17 August 2008

(GnuPG) Encrypting with GnuPG from PHP

Creating a GnuPG-encrypted file from PHP

Work on the GnuPG side
・Import the public key
・Set the public key's trust to "ultimate"
  (so that gpg does not stop for the interactive trust-confirmation prompt at encryption time)

%gpg --import key1.asc
gpg: key 86DD2CCE: public key "user_1 <user_1@dummy.net>" imported
gpg: Total number processed: 1
gpg:               imported: 1

%gpg --list-keys
/home/HOME_DIR/.gnupg/pubring.gpg
--------------------------------------
pub   1024D/752F3F28 2008-08-15
uid                  user_1 <user_1@dummy.net>
sub   1792g/49AC0A45 2008-08-15

pub   1024D/28D40E5F 2008-08-16
uid                  user_2 <user_2@hogehoge.net>
sub   2048g/6F005BC9 2008-08-16

%gpg --edit-key user_1@dummy.net
gpg (GnuPG) 1.4.5; Copyright (C) 2006 Free Software Foundation, Inc.

pub  1024D/752F3F28  created: 2008-08-15  expires: never       usage: SC
                     trust: unknown       validity: unknown
sub  1792g/49AC0A45  created: 2008-08-15  expires: never       usage: E
[ unknown] (1). user_1 <user_1@dummy.net>

Command> trust
pub  1024D/752F3F28  created: 2008-08-15  expires: never       usage: SC
                     trust: unknown       validity: unknown
sub  1792g/49AC0A45  created: 2008-08-15  expires: never       usage: E
[ unknown] (1). user_1 <user_1@dummy.net>

Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

  1 = I don't know or won't say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately
  m = back to the main menu

Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y

pub  1024D/752F3F28  created: 2008-08-15  expires: never       usage: SC
                     trust: ultimate      validity: unknown
sub  1792g/49AC0A45  created: 2008-08-15  expires: never       usage: E
[ unknown] (1). user_1 <user_1@dummy.net>
Please note that the shown key validity is not necessarily correct
unless you restart the program.

Command> trust q

Program on the PHP side
(encrypting to two public keys at once)

<?php
// Remove any previous output file first; gpg will not overwrite data.txt.asc
if (file_exists("data.txt.asc")) {
    unlink("data.txt.asc");
}
// Encrypt data.txt (-e) as ASCII armour (-a) to both recipients (-r); output goes to data.txt.asc
system("gpg -e -a -r user_1@dummy.net -r user_2@hogehoge.net data.txt");
// Remove the plaintext original (if required)
unlink("data.txt");
?>


※ Unless the public key's trust is set to ultimate in GnuPG's key management, gpg stops and waits for user input as shown below, and the PHP script hangs partway through.

%gpg -e -r user_1@dummy.net data.txt
gpg: 49AC0A45: There is no assurance this key belongs to the named user

pub  1792g/49AC0A45 2008-08-16 user_1 <user_1@dummy.net>
 Primary key fingerprint: A9D3 45E3 55B5 D4A0 3487 E759 00FB 2A02 9FD4 8848
      Subkey fingerprint: A9D3 45E3 55B5 D4A0 3487 E759 00FB 2A02 9FD4 8848

It is NOT certain that the key belongs to the person named
in the user ID.  If you *really* know what you are doing,
you may answer the next question with yes.

Use this key anyway? (y/N)
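The same encryption step, written as an added example (not the original post's code) so that gpg can never block on this prompt: --batch makes gpg fail instead of asking, --trust-model always replaces the per-key "ultimate" setting, recipients are named by full fingerprint rather than e-mail address, and the exit status is checked before the plaintext is deleted. It assumes PHP 7 or later with gpg on the PATH; the fingerprints are placeholders to be replaced with the output of `gpg --fingerprint`.

```php
<?php
// Added example, not the original post's code. Encrypt $plaintext to every
// recipient in $recipientFprs without depending on the keyring's trust settings:
//  --batch / --no-tty  : never prompt; fail with a non-zero exit instead
//  --trust-model always: skip the web-of-trust validity check for this run
//  --yes               : overwrite an existing output file
// Recipients are given as full 40-hex fingerprints so a look-alike user ID
// in the keyring cannot be picked instead of the intended key.
function gpg_encrypt_file(string $plaintext, string $output, array $recipientFprs): void
{
    if (!is_readable($plaintext)) {
        throw new RuntimeException("cannot read $plaintext");
    }
    $cmd = 'gpg --batch --no-tty --yes --trust-model always -a -e';
    foreach ($recipientFprs as $fpr) {
        if (!preg_match('/^[0-9A-F]{40}$/', $fpr)) {
            throw new InvalidArgumentException("not a full fingerprint: $fpr");
        }
        $cmd .= ' -r ' . escapeshellarg($fpr);
    }
    $cmd .= ' -o ' . escapeshellarg($output) . ' ' . escapeshellarg($plaintext);

    // Capture stderr so a failure is reported instead of silently producing no file.
    $descriptors = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($cmd, $descriptors, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start gpg');
    }
    fclose($pipes[0]);
    stream_get_contents($pipes[1]);
    $stderr = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    $status = proc_close($proc);
    if ($status !== 0 || !is_file($output)) {
        throw new RuntimeException("gpg failed (exit $status): $stderr");
    }
}

// Placeholder fingerprints (constructed); replace with `gpg --fingerprint` output.
gpg_encrypt_file('data.txt', 'data.txt.asc', [
    'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA', // user_1@dummy.net (placeholder)
    'BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB', // user_2@hogehoge.net (placeholder)
]);
// Remove the plaintext only after encryption is known to have succeeded.
unlink('data.txt');
```

If the recipient key is not in the keyring, or gpg would otherwise have asked a question, the script now receives a RuntimeException carrying gpg's stderr instead of hanging on an unanswered prompt.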