- do a fresh Erase Install Script
- create user account as admin
- login and auth iCloud
- login to github with iCloud passkey
- setup TouchID with sudo https://gist.github.com/ChristopherA/a0f6612b1a0491b8a80e0e0a1e58318e
- terminal and my simple macOS Preferences Defaults
scutil --set HostName eurynome
scutil --set LocalHostName eurynome
scutil --set ComputerName eurynome
sudo hostname eurynome
diskutil rename / eurynome
- TBD: defaults write /Library/Preferences/SystemConfiguration/com.apple.smb.server NetBIOSName -string eurynome
- install brew
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
brew install --cask visual-studio-code
- TBD: set up best practices for .ssh/config
- TBD: this isn't working anymore, not sure why:
ssh -T git@github.com
should print: Hi ChristopherA! You've successfully authenticated, but GitHub does not provide shell access.
- generate a separate ed25519 key per purpose (auth, sign, enc, cert); the -C comment matches the file name so the key is recognisable in ssh-add -L and on GitHub, and tee keeps the fingerprint/randomart printout
ssh-keygen -t ed25519 -f ~/.ssh/auth_id_ed25519-mnemosyne.local-christophera@github_2024_01_26 -C "auth_id_ed25519-mnemosyne.local-christophera@github_2024_01_26" | tee auth_id_ed25519-mnemosyne.local-christophera@github_2024_01_26.txt
ssh-keygen -t ed25519 -f ~/.ssh/sign_id_ed25519-mnemosyne.local-christophera@github_2024_01_26 -C "sign_id_ed25519-mnemosyne.local-christophera@github_2024_01_26" | tee sign_id_ed25519-mnemosyne.local-christophera@github_2024_01_26.txt
ssh-keygen -t ed25519 -f ~/.ssh/enc_id_ed25519-mnemosyne.local-christophera@github_2024_01_26 -C "enc_id_ed25519-mnemosyne.local-christophera@github_2024_01_26" | tee enc_id_ed25519-mnemosyne.local-christophera@github_2024_01_26.txt
ssh-keygen -t ed25519 -f ~/.ssh/cert_id_ed25519-mnemosyne.local-christophera@github_2024_01_26 -C "cert_id_ed25519-mnemosyne.local-christophera@github_2024_01_26" | tee cert_id_ed25519-mnemosyne.local-christophera@github_2024_01_26.txt
brew install gh
- gh auth login prompts to generate and upload a new SSH key. To keep the keys generated above instead, skip that prompt (gh auth login -h github.com -p ssh --skip-ssh-key) and upload them yourself with gh ssh-key add <pubkey-file> --type authentication or --type signing. gh auth refresh -h github.com -s admin:ssh_signing_key adds the OAuth scope gh needs to list and add signing keys; it does not change a key by itself.
- git config --global user.name "Christopher Allen"
- git config --global user.email ChristopherA@LifeWithAlacrity.com
- git config --global github.user ChristopherA
git config --global gpg.format ssh
git config --global commit.gpgsign true
git config --global tag.gpgsign true
git config --global user.signingkey ~/.ssh/sign_id_ed25519-mnemosyne.local-christophera@github_2024_01_26.pub
touch ~/.ssh/allowed_signers
git config --global gpg.ssh.allowedSignersFile ~/.ssh/allowed_signers
- allowed_signers starts out empty; git log --show-signature and git verify-commit can only report a good signature for signers listed in it, one per line as principal [namespaces="git"] key-type base64-key (the comment in the .pub file is a label, not a principal)
- set ownership and permissions for ~/.ssh (sudo only matters if the files came back from a backup under another owner; all four private keys need 600, not just auth and sign)
sudo chown -R christophera ~/.ssh
chmod 700 ~/.ssh
chmod 600 ~/.ssh/auth_id* ~/.ssh/sign_id* ~/.ssh/enc_id* ~/.ssh/cert_id*
chmod 644 ~/.ssh/*.pub
chmod 600 ~/.ssh/config
chmod 644 ~/.ssh/authorized_keys ~/.ssh/known_hosts ~/.ssh/allowed_signers
ssh-add /Users/christophera/.ssh/auth_id_ed25519-mnemosyne.local-christophera@github_2024_01_26
ssh-add /Users/christophera/.ssh/sign_id_ed25519-mnemosyne.local-christophera@github_2024_01_26
ssh-add -L
- self-test: sign a file (here the signing key's own .pub) with the signing key; ssh-keygen writes the detached signature next to it as <file>.sig
ssh-keygen -Y sign -f ~/.ssh/sign_id_ed25519-mnemosyne.local-christophera@github_2024_01_26 -n file ~/.ssh/sign_id_ed25519-mnemosyne.local-christophera@github_2024_01_26.pub
- TBD: verify it. -s must name the .sig the sign step wrote, the signed data goes in on stdin, and the -I principal must appear in ~/.ssh/allowed_signers paired with this public key (the file created by touch above is empty, so verify fails until a line is added):
ssh-keygen -Y verify -f ~/.ssh/allowed_signers -I "christophera@lifewithalacrity.com" -n file -s ~/.ssh/sign_id_ed25519-mnemosyne.local-christophera@github_2024_01_26.pub.sig < ~/.ssh/sign_id_ed25519-mnemosyne.local-christophera@github_2024_01_26.pub
gh auth refresh -h github.com -s admin:ssh_signing_key
gh ssh-key list
git commit --allow-empty --message="Testing SSH signing"
- https://github.com/settings/keys (manage your own authentication and signing keys)
- https://github.com/ChristopherA.keys (a user's authentication keys, plain text)
- https://api.github.com/users/ChristopherA/keys (the same, as JSON)
- https://api.github.com/users/ChristopherA/ssh_signing_keys (a user's SSH signing keys as JSON; these are what an allowed_signers entry for that user is built from)
# Signing content:
ssh-keygen
-Y sign # The 'sign' signature operation
-n <namespace> # <namespace> Signature namespace (e.g. file or email)
-f <file> # <file> Path to the private key to sign the content with
<files> # <files> Paths to one or more files you want to sign (optional, by default reads from stdin)
# Checking the signature of signed content (well formed and valid for the public key embedded in the signature; no allowed_signers lookup, so it says nothing about whether that signer is trusted):
ssh-keygen
-Y check-novalidate # The 'check-novalidate' signature operation
-n <namespace> # <namespace> Namespace the signature was generated in
-s <file> # <file> Path to the signature file (the signed data is read from stdin)
# Check signature and verify whether the signer is authorized to sign the content:
ssh-keygen
-Y verify # The 'verify' signature operation
-n <namespace> # <namespace> Namespace the signature was generated in
-f <file> # <file> Path to the ALLOWED SIGNERS file
-s <file> # <file> Path to the signature file
-I <principal> # <principal> The expected identity principal used to generate the signature
# Search the ALLOWED SIGNERS file for any principals that are applicable for the specified signature:
ssh-keygen
-Y find-principals # The 'find principals' signature operation
-f <file> # <file> Path to the ALLOWED SIGNERS file
-s <file> # <file> Path to the signature file
# Display a key's fingerprint and comment (the comment is usually <username>@<hostname> from when it was generated; it is only a label, not a principal):
ssh-keygen
-l # Print the key's fingerprint and comment
-f <file> # <file> Path to the public key
# Generate a user certificate from a Certificate Authority (CA) SSH key:
ssh-keygen
-I <cert_id> # <cert_id> The certificate identity
-s <file> # <file> Path to the CA's private key
-n <principals> # <principals> Identity principals allowed by the generated certificate
<files> # <files> Path to one or more public keys to generate a certificate for
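The certificate form above, as an added example that is not from the original notes: it issues a user certificate from a throwaway CA in a temporary directory and reads back the fields that -I, -n, -V and -O set, so each option can be seen doing something. Assumptions: a fresh ed25519 CA key stands in for the notes' cert_id key, the certified key stands in for auth_id, and the key ID, principals and one-day validity window are made up for the demo.

```shell
#!/bin/sh
# Added example, not from the original notes: issue and decode a user
# certificate. All keys are generated here; key ID, principals and validity
# are demo values.
set -eu

WORK="$(mktemp -d)"
CA="$WORK/cert_id_ed25519"        # CA private key (keep this offline in practice)
USER_KEY="$WORK/auth_id_ed25519"  # the key being certified
CERT="$USER_KEY-cert.pub"         # ssh-keygen always writes <pubkey>-cert.pub
trap 'rm -rf "$WORK"' EXIT

make_keys() {
    [ -f "$CA" ] || ssh-keygen -q -t ed25519 -N "" -C "example-ca" -f "$CA"
    [ -f "$USER_KEY" ] || ssh-keygen -q -t ed25519 -N "" -C "example-user" -f "$USER_KEY"
}

# -I  key ID: free text that sshd logs on login; useful for audit, not for authz
# -n  principals: comma-separated identities the certificate is valid for
# -V  validity interval relative to now; without it the cert never expires
# -O  restrictions that apply even where the server would allow more
issue_cert() {
    ssh-keygen -q -s "$CA" -I "christophera-eurynome-2024" -n "christophera,deploy" \
        -V "+1d" -O no-port-forwarding "$USER_KEY.pub"
}

# Principals stored in the certificate, one per line, parsed from ssh-keygen -L
cert_principals() {
    ssh-keygen -L -f "$CERT" | awk '/Principals:/ {p=1; next} /Critical Options:/ {p=0} p {print $1}'
}

# The key ID, which -L prints in double quotes
cert_key_id() {
    ssh-keygen -L -f "$CERT" | awk -F'"' '/Key ID:/ {print $2}'
}

# Extensions granted to the holder; -O no-port-forwarding removes permit-port-forwarding
cert_extensions() {
    ssh-keygen -L -f "$CERT" | awk '/Extensions:/ {p=1; next} /^[^ \t]/ {p=0} p {print $1}'
}

# "yes" when the certificate's Signing CA fingerprint equals our CA public
# key's fingerprint, i.e. this CA and not some other one issued it
cert_issued_by_ca() {
    ca_fp="$(ssh-keygen -lf "$CA.pub" | awk '{print $2}')"
    cert_ca_fp="$(ssh-keygen -L -f "$CERT" | awk '/Signing CA:/ {print $4}')"
    [ "$ca_fp" = "$cert_ca_fp" ] && echo yes || echo no
}

main() {
    if ! command -v ssh-keygen >/dev/null 2>&1; then
        echo "ssh-keygen not found; nothing to demonstrate" >&2; return 0
    fi
    make_keys
    issue_cert
    echo "key id:           $(cert_key_id)"
    echo "principals:       $(cert_principals | tr '\n' ' ')"
    echo "extensions:       $(cert_extensions | tr '\n' ' ')"
    echo "issued by our CA: $(cert_issued_by_ca)"
    ssh-keygen -L -f "$CERT"     # full decode, including the Valid: from/to window
}
main
```

The Key ID is what shows up in sshd's auth log, the principals are what authorization is decided on, and the Signing CA fingerprint is how a server ties the certificate to a CA it trusts. The CA private key is the asset to protect: whoever holds it can mint a certificate for any principal.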
Active Github ticket https://support.github.com/ticket/personal/0/2398911
In the past you could verify someone's signed commit by getting the public PGP key from https://github.com/christophera.gpg. However, we are trying to transition away from GPG signing to SSH signing.
You can use https://github.com/christophera.keys to get ssh auth keys for that user, however, it doesn't show their ssh auth keys registered with GitHub.
I don't need a GitHub user's auth keys, I need their ssh signing key to verify their signed code. Is there some magic URL to get the ssh auth keys?
I know that you can use the same ssh key for both, but security best practices for SSH signing are to keep those as separate ssh keys.