@ChristopherA
Last active April 7, 2024 20:20
MacOS Sonoma New Dev System Notes
  1. do a fresh Erase Install Script
  2. create user account as admin
  3. login and auth iCloud
  4. login to github with iCloud passkey
  5. set up Touch ID for sudo https://gist.github.com/ChristopherA/a0f6612b1a0491b8a80e0e0a1e58318e
  6. terminal and my simple macOS Preferences Defaults
  7. scutil --set HostName eurynome
  8. scutil --set LocalHostName eurynome
  9. scutil --set ComputerName eurynome
  10. sudo hostname eurynome
  11. diskutil rename / eurynome
  12. TBD: defaults write /Library/Preferences/SystemConfiguration/com.apple.smb.server NetBIOSName -string eurynome
  13. install brew /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
  14. brew install visual-studio-code
  15. TBD: Set up best practices of .ssh/config
  16. TBD: this isn't working anymore, not sure why. `ssh -T git@github.com` should get: Hi ChristopherA! You've successfully authenticated, but GitHub does not provide shell access.
  17. ssh-keygen -t ed25519 -f ~/.ssh/auth_id_ed25519-mnemosyne.local-christophera@github_2024_01_26 -C "auth_id_ed25519-mnemosyne.local-christophera@github_2024_02_16" | tee auth_id_ed25519_mnemosyne.local-christophera@github_2024_01_26.txt
  18. ssh-keygen -t ed25519 -f ~/.ssh/sign_id_ed25519-mnemosyne.local-christophera@github_2024_01_26 -C "sign_id_ed25519-mnemosyne.local-christophera@github_2024_02_26" | tee sign_id_ed25519_mnemosyne.local-christophera@github_2024_01_26.txt
  19. ssh-keygen -t ed25519 -f ~/.ssh/enc_id_ed25519-mnemosyne.local-christophera@github_2024_01_26 -C "enc_id_ed25519-mnemosyne.local-christophera@github_2024_02_26" | tee enc_id_ed25519_mnemosyne.local-christophera@github_2024_01_26.txt
  20. ssh-keygen -t ed25519 -f ~/.ssh/cert_id_ed25519-mnemosyne.local-christophera@github_2024_01_26 -C "cert_id_ed25519-mnemosyne.local-christophera@github_2024_02_26" | tee cert_id_ed25519_mnemosyne.local-christophera@github_2024_01_26.txt
  21. brew install gh
  22. TBD: (`gh auth login` will ask you if you want to create a new ssh key, but there may be another way in `gh auth login` to skip that question and just give it in one command.) Also: `gh auth refresh -h github.com -s admin:ssh_signing_key` lets you change key.
  23. git config --global user.name "Christopher Allen"
  24. git config --global user.email ChristopherA@LifeWithAlacrity.com
  25. git config --global github.user ChristopherA
  26. git config --global gpg.format ssh
  27. git config --global commit.gpgsign true
  28. git config --global tag.gpgsign true
  29. git config --global user.signingkey ~/.ssh/sign_id_ed25519-mnemosyne.local-christophera@github_2024_01_26.pub
  30. touch ~/.ssh/allowed_signers && git config --global gpg.ssh.allowedSignersFile ~/.ssh/allowed_signers
  31. set permissions for ssh
```sh
sudo chown -R christophera ~/.ssh/
sudo chown -R christophera ~/.ssh/*
sudo chmod 600 ~/.ssh/sign_id*
sudo chmod 600 ~/.ssh/auth_id*
sudo chmod 644 ~/.ssh/*.pub
sudo chmod 644 ~/.ssh/authorized_keys
sudo chmod 644 ~/.ssh/known_hosts
sudo chmod 644 ~/.ssh/allowed_signers
sudo chmod 700 ~/.ssh
ssh-add /Users/christophera/.ssh/auth_id_ed25519-mnemosyne.local-christophera@github_2024_01_26
ssh-add /Users/christophera/.ssh/sign_id_ed25519-mnemosyne.local-christophera@github_2024_01_26
ssh-add -L
```
  1. ssh-keygen -Y sign -f sign_id_ed25519-mnemosyne.local-christophera@github_2024_01_26 -n file sign_id_ed25519-mnemosyne.local-christophera@github_2024_01_26.pub
  2. TBD: ssh-keygen -Y verify -f ~/.ssh/allowed_signers -I "christophera@lifewithalacrity.com" -n file -s ~/.ssh/sign_id_ed25519_christophera@github.pub.sig < sign_id_ed25519-mnemosyne.local-christophera@github_2024_01_26.pub
  3. gh auth refresh -h github.com -s admin:ssh_signing_key
  4. gh ssh-key list
  5. git commit --allow-empty --message="Testing SSH signing"
  6. https://github.com/settings/keys
  7. https://github.com/ChristopherA.keys
  8. https://api.github.com/users/ChristopherA/keys
  9. https://api.github.com/users/ChristopherA/ssh_signing_keys
```sh
# Signing content:
ssh-keygen
-Y sign        # The 'sign' signature operation
-n <namespace> # <namespace> Signature namespace (e.g. file or email)
-f <file>      # <file> Path to the private key to sign the content with
<files>        # <files> Paths to one or more files you want to sign (optional, by default reads from stdin)

# Checking the signature of signed content (no allowed_signers lookup, so it says nothing about who is authorized):

ssh-keygen
-Y check-novalidate # The 'check' signature operation
-n <namespace>      # <namespace> Namespace the signature was generated in
-f <file>           # <file> Path to the public key to validate the signature with
-s <file>           # Path to the signature file

# Check signature and verify whether the signer is authorized to sign the content:

ssh-keygen
-Y verify      # The 'verify' signature operation
-n <namespace> # <namespace> Namespace the signature was generated in
-f <file>      # <file> Path to the ALLOWED SIGNERS file
-s <file>      # <file> Path to the signature file
-I <principal> # <principal> The expected identity principal used to generate the signature

# Search the ALLOWED SIGNERS file for any principals that are applicable for the specified signature:

ssh-keygen
-Y find-principals # The 'find principals' signature operation
-f <file>          # <file> Path to the ALLOWED SIGNERS file
-s <file>          # <file> Path to the signature file

# Display your key's fingerprint and comment (the comment, usually <username>@<hostname> from when it was generated, is what is commonly used as the principal):

ssh-keygen
-l        # Print the key's fingerprint (and its comment)
-f <file> # <file> Path to the public key

# Generate a user certificate from a Certificate Authority (CA) SSH key:

ssh-keygen
-I <cert_id>    # <cert_id> The certificate identity
-s <file>       # <file> Path to the CA's private key
-n <principals> # <principals> Identity principals allowed by the generated certificate
<files>         # <files>  Path to one or more public keys to generate a certificate for
```
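The sign/verify steps above (and the `-Y sign` / `-Y verify` reference) as one end-to-end check, added here as an example and not part of the gist: it builds a throwaway signing key, an `allowed_signers` entry restricted to the `file` namespace, signs a sample file, then confirms that verification passes only for the right principal, the right namespace and untampered content. The key name, principal `demo@example.org` and file contents are constructed for the demo; it needs OpenSSH 8.0 or newer for `ssh-keygen -Y`.

```sh
#!/bin/sh
# Added example (not from the gist): SSH signing round trip with allowed_signers.
# All names, the principal and the signed content are constructed for the demo.
set -eu

# Returns 0 when the detached signature "$file.sig" verifies against the
# allowed_signers file "$allowed" for principal "$principal" in namespace "$ns".
verify_sig() {
    allowed=$1 principal=$2 ns=$3 file=$4
    ssh-keygen -Y verify -f "$allowed" -I "$principal" -n "$ns" \
        -s "$file.sig" < "$file" >/dev/null 2>&1
}

# Builds the fixture in a temp dir and prints its path: a signing-only key,
# an allowed_signers entry scoped to the "file" namespace, and a signature.
make_fixture() {
    work=$(mktemp -d)
    # Separate signing key; no passphrase so the demo runs unattended.
    ssh-keygen -q -t ed25519 -N '' -C "sign_id_ed25519-demo" \
        -f "$work/sign_id_ed25519-demo" >/dev/null
    # allowed_signers format: <principal> [options] <key type> <base64 key>
    # namespaces="file" restricts what this key is trusted to sign.
    printf 'demo@example.org namespaces="file" %s\n' \
        "$(cut -d' ' -f1,2 "$work/sign_id_ed25519-demo.pub")" \
        > "$work/allowed_signers"
    printf 'release manifest, constructed sample\n' > "$work/manifest.txt"
    # -Y sign with a file argument writes the detached signature to manifest.txt.sig
    ssh-keygen -Y sign -f "$work/sign_id_ed25519-demo" -n file \
        "$work/manifest.txt" >/dev/null 2>&1
    printf '%s\n' "$work"
}

# Exercises the outcomes a verifier must distinguish: good signature, wrong
# principal, wrong namespace, tampered content. Prints "ok" if all behave.
run_demo() {
    w=$(make_fixture)
    verify_sig "$w/allowed_signers" demo@example.org file "$w/manifest.txt" || return 1
    # Valid key, but allowed_signers does not bind it to this identity.
    if verify_sig "$w/allowed_signers" other@example.org file "$w/manifest.txt"; then return 1; fi
    # The entry only authorizes the "file" namespace.
    if verify_sig "$w/allowed_signers" demo@example.org git "$w/manifest.txt"; then return 1; fi
    # One byte appended after signing must break verification.
    printf 'x' >> "$w/manifest.txt"
    if verify_sig "$w/allowed_signers" demo@example.org file "$w/manifest.txt"; then return 1; fi
    rm -rf "$w"
    echo ok
}
```

Running `run_demo` prints `ok`; the same `verify_sig` call shape is what `git log --show-signature` performs internally once `gpg.ssh.allowedSignersFile` is set.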

ChristopherA commented Oct 26, 2023

Active GitHub ticket https://support.github.com/ticket/personal/0/2398911

In the past you could verify someone's signed commit by getting the public PGP key from https://github.com/christophera.gpg. However, we are trying to transition away from GPG signing to SSH signing.

You can use https://github.com/christophera.keys to get ssh auth keys for that user, however, it doesn't show their ssh auth keys registered with GitHub.

I don't need a GitHub user's auth keys, I need their ssh signing key to verify their signed code. Is there some magic URL to get the ssh auth keys?

I know that you can use the same ssh key for both, but security best practices for SSH signing are to keep those as separate ssh keys.
