3.4 KiB
title | author | revision_date | rc | ||||||
---|---|---|---|---|---|---|---|---|---|
Signing Commits with GPG | Al Bowles | 2022-06-13 |
|
Creating your primary keypair
-
Initiate the keypair generation wizard
gpg --full-generate-key --expert
-
Select option
(9) ECC and ECC
for the key type -
Select option
(1) Curve 25519
for the elliptic curve -
Set a validity period of your choice, ideally less than 1 year
-
Specify real name and email address to associate with this keypair. The email address must match your verified Github email address or be set to
your-github-username@users.noreply.github.com
. -
Type a passphrase (twice)
Create a signing keypair
-
Add a signing subkey
gpg --expert --edit-key my@email.addr gpg> addkey
-
Select option
(10) ECC (sign only)
for the key type -
Select option
(1) Curve 25519
for the elliptic curve -
Set a validity period of your choice, ideally less than 1 year
-
Accept the prompts and type a passphrase (twice)
-
Save and exit
gpg> save
Create revocation certificate
gpg --output my_email_addr.gpg-revocation-certificate --gen-revoke my@email.addr
Back up your keypair
Export the primary keypair (put these somewhere very safe along with revocation certificate)
gpg --export-secret-keys --armor my@email.addr > my_email_addr.private.gpg-key
gpg --export --armor my@email.addr > my_email_addr.public.gpg-key
Remove the primary keypair from your keyring
-
Export all subkeys from the new keypair to a file
gpg --export-secret-subkeys my@email.addr > $HOME/.gnupg/subkeys
-
Delete primary key from keyring - BE SURE TO BACK UP YOUR PRIMARY KEYPAIR FIRST!
gpg --delete-secret-key my@email.addr
-
Re-import the previously exported keys
gpg --import $HOME/.gnupg/subkeys
-
Look for
sec#
instead ofsec
in the output - pound sign means signing subkey is not in the keypair located in the keyringgpg --list-secret-keys $HOME/.gnupg/secring.gpg
Revoking a signing keypair
Find the primary keypair and import it (preferably into an ephemeral system like a liveUSB)
gpg --import /path/to/my_email_addr.public.gpg-key /path/to/my_email_addr.private.gpg-key
gpg --edit-key my@email.addr
gpg> revkey
[ passphrase twice ]
gpg> save
Renew an expired or expiring keypair
gpg --edit-key my@email.addr
[select a key]
gpg> expire
[specify an expiration]
gpg> save
Create a single signed git commit
git commit -S -m "my awesome signed commit"
Configure git to always sign commits with a specified key
$ gpg --list-secret-keys --keyid-format=long # grab the fingerprint from the 'sec' line
git config [--global] commit.gpgsign true
git config [--global] user.signingkey DEADB33FBAD1D3A
Configure VSCode to sign commits
# User or workspace setting
"git.enableCommitSigning": true
References
OpenPGP Best Practices
Github: Signing Commits
Braincoke's Log: Create a GPG Key
Creating the Perfect GPG Keypair
Digital Neanderthal: Generate GPG Keys With Curve Ed25519