...making Linux just a little more fun!

<-- prev | next -->

Front and Back: KPGP and GPG

By Jimmy O'Regan

One of the virtues of Linux is that its Unix heritage has given it a powerful command line. Using the command line can be difficult though, and many people prefer to use GNOME or KDE to do their work. Fortunately, many developers choose to embrace Larry Wall's virtue of "laziness", and instead of choosing to reinvent the wheel, they create user friendly front-ends to common CLI apps.

This is the first article of an occasional series which intends to look at some of these front-ends, show the new user how to use them, and, most importantly, provide the corresponding commands for the "back-end" command for future reference - you never know when you might need to do something over an SSH connection, after all!

KGPG and GPG

KGPG is a front-end to GPG, the GNU Privacy Guard. GPG was created to replace PGP, the popular encryption program. GPG is a common component in a Linux system - almost all package utilities use it for verification, for example.

GPG is an implementation of OpenPGP (RFC 2440), a standard created around the workings of PGP, to provide security for, among other things, e-mail. PGP/GPG is best known as an implementation of public-key cryptography - each user has two keys, a public key, and a private key. If I want to send encrypted e-mail to Mark, I encrypt it using my private key and his public key; Mark is then able to decrypt it using his private key and my public key.

The most common use of GPG, however, is as a way of digitally signing something - normally e-mail, or as mentioned earlier, software packages - so the recipient can verify that the item came from the person who claims to have sent it.

Starting KGPG

KGPG Wizard

When you start KGPG for the first time, it presents a Wizard which helps you to set up GPG. It's OK to follow the defaults. The final step, and the one we're interested in, is the key generation dialogue.

Generate a key

KGPG's key generation dialogue contains the common defaults, all you need to do is enter your name and e-mail address in the appropriate areas, and click OK. Note that "Expert Mode" provides you with a shell, and runs GPG for you.

After generation

KGPG then presents you with a dialogue containing your signature's Key ID and Fingerprint. It also offers to create a Revocation Certificate. You should use this option - the best option is to chose "Save as", move the file somewhere safe, and delete it from your computer. This is an option I wish I had taken advantage of - there are two old keys belonging to me floating around that I wish I could get rid of!

If you want to generate a Revocation Certificate at any later stage, simply right click on the key in KGPG's Key Management window, and select "Revoke Key".

Starting with GPG

Generating a key pair in GPG is just as easy: using the command gpg --keygen you are offered the same defaults as in KGPG, simply press the 'Enter' key to accept them and type 'y' followed by 'Enter' when asked "Is this correct". When asked, enter your name and e-mail address..

Here is a sample key generation session:

[foo@dhcppc0 foo]$ gpg --gen-key
gpg (GnuPG) 1.2.4; Copyright (C) 2003 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

Please select what kind of key you want:
   (1) DSA and ElGamal (default)
   (2) DSA (sign only)
   (4) RSA (sign only)
Your selection?
DSA keypair will have 1024 bits.
About to generate a new ELG-E keypair.
              minimum keysize is  768 bits
              default keysize is 1024 bits
    highest suggested keysize is 2048 bits
What keysize do you want? (1024)
Requested keysize is 1024 bits
Please specify how long the key should be valid.
         0 = key does not expire
        = key expires in n days
      w = key expires in n weeks
      m = key expires in n months
      y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct (y/n)? y

You need a User-ID to identify your key; the software constructs the user id
from Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) "

Real name: Foo McBar
Email address: foo@bar.com
Comment:
You selected this USER-ID:
    "Foo McBar <foo@bar.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
+++++.++++++++++.+++++++++++++++++++++++++.++++++++++++++++++++++++++++++..+++++
+++++.+++++++++++++++..+++++.+++++..+++++.+++++++++++++++.+++++>+++++.+++++>
+++++......<++++++++++
public and secret key created and signed.
key marked as ultimately trusted.

To generate a revocation certificate, you can use gpg --gen-revoke. You need to give GPG some way of identifying which key you wish to create a certificate for - GPG can make use of several key pairs, which is useful if you want to keep separate identities for work and private use, or if you use a pseudonym for whatever reason.

[foo@dhcppc0 foo]$ gpg --gen-revoke "Foo McBar"

sec  1024D/EA4A9540 2004-06-28   Foo McBar <foo@bar.com>

Create a revocation certificate for this key? y
Please select the reason for the revocation:
  0 = No reason specified
  1 = Key has been compromised
  2 = Key is superseded
  3 = Key is no longer used
  Q = Cancel
(Probably you want to select 1 here)
Your decision? 3
Enter an optional description; end it with an empty line:
>
Reason for revocation: Key is no longer used
(No description given)
Is this okay? y

You need a passphrase to unlock the secret key for
user: "Foo McBar "
1024-bit DSA key, ID EA4A9540, created 2004-06-28

ASCII armored output forced.
Revocation certificate created.

