https://www.gnupg.org/download/

mac

Option 1 (recommended):

$ brew install gpg pinentry pinentry-mac
$ echo "pinentry-program /usr/local/bin/pinentry-mac" >> ~/.gnupg/gpg-agent.conf
$ killall gpg-agent

If an error occurs during use, see "Inappropriate ioctl for device" below and set the environment variable.

SourceTree support:

$ ls -la /usr/local/bin/gpg
lrwxr-xr-x /usr/local/bin/gpg -> ../Cellar/gnupg/2.2.10/bin/gpg
$ ln -s /usr/local/bin/gpg /usr/local/bin/gpg2

In SourceTree's preferences, click "Advanced" and change the "GPG program" path to /usr/local/bin.

Option 2:

Download and install the dmg from https://gpgtools.org/

pc

https://gpg4win.org/download.html

linux (tarball)

$ mkdir ~/gnupg
$ cd ~/gnupg

$ wget https://www.gnupg.org/ftp/gcrypt/gnupg/gnupg-2.2.10.tar.bz2
wget https://www.gnupg.org/ftp/gcrypt/libgpg-error/libgpg-error-1.32.tar.bz2
wget https://www.gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-1.8.3.tar.bz2
wget https://www.gnupg.org/ftp/gcrypt/libksba/libksba-1.3.5.tar.bz2
wget https://www.gnupg.org/ftp/gcrypt/libassuan/libassuan-2.5.1.tar.bz2
wget https://www.gnupg.org/ftp/gcrypt/ntbtls/ntbtls-0.1.2.tar.bz2
wget https://www.gnupg.org/ftp/gcrypt/npth/npth-1.6.tar.bz2
wget https://www.gnupg.org/ftp/gcrypt/pinentry/pinentry-1.1.0.tar.bz2
// wget https://www.gnupg.org/ftp/gcrypt/gpgme/gpgme-1.11.1.tar.bz2
// wget https://www.gnupg.org/ftp/gcrypt/gpa/gpa-0.9.10.tar.bz2

$ tar xvjf gnupg-2.2.10.tar.bz2
tar xvjf libgpg-error-1.32.tar.bz2
tar xvjf libgcrypt-1.8.3.tar.bz2
tar xvjf libksba-1.3.5.tar.bz2
tar xvjf libassuan-2.5.1.tar.bz2
tar xvjf ntbtls-0.1.2.tar.bz2
tar xvjf npth-1.6.tar.bz2
tar xvjf pinentry-1.1.0.tar.bz2
// tar xvjf gpgme-1.11.1.tar.bz2
// tar xvjf gpa-0.9.10.tar.bz2

// Build and install the GnuPG components
$ cd libgpg-error-1.32
$ ./configure
$ sudo make && sudo make install

$ cd ../libgcrypt-1.8.3
$ ./configure
$ sudo make && sudo make install

$ cd ../libksba-1.3.5
$ ./configure
$ sudo make && sudo make install

$ cd ../libassuan-2.5.1
$ ./configure
$ sudo make && sudo make install

$ cd ../ntbtls-0.1.2
$ ./configure
$ sudo make && sudo make install

$ cd ../npth-1.6
$ ./configure
$ sudo make && sudo make install

// Build and install GnuPG
$ cd ../gnupg-2.2.10
$ ./configure
$ sudo make -j8 && sudo make install

$ whereis gpg
gpg: /usr/bin/gpg /usr/local/bin/gpg /usr/share/man/man1/gpg.1.gz

$ /usr/local/bin/gpg --version
/usr/local/bin/gpg: error while loading shared libraries: libgcrypt.so.20: cannot open shared object file: No such file or directory

Normally this prints the version information. If this error appears instead, first locate libgcrypt.so.20, then add its directory to LD_LIBRARY_PATH:

$ whereis libgcrypt.so.20
libgcrypt.so: /usr/lib/libgcrypt.so.11 /usr/lib64/libgcrypt.so.11 /usr/local/lib/libgcrypt.so.20 /usr/local/lib/libgcrypt.so
$ export LD_LIBRARY_PATH=/usr/local/lib:$LD_LIBRARY_PATH
$ /usr/local/bin/gpg --version
gpg (GnuPG) 2.2.10
libgcrypt 1.8.3
Copyright (C) 2018 Free Software Foundation, Inc.
...

Add the environment variable to a startup file such as .bashrc (single quotes keep $LD_LIBRARY_PATH unexpanded until login):

$ echo 'export LD_LIBRARY_PATH=/usr/local/lib:$LD_LIBRARY_PATH' >> ~/.bashrc

Likewise, check the PATH environment variable and make sure /usr/local/bin comes before /usr/bin, so that the gpg command runs the version we compiled.
Start a new session and run gpg --version; it should report the version just installed.

Required component:
---
// Used for protected passphrase entry (required)
$ cd ../pinentry-1.1.0
$ ./configure
$ sudo make && sudo make install
---
The next two are optional; you may need to adjust library paths before configure succeeds.

// GPGME is the standard library to access GnuPG functions from programming languages.
$ cd ../gpgme-1.11.1
$ ./configure
$ sudo make && sudo make install

// GPA is a graphical frontend to GnuPG.
$ cd ../gpa-0.9.10
$ ./configure
$ sudo make && sudo make install
---
Finally, the source files that are no longer needed can be deleted:

$ cd ~
$ sudo rm -rf gnupg

-----------------
Usage
-----------------

1. List existing GPG keys

$ gpg --list-secret-keys --keyid-format LONG

2. Create a GPG key

$ gpg --full-generate-key
gpg (GnuPG) 2.2.10; Copyright (C) 2018 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection?
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: yourname
Email address: yourname@email.com
Comment: demo
You selected this USER-ID:
    "yourname (demo) <yourname@email.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key F461FA2D923C3798 marked as ultimately trusted
gpg: revocation certificate stored as '/home/yourname/.gnupg/openpgp-revocs.d/BA4CF1650621335540E42DB5F461FA2D923C3798.rev'
public and secret key created and signed.

pub   rsa2048 2018-09-18 [SC]
      BA4CF1650621335540E42DB5F461FA2D923C3798
uid                      yourname (demo) <yourname@email.com>
sub   rsa2048 2018-09-18 [E]

3. Generate a revocation certificate

$ gpg --list-secret-keys --keyid-format LONG
/home/yourname/.gnupg/pubring.gpg
------------------------
sec   rsa2048/F461FA2D923C3798 2018-09-18 [SC]
      BA4CF1650621335540E42DB5F461FA2D923C3798
uid                 [ultimate] yourname (demo) <yourname@email.com>
ssb   rsa2048/96E3D9B0C023B825 2018-09-18 [E]

Note the value that follows the algorithm on the sec line and enter it below (note: the email address can be used in place of this key ID).

$ gpg --gen-revoke F461FA2D923C3798

4. Export the GPG key

$ gpg --armor --export F461FA2D923C3798
-----BEGIN PGP PUBLIC KEY BLOCK-----

mQENBFugt1QBCACpIrObmogNUtVRGogRUub4GmP+4IlZxu+Q5ExhGHFNhdTOEbii
9OT4Vy6snZoURWwxKPNu5/W35cs57+tv/FjVEqp1fDgnhK8YHo1AtfO5Yjqq/UR/
mPBdOBsKlstKl9+cCR/dv+uE23/fJnNqfbLZUyv8GRPwBh7OggX2MO4elzzzujnH
...
-----END PGP PUBLIC KEY BLOCK-----

Copy the entire content, including the -----BEGIN PGP PUBLIC KEY BLOCK----- and -----END PGP PUBLIC KEY BLOCK----- lines.

5. Add a user ID to the GPG key

$ gpg --edit-key F461FA2D923C3798
> adduid
Real name: myname
Email address: myname@email.com
Comment:
You selected this USER-ID:
    "myname <myname@email.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o

sec  rsa2048/F461FA2D923C3798
     created: 2018-09-18  expires: never       usage: SC
     trust: ultimate      validity: ultimate
ssb  rsa2048/96E3D9B0C023B825
     created: 2018-09-18  expires: never       usage: E
[ultimate] (1)  yourname (demo) <yourname@email.com>
[ unknown] (2). myname <myname@email.com>

> quit
Save changes? (y/N) y

Use help to see more commands.

6. Applications

- In GitHub Settings -> SSH and GPG keys, add the generated PGP key. Make sure to use the GPG key whose email and user ID match.

- It can be used for git signing, for example:

$ git config --global user.signingkey F461FA2D923C3798

Signing commits:

$ git config commit.gpgsign true
$ git config --global commit.gpgsign true

Then commit the code (-S):

$ git commit -S -m "your commit message"

Signing a tag (-s):

$ git tag -s mytag

Verifying (-v):

$ git tag -v mytag

- Use gpg-agent to reduce passphrase prompts. The following command can be added to a startup file such as ~/.xsession, ~/.profile or .bash_profile:

eval $(gpg-agent --daemon)

-----------------
Troubleshooting
-----------------

Problem: Inappropriate ioctl for device

Solution:

$ echo "test" | gpg --clearsign

If it reports Inappropriate ioctl for device, set the variable to point to the tty:

$ export GPG_TTY=$(tty)
$ echo 'export GPG_TTY=$(tty)' >> ~/.zshrc // or .bashrc, .bash_profile

Problem: apt: Unknown error executing apt-key

Solution:

sudo apt-get clean
sudo rm /var/lib/apt/lists/*
sudo rm /var/lib/apt/lists/partial/*
sudo apt-get clean
sudo apt-get update
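
Steps 3 and 6 above read the key ID off the sec line by eye. As an added example (not part of the original notes), the script below takes gpg's machine-readable --with-colons listing instead, selects usable signing keys, prints the git setting with the full fingerprint rather than the 64-bit key ID, and flags keys below a minimum size or without an expiry date. The function names, the 3072-bit policy threshold and the sample listing are assumptions constructed for this example.

```sh
#!/bin/sh
# Reads `gpg --list-secret-keys --with-colons` output on stdin.
# SAMPLE is constructed for the demo key on this page; the timestamps, uid hash
# and subkey fingerprint are placeholders, not real values.
SAMPLE='sec:u:2048:1:F461FA2D923C3798:1537228800:::u:::scESC:::+:::23::0:
fpr:::::::::BA4CF1650621335540E42DB5F461FA2D923C3798:
uid:u::::1537228800::0000000000000000000000000000000000000000::yourname (demo) <yourname@email.com>::::::::::0:
ssb:u:2048:1:96E3D9B0C023B825:1537228800::::::e:::+:::23:
fpr:::::::::0000000000000000000000000000000096E3D9B0C023B825:'

# Print "FINGERPRINT KEYID BITS EXPIRY" for each usable primary key that can sign.
list_signing_keys() {
    awk -F: '
        $1 == "sec" {
            # Field 2 is validity (r = revoked, e = expired); field 12 is
            # capabilities, where lowercase "s" means this key itself can sign.
            want   = ($2 != "r" && $2 != "e" && $12 ~ /s/)
            keyid  = $5; bits = $3
            expiry = ($7 == "" ? "never" : $7)
            next
        }
        $1 == "ssb" { want = 0; next }   # skip subkeys and their fpr records
        $1 == "fpr" && want { print $10, keyid, bits, expiry; want = 0 }
    '
}

# Warn about keys under min_bits (an assumed local policy) or with no expiry.
audit_signing_keys() {
    min_bits=${1:-3072}
    list_signing_keys | while read -r fpr keyid bits expiry; do
        if [ "$bits" -lt "$min_bits" ]; then
            echo "$keyid: $bits-bit key is below the policy minimum of $min_bits"
        fi
        if [ "$expiry" = "never" ]; then
            echo "$keyid: key has no expiry date"
        fi
    done
}

# Print the git setting using the full fingerprint of the first signing key.
signingkey_command() {
    fpr=$(list_signing_keys | awk 'NR == 1 { print $1 }')
    if [ -n "$fpr" ]; then
        echo "git config --global user.signingkey $fpr"
    fi
}

printf '%s\n' "$SAMPLE" | audit_signing_keys
printf '%s\n' "$SAMPLE" | signingkey_command
```

Against a real keyring, pipe the output of gpg --list-secret-keys --with-colons into these functions in place of the sample.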