3.3 KiB
| title | author | revision_date | rc | ||||||
|---|---|---|---|---|---|---|---|---|---|
| Signing Commits with GPG | Al Bowles | 2022-06-13 |
|
Creating your primary keypair
Initiate the keypair generation wizard
gpg --full-generate-key --expert
Select option (9) ECC and ECC for the key type
Select option (1) Curve 25519 for the elliptic curve
Set a validity period of your choice, ideally less than 1 year
Specify real name and email address to associate with this keypair
Type a passphrase (twice)
Create a signing keypair
Add a signing subkey
gpg --edit-key my@email.addr
gpg> addkey
[ passphrase ]
Select [ECC] (sign / authenticate / encrypt?) for kind of key, 4096 bits, valid for 180d
gpg> save
Create revocation certificate
gpg --output \<my@email.addr\>.gpg-revocation-certificate --gen-revoke my@email.addr
Back up your keypair
Export the primary keypair (put these somewhere very safe along with revocation certificate)
gpg --export-secret-keys --armor my@email.addr > \<my@email.addr\>.private.gpg-key
gpg --export --armor my@email.addr > \<my@email.addr\>.public.gpg-key
Remove the primary keypair from your keyring
Export all subkeys from the new keypair to a file - use ramfs instead of tmpfs/ or /dev/shm/ because ramfs doesn't write to swap
mkdir /tmp/gpg
sudo mount -t ramfs -o size=1M ramfs /tmp/gpg
sudo chown $(logname):$(logname) /tmp/gpg
gpg --export-secret-subkeys my@email.addr > /tmp/gpg/subkeys
Delete original signing subkey from keypair in our keyring
gpg --delete-secret-key my@email.addr
Re-import the previously exported keys
gpg --import /tmp/gpg/subkeys
sudo umount /tmp/gpg
rmdir /tmp/gpg
Look for sec# instead of sec in the output - pound sign means signing subkey is not in the keypair located in the keyring
gpg --list-secret-keys $HOME/.gnupg/secring.gpg
Revoking a signing keypair
Find the primary keypair and import it (preferably into an ephemeral system like a liveUSB)
gpg --import /path/to/\<my@email.addr\>.public.gpg-key /path/to/\<my@email.addr\>.private.gpg-key
gpg --edit-key my@email.addr
gpg> revkey
[ passphrase twice ]
gpg> save
Renew an expired or expiring keypair
gpg --edit-key my@email.addr
[select a key]
gpg> expire
[specify an expiration]
gpg> save
Create a single signed git commit
git commit -S -m "my awesome signed commit"
Configure git to always sign commits with a specified key
$ gpg --list-secret-keys --keyid-format=long # grab the fingerprint from the 'sec' line
git config [--global] commit.gpgsign true
git config [--global] user.signingkey DEADB33FBAD1D3A
Configure VSCode to sign commits
# User or workspace setting
"git.enableCommitSigning": true
References
OpenPGP Best Practices
Github: Signing Commits
Braincoke's Log: Create a GPG Key
Creating the Perfect GPG Keypair
Digital Neanderthal: Generate GPG Keys With Curve Ed25519