From 205c931e743bb55a2b73f3ed5f1792930a0c7cad Mon Sep 17 00:00:00 2001 From: Bastian de Byl Date: Fri, 22 Feb 2019 22:28:30 -0500 Subject: [PATCH] Updated about with larger QR code, updated gpg best practices --- content/about.md | 115 ++++++++++++++------- content/post/gpg_best_practices_and_git.md | 68 +++++++----- 2 files changed, 120 insertions(+), 63 deletions(-) diff --git a/content/about.md b/content/about.md index 5bc3ef3..2539cda 100644 --- a/content/about.md +++ b/content/about.md @@ -15,7 +15,7 @@ fingerprint QR-code. Feel free to scan it using the [OpenKeychain](https://www.openkeychain.org/) app! I'll provide it here in-case you are on a mobile device, and my full public key:
-![OpenPGP v4 Fingerprint](/img/pubfpr.png) +![OpenPGP v4 Fingerprint](/img/pubfpr-lrg.png) `70A4 AA02 555D BD55 9189 B4E0 F32B E05E ADAA 54FC`
@@ -23,7 +23,6 @@ you are on a mobile device, and my full public key: {{% admonition info "Public Key" true %}} ``` -----BEGIN PGP PUBLIC KEY BLOCK----- -Version: GnuPG v2.2.13 (GNU/Linux) mQINBFoTpoMBEADDIjRewOTvJBQF4ZxK/LS7yBL0TuU7VbZzEH3s5YKj63P/Rmvx 8/jMm0iop+uiPNo+0imIGYsdfW77bt95I9+kBm27eVf8mDMldMiS/LBCCmnuQ19u @@ -36,45 +35,81 @@ ds1OzX0A5RWzfYLPerx5ssKqHa5n09bq634FNHOXnjr9wQuRpxLmNrBgXWvohpuq E2+ZgdCIh9YmGsjrnlmjPZRUi5Bl/snTYEy422mJ11Mq04IYlS2IW4USxT1iOzt1 nNc+PJ1n921Hy5z9ZG/g0+POrQe9PjCUwlou+2mNutHGvQJNzPOwSq0D7UbFrumi Ak0TZ0QJCLOLG5pREeMuJYkd+SQ/1qTmQ5i9WQY3CmmlGXdM+gD3O0OP7wARAQAB -tCdCYXN0aWFuIGRlIEJ5bCA8YmFzdGlhbmRlYnlsQGdtYWlsLmNvbT6JAk4EEwEK -ADgWIQRwpKoCVV29VZGJtODzK+BerapU/AUCWhOmgwIbAwULCQgHAgYVCgkICwIE -FgIDAQIeAQIXgAAKCRDzK+BerapU/L/+D/0XtboLkk8+f9z0kNO+4Vw/6cQaDFaN -376IBvZneq5lvDV1BjWcsbEnUMFEBDm14hEN5gvsfMT+c+7wS2zYn41rCkhVFV/h -EczuVCWKaCVjeIM9sC8iHbyZgYlrJBU1YKKue1ZC+OIQwScnUu7Ex+b2wze/Unif -471fANTBJcaaulFo92EaDhRWwdvuC0yT5B7qj02Qrpw5Q4udpaWmUE4ZtFFS4+7L -tZ5A39NOntwsIUBZJkWSUj0AdRl2DCq9jEKObibEbPieAkfevkCrkpd4yS+3JQsM -iAsHxNVbs9pPIFQKhwrnJ1XvkekqngTaP8oZ2t0r/Kqg8Fk6WMHJkYMlyP4H59+/ -WVIrRU8+FjrT2GGF37+lM9xk/ebgqarujw3FXOw64HaRkzDYDuZc6yLLjt/qAjP1 -+vcAm1QGaR3t1Xjf9UgEnf3qBeafFcCnxyHzeyNgGewOva4E9xvPWnU3OK49JwJn -rrLmjoWmndPCGTDr4DCLw0Z47Y6eLeEJLuzlnjb3FvJS0D/7FQsU74iY7UcOGNtp -7+sF8LDpGFzfKix6xEMeFPrICxfNOrXj45J7NMIG4/2vVAJwNFTUYh3BMgLta36K -ckkT510Iw9w5m1iazrQoEntmD+/FXMuCGFTvyfAWzUaorQo7e0yHz8b5orBh6bek -FaPznygEozBVc7kCDQRaE6aDARAA1lqJBqZWseKWeIsZCBqm2a56+BSEFuL5aWt+ -pmbuM4udLGexX1kP5+8dYDWQwBC2jXnrCgoaG5ZPkVNSHQ3LObknGhNteNLn3+Mr -pgv/sBSKmo4cDa9wiEgjw/7zlpjmrZoKCgpVSuFigS077EMhsX4YmzZO1J+AxGSr -Wd+DZ3Ye89hcOZqMWW98kjJiEfwFtQfEI2+qRUJ4JyoDjj+znQHJrp2VIloPFvKW -EzArM/ujUYZpP4eaes6/o+iGPwY3qbcnRFeZQLd/CyJFQn4dKVM/7H3VOsJTKnFX -5LfDZgFYXmFsSuzBy7n6UWd6t+6gzbrzhf+UyvM6EBS8gZUCYCuSRP/GoWjoCekD -oxSo510O+JV8nScbf9sV8hGjfy7+j6jngwSltBGrDXEScvK+cQwdAN9YNt+4i9TP -3Hn4GZpC3uq2HSCLX3rmrgT22L1X2QXFKyO1I2S7ksK5DmFQVuV1PR7GgWBLZzx3 -j3I1Q1pZHgv6BXjCj/h70ycgS8Sg20GYedLS+W0PEbd8AKelIOPjthPdQpvBQY8l -3TV7W+7RN3tGpZylhCng28gytoAjbK+IBIXRIQqeq/NYRSgPg9hEjL3ArBKcBlwJ -p6g7/WAuMoTwCMNssNCbK6jKX3IRvztVPdPaQZU5TZMrrb+ZJQtCbDkUArQaFaJG -+C/6X1UAEQEAAYkCNgQYAQoAIBYhBHCkqgJVXb1VkYm04PMr4F6tqlT8BQJaE6aD -AhsMAAoJEPMr4F6tqlT8gMoQAIDp09TEAuDxJuuH5wPOdeV03bsHYcenqhqRY2qV -4lCwUkinJZXzXLrvRwOcKJf23UkdJDQEMggfJc5DLuSgW3qavXBHOQBnGF5Fa2Jo -Cr2eblHg1/SwkSuQ3xh5UCELPwG0xeAoU0aeuncwOtN3Comp9Uo30FPqLzR63pi8 -BCrEY/+f0IhAZggu82l3rbf6pm7sKoucZ12jll6tML+La4qpHLoyrU0clwNylJVz -tWPgfKcpvtbHmMpHLBx5cpuJJQKjuybCB7ODT45xLr/kNkNDb9YJ1DxMuY+sySXX -Bl9exhYmrsYms6+NHxG0w1EmqmGln31JLsjgQVktUuMnFWFTKSO61ZGbnibPmF/Y -RdlRZsjDpetX+VXiFEcgPbYEZBuEz8O1aUK+HCUwBx+a40WNjro90CUk9YZ2s3yR -c1uH47bijOiRLeH5kuDtcEAzqFdvuMAr1BXNejFUPeAEGt8k8fQ0bzGPYICB4Msi -36FPRhHgzA/DpWDKgJ5N3w56RHe7XD96LiHkTp/eyOdgKkM9JY9Q5CoqdJ1q91gT -2NJV6ifF4yeTsCjUhmouuZ+H2Bfi/6XDR1U6ACJq2JYOLa8MZeVlVGgkkeBR6ifv -hRN2IsW1+4Xdb42E0Xjb6QIfbnrWP/4AjiZvVmCYJhLAGgw4ugzJNTx9X5rWKrlW -d65s -=QdhV +tCdCYXN0aWFuIGRlIEJ5bCA8YmFzdGlhbmRlYnlsQGdtYWlsLmNvbT6JAlQEEwEK +AD4CGwMFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AWIQRwpKoCVV29VZGJtODzK+Be +rapU/AUCXHCqDgUJBD43CwAKCRDzK+BerapU/AswEACCY1JDmZPRdpkfNfjuvS/M +SKpHsHwSuNljYVHKGYmVcBGKqA1feZZMBn8bUqKEhmuZNQ6Df6zCximoHKecR7qI +xUi55YkBtwchY66pMF+xAPIxVl9TLgwCJfNmmzbJHU9ZoCwERJD4IsMZOhv2qCzM ++Mbtat8hyCNroFtUPaJu0uR6Wudl9QWKKDLBErZa1caVMSpjXrnUP1U1A7SGqxCw +LbHOm42SyiclNcy2WA7yzGhLq1DviClOdFEk/158fNVimI7zgNwVRtHeOTlF9Klj +PDdp5Ut5UV05R8apA2rvu+PUcTVyfKiUnkaD3cnwL6gORfi4phDXTBEMdntBPToy +K0pPpUms1XJVumOnFrIGNr9jI8LlOScYkL3kIcT3lqDrjjeWEHUlMrSIVe19FfSr +snoA0gZima4fePGi8KviAJLBwKeh5i/vHwF6pdjdIby+Dq5cKvR6qwtJktMMEd12 +FXAIpxDIv0b6nXNsrvGDASHtsdjXYrv4bvFvce0pEUzW0XNCpM0uJsE++DD/mkEP +WxhFDV7+0K4L5unlfcpCP3zN38xlgxcIPMhieckYm1s35FAkMEXd3ei7SvPKrzna +eQ5sq0PmroED51K8SJSahMkcRP5Y47BwknJNVa1fZGJ4lD8uNrTBIqnBGmDizbX1 +lKGAr/F4IojfVM7kEF2strkCDQRaE6aDARAA1lqJBqZWseKWeIsZCBqm2a56+BSE +FuL5aWt+pmbuM4udLGexX1kP5+8dYDWQwBC2jXnrCgoaG5ZPkVNSHQ3LObknGhNt +eNLn3+Mrpgv/sBSKmo4cDa9wiEgjw/7zlpjmrZoKCgpVSuFigS077EMhsX4YmzZO +1J+AxGSrWd+DZ3Ye89hcOZqMWW98kjJiEfwFtQfEI2+qRUJ4JyoDjj+znQHJrp2V +IloPFvKWEzArM/ujUYZpP4eaes6/o+iGPwY3qbcnRFeZQLd/CyJFQn4dKVM/7H3V +OsJTKnFX5LfDZgFYXmFsSuzBy7n6UWd6t+6gzbrzhf+UyvM6EBS8gZUCYCuSRP/G +oWjoCekDoxSo510O+JV8nScbf9sV8hGjfy7+j6jngwSltBGrDXEScvK+cQwdAN9Y +Nt+4i9TP3Hn4GZpC3uq2HSCLX3rmrgT22L1X2QXFKyO1I2S7ksK5DmFQVuV1PR7G +gWBLZzx3j3I1Q1pZHgv6BXjCj/h70ycgS8Sg20GYedLS+W0PEbd8AKelIOPjthPd +QpvBQY8l3TV7W+7RN3tGpZylhCng28gytoAjbK+IBIXRIQqeq/NYRSgPg9hEjL3A +rBKcBlwJp6g7/WAuMoTwCMNssNCbK6jKX3IRvztVPdPaQZU5TZMrrb+ZJQtCbDkU +ArQaFaJG+C/6X1UAEQEAAYkCPAQYAQoAJgIbDBYhBHCkqgJVXb1VkYm04PMr4F6t +qlT8BQJccKoWBQkEPjcTAAoJEPMr4F6tqlT8VNQP+gN+pGZ7R42uLoqLb0746vrV +62kGb7kgWIa9/vxzRNA+ud6mtHs983QaOzNow/2uFFsi3EtZ+t5SKbDUpTtaqI+8 +Q8VGJzx0P2qZVKNbHYfvW0Udn9axoXdMeiwCOvRPsqXQKSEaihWtQT5RzcVwJu7Y +LOWI36hH6tpbx3+yMz22+bXWfLw7Em/1JObS/19WonsfwSAKLaAIyGnQadralzNa +DKQil3Uj0BW6dbYMOuPZF/YoXIr9yQtJsUhInuYkbUGKBjB5dvTLSl1p8Gk2/3Ou +MAfYCF81wDKgtTGJ2NYxi8hALKcDPS+vq4hilhPvfa3hXV0An0viXnsABxQY+xB9 +/BdYMp0VuuCWY51HSljKj2skL92fB1QhMAu/Fz2fHRdn2IWKr7PEH92rufdRanw2 +fGNPH6aOTBdD/G1XQ5S+vQs/gy8VsvlzUc32ntwfygBdA68WQvHqNrgY9PCQ2oqg +BjixZ178jTv9PW8SFPZBg5dEb7p6RG2ErSmjzCQbXnvKx1lHGTy/MMBdU/qq9GCo +gM5PsYAnjCs8x9XNxpnqFuYQT/z6OLYuLzDY795eLRzYB2rJYz6aBp80Ry6h7QwB +6mfGI4O7rqaOW2+hxAfwcoAYvYjRFRQq/TbHJGPMVim3YW0+JII2DYnpIQ2WGjnx +K9KToYW84EkYowriS/ZFuQINBFxwqh0BEADNCoVsNHTXHC1zp0uwciILDJ8GSihs +zIFQkffnbAkP39F0ugdDLM6zvZheWKgw7cu5ddVZ8S6riN+uqIOYBc91enI92kXi +vVvPIVtfQWihSjvR4aPXi9hZUG8VpYL+uyN8hVcv+gqewyjEAQaHVVMiNGijX2QO +X/OigW3n5pcOJt0pjMMs66ZN2M9PRxCDoKbr9hJuONoccgxZik9iy9J1lEeQRSm5 +MjaQvUH5t3Ti/4knnMZ6yDzud3gWboDcQSTvFRbRkO+7mZ9vXRVEQ59Ox/Nr8TD7 +pRo9GFw4fIiJHyGRHFvfxXMNPs1eaqVRAp+VjdbKDn8MXt2Vwu/SAnx3vCajYXQC +6cr2rTgZEHQeOiv7nvCjLSHUSyCBhKVPqiRKV7SkkTGtncHVraW2QJYGqLv84bdM +BVIhGZi0yUAOM85HgXD/EU2LsKUn6IXR+jF8mKPvKELx8p/KJoUy9zlpi08znsPE +hgZ4zGIER2NMAcqX5B/4OjbRGu4eLIBe6OkH1r/Jb2jhGqvgEXAA9R2G96kj6qYZ +aU3QdHXHg6Jk281XFHIIHZrvRWe9fdPdB0JKcZBDHCZURCvR60wasXa4JGtwwsbL +2YZIYltFf1DPt4cYIi5FUCqsY7bAtBJzhvfVWDIAAyafov5iikK9JS9jYOAwdXv4 +6Lt17lkoeXDx7wARAQABiQRyBBgBCAAmFiEEcKSqAlVdvVWRibTg8yvgXq2qVPwF +Alxwqh0CGwIFCQHhM4ACQAkQ8yvgXq2qVPzBdCAEGQEIAB0WIQS108zp70t1/tr8 +fBOy3P6/h1lTogUCXHCqHQAKCRCy3P6/h1lTohOvEACYFk8GRTwFkTCsMD6Wyfw9 +ia5doD1AhxFQKm3Xyis3UdvfxiUDjgN5EZLhSJGsXaIEbug7CUCKnBIYDu6fP+v/ +y4lvpKNqxJkpIIesbr9KMm73UQVL/kdbw2GYWUWecSeQH1joItL6JXlw4Jn7b9Oj +e/J0DF73/RMHfj322EquLLvjlIcuR+ImXHH4vy5eJJvzvDYUAnFBNR1/PjHf21zI +3YgApiRs4XpCieBC0TBfNJLJaWHTuBVnsSZ6BM6H3LghL8ca1EWsob1c1G0qUqni +O3rjmmZbbx7qF7tYV6974wx7vMxTCYmqyfVRP35RjKSbkT2Y3G9+opFOuixdOA3C +x3eXcGeIQEBQTZG5TQj9zcf/Hq0YJMxGQQHDzaEvn4MpnHKvJchelgyZGBjJ+u9O +zjjJ2nthb6EciYP5h1X29jeFGsCJAJBYzLTJZLiYDwYdgJzpz4fdW66G2kh+8Rfv +4Ai5q4oDQQL8PO+mXd2X8Wmr2ZvPvEgA70HrZxlO5v0ekGGCKBSeyRrBSKbtqzDD +54pHB1bf8QXmYG7fi0vC3xYAUPXfkFif/8dLor6MVcAzy2zgY+8Vxt++W9Fqm2OB +CZJwmBkMPMJAnQbjPQbNLGrbeXuA/QPYL/RC7/mQRyLpDWGsSy7GCoFmUVk8IxuM +jFqjmav/2fixclffKf7CEqP7D/9Qoos+nr7WiQPa9yW4a8LDkm/KR6Jl5zZZAGsE +K+yqkEBHrmCNd8Q8i67b1xXCRNJHxXvoBhV1Ct/pEJ9mPgvjbyh/6TrhKN2u7fBn +jwEHPKOeWtBD/+45Rvi0woDBrjqg74ZP2BK089RyWE6MMufsTg1Yw1yPyEFCn+DQ +3shX1+ebtP62yBh6sYozq/zhNfCHUgqmWbnmc2UFZ+tGi9UiEMTwcjB1QimnBt4c +GllJ+HHo8I14v+LMiVC+6z1YiTY7HZi7hWmujAc26bi/NaFSDj8NFoTSYDVRDL9o +SkjedttjNbNskNxCqNsiCINI+9XfwE6UWtTDIvWrE8uLr06em9Rq2mn5ZOdoJ+7i +ZTtVDwlsBjjSDML+pOiKDLh2c1TvvNVBexGfsDlnqO0VFYt0lztWJV6yZqHrgW2A +XEJwxgd6GqnYx3gSmrZIvU7HJaumrURCp1TbIyxIF52aNSF5UNrfgZmmxY26ui8Z +azCSBJyi6EnE9kDYJVRyfk260VQ54K+jsqJW3bUuGa+9Fn9ZVRXnVVguizDlpqn3 +jkxFiRR9iFiPaRnGk5NjJLgymfa166VZBn9YzNS9T0hHqrdFxhsebfLNtdUbMdd4 +sZQNaO9sqwN7NSafZ16x97GH5Tsqk2cSRcMy0wKw2QQzMz7f8GS7Es7nbNikN7m1 +XsiDHQ== +=yi65 -----END PGP PUBLIC KEY BLOCK----- + ``` {{% /admonition %}} diff --git a/content/post/gpg_best_practices_and_git.md b/content/post/gpg_best_practices_and_git.md index 5da56ad..4f30585 100644 --- a/content/post/gpg_best_practices_and_git.md +++ b/content/post/gpg_best_practices_and_git.md @@ -1,44 +1,61 @@ --- title: "OpenPGP Best Practices (and Git)" date: 2019-02-17 -lastmod: 2019-02-18 +lastmod: 2019-02-22 categories: ["Blog"] tags: ["linux"] --- I decided to start signing my Git commits for personal, and work Git repositories. Currently, most third-party Git repository hosts only support -signing commits, but **do not** support signing pushes. +signed commits and **do not** support signed pushes. -That being said, I've added my public key to my -[GitLab](https://gitlab.com/bdebyl), and set the global config to use my key, -and sign all of my commits: +That being said, I have added my public key to my +[GitLab](https://gitlab.com/bdebyl), and set the global config to use my signing +key, and sign all of my commits. ```bash -git config --global user.signingKey ADAA54FC +git config --global user.signingKey 875953A2 git config --global commit.gpgSign true ``` -_Note: I am using git version `2.20.1` in the above example._ + +For reference, I am directly referencing the subkey ID I use for **signing only** +denoted by `[S]`: +``` +pub rsa4096/ADAA54FC 2017-11-21 [SC] [expires: 2020-02-23] +uid Bastian de Byl +sub rsa4096/A72FC2F1 2017-11-21 [E] [expires: 2020-02-23] +sub rsa4096/875953A2 2019-02-23 [S] [expires: 2020-02-23] +``` +Note: _I am using git version `2.20.1` in the above example._ + # Getting Started with OpenPGP It is recommended to read through the [Getting Started](https://www.gnupg.org/gph/en/manual/c14.html) page on the -official GnuPG website. However, I would **strongly** recommend using the -`--full-gen-key` option in place of the `--gen-key`. This will allow you to -specify additional