generated from sig_core/wiki-template
feat: GPG keypair generation and signing documentation
This commit is contained in:
parent
b4c0ad62dd
commit
02a06ef2b5
1
.pages
1
.pages
@ -3,3 +3,4 @@ nav:
|
||||
- Testing Team: index.md
|
||||
- QA:Test Cases: qa_test_cases.md
|
||||
- Release Criteria & Status: release_criteria
|
||||
- Wiki Development Guides: dev_guides
|
||||
|
4
dev_guides/.pages
Normal file
4
dev_guides/.pages
Normal file
@ -0,0 +1,4 @@
|
||||
---
|
||||
nav:
|
||||
- Development Box Setup: development_boxes.md
|
||||
- Git Commit Signing: commit_signing.md
|
99
dev_guides/commit_signing.md
Normal file
99
dev_guides/commit_signing.md
Normal file
@ -0,0 +1,99 @@
|
||||
---
|
||||
title: Signing Commits with GPG
|
||||
author: Al Bowles
|
||||
revision_date: 2022-06-13
|
||||
rc:
|
||||
prod: Rocky Linux
|
||||
ver: 8
|
||||
level: Final
|
||||
---
|
||||
# Creating your primary keypair
|
||||
Create a new gpg keypair, ideally set to expire in <= 1y
|
||||
|
||||
gpg --full-generate-key --expert
|
||||
|
||||
Select eddsa [ECC] and set a validity period
|
||||
Specify real name and email address to associate with this keypair
|
||||
Type a passphrase
|
||||
|
||||
# Create a signing keypair
|
||||
Add a signing subkey
|
||||
|
||||
gpg --edit-key my@email.addr
|
||||
gpg> addkey
|
||||
[ passphrase ]
|
||||
|
||||
Select [ECC] (sign / authenticate / encrypt?) for kind of key, 4096 bits, valid for 180d
|
||||
|
||||
gpg> save
|
||||
|
||||
Create revocation certificate
|
||||
|
||||
gpg --output \<my@email.addr\>.gpg-revocation-certificate --gen-revoke my@email.addr
|
||||
|
||||
# Back up your keypair
|
||||
Export the *primary keypair* (put these somewhere very safe along with revocation certificate)
|
||||
|
||||
gpg --export-secret-keys --armor my@email.addr > \<my@email.addr\>.private.gpg-key
|
||||
gpg --export --armor my@email.addr > \<my@email.addr\>.public.gpg-key
|
||||
|
||||
# Remove the *primary keypair* from your keyring
|
||||
Export all subkeys from the new keypair to a file - use ramfs instead of tmpfs/ or /dev/shm/ because ramfs doesn't write to swap
|
||||
|
||||
mkdir /tmp/gpg
|
||||
sudo mount -t ramfs -o size=1M ramfs /tmp/gpg
|
||||
sudo chown $(logname):$(logname) /tmp/gpg
|
||||
gpg --export-secret-subkeys my@email.addr > /tmp/gpg/subkeys
|
||||
|
||||
Delete original signing subkey from keypair in our keyring
|
||||
|
||||
gpg --delete-secret-key my@email.addr
|
||||
|
||||
Re-import the previously exported keys
|
||||
|
||||
gpg --import /tmp/gpg/subkeys
|
||||
sudo umount /tmp/gpg
|
||||
rmdir /tmp/gpg
|
||||
|
||||
Look for `sec#` instead of `sec` in the output - pound sign means signing subkey is *not* in the keypair located in the keyring
|
||||
gpg --list-secret-keys $HOME/.gnupg/secring.gpg
|
||||
|
||||
# Revoking a *signing keypair*
|
||||
Find the *primary keypair* and import it (preferably into an ephemeral system like a liveUSB)
|
||||
|
||||
gpg --import /path/to/\<my@email.addr\>.public.gpg-key /path/to/\<my@email.addr\>.private.gpg-key
|
||||
gpg --edit-key my@email.addr
|
||||
gpg> revkey
|
||||
[ passphrase twice ]
|
||||
gpg> save
|
||||
|
||||
|
||||
# Renew an expired or expiring keypair
|
||||
|
||||
gpg --edit-key my@email.addr
|
||||
[select a key]
|
||||
gpg> expire
|
||||
[specify an expiration]
|
||||
gpg> save
|
||||
|
||||
# Create a single signed git commit
|
||||
|
||||
git commit -S -m "my awesome signed commit"
|
||||
|
||||
# Configure git to always sign commits with a specified key
|
||||
|
||||
$ gpg --list-secret-keys --keyid-format=long # grab the fingerprint from the 'sec' line
|
||||
git config [--global] commit.gpgsign true
|
||||
git config [--global] user.signingkey DEADB33FBAD1D3A
|
||||
|
||||
# Configure VSCode to sign commits
|
||||
|
||||
# User or workspace setting
|
||||
"git.enableCommitSigning": true
|
||||
|
||||
# References
|
||||
[OpenPGP Best Practices](https://riseup.net/en/security/message-security/openpgp/best-practices#key-configuration)<br>
|
||||
[Github: Signing Commits](https://docs.github.com/en/enterprise-server@3.5/authentication/managing-commit-signature-verification/signing-commits)<br>
|
||||
[Braincoke's Log: Create a GPG Key](https://blog.braincoke.fr/security/create-a-gpg-key/)<br>
|
||||
[Creating the Perfect GPG Keypair](https://alexcabal.com/creating-the-perfect-gpg-keypair)<br>
|
||||
[Digital Neanderthal: Generate GPG Keys With Curve Ed25519](https://www.digitalneanderthal.com/post/gpg/)<br>
|
Loading…
Reference in New Issue
Block a user