@joni2back
Last active September 6, 2018 15:47

What is PGP?

PGP (Pretty Good Privacy, standardised as OpenPGP) is a system for public-key encryption and digital signatures. A PGP key is a keypair that can be used to sign and encrypt different kinds of documents, files and other data; in this guide it is used to sign Git commits.

How does it work?

When you create a PGP key, a keypair is generated: a public key and a private key.
You can share the public key with anyone who wants to verify your signatures or send you encrypted documents or files, but the private key must never leave your control; it is what actually produces the signatures.

Why sign Git commits?

The first reason is to prove that the committer really was you, and to prevent spoofing. Git itself does not authenticate the author or committer fields: it stores whatever name and email the configuration provides.

For example, anyone can create a commit that claims to be by another user, because Git accepts any user name and email:
git config --global user.name 'Bill Gates'
git config --global user.email bill@microsoft.com

With this configuration every commit you make will be attributed to Bill Gates; on GitHub the commit will even be shown with the Bill Gates profile image as the author :)
A signature changes that: only someone holding the private key can produce it, and GitHub marks a commit as verified only when the signature checks out against a public key registered on the account whose verified email matches the committer email.

How to create a PGP key?

Using GnuPG (gpg) you can create a key.
Depending on the version you use gpg --gen-key or gpg --full-generate-key (GnuPG 2.1+; --full-generate-key asks all of the questions below, --gen-key fills some of them with defaults).

  • You will be asked what kind of key you want to generate.
    For Git commits I recommend RSA with 4096 bits.

  • Then it asks for the expiration time; how long you choose depends on how strict you want to be.
    For example you can use 0 to make a key that never expires. An expiring key limits the damage if the private key is ever lost or leaked, and the expiry can be extended later with gpg --edit-key.

  • You will also be asked for your real name and email (use the same email as your Git/GitHub account, otherwise GitHub will not mark your commits as verified).

  • In the end you will need to create the passphrase.
    This is the password that protects the private key on disk, and you will be asked for it whenever you sign something.
    Use a strong passphrase: it is the only thing standing between anyone who copies ~/.gnupg and your signing key, and an offline brute-force attack against a weak one will eventually succeed even if it takes months.

  • Once done, you will see a success message and the key details, like:
    pub 4096R/76886B3B 2018-09-03
    That contains the size (4096 bits) and algorithm (R = RSA), the key ID (76886B3B) and the creation date (2018-09-03).
    Note that 76886B3B is a short (32-bit) key ID. Short IDs are cheap to collide, so prefer the long (64-bit) ID or the full fingerprint when configuring Git; gpg --list-secret-keys --keyid-format long shows the long IDs, and gpg --list-keys lists the public keys.
    The keys are stored by default in ~/.gnupg/ (in your home directory).

  • To get the public key in ASCII-armored format (the form GitHub accepts) run
    gpg --armor --export 76886B3B (76886B3B is the key ID)
    This will output a block of text that starts with
    -----BEGIN PGP PUBLIC KEY BLOCK----- and ends with -----END PGP PUBLIC KEY BLOCK-----

Adding the GPG key to your Git client

Here we need to set the default signing key with git config --global user.signingkey 76886B3B (76886B3B is the key ID; the long key ID or the full fingerprint works too and is safer against key ID collisions).

Adding the GPG key to your GitHub account

You can follow these steps: https://help.github.com/articles/adding-a-new-gpg-key-to-your-github-account/

Making signed commits / merges

Once the PGP key is created and added to your account, every commit you make should include the -S parameter, which tells Git to sign the commit:

git commit README.md -m "Updating readme" -S or git merge develop -S
and you will be asked for the passphrase. A merge is only signed when it actually creates a merge commit (a fast-forward creates nothing to sign), and tags can be signed the same way with git tag -s.

FYI: you can also make Git sign every commit by default with git config commit.gpgsign true (add --global to apply it to all your repositories).

Verifying already signed commits

With git log --show-signature or git log COMMIT_ID --show-signature
you can see the signature details for each commit. To check a single commit, git verify-commit COMMIT_ID exits with a non-zero status when the signature is missing or bad, which makes it usable from scripts, hooks and CI.
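The whole procedure above, from key generation through the forged unsigned commit to signing and verification, as an added runnable example that is not part of the original gist. It assumes gpg (GnuPG 2.1 or newer) and git are installed; "Demo User", demo@example.com, the passphrase and the "Bill Gates" commit are constructed demo values, and everything happens in a temporary GNUPGHOME and repository so your real keyring and Git configuration are untouched. The function names (setup_demo, long_key_id, short_key_id, export_public_key, forge_commit, signed_commit, verify_commit, signature_status, cleanup_demo) are hypothetical helpers written for this demo.

```sh
#!/bin/sh
# Added example, not from the original gist. Runs the procedure unattended:
# generate a key, configure git, forge an unsigned commit, make a signed one,
# and let git verify both. Needs gpg (GnuPG 2.1+) and git on PATH.
# "Demo User", demo@example.com, the passphrase and "Bill Gates" are
# constructed demo values; nothing here touches ~/.gnupg or ~/.gitconfig.
set -eu

setup_demo() {
    WORK=$(mktemp -d)
    export WORK
    export GNUPGHOME="$WORK/gnupg"          # isolated keyring for the demo
    mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"

    # Headless signing: let gpg take the passphrase from a file instead of a
    # pinentry dialog. Acceptable for a throwaway key only; a real key should
    # prompt you (or rely on gpg-agent's cache), never read a file on disk.
    printf 'correct horse battery staple\n' > "$WORK/passphrase"
    chmod 600 "$WORK/passphrase"
    echo 'allow-loopback-pinentry' > "$GNUPGHOME/gpg-agent.conf"
    printf 'batch\npinentry-mode loopback\npassphrase-file %s\n' \
        "$WORK/passphrase" > "$GNUPGHOME/gpg.conf"

    # The answers gpg --full-generate-key asks for interactively (key type
    # and size, expiry, name, email, passphrase) as a batch parameter file.
    cat > "$WORK/key.params" <<EOF
Key-Type: RSA
Key-Length: 4096
Key-Usage: sign
Name-Real: Demo User
Name-Email: demo@example.com
Expire-Date: 1y
Passphrase: correct horse battery staple
%commit
EOF
    gpg --batch --gen-key "$WORK/key.params"

    # Full 40-hex-digit fingerprint of the new key. Git accepts it as
    # user.signingkey, and unlike a short key ID it cannot be collided cheaply.
    FPR=$(gpg --list-secret-keys --with-colons --fingerprint demo@example.com \
          | awk -F: '$1 == "fpr" { print $10; exit }')
    export FPR

    export REPO="$WORK/repo"
    git init -q "$REPO"
    git -C "$REPO" config user.signingkey "$FPR"   # what the gist sets with --global
}

# Long (64-bit) and short (32-bit) key IDs are just the tail of the fingerprint:
# gpg --list-keys --keyid-format long shows the former, the gist's 76886B3B is the latter.
long_key_id()  { printf '%s' "$1" | tail -c 16; echo; }
short_key_id() { printf '%s' "$1" | tail -c 8; echo; }

# The ASCII-armored public key block that gets pasted into GitHub.
export_public_key() { gpg --armor --export "$FPR"; }

# Git stores whatever name and email it is told; nothing proves this is Gates.
forge_commit() {
    git -C "$REPO" -c user.name='Bill Gates' -c user.email=bill@microsoft.com \
        commit -q --allow-empty -m 'Totally legitimate commit'
    git -C "$REPO" rev-parse HEAD
}

# Same repository, but -S makes git call gpg with the configured signing key.
signed_commit() {
    git -C "$REPO" -c user.name='Demo User' -c user.email=demo@example.com \
        commit -q -S --allow-empty -m 'Signed commit'
    git -C "$REPO" rev-parse HEAD
}

# Exit status 0 only for a good signature from a key in the local keyring;
# this is the check to put in a pre-receive hook or a CI job.
verify_commit() { git -C "$REPO" verify-commit "$1" 2>/dev/null; }

# One-letter verdict: G good, N unsigned, B bad, U good but untrusted key, E cannot check.
signature_status() { git -C "$REPO" log -1 --format=%G? "$1"; }

cleanup_demo() { gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$WORK"; }

if [ "${1:-}" = run ]; then
    setup_demo
    echo "fingerprint: $FPR  long id: $(long_key_id "$FPR")  short id: $(short_key_id "$FPR")"
    forged=$(forge_commit); signed=$(signed_commit)
    git -C "$REPO" --no-pager log --show-signature   # the gist's verification step
    echo "forged $forged: $(signature_status "$forged")  signed $signed: $(signature_status "$signed")"
    cleanup_demo
fi
```

Run it with sh demo.sh run. The forged commit is accepted by git without complaint and shows up as N (no signature) in git log --format=%G?, while the signed one shows G and passes git verify-commit; the only thing that separates them is possession of the private key, which is exactly what GitHub's verified badge attests to.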

From the console: (screenshot of git log --show-signature output showing the commit as signed)

From GitHub: (screenshot of the same commit shown as signed on GitHub)

More info

Author

Jonas Sciangula Street