Please move it to a medium which you can hide away; if Mallory gets
access to this certificate he can use it to make your key unusable.
It is smart to print this certificate and store it away, just in case
your media become unreadable.  But have some caution:  The print system of
your machine might store the data and make it available to others!

Importing Keys

Find a key

To find a key with KGPG, choose "File->Key Server Dialogue". In the dialogue, enter the name, e-mail address or Key ID of the key you wish to import. If there are multiple matches, you are presented with a dialogue from which you can choose the correct key.

Select a key

To do this in GPG, use gpg --search-key "Something to find", where "Something to find" is a name, e-mail address or Key ID. If there are multiple matches, GPG also prompts you to make a selection:

[foo@dhcppc0 foo]$ gpg --search-keys "Jimmy O'Regan"
gpg: searching for "Jimmy O'Regan" from HKP server subkeys.pgp.net
Keys 1-3 of 3 for "Jimmy O'Regan"
(1)     Jimmy O'Regan <jimregan@o2.ie>
          1024 bit DSA key 773730F8, created 2004-06-19
(2)     Jimmy O'Regan <jimregan@o2.ie>
          1024 bit DSA key DA974449, created 2004-06-05
(3)     Jimmy O'Regan <jimregan@lit.compsoc.com>
          1024 bit DSA key FF5D8291, created 2000-08-22
Enter number(s), N)ext, or Q)uit > 1
gpg: key 773730F8: "Jimmy O'Regan <jimregan@o2.ie>" imported
gpg: Total number processed: 1
gpg:               imported: 1

Note that if you don't have a keyserver set up in ~/.gnupg/gpg.conf you can add the option --keyserver [keyserver]. For example:

gpg --keyserver subkeys.pgp.net --search-keys "Jimmy O'Regan"

If you already have a public key in a file, you can import it into KGPG using "Keys->Import Key", where you can either enter the file name, or browse to it. This dialogue also gives the option to import from the clipboard - I found this useful when I needed to contact Linux Gazette's sys admin, Kayos, who keeps his key on his contacts page.

In GPG, to import from a file, use gpg --import filename. Note that this accepts standard pipes, so there are ways of emulating KGPG's clipboard input. The way most likely to work everywhere is to use a "here document":

[foo@dhcppc0 jimmy]$ gpg --import <<EOF
> (paste public key)
>EOF

Getting the contents of X's clipboard came up recently on The Answer Gang, where Ben pointed to his xclip tip from Issue 78. To use this with GPG, you could try:

xclip -o|gpg --import

Alternatively, if you use KDE, but don't use KGPG, you could try:

dcop klipper klipper getClipboardContents|gpg --import

Viewing keys

KGPG Key Management

There are no special steps to take in KGPG to view keys or signatures - the Key Management window displays all of the keys in your keyring. You can click on the '+' beside each key name to see alternate UIDs, signatures, photo IDs etc. If you wish, you can have photo IDs appear in the main window by selecting one of the options in "View->Photo IDs".

In GPG, you can use one of several options, depending on what you want to view. If you wish to view public keys, use --list-keys; if you wish to view secret keys, use --list-secret-keys; and if you wish to view public keys and their signatures, use --list-sigs. With all of these options, if you specify a name, GPG will print only the details for that name.

Exporting Keys

To export your public key in KGPG, choose "Keys->Export Public Keys", or type Ctrl-C. This offers to export the key in an e-mail, to the clipboard, to the default keyserver, or to a file - $HOME/$USER.asc by default.

In GPG, to export a key, use gpg --export -a [key id]. The -a option is important if you want to use the key in e-mail, as it encodes the key in ASCII "armor". If you don't specify the Key ID, the default behaviour is to export all keys, which is probably not what you want.

Alternate IDs

If you have multiple e-mail addresses, and wish to use the same key for each of them, you may wish to add an extra User ID. In KGPG, simple right click on the file and select "Add User ID". This presents you with a dialogue which asks for a name, e-mail address and optional comment.

In GPG, use gpg --edit-key [key id]. This gives you a prompt saying Command>. At this prompt, type adduid, and enter the name, e-mail, and optional comment as prompted.

To add a photo ID in KGPG, right click on the name you wish to add a photo for, choose "Add Photo", and browse to the location of the file. In GPG, you must again use gpg --edit-key. This time, from the Command> prompt, type addphoto. When prompted, type the path to the photo.

