A GnuPG Tutorial

by Nat Queen

[Note. This is a slightly modified version of an article that originally appeared in the August 2002 issue of Archive magazine. It is written specifically for users of RISC OS computers, but much of the information applies equally to other versions of GnuPG.]

In a previous article I gave a Beginner's guide to GnuPG (GNU Privacy Guard) for RISC OS. In that article I explained how to install GnuPG and use it for simple encryption, decryption and signing of e-mail, and I also explained several basic characteristics of public keys to which reference will be made in the present article. Here I shall describe some of the other things that GnuPG can do.

First of all, it should be mentioned that GnuPG was updated to version 1.0.7 at the end of April 2002. This new version has many additional useful features, and any readers who are still using earlier versions should get the upgrade from Stefan Bellon's website at http://www.sbellon.de/gnupg.html.

As explained in my previous article, GnuPG is a good replacement for the ageing RISC OS version of PGP, and it enables RISC OS users to make use of the latest worldwide standards for secure e-mail. There are so many possible options in GnuPG that it is impossible to describe them all in an article such as this. I shall concentrate here on features that will be new to users of PGP for RISC OS, as well as some important older features that were not covered in my previous article.

Henceforth, whenever PGP is mentioned, it will always refer to the RISC OS version 2.6.3ia.


Before discussing GnuPG itself, let me make a small diversion for the benefit of readers who are already familiar with PGP for RISC OS. Others may safely skip this section.

Like the PGP which it replaces, GnuPG is used entirely from the command line. However, some of its commands are different, and experienced users of PGP may find it hard to get used to the new syntax of GnuPG, as I did myself.

One possible solution is provided by a small program "pgpgpg" which, like GnuPG itself, was ported to RISC OS by Stefan Bellon and is also available from his website mentioned above. This program is described as a wrapper around GnuPG that emulates the command-line options of the old PGP version. Although it uses the same commands as PGP 2.6.3ia, it does not produce the same output. It uses instead the new default algorithms of GnuPG, which are now in more common use.

This program enables you to use GnuPG for encryption, decryption and signing, while continuing to use the same commands as in the old PGP version. However, it does not handle any of the new special functions of GnuPG, including some of the things described below in this article.

Compatibility issues

GnuPG is compatible with all versions of PGP, but various versions of PGP use different conventions. As a consequence, if you are sending e-mail to someone who is known to use a particular version of PGP, you must ensure that the output from GnuPG is compatible with that version. If the recipient uses PGP 2, you can do this by adding the switch "--pgp2" to the relevant command. For example, if you know that your friend Alice uses PGP 2, you can encrypt and sign a file called "text" to her by means of the command

gpg --pgp2 -es -r Alice text

If she uses PGP 6, add "--pgp6" instead. In either case, GnuPG will set all the appropriate options and will warn you if you try to do something that is not allowed. Note in particular that it is not possible to encrypt and sign a file at the same time while in "--pgp2" mode. (This can be done by a rather roundabout procedure, as described in the document "pgp2x/html" included in the GnuPG distribution.)

There is no "--pgp5" option because PGP 5 is generally deprecated. I understand that a future version of GnuPG will contain a "--pgp7" option.

The web of trust

Suppose that you want to communicate securely with Alice for the first time, using GnuPG. In order to encrypt messages for her, or to check her digital signatures, you will need her public key. You can easily get Alice's key from her by e-mail, or you may be able to download it from one of the key servers on the internet, but how can you be sure that what you get is really Alice's key?

If, for example, an imposter sends you a fake key in Alice's name, he would be able to read any mail which you mistakenly encrypt with that key, and also produce misleading signatures in Alice's name. If the imposter has the means to intercept messages between you and Alice, he can implement the well known "man-in-the-middle attack". If you can obtain Alice's key from her in person, there is of course no problem. However, if this is not possible, perhaps because Alice lives too far away, the web of trust may provide a neat solution.

If your friend Bob already has a trusted key from Alice, then Bob can certify the integrity of that key for you. He can do this by giving you a signed copy of Alice's key. If you trust Bob to sign public keys only when he is absolutely confident of their authenticity, you can then gain trust in Alice's key even if you can't obtain it from her in person.

