificate.

Backing up your keys

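Right now the keys exist only in the user's keyring on this computer. They are lost if the system is reinstalled, and they can even be decrypted with nothing more than the passphrase you set. We back them up and store them on another encrypted device of our own (the simplest way is an encrypted archive that carries no directory information).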

Backing up the public key

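Every operation on a key essentially operates on your public key. So that the private keys we export stay linked to one another, we export the public key first.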

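Use gpg -ao <file to save the public key to> --export <part of the name, or at least the last 8 characters of the fingerprint> to export your public key information. This file does not contain your private information, so it can be shared safely.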

apple@centos:~/gpg-tutorial$ gpg -ao public_key --export INXINX # export the public key; here we use the user's full real name
apple@centos:~/gpg-tutorial$ ls
public_key revoke.pgp

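Note that if your account's full name contains spaces, you need to escape them with \ or wrap the string in double quotes. For example, here is a key whose real name is INX Fung Example.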

apple@centos:~$ gpg -ao p_ex --export INX\ Fung\ Example
apple@centos:~$ gpg -ao p_ex_str --export "INX Fung Example"
apple@centos:~$ ls
p_ex p_ex_str

Backing up the private keys

First, list all keys with gpg --fingerprint -K --keyid-format long.

apple@centos:~/gpg-tutorial$ gpg  --fingerprint -K --keyid-format long
/home/apple/.gnupg/pubring.kbx
------------------------------
sec rsa4096/21E0EC557D72FA40 2024-11-29 [SC] [expires: 2034-11-27]
Key fingerprint = A707 BC2D 981B F018 B66B 62A0 21E0 EC55 7D72 FA40
uid [ultimate] INXINX <[email protected]>
ssb rsa4096/C02468B357B3AD0E 2024-11-29 [E] [expires: 2034-11-27]
ssb rsa3072/AFF13A388E7B909B 2024-11-30 [S] [expires: 2027-11-30]

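We need to export each private key one by one. Note that each private key must be specified by the fingerprint of its sec or ssb entry, that is, the hexadecimal string after algorithm/. The command to export a single private key is gpg -ao <file to store the private key in> --export-secret-key <public key fingerprint of that key>! (note the trailing exclamation mark; without it, the private keys of all subkeys are exported). In this example, we run the following.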

apple@centos:~/gpg-tutorial$ gpg -ao inxinx-seckey --export-secret-key 21E0EC557D72FA40!
apple@centos:~/gpg-tutorial$ gpg -ao inxinx-enckey --export-secret-key C02468B357B3AD0E!
apple@centos:~/gpg-tutorial$ gpg -ao inxinx-sgnkey --export-secret-key AFF13A388E7B909B!
apple@centos:~/gpg-tutorial$ # note: each time you press Enter you are asked for the key pair's passphrase.

Once this succeeds, your keys have been exported.

Deleting keys from the machine

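For safety's sake, I do not recommend keeping your primary key in an environment that can reach the Internet; that, of course, belongs to the real-world section. Here, we can practice basic GnuPG operations by deleting the keys and importing them again.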

Deleting the private key

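The command to delete a private key is gpg --delete-secret-keys <part of the name, or at least the last 8 characters of the primary key's or a subkey's fingerprint>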

apple@centos:~/gpg-tutorial$ gpg --delete-secret-keys INXINX #Step 0, delete the private key
gpg (GnuPG) 2.2.27; Copyright (C) 2021 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.


sec rsa4096/21E0EC557D72FA40 2024-11-29 INXINX <[email protected]>

Delete this key from the keyring? (y/N) y #Step 1, confirm
This is a secret key! - really delete? (y/N) y #Step 2, confirm the deletion once more; after pressing Enter you are told which keys will be deleted

Note that deleting a private key this way is not thorough.

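Because the private keys gpg generates are stored on your disk in plaintext, a plain rm or a right-click delete does not erase them completely; you can use the wipe tool. If you are using an SSD without full-disk encryption enabled, they cannot be erased completely.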

In the real-world section I will describe in detail how to avoid this problem.

Deleting the public key

The command to delete a public key is gpg --delete-keys <part of the name, or at least the last 8 characters of the fingerprint>

apple@centos:~/gpg-tutorial$ gpg --delete-keys INX #Step 0, delete the key
gpg (GnuPG) 2.2.27; Copyright (C) 2021 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.


pub rsa4096/21E0EC557D72FA40 2024-11-29 INXINX <[email protected]>

Delete this key from the keyring? (y/N) y #Step 1, confirm the deletion

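You may wonder why deleting the private key was introduced before deleting the public key. The reason is that if you delete the public key first, the deletion does not actually succeed; the error is shown below.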

apple@centos:~/gpg-tutorial$ gpg --delete-keys INX # delete the public key
gpg (GnuPG) 2.2.27; Copyright (C) 2021 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: there is a secret key for public key "INX"!
gpg: use option "--delete-secret-keys" to delete it first.

It tells us that a private key still exists and must be deleted first.

Deleting the public and private keys together

In fact, GnuPG has an option that deletes the public and private keys together, --delete-secret-and-public-keys, so we can quickly delete both at once.

Importing keys

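Importing is not limited to public keys; private keys can be imported as well. Note that importing a private key alone does not show the complete key relationships; only importing the public key builds up the key's framework.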

The import command is gpg --import <file name>

apple@centos:~/gpg-tutorial$ gpg --import inxinx-seckey #Example 1, import the private key alone; the passphrase will be requested
gpg: key 21E0EC557D72FA40: public key "INXINX <[email protected]>" imported
gpg: key 21E0EC557D72FA40: secret key imported
gpg: Total number processed: 1
gpg: imported: 1
gpg: secret keys read: 1
gpg: secret keys imported: 1
apple@centos:~/gpg-tutorial$ gpg -k # view the current keyring state
gpg: checking the trustdb
gpg: no ultimately trusted keys found
/home/apple/.gnupg/pubring.kbx
------------------------------
pub rsa4096 2024-11-29 [SC] [expires: 2034-11-27]
A707BC2D981BF018B66B62A021E0EC557D72FA40
uid [ unknown] INXINX <[email protected]>

apple@centos:~/gpg-tutorial$ gpg --import public_key #Example 2, import the public key
gpg: key 21E0EC557D72FA40: "INXINX <[email protected]>" 2 new signatures
gpg: key 21E0EC557D72FA40: "INXINX <[email protected]>" 2 new subkeys
gpg: Total number processed: 1
gpg: new subkeys: 2
gpg: new signatures: 2
apple@centos:~/gpg-tutorial$ gpg -k # view the current keyring state, without showing private key status
/home/apple/.gnupg/pubring.kbx
------------------------------
pub rsa4096 2024-11-29 [SC] [expires: 2034-11-27]
A707BC2D981BF018B66B62A021E0EC557D72FA40
uid [ unknown] INXINX <[email protected]>
sub rsa4096 2024-11-29 [E] [expires: 2034-11-27]
sub rsa3072 2024-11-30 [S] [expires: 2027-11-30]

apple@centos:~/gpg-tutorial$ gpg -K # view the current keyring state, showing private key status; entries marked with # are missing the corresponding private key
/home/apple/.gnupg/pubring.kbx
------------------------------
sec rsa4096 2024-11-29 [SC] [expires: 2034-11-27]
A707BC2D981BF018B66B62A021E0EC557D72FA40
uid [ unknown] INXINX <[email protected]>
ssb# rsa4096 2024-11-29 [E] [expires: 2034-11-27]
ssb# rsa3072 2024-11-30 [S] [expires: 2027-11-30]

Readers can try deleting and importing keys on their own for practice.
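As an added example (not part of the original post), the following POSIX shell functions read a gpg -K --keyid-format long listing, report which private-key parts are missing (the # marker in the listing above), and print the per-key export command with the trailing ! shown earlier on this page for each part that is present. The sample listing is constructed from the page's own output, and the function names and output file naming are assumptions.

```shell
#!/bin/sh
# Added example. SAMPLE is constructed from the page's listings: the state after
# re-importing only the primary secret key, as `--keyid-format long` prints it.
SAMPLE='sec   rsa4096/21E0EC557D72FA40 2024-11-29 [SC] [expires: 2034-11-27]
      Key fingerprint = A707 BC2D 981B F018 B66B  62A0 21E0 EC55 7D72 FA40
uid                 [ unknown] INXINX <[email protected]>
ssb#  rsa4096/C02468B357B3AD0E 2024-11-29 [E] [expires: 2034-11-27]
ssb#  rsa3072/AFF13A388E7B909B 2024-11-30 [S] [expires: 2027-11-30]'

# key_parts (hypothetical name): read a listing on stdin and print one line
# "TYPE KEYID CAPS STATE" per sec/ssb entry. STATE is "missing" for the "#"
# marker, "card" for the ">" marker gpg uses for smartcard stubs, else "present".
key_parts() {
    awk '
    $1 ~ /^(sec|ssb)[#>]?$/ && index($2, "/") > 0 {
        type  = substr($1, 1, 3)
        mark  = substr($1, 4, 1)
        keyid = substr($2, index($2, "/") + 1)
        caps  = $4
        gsub(/\[|\]/, "", caps)
        state = "present"
        if (mark == "#") state = "missing"
        if (mark == ">") state = "card"
        print type, keyid, caps, state
    }'
}

# missing_parts: key IDs whose private key material is not in this keyring.
missing_parts() {
    key_parts | awk '$4 == "missing" { print $2 }'
}

# restore_ok: succeed only when no entry carries the "#" marker.
restore_ok() {
    [ -z "$(missing_parts)" ]
}

# export_commands PREFIX: print one per-key export command for every part that
# is present. The trailing "!" limits the export to exactly that key; it is
# single-quoted so an interactive shell cannot apply history expansion to it.
export_commands() {
    key_parts | awk -v prefix="$1" '$4 == "present" {
        printf "gpg -ao %s-%s --export-secret-key \047%s!\047\n", prefix, $2, $2
    }'
}

printf '%s\n' "$SAMPLE" | key_parts
printf '%s\n' "$SAMPLE" | export_commands inxinx
printf '%s\n' "$SAMPLE" | restore_ok || echo "restore incomplete"
```

Against a live keyring, pipe gpg -K --keyid-format long into these functions; for long-lived scripts, gpg's --with-colons output is the stable machine-readable format, and the human-readable form is parsed here only because it is what the page shows.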

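Note that importing a private key sometimes fails with an error. In that case, try adding the --allow-secret-key-import option. If the import still fails, you can try deleting the .gnupg folder (this is a very dangerous operation; make at least one backup beforehand and be sure you know what you are doing) and rebuilding the keyring with gpg -k.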

Trusting a key

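If you look closely, you will notice that after deleting and re-importing our key, its trust level becomes unknown. This is because the trust level we had assigned to our own key was deleted along with the public key.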

apple@centos:~/gpg-tutorial$ gpg -K # check the trust status
/home/apple/.gnupg/pubring.kbx
------------------------------
sec rsa4096 2024-11-29 [SC] [expires: 2034-11-27]
A707BC2D981BF018B66B62A021E0EC557D72FA40
uid [ unknown] INXINX <[email protected]>
ssb# rsa4096 2024-11-29 [E] [expires: 2034-11-27]
ssb# rsa3072 2024-11-30 [S] [expires: 2027-11-30]

apple@centos:~/gpg-tutorial$ gpg --edit-key inx #Step 0, enter key editing mode
gpg (GnuPG) 2.2.27; Copyright (C) 2021 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

sec rsa4096/21E0EC557D72FA40
created: 2024-11-29 expires: 2034-11-27 usage: SC
trust: unknown validity: unknown
sub rsa4096/C02468B357B3AD0E
created: 2024-11-29 expires: 2034-11-27 usage: E
sub rsa3072/AFF13A388E7B909B
created: 2024-11-30 expires: 2027-11-30 usage: S
[ unknown] (1). INXINX <[email protected]>

gpg> trust #Step 1, change the trust level
sec rsa4096/21E0EC557D72FA40
created: 2024-11-29 expires: 2034-11-27 usage: SC
trust: unknown validity: unknown
sub rsa4096/C02468B357B3AD0E
created: 2024-11-29 expires: 2034-11-27 usage: E
sub rsa3072/AFF13A388E7B909B
created: 2024-11-30 expires: 2027-11-30 usage: S
[ unknown] (1). INXINX <[email protected]>

Please decide how far you trust this user to correctly verify other users' keys
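(by looking at passports, checking fingerprints from different sources, etc.) # the trust levels are glossed one by one below

1 = I don't know or won't say # I don't know, or I'd rather not say
2 = I do NOT trust # I firmly do not trust
3 = I trust marginally # I half believe; suitable for online acquaintances
4 = I trust fully # I trust completely; suitable when you have confirmed the other party's identity in person
5 = I trust ultimately # ultimate trust; use this only on your own keys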
m = back to the main menu

Your decision? 5 #Step 2, enter your choice; since this is our own key, we choose 5, ultimate trust
Do you really want to set this key to ultimate trust? (y/N) y

sec rsa4096/21E0EC557D72FA40
created: 2024-11-29 expires: 2034-11-27 usage: SC
trust: ultimate validity: unknown
sub rsa4096/C02468B357B3AD0E
created: 2024-11-29 expires: 2034-11-27 usage: E
sub rsa3072/AFF13A388E7B909B
created: 2024-11-30 expires: 2027-11-30 usage: S
[ unknown] (1). INXINX <[email protected]>
Please note that the shown key validity is not necessarily correct
unless you restart the program.

gpg> save #Step 3, save the key
Key not changed so no update needed.
apple@centos:~/gpg-tutorial$ gpg -K # check the trust status
gpg: checking the trustdb
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2034-11-27
/home/apple/.gnupg/pubring.kbx
------------------------------
sec rsa4096 2024-11-29 [SC] [expires: 2034-11-27]
A707BC2D981BF018B66B62A021E0EC557D72FA40
uid [ultimate] INXINX <[email protected]> # the trust level is restored
ssb# rsa4096 2024-11-29 [E] [expires: 2034-11-27]
ssb# rsa3072 2024-11-30 [S] [expires: 2027-11-30]

Real-world use

Still Work in Progress.

References

[1] "2021年,用更现代的方法使用PGP" (Using PGP in a More Modern Way in 2021), parts 1, 2 and 3 - C's Blog | UlyC

[2] "OpenPGP 最佳实践 - 密钥服务器" (OpenPGP Best Practices: Keyservers) - Nova Kwok's Awesome Blog

[3] Pico Keys Getting Started - Pico Keys

[4] "GPG 使用指南" (GPG Usage Guide) - val's Blog