Get key signature/fingerprint for GPG Public Key - gpg-signature

How can I get the key signature from a GPG Public Key? For example, I need a signature for Spotify's public key here:
https://download.spotify.com/debian/pubkey.gpg
Something like this, but for GPG Keys.
This is as far as I've got:
$ gpg pubkey.gpg
pub 4096R/130D1D45 2019-07-15 Spotify Public Repository Signing Key <tux@spotify.com>

Download the key, import it, extract the email and run gpg --fingerprint.
cd ~
curl -O https://download.spotify.com/debian/pubkey.gpg
gpg --import ~/pubkey.gpg
gpg --fingerprint tux@spotify.com
# 2EBF 997C 15BD A244 B6EB F5D8 4773 BD5E 130D 1D45
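
As an added example (not part of the original answer), the fingerprint can also be computed straight from the key file without importing it into a keyring. This Python code follows RFC 4880 for version 4 keys and goes beyond the gpg commands above; the function names and the sample packet are constructed for illustration.

```python
import base64
import hashlib

def dearmor(data: bytes) -> bytes:
    """Return binary OpenPGP data from ASCII-armored or already-binary input."""
    if not data.lstrip().startswith(b"-----BEGIN PGP"):
        return data
    lines = data.strip().splitlines()
    start = next(i for i, l in enumerate(lines) if not l.strip()) + 1  # after armor headers
    body = [l for l in lines[start:-1] if not l.startswith(b"=")]      # drop the CRC24 line
    return base64.b64decode(b"".join(body))

def first_packet(data: bytes):
    """Parse one packet header (RFC 4880, section 4.2); return (tag, body)."""
    hdr = data[0]
    if not hdr & 0x80:
        raise ValueError("not an OpenPGP packet")
    if hdr & 0x40:                                   # new-format header
        tag, first = hdr & 0x3F, data[1]
        if first < 192:
            length, off = first, 2
        elif first < 224:
            length, off = ((first - 192) << 8) + data[2] + 192, 3
        elif first == 255:
            length, off = int.from_bytes(data[2:6], "big"), 6
        else:
            raise ValueError("partial body length is not valid for a key packet")
    else:                                            # old-format header
        tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not supported")
        length, off = int.from_bytes(data[1:1 + (1 << ltype)], "big"), 1 + (1 << ltype)
    return tag, data[off:off + length]

def fingerprint(key_bytes: bytes) -> str:
    """SHA-1 over 0x99 || 2-byte length || public-key packet body (v4 keys)."""
    tag, body = first_packet(dearmor(key_bytes))
    if tag != 6 or body[0] != 4:
        raise ValueError("expected a version 4 public-key packet first")
    return hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).hexdigest().upper()

def key_ids(fpr: str):
    """Long and short key IDs are the low 64 and 32 bits of the fingerprint."""
    return fpr[-16:], fpr[-8:]

def build_sample_packet() -> bytes:
    """Constructed sample: v4 RSA public-key packet with a made-up modulus."""
    body = (b"\x04" + bytes(4) + b"\x01" + (1024).to_bytes(2, "big") + b"\xc3"
            + bytes(range(1, 128)) + (17).to_bytes(2, "big") + b"\x01\x00\x01")
    return b"\x99" + len(body).to_bytes(2, "big") + body
```

For a downloaded file, call fingerprint(open("pubkey.gpg", "rb").read()); the result only authenticates the key when it is compared against a fingerprint obtained over a separate trusted channel.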


git-secret: gpg: [don't know]: partial length invalid for packet type 20 in the gitlab ci job

I have trouble with git secret in the GitLab CI jobs.
What I've done:
init, add users, add files, hide them using git secret
create a job where I want to reveal files:
git secret:
  stage: init
  before_script:
    - sh -c "echo 'deb https://gitsecret.jfrog.io/artifactory/git-secret-deb git-secret main' >> /etc/apt/sources.list"
    - wget -qO - 'https://gitsecret.jfrog.io/artifactory/api/gpg/key/public' | apt-key add -
    - apt-get update && apt-get install -y git-secret
  script:
    - echo $GPG_PRIVATE_KEY | tr ',' '\n' > ./pkey.gpg
    - export GPG_TTY=$(tty)
    - gpg --batch --import ./pkey.gpg
    - git secret reveal -p ${GPG_PASSPHRASE}
Result logs:
...
$ gpg --batch --import ./pkey.gpg
gpg: directory '/root/.gnupg' created
gpg: keybox '/root/.gnupg/pubring.kbx' created
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key SOMEKEY: public key "Email Name <ci@email.com>" imported
gpg: key SOMEKEY: secret key imported
gpg: Total number processed: 1
gpg: imported: 1
gpg: secret keys read: 1
gpg: secret keys imported: 1
$ git secret reveal -p ${GPG_PASSPHRASE}
gpg: [don't know]: partial length invalid for packet type 20
git-secret: abort: problem decrypting file with gpg: exit code 2: /path/to/decrypted/file
I don't understand where the problem is. What does packet type 20 mean? And the length of what?
Locally it revealed fine. Command git secret whoknows shows that email on the ci env can decrypt. Passphrase checked and passed to the job.
For me, the problem was the GnuPG versions being different between the encryption machine (v2.3) and the decryption side (v2.2).
After I downgraded it to v2.2 (due to v2.3 not yet being available on Debian), the problem went away.
This is a common problem with the format of the keys.
Since you're using GitLab CI, you should take advantage of the File type in the CI/CD Variables instead of storing the value of the GPG key as a Variable type.
First of all, forget about generating the armor in one line with the piped | tr '\n' ',' and get the proper multiline armor.
Second, add it to your GitLab CI Variables with type "File", add an empty line at the end and then delete it (this seems stupid but will save you headaches, since it seems to be a problem when copying directly from the shell to the textbox in GitLab).
Third, import the file directly into your keychain:
gpg --batch --import $GPG_PRIVATE_KEY

Duplicating an ssh private key file

I have a private key under ~/.ssh/id_rsa. Running ssh-keygen -l -f ~/.ssh/id_rsa confirms that the key is valid.
I'm trying to create another file containing this key. For example,
cp ~/.ssh/id_rsa ~/.ssh/id_rsa.dupe
chmod 0400 ~/.ssh/id_rsa (to make permissions the same for both files)
But when I run ssh-keygen -l -f ~/.ssh/id_rsa.dupe, I get ~/.ssh/id_rsa.dupe is not a key file.
This is expected behavior. ssh-keygen -l refers to a public key file, per its documentation:
-l Show fingerprint of specified public key file.
If you want to generate a private key and generate a public key, you can use -y to do that:
ssh-keygen -y -f ~/.ssh/id_rsa.dupe >~/.ssh/id_rsa.dupe.pub
ssh-keygen -l -f ~/.ssh/id_rsa.dupe.pub

Why does importing the GPG key for the mono repo fail?

When following the steps to set up mono on the following site, it fails to import the GPG key for the repo.
https://www.mono-project.com/download/stable/#download-lin-centos
This is happening on CentOS machines running both 6.x and 7.x.
rpm --import "https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x3FA7E0328081BFF6A14DA29AA6A19B38D3D831EF"
error: https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x3FA7E0328081BFF6A14DA29AA6A19B38D3D831EF: key 1 not an armored public key.
This appears to be due to a missing newline at the end of the key file. If you open the key with vi and save it, without making any changes (this is one way to ensure there is a newline at the end of the file), the import works.
curl -v "https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x3FA7E0328081BFF6A14DA29AA6A19B38D3D831EF" -okey
vi key
# don't modify, just save it with ":wq"
rpm --import key
Another way to add the newline to the end of the file: https://unix.stackexchange.com/a/31955
sed -i -e '$a\' key
see https://github.com/mono/mono/issues/15955
I used this workaround to then download. See https://github.com/mono/mono/issues/16025
rpm --import https://download.mono-project.com/repo/xamarin.gpg
su -c 'curl https://download.mono-project.com/repo/centos7-stable.repo | tee /etc/yum.repos.d/mono-centos7-stable.repo'

Duplicity is arguing BackendException: ssh connection to my server:22 failed: not a valid OPENSSH private key file

Thanks to maybeg, I've managed to back up my data from home to an external server (an Amazon one).
As I don't want to back up company data to Amazon, I tried with an internal backup server.
I then used this command. (I have my own key)
docker run -d --name volumerize \
  -v /MyFolder/Keys/:/MyFolder/Keys/ \
  -v jenkins_volume:/source:ro \
  -v backup_volume:/backup \
  -e 'VOLUMERIZE_SOURCE=/source' \
  -e "VOLUMERIZE_TARGET=scp://myuser@mybackupserver/home/myuser/" \
  -e 'VOLUMERIZE_DUPLICITY_OPTIONS=--ssh-options "-i /MyFolder/Keys/myuserkey"' \
  -e 'PASSPHRASE="mypassphrase"' blacklabelops/volumerize
When using the duplicity backup command, inside or outside the container, I get the following error:
/usr/lib/python2.7/site-packages/paramiko/ecdsakey.py:200: DeprecationWarning: signer and verifier have been deprecated. Please use sign and verify instead.
signature, ec.ECDSA(self.ecdsa_curve.hash_object())
BackendException: ssh connection to myuser@mybackupserver:22 failed: not a valid OPENSSH private key file
Strangely, inside or outside the volumerize container, the following is running properly.
ssh -i /MyFolder/Keys/myuserkey myuser@mybackupserver
key_load_public: invalid format
Enter passphrase for key '/MyFolder/Keys/myuser':
[myuser@mybackupserver ~]$
Editing the backup file, for example, gives me the following:
#!/bin/bash
set -o errexit
source /etc/volumerize/stopContainers
duplicity $@ --allow-source-mismatch --archive-dir=/volumerize-cache --ssh-options "-i /MyFolder/Keys/myuserkey" /source scp://myuser@mybackupserver/home/myuser/
source /etc/volumerize/startContainers
I've tried to check the env variables inside the container; please find below what I have (note that the passphrase has been added as an env variable as found here):
HOSTNAME=b68f0e1a2d45
TERM=xterm
BLACKLABELOPS_HOME=/var/blacklabelops
GOOGLE_DRIVE_CREDENTIAL_FILE=/credentials/googledrive.cred
VOLUMERIZE_HOME=/etc/volumerize
VOLUMERIZE_SOURCE=/source
DOCKERIZE_VERSION=v0.5.0
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/etc/volumerize
VOLUMERIZE_TARGET=scp://myuser@mybackupserver/home/myuser/
PWD=/etc/volumerize
VOLUMERIZE_DUPLICITY_OPTIONS=--ssh-options "-i /MyFolder/Keys/myuserkey"
VOLUMERIZE_CACHE=/volumerize-cache
GPG_TTY=/dev/console
SHLVL=1
HOME=/root
no_proxy=*.local, 169.254/16
GOOGLE_DRIVE_SETTINGS=/credentials/cred.file
PASSPHRASE="mypassphrase"
_=/usr/bin/env
Can someone point me in the right direction ?
Regards,
pierre
Edit1 :
I tried to compare both private key file (Amazon and Company) using
openssl rsa -in yourkey.pem -check and both says
RSA key ok
writing RSA key
-----BEGIN RSA PRIVATE KEY-----
....
-----END RSA PRIVATE KEY-----
Edit2 :
1 . Had a look without any success at duplicity-backendexception
For information, Paramiko version is 2.2.1
Connection is successful using the following python script.
import paramiko
import StringIO
f = open('/MyFolder/Keys/myuserkey','r')
s = f.read()
keyfile = StringIO.StringIO(s)
mykey = paramiko.RSAKey.from_private_key(keyfile,password='mypassphrase')
ssh = paramiko.SSHClient()
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
ssh.connect('mybackupserver',username='mouser',pkey=mykey)
stdin, stdout, stderr = ssh.exec_command('uptime')
stdout.readlines()
[u' 12:35:27 up 3 days, 1:42, 0 users, load average: 1.59, 3.10, 3.00\n']
try the pexpect+scp:// backend (more on available ssh backends can be found in the duplicity manpage http://duplicity.nongnu.org/duplicity.1.html ).
it uses the command line ssh binaries. maybe the error is different or more detailed there?
the error on
ssh -i /MyFolder/Keys/myuserkey myuser@mybackupserver
key_load_public: invalid format
does not seem normal. try to provide the public key in the proper format or not at all.
..ede/duply.net

How to generate gpg signing keys in bintray for jcenter in windows

I am unable to get GPG signing keys. Please, can anyone tell me? Thanks.
How to generate GPG signing keys in Windows for jcenter
For Linux/Mac you can use gpg. I learned how to do this here. I needed to prefix the following commands with sudo.
Generate the keys
gpg --gen-key
Follow the defaults but enter your name and email and optionally a password.
List the keys.
gpg --list-keys
which should show something like this:
pub 2038R/91E83BF2 2017-05-13
uid Bob <name@example.com>
sub 2038R/E3872671 2017-05-13
Upload the public key to a keyserver
gpg --keyserver hkp://pool.sks-keyservers.net --send-keys PUBLIC_KEY_ID
replacing PUBLIC_KEY_ID with your id (91E83BF2 in the example above).
Export your public and private keys to a text file
gpg -a --export name@example.com > public_key_sender.asc
gpg -a --export-secret-key name@example.com > private_key_sender.asc
Copy the contents of these files to Bintray at Edit Profile > GPG signing.
Windows users can generate GPG keys using GPG4Win.
There are many tutorials available, for example this one.
Here is a nice tutorial for generating a GPG key: https://help.github.com/articles/generating-a-new-gpg-key/
Some notes:
- For Ubuntu 14.04 we need to use gpg --gen-key instead of gpg --full-generate-key: https://askubuntu.com/questions/1019793/how-to-solve-gpg-invalid-option-full-generate-key
- For generating the private key:
gpg --armor --export-secret-keys {sec_value}
e.g.: gpg --armor --export-secret-keys 3AA5C34371567BD2
- When copying the public key or private key, remember to copy ALL of it (including -----BEGIN ...----- and -----END ...-----).
I found a solution; I needed it to configure GPG signing in Bintray. If you have not created GPG keys, follow this tutorial: https://help.github.com/articles/generating-a-new-gpg-key/
After you have created the GPG keys, if you do not know how to copy the private key in armored form, follow these steps in Git Bash:
list private keys: gpg --list-secret-keys
copy the long string after (or below) [SC]
export the armored private key: gpg --export-secret-keys --armor string you have copied > private_key.asc
open private_key.asc with an editor (I used Sublime Text), and copy your private key
Hope it helps