Signing public keys

To sign a public key using GnuPG, you can use the command

gpg --sign-key <name>

where <name> is the user ID of the key, or (more conveniently) any substring of it which specifies it uniquely. GnuPG will then select the first key that it finds in your keyring which matches the given specification and will ask whether you really want to sign it. If you have two or more keys with the same user ID, you can use the key ID instead of the user ID to specify the key uniquely. Note that GnuPG (unlike PGP) will not accept any substring of the key ID for this purpose.

Unlike PGP for RISC OS, GnuPG has an option for creating "local" signatures. A local signature is one that cannot be exported together with the public key to which it applies. This prevents your signature from being propagated if you send a copy of the signed key to anyone else. To create a local signature, use "--lsign-key" instead of "--sign-key".

Editing public keys

Another command that is important for managing public keys is

gpg --edit-key <name>

When you enter this command, GnuPG asks you to select a particular option. To see the list of available options, type "help", or simply the character "?". The meaning of most of the options will be fairly self-explanatory. They include the ability to delete a user ID or signature on a key, to sign a key, or to change the "ownertrust".

The ownertrust that you assign to a key is a measure of how far you trust the owner of the key to sign other users' keys correctly, i.e. to sign a key only when it has been rigorously verified by the signatory that the key actually belongs to the person identified in its user ID. On the basis of the signatures on a key and the corresponding ownertrusts that you have assigned to the keys used to create those signatures, GnuPG automatically calculates a trust value for the key. This calculated trust measures your confidence that the key actually belongs to the person identified in the user ID. Experienced users of PGP will be more familiar with the concept of calculated trust under the term "validity".

When you enter the command for editing a particular key, the first line of output shows two trust values: first your assigned ownertrust, and then the calculated trust. The possible trust values include "-" (trust value not yet assigned or calculated), "n" (no trust), "m" (marginal trust), "f" (full trust) and "u" (ultimate trust, which is possible only for your own keys). For example, if you assign marginal ownertrust for a particular key, and if that key is signed by you or by a fully trusted signatory, GnuPG will show the trust values "m/f".

If you want to change the ownertrust for a key, enter the command "trust" during the editing process. To sign a key, enter "sign". When you have finished editing a key, enter "quit" to terminate the editing process.

In contrast with PGP and with early versions of GnuPG, ultimate trust is not automatically assigned to your own public key - it must be set by the user. If no ultimate trust is set, the web of trust will not work, and GnuPG will report that the ownership of a key has not been validated even if you have signed that key with your own key.

GnuPG stores its trust values in a special trust database (a file "trustdb/gpg" contained inside the application !GnuPGUser which accompanies the main !GnuPG application), and not in the public keyring as in PGP. This means that you can safely send a copy of your public keyring to any other user without revealing your personal trust values.

Photo IDs

GnuPG has the ability to add a photo ID to a public key, exactly as in recent Windows versions of PGP. A photo ID attached to a public key can help other users to identify the owner of the key. To add a photo ID to your own public key, use the command "gpg --edit-key <name>" and then enter "addphoto". GnuPG will ask for the filename of a suitable JPEG. No other types of image files can be used.

If you want to see a photo ID on a particular key, enter the command "--show-photos" before using the command "gpg --list-keys <name>". If <name> is omitted, GnuPG will display all the photos (if any) after listing all the keys in your public keyring. Alternatively, if you want photos to be displayed in all cases by default, you should uncomment the line "# show-photos" in the options file inside !GnuPGUser.

Other options

In an article of this length I cannot hope to describe or even mention all the possible options of GnuPG. All the important ones are described in the documents which accompany the GnuPG distribution. However, there are many additional, more specialised options for advanced users which are not explained in any detail in the accompanying documentation. In fact, there are many more options than in any version of PGP. You can obtain a complete list of all available GnuPG options by typing "gpg --dump-options" at the command line. The purpose of most of them should be clear, at least if you have gained a reasonable understanding of how GnuPG works and have read the documentation. The adventurous user may have fun experimenting with some of these "undocumented" options.

Back Back to download page, where you can also find information about other RISC OS security programs.

Back Main PGP page for general information about PGP.