Difference between revisions of "Gpg and macosx"

From Studiosg
(Added a new article focused on GPG for MacOsX)
 
 
(3 intermediate revisions by the same user not shown)
Line 1: Line 1:
{{header_it|title=StudioSG - Gnu Privacy Guard per MacOsX| keyword={{Template:keyword_it_crittografia}}| description=Installazione, configurazione ed esempi d'uso di Gnu Privacy Guard su piattaforma Mac | link_page=gpg_and_macosx}}
+
{{header_en|title=StudioSG - Gnu Privacy Guard for MacOsX| keyword={{Template:keyword_en_cryptography}}| description=Installing, configuring and using Gnu Privacy Guard for MacOsX | link_page=gpg_e_macosx}}
  
  
== GPG per MacOsX ==
+
== GPG for MacOsX ==
  
'''Gnu Pravacy Guard''' è un programma per la '''crittografia ad uso personale''' che gira su di una moltitudine di piattaforme tra cui i sistemi operativi della famiglia Macintosh. Per tale sistema in particolare esistono '''tre versioni''' "ufficiali" di GPG:
+
'''Gnu Privacy Guard''' is a '''cryptographic software suite for personal use''' running on a wide variety of architectures among them the Macintosh family of operating systems. '''Three distinct versions''' of GPG can run on the Mac:
* [http://macgpg.sourceforge.net/it/index.html MacGPG] è la conversione ufficiale del ramo 1.4 di GPG. Lo sviluppo di tale versione è concluso e i pacchetti forniti servono solo nell'evenienza di dover supportare vecchie installazioni o vecchie versioni di OsX.
+
* [http://macgpg.sourceforge.net/it/index.html MacGPG] is a port of the 1.4 development branch of GPG. Development has come to a halt and packages are meant for old versions of OsX, providing support for legacy installations.
* [https://sourceforge.net/projects/gpgosx GPGOsX] è la conversione ufficiale del ramo 2.1 di GPG. Include tutte le funzionalità introdotte con la versione 2.0 e la recente 2.1.
+
* [https://sourceforge.net/projects/gpgosx GPGOsX] is a port of the 2.1 stable branch of GPG. All of the new functionality of the 2.0 and recent 2.1 releases are included.
* [https://gpgtools.org GPGTools] è un'alternativa a GPGOsX basata sula ramo 2.0 di sviluppo. GPGTools ha il vantaggio di includere molte integrazioni al programma di base come i plug-in per Apple Mail ed un'interfaccia grafica funzionante.
+
* [https://gpgtools.org GPGTools] is an alternate port of the 2.0 stable branch of GPG. GPGTools includes many an integration to the standard software as the Apple Mail plug-in and a native GUI.
  
Sia GPGOsX che GPGTools supportano solo versioni piuttosto recenti di OsX. La versione minima richiesta per installare i due programmi è la 10.6 oppure la 10.7. MacGPG invece supporta le vecchie architetture ed è pertanto indicato per chi ancora possedesse un Mac basato su architettura '''PowerPC'''. Questi ultimi dovranno però prepararsi ad utilizzare la riga di comando dato che il file di installazione non include una interfaccia grafica.
+
Both GPGOsX and GPGTools support recent OsX releases only. The minimum required version for both programs is 10.6 or 10.7. MacGPG is rather suitable for old architectures and as such is ideal for owners of '''PowerPC''' Macs, who will have to accustom themselves to the command line interface because no graphical one is provided.
  
=== Installazione ===
+
=== Installing ===
La procedura di installazione varia leggermente al variare del programma che si installa. Si rimanda alla documentazione presente sui siti web dei rispettivi programmi per istruzioni dettagliate. Di seguito sono forniti alcuni collegamenti a pagine web che descrivono la procedura di installazione di GPGTools:
+
The install procedures slightly differ for each software. You are invited to visit the home page of each one where you'll find updated information and detailed instructions. Some links to web pages detailing the GPGTools installation procedure are available below:
* [http://notes.jerzygangi.com/the-best-pgp-tutorial-for-mac-os-x-ever Istruzioni passo, passo per installare GPGTools].
+
* [http://notes.jerzygangi.com/the-best-pgp-tutorial-for-mac-os-x-ever Step by step instructions to install GPGTools].
* [https://www.encrypteverything.ca/index.php?title=Installing_and_configuring_GPGTools_for_Mac_to_encrypt_emails_and_files Un altro semplice tutorial ricco di immagini].
+
* [https://www.encrypteverything.ca/index.php?title=Installing_and_configuring_GPGTools_for_Mac_to_encrypt_emails_and_files Another good tutorial rich in images and details].
  
=== Creazione delle Chiavi & Configurazione ===
+
=== Key Pair and Configuration ===
Le pagine collegate più sopra contengono indicazioni circa la creazione della coppia di chiavi utilizzate da GPG per cifrare e decifrare i file. Le chiavi sono fondamentali per GPG dato che da esse dipende la robustezza delle informazioni cifrate. Per informazioni esaustive si rimanda alla [https://www.gnupg.org/documentation/manuals/gnupg-2.0 documentazione del programma] mentre più sotto verranno riassunti i concetti fondamentali relativi alla crittografia ed al funzionamento di GPG:
+
The above linked pages contain information about key pair creation. GPG uses a key pair to encrypt and decrypt files. The key pair is fundamental to GPG and encryption strength heavily depends on it. Please consult the [https://www.gnupg.org/documentation/manuals/gnupg-2.0 program documentation] for more in depth information. The basic concepts about encryption and GPG internals will be summarized below:
* GPG utilizza la '''crittografia asimmetrica''' anche detta '''crittografia a chiave pubblica'''.
+
* GPG uses '''asymmetric cryptography''' also known as '''public key cryptography'''.
* La crittografia asimmetrica utilizza una coppia di chiavi: una '''chiave pubblica''', che ha la funzione di cifrare le informazioni, ed una '''chiave privata''' necessaria per decifrare i dati.
+
* '''Asymmetric cryptography''' requires a key pair: a '''public key''', used to encrypt information, and a '''private key''' needed to decrypt data.
* La chiave pubblica deve essere distribuita a tutti coloro che desiderano inviarci messaggi o file cifrati.
+
* A copy of the public key should be delivered to whoever wishes to send you encrypted e-mails or files.
* '''La chiave privata è segreta e non deve essere condivisa con nessuno'''.
+
* The private key is secret and '''should never be shared with anyone'''.
* Informazioni cifrate con la chiave pubblica possono essere decifrate solo con quella privata.
+
* Information encrypted with the public key can be decrypted with the private one only.
* '''La chiave privata può essere protetta con una passphrase'''. Anche se sottratta da persone non autorizzate, una chiave protetta risulta inutilizzabile senza conoscere la passphrase.
+
* '''The private key can be protected using a passphrase'''. If stolen, a protected key cannot be used by unauthorized people who do not know the passphrase.
  
Le chiavi devono essere create come prima cosa a seguito dell'installazione per consentire il funzionamento del programma. La lunghezza delle chiavi è un aspetto delicato ed oggetto di discussione frequente. Una chiave di lunghezza maggiore garantisce in teoria una maggiore sicurezza, ma il suo impiego comporta svantaggi da prendere in considerazione. GPG consente di impostare una '''lunghezza massima di 4096 bit''' per le chiavi, ma si consiglia comunque di impostare il valore standard di '''2048 bit'''. La lunghezza standard rappresenta un buon compromesso tra sicurezza e prestazioni garantendo inoltre la possibilità di utilizzare dispositivi esterni quali le smart card. Le [https://www.gnupg.org/faq/gnupg-faq.html FAQ di GPG] (In inglese) contengono una trattazione della lunghezza in cui vengono soppesati i vantaggi e gli svantaggi del ricorso a dimensioni maggiori di 2048 bit.
+
The key pair is the building block for GPG to work and as such should be created soon after the installation to allow the program to work. Key length is a sensitive matter and frequent subject to discussion. A longer key grants a stronger security in theory, but using longer keys involves some disadvantages to be taken into account. GPG supports a '''maximum key length of 4096 bit''', but still you are recommended to set the standard value of '''2048 bit'''. The standard length is a good compromise between security and performances and it grants use of external devices like smart cards and such. The [https://www.gnupg.org/faq/gnupg-faq.html GPG FAQ] includes a discussion of key length where advantages of using more than 2048 bits are weighed against disadvantages.
  
La procedura per la generazione delle chiavi è descritta di seguito. Seppure alcune versioni di GPG per Mac dispongano di una interfaccia grafica di amministrazione, la riga di comando è l'unica interfaccia comune a tutte e tre perciò se ne farà ricorso.
+
The procedure for key generation is described below. Although some versions of GPG for Mac can be administered through a GUI, I'll use the command line interface because it is the only one common to all three programs.
* Aprire un terminale.
+
* Start a terminal.
* Lanciare il comando '''gpg''' ''--gen-key'' fornendo tutte le informazioni richieste come nell'esempio sottostante:
+
* Run command '''gpg''' ''--gen-key'' providing all of the requested information as in the example below:
 
   hostname:~ user1$ '''gpg''' ''--gen-key''
 
   hostname:~ user1$ '''gpg''' ''--gen-key''
 
   gpg (GnuPG) 1.4.9; Copyright (C) 2008 Free Software Foundation, Inc.
 
   gpg (GnuPG) 1.4.9; Copyright (C) 2008 Free Software Foundation, Inc.
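Review bot: the translated GPGTools bullet ("GPGTools includes many an integration to the standard software as the Apple Mail plug-in and a native GUI") reads awkwardly; suggest "GPGTools includes many integrations with the base program, such as the Apple Mail plug-in and a working GUI". In the next paragraph "MacGPG is rather suitable for old architectures" drops the contrast carried by the Italian "invece"; "MacGPG, on the other hand, supports the old architectures" keeps it. In the key-length paragraph "frequent subject to discussion" and "performances" should read "a frequent subject of discussion" and "performance".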
Line 86: Line 86:
 
   sub  2048g/1C97007E 2016-03-22
 
   sub  2048g/1C97007E 2016-03-22
  
La procedura chiede di inserire un identificatore ed altre informazioni personali utilizzate per distinguere le chiavi. Per ottenere un elenco delle chiavi registrate utilizzare il comando '''gpg''' ''--list-keys'':
+
The procedure requires to provide a unique identifier and some more personal information used to distinguish keys. To get a list of saved keys use the command: '''gpg''' ''--list-keys'':
 
   hostname:~ user1$ '''gpg''' ''--list-keys''
 
   hostname:~ user1$ '''gpg''' ''--list-keys''
 
   /home/user1/.gnupg/pubring.gpg
 
   /home/user1/.gnupg/pubring.gpg
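Review bot: the --list-keys transcript in this hunk shows the keyring at /home/user1/.gnupg/pubring.gpg, while the article states that the GPG directory on MacOsX is /Users/<user name>/.gnupg and the later --list-keys transcript uses /Users/user1/.gnupg/pubring.gpg; this listing looks captured on a non-Mac system and should be re-captured or its path aligned for consistency. Minor: "The procedure requires to provide" should be "The procedure requires you to provide".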
Line 94: Line 94:
 
   sub  2048g/1C97007E 2016-03-22
 
   sub  2048g/1C97007E 2016-03-22
  
'''Durante la creazione delle chiavi è possibile digitare una passphrase opzionale per la chiave privata'''. Si consiglia caldamente di utilizzare sempre una passphrase, che tutela l'utente in caso di furto del dispositivo su cui siano custodite le chiavi. Una password troppo corta o troppo facile potrebbe essere decifrata mediante un attacco di forza bruta. Una passphrase lunga più di otto caratteri contenente lettere, numeri e caratteri speciali salvaguarderà da tale tipo di attacchi.
+
'''During key creation you can provide an optional passphrase for the private key'''. You are encouraged to always use a passphrase, which safeguards users in case the device where thee keys are saved is stolen. A passphrase too short or too easy cold be discovered by a brute force attack. Please use a passphrase longer than 8 characters containing letters, numbers and special characters to defend against such attacks.
  
Il comportamento di GPG varia impostando opportuni valori per le opzioni del programma. In un sistema MacOsX le opzioni di configurazione sono salvate in file di testo modificabili con comune elaboratore di testo. Ogni utenza configurata sul sistema possiede una copia personale dei file di configurazione, che sono salvati nella cartella principale. Il file di configurazione di GPG &egrave; '''/Users/<nome utente>/.gnupg/gpg.conf'''. Ad esempio il file di configurazione di un ipotetico utente user1 sar&agrave;: /Users/user1/.gnupg/gpg.conf. Il punto all'inizio del nome .gnupg impone che la cartella sia nascosta. Per visualizzare la cartella utilizzare l'opzione ''-a'' del comando '''ls''':
+
GPG standard behavior can be customized setting proper values for the program options. Configuration options are saved in text files in MacOsX and can be edited recurring to any text editor. Every configured user has his or her personal copy of the configuration files, which are located in the home directory. The standard GPG configuration file for any user is '''/Users/<user name>/.gnupg/gpg.conf'''.  
 +
For example, the configuration file of a hypothetical user1 user is: /Users/user1/.gnupg/gpg.conf. The dot preceding the .gnupg directory name means that the directory is a hidden one. To list a hidden directory when inspecting the content of its father one use option ''-a'' of command '''ls''':
 
: '''ls''' ''-la''
 
: '''ls''' ''-la''
Per leggere o modificare il proprio file di configurazione:
+
To read or update your own configuration file:
: '''/Applications/TextEdit.app/Contents/MacOS/TextEdit''' /Users/<nome utente>/.gnupg/gpg.conf
+
: '''/Applications/TextEdit.app/Contents/MacOS/TextEdit''' /Users/<user name>/.gnupg/gpg.conf
  
Il file &egrave; commentato scrupolosamente, ma si rimanda comunque al manuale del programma per una descrizione di tutte le opzioni ivi contenute. Le opzioni predefinite sono adeguate per la quasi totalit&agrave; degli usi privati o professionali. Si consiglia di cambiare tali valori solo quando si sia certi del risultato ottenuto.
+
The file is fully commented, but still refer to the program manual for a description of all the options contained therein. Standard values are suitable for almost all private or professional uses. Please set different values only when you are certain of the outcome.
  
Il comando gpg deve essere rimpiazzato da '''gpg2''' dagli utenti di GPGOsX o GPGTools che usino la riga di comando invece delle rispettive interfacce grafiche.
+
GPGOsX and GPGTools users should replace command gpg with '''gpg2''' when using the command line interface instead of the graphical one.
  
==== Back-up della Coppia di Chiavi ====
+
==== Key Pair Back-up ====
La coppia di chiavi &egrave; fondamentale per leggere i file cifrati: la perdita della chiave privata potrebbe rivelarsi una catastrofe essendo impossibile per i processori attualmente in commercio decifrare i file senza di essa. L'intero archivio andrebbe perso assieme alla chiave ed &egrave; pertanto buona norma generare una copia delle chiavi da conservare poi in un luogo sicuro, diverso dalla macchina su cui si lavori abitualmente. Tutte le chiavi generate sono contenute all'interno della cartella '''/Users/<nome utente>/.gnupg''' in appositi file binari. Un modo semplice ottenere la copia di sicurezza delle chiavi consiste nella creazione di un archivio compresso protetto da password:
+
The key pair is mandatory to open encrypted files: its loss could prove to be catastrophic as currently available processors are not powerful enough to decrypt files without. A whole document archive cold be lost for want of a key. It is a good idea to keep a safety copy of both keys stored in a safe place, different from the machine where they were created. All keys are stored inside directory '''/Users/<user name>/.gnupg''' in the form of binary files. A safe and easy way to generate a copy of the key pair consists of creating a password protected compressed archive of the directory:
: '''zip''' ''-er'' key_backup.zip /Users/<nome utente>/.gnupg
+
: '''zip''' ''-er'' key_backup.zip /Users/<user name>/.gnupg
  
Il comando zip chiederà all'utente di fornire una password per l'archivio e di confermarla immediatamente dopo. L'archivio generato, key_backup.zip, potrà essere aperto solo fornendo la password impostata. La versione del comando '''zip''' installata in OsX 10.4 o precedenti '''non supporta la crittografia'''. Gli utenti di tali sistemi devono rimuovere l'opzione ''-e'' altrimenti il comando fallir&agrave; rendendo l'errore "(encryption not supported)":
+
The zip command will ask the user to provide a password for the archive, then to confirm the provided value by retyping it. The resulting archive, key_backup.zip, can be opened only by providing the password. The zip version shipping with OsX 10.4 or earlier releases '''does not support cryptography'''. Users should remove the ''-e'' option or the program will return error "(encryption not supported)" and fail:
 
: '''zip''' ''-r'' key_backup.zip /Users/<nome utente>/.gnupg
 
: '''zip''' ''-r'' key_backup.zip /Users/<nome utente>/.gnupg
  
=== Cifrare e Decifrare File ===
+
=== How-to Encrypt and Decrypt Files ===
Il lancio dei comandi di GPG per cifrare e decifrare documenti su Mac dipende dal software installato pertanto anche in questo caso si rimanda alla documentazione del programma specifico. Seguono alcuni collegamenti alle pagine del sito di GPGTools:
+
Commands to encrypt and decrypt files with GPG vary with the program installed on your Mac. Please refer to the documentation of the specific program. Below are some links to the web pages of GPGTool:
* [https://gpgtools.tenderapp.com/kb/gpgservices-faq/how-to-encrypt-and-sign-text-or-files-with-gpgservices Cifrare e decifrare file con GPGTools]].
+
* [https://gpgtools.tenderapp.com/kb/gpgservices-faq/how-to-encrypt-and-sign-text-or-files-with-gpgservices How to encrypt and decrypt files using GPGTools]].
* [http://sites.allegheny.edu/its/best-practices/encrypting-files-gpg-tools Altri esempi d'uso di GPGTools].
+
* [http://sites.allegheny.edu/its/best-practices/encrypting-files-gpg-tools Some more GPGTools examples].
  
L'interfaccia a riga di comando ha il vantaggio di essere uniforme per tutti i programmi. &Egrave; possibile ottenere informazioni ed esempi d'uso nella [http://blog.ghostinthemachines.com/2015/03/01/how-to-use-gpg-command-line documentazione ufficiale di GPG], che illustra i comandi e le relative opzioni. Il comando base per cifrare un file è:
+
The command line interface is uniform for all of the three programs. You can retrieve information and some examples in the [http://blog.ghostinthemachines.com/2015/03/01/how-to-use-gpg-command-line GPG documentation], where commands and related options usage is explained. The base encryption command is:
 
: '''gpg''' ''--encrypt'' <file>
 
: '''gpg''' ''--encrypt'' <file>
GPG chieder&agrave; all'utente di fornire un identificatore per la chiave del destinatario del file che verr&agrave; utilizzata per cifrare il documento come illustrato nell'esempio sottostante:
+
GPG will ask you to provide the unique identifier for the public key of the file recipient. The key will be used to encrypt the file as in the example below:
  hostname:~ user1$ '''gpg''' ''--encrypt'' st_test01.pdf
+
  hostname:~ user1$ '''gpg''' ''--encrypt'' st_test01.pdf
 
   You did not specify a user ID. (you may use "-r")
 
   You did not specify a user ID. (you may use "-r")
 
    
 
    
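Review bot: the key backup step ("zip -er key_backup.zip /Users/<user name>/.gnupg") needs a caveat: the -e option of the Info-ZIP zip shipped with OsX applies the legacy PKZIP stream cipher, which is weak protection for a secret keyring, so the text should state that the archive password is only a second layer, that the private key's own passphrase remains the main safeguard, and that a copy stored off the machine is better protected with gpg --symmetric on the archive or an encrypted volume. The 10.4 case ("Users should remove the -e option") should likewise say that the resulting archive is unencrypted and relies on the key passphrase alone. Smaller points in the same hunk: "does not support cryptography" should read "does not support encryption"; typos "thee keys", "cold be" (twice), "father one" (parent directory), "GPGTool"; the two link bullets under "How-to Encrypt and Decrypt Files" carry a stray "]" after the link that renders as a literal bracket; and the link labelled "GPG documentation" points to a third-party blog post rather than the official manual already linked at gnupg.org earlier in the article.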
Line 134: Line 135:
 
   hostname:~ user1$
 
   hostname:~ user1$
  
Il file così generato avrà il medesimo nome del file origine ed estensione '''.gpg'''.
+
The encrypted file retains the name of the original one but a different extension: '''.gpg'''.
  
Per impostare molti destinatari diversi bisogna digitarne uno per riga. '''Una riga vuota indica la fine dell'elenco di destinatari'''. Un elenco delle chiavi registrate ed utilizzabili per cifrare i file può essere richiamato mediante l'opzione ''--list-keys'':
+
You can provide a list of recipients one for each line. '''An empty line of text marks the archive end'''. A list of saved keys available to encrypt files can be retrieved recurring to the ''--list-keys'' option:
 
   hostname:~ user1$ '''gpg''' ''--list-keys''
 
   hostname:~ user1$ '''gpg''' ''--list-keys''
 
   /Users/user1/.gnupg/pubring.gpg
 
   /Users/user1/.gnupg/pubring.gpg
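Review bot: "An empty line of text marks the archive end" mistranslates the Italian, which says that an empty line ends the recipient list; nothing here is an archive, so suggest "An empty line marks the end of the recipient list". Also "retrieved recurring to the --list-keys option" should read "retrieved with the --list-keys option".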
Line 144: Line 145:
 
   sub  2048g/1C97007E 2016-03-22
 
   sub  2048g/1C97007E 2016-03-22
  
Per cifrare molti file con un unico comando esiste l'opzione ''--multi''. Nel caso sar&agrave; necessario fornire un elenco di destinatari per ogni file. L'operazione potrebbe risultare tediosa e, per semplificarla, GPG offre l'opzione ''-r'' che consente di fornire i destinatari direttamente nella riga di comando. Nell'esempio riportato sotto tre documenti sono protetti utilizzando la chiave del destinatario StudioSG:
+
Many files can be encrypted at once recurring to the ''--multi'' option. You'll have to provide a recipients list for each file. This could prove to be a lot of work and GPG provides option ''-r'' to simplify it. Using ''-r'' the recipient list can be added to the command line. In the example below three documents are encrypted using the key of recipient StudioSG:
 
   hostname:~ user1$ '''ls''' ''-la''
 
   hostname:~ user1$ '''ls''' ''-la''
 
   total 48
 
   total 48
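Review bot: the option is documented by GnuPG as --multifile (with --encrypt it is the same as --encrypt-files); "--multi" only works because gpg accepts unambiguous abbreviations of long option names, so the text should spell out --multifile to match the manual. "recurring to the --multi option" should read "using the --multifile option".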
Line 164: Line 165:
 
   -rw-------  1 user1 user1 7574 Mar 18 18:50 st_test03.pdf.gpg
 
   -rw-------  1 user1 user1 7574 Mar 18 18:50 st_test03.pdf.gpg
  
Per decifrare un file si utilizza il comando gpg seguito dall'opzione ''--decrypt''. GPG chieder&agrave; all'utente di fornire una password, ricevuta la quale esporter&agrave; il contenuto del file cifrato sull'output della console. Per ottenere un file in chiaro, invece, &egrave; necessario utilizzare l'opzione ''--output'' e fornire un nome per detto file.
+
A file is decrypted with the ''--decrypt'' option of the gpg command. GPG will prompt the user for a password and, once inserted, will output the "clear text" content of the encrypted file on the standard output. To save a decrypted version of the file the ''--output'' option and the name of the saved file are needed:
: '''gpg''' ''--output'' <file in chiaro> ''--decrypt'' <file cifrato>
+
: '''gpg''' ''--output'' <decrypted file> ''--decrypt'' <encrypted file>
 
   hostname:~ user1$ '''gpg''' ''--output'' st_test01.pdf ''--decrypt'' st_test01.pdf.gpg
 
   hostname:~ user1$ '''gpg''' ''--output'' st_test01.pdf ''--decrypt'' st_test01.pdf.gpg
 
    
 
    
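Review bot: "GPG will prompt the user for a password" should say that it prompts for the passphrase of the private key chosen at key creation (the key-creation section calls it a passphrase), and that a key created without one decrypts with no prompt at all; consistent terminology keeps readers from confusing it with the zip archive password introduced just above.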
Line 184: Line 185:
  
 
=== GPG-AGENT ===
 
=== GPG-AGENT ===
'''Gpg-agent''' &egrave; un demone che memorizza in una propria cache tutte le passphrase digitate da un utente fornendole poi ai programmi che le richiedano successivamente. L'utente dovr&agrve; inserire ogni password solo una volta e non all'apertura di ogni documento. Il risparmio di tempo risulter&agrave; notevole per il personale di un ufficio che debba leggere e gestire una gran quantit&agrave; di documenti ogni giorno.
+
'''Gpg-agent''' is a daemon that stores in an internal cache all of the user provided passphrases then forwards them to all programs asking for one later. You basically have to insert any password only once and not each time a document is opened. The time saving is considerable for the staff of an office that needs to read and handle large amounts of documents every day.
  
Il demone deve essere esplicitamente avviato ed attivo perch&egrave; memorizzi le password e l'ambiente deve essere opportunamente configurato perch&egrave; ne avverta la presenza e lo interroghi quando necessario. Per automatizzare l'avvio di gpg-agent in MacOsX &egrave; necessario configurare un '''launch agent''':
+
The daemon must be up and running to store passwords and the environment must be properly configured in order for programs to know of the daemon existence and to query it when needed. To start gpg-agent automatically in MacOsX you have to configure a '''launch agent''':
* Aprire il terminale.
+
* Open the terminal window.
* Spostarsi nella cartella del launch agent:
+
* Move to the launch agent root directory:
 
: '''cd''' ~/Library/LaunchAgents
 
: '''cd''' ~/Library/LaunchAgents
* Creare un file che contenga la configurazione di gpg-agent:
+
* Create a file containing the gpg-agent configuration:
 
: '''/Applications/TextEdit.app/Contents/MacOS/TextEdit''' org.gnupg.gpg-agent.plist
 
: '''/Applications/TextEdit.app/Contents/MacOS/TextEdit''' org.gnupg.gpg-agent.plist
* Popolare il file con la configurazione di gpg-agent in formato '''XML''':
+
* Populate the file with the '''XML''' formatted gpg-agent configuration:
 
<syntaxhighlight lang="xml">
 
<syntaxhighlight lang="xml">
 
   <?xml version="1.0" encoding="UTF-8"?>
 
   <?xml version="1.0" encoding="UTF-8"?>
Line 202: Line 203:
 
       <key>ProgramArguments</key>
 
       <key>ProgramArguments</key>
 
       <array>
 
       <array>
         <string>/Users/<nome utente>/bin/gpg_agent_start.sh</string>
+
         <string>/Users/<user name>/bin/gpg_agent_start.sh</string>
 
       </array>
 
       </array>
 
       <key>RunAtLoad</key>
 
       <key>RunAtLoad</key>
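Review bot: the placeholder "<user name>" inside <string>/Users/<user name>/bin/gpg_agent_start.sh</string> must be replaced with the real account name before the file is saved; left as-is it is not only a wrong path but malformed XML (the "<" opens a tag), so launchd will refuse to load the plist. Suggest a sentence after the XML block saying so.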
Line 209: Line 210:
 
   </plist>
 
   </plist>
 
</syntaxhighlight>
 
</syntaxhighlight>
* Nella cartella del proprio utente creare la sotto-cartella '''bin''' ove salvare lo script di avvio di GPG:
+
* Move back to your home directory and create a sub directory named '''bin''' where to save the start script for GPG:
: '''mkdir''' /Users/<nome utente>/bin
+
: '''mkdir''' /Users/<user name>/bin
* Creare lo script di avvio:
+
* Create the start script:
 
: '''/Applications/TextEdit.app/Contents/MacOS/TextEdit''' gpg_agent_start.sh
 
: '''/Applications/TextEdit.app/Contents/MacOS/TextEdit''' gpg_agent_start.sh
 
<syntaxhighlight lang="bash">
 
<syntaxhighlight lang="bash">
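Review bot: the "Create the start script" step opens TextEdit on the relative path gpg_agent_start.sh right after "Move back to your home directory", so the file is created in the home directory rather than in the bin directory referenced by the plist's ProgramArguments; the command should use /Users/<user name>/bin/gpg_agent_start.sh (or be preceded by "cd bin"), and the same holds for the "chmod 700 gpg_agent_start.sh" step that follows.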
Line 223: Line 224:
 
   export GPG_TTY=`tty`
 
   export GPG_TTY=`tty`
 
</syntaxhighlight>
 
</syntaxhighlight>
* Rendere il file di avvio eseguibile:
+
* Make the file executable:
 
: '''chmod''' 700 gpg_agent_start.sh
 
: '''chmod''' 700 gpg_agent_start.sh
* Aggiornare la configurazione del terminale perch&agrave; tutti i comandi siano informati della presenza dell'agente. Il terminale utilizza una shell '''bash''' ergo sar&agrave; necessario aggiornare il file di configurazione della stessa:
+
* Update the terminal configuration in order for all commands to know about the agent. The standard terminal uses a '''bash''' shell  then the file to update is the bash configuration file:
 
: ''cd''
 
: ''cd''
 
: '''/Applications/TextEdit.app/Contents/MacOS/TextEdit''' .bash_profile
 
: '''/Applications/TextEdit.app/Contents/MacOS/TextEdit''' .bash_profile
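Review bot: the start script contains export GPG_TTY=`tty`, but launchd runs the script without a controlling terminal, so tty prints "not a tty" there and the exported value is of no use to the agent; GPG_TTY belongs in the .bash_profile edited in the last step of this hunk, where it is evaluated by an interactive shell. Style: the "cd" in that step is italic while every other command on the page is bold.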
Line 236: Line 237:
 
</syntaxhighlight>
 
</syntaxhighlight>
  
I parametri di configurazione di gpg-agent sono contenuti nel file /'''Users/<nome utente>/.gnupg/gpg-agent.conf'''. Tra questi vale la pena citare '''default-cache-ttl''' che imposta '''l'intervallo di tempo per cui una password verr&agrave; mantenuta nella cache'''. Scaduto tale limite la password verrà rimossa e chiesta nuovamente all'utente in caso di bisogno. Il tempo di vita standard di una password ammonta a 600 secondi ossia 10 minuti. Per aumentare tale intervallo ad un'ora si modifichi la riga:
+
The configuration parameters for gpg-agent reside in the /'''Users/<user name>/.gnupg/gpg-agent.conf''' file. Some are worth mentioning. Among them is '''default-cache-ttl''' responsible for the '''amount of time a password is kept in the cache'''. When the period expires the password entry is removed and asked for again to the user when needed. The standard lifetime of a password is 600 seconds or 10 minutes. To increase the period to 1 hour update line:
 
   default-cache-ttl 600
 
   default-cache-ttl 600
 
in
 
in
 
   default-cache-ttl 3600
 
   default-cache-ttl 3600
e si riavvii il demone gpg-agent.
+
then restart the gpg-agent daemon.
  
Gli utenti con versione di OsX 10.4 o meno recente '''non potranno usufruire dei servizi di gpg-agent''' essendo lo stesso un componente introdotto con la versione 2.0 di GPG.
+
Users of the OsX 10.4 release or earlier '''cannot use the gpg-agent service''' as it was introduced in release 2.0 of GPG.
  
  
== Conclusioni ==
+
== Conclusions ==
  
Il presente articolo contiene una breve presentazione delle versioni di Gnu Privacy Guard sviluppate per piattaforma Mac. Sono state descritte la procedura di installazione ed il funzionamento base del programma. Per maggiori informazioni si rimanda al manuale del progetto ed ai numerosi articoli disponibili in rete e in questo stesso sito web. Se foste interessati ai servizi offerti o solo per ottenere maggiori informazioni, per cortesia contattateci attraverso l'apposita [[Special:Contact/crittografia | maschera]].
+
This paper provides a brief description of the MacosX optimized versions of GNU Privacy Guard. The installation and the basic operation of the program were described. For more information you are encouraged to read the manual and the many articles available on the net and in this very same website. Were You interested in our offerings or simply looking for more information, please refer to our [[studiosg:About|contacts]] page. Thank You.
  
  
Per commenti, consigli, domande inviate una e-mail all'indirizzo ''studiosg [chiocciola] giustetti [punto] net''.
+
To contact me or leave me your feedback, Please e-mail at ''studiosg [at] giustetti [dot] net''.
  
  
Link esterni
+
External links
  
 
----
 
----
  
* [https://www.gnupg.org/index.it.html Pagina ufficiale di GNU Privacy Guard (Inglese)]
+
* [https://www.gnupg.org/index.it.html GNU Privacy Guard home page]
* [http://macgpg.sourceforge.net/it/index.html GPG versione 1.4 per MacOsX]
+
* [http://macgpg.sourceforge.net/it/index.html GPG 1.4 for MacOsX]
* [https://gpgtools.org GPG versione 2.0 per MacOsX (Inglese)]
+
* [https://gpgtools.org GPG versione 2.0 for MacOsX]
* [https://sourceforge.net/projects/gpgosx Versione alternativa di GPG 2.0 per MacOsX (Inglese)]
+
* [https://sourceforge.net/projects/gpgosx Another version of GPG 2.0 for MacOsX]
  
 
----
 
----
  
{{footer_it | link_page=gpg_and_macosx}}
+
{{footer_en | link_page=gpg_e_macosx}}
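Review bot: the gpg-agent.conf paragraph should add that default-cache-ttl is capped by max-cache-ttl (7200 seconds by default), so values above two hours also require raising max-cache-ttl, and that a longer cache lifetime also lengthens the window in which anyone with access to the unlocked session can decrypt without the passphrase. Formatting: the leading slash of "/'''Users/<user name>/.gnupg/gpg-agent.conf'''" sits outside the bold markup; "MacosX optimized" in the conclusions should be "MacOsX"; and the external link "GPG versione 2.0 for MacOsX" still carries the Italian "versione".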

Latest revision as of 11:57, 21 March 2022

Welcome to Simone Giustetti's wiki pages.





GPG for MacOsX

Gnu Privacy Guard is a cryptographic software suite for personal use that runs on a wide variety of platforms, among them the Macintosh family of operating systems. Three distinct versions of GPG can run on the Mac:

  • MacGPG is a port of the 1.4 development branch of GPG. Development has come to a halt and the packages are meant for old versions of OsX, providing support for legacy installations.
  • GPGOsX is a port of the 2.1 stable branch of GPG. All of the new functionality of the 2.0 and of the recent 2.1 releases is included.
  • GPGTools is an alternate port of the 2.0 stable branch of GPG. GPGTools includes many integrations with the base program, such as the Apple Mail plug-in and a native GUI.

Both GPGOsX and GPGTools support recent OsX releases only. The minimum required version for the two programs is 10.6 or 10.7. MacGPG, on the other hand, supports the old architectures and is therefore the choice for owners of PowerPC Macs, who will have to accustom themselves to the command line interface because no graphical one is provided.

Installing

The installation procedure differs slightly for each program. You are invited to visit the home page of each one, where you will find updated information and detailed instructions. Some links to web pages detailing the GPGTools installation procedure are available below:

Key Pair and Configuration

The pages linked above contain information about key pair creation. GPG uses a key pair to encrypt and decrypt files. The key pair is fundamental to GPG and encryption strength heavily depends on it. Please consult the program documentation for more in-depth information. The basic concepts of encryption and of GPG internals are summarized below:

  • GPG uses asymmetric cryptography also known as public key cryptography.
  • Asymmetric cryptography requires a key pair: a public key, used to encrypt information, and a private key needed to decrypt data.
  • A copy of the public key should be delivered to whoever wishes to send you encrypted e-mails or files.
  • The private key is secret and should never be shared with anyone.
  • Information encrypted with the public key can be decrypted with the private one only.
  • The private key can be protected using a passphrase. If stolen, a protected key cannot be used by unauthorized people who do not know the passphrase.

The key pair is the building block GPG works with and as such should be created soon after the installation. Key length is a sensitive matter and a frequent subject of discussion. In theory a longer key grants stronger security, but using longer keys involves some disadvantages that must be taken into account. GPG supports a maximum key length of 4096 bit, but you are still recommended to keep the standard value of 2048 bit. The standard length is a good compromise between security and performance, and it allows the key to be used on external devices such as smart cards. The GPG FAQ includes a discussion of key length where the advantages of using more than 2048 bits are weighed against the disadvantages.

The procedure for key generation is described below. Although some versions of GPG for Mac can be administered through a GUI, I'll use the command line interface because it is the only one common to all three programs.

  • Start a terminal.
  • Run command gpg --gen-key providing all of the requested information as in the example below:
  hostname:~ user1$ gpg --gen-key
  gpg (GnuPG) 1.4.9; Copyright (C) 2008 Free Software Foundation, Inc.
  This is free software: you are free to change and redistribute it.
  There is NO WARRANTY, to the extent permitted by law.
  
  Please select what kind of key you want:
     (1) DSA and Elgamal (default)
     (2) DSA (sign only)
     (5) RSA (sign only)
  Your selection? 1
  DSA keypair will have 1024 bits.
  ELG-E keys may be between 1024 and 4096 bits long.
  What keysize do you want? (2048) 
  Requested keysize is 2048 bits
  Please specify how long the key should be valid.
           0 = key does not expire
        <n>  = key expires in n days
        <n>w = key expires in n weeks
        <n>m = key expires in n months
        <n>y = key expires in n years
  Key is valid for? (0) 0
  Key does not expire at all
  Is this correct? (y/N) y
  
  You need a user ID to identify your key; the software constructs the user ID
  from the Real Name, Comment and Email Address in this form:
  "Heinrich heine (Der Dichter) <heinrichh@dusseldorf.de>"
  
  Real name: StudioSG
  Email address: studiosg@giustetti.net
  Comment: sg_test_03
  You selected this USER-ID:
     "StudioSG (sg_test_03) <studiosg@giustetti.net>"
  
  Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
  You need a Passphrase to protect your secret key.
  
  We need to generate a lot of random bytes. It is a good idea to perform
  some other action (type on the keyboard, move the mouse, utilize the
  disks) during the prime generation; this gives the random number
  generator a better chance to gain enough entropy.
  We need to generate a lot of random bytes. It is a good idea to perform
  some other action (type on the keyboard, move the mouse, utilize the
  disks) during the prime generation; this gives the random number
  generator a better chance to gain enough entropy.
  gpg: key CE95C1E9 marked as ultimately trusted
  public and secret key created and signed.
  
  gpg: checking the trustdb
  gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
  gpg: depth: 0  valid:   2  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
  pub   1024R/CE95C1E9 2016-03-22
        Key fingerprint = 4313 91CC F222 161E 3B19  54CE AC09 5248 CE95 C1E9
  uid                  StudioSG (sg_test_03) <studiosg@giustetti.net>
  sub   2048g/1C97007E 2016-03-22

The procedure requires you to provide a unique identifier and some personal information used to tell keys apart. To get a list of the saved keys use the command gpg --list-keys:

  hostname:~ user1$ gpg --list-keys
  /home/user1/.gnupg/pubring.gpg
  -----------------------------
  pub   1024D/CE95C1E9 2016-03-22
  uid                  StudioSG (sg_test_03) <studiosg@giustetti.net>
  sub   2048g/1C97007E 2016-03-22

During key creation you can provide an optional passphrase for the private key. You are encouraged to always use a passphrase, which protects you in case the device where the keys are saved is stolen. A passphrase that is too short or too simple could be discovered by a brute force attack. Please use a passphrase longer than 8 characters containing letters, numbers and special characters to defend against such attacks.

The standard GPG behavior can be customized by setting proper values for the program options. In MacOsX configuration options are saved in text files and can be edited with any text editor. Every configured user has his or her personal copy of the configuration files, located in the home directory. The standard GPG configuration file for any user is /Users/<user name>/.gnupg/gpg.conf. For example, the configuration file of a hypothetical user named user1 is /Users/user1/.gnupg/gpg.conf. The dot preceding the .gnupg directory name means that the directory is hidden. To include hidden directories when listing the content of the parent directory use option -a of the ls command:

ls -la

To read or update your own configuration file:

/Applications/TextEdit.app/Contents/MacOS/TextEdit /Users/<user name>/.gnupg/gpg.conf

The file is fully commented, but still refer to the program manual for a description of all the options contained therein. Standard values are suitable for almost all private or professional uses. Please set different values only when you are certain of the outcome.

GPGOsX and GPGTools users should replace command gpg with gpg2 when using the command line interface instead of the graphical one.

Key Pair Back-up

The key pair is mandatory to open encrypted files: its loss could prove catastrophic, as currently available processors are not powerful enough to decrypt files without it. A whole document archive could be lost for want of a key. It is a good idea to keep a safety copy of both keys stored in a safe place, different from the machine where they were created. All keys are stored inside the directory /Users/<user name>/.gnupg in the form of binary files. A safe and easy way to make a copy of the key pair is to create a password protected compressed archive of the directory:

zip -er key_backup.zip /Users/<user name>/.gnupg

The zip command will ask the user to provide a password for the archive, then to confirm the provided value by retyping it. The resulting archive, key_backup.zip, can be opened only by providing the password. The zip version shipping with OsX 10.4 or earlier releases does not support cryptography. Users should remove the -e option or the program will return error "(encryption not supported)" and fail:

zip -r key_backup.zip /Users/<user name>/.gnupg

How-to Encrypt and Decrypt Files

Commands to encrypt and decrypt files with GPG vary with the program installed on your Mac. Please refer to the documentation of the specific program. Below are some links to the web pages of GPGTool:

The command line interface is uniform for all of the three programs. You can retrieve information and some examples in the GPG documentation, where commands and related options usage is explained. The base encryption command is:

gpg --encrypt <file>

GPG will ask you to provide the unique identifier for the public key of the file recipient. The key will be used to encrypt the file as in the example below:

 hostname:~ user1$ gpg --encrypt st_test01.pdf
  You did not specify a user ID. (you may use "-r")
  
  Current recipients:
  
  Enter the user ID.  End with an empty line: StudioSG
  
  Current recipients:
  2048g/1C97007E 2016-03-22 "StudioSG (sg_test_03) <studiosg@giustetti.net>"
  
  Enter the user ID.  End with an empty line: 
  
  hostname:~ user1$

The encrypted file retains the name of the original one but a different extension: .gpg.

You can provide a list of recipients, one per line; an empty line marks the end of the list. The saved keys available for encrypting files can be listed with the --list-keys option:

  hostname:~ user1$ gpg --list-keys
  /Users/user1/.gnupg/pubring.gpg
  -----------------------------
  pub   1024D/CE95C1E9 2016-03-22
  uid                  StudioSG (sg_test_03) <studiosg@giustetti.net>
  sub   2048g/1C97007E 2016-03-22

Many files can be encrypted at once with the --multi option (an abbreviation of --multifile). You would then have to provide a recipient list for each file. This could prove to be a lot of work, so GPG provides option -r to simplify it: with -r the recipient list is given on the command line. In the example below three documents are encrypted using the key of recipient StudioSG:

  hostname:~ user1$ ls -la
  total 48
  drwx------  3 user1 user1 4096 Mar 18 18:50 .
  drwx------ 17 root  admin 4096 Mar 18 18:37 ..
  -rw-------  1 user1 user1 7737 Mar 18 18:50 st_test01.pdf
  -rw-------  1 user1 user1 7844 Mar 18 18:50 st_test02.pdf
  -rw-------  1 user1 user1 7932 Mar 18 18:50 st_test03.pdf
  hostname:~ user1$ gpg -r StudioSG --multi --encrypt st_test0*
  hostname:~ user1$ ls -la
  total 72
  drwx------  3 user1 user1 4096 Mar 18 18:50 .
  drwx------ 17 root  admin 4096 Mar 18 18:37 ..
  -rw-------  1 user1 user1 7737 Mar 18 18:50 st_test01.pdf
  -rw-------  1 user1 user1 7378 Mar 18 18:50 st_test01.pdf.gpg
  -rw-------  1 user1 user1 7844 Mar 18 18:50 st_test02.pdf
  -rw-------  1 user1 user1 7487 Mar 18 18:50 st_test02.pdf.gpg
  -rw-------  1 user1 user1 7932 Mar 18 18:50 st_test03.pdf
  -rw-------  1 user1 user1 7574 Mar 18 18:50 st_test03.pdf.gpg

A file is decrypted with the --decrypt option of the gpg command. GPG will prompt the user for the passphrase and, once it is entered, will write the "clear text" content of the encrypted file to the standard output. To save a decrypted copy of the file, the --output option followed by the name of the file to save are needed:

gpg --output <decrypted file> --decrypt <encrypted file>
  hostname:~ user1$ gpg --output st_test01.pdf --decrypt st_test01.pdf.gpg
  
  You need a passphrase to unlock the secret key for
  user: "StudioSG (sg_test_03) <studiosg@giustetti.net>"
  2048-bit ELG-E key, ID 1C97007E, created 2016-03-22 (main key ID CE95C1E9)
  
  gpg: encrypted with 2048-bit ELG-E key, ID 1C97007E, created 2016-03-22
        "StudioSG (sg_test_03) <studiosg@giustetti.net>"
  hostname:~ user1$ ls -la
  total 56
  drwx------  3 user1 user1 4096 Mar 18 18:50 .
  drwx------ 17 root  admin 4096 Mar 18 18:37 ..
  -rw-------  1 user1 user1 7737 Mar 18 18:50 st_test01.pdf
  -rw-------  1 user1 user1 7378 Mar 18 18:50 st_test01.pdf.gpg
  -rw-------  1 user1 user1 7487 Mar 18 18:50 st_test02.pdf.gpg
  -rw-------  1 user1 user1 7574 Mar 18 18:50 st_test03.pdf.gpg
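
The whole workflow described in this section and in "Key Pair and Configuration" (key pair creation, key listing, encrypting to a recipient, decrypting with --output) can be exercised unattended inside a throwaway keyring, so that nothing in the real ~/.gnupg is touched. The script below is an added example, not code from the original article or from the GnuPG project. It assumes a GnuPG 2.1 or later binary on the PATH named gpg (GPGOsX and GPGTools users may set GPG=gpg2; MacGPG 1.4 does not understand the %no-protection batch directive); the recipient name and address are constructed test values.

```shell
#!/bin/sh
# Added example, not code from the original article or from GnuPG.
# Runs the article's workflow end to end in a temporary GNUPGHOME:
# generate a key pair -> list it -> encrypt to the recipient -> decrypt.
# Assumes GnuPG 2.1+ ("gpg" or, for GPGOsX/GPGTools, GPG=gpg2).

GPG=${GPG:-gpg}
RECIPIENT=roundtrip@example.invalid      # constructed test identity

# Stop the agent gpg 2.x started for the temporary home, remove the
# keyring and put GNUPGHOME back the way it was.
rt_cleanup() {
    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$rt_home"
    if [ -n "$rt_saved_home" ]; then
        GNUPGHOME=$rt_saved_home; export GNUPGHOME
    else
        unset GNUPGHOME
    fi
}

# gpg_roundtrip <plaintext file>
# Returns 0 when the file survives encrypt -> decrypt byte for byte.
gpg_roundtrip() {
    rt_plain=$1
    rt_saved_home=${GNUPGHOME:-}
    rt_home=$(mktemp -d) || return 1
    chmod 700 "$rt_home"                 # gpg warns on an unsafe home directory
    GNUPGHOME=$rt_home; export GNUPGHOME

    # Unattended key generation: the batch equivalent of answering the
    # --gen-key prompts. %no-protection creates a key WITHOUT a passphrase,
    # acceptable only for a disposable test keyring; real keys must keep the
    # passphrase the article recommends.
    "$GPG" --batch --quiet --gen-key <<EOF || { rt_cleanup; return 1; }
Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Name-Real: Roundtrip Test
Name-Email: $RECIPIENT
Expire-Date: 0
%no-protection
%commit
EOF

    # The new key must appear in the keyring (same as "gpg --list-keys").
    "$GPG" --batch --list-keys "$RECIPIENT" >/dev/null 2>&1 || { rt_cleanup; return 1; }

    # Encrypt to the recipient's public key. --output chooses the ciphertext
    # name instead of the default "<name>.gpg"; --yes allows overwriting.
    "$GPG" --batch --quiet --yes -r "$RECIPIENT" \
        --output "$rt_home/cipher.gpg" --encrypt "$rt_plain" || { rt_cleanup; return 1; }

    # Decrypt with the private key (no passphrase prompt for this test key).
    "$GPG" --batch --quiet --yes \
        --output "$rt_home/plain.out" --decrypt "$rt_home/cipher.gpg" || { rt_cleanup; return 1; }

    # The ciphertext must differ from the original and the decrypted copy
    # must be identical to it.
    if ! cmp -s "$rt_plain" "$rt_home/cipher.gpg" && cmp -s "$rt_plain" "$rt_home/plain.out"; then
        rt_status=0
    else
        rt_status=1
    fi
    rt_cleanup
    return $rt_status
}
```

Run it as `gpg_roundtrip some_file.pdf` after sourcing the script; a zero exit status means every step, including the key generation, worked with the installed GPG. Because GNUPGHOME points at a temporary directory, the agent socket, keyring and trust database are all created there and deleted afterwards.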

GPG-AGENT

Gpg-agent is a daemon that keeps the passphrases provided by the user in an internal cache and hands them to any program that later asks for one. You basically have to enter a passphrase only once and not each time a document is opened. The time saving is considerable for the staff of an office that needs to read and handle large amounts of documents every day.

The daemon must be up and running to store passwords and the environment must be properly configured in order for programs to know of the daemon existence and to query it when needed. To start gpg-agent automatically in MacOsX you have to configure a launch agent:

  • Open the terminal window.
  • Move to the launch agent root directory:
cd ~/Library/LaunchAgents
  • Create a file containing the gpg-agent configuration:
/Applications/TextEdit.app/Contents/MacOS/TextEdit org.gnupg.gpg-agent.plist
  • Populate the file with the XML formatted gpg-agent configuration:
   <?xml version="1.0" encoding="UTF-8"?>
   <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
   <plist version="1.0">
   <dict>
      <key>Label</key>
      <string>org.gnupg.gpg-agent</string>
      <key>ProgramArguments</key>
      <array>
         <string>/Users/<user name>/bin/gpg_agent_start.sh</string>
      </array>
      <key>RunAtLoad</key>
      <true/>
   </dict>
   </plist>
  • Move back to your home directory and create a sub directory named bin where to save the start script for GPG:
mkdir /Users/<user name>/bin
  • Create the start script:
/Applications/TextEdit.app/Contents/MacOS/TextEdit gpg_agent_start.sh
   #!/bin/sh
   if test -f "$HOME/.gpg-agent-info" && \
      kill -0 "$(cut -d: -f 2 "$HOME/.gpg-agent-info")" 2>/dev/null; then
      # An agent from a previous session is still alive: reuse it.
      # Sourcing the file sets GPG_AGENT_INFO to the value after "=";
      # assigning the output of "cat" would store the whole "GPG_AGENT_INFO=..." line.
      . "$HOME/.gpg-agent-info"
      export GPG_AGENT_INFO
   else
      eval "$(/usr/local/bin/gpg-agent --daemon --write-env-file "$HOME/.gpg-agent-info")"
   fi
   GPG_TTY=$(tty)
   export GPG_TTY
  • Make the file executable:
chmod 700 gpg_agent_start.sh
  • Update the terminal configuration so that all commands know about the agent. The standard terminal uses a bash shell, so the file to update is the bash configuration file:
cd
/Applications/TextEdit.app/Contents/MacOS/TextEdit .bash_profile
   export GPG_TTY=$(tty)
   if [[ -f "${HOME}/.gpg-agent-info" ]]; then
      . "${HOME}/.gpg-agent-info"
      export GPG_AGENT_INFO
   fi
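
The liveness check at the heart of the start script above (read the pid from .gpg-agent-info, see whether that process still exists, reuse the agent or start a new one) is easy to get subtly wrong, for instance when the file is stale or was edited by hand. The following is an added example, not code from the original article or from GnuPG: it isolates that logic in two functions that can be checked without starting an agent. It assumes the file format that gpg-agent --write-env-file produces, a single line of the form GPG_AGENT_INFO=<socket path>:<pid>:<protocol version>; the function names are mine.

```shell
#!/bin/sh
# Added example, not code from the original article or from GnuPG.
# Assumed file format (written by "gpg-agent --daemon --write-env-file"):
#   GPG_AGENT_INFO=/path/to/S.gpg-agent:<pid>:1

# gpg_agent_reusable <info file>
# Prints the GPG_AGENT_INFO value and returns 0 when the file names a running
# agent; returns 1 when the file is missing, malformed or the agent is gone.
gpg_agent_reusable() {
    info_file=$1
    [ -f "$info_file" ] || return 1
    info=$(sed -n 's/^GPG_AGENT_INFO=//p' "$info_file" | head -n 1)
    [ -n "$info" ] || return 1
    pid=${info#*:}                      # drop the socket path
    pid=${pid%%:*}                      # keep only the pid field
    case $pid in
        ''|*[!0-9]*) return 1 ;;        # not a number: do not trust the file
    esac
    kill -0 "$pid" 2>/dev/null || return 1   # signal 0 only tests existence
    printf '%s\n' "$info"
}

# gpg_agent_env <info file> <gpg-agent binary>
# Reuses a live agent or starts a new one, then exports what gpg needs.
# Equivalent to the article's gpg_agent_start.sh, built on the check above.
gpg_agent_env() {
    if GPG_AGENT_INFO=$(gpg_agent_reusable "$1"); then
        export GPG_AGENT_INFO
    else
        eval "$("$2" --daemon --write-env-file "$1")"
    fi
    GPG_TTY=$(tty)
    export GPG_TTY
}
```

A typical call is `gpg_agent_env "$HOME/.gpg-agent-info" /usr/local/bin/gpg-agent`. Note that GnuPG 2.1 and later ignore GPG_AGENT_INFO altogether and start the agent on demand, so this machinery is only needed with the 2.0 branch shipped by GPGTools.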

The configuration parameters for gpg-agent reside in the /Users/<user name>/.gnupg/gpg-agent.conf file. Some are worth mentioning, among them default-cache-ttl, which sets how long a passphrase is kept in the cache. When the period expires the entry is removed and the user is prompted for the passphrase again the next time it is needed. The standard lifetime of a passphrase is 600 seconds, or 10 minutes. To increase the period to 1 hour change the line:

  default-cache-ttl 600

to

  default-cache-ttl 3600

then restart the gpg-agent daemon.
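
Editing gpg-agent.conf by hand works, but it is easy to end up with the option listed twice, and only one of the copies takes effect. The functions below are an added example, not code from the original article or from GnuPG: they change one option idempotently (replace every existing line for it, or append one) and read a value back, using the file's own "option value" line format. The option names are real gpg-agent options; the function names and the sample file are mine.

```shell
#!/bin/sh
# Added example, not code from the original article or from GnuPG.
# gpg-agent.conf is a plain "option [value]" file; "#" starts a comment.

# set_agent_option <conf file> <option> <value>
# Rewrites every existing "<option> ..." line to the new value (keeping only
# one copy) or appends the line when the option is absent. Creates the file.
set_agent_option() {
    conf=$1; opt=$2; val=$3
    [ -f "$conf" ] || : > "$conf"
    tmp=$(mktemp) || return 1
    awk -v opt="$opt" -v val="$val" '
        $1 == opt { if (!done) { print opt " " val; done = 1 }; next }
        { print }
        END { if (!done) print opt " " val }
    ' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# get_agent_option <conf file> <option>
# Prints the value of the first uncommented "<option> <value>" line.
get_agent_option() {
    awk -v opt="$2" '$1 == opt { print $2; exit }' "$1"
}

# Example: raise the passphrase lifetime from the default 600 s to one hour.
# (Uncomment to run against your own file.)
# set_agent_option "$HOME/.gnupg/gpg-agent.conf" default-cache-ttl 3600
```

After the change tell the running agent about it: with GnuPG 2.1 and later `gpgconf --reload gpg-agent` is enough, with 2.0 kill and restart the daemon as the article says. Two caveats a practitioner should keep in mind: default-cache-ttl is reset every time the cached passphrase is used, and max-cache-ttl (7200 seconds by default) caps the total lifetime regardless, so raising default-cache-ttl above that value has no effect unless max-cache-ttl is raised too.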

Users of the OsX 10.4 release or earlier cannot use the gpg-agent service as it was introduced in release 2.0 of GPG.


Conclusions

This article provides a brief description of the MacOsX versions of GNU Privacy Guard, covering the installation and the basic operation of the program. For more information you are encouraged to read the manual and the many articles available on the net and on this website. If you are interested in our offerings or simply looking for more information, please refer to our contacts page. Thank you.


To contact me or leave me your feedback, please e-mail studiosg [at] giustetti [dot] net.

