Download a PGP key automatically


Problem description

I want to download a PGP key from a keyserver automatically using gpg, like this:

    gpg --search-keys carol@example.com

gpg is giving me this result:

    gpg: searching for "carol@example.com" from hkp server pool.sks-keyservers.net
    (1)     <carol@example.com>
              2048 bit RSA key 2F5E71CD, created: 2015-02-17
    Keys 1-1 of 1 for "carol@example.com".  Enter number(s), N)ext, or Q)uit > 

If I want to add this key to my keyring I need to press "1" and ENTER.

My question is: is there a way to always insert the first key found on the keyserver into my keyring automatically? Because if I want to do this for about 200 addresses, it would be nice if I could import them with a script without sitting next to the computer and pressing "1" and Enter every time.

I know that it is a security risk to always import the first key automatically, but importing the keys automatically does not mean that I also trust them automatically.

Recommended answer

Do not use mail addresses for finding keys when scripting. Everybody can upload keys with arbitrary user IDs in them; key servers do not check anything at all. It is even easily possible to calculate short key ID collisions. Trusting arbitrary keys on key servers provides a very, very dangerous, false assumption of safety.

For scripting purposes, always work with key fingerprints. These are secure against collision attacks and provide a unique identifier for OpenPGP keys (in theory they do not, but they provide a larger address space than UUIDs, which in practice are considered unique).

To download a list of fingerprints, use something like

    gpg --recv-keys \
      0D69E11F12BDBA077B3726AB4E1F799AA4FF2279 \
      4AC1999F0BA293E8960AF2DA428C3085AF19CFE9 \
      ...

(or remove the backslashes and put everything on one line)

To simply fetch all keys and validate trust another way (e.g. through the web of trust, but don't forget to do so), you have to script around GnuPG. Here is an example script originally posted on security.SE, which takes a file containing one mail address per line and fetches all matching keys:

    #!/bin/sh
    # Fetch every key the keyserver returns for each address listed in the
    # file given as $1 (one mail address per line). Nothing is validated here:
    # check the imported keys' fingerprints or the web of trust afterwards.
    while IFS= read -r line
    do
        gpg --with-colons --batch --search-keys "$line" 2>/dev/null | \
        awk 'BEGIN { FS = ":" };  $1 == "pub" { print $2 }' | \
        xargs gpg --recv-keys
    done < "$1"
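The script above imports whatever the keyserver returns for a substring search, which is exactly what the answer warns against. The following is an added example (not the answer's own script, and not code from the GnuPG project) that tightens the same loop: a key is only selected when the server reports a full fingerprint, the key is not flagged revoked, expired or disabled, and one of its user IDs carries exactly the requested address (so `carol@example.com.evil.test` does not pass for `carol@example.com`). It assumes the colon-separated record layout that `gpg --batch --with-colons --search-keys` prints, `pub:<keyid or fingerprint>:<algo>:<keylen>:<created>:<expires>:<flags>` followed by `uid:<user id>:<created>:<expires>:<flags>` lines, as described in GnuPG's doc/DETAILS; the sample listing and its fingerprints are constructed for the demo and are not real keys. Selecting a key this way still only establishes that the server handed out a key with that address on it; verifying the fingerprint out of band (or through the web of trust) remains the caller's job.

```shell
#!/bin/sh
# Added example, not the answer's own script. Assumed record layout of
# `gpg --batch --with-colons --search-keys` (one record per line):
#   pub:<keyid or fingerprint>:<algo>:<keylen>:<created>:<expires>:<flags>
#   uid:<user id>:<created>:<expires>:<flags>
# where <flags> may contain r (revoked), d (disabled) or e (expired).

# select_fingerprints ADDR  -  reads a colon listing on stdin and prints the
# full fingerprints of acceptable keys, one per line.
select_fingerprints() {
    awk -F: -v want="$1" '
        function flush() { if (fpr != "" && ok && !bad) print fpr }
        $1 == "pub" {
            flush()
            fpr = ""; ok = 0; bad = 0
            # A short key ID (8 or 16 hex digits) is collision-prone; the
            # answer says to work with fingerprints only, so refuse it.
            if (length($2) < 40) next
            fpr = $2
            bad = ($7 ~ /[rde]/)
        }
        $1 == "uid" {
            uid = $2
            gsub(/\\x3a/, ":", uid)      # GnuPG escapes ":" inside user IDs
            addr = uid
            if (match(uid, /<[^>]+>/))
                addr = substr(uid, RSTART + 1, RLENGTH - 2)
            # exact (case-insensitive) match of the mail part only
            if (tolower(addr) == tolower(want)) ok = 1
        }
        END { flush() }
    '
}

# fetch_keys FILE  -  one mail address per line; imports by fingerprint only.
fetch_keys() {
    while IFS= read -r addr || [ -n "$addr" ]; do
        [ -z "$addr" ] && continue
        fprs=$(gpg --batch --with-colons --search-keys "$addr" 2>/dev/null |
               select_fingerprints "$addr")
        if [ -z "$fprs" ]; then
            echo "no acceptable key for $addr, skipping" >&2
            continue
        fi
        # word-splitting $fprs into separate arguments is intended here
        gpg --batch --recv-keys $fprs
    done < "$1"
}

# Constructed sample listing (not real keys): a revoked key, a good key, a
# look-alike address, a server that only reports a short key ID, and an
# expired key, all for carol@example.com.
sample_listing() {
    cat <<'EOF'
info:1:5
pub:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:1:2048:1424131200::r
uid:Carol <carol@example.com>:1424131200::
pub:BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB:1:2048:1424131200::
uid:Carol <carol@example.com>:1424131200::
pub:CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC:1:4096:1424131200::
uid:Mallory <carol@example.com.evil.test>:1424131200::
pub:2F5E71CD:1:2048:1424131200::
uid:Carol <carol@example.com>:1424131200::
pub:EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE:1:2048:1300000000:1400000000:e
uid:Carol Old <carol@example.com>:1300000000::
EOF
}

case "${1:-}" in
    --demo) sample_listing | select_fingerprints carol@example.com ;;  # prints only the BBBB... key
    "")     ;;                                                        # no argument: just define the functions
    *)      fetch_keys "$1" ;;
esac
```

Run it as `sh select_keys.sh --demo` to see the filter applied to the constructed listing, or `sh select_keys.sh addresses.txt` to process a real address list; the awk part has no GNU-only dependencies, so it works with the system awk on BSD and busybox as well.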

