@avoidik
Last active July 23, 2023 11:53
Configure git, pass, docker and twine to use gpg

Install required tools first

$ # ubuntu
$ sudo apt-get install -y git gnupg pass pinentry-curses
$ # macos
$ brew install git gnupg2 docker-credential-helper pass pinentry-mac

docker-credential-pass is not packaged for Ubuntu, so install the binary from the project's GitHub release. Filter on the asset name as well as the architecture, because the linux-amd64 suffix also matches docker-credential-secretservice; and since this binary will be handed every registry credential you log in with, compare it against the checksums.txt published with the release before copying it into PATH

PKGARCH="linux-amd64$"
DURL="$(curl -fsSL https://api.github.com/repos/docker/docker-credential-helpers/releases/latest | jq -r --arg arch "$PKGARCH" '.assets[] | select(.name | startswith("docker-credential-pass")) | select(.name | test($arch)) | .browser_download_url')"
curl -fsSL "$DURL" -o /tmp/docker-credential-pass
sudo install -o root -g root -m 0755 /tmp/docker-credential-pass /usr/local/bin/docker-credential-pass
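The download above lands a binary that Docker will hand every registry credential to, yet nothing checks what was fetched. The script below is an added example, not part of the gist, of doing the same install with the digest checked against the release's checksums.txt first. It assumes (the gist does not say so) that the release publishes an asset named checksums.txt in sha256sum format, and that sha256sum or shasum, curl and jq are installed; the install function needs network and sudo, so it is only defined here, not run.

```sh
#!/bin/sh
# Added example (not part of the gist): fetch docker-credential-pass from the
# GitHub release and refuse to install it unless its SHA-256 matches the
# release's checksums.txt. Assumption: the release ships an asset called
# checksums.txt with one "<sha256>  <asset name>" line per file.
set -eu

# SHA-256 hex digest of a file, portable across Linux (coreutils) and macOS (shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_in_checksums FILE CHECKSUMS
# Looks up FILE's basename in CHECKSUMS (one "<sha256>  <name>" per line, with an
# optional "*" before the name as written by sha256sum -b) and compares digests.
# Exit status: 0 match, 1 digest mismatch, 2 no entry for that name.
verify_in_checksums() {
    file="$1"; sums="$2"
    name="$(basename "$file")"
    expected="$(awk -v n="$name" '($2 == n || $2 == ("*" n)) { print tolower($1); exit }' "$sums")"
    if [ -z "$expected" ]; then
        echo "verify: no checksum entry for $name in $sums" >&2
        return 2
    fi
    actual="$(sha256_of "$file")"
    if [ "$actual" != "$expected" ]; then
        echo "verify: SHA-256 mismatch for $name (expected $expected, got $actual)" >&2
        return 1
    fi
    echo "verify: $name OK"
}

# install_docker_credential_pass [DEST_DIR]
# Downloads the latest linux-amd64 pass helper plus checksums.txt to a temp dir,
# verifies the digest, then installs it root-owned 0755 into DEST_DIR
# (default /usr/local/bin). Needs network and sudo; not called automatically.
install_docker_credential_pass() {
    dest="${1:-/usr/local/bin}"
    api="https://api.github.com/repos/docker/docker-credential-helpers/releases/latest"
    tmp="$(mktemp -d)"
    release="$(curl -fsSL "$api")"
    # Match the name prefix too: the arch suffix alone also selects docker-credential-secretservice.
    bin_url="$(printf '%s' "$release" | jq -r '.assets[] | select(.name | test("^docker-credential-pass-.*linux-amd64$")) | .browser_download_url')"
    sums_url="$(printf '%s' "$release" | jq -r '.assets[] | select(.name == "checksums.txt") | .browser_download_url')"
    bin="$tmp/$(basename "$bin_url")"
    curl -fsSL "$bin_url" -o "$bin"
    curl -fsSL "$sums_url" -o "$tmp/checksums.txt"
    verify_in_checksums "$bin" "$tmp/checksums.txt"   # under set -e a mismatch aborts before install
    sudo install -o root -g root -m 0755 "$bin" "$dest/docker-credential-pass"
    rm -rf "$tmp"
}
```

Source the file and call install_docker_credential_pass to perform the install; verify_in_checksums can be reused on its own for any other release asset that ships a checksums file.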

Generate a gpg key non-interactively. %no-protection is the line that matters here: it writes the secret key to ~/.gnupg with no passphrase at all, so anyone who can read your home directory can sign and decrypt as you (%no-ask-passphrase is a legacy option and can be dropped). For a key you will actually use, leave both lines out so that gpg-agent prompts for a passphrase through pinentry

$ gpg --batch --generate-key <<'EOF'
%echo Generating gpg key...
Key-Type: default
Subkey-Type: default
Name-Real: John Doe
Name-Email: john.doe@gmail.cn
Name-Comment: GPG
Expire-Date: 1y
%no-ask-passphrase
%no-protection
%commit
%echo done
EOF
$ gpg --list-secret-keys
$ gpg --armor --export $(gpg --list-keys --with-colons john.doe@gmail.cn | awk -F: '$1 == "pub" {print $5; exit}') > "${HOME}/.gnupg/john.doe.asc"

If generation fails with gpg: key generation failed: Unknown elliptic curve (the default key type is ECC on newer GnuPG and the build or agent may not support the curve), request RSA explicitly. 2048 bits is the floor; 3072 or 4096 is the better choice for a key expected to stay in use for years

Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048

Upload the public key in john.doe.asc to your profile on GitHub, GitLab, Bitbucket, etc. so that commits signed with it show as verified. Only the public key leaves the machine; never paste the output of --export-secret-keys anywhere.

Initialize the password store, encrypting every entry to the key just created (the argument is any identifier of that key: e-mail, long key ID or fingerprint)

$ pass init john.doe@gmail.cn

Now configure gpg-agent. On Ubuntu point it at pinentry-curses. default-cache-ttl on its own is capped by max-cache-ttl (7200 seconds unless changed), so set both if you want the 8-hour cache; while the passphrase is cached, anything running as your user can sign and decrypt without a prompt, so pick a shorter value on a shared or exposed machine

$ cat <<EOF | tee "${HOME}/.gnupg/gpg-agent.conf" > /dev/null
default-cache-ttl 28800
max-cache-ttl 28800
pinentry-program $(which pinentry-curses)
EOF
$ gpg-connect-agent reloadagent /bye

On macOS use pinentry-mac instead. pinentry-mac offers to save the passphrase in the login keychain, which keeps it available without any prompt beyond the agent's cache; disable that if you want the cache TTL to be the only thing that matters

$ cat <<EOF | tee "${HOME}/.gnupg/gpg-agent.conf" > /dev/null
default-cache-ttl 28800
max-cache-ttl 28800
pinentry-program $(which pinentry-mac)
EOF
$ gpg-connect-agent reloadagent /bye
$ defaults write org.gpgtools.common UseKeychain NO

Configure git

$ git config --global user.name 'John Doe'
$ git config --global user.email 'john.doe@gmail.cn'
$ git config --global gpg.program $(which gpg)
$ # credential.credentialStore is read by Git Credential Manager, not by git itself, and selects its gpg/pass-compatible store; it does nothing unless GCM is installed
$ git config --global credential.credentialStore gpg
$ git config --global user.signingKey $(gpg --list-keys --with-colons john.doe@gmail.cn | awk -F: '$1 == "pub" {print $5; exit}')
$ git config --global commit.gpgSign true
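Both the export of john.doe.asc and the user.signingKey line above pick the key out of gpg's listing. The gist does it by grepping the human-readable output with grep -P, which macOS grep lacks and which silently takes whatever pub line comes first. The following is an added example, not part of the gist, that does the lookup on gpg's colon-separated listing instead, choosing the key by e-mail address and skipping expired or revoked ones. The listing is read from stdin so the function can be exercised offline; the sample listing at the bottom is constructed for that purpose and does not describe real keys.

```sh
#!/bin/sh
# Added example (not part of the gist): select the signing key by e-mail from
# the machine-readable `gpg --list-keys --with-colons` output. Prints
# "<long key id> <fingerprint>" for the first primary key that is not
# expired/revoked/invalid and carries a uid with the given address.
set -eu

# gpg_key_for_email EMAIL   (listing on stdin)
# Colon format (gpg/doc/DETAILS): field 1 record type, field 2 validity
# (e=expired, r=revoked, i=invalid, n=never valid), field 5 long key id on
# "pub", field 10 fingerprint on "fpr" and user id on "uid". The first "fpr"
# after a "pub" is the primary key's; later ones belong to subkeys and are
# ignored. Output is empty when no usable key matches.
gpg_key_for_email() {
    awk -F: -v email="$1" '
        $1 == "pub" { keyid = ($2 ~ /^[erin]$/) ? "" : $5; fpr = ""; next }
        $1 == "fpr" && fpr == "" { fpr = $10; next }
        $1 == "uid" && keyid != "" && index($10, "<" email ">") > 0 {
            print keyid, fpr; exit
        }
    '
}

# Constructed sample listing (not real keys): an expired key and a current one
# for the same address, in the order gpg prints them.
SAMPLE_LISTING='tru::1:1690000000:1721536000:3:1:5
pub:e:2048:1:0123456789ABCDEF:1600000000:1631536000::u:::scESC::::::23::0:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAA0123456789ABCDEF:
uid:e::::1600000000::0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A::John Doe (GPG) <john.doe@gmail.cn>::::::::::0:
sub:e:2048:1:FEDCBA9876543210:1600000000:1631536000:::::e::::::23:
fpr:::::::::BBBBBBBBBBBBBBBBBBBBBBBBFEDCBA9876543210:
pub:u:2048:1:1122334455667788:1690000000:1721536000::u:::scESC::::::23::0:
fpr:::::::::CCCCCCCCCCCCCCCCCCCCCCCC1122334455667788:
uid:u::::1690000000::0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B::John Doe (GPG) <john.doe@gmail.cn>::::::::::0:
sub:u:2048:1:8877665544332211:1690000000:1721536000:::::e::::::23:
fpr:::::::::DDDDDDDDDDDDDDDDDDDDDDDD8877665544332211:'

# Real use, replacing the two gist commands (not run here: needs gpg and git):
#   key="$(gpg --list-keys --with-colons | gpg_key_for_email john.doe@gmail.cn)"
#   [ -n "$key" ] || { echo "no usable key for that address" >&2; exit 1; }
#   git config --global user.signingKey "${key%% *}"
#   gpg --armor --export "${key#* }" > "${HOME}/.gnupg/john.doe.asc"
```

Using the fingerprint rather than the long key ID for the export avoids picking up a second key whose 64-bit ID happens to collide, which is why the function prints both.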

Tell gpg-agent which terminal to open pinentry on; without it, signing from git fails with gpg: signing failed: Inappropriate ioctl for device. Add the export to your ~/.profile so it applies to every new shell

$ export GPG_TTY="$(tty)"
$ gpg-connect-agent updatestartuptty /bye

Install twine and make Python's keyring library resolve credentials through pass (keyring-pass provides the backend), so that twine reads the PyPI token from the password store

$ python -m pip install -U -qq pip setuptools wheel keyring-pass twine
$ KEYRING_CFG="$(python -c 'import keyring.util.platform_ as p; print(p.config_root())')"
$ KEYRING_DATA="$(python -c 'import keyring.util.platform_ as p; print(p.data_root())')"
$ mkdir -p "$KEYRING_CFG" "$KEYRING_DATA"
$ printf '[backend]\ndefault-keyring = keyring_pass.PasswordStoreBackend\n' | tee "$KEYRING_CFG/keyringrc.cfg" "$KEYRING_DATA/keyringrc.cfg" > /dev/null

keyringrc.cfg is written under both the keyring config root and data root so that whichever location your keyring version reads picks it up. Then store the PyPI API token with keyring set, using the upload URL twine targets (https://upload.pypi.org/legacy/) as the service name and __token__ as the username; that is the pair twine looks up.

Configure Docker

$ mkdir -p "${HOME}/.docker"
$ [ -s "${HOME}/.docker/config.json" ] || echo '{}' > "${HOME}/.docker/config.json"
$ jq --arg helper 'pass' '.credsStore = $helper' "${HOME}/.docker/config.json" > "${HOME}/.docker/config.json.tmp" && mv "${HOME}/.docker/config.json.tmp" "${HOME}/.docker/config.json"

credsStore is merged into the existing config.json rather than overwriting it, since the file also carries other settings. Registry logins made before this change are still in that file as base64 user:password pairs under auths; log out of each registry and log in again so the credentials are re-stored through pass, then confirm that no auths entry still carries an auth value.