tarball安装GnuPG (gpg) 2.2.10

https://www.gnupg.org/download/

mac
方式一：推荐
mac
$ brew install gpg pinentry pinentry-mac
$ echo "pinentry-program /usr/local/bin/pinentry-mac" >> ~/.gnupg/gpg-agent.conf
$ killall gpg-agent
如果使用期间发生错误，参考后面的 Inappropriate ioctl for device 配置环境变量。
SourceTree支持：
$ ls -la /usr/local/bin/gpg
lrwxr-xr-x /usr/local/bin/gpg -> ../Cellar/gnupg/2.2.10/bin/gpg
$ ln -s /usr/local/bin/gpg /usr/local/bin/gpg2
在SourceTree的配置界面，点“高级”，更改“GPG程序”路径为 /usr/local/bin。
方式二：
https://gpgtools.org/
下载dmg安装

pc
https://gpg4win.org/download.html

linux (tarball)
$ mkdir ~/gnupg
$ cd ~/gnupg
$ wget https://www.gnupg.org/ftp/gcrypt/gnupg/gnupg-2.2.10.tar.bz2
wget https://www.gnupg.org/ftp/gcrypt/libgpg-error/libgpg-error-1.32.tar.bz2
wget https://www.gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-1.8.3.tar.bz2
wget https://www.gnupg.org/ftp/gcrypt/libksba/libksba-1.3.5.tar.bz2
wget https://www.gnupg.org/ftp/gcrypt/libassuan/libassuan-2.5.1.tar.bz2
wget https://www.gnupg.org/ftp/gcrypt/ntbtls/ntbtls-0.1.2.tar.bz2
wget https://www.gnupg.org/ftp/gcrypt/npth/npth-1.6.tar.bz2
wget https://www.gnupg.org/ftp/gcrypt/pinentry/pinentry-1.1.0.tar.bz2
// wget https://www.gnupg.org/ftp/gcrypt/gpgme/gpgme-1.11.1.tar.bz2
// wget https://www.gnupg.org/ftp/gcrypt/gpa/gpa-0.9.10.tar.bz2

$ tar xvjf gnupg-2.2.10.tar.bz2
tar xvjf libgpg-error-1.32.tar.bz2
tar xvjf libgcrypt-1.8.3.tar.bz2
tar xvjf libksba-1.3.5.tar.bz2
tar xvjf libassuan-2.5.1.tar.bz2
tar xvjf ntbtls-0.1.2.tar.bz2
tar xvjf npth-1.6.tar.bz2
tar xvjf pinentry-1.1.0.tar.bz2
// tar xvjf gpgme-1.11.1.tar.bz2
// tar xvjf gpa-0.9.10.tar.bz2

// 编译安装GnuPG组件
$ cd libgpg-error-1.32
$ ./configure
$ sudo make && sudo make install

$ cd ../libgcrypt-1.8.3
$ ./configure
$ sudo make && sudo make install

$ cd ../libksba-1.3.5
$ ./configure
$ sudo make && sudo make install

$ cd ../libassuan-2.5.1
$ ./configure
$ sudo make && sudo make install

$ cd ../ntbtls-0.1.2
$ ./configure
$ sudo make && sudo make install

$ cd ../npth-1.6
$ ./configure
$ sudo make && sudo make install

// 编译安装GnuPG
$ cd ../gnupg-2.2.10
$ ./configure
$ sudo make -j8 && sudo make install

$ whereis gpg
gpg: /usr/bin/gpg /usr/local/bin/gpg /usr/share/man/man1/gpg.1.gz

$ /usr/local/bin/gpg --version
/usr/local/bin/gpg: error while loading shared libraries: libgcrypt.so.20: cannot open shared object file: No such file or directory
正常会显示版本信息，如果出现这个错误，先获得libgcrypt.so.20文件的位置，然后加入变量LD_LIBRARY_PATH中：
$ whereis libgcrypt.so.20
libgcrypt.so: /usr/lib/libgcrypt.so.11 /usr/lib64/libgcrypt.so.11 /usr/local/lib/libgcrypt.so.20 /usr/local/lib/libgcrypt.so
$ export LD_LIBRARY_PATH=/usr/local/lib:$LD_LIBRARY_PATH
$ /usr/local/bin/gpg --version
gpg (GnuPG) 2.2.10
libgcrypt 1.8.3
Copyright (C) 2018 Free Software Foundation, Inc.
...
将环境变量添加到启动配置，如.bashrc中
$ echo export LD_LIBRARY_PATH=/usr/local/lib:$LD_LIBRARY_PATH >> ~/.bashrc

同理检查PATH环境变量，使/usr/local/bin在/usr/bin前，然gpg命令直接运行我们编译的版本。
重新进入会话，输入 gpg --version 应该是刚才安装的版本。

