- 在线时间
- 3253 小时
- 最后登录
- 2013-5-28
- 阅读权限
- 180
- 积分
- 36136
- UID
- 4205
- 注册时间
- 2002-1-23
- 帖子
- 27645
- 精华
- 7
|
94嘛,学无止境嘛~~~~~
数字签名,用privatekey签名用publickey校验
签名
gpg -u takelook -o test.sig --sign test.txt
校验
gpg --verify test.sig
gpg: Signature made 03/24/06 17:19:58 using DSA key ID 751B09D5
gpg: Good signature from "takelook (Individual) <takelook@gmail.com>"
恢复
gpg -o t.txt -d test.sig
还有一种叫作clearsign,也就是不压缩只是把签名付上去,发邮件中可以用
gpg -u takelook --clearsign test.txt
如果文件被改动,那么校验的结果就会失败,这也是数字签名的意义
gpg --verify test.sig
gpg: [don't know]: invalid packet (ctb=00)
gpg: Signature made 10/07/80 12:00:57 using ? key ID 6E400000
gpg: Can't check signature: unknown digest algorithm
gpg: [don't know]: invalid packet (ctb=00)
上面的都是源文件被签名后,面目全非,必须用publickkey恢复,还有一种
Detached signatures 分离签名
gpg -u takelook -o test.sig --detach-sig test.txt
校验
gpg --verify test.sig test.txt
gpg: Signature made 03/24/06 17:41:53 using DSA key ID 751B09D5
gpg: Good signature from "takelook (Individual) <takelook@gmail.com>"
这种技术也被软件发布时广泛使用,来确认文件本身确实是官方发布的。
比如gunpg,先保存它的公钥到文本文件gnupg.gpg,http://www.gnupg.org/(en)/signature_key.html
导入
gpg --import gnupg.gpg
gpg: key 57548DCD: public key "Werner Koch (gnupg sig) <dd9jn@gnu.org>" imported
gpg: key 1CE0C630: public key "Werner Koch (dist sig) <dd9jn@gnu.org>" imported
gpg: Total number processed: 2
gpg: imported: 2 (RSA: 1)
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 2 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 2u
校验
gpg --verify gnupg-w32cli-1.4.2.2.exe.sig gnupg-w32cli-1.4.2.2.exe
gpg: Signature made 03/08/06 17:18:20 using RSA key ID 1CE0C630
gpg: Good signature from "Werner Koch (dist sig) <dd9jn@gnu.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 7B96 D396 E647 1601 754B E4DB 53B6 20D0 1CE0 C630
那个指纹是要确认的,防止第3方假冒
更详细的信息可以在这儿找到
http://www.glump.net/dokuwiki/gpg/gpg_intro
Okay,什么叫安全,什么叫永远,现在明白了
下课~~~ |
|