Crypto, Certs, Digests, & All That

GNU Privacy Guard

In Fedora, GNU Privacy Guard comes in two flavors: GnuPG2 (command gpg2, package gnupg2) and GnuPG (command gpg, package gnupg). GnuPG2 is the "modern" branch of GNU Privacy Guard, and GnuPG is the "classic" branch:

-> gpg2 --version | head -2
gpg (GnuPG) 2.1.7
libgcrypt 1.6.3
-> gpg --version | head -1
gpg (GnuPG) 1.4.19

The main additions to GnuPG2 include support for S/MIME and smart cards, gpg-agent, and a modular build. The two flavors look to be otherwise interchangeable with respect to invocation.

To list the public keys in your keyring:

-> gpg --list-keys
pub   4096R/57BBCCBA 2009-07-29
uid                  Fedora (12) <>

pub   4096R/E8E40FDE 2010-01-19
uid                  Fedora (13) <>

To delete a public key:

-> gpg --delete-key E8E40FDE
pub  4096R/E8E40FDE 2010-01-19 Fedora (13) <>

Delete this key from the keyring? (y/N) y

You can omit the interactive confirmation like so:

-> gpg --batch --yes --delete-key "Fedora (12) <>"

To change the passphrase protecting your private key, use the passwd command from within the key editor:

-> gpg --edit-key Test
Secret key is available.

pub  2048R/4549D949  created: 2011-12-13  expires: never       usage: SC  
                     trust: ultimate      validity: ultimate
sub  2048R/4B121B1A  created: 2011-12-13  expires: never       usage: E   
[ultimate] (1). Test Key (A key for testing and trying GnuPG.)

gpg> passwd
Key is protected.

You need a passphrase to unlock the secret key for ...
Enter the new passphrase for this secret key.
gpg> quit
Save changes? (y/N) y

GPG Agent

GnuPG2's gpg-agent, a daemon, remembers a private key's passphrase during a login session. When gpg2 first needs a private key, gpg-agent prompts for that key's passphrase. If another gpg2 process subsequently needs this key, gpg-agent quietly supplies the passphrase without additional prompting. For symmetric encryption, gpg-agent also handles prompting the user for a passphrase, but it does not record the passphrase.

gpg-agent's configuration file is ~/.gnupg/gpg-agent.conf.

Users typically don't start gpg-agent themselves: if a GnuPG2 command needs gpg-agent's services while the agent is not running, the command starts the agent automatically. (See: Invoking GPG-AGENT)

Package gnupg2 provides gpg-agent.

GNOME Keyring Agent

There are several related auto-start files (.desktop) in /etc/xdg/autostart with prefix "gnome-keyring-"; e.g., gnome-keyring-ssh.desktop.

Message Digests

The simple string "abc" (without enclosing quotation marks) is a convenient input to informally compare digest utilities (cf. NSRL Test Data):

-> echo -n abc > abc.txt
-> wc --bytes abc.txt 
3 abc.txt

Be careful to use option -n so that echo excludes a trailing newline, which it would append by default:

-> echo abc | wc --bytes
4

You can use shasum (package perl-Digest-SHA) to compute SHA (Secure Hash Algorithm) digests of a file or input stream. It offers SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, and SHA-512/256. For example:

-> shasum abc.txt 
a9993e364706816aba3e25717850c26c9cd0d89d  abc.txt
-> shasum --algorithm 1 abc.txt 
a9993e364706816aba3e25717850c26c9cd0d89d  abc.txt
-> shasum --algorithm 256 abc.txt 
ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  abc.txt

You can similarly use GNU's sha1sum, sha224sum, sha256sum, sha384sum, and sha512sum (package coreutils) instead:

-> sha1sum abc.txt 
a9993e364706816aba3e25717850c26c9cd0d89d  abc.txt
-> sha256sum abc.txt 
ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  abc.txt

You can typically use these tool kits interchangeably because they produce the same output format when computing digests and expect the same input format when checking digests. For example:

-> shasum -a 512 abc.txt xyz.txt > abc-xyz.sha512
-> sha512sum --check abc-xyz.sha512 
abc.txt: OK
xyz.txt: OK

There are potential subtleties to be aware of, however. shasum offers a Universal Newlines mode and a BITS mode, but the GNU commands do not support these modes. And the GNU commands can optionally write and check the BSD-style formats, which shasum spurns.
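The following script is an added example, not part of the original page. It ties the trailing-newline caveat to manifest checking with the GNU tools, and shows that --check exits successfully on a manifest containing a malformed line unless --strict is given. It assumes GNU coreutils; the function names, scratch directory and MANIFEST.sha256 file name are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original page). Assumes GNU coreutils sha256sum.
# File names, directory layout and function names are constructed for the demo.

# Print only the hex digest of stdin.
digest_of_stdin() {
    sha256sum | cut -d ' ' -f 1
}

# Create a scratch directory holding two sample files and a manifest.
make_fixture() {
    dir=$(mktemp -d) || return 1
    printf 'abc' > "$dir/abc.txt"        # printf never appends a newline
    printf 'xyz' > "$dir/xyz.txt"
    ( cd "$dir" && sha256sum abc.txt xyz.txt > MANIFEST.sha256 )
    printf '%s\n' "$dir"
}

# Fail closed: nonzero if any file is missing or altered, or (with --strict)
# if any manifest line is malformed. --status suppresses all output.
verify_manifest() {
    ( cd "$1" && sha256sum --check --strict --status MANIFEST.sha256 )
}

# Same check without --strict, to show what the flag changes.
verify_manifest_lenient() {
    ( cd "$1" && sha256sum --check --status MANIFEST.sha256 )
}

# Run the cases in order and print one result word per case.
demo() {
    d=$(make_fixture) || return 1
    verify_manifest "$d" && echo intact || echo FAILED
    echo 'not a checksum line' >> "$d/MANIFEST.sha256"
    verify_manifest_lenient "$d" && echo lenient-accepts || echo lenient-rejects
    verify_manifest "$d" && echo strict-accepts || echo strict-rejects
    printf 'abd' > "$d/abc.txt"          # same length, one byte changed
    verify_manifest_lenient "$d" && echo tamper-missed || echo tamper-detected
    rm -rf "$d"
}

demo
```

In scripts, test the exit status rather than parsing the "OK" lines, and keep the manifest itself somewhere an attacker who can alter the files cannot also rewrite it.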

You can use md5sum (package coreutils) to compute or check the MD5 digest of a file's contents:

-> md5sum abc.txt 
900150983cd24fb0d6963f7d28e17f72  abc.txt
-> md5sum abc.txt > abc.md5
-> md5sum --check abc.md5 
abc.txt: OK

Wikipedia's MD5 article notes that MD5 hashes are no longer secure and should be replaced by SHA-2 hashes.

You can use OpenSSL's command dgst to compute various digests as well:

-> openssl dgst abc.txt
MD5(abc.txt)= 900150983cd24fb0d6963f7d28e17f72
-> openssl dgst -md5 abc.txt
MD5(abc.txt)= 900150983cd24fb0d6963f7d28e17f72
-> openssl dgst -sha1 abc.txt
SHA1(abc.txt)= a9993e364706816aba3e25717850c26c9cd0d89d

See man page dgst for yet more digests. Add option -r to get the output format that the GNU digests write:

-> openssl dgst -sha1 -r abc.txt
a9993e364706816aba3e25717850c26c9cd0d89d *abc.txt

The asterisk indicates binary-mode format, in particular.

The GUI tool GtkHash displays multiple digests for a file; it offers over two dozen algorithms. Open it with command gtkhash for GTK+2 (package gtkhash) or gtkhash3 for GTK+3 (package gtkhash3). There is no man page. Plugins for Nautilus (package gtkhash-nautilus) and Thunar (package gtkhash-thunar) add a Digests tab to a file's Properties dialog.