Question
I want to download a PGP key from a keyserver automatically using gpg like this:
gpg --searchkey carol@example.com
gpg is giving me this result.
gpg: searching for "carol@example.com" from hkp server pool.sks-keyservers.net
(1) <carol@example.com>
2048 bit RSA key 2F5E71CD, created: 2015-02-17
Keys 1-1 of 1 for "carol@example.com". Enter number(s), N)ext, or Q)uit >
If I want to add this key to my keyring I need to press "1" and ENTER.
My question is: is there a way to always automatically import the first key found on the keyserver into my keyring? If I want to do this for about 200 addresses, it would be nice to import them with a script, without sitting next to the computer and pressing "1" and Enter every time.
I know it is a security risk to always import the first key automatically, but importing the keys automatically does not mean that I also trust them automatically.
Answer 1:
Do not use mail addresses for finding keys when scripting. Anybody can upload keys with arbitrary user IDs in them; key servers do not check anything at all. It is even easily possible to calculate short key ID collisions. Trusting arbitrary keys on key servers provides a very, very dangerous, false assumption of safety.
For scripting purposes, always work with key fingerprints. These are secure against collision attacks and provide a unique identifier for OpenPGP keys (in theory they do not, but they provide a larger address space than UUIDs do, which in practice are considered unique).
To download a list of fingerprints, use something like:
gpg --recv-keys \
0D69E11F12BDBA077B3726AB4E1F799AA4FF2279 \
4AC1999F0BA293E8960AF2DA428C3085AF19CFE9 \
...
(alternatively, remove the backslashes and put everything on a single line)
To simply fetch all keys and validate trust another way (e.g. through the web of trust, but don't forget to do so), you have to script around GnuPG. Here is an example script originally posted on security.SE, which takes a file containing one mail address per line and fetches all matching keys:
#!/bin/sh
# Reads one mail address per line from the file given as $1, searches the
# keyserver for each address and fetches every key listed on a "pub" record.
while IFS= read -r line
do
    # --with-colons gives machine-readable output; field 2 of a "pub"
    # record is the key ID (the full fingerprint on current GnuPG versions)
    gpg --with-colons --batch --search-keys "$line" 2>/dev/null | \
    awk 'BEGIN { FS = ":" }; $1=="pub" { print $2 }' | \
    xargs -r gpg --recv-keys
done < "$1"
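As an added example (not code from the original answer or from GnuPG), the following POSIX shell script builds on the two points made above. It parses the same `--with-colons` search output the answer's script relies on, but only passes on records whose field 2 is a full 40-hex-digit fingerprint, discarding the short key IDs the answer warns are trivially collidable; and it reads a pinned fingerprint list the way the `--recv-keys` call above does, refusing any line that is not a fingerprint, so that nothing read from a file can be handed to gpg as a stray argument or option. The colon-format sample is constructed, the `GPG` variable is this example's own knob for dry runs rather than a gpg feature, and the fingerprints are the ones already shown in the answer.

```shell
#!/bin/sh
# Added example, not part of the original answer or of GnuPG: keep only full
# fingerprints out of `gpg --with-colons --batch --search-keys` output and out
# of a pinned list, so neither a short key ID nor an arbitrary input line ever
# reaches `gpg --recv-keys`.

# Constructed sample of --with-colons search output (not real keyserver data).
# Field 2 of a "pub" record is the key ID, printed as the full fingerprint by
# current GnuPG versions. The second "pub" record carries only a short key ID;
# the third is a malformed line that looks like a command-line option.
SAMPLE_SEARCH_OUTPUT='info:1:3
pub:0D69E11F12BDBA077B3726AB4E1F799AA4FF2279:1:2048:1424131200::
uid:carol@example.com::::
pub:2F5E71CD:1:2048:1424131200::
uid:carol@example.com::::
pub:--recv-keys:1:2048:::
uid:garbage::::'

# is_fingerprint STRING: succeed only if STRING is exactly 40 hex digits.
is_fingerprint() {
    case "$1" in
        ""|*[!0-9A-Fa-f]*) return 1 ;;
    esac
    [ "${#1}" -eq 40 ]
}

# extract_fingerprints: read --with-colons search output on stdin and print
# one validated fingerprint per line; everything else is reported on stderr.
extract_fingerprints() {
    awk -F: '$1 == "pub" { print $2 }' | while IFS= read -r id; do
        if is_fingerprint "$id"; then
            printf '%s\n' "$id"
        else
            printf 'skipping id that is not a full fingerprint: %s\n' "$id" >&2
        fi
    done
}

# count_sample_fingerprints: number of usable fingerprints in the sample.
count_sample_fingerprints() {
    printf '%s\n' "$SAMPLE_SEARCH_OUTPUT" | extract_fingerprints | wc -l | tr -d ' '
}

# fetch_pinned FILE: read one pinned fingerprint per line, drop every line
# that is not a full fingerprint, and fetch the survivors in one gpg call.
# GPG may be overridden (e.g. GPG=echo) to print the command instead of
# contacting a keyserver; the variable is an assumption of this example.
fetch_pinned() {
    fprs=""
    while IFS= read -r fpr || [ -n "$fpr" ]; do
        if is_fingerprint "$fpr"; then
            fprs="$fprs $fpr"
        else
            printf 'refusing line that is not a fingerprint: %s\n' "$fpr" >&2
        fi
    done < "$1"
    if [ -z "$fprs" ]; then
        printf 'no valid fingerprints in %s\n' "$1" >&2
        return 1
    fi
    # word splitting of $fprs is intended: every word was validated as hex
    ${GPG:-gpg} --batch --recv-keys $fprs
}

# When run directly, show which records of the sample would be fetched.
printf '%s\n' "$SAMPLE_SEARCH_OUTPUT" | extract_fingerprints
```

Running the script as-is prints the one usable fingerprint from the sample and reports the two rejected records on stderr; with a real pinned list, `fetch_pinned pinned.txt` performs the fetch, and `GPG=echo` first shows the exact `gpg --batch --recv-keys ...` command line that would run. After a real fetch, list each pinned fingerprint with `gpg --with-colons --list-keys <fingerprint>` to confirm that what landed in the keyring is the key you pinned and not merely a key found under the same address.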
Source: https://stackoverflow.com/questions/28565741/download-a-pgp-key-automaticly