Website
Switch language
# Show the current locale settings
locale
# Chinese
# sudo apt update
# sudo apt install -y locales language-pack-zh-hans
# sudo locale-gen zh_CN.UTF-8
# sudo update-locale LANG=zh_CN.UTF-8
LANG=zh_CN.UTF-8
# English
LANG=C
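Generate a new key pair
# Generate a new key pair
gpg --generate-key
# Quickly generate a new key pair
gpg --quick-generate-key
Full-featured key pair generation
# Full-featured key pair generation
gpg --full-generate-key
# Example (Chinese locale)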
root@xuxiaowei:~# gpg --full-generate-key
gpg (GnuPG) 2.4.7; Copyright (C) 2024 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
请选择您要使用的密钥类型:
(1) RSA 和 RSA
(2) DSA 和 Elgamal
(3) DSA(仅用于签名)
(4) RSA(仅用于签名)
(9) ECC(签名和加密) *默认*
(10) ECC(仅用于签名)
(14)卡中现有密钥
您的选择是?
请选择您想要使用的椭圆曲线:
(1) Curve 25519 *默认*
(4) NIST P-384
(6) Brainpool P-256
您的选择是?
请设定这个密钥的有效期限。
0 = 密钥永不过期
<n> = 密钥在 n 天后过期
<n>w = 密钥在 n 周后过期
<n>m = 密钥在 n 月后过期
<n>y = 密钥在 n 年后过期
密钥的有效期限是?(0) 730
密钥于 2027年11月08日 星期一 00时06分04秒 CST 过期
这些内容正确吗? (y/N) y
GnuPG 需要构建用户标识以辨认您的密钥。
真实姓名: 徐晓伟
电子邮件地址: xuxiaowei@xuxiaowei.com.cn
注释: 仅用于发布jar包时签名
您正在使用‘utf-8’字符集。
您选定了此用户标识:
“徐晓伟 (仅用于发布jar包时签名) <xuxiaowei@xuxiaowei.com.cn>”
更改姓名(N)、注释(C)、电子邮件地址(E)或确定(O)/退出(Q)? O
我们需要生成大量的随机字节。在质数生成期间做些其他操作(敲打键盘
、移动鼠标、读写硬盘之类的)将会是一个不错的主意;这会让随机数
发生器有更好的机会获得足够的熵。
我们需要生成大量的随机字节。在质数生成期间做些其他操作(敲打键盘
、移动鼠标、读写硬盘之类的)将会是一个不错的主意;这会让随机数
发生器有更好的机会获得足够的熵。
gpg: 目录‘/root/.gnupg/openpgp-revocs.d’已创建
gpg: 吊销证书已被存储为‘/root/.gnupg/openpgp-revocs.d/B61645D1F1C1B1938E084ECC159AED3074FAD4FA.rev’
公钥和私钥已经生成并被签名。
pub ed25519 2025-11-07 [SC] [有效至:2027-11-07]
B61645D1F1C1B1938E084ECC159AED3074FAD4FA
uid 徐晓伟 (仅用于发布jar包时签名) <xuxiaowei@xuxiaowei.com.cn>
sub cv25519 2025-11-07 [E] [有效至:2027-11-07]
root@xuxiaowei:~#
# Example (English locale)
root@xuxiaowei:~# gpg --full-generate-key
gpg (GnuPG) 2.4.7; Copyright (C) 2024 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Please select what kind of key you want:
(1) RSA and RSA
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
(9) ECC (sign and encrypt) *default*
(10) ECC (sign only)
(14) Existing key from card
Your selection?
Please select which elliptic curve you want:
(1) Curve 25519 *default*
(4) NIST P-384
(6) Brainpool P-256
Your selection?
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 730
Key expires at Mon Nov 8 00:10:22 2027 CST
Is this correct? (y/N) y
GnuPG needs to construct a user ID to identify your key.
Real name: 徐晓伟
Email address: xuxiaowei@xuxiaowei.com.cn
Comment: 仅用于发布jar包时签名
You are using the 'iso-8859-1' character set.
You selected this USER-ID:
"徐晓伟 (仅用于发布jar包时签名) <xuxiaowei@xuxiaowei.com.cn>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: directory '/root/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/root/.gnupg/openpgp-revocs.d/18688B8352F4DBD0CD4C86F635A4C7C6E30A55D6.rev'
public and secret key created and signed.
pub ed25519 2025-11-07 [SC] [expires: 2027-11-07]
18688B8352F4DBD0CD4C86F635A4C7C6E30A55D6
uid 徐晓伟 (仅用于发布jar包时签名) <xuxiaowei@xuxiaowei.com.cn>
sub cv25519 2025-11-07 [E] [expires: 2027-11-07]
root@xuxiaowei:~#
List keys
# List keys
gpg --list-keys
# Example
root@xuxiaowei:~# gpg --list-keys
/root/.gnupg/pubring.kbx
------------------------
pub ed25519 2025-11-07 [SC] [expires: 2027-11-07]
18688B8352F4DBD0CD4C86F635A4C7C6E30A55D6
uid [ultimate] 徐晓伟 (仅用于发布jar包时签名) <xuxiaowei@xuxiaowei.com.cn>
sub cv25519 2025-11-07 [E] [expires: 2027-11-07]
root@xuxiaowei:~#
# When they do not exist yet, the key files (directory) are created: Chinese
root@xuxiaowei:~# gpg --list-keys
gpg: 目录‘/root/.gnupg’已创建
gpg: 钥匙箱‘/root/.gnupg/pubring.kbx’已创建
gpg: /root/.gnupg/trustdb.gpg:建立了信任度数据库
root@xuxiaowei:~#
# When they do not exist yet, the key files (directory) are created: English
root@xuxiaowei:~# gpg --list-keys
gpg: directory '/root/.gnupg' created
gpg: keybox '/root/.gnupg/pubring.kbx' created
gpg: /root/.gnupg/trustdb.gpg: trustdb created
root@xuxiaowei:~#
List public keys
gpg --list-public-keys
List private keys
gpg --list-secret-keys
Export the public key
# Export the public key
# 18688B8352F4DBD0CD4C86F635A4C7C6E30A55D6 is the key ID
gpg --armor --export 18688B8352F4DBD0CD4C86F635A4C7C6E30A55D6
# Public key export example
# 18688B8352F4DBD0CD4C86F635A4C7C6E30A55D6 is the key ID
root@xuxiaowei:~# gpg --armor --export 18688B8352F4DBD0CD4C86F635A4C7C6E30A55D6
-----BEGIN PGP PUBLIC KEY BLOCK-----
-----END PGP PUBLIC KEY BLOCK-----
root@xuxiaowei:~#
# Export the public key: write the output to a file
# 18688B8352F4DBD0CD4C86F635A4C7C6E30A55D6 is the key ID
gpg --armor --export 18688B8352F4DBD0CD4C86F635A4C7C6E30A55D6 > public-key.asc
Export the private key
# Export the private key
# 18688B8352F4DBD0CD4C86F635A4C7C6E30A55D6 is the key ID
gpg --armor --export-secret-keys 18688B8352F4DBD0CD4C86F635A4C7C6E30A55D6
# Private key export example
# 18688B8352F4DBD0CD4C86F635A4C7C6E30A55D6 is the key ID
root@xuxiaowei:~# gpg --armor --export-secret-keys 18688B8352F4DBD0CD4C86F635A4C7C6E30A55D6
-----BEGIN PGP PRIVATE KEY BLOCK-----
-----END PGP PRIVATE KEY BLOCK-----
root@xuxiaowei:~#
# Export the private key: write the output to a file
# 18688B8352F4DBD0CD4C86F635A4C7C6E30A55D6 is the key ID
gpg --armor --export-secret-keys 18688B8352F4DBD0CD4C86F635A4C7C6E30A55D6 > private-key.asc
View a key file only (without importing)
# View the private key file
# xxx.asc is the file name (path) of the key
gpg --dry-run --import --import-options show-only xxx.asc
Import the private key
# Import the private key file
# xxx.asc is the file name (path) of the key
gpg --import xxx.asc
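Added example, not part of the original page: a check to run on the show-only listing before `gpg --import`, comparing the file's primary fingerprint with one obtained out of band and rejecting files that carry secret key material or an expired key. `vet_key_listing` and `sample_public_listing` are hypothetical helper names; the sample listing is constructed (timestamps, uid and subkey values are placeholders), and only the primary fingerprint is taken from the page.

```shell
#!/bin/sh
# Real use (the page's show-only command plus --with-colons):
#   gpg --with-colons --import-options show-only --import xxx.asc \
#     | vet_key_listing "$EXPECTED_FPR" "$(date +%s)"
# Exit status: 0 ok, 1 fingerprint mismatch, 2 secret key material present,
#              3 expired, 4 not exactly one primary key in the file.
vet_key_listing() {
    awk -F: -v want="$1" -v now="$2" '
        # sec/ssb records mean the file contains private key material.
        $1 == "sec" || $1 == "ssb" { secret = 1 }
        # Primary key record: field 7 is the expiry in epoch seconds
        # (empty means the key never expires).
        $1 == "pub" || $1 == "sec" { keys++; expiry = $7; need_fpr = 1; next }
        # Subkey records end the primary key section.
        $1 == "sub" || $1 == "ssb" { need_fpr = 0 }
        # First fpr record after the primary record: fingerprint in field 10.
        $1 == "fpr" && need_fpr    { fpr = $10; need_fpr = 0 }
        END {
            if (keys != 1 || fpr == "")        { print "not-one-key"; exit 4 }
            if (toupper(fpr) != toupper(want)) { print "fingerprint-mismatch"; exit 1 }
            if (secret)                        { print "secret-key-material"; exit 2 }
            if (expiry != "" && expiry + 0 <= now + 0) { print "expired"; exit 3 }
            print "ok"
        }'
}

# Constructed colon listing for a public key file (placeholder values
# except the primary fingerprint, which is the one shown on the page).
sample_public_listing() {
    cat <<'EOF'
pub:-:255:22:35A4C7C6E30A55D6:1762531822:1825603822::-:::scSC:::::ed25519:::0:
fpr:::::::::18688B8352F4DBD0CD4C86F635A4C7C6E30A55D6:
uid:-::::1762531822::0000000000000000000000000000000000000000::constructed uid::::::::::0:
sub:-:255:18:AAAAAAAAAAAAAAAA:1762531822:1825603822:::::e:::::cv25519::
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:
EOF
}
```

Run the same check on public-key.asc before publishing it: status 2 means the file holds the private key export rather than the public one.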
Delete a key from the public keyring
# 18688B8352F4DBD0CD4C86F635A4C7C6E30A55D6 is the key ID
gpg --delete-keys 18688B8352F4DBD0CD4C86F635A4C7C6E30A55D6
Delete a key from the secret keyring
# 18688B8352F4DBD0CD4C86F635A4C7C6E30A55D6 is the key ID
gpg --delete-secret-keys 18688B8352F4DBD0CD4C86F635A4C7C6E30A55D6
Help
# Chinese
root@xuxiaowei:~# gpg -h
gpg (GnuPG) 2.4.7
libgcrypt 1.11.0
Copyright (C) 2024 g10 Code GmbH
License GNU GPL-3.0-or-later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Home: /root/.gnupg
支持的算法:
公钥: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
密文: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
CAMELLIA128, CAMELLIA192, CAMELLIA256
散列: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
压缩: 不压缩, ZIP, ZLIB, BZIP2
语法:gpg [选项] [文件]
签名、检查、加密或解密
默认的操作依输入数据而定
命令:
-s, --sign 生成一份签名
--clear-sign 生成一份明文签名
-b, --detach-sign 生成一份分离的签名
-e, --encrypt 加密数据
-c, --symmetric 仅使用对称密文加密
-d, --decrypt 解密数据(默认)
--verify 验证签名
-k, --list-keys 列出密钥
--list-signatures 列出密钥和签名
--check-signatures 列出并检查密钥签名
--fingerprint 列出密钥和指纹
-K, --list-secret-keys 列出私钥
--generate-key 生成一个新的密钥对
--quick-generate-key 快速生成一个新的密钥对
--quick-add-uid 快速添加一个新的用户标识
--quick-revoke-uid 快速吊销一个用户标识
--quick-set-expire 快速设置一个过期日期
--full-generate-key 完整功能的密钥对生成
--generate-revocation 生成一份吊销证书
--delete-keys 从公钥钥匙环里删除密钥
--delete-secret-keys 从私钥钥匙环里删除密钥
--quick-sign-key 快速签名一个密钥
--quick-lsign-key 快速本地签名一个密钥
--quick-revoke-sig 快速吊销一个密钥签名
--sign-key 签名一个密钥
--lsign-key 本地签名一个密钥
--edit-key 签名或编辑一个密钥
--change-passphrase 更改密码
--export 导出密钥
--send-keys 将密钥导出到一个公钥服务器上
--receive-keys 从公钥服务器上导入密钥
--search-keys 在公钥服务器上搜索密钥
--refresh-keys 从公钥服务器更新所有密钥
--import 导入/合并密钥
--card-status 打印卡片状态
--edit-card 更改卡片上的数据
--change-pin 更改卡片的 PIN
--update-trustdb 更新信任数据库
--print-md 打印消息摘要
--server 以服务器模式运行
--tofu-policy VALUE 设置一个密钥的 TOFU 政策
控制诊断输出的选项:
-v, --verbose 详细模式
-q, --quiet 尽量减少提示信息
--options FILE 从 FILE 中读取选项
--log-file FILE 将服务器模式的日志写入到 FILE
控制配置的选项:
--default-key NAME 使用 NAME 作为默认的私钥
--encrypt-to NAME 同时给以 NAME 为名称的用户标识加密
--group SPEC 设置电子邮件别名
--openpgp 使用严格的 OpenPGP 行为
-n, --dry-run 不做任何更改
-i, --interactive 覆盖前提示
控制输出的选项:
-a, --armor 创建 ASCII 字符封装的输出
-o, --output FILE 写输出到 FILE
-z N 设置压缩等级为 N (0 为禁用)
控制密钥导入导出的选项:
--auto-key-locate MECHANISMS 通过邮件地址定位密钥时使用机制 MECHANISMS
--auto-key-import 从签名中导入缺少的密钥
--include-key-block 在签名中包含公钥
--disable-dirmngr 禁用对 dirmngr 的所有访问
指定密钥的选项:
-r, --recipient USER-ID 为 USER-ID 加密
-u, --local-user USER-ID 使用 USER-ID 来签名或者解密
(请参考手册页以获得所有命令和选项的完整列表)
例子:
-se -r Bob [文件] 为用户 Bob 签名和加密
--clear-sign [文件] 创建一个明文签名
--detach-sign [文件] 创建一个分离签名
--list-keys [名字] 列出密钥
--fingerprint [名字] 显示指纹
请向 <https://bugs.gnupg.org> 报告程序缺陷。
请向 <i18n-zh@googlegroups.com> 邮件列表反映简体中文的翻译问题或建议。
root@xuxiaowei:~#
# English
root@xuxiaowei:~# gpg -h
gpg (GnuPG) 2.4.7
libgcrypt 1.11.0
Copyright (C) 2024 g10 Code GmbH
License GNU GPL-3.0-or-later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Home: /root/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
Syntax: gpg [options] [files]
Sign, check, encrypt or decrypt
Default operation depends on the input data
Commands:
-s, --sign make a signature
--clear-sign make a clear text signature
-b, --detach-sign make a detached signature
-e, --encrypt encrypt data
-c, --symmetric encryption only with symmetric cipher
-d, --decrypt decrypt data (default)
--verify verify a signature
-k, --list-keys list keys
--list-signatures list keys and signatures
--check-signatures list and check key signatures
--fingerprint list keys and fingerprints
-K, --list-secret-keys list secret keys
--generate-key generate a new key pair
--quick-generate-key quickly generate a new key pair
--quick-add-uid quickly add a new user-id
--quick-revoke-uid quickly revoke a user-id
--quick-set-expire quickly set a new expiration date
--full-generate-key full featured key pair generation
--generate-revocation generate a revocation certificate
--delete-keys remove keys from the public keyring
--delete-secret-keys remove keys from the secret keyring
--quick-sign-key quickly sign a key
--quick-lsign-key quickly sign a key locally
--quick-revoke-sig quickly revoke a key signature
--sign-key sign a key
--lsign-key sign a key locally
--edit-key sign or edit a key
--change-passphrase change a passphrase
--export export keys
--send-keys export keys to a keyserver
--receive-keys import keys from a keyserver
--search-keys search for keys on a keyserver
--refresh-keys update all keys from a keyserver
--import import/merge keys
--card-status print the card status
--edit-card change data on a card
--change-pin change a card's PIN
--update-trustdb update the trust database
--print-md print message digests
--server run in server mode
--tofu-policy VALUE set the TOFU policy for a key
Options controlling the diagnostic output:
-v, --verbose verbose
-q, --quiet be somewhat more quiet
--options FILE read options from FILE
--log-file FILE write server mode logs to FILE
Options controlling the configuration:
--default-key NAME use NAME as default secret key
--encrypt-to NAME encrypt to user ID NAME as well
--group SPEC set up email aliases
--openpgp use strict OpenPGP behavior
-n, --dry-run do not make any changes
-i, --interactive prompt before overwriting
Options controlling the output:
-a, --armor create ascii armored output
-o, --output FILE write output to FILE
-z N set compress level to N (0 disables)
Options controlling key import and export:
--auto-key-locate MECHANISMS use MECHANISMS to locate keys by mail address
--auto-key-import import missing key from a signature
--include-key-block include the public key in signatures
--disable-dirmngr disable all access to the dirmngr
Options to specify keys:
-r, --recipient USER-ID encrypt for USER-ID
-u, --local-user USER-ID use USER-ID to sign or decrypt
(See the man page for a complete listing of all commands and options)
Examples:
-se -r Bob [file] sign and encrypt for user Bob
--clear-sign [file] make a clear text signature
--detach-sign [file] make a detached signature
--list-keys [names] show keys
--fingerprint [names] show fingerprints
Please report bugs to <https://bugs.gnupg.org>.
root@xuxiaowei:~#