document/TranslateProject
2
0
Fork 0
mirror of https://github.com/LCTT/TranslateProject.git synced 2024-12-26 21:30:55 +08:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #8128 from geekpi/master

Browse Source 
translated
This commit is contained in:
geekpi 2018-03-14 08:57:02 +08:00 committed by GitHub
commit 73c10b0eab
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 110 additions and 113 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

113
sources/tech/20180228 Protecting Code Integrity with PGP - Part 3- Generating PGP Subkeys.md
View File

@ -1,113 +0,0 @@
translating---geekpi
Protecting Code Integrity with PGP — Part 3: Generating PGP Subkeys
======
![](https://www.linux.com/sites/lcom/files/styles/rendered_file/public/binary.jpg?itok=h62HujOC)
In this tutorial series, we're providing practical guidelines for using PGP. Previously, we provided an introduction to [basic tools and concepts][1], and we showed how to [generate and protect your master PGP key][2]. In this third article, we'll explain how to generate PGP subkeys, which are used in daily work.
### Checklist
1. Generate a 2048-bit Encryption subkey (ESSENTIAL)
2. Generate a 2048-bit Signing subkey (ESSENTIAL)
3. Generate a 2048-bit Authentication subkey (NICE)
4. Upload your public keys to a PGP keyserver (ESSENTIAL)
5. Set up a refresh cronjob (ESSENTIAL)
#### Considerations
Now that we've created the master key, let's create the keys you'll actually be using for day-to-day work. We create 2048-bit keys because a lot of specialized hardware (we'll discuss this more later) does not handle larger keys, but also for pragmatic reasons. If we ever find ourselves in a world where 2048-bit RSA keys are not considered good enough, it will be because of fundamental breakthroughs in computing or mathematics and therefore longer 4096-bit keys will not make much difference.
##### Create the subkeys
To create the subkeys, run:
```
$ gpg --quick-add-key [fpr] rsa2048 encr
$ gpg --quick-add-key [fpr] rsa2048 sign
```
You can also create the Authentication key, which will allow you to use your PGP key for ssh purposes:
```
$ gpg --quick-add-key [fpr] rsa2048 auth
```
You can review your key information using gpg --list-key [fpr]:
```
pub rsa4096 2017-12-06 [C] [expires: 2019-12-06]
111122223333444455556666AAAABBBBCCCCDDDD
uid [ultimate] Alice Engineer <alice@example.org>
uid [ultimate] Alice Engineer <allie@example.net>
sub rsa2048 2017-12-06 [E]
sub rsa2048 2017-12-06 [S]
```
##### Upload your public keys to the keyserver
Your key creation is complete, so now you need to make it easier for others to find it by uploading it to one of the public keyservers. (Skip the step if you're not planning to actually use the key you've created, as this just litters keyservers with useless data.)
```
$ gpg --send-key [fpr]
```
If this command does not succeed, you can try specifying the keyserver on a port that is most likely to work:
```
$ gpg --keyserver hkp://pgp.mit.edu:80 --send-key [fpr]
```
Most keyservers communicate with each other, so your key information will eventually synchronize to all the others.
**Note on privacy:** Keyservers are completely public and therefore, by design, leak potentially sensitive information about you, such as your full name, nicknames, and personal or work email addresses. If you sign other people's keys or someone signs yours, keyservers will additionally become leakers of your social connections. Once such personal information makes it to the keyservers, it becomes impossible to edit or delete. Even if you revoke a signature or identity, that does not delete them from your key record, just marks them as revoked -- making them stand out even more.
That said, if you participate in software development on a public project, all of the above information is already public record, so making it additionally available via keyservers does not result in a net loss in privacy.
###### Upload your public key to GitHub
If you use GitHub in your development (and who doesn't?), you should upload your key following the instructions they have provided:
To generate the public key output suitable to paste in, just run:
```
$ gpg --export --armor [fpr]
```
##### Set up a refresh cronjob
You will need to regularly refresh your keyring to get the latest changes on other people's public keys. You can set up a cronjob to do that:
```
$ crontab -e
```
Add the following on a new line:
```
@daily /usr/bin/gpg2 --refresh >/dev/null 2>&1
```
**Note:** Check the full path to your gpg or gpg2 command and use gpg2 if regular gpg for you is the legacy GnuPG v.1.
--------------------------------------------------------------------------------
via: https://www.linux.com/blog/learn/pgp/2018/2/protecting-code-integrity-pgp-part-3-generating-pgp-subkeys
作者:[Konstantin Ryabitsev][a]
译者:[译者ID](https://github.com/译者ID)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]:https://www.linux.com/users/mricon
[1]:https://www.linux.com/blog/learn/2018/2/protecting-code-integrity-pgp-part-1-basic-pgp-concepts-and-tools
[2]:https://www.linux.com/blog/learn/pgp/2018/2/protecting-code-integrity-pgp-part-2-generating-and-protecting-your-master-pgp-key

