How to add a gpg subkey to GitLab

Submitted by 白昼怎懂夜的黑 on 2021-02-08 03:06:48

Question


GitLab 9.5.0 adds support for checking the gpg signature of commits and display the verification status next to the commit hash (release note). This version, however, does not verify commits signed using subkeys (gitlab issue, support is planned).

Is it possible to export the subkeys in gpg and convert them into primary keys, such that these primary keys can be added to GitLab?


Answer 1:


EDIT Oct 2017

Since version 10.1 GitLab has native support for subkeys. You can simply add the full public key. Commits signed with subkeys show up as 'verified' if the email address of your key has been verified in GitLab.


Original answer

Although the original keyrings should not change, I recommend that you back up all your (public and secret) keyrings first! This solution is rather experimental!

Create a directory, e.g. sub2primary, and change into it, because the following commands will create quite a number of temporary files, which might mess up your home directory. I will assume the following setup

frank@7777a258a48e:~/sub2primary$ gpg2 --list-keys
/home/frank/.gnupg/pubring.kbx
------------------------------
pub   rsa1024/34171358 2017-08-30 [SC]
uid         [ultimate] Frank <frank@example.com>
sub   rsa1024/320752EA 2017-08-30 [S]
sub   rsa1024/BBA338AD 2017-08-30 [E]

on ubuntu 16.04.

Export subkeys

Firstly, you need to export your keys (public and private, primary and subkey) and break them into individual packets.

$ gpg2 --export frank@example.com | gpgsplit -vp pub
$ gpg2 --export-secret-keys frank@example.com | gpgsplit -vp sec

These two commands create a couple of files, each of which corresponds to a single packet. You can inspect the packets with pgpdump. We are interested in the files matching pub*.public_subkey and sec*.secret_subkey. Inspecting one of these files reveals

frank@7777a258a48e:~/sub2primary$ pgpdump sec000004-007.secret_subkey 
Old: Secret Subkey Packet(tag 7)(517 bytes)
...

that this is indeed a private subkey. If you have multiple subkeys (e.g. one for signing and one for encryption), I'm not sure how to identify the correct one. In this example, the packets with *000004-* will turn out to contain the keys used for signing. (In doubt, pick one and start over if it was the wrong one.)

Edit: gpg2 --list-packets <file> shows more information about a packet including the key id. This helps selecting the correct packet.

Convert to primary keys

Secondly, we need to convert these subkey packets (here pub000004-014.public_subkey and sec000004-007.secret_subkey) into primary key packets. In order to do this, you need a hex editor (vim -b is sufficient) and modify the first byte in each file. Replace the first byte of the public subkey with \x99, and the first byte of the secret subkey with \x95. If you work with vim -b, you can copy the first byte from the primary key files pub000001-006.public_key and sec000001-005.secret_key. (Don't mix public and secret!)

After this procedure pgpdump shows that the keys are now primary ones

frank@7777a258a48e:~/sub2primary$ pgpdump sec000004-007.secret_subkey
Old: Secret Key Packet(tag 5)(517 bytes)
...

Import primary keys

Next, we need to trick gpg into importing these broken packets (they have neither a user id nor a self-signature). To do this, simply copy them so that they can be used as keyrings

frank@7777a258a48e:~/sub2primary$ cp pub000004-014.public_subkey ~/.gnupg/tmp
frank@7777a258a48e:~/sub2primary$ cp sec000004-007.secret_subkey ~/.gnupg/sec_tmp 

As shown in the next printout, it is possible to tell gpg to use these modified keys.

frank@7777a258a48e:~/sub2primary$ gpg2 --no-default-keyring --keyring tmp --secret-keyring sec_tmp --list-secret-keys
/home/frank/.gnupg/tmp
----------------
sec   rsa1024/320752EA 2017-08-30 [SCEA]

frank@7777a258a48e:~/sub2primary$ gpg2 --no-default-keyring --keyring tmp --secret-keyring sec_tmp --list-keys
/home/frank/.gnupg/tmp
----------------
pub   rsa1024/320752EA 2017-08-30 [SCEA]

Adding user id

The last step consists of editing this key to add a user id.

frank@7777a258a48e:~/sub2primary$ gpg2 --no-default-keyring --keyring tmp --secret-keyring sec_tmp --edit-key 320752EA

The subcommand adduid will prompt for necessary information. Once you are done, save. This adds the user id and signs it automatically.

Export sub/primary key

Lastly, you can export the new primary key, which is identical to your old subkey. The output can be added to your profile on GitLab.

frank@7777a258a48e:~/sub2primary$ gpg2 --no-default-keyring --keyring tmp --secret-keyring sec_tmp --armor --export

You should not use the tmp keyrings or this rigged key for any other purposes! You can delete the temporary files once you have uploaded the key. Commits signed with your usual subkey will now show up as verified on GitLab.


Credit: This solution is inspired by http://atom.smasher.org/gpg/gpg-migrate.txt, which uses similar tools to solve a different problem.
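The hex-editor step in the answer above changes the packet-tag byte of an OpenPGP packet header. The following Python is an added example, not part of the original answer nor of GnuPG or gpgsplit: it performs the same rewrite programmatically and generalises it a little by parsing both old-format and new-format packet headers (RFC 4880, section 4.2), checking that the input really is a single subkey packet (tag 7 or 14) whose declared body length matches the file size, and rewriting the tag to 5 or 6 while preserving the length encoding. The sample packets are constructed for the demonstration and contain no real key material; the file names in the usage comment are the ones from the answer.

```python
"""Rewrite an OpenPGP subkey packet (tag 7 or 14) as a primary-key packet (tag 5 or 6).

Added example: it reproduces the "change the first byte" step from the answer
above for files produced by `gpgsplit`, and additionally handles new-format
packet headers, which encode the tag as 0xC0 | tag instead of
0x80 | (tag << 2) | length_type.
"""
import sys

# RFC 4880 packet tags
SECRET_KEY, PUBLIC_KEY, SECRET_SUBKEY, PUBLIC_SUBKEY = 5, 6, 7, 14
SUBKEY_TO_PRIMARY = {SECRET_SUBKEY: SECRET_KEY, PUBLIC_SUBKEY: PUBLIC_KEY}


def parse_header(packet: bytes):
    """Return (tag, header_length, body_length) for one OpenPGP packet."""
    if not packet or not packet[0] & 0x80:
        raise ValueError("not an OpenPGP packet: bit 7 of the first octet is clear")
    first = packet[0]
    if first & 0x40:                      # new-format header: 11tttttt
        tag = first & 0x3F
        l0 = packet[1]
        if l0 < 192:
            return tag, 2, l0
        if l0 < 224:
            return tag, 3, ((l0 - 192) << 8) + packet[2] + 192
        if l0 == 255:
            return tag, 6, int.from_bytes(packet[2:6], "big")
        raise ValueError("partial body lengths are not used for key packets")
    tag = (first >> 2) & 0x0F             # old-format header: 10tttt ll
    length_type = first & 0x03
    if length_type == 0:
        return tag, 2, packet[1]
    if length_type == 1:
        return tag, 3, int.from_bytes(packet[1:3], "big")
    if length_type == 2:
        return tag, 5, int.from_bytes(packet[1:5], "big")
    return tag, 1, len(packet) - 1        # indeterminate length: body runs to EOF


def subkey_to_primary(packet: bytes) -> bytes:
    """Return `packet` with its tag changed from subkey to primary key.

    Only the tag bits of the first octet change; the length encoding and the
    whole body (version, timestamp, algorithm, key material) stay untouched,
    which is why the v4 fingerprint, computed over the body, does not change.
    """
    tag, header_len, body_len = parse_header(packet)
    if tag not in SUBKEY_TO_PRIMARY:
        raise ValueError(f"packet tag {tag} is not a subkey packet (expected 7 or 14)")
    if header_len + body_len != len(packet):
        raise ValueError("declared body length does not match the packet size; "
                         "is this a single gpgsplit output file?")
    new_tag = SUBKEY_TO_PRIMARY[tag]
    first = packet[0]
    if first & 0x40:
        new_first = 0xC0 | new_tag
    else:
        new_first = 0x80 | (new_tag << 2) | (first & 0x03)
    return bytes([new_first]) + packet[1:]


# Constructed sample packets (no real key material): a 5-byte body under an
# old-format tag 14 header with a two-byte length (0xB9 00 05), and the same
# body under a new-format tag 7 header (0xC7 05).
SAMPLE_OLD_PUBLIC_SUBKEY = bytes([0xB9, 0x00, 0x05]) + b"\x04\x00\x00\x00\x01"
SAMPLE_NEW_SECRET_SUBKEY = bytes([0xC7, 0x05]) + b"\x04\x00\x00\x00\x01"


def convert_file(src: str, dst: str) -> int:
    """Rewrite the packet in `src` into `dst`; returns the tag of the result."""
    with open(src, "rb") as f:
        converted = subkey_to_primary(f.read())
    with open(dst, "wb") as f:
        f.write(converted)
    return parse_header(converted)[0]


if __name__ == "__main__":
    # e.g. python sub2primary.py pub000004-014.public_subkey tmp
    if len(sys.argv) != 3:
        sys.exit("usage: sub2primary.py <subkey packet file> <output file>")
    print("wrote packet with tag", convert_file(sys.argv[1], sys.argv[2]))
```

Because gpgsplit writes exactly one packet per file, the length check doubles as a guard against pointing the script at the wrong file (a whole exported key, say). The key ID the answer shows for the rigged key, 320752EA, is the subkey's own ID: a v4 fingerprint is computed over the key packet body prefixed with 0x99 and the body length regardless of whether the packet was a subkey or a primary key, so retagging leaves it unchanged, and that is what lets GitLab match the uploaded key against commits signed with the subkey. As in the answer, confirm the result with pgpdump or gpg2 --list-packets before importing it.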



Source: https://stackoverflow.com/questions/45965240/how-to-add-a-gpg-subkey-to-gitlab
