wiki/dev_guides/commit_signing.md
2022-06-13 18:24:55 -05:00

3.6 KiB

title author revision_date rc
Signing Commits with GPG Al Bowles 2022-06-13
prod ver level
Rocky Linux 8 Final

Creating your primary keypair

  1. Initiate the keypair generation wizard

     gpg --full-generate-key --expert
    
  2. Select option (9) ECC and ECC for the key type

  3. Select option (1) Curve 25519 for the elliptic curve

  4. Set a validity period of your choice, ideally less than 1 year

  5. Specify real name and email address to associate with this keypair. The email address must match your verified Github email address or be set to your-github-username@users.noreply.github.com.

  6. Type a passphrase (twice)

Create a signing keypair

  1. Add a signing subkey

     gpg --expert --edit-key my@email.addr
     gpg> addkey
    
  2. Select option (10) ECC (sign only) for the key type

  3. Select option (1) Curve 25519 for the elliptic curve

  4. Set a validity period of your choice, ideally less than 1 year

  5. Accept the prompts and type a passphrase (twice)

  6. Save and exit

     gpg> save
    

Create revocation certificate

gpg --output \<my@email.addr\>.gpg-revocation-certificate --gen-revoke my@email.addr

Back up your keypair

Export the primary keypair (put these somewhere very safe along with revocation certificate)

gpg --export-secret-keys --armor my@email.addr > \<my@email.addr\>.private.gpg-key
gpg --export --armor my@email.addr > \<my@email.addr\>.public.gpg-key

Remove the primary keypair from your keyring

Export all subkeys from the new keypair to a file - use ramfs instead of tmpfs/ or /dev/shm/ because ramfs doesn't write to swap

mkdir /tmp/gpg
sudo mount -t ramfs -o size=1M ramfs /tmp/gpg
sudo chown $(logname):$(logname) /tmp/gpg
gpg --export-secret-subkeys my@email.addr > /tmp/gpg/subkeys

Delete original signing subkey from keypair in our keyring

gpg --delete-secret-key my@email.addr

Re-import the previously exported keys

gpg --import /tmp/gpg/subkeys
sudo umount /tmp/gpg
rmdir /tmp/gpg

Look for sec# instead of sec in the output - pound sign means signing subkey is not in the keypair located in the keyring gpg --list-secret-keys $HOME/.gnupg/secring.gpg

Revoking a signing keypair

Find the primary keypair and import it (preferably into an ephemeral system like a liveUSB)

gpg --import /path/to/\<my@email.addr\>.public.gpg-key /path/to/\<my@email.addr\>.private.gpg-key
gpg --edit-key my@email.addr
gpg> revkey
[ passphrase twice ]
gpg> save

Renew an expired or expiring keypair

gpg --edit-key my@email.addr
[select a key]
gpg> expire
[specify an expiration]
gpg> save

Create a single signed git commit

git commit -S -m "my awesome signed commit"

Configure git to always sign commits with a specified key

$ gpg --list-secret-keys --keyid-format=long # grab the fingerprint from the 'sec' line
git config [--global] commit.gpgsign true
git config [--global] user.signingkey DEADB33FBAD1D3A

Configure VSCode to sign commits

# User or workspace setting
"git.enableCommitSigning": true

References

OpenPGP Best Practices
Github: Signing Commits
Braincoke's Log: Create a GPG Key
Creating the Perfect GPG Keypair
Digital Neanderthal: Generate GPG Keys With Curve Ed25519