[Publish AAR to Maven] Use GPG to sign and encrypt files

Tags gnupg asymmetric encryption

This article is part of the series "Using Gradle to publish an AAR to a Maven repository". Because of the number of things involved, the document is still in the drafting ...

========================================================
Qiujuer
Blog: Blog.csdn.net/qiujuer
Website: www.qiujuer.net
Open Source Library: github.com/qiujuer/genius-android
Reprint Please specify source: http://blog.csdn.net/qiujuer/article/details/44173611
-- Learn from open source, work for open source, keep a beginner's mentality; encouragement shared with you!

========================================================

In some situations we need to encrypt our own applications or files; email is the most typical example. There are many tools for signing and encryption; in this article we use GPG.

What is GPG? To explain that we would have to start from PGP, and PGP uses the RSA encryption algorithm, so a full explanation would take more than a few articles; look PGP up on Baidu instead. Or it is enough to know that this is a cryptographic signing tool.

Download software

A note first: the GPG software for Windows is not the same as the one for the Mac. If Cygwin is installed on your computer, the encryption and signing software comes with it automatically, but it is operated from the command line. Since I started using Android Studio I no longer use Cygwin to compile the NDK, so I removed it. Here I demonstrate the graphical interface; if I get the chance I will add the command-line operations. I'm sorry.

    • Mac: https://gpgtools.org/
    • Windows: http://www.gpg4win.org/

What I am going to demonstrate here is the Gpg4win software.

Installation

Once the download completes, install it. There is nothing special to say about the installation; just click Next until it finishes.

Run

Here we run the program that was installed: Kleopatra. Wait, what happened to GPG?

What runs here is the GPG manager. The core of Gpg4win is GPG, but it also includes five related tools: Kleopatra, GPA, GpgOL, GpgEX and Claws Mail. Kleopatra and GPA are GPG key managers for generating, importing and exporting GPG keys (both public and private keys); we generally use these two. GpgOL is a GPG plug-in for Outlook 2003 and 2007, GpgEX is a GPG plug-in for Windows Explorer (not supported on 64-bit Windows), and Claws Mail is a mail client with built-in GPG support. The mail client is optional: during installation you are asked whether you want to install it.

    1. Click "File", then "New Certificate" to run the Certificate Creation Wizard.
    2. The certificate type page offers two options: the first is an OpenPGP key pair, and the second is an X.509 key pair and certificate. Select the first one and go to the next step.
    3. Enter your name (an English name is best), your email address, and an optional comment; the comment can be left empty.
    4. Click the Advanced Settings button to set the key algorithm, key strength and key usage. Keep the default "RSA" as the key algorithm. For stronger security you can select 4096 bits as the key strength. The key usage settings below it offer three options: Signing, Encryption and Authentication; keep the defaults. The final Valid until option lets you set the key's expiry time. When done, click Next.
    5. Finally, confirm the settings for the key pair.
    6. Click the Create Key button and enter a passphrase. The passphrase is what you must enter before the private key can be used; it is longer than a normal password and can contain spaces.
      After entering the passphrase, you can also type into the text box in the main window to help the computer create a more secure key. What you type does not matter; type at random, since the computer only uses the intervals between keystrokes to compute random numbers.
    7. You will be asked to confirm the passphrase, then return to the main window and type at random again; after a short wait the following screen appears.
    8. Finally, Kleopatra reports that the key pair was created and offers three options: back up the key pair, send the public key by email, and upload the public key to a server. After that comes Finish.

What we need here is to upload the public key to the server. Why? When we publish the AAR to the remote repository, it is signed with the private key and then uploaded to the repository. The repository management server then verifies it according to your configuration, which requires the public key you uploaded; if the public key has not been uploaded, publishing the AAR fails.

    1. On the first click you will see a dialog saying that no remote server is configured and asking whether you want to set one. If you do not, the default is used. Normally there is no need to set one; if the repository hosting your artifacts requires a particular server, you must set it, but the repository in this tutorial has no such requirement. Click Continue.

    2. Next you will see a warning: once a key is uploaded to the server it is almost impossible to withdraw, so confirm that you will not need to undo it. Click Continue, and Kleopatra connects to the server and uploads the key. After a short wait it reports success or failure; a failure does not matter, you can upload again. It is also possible that you will need to get past the firewall to reach the server; this is xxx.

Backup and restore

After creating a key pair (public key + private key), the question of saving and importing it naturally arises.

    1. Go back to the main window and right-click the key you created; you will see the following context menu.

    2. The last few items of the menu are:

      • Export Certificates: exports the public key.
      • Export Secret Keys: exports the private key.
      • Export Certificates to Server: uploads the public key to a server. Other users can search for the public key on the public server where it is stored and import it; the default public key server is keys.gnupg.net.
    3. The operations are simple: choose a directory and export. If the earlier upload to the server did not succeed, you can also upload again from here.

Return

That is basically all that is needed here: for signing an AAR, the signing work can be handed over entirely to Gradle. You only need to provide the private key ID, the private key passphrase and the private key location:

    • How do you find the ID of the private key?
    • The passphrase is the one you set earlier.
    • The key location is up to you: you can export the private key (*.gpg) with the export operation described above, or you can use the GPG default directory, which is easy to find:
C:\Users\(YourName)\AppData\Roaming\gnupg
    • There you will find a file called "secring.gpg", which stores all your private keys; the key ID and the passphrase are used to operate on it.

That is basically it; you can go back to the article on publishing the AAR. If you are not using Gradle for this and want to use the GPG software to encrypt, see the next section.

Encryption and decryption

There are three ways to start the encryption wizard: select Sign/Encrypt Files from the File menu in the Kleopatra main window; drag the file or folder you want to encrypt into the Kleopatra main window and choose Sign/Encrypt in the pop-up menu; or right-click the file or folder you want to encrypt and choose Sign and Encrypt in its context menu.

    1. Here I encrypt a text file. There are three choices: encrypt and sign, encrypt only, and sign only. The last option, deleting the source file once the operation completes, is optional.

    2. Select the key pair you want to use.

    3. Clicking Encrypt writes out the encrypted file.

      If you choose someone else's public key, Kleopatra shows a dialog warning that you will not be able to decrypt the file yourself after encrypting it; click Continue to confirm, and when encryption finishes click Finish. The .gpg file is generated in the same folder as the source file, and you can now send it to the owner of the public key.

    4. Here is what the encrypted file looks like when I open it (the source file's content was: Encrypted text).

    5. When someone else receives the file, they decrypt it with their private key. There are again three ways to start decryption, similar to the ones for encryption, so I will not describe them again. The operation is named Decrypt/Verify.

    6. You will be asked for the passphrase, which is the password protecting the private key. Once it is entered correctly, decryption succeeds. Now check whether your file is the same as the original.

Note that after you have entered the passphrase once, you will not be prompted for it again, so such operations are usually done promptly.

Summary

Compared with other cryptographic tools, GnuPG uses asymmetric encryption, which makes it better suited to transferring confidential information. Besides encrypting and decrypting, GPG can also sign and verify files, which is very powerful.

In the AAR release, GPG is used not to encrypt but to sign: we produce a signature file and publish it to the server, and the server verifies the source files against the signature files to determine whether a file was damaged during network transmission.
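
The signing and verification described above, and the key ID that Gradle asks for, shown with the gpg command line as an added example that is not part of the original article. It assumes GnuPG 2.1 or later and works in a temporary keyring with a throwaway key; demo.aar and demo@example.invalid are constructed names.

```shell
#!/bin/sh
# Added example; constructed names throughout (demo.aar, demo@example.invalid).

# Isolated keyring holding a throwaway, passphrase-less RSA signing key.
setup_demo_key() {
    DEMO_DIR=$(mktemp -d) || return 1
    export GNUPGHOME="$DEMO_DIR/gnupg"      # never touches your real keyring
    mkdir -m 700 "$GNUPGHOME" || return 1
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Demo Signer <demo@example.invalid>' \
        rsa2048 sign 1d 2>/dev/null
}

# Short key ID: the last 8 hex digits of the key fingerprint. This is the
# form Gradle's signing plugin takes as signing.keyId.
short_key_id() {
    gpg --batch --list-secret-keys --with-colons 2>/dev/null |
        awk -F: '$1 == "fpr" { print substr($10, length($10) - 7); exit }'
}

# Detached, ASCII-armored signature written to FILE.asc. FILE itself stays
# unchanged and readable: this is signing, not encryption.
sign_artifact() {
    gpg --batch --yes --quiet --pinentry-mode loopback --passphrase '' \
        --armor --detach-sign "$1" 2>/dev/null
}

# Exit status 0 only if FILE.asc is a valid signature over FILE's exact bytes.
verify_artifact() {
    gpg --batch --quiet --verify "$1.asc" "$1" 2>/dev/null
}

sign_verify_demo() {
    setup_demo_key || { echo "key generation failed"; return 1; }
    f="$DEMO_DIR/demo.aar"
    printf 'constructed artifact bytes\n' > "$f"
    sign_artifact "$f" || return 1
    verify_artifact "$f" && echo "original: valid"
    printf 'one extra line\n' >> "$f"       # simulate damage in transit
    verify_artifact "$f" || echo "modified: rejected"
    echo "short key ID: $(short_key_id)"
    gpgconf --kill gpg-agent 2>/dev/null    # stop the demo keyring's agent
    rm -rf "$DEMO_DIR"
}

sign_verify_demo
```

With GnuPG 2.1 or later there is no secring.gpg in the home directory by default; `gpg --export-secret-keys -o secring.gpg` writes one in that format.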

5.5 hours, from re-downloading the software to editing and adjusting ....
