
Posts Tagged ‘GPG’

Add PPA Key To Your Apt Keyring

May 14th, 2009

I know many of you use Launchpad’s “Personal Package Archive” (PPA) for updated and beta packages. I have about a half-dozen configured on my machine to give me the latest and greatest of my favorite applications. The one problem with a PPA, though, is that its packages can’t be verified when downloaded because you don’t have the archive’s GPG key imported into your Apt keyring. The following command is a template you can use to import whichever PPA keys you are getting warnings about:

sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys <key id>

You can find the <key id> in the output of:

sudo apt-get update

You should see the warnings, each with its key id, at the bottom of the output.

For each GPG key that you get a warning on, run the command above and you’ll stop seeing the warnings. You will have imported that team’s or project’s GPG key into your keyring, so Apt now treats packages signed with it as trusted.
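As an added example (not from the original post), here is the warning-to-import step scripted: it pulls every NO_PUBKEY id out of apt-get update output and builds the apt-key command above for each one. The apt output embedded below is constructed for illustration, and the key ids in it are made up. Two caveats worth knowing before trusting what comes back: a keyserver hands you whatever key it has stored under that id, so compare the fingerprint with the one shown on the PPA’s Launchpad page before relying on it, and newer Ubuntu releases deprecate apt-key in favour of per-repository keyring files.

```shell
#!/bin/sh
# Parse apt-get update output for NO_PUBKEY warnings and build the import
# command from the post for each missing key.
# Constructed sample output (not captured from a real machine).
SAMPLE_OUTPUT=$(cat <<'EOF'
Hit http://archive.ubuntu.com jaunty Release
W: GPG error: http://ppa.launchpad.net jaunty Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 0123456789ABCDEF
W: GPG error: http://ppa.launchpad.net jaunty Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY FEDCBA9876543210 NO_PUBKEY 0123456789ABCDEF
W: You may want to run apt-get update to correct these problems
EOF
)

# Read apt output on stdin; print each missing key id once, one per line.
# A line can carry more than one NO_PUBKEY, so match each occurrence.
missing_key_ids() {
    grep -o 'NO_PUBKEY [0-9A-Fa-f]\{8,40\}' | awk '{ print $2 }' | sort -u
}

# For every missing key, print the import command (default) or run it
# when called with "run". Printing first lets you review the ids.
import_missing_keys() {
    mode="${1:-print}"
    missing_key_ids | while read -r keyid; do
        cmd="sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys $keyid"
        if [ "$mode" = "run" ]; then
            $cmd
        else
            printf '%s\n' "$cmd"
        fi
    done
}

# On a real machine:  sudo apt-get update 2>&1 | import_missing_keys
# Dry run against the constructed sample:
printf '%s\n' "$SAMPLE_OUTPUT" | import_missing_keys
```

After importing, `apt-key list` shows the full fingerprint of each key; that is the value to check against the PPA page, since the eight or sixteen hex digits in the warning are only an abbreviation of it.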


A supported PGP passphrase agent is not running

July 21st, 2008

This post is published in the hope that it’ll help others solve an issue I’ve been dealing with for the past few weeks. I have searched and searched for a solution and only recently found one workaround for the problem. The bug that I have found is here. Hopefully with some more attention it’ll be properly fixed.

The issue that I have been running into is that no supported PGP passphrase agent was running. In other words, I was not able to unlock my PGP keys for email signing and encryption. You will have noticed this problem if you use email signing and encryption with tools such as Enigmail.

The solution that I found, which is also outlined within the bug, is to remove a file that is apparently being loaded when the X session starts. For some reason this file conflicts with the seahorse key caching system, and neither works.

To fix the issue simply move the conflicting file elsewhere:

sudo mv /etc/X11/Xsession.d/90gpg-agent ~/90gpg-agent.bak

Once this file is moved you should be able to restart X and have your key-caching functionality again. If anyone else has a better fix or other suggestions please comment.
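An added check (not from the original post) to run before moving anything: list which passphrase-agent hooks the X session directory contains, and report whether the GPG_AGENT_INFO variable in your current session points at a socket that actually exists. Both agents competing for that variable is the conflict the post describes. The directory argument defaults to the real /etc/X11/Xsession.d but can be any path, so it can be tried against a scratch directory first.

```shell
#!/bin/sh
# Diagnose the gpg-agent / seahorse conflict before touching Xsession.d.

# List the session hooks that start a passphrase agent, in the order the
# globs match. Argument: directory to inspect (default: the real one).
agent_hooks() {
    dir="${1:-/etc/X11/Xsession.d}"
    found=""
    for hook in "$dir"/*gpg-agent* "$dir"/*seahorse*; do
        # An unmatched glob stays literal, so test that the file exists.
        [ -e "$hook" ] && found="$found $(basename "$hook")"
    done
    printf '%s\n' "${found# }"
}

# Report what the running session's GPG_AGENT_INFO points at. The value
# has the form socket-path:pid:protocol; only the socket path is checked.
agent_status() {
    if [ -z "$GPG_AGENT_INFO" ]; then
        echo "GPG_AGENT_INFO not set"
        return 1
    fi
    sock="${GPG_AGENT_INFO%%:*}"
    if [ -S "$sock" ]; then
        echo "gpg-agent socket present: $sock"
    else
        echo "GPG_AGENT_INFO set but socket missing: $sock"
        return 1
    fi
}

echo "hooks: $(agent_hooks)"
agent_status || true
```

If agent_hooks lists both a gpg-agent and a seahorse hook and agent_status reports a missing socket, you are in the situation the post describes; after moving 90gpg-agent and logging back in, agent_status should report a present socket.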


Privacy and Encryption with PGP : Signing and Encrypting Email / Files

August 14th, 2007

Preface

Saturday night the Ubuntu Utah Team had a great presentation on Privacy and Encryption: one very important topic and one very interesting topic. With as much as is going on these days to screw with our privacy (NSA), it isn’t a bad idea to learn a little bit about encryption. Now, I know you may think that you aren’t doing anything private, so what is the point? I’m not doing anything “private” either, but honestly, if I really wanted to talk to the NSA I’d send my emails directly to them. I’m not doing things that *need* to be hidden; it’s simply a matter of it not being any of their business.

I have for some time now been digitally signing my emails. If you’ve seen me pop up on a mailing list or got any emails from me you’ve probably seen a digital signature in-line or as an attachment. Via this digital signature you can verify that the exact contents of the email that arrived in your box are the same contents that left mine. If even *one* character changed, the signature would not validate and you could tell the email or signature had been tampered with.

I have also started signing and *encrypting* emails to others that also have a PGP key pair that I have personally trust-signed. We’ll get into the trust signing later but I wanted to share a few steps and some other references to how you can generate your own key and also be able to sign and / or encrypt emails or files.

The GUI Front-End

There are a number of tools to help you generate and manage your PGP keys. I suggest seahorse on gnome or kgpg on KDE. You can also use the command line equivalent on either system, which will be standard between the two. (note: there are also solutions for OS X and Windows, but I won’t get into those.)

First we’ll install the GUI front-end to go with the pre-installed GnuPG back-end.

sudo aptitude install seahorse (gnome)

or

sudo aptitude install gpa (gnome)

or

sudo aptitude install kgpg (kde)

Creating The Key

Now that we have one of these installed we’ll launch the front-end and start creating a key. In this example I’ll refer to seahorse but the steps should fairly easily transfer to the other two applications.

Applications > Accessories > Passwords and Encryption Keys

Select “Key” from the File Menu and “Create New Key” (ctrl-N)

This will prompt you with a selection between PGP and SSH. In this case we’ll want PGP.

The next window will prompt you for your full name, email address and comment. It is generally recommended to use your full legal name (not nicknames or aliases) and your primary valid email address. I suggest leaving the comment section empty.

You may want to select the “Advanced key options” button and set a higher key strength. The default type, DSA Elgamal at 2048 bits, is already a very strong key, but up to 4096 bits is supported as well. Personally I chose 4096 but, again, the default 2048 is plenty strong in itself.

You can also optionally select a date on which this key will expire. Unless you know a reason why you’d want to do that (sometimes for temporary project-based keys, etc.) you can safely set it to never expire.

When you hit “Create” it will ask you for a passphrase to bind to this key pair. Choose a good, solid, more-than-a-dozen-character passphrase to make this even more solid. Your digital signature and key are only as strong as their weakest link, which is the passphrase. If someone gets hold of your passphrase they can make use of your private key, decrypt emails sent to you, or appear to be you! Once you have entered the passphrase it will generate your key pair. Remember this passphrase because, without it, the key pair is useless!

Depending on the key strength and the speed of your machine this may take a while. You should see a progress bar on the screen while it processes a new key. Just be patient.

You now have a basic key that is capable of digitally signing and optionally encrypting emails or files. One great use of this is to digitally sign the Ubuntu Code of Conduct as outlined here.

Using the Key

For those of you that want to get started right away signing emails you may be interested in some of the extensions available for commonly used mail applications. Thunderbird has a great one (actually the #1 reason I use Thunderbird as my client) with Enigmail. You can find it on the mozilla addons site or via the ubuntu repositories.

Evolution has PGP support built in but it is not as flexible (or at least I haven’t figured it out). You can find this in the Privacy tab of your email box settings.

Now this tutorial is getting a bit long, so I’ll have to continue next time and explain adding your alternate email addresses to your key, keysigning parties, etc.

Until then I hope this helped a little bit.

UPDATE: screenshots of the key creation here [1,2,3,4]

Two major things to remember before you run off and start playing around. Remember your passphrase and back up your private key!!

Your public and private keys are found in ~/.gnupg/ . I suggest backing up this entire folder to an external USB drive. If you lose your private key the whole pair is useless: even if you still have the public key and the passphrase, nothing can be signed or decrypted without the private key, which makes it the most critical part of the process.
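As an added example (not from the original post), the command-line equivalent of the seahorse steps above, covering both the key creation section and the backup advice: generate a key non-interactively, sign and encrypt a file, decrypt and verify it, and export the secret key for backup. It runs entirely inside a throwaway GNUPGHOME so it never touches your real ~/.gnupg. The name, address, passphrase and message are placeholders I made up; RSA is used instead of the seahorse default DSA/Elgamal only because it generates faster, and gpg 2.1 or newer is assumed for the loopback pinentry options.

```shell
#!/bin/sh
# Command-line key creation, use and backup in an isolated keyring.

# Create a scratch keyring directory (gpg insists on 0700) and allow the
# passphrase to be supplied on the command line for batch use.
make_keyring_dir() {
    dir=$(mktemp -d) && chmod 700 "$dir" || return 1
    echo "allow-loopback-pinentry" > "$dir/gpg-agent.conf"
    printf '%s\n' "$dir"
}

# Generate a key pair from a parameter file on stdin (no expiry, as in the
# post). Arguments: keyring dir, real name, email, passphrase.
generate_key() {
    home="$1"; name="$2"; email="$3"; passphrase="$4"
    gpg --homedir "$home" --batch --pinentry-mode loopback --gen-key <<EOF
Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Name-Real: $name
Name-Email: $email
Expire-Date: 0
Passphrase: $passphrase
%commit
EOF
}

# Sign and encrypt a file to a recipient; writes an ASCII-armored .asc.
sign_and_encrypt() {
    home="$1"; passphrase="$2"; recipient="$3"; infile="$4"
    gpg --homedir "$home" --batch --yes --pinentry-mode loopback \
        --passphrase "$passphrase" --trust-model always \
        --armor --sign --encrypt --recipient "$recipient" \
        --output "$infile.asc" "$infile"
}

# Decrypt to stdout; gpg exits non-zero if the signature does not verify,
# which is the "one character changed" case from the post.
decrypt_and_verify() {
    home="$1"; passphrase="$2"; infile="$3"
    gpg --homedir "$home" --batch --quiet --pinentry-mode loopback \
        --passphrase "$passphrase" --decrypt "$infile"
}

# Export the secret key as ASCII armor for backup. The export stays
# protected by the passphrase; prints 1 when a private key block was written.
backup_secret_key() {
    home="$1"; passphrase="$2"; email="$3"; outfile="$4"
    gpg --homedir "$home" --batch --pinentry-mode loopback \
        --passphrase "$passphrase" --armor \
        --export-secret-keys "$email" > "$outfile" || return 1
    grep -c 'BEGIN PGP PRIVATE KEY BLOCK' "$outfile"
}

# Stop the agent started for the scratch keyring and remove the directory.
cleanup_keyring() {
    gpgconf --homedir "$1" --kill gpg-agent 2>/dev/null || true
    rm -rf "$1"
}

# Order of use: make_keyring_dir, generate_key, sign_and_encrypt,
# decrypt_and_verify, backup_secret_key, cleanup_keyring.
```

For a real key you would drop the --homedir option so the key lands in ~/.gnupg, and the exported secret-key file is what goes on the external drive the post recommends; keep it with the same care as the passphrase, since together they are the whole identity.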
