1
0
forked from testing/wiki
wiki/dev_guides/commit_signing.md

3.2 KiB

title author revision_date rc
Signing Commits with GPG Al Bowles 2022-06-13
prod ver level
Rocky Linux 8 Final

Creating your primary keypair

Create a new gpg keypair, ideally set to expire in <= 1y

gpg --full-generate-key --expert

Select eddsa [ECC] and set a validity period Specify real name and email address to associate with this keypair Type a passphrase

Create a signing keypair

Add a signing subkey

gpg --edit-key my@email.addr
gpg> addkey
[ passphrase ]

Select [ECC] (sign / authenticate / encrypt?) for kind of key, 4096 bits, valid for 180d

gpg> save

Create revocation certificate

gpg --output \<my@email.addr\>.gpg-revocation-certificate --gen-revoke my@email.addr

Back up your keypair

Export the primary keypair (put these somewhere very safe along with revocation certificate)

gpg --export-secret-keys --armor my@email.addr > \<my@email.addr\>.private.gpg-key
gpg --export --armor my@email.addr > \<my@email.addr\>.public.gpg-key

Remove the primary keypair from your keyring

Export all subkeys from the new keypair to a file - use ramfs instead of tmpfs/ or /dev/shm/ because ramfs doesn't write to swap

mkdir /tmp/gpg
sudo mount -t ramfs -o size=1M ramfs /tmp/gpg
sudo chown $(logname):$(logname) /tmp/gpg
gpg --export-secret-subkeys my@email.addr > /tmp/gpg/subkeys

Delete original signing subkey from keypair in our keyring

gpg --delete-secret-key my@email.addr

Re-import the previously exported keys

gpg --import /tmp/gpg/subkeys
sudo umount /tmp/gpg
rmdir /tmp/gpg

Look for sec# instead of sec in the output - pound sign means signing subkey is not in the keypair located in the keyring gpg --list-secret-keys $HOME/.gnupg/secring.gpg

Revoking a signing keypair

Find the primary keypair and import it (preferably into an ephemeral system like a liveUSB)

gpg --import /path/to/\<my@email.addr\>.public.gpg-key /path/to/\<my@email.addr\>.private.gpg-key
gpg --edit-key my@email.addr
gpg> revkey
[ passphrase twice ]
gpg> save

Renew an expired or expiring keypair

gpg --edit-key my@email.addr
[select a key]
gpg> expire
[specify an expiration]
gpg> save

Create a single signed git commit

git commit -S -m "my awesome signed commit"

Configure git to always sign commits with a specified key

$ gpg --list-secret-keys --keyid-format=long # grab the fingerprint from the 'sec' line
git config [--global] commit.gpgsign true
git config [--global] user.signingkey DEADB33FBAD1D3A

Configure VSCode to sign commits

# User or workspace setting
"git.enableCommitSigning": true

References

OpenPGP Best Practices
Github: Signing Commits
Braincoke's Log: Create a GPG Key
Creating the Perfect GPG Keypair
Digital Neanderthal: Generate GPG Keys With Curve Ed25519