The following guide covers the steps to generate GPG keys on a YubiKey, use those GPG keys to sign GitHub commits, and publish the public GPG key to Keybase.
Why is this a good idea?
- Generating and storing GPG keys on a YubiKey allows the private key to be protected and ported between physical machines.
- Signing git commits adds an extra layer of verification that code changes originated from a trusted source.
- Using a YubiKey + touch-to-sign requires a physical presence to use the GPG signing key.
- GitHub supports restricting commits to a repo to only those that are signed.
- Putting a physical stamp on your code commits invokes a feeling of pride.