7 releases (2 stable)

1.0.1 Feb 10, 2023
1.0.0 Oct 31, 2022
0.5.0 Dec 18, 2020
0.4.0 Nov 27, 2020
0.1.0 Oct 29, 2020

#1694 in Cryptography

25 downloads per month

GPL-2.0-or-later

130KB
923 lines

An OpenPGP certificate checker.

This program checks OpenPGP certificates for problems and can fix them. The current focus is the use of SHA-1, which has been successfully attacked and which NIST deprecated in 2011.

Since 2005, SHA-1 has not been considered secure against well-funded adversaries; as of 2010, many organizations had already recommended replacing it. NIST formally deprecated the use of SHA-1 in 2011 and disallowed its use for digital signatures in 2013. As of 2020, chosen-prefix collision attacks on SHA-1 are as practical as those on MD5; it is therefore recommended to remove SHA-1 from products as soon as possible and use SHA-256 or SHA-3 instead. Where SHA-1 is used for signatures, replacing it is urgent.

This program checks for the following issues:

  • certificate revocations that use SHA-1;
  • whether a User ID's current self-signature uses SHA-1;
  • whether a subkey's current binding signature uses SHA-1; and
  • whether a signing-capable subkey's current back signature (backsig) uses SHA-1.

sq-keyring-linter can fix these issues in a straightforward way:

$ gpg --export-secret-key 4BE50C526C743502 | cargo run -- --fix | gpg --import
Certificate 4BE50C526C743502 is not valid under the standard policy: No binding signature at time 2020-11-26T22:32:12Z
Certificate 4BE50C526C743502 contains a User ID ("SHA1 User ID, SHA256 Subkeys <[email protected]>") protected by SHA-1
Certificate 4BE50C526C743502, key CC6387BFA4D9263D uses a SHA-1-protected binding signature.
Examined 1 certificate.
  0 certificates are invalid and were not linted. (GOOD)
  1 certificate was linted.
  1 of the 1 certificates (100%) has at least one issue. (BAD)
0 of the linted certificates were revoked.
  0 of the 0 certificates has revocation certificates that are weaker than the certificate and should be recreated. (GOOD)
0 of the linted certificates were expired.
1 of the non-revoked linted certificate has at least one non-revoked User ID:
  1 has at least one User ID protected by SHA-1. (BAD)
  1 has all User IDs protected by SHA-1. (BAD)
1 of the non-revoked linted certificates has at least one non-revoked, live subkey:
  1 has at least one non-revoked, live subkey with a binding signature that uses SHA-1. (BAD)
1 of the non-revoked linted certificates has at least one non-revoked, live, signing-capable subkey:
  0 certificates have at least one non-revoked, live, signing-capable subkey with a strong binding signature, but a backsig that uses SHA-1. (GOOD)
gpg: key 4BE50C526C743502: "SHA1 User ID, SHA256 Subkeys <[email protected]>" 2 new signatures
gpg: Total number processed: 1
gpg:         new signatures: 2

(Diagnostics and the summary are printed to stderr; the fixed keys are printed to stdout, ASCII armored.)

If you run it again, no issues are detected:

$ gpg --export-secret-key 4BE50C526C743502 | cargo run -- --fix | gpg --import
Examined 1 certificate.
No issues found (see `/tmp/keyring-linter/debug/sq-keyring-linter --help` for a list of issues that are checked for).
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0

You can inspect the signatures that sq-keyring-linter creates using, for example, pgpdump:

$ gpg --export-secret-key 4BE50C526C743502 | cargo run -- --fix | pgpdump
...

In our experience, Sequoia's output is easier to read. You can use sq packet dump, or the web version at https://dump.sequoia-pgp.org/ .

Note: by default, sq-keyring-linter does not export secret key material, as this is usually not necessary. You can override this by passing --export-secret-keys.

You can check one or more OpenPGP certificates for issues as follows:

$ dpkg -l debian-keyring
...
ii  debian-keyring 2020.09.24
$ cargo run -- /usr/share/keyrings/debian-keyring.gpg
...
Examined 885 certificates.
  1 certificate is invalid and was not linted. (BAD)
  884 certificates were linted.
  203 of the 885 certificates (22%) have at least one issue. (BAD)
0 of the linted certificates were revoked.
  0 of the 0 certificates has revocation certificates that are weaker than the certificate and should be recreated. (GOOD)
26 of the linted certificates were expired.
858 of the non-revoked linted certificates have at least one non-revoked User ID:
  165 have at least one User ID protected by SHA-1. (BAD)
  102 have all User IDs protected by SHA-1. (BAD)
834 of the non-revoked linted certificates have at least one non-revoked, live subkey:
  160 have at least one non-revoked, live subkey with a binding signature that uses SHA-1. (BAD)
228 of the non-revoked linted certificates have at least one non-revoked, live, signing-capable subkey:
  10 certificates have at least one non-revoked, live, signing-capable subkey with a strong binding signature, but a backsig that uses SHA-1. (BAD)

From the output above, we can see that the current Debian keyring contains 885 certificates. One certificate is considered invalid by Sequoia and was skipped. Of the rest, 203 (22%) use SHA-1 in some way. These should be fixed.

You should not scrape the output above. If you want to identify programmatically which certificates have issues, use the --list-keys option. It prints the fingerprint of each certificate that has at least one issue to stdout and, like --quiet, suppresses the diagnostics and statistics:

$ cargo run -- --list-keys /usr/share/keyrings/debian-keyring.gpg
124124BD3B4862AF7A0A42F100B45EBD4CA7BABE
7733B328D2795F5BE2325ADD01509D5CAB4AFD3F
...
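The two procedures above (fixing a single key by piping it through --fix, and finding problem certificates with --list-keys) combined into one wrapper script. This is an added example, not code from the sq-keyring-linter project. It assumes the linter is installed on PATH as sq-keyring-linter (the README runs it via cargo run --), that --list-keys, like --fix above, reads a certificate from stdin when no file is given, and that the secret keys to be fixed are in the local gpg keyring, as in the README's pipeline. The script name fix-sha1-keys.sh is made up.

```shell
#!/bin/sh
# fix-sha1-keys.sh: hypothetical wrapper around sq-keyring-linter (not part of
# the project). Lints a keyring with --list-keys, then, for every flagged
# certificate whose secret key is in the local gpg keyring, re-creates the
# SHA-1-protected self-signatures with --fix and re-lints the result.
set -eu

# Assumption: the linter is on PATH under this name (the README uses `cargo run --`).
LINTER="${LINTER:-sq-keyring-linter}"

# --list-keys prints one 40-hex-digit (v4) fingerprint per line on stdout.
# Accept nothing else, so a stray diagnostic line can never be fed to gpg.
is_fingerprint() {
    case "$1" in
        *[!0-9A-Fa-f]*) return 1 ;;
    esac
    [ "${#1}" -eq 40 ]
}

# Fingerprints of certificates in keyring $1 that have at least one issue.
problem_fingerprints() {
    "$LINTER" --list-keys "$1" | while IFS= read -r line; do
        if is_fingerprint "$line"; then printf '%s\n' "$line"; fi
    done
}

# The fix needs the primary secret key: --fix creates new self-signatures.
# Certificates we do not own are reported and skipped, not "fixed".
fix_one() {
    fpr="$1"
    if ! gpg --batch --quiet --list-secret-keys "$fpr" >/dev/null 2>&1; then
        echo "skip $fpr: secret key not in local gpg keyring" >&2
        return 1
    fi
    # Same pipeline as the README. By default the linter emits no secret
    # material, so gpg --import merely merges the new signatures into the key.
    gpg --batch --export-secret-key "$fpr" | "$LINTER" --fix | gpg --batch --quiet --import
}

# Succeeds only if the linter no longer flags the certificate.
# Assumption: --list-keys reads stdin when no file is given, as --fix does above.
verify_one() {
    remaining=$(gpg --batch --export "$1" | "$LINTER" --list-keys)
    [ -z "$remaining" ]
}

main() {
    keyring="$1"; fixed=0; skipped=0; failed=0
    for fpr in $(problem_fingerprints "$keyring"); do
        if ! fix_one "$fpr"; then
            skipped=$((skipped + 1)); continue
        fi
        if verify_one "$fpr"; then
            fixed=$((fixed + 1))
        else
            echo "still flagged after --fix: $fpr" >&2
            failed=$((failed + 1))
        fi
    done
    echo "fixed=$fixed skipped=$skipped still_flagged=$failed" >&2
    [ "$failed" -eq 0 ]
}

if [ "$#" -ge 1 ]; then
    main "$1"
fi
```

Run it as fix-sha1-keys.sh /usr/share/keyrings/debian-keyring.gpg. Certificates whose secret key you do not hold are skipped rather than silently left in place: the linter cannot re-sign them, so in a shared keyring like Debian's each owner has to fix their own key. The verify step re-lints every fixed certificate and exits non-zero if --fix did not clear it. Add --export-secret-keys to the --fix invocation only if you actually need the secret material in the output.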

Dependencies

~15–28MB
~404K SLoC