Episode: 4399
Title: HPR4399: gpg-gen-key
Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr4399/hpr4399.mp3
Transcribed: 2025-10-26 00:15:45

---

This is Hacker Public Radio Episode 4399 for Thursday 12 June 2025.
Today's show is entitled GPG Janky.
It is hosted by AXO and is about 20 minutes long.
It carries an explicit flag.
The summary is, AXO is back, and today with an interesting script that automates the
generation of GPG keys.
Hello and welcome to another episode of mine for Hacker Public Radio.
I think this is already the fourth episode.
And in this one, I want to talk a little bit about GPG, which is the tool that can be
used inside the command line of Linux, and it's an implementation of GPG standing for
GNU privacy guard, and it's an implementation of the OpenPGP pretty good privacy standard.
What this tool does, it is enabling users to encrypt and sign their data.
For example, files or emails, stuff like that.
By doing so, you can ensure that the file that you receive from another person is really
coming from the person that he is saying he or she is, and also that the file is not
tempered with when it's been sanded over the line.
So there's no man in the middle who has adjusted the contents of the file, and that is authenticity.
I'm not going to dive deep into these encryption terms and encryption theory or cryptology theory
for that.
By the way, that reminds me, for that I want to point out to these very sophisticated
videos of professional par of the Bogen University in Germany.
And here's great lectures on YouTube, I'll show a link in the show notes.
But today I'm going to not talk about that, I'm going to talk about GPG, and GPG is symmetric
key cryptography and also public read cryptography.
And with these public keys, I'm going to work in this episode, I shall quickly point out
the difference when you have symmetric key cryptography.
Then the key that is used by the sender is the same key that is used by the receiver.
So this key has to be shared upon when you want to do it safely, you have to share this
key over another medium than the medium that is used to send the message that is encrypted.
This problem is not existing when you use asymmetric cryptography, because then the sender
uses a different key than the receiver.
Actually, the sender has two keys, one key to encrypt is message with, and another key
that he is sharing openly, that the receiver can use to decrypt the message.
And that is the implementation that I'm going to talk about today.
GPG in the command line, you can install it, I'm on arch linux, you can install, I think
it is J, it is GNUPEG, I think, let's see,
the package in arch linux is called GNUPEG, current version that I'm using is 2.4.7-2,
the description is complete and free implementation of the open PGP standard, and there are quite
a lot of dependencies, but mostly, most of these dependencies are already on your system.
So probably it's not that hard of a net, not that heavy of a package.
Download size for me is 2.78 megabytes, approximately, and then when installed is approximately 10
megabytes.
So I have installed this tool, and then you can use a GPG, and if you want to know, if
you have installed it properly, you can, for example, enter a GPG testdesk version, then
you see what your GPG library version is, and your LyptG crypt library version, and you
can also see which public keys and cipher keys, hash keys and what kind of compression algorithms
are available.
So recently I had to generate quite a few keys, and while doing so, I got so annoyed because
I needed to use the expert flag on GPG, so normally when you generate a ordinary key,
you can just enter GPG, dash, dash full, dash, gen, dash, key.
And that's pretty straightforward, and you don't have to think about that much, probably
only it asks for your name, your email address, and what kind of algorithm, probably, and
that's pretty much it.
But with the expert key, you also need to define what kind of curve you want, and what
kind of subkeys you want to generate, at least because I want to generate subkeys, I
need to use the expert key.
But it's pretty much overhast, so I think it takes quite some time before you have generated
the right key.
You cannot make any mistakes because if you save it, if it's save is 40, then you have
to do it all over again.
So that was another one for me, and therefore I wrote this script, which you can find
in the code book repository under the tool section.
Here you can find three, let's see, again, in the tool section, you can scroll down to
GPG, and you can find three scripts of mine, which are handling of starting with GPG.
And I am currently on the scommet 95408 Delta 3122, and that commit is from 27 of May 2025.
The timestamp on this commit is 1420101, and there is another string attached to the name
of the commit, which is 6835 alpha echo to Delta.
So that's good for you to know, because if you listen into the future, which you probably
do, I hope you not listening live, and then there would be something wrong with my system.
But you will listen in the future, and then you can go back to the same commit and then
see the same file as I see right now in front of me.
I'm choosing for the GenKey script, GPG-Gen-Key, and that is the script that I want to talk
about today, because what this script does is auto-generating GPG keys, and not just the
ordinary keys, but the sophisticated keys, the way I want to have them, I shall explain.
So the script starts with some settings for how the script is running, well, my cat is
jumping on my table, hey, yeah, it's a nation, okay, but that's the side.
So first I want to point you to the end of the script, because probably for the first
time when you run and when you start experimenting with this script, you don't want to have the
key backup script called, which is currently called, as the script is right now, in line
number 180 you can see the key backup, and that is called via main, but if you comment
that one out, then you don't have backups for the keys that are generated.
So probably you want to have that when you are experimenting with how this script works.
Before you want to use it in production, you probably want to switch that off.
