From 02a06ef2b5d1e109344314e9b8be969cecb0fb73 Mon Sep 17 00:00:00 2001
From: Al Bowles
Date: Mon, 13 Jun 2022 17:42:04 -0500
Subject: [PATCH] feat: GPG keypair generation and signing documentation

---
 .pages | 1 +
 dev_guides/.pages | 4 +
 dev_guides/commit_signing.md | 99 +++++++++++++++++++
 .../wiki_development_boxes.md | 0
 4 files changed, 104 insertions(+)
 create mode 100644 dev_guides/.pages
 create mode 100644 dev_guides/commit_signing.md
 rename wiki_development_boxes.md => dev_guides/wiki_development_boxes.md (100%)

diff --git a/.pages b/.pages
index 5e36c63..8a0ca5f 100644
--- a/.pages
+++ b/.pages
@@ -3,3 +3,4 @@ nav:
 - Testing Team: index.md
 - QA:Test Cases: qa_test_cases.md
 - Release Criteria & Status: release_criteria
+ - Wiki Development Guides: dev_guides
diff --git a/dev_guides/.pages b/dev_guides/.pages
new file mode 100644
index 0000000..52fe553
--- /dev/null
+++ b/dev_guides/.pages
@@ -0,0 +1,4 @@
+---
+nav:
+ - Development Box Setup: development_boxes.md
+ - Git Commit Signing: commit_signing.md
diff --git a/dev_guides/commit_signing.md b/dev_guides/commit_signing.md
new file mode 100644
index 0000000..eef8be8
--- /dev/null
+++ b/dev_guides/commit_signing.md
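Review bot: The nav entry `- Development Box Setup: development_boxes.md` in dev_guides/.pages points at a file this commit does not create; the diffstat and the final rename hunk move `wiki_development_boxes.md` to `dev_guides/wiki_development_boxes.md`, so unless a `development_boxes.md` already exists under dev_guides the entry will not resolve and the page is dropped from (or breaks) the nav, presumably an mkdocs awesome-pages one. Change the line to ` - Development Box Setup: wiki_development_boxes.md`, or rename the file to `development_boxes.md` in the same commit so the two agree.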
@@ -0,0 +1,99 @@
+---
+title: Signing Commits with GPG
+author: Al Bowles
+revision_date: 2022-06-13
+rc:
+ prod: Rocky Linux
+ ver: 8
+ level: Final
+---
+# Creating your primary keypair
+Create a new gpg keypair, ideally set to expire in <= 1y
+
+ gpg --full-generate-key --expert
+
+Select eddsa [ECC] and set a validity period
+Specify real name and email address to associate with this keypair
+Type a passphrase
+
+# Create a signing keypair
+Add a signing subkey
+
+ gpg --edit-key my@email.addr
+ gpg> addkey
+ [ passphrase ]
+
+Select [ECC] (sign / authenticate / encrypt?) for kind of key, 4096 bits, valid for 180d
+
+ gpg> save
+
+Create revocation certificate
+
+ gpg --output \.gpg-revocation-certificate --gen-revoke my@email.addr
+
+# Back up your keypair
+Export the *primary keypair* (put these somewhere very safe along with revocation certificate)
+
+ gpg --export-secret-keys --armor my@email.addr > \.private.gpg-key
+ gpg --export --armor my@email.addr > \.public.gpg-key
+
+# Remove the *primary keypair* from your keyring
+Export all subkeys from the new keypair to a file - use ramfs instead of tmpfs/ or /dev/shm/ because ramfs doesn't write to swap
+
+ mkdir /tmp/gpg
+ sudo mount -t ramfs -o size=1M ramfs /tmp/gpg
+ sudo chown $(logname):$(logname) /tmp/gpg
+ gpg --export-secret-subkeys my@email.addr > /tmp/gpg/subkeys
+
+Delete original signing subkey from keypair in our keyring
+
+ gpg --delete-secret-key my@email.addr
+
+Re-import the previously exported keys
+
+ gpg --import /tmp/gpg/subkeys
+ sudo umount /tmp/gpg
+ rmdir /tmp/gpg
+
+Look for `sec#` instead of `sec` in the output - pound sign means signing subkey is *not* in the keypair located in the keyring
+ gpg --list-secret-keys $HOME/.gnupg/secring.gpg
+
+# Revoking a *signing keypair*
+Find the *primary keypair* and import it (preferably into an ephemeral system like a liveUSB)
+
+ gpg --import /path/to/\.public.gpg-key /path/to/\.private.gpg-key
+ gpg --edit-key my@email.addr
+ gpg> revkey
+ [
passphrase twice ]
+ gpg> save
+
+
+# Renew an expired or expiring keypair
+
+ gpg --edit-key my@email.addr
+ [select a key]
+ gpg> expire
+ [specify an expiration]
+ gpg> save
+
+# Create a single signed git commit
+
+ git commit -S -m "my awesome signed commit"
+
+# Configure git to always sign commits with a specified key
+
+ $ gpg --list-secret-keys --keyid-format=long # grab the fingerprint from the 'sec' line
+ git config [--global] commit.gpgsign true
+ git config [--global] user.signingkey DEADB33FBAD1D3A
+
+# Configure VSCode to sign commits
+
+ # User or workspace setting
+ "git.enableCommitSigning": true
+
+# References
+[OpenPGP Best Practices](https://riseup.net/en/security/message-security/openpgp/best-practices#key-configuration)
+[Github: Signing Commits](https://docs.github.com/en/enterprise-server@3.5/authentication/managing-commit-signature-verification/signing-commits)
+[Braincoke's Log: Create a GPG Key](https://blog.braincoke.fr/security/create-a-gpg-key/)
+[Creating the Perfect GPG Keypair](https://alexcabal.com/creating-the-perfect-gpg-keypair)
+[Digital Neanderthal: Generate GPG Keys With Curve Ed25519](https://www.digitalneanderthal.com/post/gpg/)
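Review bot: The verification step `gpg --list-secret-keys $HOME/.gnupg/secring.gpg` will not show what the surrounding text promises: GnuPG 2.1 and later (which is what the Rocky Linux 8 target named in the front matter ships, as far as I recall) keeps private keys in `private-keys-v1.d/` and has no `secring.gpg`, so the path is treated as a search pattern that matches nothing and the reader never sees the `sec#` marker that is supposed to prove the primary key has left the keyring. Replace it with `gpg --list-secret-keys --keyid-format=long` (with a blank line before it so it renders as a code block) and keep the instruction to look for `sec#`. In the git-config section, `--keyid-format=long` prints a 16-hex key ID rather than a fingerprint and `user.signingkey DEADB33FBAD1D3A` is only 15 hex digits; because short and long key IDs are collision-prone, tell readers to take the full 40-hex fingerprint from `gpg --list-secret-keys --with-subkey-fingerprints` (suffixed with `!` to pin the signing subkey) and use that as `user.signingkey`. The backup section also writes the primary secret key to `\.private.gpg-key` in the current directory on persistent storage, which undoes the ramfs precaution taken two sections later; direct that export to the ramfs mount or the offline medium itself and say to securely delete any working copy. Finally, `4096 bits` in the subkey step does not apply to an ECC subkey and should be dropped or replaced by the curve choice.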
diff --git a/wiki_development_boxes.md b/dev_guides/wiki_development_boxes.md
similarity index 100%
rename from wiki_development_boxes.md
rename to dev_guides/wiki_development_boxes.md