110
translated/tech/20180228 Protecting Code Integrity with PGP - Part 3- Generating PGP Subkeys.md Normal file
View File

@ -0,0 +1,110 @@
使用 PGP 保护代码完整性 - 第 3 部分:生成 PGP 子密钥
======
![](https://www.linux.com/sites/lcom/files/styles/rendered_file/public/binary.jpg?itok=h62HujOC)
在本系列教程中,我们提供了使用 PGP 的实用指南。在此之前,我们介绍了[基本工具和概念][1],并介绍了如何[生成并保护您的主 PGP 密钥][2]。在第三篇文章中,我们将解释如何生成 PGP 子密钥,以及它们在日常工作中使用。
### 清单
1. 生成 2048 位加密子密钥(必要)
  2. 生成 2048 位签名子密钥(必要)
  3. 生成一个 2048 位验证子密钥(可选)
  4. 将你的公钥上传到 PGP 密钥服务器(必要)
  5. 设置一个刷新的定时任务(必要)
#### 注意事项
现在我们已经创建了主密钥,让我们创建用于日常工作的密钥。我们创建了 2048 位密钥,因为很多专用硬件(我们稍后会讨论这个)不能处理更长的密钥,但同样也是出于实用的原因。如果我们发现自己处于一个 2048 位 RSA 密钥也不够好的世界,那将是由于计算或数学的基本突破,因此更长的 4096 位密钥不会产生太大的差别。
##### 创建子密钥
要创建子密钥,请运行:
```
$ gpg --quick-add-key [fpr] rsa2048 encr
$ gpg --quick-add-key [fpr] rsa2048 sign
```
你也可以创建验证密钥,这能让你使用你的 PGP 密钥来使用 ssh
```
$ gpg --quick-add-key [fpr] rsa2048 auth
```
你可以使用 gpg --list-key [fpr] 来查看你的密钥信息:
```
pub rsa4096 2017-12-06 [C] [expires: 2019-12-06]
111122223333444455556666AAAABBBBCCCCDDDD
uid [ultimate] Alice Engineer <alice@example.org>
uid [ultimate] Alice Engineer <allie@example.net>
sub rsa2048 2017-12-06 [E]
sub rsa2048 2017-12-06 [S]
```
##### 上传你的公钥到密钥服务器
你的密钥创建已完成,因此现在需要你将其上传到一个公共密钥服务器,使其他人能更容易找到密钥。 (如果你不打算实际使用你创建的密钥,请跳过这一步,因为这只会在密钥服务器上留下垃圾数据。)
```
$ gpg --send-key [fpr]
```
如果此命令不成功,你可以尝试指定一台密钥服务器以及端口,这很有可能成功:
```
$ gpg --keyserver hkp://pgp.mit.edu:80 --send-key [fpr]
```
大多数密钥服务器彼此进行通信,因此你的密钥信息最终将与所有其他密钥信息同步。
**关于隐私的注意事项:**密钥服务器是完全公开的,因此在设计上会泄露有关你的潜在敏感信息,例如你的全名、昵称以及个人或工作邮箱地址。如果你签名了其他人的钥匙或某人签名你的钥匙,那么密钥服务器还会成为你的社交网络的泄密者。一旦这些个人信息发送给密钥服务器,就不可能编辑或删除。即使你撤销签名或身份,它也不会将你的密钥记录删除,它只会将其标记为已撤消 - 这甚至会显得更突出。
也就是说,如果你参与公共项目的软件开发,以上所有信息都是公开记录,因此通过密钥服务器另外让这些信息可见,不会导致隐私的净损失。
###### 上传你的公钥到 GitHub
如果你在开发中使用 GitHub谁不是呢则应按照他们提供的说明上传密钥
要生成适合粘贴的公钥输出,只需运行:
```
$ gpg --export --armor [fpr]
```
##### 设置一个刷新定时任务
你需要定期刷新你的 keyring以获取其他人公钥的最新更改。你可以设置一个定时任务来做到这一点
```
$ crontab -e
```
在新行中添加以下内容:
```
@daily /usr/bin/gpg2 --refresh >/dev/null 2>&1
```
**注意:**检查你的 gpg 或 gpg2 命令的完整路径,如果你的 gpg 是旧式的 GnuPG v.1,请使用 gpg2。
--------------------------------------------------------------------------------
via: https://www.linux.com/blog/learn/pgp/2018/2/protecting-code-integrity-pgp-part-3-generating-pgp-subkeys
作者:[Konstantin Ryabitsev][a]
译者:[geekpi](https://github.com/geekpi)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]:https://www.linux.com/users/mricon
[1]:https://www.linux.com/blog/learn/2018/2/protecting-code-integrity-pgp-part-1-basic-pgp-concepts-and-tools
[2]:https://www.linux.com/blog/learn/pgp/2018/2/protecting-code-integrity-pgp-part-2-generating-and-protecting-your-master-pgp-key