So then I'm going back to the top of the script, in line 10, there is a function set
Vars, that is set variables, and these variables are quite straightforward, I think the first
one is name, which is used for the key ID, as well as email and command R. So you fill out
your name, your email address that you want to have associated with this generated key,
and a command line, which you want to have quite short, but maybe you can make a unique
string or whatever.
And then there is a pass field, which contains the password that is being applied on this
key.
It is automatically applied, so you don't have to enter your password in the command line.
So you enter your password here in plain text in the script, and that's normally not
such a good idea, and that's why I recommend you to relieve the pass as is in the script
now.
And when after you have generated the key, you can use GPG password, pass WD, and then
you can change the password there.
And then there is another field, which is expiry, and that is setting an expiration date
for the key, you can leave this blank, and then there will be no expiration date.
And the last field you have to fill out is the curve, I have chosen for an elliptic curve
here, but you can also choose an RSA algorithm if you want.
And now my little cat is annoying me, huh?
There, continue with our podcast.
So those fields, you have to fill out before you run the script.
I have not built in a user interface, because I was thinking, yeah, if you want to have
that user interface, it's already built in in GPG itself, and then you have to, then
you can happily use that one, I think.
But the plus side of this one is, like I did, I have to generate quite a few keys, and
then you can automate the names, for example, with a number that is up to every time there
is a new key generated, you can add to the number, for example, or you can, yeah, you can
script everything here, and that is, that is, I think quite convenient.
But back to the working of this script, probably if you are going to download this script,
you have to invoke it with SH and then GPG dashed in just key, unless you have my full stack
integrated in your system, then you can just type GPG, dash, gen, dash key.
And if you run that, and I have to run it not here in this environment, wait a minute,
gen, okay, if you run it, that's all you have to do, there is nothing more than this
it gives some information back when it has run, and if you are prompted at the end of the
script with the pseudo, with the question of pseudo entering pseudo password, then you
have not commented out this backup script, and that is being called, and that is needing
pseudo privileges, so be careful with that, because if you enter your password, then it
will export also the armoured files to the backup location, and I'm not sure out of
my head here where that goes, but if you want to know more about that, then you have to
check the GPG backup key script as well.
But the gen key script is creating first of all a refocation certificate, which you can
use when your public key is compromised, and that is stored inside the GNU PG Home directory
and under the fingerprint string dot ref, the long accidental string you see there in front
of the ref is the fingerprint of the key, and that is a unique key identifying string.
Then there is some information about the generation of the key, and the first line of data about
the key itself is starting with Papa Uniform Bravo, but that is showing the algorithm that
is used for me, that is Echo Delta 25519, which is the elliptic curve algorithm, and then
0x to designate the hexadecimal value of the key, and then the hexadecimal long format of
this key. The long format of the key is the last part of the fingerprint, and then you have also
a short format, and that are the last eight characters of the fingerprint, or the last eight
characters of the long format. After the long format you can see the generation date, and then you
can see in square brackets what this key is used for, and for me that is a Charlie for a certificate,
certify, this is a certification key. Then my GPG config is printing out the key fingerprint as
well as the key grip. I'm not going into any details about what those are, and what the differences
are, like I said, the fingerprint is a unique identifier for the key, and the key grip is essentially
the same, but just with a little bit of tweaks here and there. The next line, which is interesting,
is the UID. This is the user ID, user identifier for the key, and that is for a human to designate
instead of these long strings of hexadecimal characters. You can just see, okay, there is a name,
called TestName, and then there is a number, and then there is a email address, and that is for
humans to identify the key. But also scripts, GPG King, you can also call TestName to call the key,
as long as it is unique in your key ring, that is. Your key ring is, by the way,
all the keys together, and you can call them by the command GPG-list-keys.
After the UID line, there are three lines starting with sub, which are my three sub keys.
The first sub key is an authentication key. The next one is an encryption key, and the last one
is a signing key. And that is how you generate this GPG key. By the way, the sub keys are all
expiring in 2026, the first of January. So there you have it. I also want to mention these other
two scripts of mine briefly. If you go into the tool section or the tool directory of my repository,
you can scroll to GPG, and you see, besides the generation, the Gen-key script, you can see the backup
key, and with this script you can designate a key, and then designate a target directory in which
you can store your backups. And the other script is GPG pass verify, or short the short form,
GPG-pass-VFI, Victor Foxtrot Yankee. That script is used to verify the password of your script,
and what it does, basically, if you do it right, if you enter your password right, it gives back
an exit code of zero. So then you have entered a correct password, and if it's giving back
an error, then you have the wrong password. I use this to verify my password, of course,
for the scripts, because I often forget them, and I want to verify if I still remember them correctly.
That is the end of this episode about my GPG scripts. I hope you find this episode interesting,
see you later next time. Goodbye.
You have been listening to Hacker Public Radio, and Hacker Public Radio does a walk.
Today's show was contributed by a HBR listener like yourself. If you ever thought of recording
broadcast, you can click on our contribute link to find out how easy it really is.
Hosting for HBR has been kindly provided by an honesthost.com, the internet archive, and our
things.net. On this address status, today's show is released under Creative Commons,
Attribution 4.0 International License.