
How a public key's self-signature certificate changes as notations are added and removed

zundazunda

Generate a key pair

$ gpg --quick-gen-key 'test <test@example.com>'
$ gpg --export test | gpg --list-packets
# off=0 ctb=99 tag=6 hlen=3 plen=397
:public key packet:
	version 4, algo 1, created 1618035023, expires 0
	pkey[0]: [3072 bits]
	pkey[1]: [17 bits]
	keyid: 65CB1C45D7D1375B
# off=400 ctb=b4 tag=13 hlen=2 plen=23
:user ID packet: "test <test@example.com>"
# off=425 ctb=89 tag=2 hlen=3 plen=468
:signature packet: algo 1, keyid 65CB1C45D7D1375B
	version 4, created 1618035023, md5len 0, sigclass 0x13
	digest algo 10, begin of digest 3c 4d
	hashed subpkt 33 len 21 (issuer fpr v4 663ABA5F8BD3594700D336F465CB1C45D7D1375B)
	hashed subpkt 2 len 4 (sig created 2021-04-10)
	hashed subpkt 27 len 1 (key flags: 03)
	hashed subpkt 9 len 4 (key expires after 2y0d0h0m)
	hashed subpkt 11 len 4 (pref-sym-algos: 9 8 7 2)
	hashed subpkt 21 len 5 (pref-hash-algos: 10 9 8 11 2)
	hashed subpkt 22 len 3 (pref-zip-algos: 2 3 1)
	hashed subpkt 30 len 1 (features: 01)
	hashed subpkt 23 len 1 (keyserver preferences: 80)
	subpkt 16 len 8 (issuer key ID 65CB1C45D7D1375B)
	data: [3068 bits]
# off=896 ctb=b9 tag=14 hlen=3 plen=397
:public sub key packet:
	version 4, algo 1, created 1618035023, expires 0
	pkey[0]: [3072 bits]
	pkey[1]: [17 bits]
	keyid: 9E6693154CD4166E
# off=1296 ctb=89 tag=2 hlen=3 plen=438
:signature packet: algo 1, keyid 65CB1C45D7D1375B
	version 4, created 1618035023, md5len 0, sigclass 0x18
	digest algo 10, begin of digest d2 9e
	hashed subpkt 33 len 21 (issuer fpr v4 663ABA5F8BD3594700D336F465CB1C45D7D1375B)
	hashed subpkt 2 len 4 (sig created 2021-04-10)
	hashed subpkt 27 len 1 (key flags: 0C)
	subpkt 16 len 8 (issuer key ID 65CB1C45D7D1375B)
	data: [3071 bits]

Try adding a first notation

$ gpg --edit-key test
gpg> notation
Enter the notation: test@example.com=test1
No notations on user ID "test <test@example.com>"
Adding notation: test@example.com=test1

sec  rsa3072/65CB1C45D7D1375B
     created: 2021-04-10  expires: 2023-04-10  usage: SC
     trust: ultimate      validity: ultimate
ssb  rsa3072/9E6693154CD4166E
     created: 2021-04-10  expires: never       usage: E
[ultimate] (1). test <test@example.com>

gpg> save
$ gpg --export test | gpg --list-packets
# off=0 ctb=99 tag=6 hlen=3 plen=397
:public key packet:
	version 4, algo 1, created 1618035023, expires 0
	pkey[0]: [3072 bits]
	pkey[1]: [17 bits]
	keyid: 65CB1C45D7D1375B
# off=400 ctb=b4 tag=13 hlen=2 plen=23
:user ID packet: "test <test@example.com>"
# off=425 ctb=89 tag=2 hlen=3 plen=499
:signature packet: algo 1, keyid 65CB1C45D7D1375B
	version 4, created 1618035817, md5len 0, sigclass 0x13
	digest algo 10, begin of digest c5 5a
	hashed subpkt 27 len 1 (key flags: 03)
	hashed subpkt 9 len 4 (key expires after 2y0d0h0m)
	hashed subpkt 11 len 4 (pref-sym-algos: 9 8 7 2)
	hashed subpkt 21 len 5 (pref-hash-algos: 10 9 8 11 2)
	hashed subpkt 22 len 3 (pref-zip-algos: 2 3 1)
	hashed subpkt 30 len 1 (features: 01)
	hashed subpkt 23 len 1 (keyserver preferences: 80)
	hashed subpkt 33 len 21 (issuer fpr v4 663ABA5F8BD3594700D336F465CB1C45D7D1375B)
	hashed subpkt 2 len 4 (sig created 2021-04-10)
	hashed subpkt 20 len 29 (notation: test@example.com=test1)
	subpkt 16 len 8 (issuer key ID 65CB1C45D7D1375B)
	data: [3072 bits]
# off=927 ctb=b9 tag=14 hlen=3 plen=397
:public sub key packet:
	version 4, algo 1, created 1618035023, expires 0
	pkey[0]: [3072 bits]
	pkey[1]: [17 bits]
	keyid: 9E6693154CD4166E
# off=1327 ctb=89 tag=2 hlen=3 plen=438
:signature packet: algo 1, keyid 65CB1C45D7D1375B
	version 4, created 1618035023, md5len 0, sigclass 0x18
	digest algo 10, begin of digest d2 9e
	hashed subpkt 33 len 21 (issuer fpr v4 663ABA5F8BD3594700D336F465CB1C45D7D1375B)
	hashed subpkt 2 len 4 (sig created 2021-04-10)
	hashed subpkt 27 len 1 (key flags: 0C)
	subpkt 16 len 8 (issuer key ID 65CB1C45D7D1375B)
	data: [3071 bits]

It looks like a notation subpacket was added to the first self-signature certificate.

Try adding a second notation

$ gpg --edit-key test
gpg> notation
Enter the notation: test@example.com=test2
Current notations for user ID "test <test@example.com>":
         test@example.com=test1
Adding notation: test@example.com=test2

sec  rsa3072/65CB1C45D7D1375B
     created: 2021-04-10  expires: 2023-04-10  usage: SC  
     trust: ultimate      validity: ultimate
ssb  rsa3072/9E6693154CD4166E
     created: 2021-04-10  expires: never       usage: E   
[ultimate] (1). test <test@example.com>

gpg> save
$ gpg --export test | gpg --list-packets
# off=0 ctb=99 tag=6 hlen=3 plen=397
:public key packet:
	version 4, algo 1, created 1618035023, expires 0
	pkey[0]: [3072 bits]
	pkey[1]: [17 bits]
	keyid: 65CB1C45D7D1375B
# off=400 ctb=b4 tag=13 hlen=2 plen=23
:user ID packet: "test <test@example.com>"
# off=425 ctb=89 tag=2 hlen=3 plen=530
:signature packet: algo 1, keyid 65CB1C45D7D1375B
	version 4, created 1618036137, md5len 0, sigclass 0x13
	digest algo 10, begin of digest 05 a3
	hashed subpkt 27 len 1 (key flags: 03)
	hashed subpkt 9 len 4 (key expires after 2y0d0h0m)
	hashed subpkt 11 len 4 (pref-sym-algos: 9 8 7 2)
	hashed subpkt 21 len 5 (pref-hash-algos: 10 9 8 11 2)
	hashed subpkt 22 len 3 (pref-zip-algos: 2 3 1)
	hashed subpkt 30 len 1 (features: 01)
	hashed subpkt 23 len 1 (keyserver preferences: 80)
	hashed subpkt 33 len 21 (issuer fpr v4 663ABA5F8BD3594700D336F465CB1C45D7D1375B)
	hashed subpkt 2 len 4 (sig created 2021-04-10)
	hashed subpkt 20 len 29 (notation: test@example.com=test2)
	hashed subpkt 20 len 29 (notation: test@example.com=test1)
	subpkt 16 len 8 (issuer key ID 65CB1C45D7D1375B)
	data: [3070 bits]
# off=958 ctb=b9 tag=14 hlen=3 plen=397
:public sub key packet:
	version 4, algo 1, created 1618035023, expires 0
	pkey[0]: [3072 bits]
	pkey[1]: [17 bits]
	keyid: 9E6693154CD4166E
# off=1358 ctb=89 tag=2 hlen=3 plen=438
:signature packet: algo 1, keyid 65CB1C45D7D1375B
	version 4, created 1618035023, md5len 0, sigclass 0x18
	digest algo 10, begin of digest d2 9e
	hashed subpkt 33 len 21 (issuer fpr v4 663ABA5F8BD3594700D336F465CB1C45D7D1375B)
	hashed subpkt 2 len 4 (sig created 2021-04-10)
	hashed subpkt 27 len 1 (key flags: 0C)
	subpkt 16 len 8 (issuer key ID 65CB1C45D7D1375B)
	data: [3071 bits]

It looks like one more notation subpacket was added to the first self-signature certificate.

Try removing the first notation

$ gpg --edit-key test
gpg> notation
Enter the notation: -test@example.com=test1
Current notations for user ID "test <test@example.com>":
         test@example.com=test1
         test@example.com=test2
Removing notation: test@example.com=test1
Proceed? (y/N) y

sec  rsa3072/65CB1C45D7D1375B
     created: 2021-04-10  expires: 2023-04-10  usage: SC
     trust: ultimate      validity: ultimate
ssb  rsa3072/9E6693154CD4166E
     created: 2021-04-10  expires: never       usage: E
[ultimate] (1). test <test@example.com>

gpg> save
$ gpg --export test | gpg --list-packets
# off=0 ctb=99 tag=6 hlen=3 plen=397
:public key packet:
	version 4, algo 1, created 1618035023, expires 0
	pkey[0]: [3072 bits]
	pkey[1]: [17 bits]
	keyid: 65CB1C45D7D1375B
# off=400 ctb=b4 tag=13 hlen=2 plen=23
:user ID packet: "test <test@example.com>"
# off=425 ctb=89 tag=2 hlen=3 plen=499
:signature packet: algo 1, keyid 65CB1C45D7D1375B
	version 4, created 1618036440, md5len 0, sigclass 0x13
	digest algo 10, begin of digest 32 bd
	hashed subpkt 27 len 1 (key flags: 03)
	hashed subpkt 9 len 4 (key expires after 2y0d0h0m)
	hashed subpkt 11 len 4 (pref-sym-algos: 9 8 7 2)
	hashed subpkt 21 len 5 (pref-hash-algos: 10 9 8 11 2)
	hashed subpkt 22 len 3 (pref-zip-algos: 2 3 1)
	hashed subpkt 30 len 1 (features: 01)
	hashed subpkt 23 len 1 (keyserver preferences: 80)
	hashed subpkt 33 len 21 (issuer fpr v4 663ABA5F8BD3594700D336F465CB1C45D7D1375B)
	hashed subpkt 2 len 4 (sig created 2021-04-10)
	hashed subpkt 20 len 29 (notation: test@example.com=test2)
	subpkt 16 len 8 (issuer key ID 65CB1C45D7D1375B)
	data: [3071 bits]
# off=927 ctb=b9 tag=14 hlen=3 plen=397
:public sub key packet:
	version 4, algo 1, created 1618035023, expires 0
	pkey[0]: [3072 bits]
	pkey[1]: [17 bits]
	keyid: 9E6693154CD4166E
# off=1327 ctb=89 tag=2 hlen=3 plen=438
:signature packet: algo 1, keyid 65CB1C45D7D1375B
	version 4, created 1618035023, md5len 0, sigclass 0x18
	digest algo 10, begin of digest d2 9e
	hashed subpkt 33 len 21 (issuer fpr v4 663ABA5F8BD3594700D336F465CB1C45D7D1375B)
	hashed subpkt 2 len 4 (sig created 2021-04-10)
	hashed subpkt 27 len 1 (key flags: 0C)
	subpkt 16 len 8 (issuer key ID 65CB1C45D7D1375B)
	data: [3071 bits]

The subpacket for the removed notation was deleted from the self-signature certificate, and the certificate's size shrank as well.
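The comparison made by eye above can be scripted. The following is an added example, not part of the original scrap: it parses `gpg --list-packets` text and diffs the hashed subpackets of the User ID self-signature (sigclass 0x13) between two dumps. The two sample inputs are abbreviated excerpts of the output shown on this page, and the function names are illustrative.

```python
import re

# Abbreviated excerpts of this page's output: before / after the first notation.
BEFORE = """\
# off=425 ctb=89 tag=2 hlen=3 plen=468
:signature packet: algo 1, keyid 65CB1C45D7D1375B
    version 4, created 1618035023, md5len 0, sigclass 0x13
    hashed subpkt 2 len 4 (sig created 2021-04-10)
    hashed subpkt 27 len 1 (key flags: 03)
"""
AFTER = """\
# off=425 ctb=89 tag=2 hlen=3 plen=499
:signature packet: algo 1, keyid 65CB1C45D7D1375B
    version 4, created 1618035817, md5len 0, sigclass 0x13
    hashed subpkt 27 len 1 (key flags: 03)
    hashed subpkt 2 len 4 (sig created 2021-04-10)
    hashed subpkt 20 len 29 (notation: test@example.com=test1)
"""

HEADER = re.compile(r"^# off=\d+ ctb=\w+ tag=(\d+) hlen=\d+ plen=(\d+)")
SIGINFO = re.compile(r"created (\d+), md5len \d+, sigclass (0x[0-9a-f]+)")
SUBPKT = re.compile(r"^hashed subpkt (\d+) len (\d+) \((.*)\)$")

def parse_signatures(dump):
    """Return one dict per signature packet (tag 2) in a list-packets dump."""
    sigs, cur = [], None
    for raw in dump.splitlines():
        line = raw.strip()
        if m := HEADER.match(line):
            cur = None  # a new packet starts; only track it if it is a signature
            if m.group(1) == "2":
                cur = {"plen": int(m.group(2)), "hashed": []}
                sigs.append(cur)
        elif cur is not None and (m := SIGINFO.search(line)):
            cur["created"], cur["sigclass"] = int(m.group(1)), m.group(2)
        elif cur is not None and (m := SUBPKT.match(line)):
            cur["hashed"].append((int(m.group(1)), int(m.group(2)), m.group(3)))
    return sigs

def diff_selfsig(before, after, sigclass="0x13"):
    """Diff the first signature of the given class between two dumps."""
    b = next(s for s in parse_signatures(before) if s["sigclass"] == sigclass)
    a = next(s for s in parse_signatures(after) if s["sigclass"] == sigclass)
    return {
        "added": sorted(set(a["hashed"]) - set(b["hashed"])),
        "removed": sorted(set(b["hashed"]) - set(a["hashed"])),
        "plen_delta": a["plen"] - b["plen"],
        "reissued": a["created"] != b["created"],  # signature was regenerated
    }
```

For the excerpts above, the packet grows by 31 octets: the 29-octet notation body plus one type octet and one length octet. The changed `created` value shows that gpg re-issued the self-signature rather than appending to the old one.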

It seems a second self-signature certificate does not appear unless there is an exchange with a public key server.

Send the key to a public key server and fetch it back

Following https://zenn.dev/zunda/scraps/86cb301d55aa6f, I was able to run a public key server locally.

$ gpg --send-keys --keyserver http://0.0.0.0:8080 663ABA5F8BD3594700D336F465CB1C45D7D1375B
gpg: sending key 65CB1C45D7D1375B to http://0.0.0.0:8080
$ gpg --recv-keys --keyserver http://0.0.0.0:8080 663ABA5F8BD3594700D336F465CB1C45D7D1375B
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0

Huh?

Let's try deleting the local key.

$ gpg --delete-secret-keys test
$ gpg --recv-keys --keyserver http://0.0.0.0:8080 663ABA5F8BD3594700D336F465CB1C45D7D1375B
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0

Huh??

$ gpg --recv-keys --keyserver http://0.0.0.0:8080 65CB1C45D7D1375B
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0

When I included the lookup path, I was able to receive the key.

$ gpg --recv-keys --keyserver http://localhost:8080/vks/v1/by-fingerprint/663ABA5F8BD3594700D336F465CB1C45D7D1375B 663ABA5F8BD3594700D336F465CB1C45D7D1375B
gpg: key 65CB1C45D7D1375B: "test <test@example.com>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1

I went and deleted the private key, so this is as far as testing with this key pair goes.

$ gpg --delete-keys 663ABA5F8BD3594700D336F465CB1C45D7D1375B