It's important to point out that KGPG, or at least KGPG 1.1, as shipped with Mandrake 10.0, sets a new UID as the primary UID, rather than as an alternate, as GPG does. To change the primary UID, you must use GPG's edit mode. Select the number of the UID, following the steps above, and use the primary command.

Deleting

In KGPG, this is very simple. Select the key or signature you wish to delete, and press the 'Delete' key. It's not possible to delete all signatures from KGPG, however - signatures on an alternate UID or Photo ID must be deleted from the command line. You can quickly gain access to GPG from "Keys->Edit in Terminal", or by pressing Alt-Enter.

In GPG, to delete a public key, use gpg --delete-keys [key id]; to delete a secret key, use gpg --delete-secret-keys [key id]. To delete a signature, you must again use the edit mode. GPG enumerates the UIDs of the key for you. To work on an UID, type its number. GPG will then list each UID again, with an asterisk beside each selected key. Use the delsig command to delete a signature. GPG will prompt you with each signature in turn; type 'y', 'n', or 'q' followed by 'Enter' to delete, skip a signature, or leave the delsig mode, respectively. Simply hitting 'Enter' chooses the default action, which is to skip the signature.

Key Signing

To sign a key, first import it. In KGPG, choose "Keys->Sign Key(s)"; in GPG, use gpg --sign-key [key id]. Both will prompt you to confirm this, and both will ask how well you have verified the identity of the owner of the key. In GPG this appears as:

   (0) I will not answer. (default)
   (1) I have not checked at all.
   (2) I have done casual checking.
   (3) I have done very careful checking.

If you cannot say that you have done very careful checking, it is recommended that you don't sign the key at all. Once you have signed the key, you should export it, so the owner can import your signature. For more information on key signing, see the GPG Keysigning Party HOWTO or Debian's Keysigning guide.

Encrypting, decrypting and signing

With KGPG installed, you can encrypt any file you wish from Konqueror by right clicking, and selecting "Actions->Encrypt File"; or by dropping it onto the KGPG icon in the System Tray. Select the person you wish to receive the file, and KGPG will create an ASCII encoded version of the encrypted file. To decrypt, you similarly drag the file onto the System Tray.

In GPG, use gpg -e [filename], and enter the Key ID when prompted. You can then use gpg --enarmor [filename] to ASCII encode it. Use gpg --decrypt [filename] to decrypt.

To sign files in KGPG, you must first change the settings to allow it. Go to "Settings->Configure KGpg"; in the "User Interface" pane, set "Event on unencrypted file drop" to "Ask" (or "Sign" if you have no intention of using encryption). This allows you to drop files onto the System Tray for signing.

In GPG, to sign a file use gpg --sign [filename]. You may ASCII encode this, as for encryption, if you wish to email the file.

Conclusion

I hope someone out there finds this useful - if even one KGPG user finds a corresponding GPG command using this, I'll be happy. If anyone found it useful as an introduction to either KGPG or GPG, feel free to send me encrypted e-mail - my public key is available here. Until next time, take care!

P.S.

I'd like to take a moment to correct an error in last month's article on Mozilla extensions, and to thank those who pointed it out.

Mentioning PopUpALT, I said "This feature, which was present in Netscape 4, was removed from Mozilla for some unknown reason." What I meant to say was "for some reason I haven't discovered".

Marcin Gil was the first to write, saying "The PopupALT was probably removed from Mozilla because (as my memory recalls correctly) the ALT attribute is for screen readers, text browsers etc. Such a use is recommended by W3C in XHTML specs (I think Jeffrey Zeldman writes it in his book). TITLE attribute is for popping up texts.."

Crystle clarified this: "In fact, the W3 says that the alt tag should be used very carefully, and I've seen some really long alt tags - this causes problems if your browser translates to voice or braille, which is the purpose for the alt tag.
See: http://www.w3.org/TR/html401/struct/objects.html#alternate-text

To which Josh Ockert added: "The correct behavior is to display the *entire* value of an alt attribute if the image is not loaded."

 


[BIO] Jimmy is a single father of one, who enjoys long walks... Oh, right.

Jimmy has been using computers from the tender age of seven, when his father inherited an Amstrad PCW8256. After a few brief flirtations with an Atari ST and numerous versions of DOS and Windows, Jimmy was introduced to Linux in 1998 and hasn't looked back.

In his spare time, Jimmy likes to play guitar and read: not at the same time, but the picks make handy bookmarks.

Copyright © 2004, Jimmy O'Regan. Released under the Open Publication license unless otherwise noted in the body of the article. Linux Gazette is not produced, sponsored, or endorsed by its prior host, SSC, Inc.

Published in Issue 104 of Linux Gazette, July 2004

<-- prev | next -->
Tux