A Few GNU-Privacy Guard Notes
This page should provide a quick reference to some of the common GNU Privacy Guard commands and a few issues.
Finding the Key ID
You need to have a key ID before you can request a key from a server.
Look at the top of an email for the signer, for example:
Message was signed by Unknown Key 20B19259
Receiving a Key from a Server
[pete@nebula pete]$ gpg --keyserver certserver.pgp.com --recv-key 20B19259
gpg: Warning: using insecure memory!
gpg: requesting key 20B19259 from certserver.pgp.com ...
gpg: key 20B19259: public key imported
gpg: sig 20B19259.69: duplicated certificate - deleted
gpg: sig 20B19259.69: duplicated certificate - deleted
gpg: sig 20B19259.69: duplicated certificate - deleted
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
Listing Keys
[pete@nebula pete]$ gpg --list-key
gpg: Warning: using insecure memory!
/home/pete/.gnupg/pubring.gpg
-----------------------------
pub 1024D/2442DB43 2001-07-31 Pete Nesbitt (Promoting the Bird) <peternola.bc.ca>
sub 1024g/01AF5D44 2001-07-31
pub 1024D/7FE12896 2001-08-01 Pete Nesbitt <pmnesbitt@home.com>
sub 1024g/2BDB90AC 2001-08-01
pub 1024R/20B19259 2000-09-20 CERT Coordination Center <cert@cert.org>
Sending a Key to a Server
[pete@nebula pete]$ gpg --keyserver certserver.pgp.com --send-key pmnesbitt@home.com
gpg: Warning: using insecure memory!
gpg: success sending to `certserver.pgp.com' (status=200)
[pete@nebula pete]$
Key Servers and Firewalls
The --keyserver option will accept a port as part of its argument.
If your connection times out, your local firewall may be blocking the connection, often to LDAP port 389, but not always.
Try using http on port 80 by appending it to the server name.
For example:
gpg --keyserver certserver.pgp.com:80 --recv-key 20B19259
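Added example, not part of the original notes: a small POSIX sh helper that works on the two text formats shown above, the mail client's "Message was signed by ..." line and the gpg --list-key listing, and decides whether a signer's key still has to be fetched. The sample listing is copied from the listing above; the 0BADF00D key ID used in the demo is constructed, and the script only prints the gpg arguments it would use (with the optional host:port form) instead of running gpg.

```sh
#!/bin/sh
# Added example, not from the original notes: decide whether a signer's key
# must be fetched, using the text formats shown on this page.

# Constructed sample of `gpg --list-key` output, copied from the listing above.
SAMPLE_LISTING='pub  1024D/2442DB43 2001-07-31 Pete Nesbitt (Promoting the Bird) <peternola.bc.ca>
sub  1024g/01AF5D44 2001-07-31
pub  1024D/7FE12896 2001-08-01 Pete Nesbitt <pmnesbitt@home.com>
sub  1024g/2BDB90AC 2001-08-01
pub  1024R/20B19259 2000-09-20 CERT Coordination Center <cert@cert.org>'

# Pull the 8-hex-digit short key ID out of a mail client's signer line
# ("Message was signed by Unknown Key 20B19259"). A short ID is only a lookup
# handle; compare the full fingerprint before trusting the key.
# Prints nothing and returns 1 when the line carries no key ID.
signer_key_id() {
    id=$(printf '%s\n' "$1" | sed -n 's/.*[Kk]ey \([0-9A-Fa-f]\{8\}\).*/\1/p')
    [ -n "$id" ] || return 1
    printf '%s\n' "$id"
}

# Return 0 when a "pub" line for key ID $1 exists in the listing given as $2.
# Only pub lines count: a matching "sub" line is a subkey, not a primary key.
keyring_has_key() {
    printf '%s\n' "$2" | grep -q "^pub  *[0-9]*[A-Za-z]/$1 "
}

# Build the gpg arguments for fetching key ID $1 from server $2. An optional
# port $3 is appended as host:port, the firewall workaround described above.
recv_args() {
    server=$2
    [ -n "$3" ] && server="$server:$3"
    printf '%s %s %s %s\n' --keyserver "$server" --recv-key "$1"
}

# For one signer line: print "have <id>" if the key is already local,
# otherwise the gpg arguments that would fetch it. Nothing is executed.
plan_for_signer() {
    keyid=$(signer_key_id "$1") || { echo "no key id in signer line"; return 1; }
    if keyring_has_key "$keyid" "$2"; then
        echo "have $keyid"
    else
        recv_args "$keyid" "$3" "$4"
    fi
}

# Demo: the CERT key is in the sample listing; 0BADF00D is a constructed ID
# that is not, so it would be fetched from the server on port 80.
plan_for_signer "Message was signed by Unknown Key 20B19259" "$SAMPLE_LISTING" certserver.pgp.com
plan_for_signer "Message was signed by Unknown Key 0BADF00D" "$SAMPLE_LISTING" certserver.pgp.com 80
```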
Eliminating "using insecure memory" warnings
This is very important if others have access to your system.
gpg prints this warning when it cannot lock its memory pages, which requires root privileges; without locking, secret key material may be swapped out to disk. To force gpg to run as user root, set the executable to SUID:
[root@nebula /root]# ls -al /usr/bin/gpg
-rwxr-xr-x 1 root root 542396 Feb 27 13:18 /usr/bin/gpg
[root@nebula /root]# chmod u+s /usr/bin/gpg
[root@nebula /root]# ls -l /usr/bin/gpg
-rwsr-xr-x 1 root root 542396 Feb 27 13:18 /usr/bin/gpg
PGP & GNU-PG Compatibility Notes
- Why would your signature be invalid?
On the PGP side, you apparently have to validate the signer's key yourself before PGP acknowledges the signature as valid:
you need to "sign" the key to say that you trust it.
- The Netscape plugin broke PGP on Windows 95 with Netscape 6.
- In GNU-PG you need to force --compress-algo 1 --cipher-algo 3des for PGP to be able to read the output.
Sample command line:
"gpg -o ./testtowin --compress-algo 1 --cipher-algo 3des -r pete_nesbitt@yahoo.com -e testtoencr"
Note: both options can go into the ~/.gnupg/options file (without the leading dashes) so they also apply to other applications, such as your mail client:
compress-algo 1
cipher-algo 3des
- You need some kind of plugin for email; without it you cannot read any encrypted mail you send out, because you (most likely) do not have the recipient's private key to decrypt it.
- By default, it was set to sync with the key server when encrypting to an unknown key or when verifying a signature.
You may prefer not to enable these.
- Kmail auto-decrypts and handles the line returns correctly. PGP for Windows fails at the line-return characters (but see the Eudora section).
Eudora & PGP supplied Plugin:
- Eudora on Windows 95, with PGP (and its included plugin), works fine. It handles line returns correctly but does not auto-decrypt, even though the option is selected in the email tab of the PGP settings (available through the Eudora settings).
You also have to open the message; it will not decrypt in the preview window.
- Messages are sent as attachments, which is a real pain, especially since they are not titled: just a blank email with an attachment. Scary!
- Even worse, your encrypted outgoing messages are saved in the outbox as a blank email with an attachment (that you can at least read).
I sent an email with a title of "Eudora Encryption Test"; it saved it as an encrypted attachment named c:\windows\temp\mimd0f2.msg. How intuitive!
- I have not yet tried GNU PG for Windows. The people who would be using it want/need the GUI that PGP offers.
I am sure that if a GNU PG graphical front end were available, Privacy Guard would be the better solution.
It works so well with Linux, but then again... what did you expect?
original document created by Pete Nesbitt, August 2001