必要组件安装：
---
// 用于输入密码保护（必须）
$ cd ../pinentry-1.1.0
$ ./configure
$ sudo make && sudo make install

---
下面两个可选，可能需要修改库的路径，configure才能正确通过。
// GPGME is the standard library to access GnuPG functions from programming languages.
$ cd ../gpgme-1.11.1
$ ./configure
$ sudo make && sudo make install

// GPA is a graphical frontend to GnuPG.
$ cd ../gpa-0.9.10
$ ./configure
$ sudo make && sudo make install
---

最后可删除无用的源文件
$ cd ~
$ sudo rm -rf gnupg

-----------------
使用
-----------------
1. 查看已有的GPG keys
$ gpg --list-secret-keys --keyid-format LONG

2. 创建一个GPG key
$ gpg --full-generate-key

gpg (GnuPG) 2.2.10; Copyright (C) 2018 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection?
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: yourname
Email address: yourname@email.com
Comment: demo
You selected this USER-ID:
    "yourname (demo) <yourname@email.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key F461FA2D923C3798 marked as ultimately trusted
gpg: revocation certificate stored as '/home/yourname/.gnupg/openpgp-revocs.d/BA4CF1650621335540E42DB5F461FA2D923C3798.rev'
public and secret key created and signed.

pub   rsa2048 2018-09-18 [SC]
      BA4CF1650621335540E42DB5F461FA2D923C3798
uid                      yourname (demo) <yourname@email.com>
sub   rsa2048 2018-09-18 [E]

3. 生成吊销证书
$ gpg --list-secret-keys --keyid-format LONG
/home/yourname/.gnupg/pubring.gpg
------------------------

sec   rsa2048/F461FA2D923C3798 2018-09-18 [SC]
      BA4CF1650621335540E42DB5F461FA2D923C3798
uid                 [ultimate] yourname (demo) <yourname@email.com>
ssb   rsa2048/96E3D9B0C023B825 2018-09-18 [E]

记住sec中算法后面的值，输入在下面
（说明：也可以用邮箱地址替换这个KEY值）

$ gpg --gen-revoke F461FA2D923C3798

4. 导出GPG key
$ gpg --armor --export F461FA2D923C3798

-----BEGIN PGP PUBLIC KEY BLOCK-----

mQENBFugt1QBCACpIrObmogNUtVRGogRUub4GmP+4IlZxu+Q5ExhGHFNhdTOEbii
9OT4Vy6snZoURWwxKPNu5/W35cs57+tv/FjVEqp1fDgnhK8YHo1AtfO5Yjqq/UR/
mPBdOBsKlstKl9+cCR/dv+uE23/fJnNqfbLZUyv8GRPwBh7OggX2MO4elzzzujnH
...
-----END PGP PUBLIC KEY BLOCK-----

复制包括-----BEGIN PGP PUBLIC KEY BLOCK-----和-----END PGP PUBLIC KEY BLOCK-----的全部内容。

5. 添加一个user id到GPG key
$ gpg --edit-key F461FA2D923C3798
> adduid
Real name: myname
Email address: myname@email.com
Comment:
You selected this USER-ID:
    "myname <myname@email.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o

sec  rsa2048/F461FA2D923C3798
     created: 2018-09-18  expires: never       usage: SC
     trust: ultimate      validity: ultimate
ssb  rsa2048/96E3D9B0C023B825
     created: 2018-09-18  expires: never       usage: E
[ultimate] (1)  yourname (demo) <yourname@email.com>
[ unknown] (2). myname <myname@email.com>

> quit
Save changes? (y/N) y
可以使用help了解更多命令。

6. 应用
- 可在github设置 -> SSH and GPG keys里，添加生成PGP KEY，注意使用对应的邮箱和user id的GPG KEY
- 可用于git签名，如
  $ git config --global user.signingkey F461FA2D923C3798

  提交的签名
  $ git config commit.gpgsign true
  $ git config --global commit.gpgsign true
  然后提交代码（-S）：
  $ git commit -S -m your commit message

  tag的签名（-s）
  $ git tag -s mytag
  验证（-v）
  $ git tag -v mytag

- 使用gpg-agent帮助减少密码输入，可将下面命令写入~/.xsession、 ~/.profile或者.bash_profile等启动文件
  eval $(gpg-agent --daemon)

-----------------
排除故障
-----------------
故障：Inappropriate ioctl for device
解决：
$ echo "test" | gpg --clearsign
如果提示 Inappropriate ioctl for device，设置变量指向tty
$ export GPG_TTY=$(tty)
$ echo 'export GPG_TTY=$(tty)' >> ~/.zshrc    // 或者.bashrc, .bash_profile

故障：apt: Unknown error executing apt-key
解决：
sudo apt-get clean
sudo rm /var/lib/apt/lists/*
sudo rm /var/lib/apt/lists/partial/*
sudo apt-get clean
sudo apt-get update