`sudo apt install git gnupg gpg -y`
Why did I put this together? This information came from different places, but I did not find it all in one place, so I collected it here. I take no credit for it.
Generate new gpg key
`gpg --gen-key`
Steps:
- Enter the email address; make sure it is the verified email address at your git provider
- No expiration
- Add a passphrase if you prefer
If you are also going to use a Yubikey, install their library: https://github.com/Yubico/libfido2
- Plug your Yubikey into USB
- Type `gpg --card-edit` and the information from the card should appear; you now have access to it
- Enter admin mode by typing `admin`
- (Optional) You can change the user password (PIN) and the Admin PIN by typing `passwd`
- Generate a gpg key by typing `generate`
- Whether you want an off-card backup is your own choice
- If there is already a key on the card and you try to generate another, it will offer the option to replace it or not
- Type `0` so the key does not expire, and `y` to confirm
- Identity: set exactly what you used at the git provider, then press `O` for Okay
- It will show you the paths it created for the backup and the rest
- To quit card-edit, type `quit`
- Type `gpg --card-status` to show all the information; it will include data from the newly generated key. Each key you see is also an identifier: there is a signature key, an encryption key and an authentication key, though the authentication key has no use for commit signing
- Now continue with the steps below, starting from the armor export command
(Optional): You can import a gpg key into the card, but it is one way: you cannot get it back out. Also, if you lose the Yubikey you obviously lose the gpg key, so back it up if you go this way.
- Type `gpg --edit-key <KEY_ID>` (or `<EMAIL>`)
- It will show the secret key; select it by typing `key 0` and move it with `keytocard`
- Type `y` to confirm the move
- Type `1`, which uses the signature key slot
- Now type `key 1`; it will show a `*` next to the selected sub key, then type `keytocard`
- Type `2` for the encryption key slot
- If you list the keys with `gpg --list-keys`, that key will have a `>` on the right side, indicating that it is stored somewhere else
After the key is created and you are back at the prompt, copy your key id <KEY_ID> (without the < and >):
/home/username/.gnupg/secring.gpg
-------------------------------
pub 4096R/<KEY_ID> 2023-05-01
uid User Name <username@provider.com>
ssb 4096R/62E5B29EEA7145E 2023-05-01
List generated keys
`gpg --list-secret-keys --keyid-format LONG`
Export the (public) key that you specify in ASCII-armored format
`gpg --armor --export <KEY_ID>` (or `<EMAIL>`)
Additionally, you can add `--output pubkey.asc` to the command above to write the key to a file.
Now add it to GitHub or whatever provider you use. Follow the steps from the URL below if you do not know how.
Note: You can also enable "Flag unsigned commits as unverified" on the keys page in GitHub, if you prefer.
Configure git so it auto-signs with your key
git config --global user.signingkey <KEY_ID>
git config --global commit.gpgsign true
git config --global tag.gpgSign true
git config --global tag.forceSignAnnotated true
git config --global gpg.program $(which gpg2)
Note: There is a setting that should not be used by default; at least GitHub does NOT support signed pushes. If you want to test it, type `git config --global push.gpgSign true`; if it fails, set it back to `false`.
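Once signing is configured, the check a defender wants is whether the commits in a repository actually carry a good signature from the expected key. The script below is an added example, not part of the original notes: it parses the `%G?` and `%GK` placeholders of `git log`, and the sample log, hashes and key id `ABCDEF0123456789` (standing in for your `<KEY_ID>`) are constructed.

```shell
#!/bin/sh
# Added example (not part of the original notes): after enabling
# commit.gpgsign and user.signingkey, confirm that commits really carry a
# good signature from the expected key. git's %G? placeholder gives one
# status letter per commit: G good, U good/untrusted key, X good/expired
# signature, Y good/expired key, R good/revoked key, B bad, E cannot be
# checked, N no signature. %GK is the signing key id (empty when unsigned).

# classify_sig_lines EXPECTED_KEY
# Reads "<hash> <status> <keyid>" lines on stdin, as produced by
# git log --format='%H %G? %GK', prints "ok <hash>" or "FAIL <hash> <why>"
# per commit and returns 1 if any commit fails the check.
classify_sig_lines() {
    expected_key="$1"
    rc=0
    while read -r hash status keyid; do
        [ -n "$hash" ] || continue
        case "$status" in
            G)
                if [ "$keyid" = "$expected_key" ]; then
                    echo "ok $hash"
                else
                    echo "FAIL $hash signed by unexpected key ${keyid:-?}"
                    rc=1
                fi ;;
            U|X|Y|R) echo "FAIL $hash good signature but key untrusted/expired/revoked ($status)"; rc=1 ;;
            B)       echo "FAIL $hash bad signature"; rc=1 ;;
            E)       echo "FAIL $hash signature could not be checked (public key missing?)"; rc=1 ;;
            N)       echo "FAIL $hash not signed"; rc=1 ;;
            *)       echo "FAIL $hash unknown status '$status'"; rc=1 ;;
        esac
    done
    return "$rc"
}

# check_signed_commits EXPECTED_KEY [GIT_LOG_RANGE]
# Runs the same check against a real repository (default: last 20 commits).
check_signed_commits() {
    git log --format='%H %G? %GK' "${2:--n20}" | classify_sig_lines "$1"
}

# Constructed sample log (fake hashes and key ids) standing in for real output.
EXPECTED_KEY=ABCDEF0123456789
SAMPLE_LOG='aaaa1111 G ABCDEF0123456789
bbbb2222 N
cccc3333 G 1111111111111111
dddd4444 U ABCDEF0123456789'
printf '%s\n' "$SAMPLE_LOG" | classify_sig_lines "$EXPECTED_KEY" || echo "some commits failed the signature check"
```

Run `check_signed_commits <KEY_ID> main..HEAD` inside a repository to check a real range; a commit signed by any other key, or not at all, is reported as FAIL.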
Edit or create `~/.gnupg/gpg-agent.conf` and add a way for the gpg agent to remember your passphrase for 12 hours (values in seconds; max-cache-ttl must not be lower than default-cache-ttl, otherwise it caps the default):
default-cache-ttl 43200
max-cache-ttl 43200
You can check whether gpg-agent is running; if it is not, start it:
`gpg-agent --daemon`
If you need the key on another machine, you can export the secret key:
`gpg --output gpgseckey.gpg --armor --export-secret-key <KEY_ID>`
Import the public and secret keys on the other machine:
`gpg --import ~/gpgpubkey.gpg`
`gpg --allow-secret-key-import --import ~/gpgseckey.gpg`
Legend
sec - Secret key
SC - Signing and Certifying (capabilities)
ssb - Secret sub key
E - Encrypting (capability)