details about your key, such as using a 4096-bit RSA key. +official GnuPG website. It is also **strongly** recommend to use the +`--full-gen-key` option in place of `--gen-key`. This will allow you to specify +additional details about your key, such as using a 4096-bit RSA key. Lastly, +create a separate subkey for **signing only** -- read more about that +[here](https://wiki.debian.org/Subkeys). # OpenPGP Keyserver Pool -In addition to that, there came the addition of using the -[SKS Keyserver Pool](https://sks-keyservers.net/overview-of-pools.php) for -sending and receiving keys for OpenPGP. This can be done by obtaining the CA and -verifying the signature on the -[HKPS Pool Verification](https://sks-keyservers.net/verify_tls.php) page. +As of GnuPG version +[2.1.11](https://github.com/riseupnet/riseup_help/issues/294#issuecomment-192913705), +the `hpks.pool.sks-keyservers.net` CA certificate is installed and made use by +default meaning there is nothing to do. + +However, if you are using older versions then obtain the CA and verify the +signature. Instructions can be found on the +[HKPS Pool Verification](https://sks-keyservers.net/verify_tls.php) page or by +reading further below. ## Verification +To verify and retrieve the necessary keys to do so (automatically, if possible): ``` gpg --auto-key-retrieve --verify sks-keyservers.netCA.pem.asc sks-keyservers.netCA.pem ``` -The output received was as follows: +The expected output: ``` gpg: Signature made Wed 30 Mar 2016 11:06:29 AM EDT gpg: using RSA key 250B7AFED6379D85 @@ -59,8 +76,12 @@ Primary key fingerprint: 94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3 ## Adding the HKPS Pool CA Once the signature has been verified, the CA can be moved over to -`/usr/share/ca-certificates` to add to your CA certificates via `sudo -update-ca-trust` (_Arch_) or `sudo update-ca-certificates` (_Debian/Ubuntu_). +`/usr/share/ca-certificates` to update the list of trusted CA certificates. Do +this via: + ++ `sudo update-ca-trust` (_Arch_) ++ `sudo update-ca-certificates` (_Debian/Ubuntu, RHEL_) + {{% admonition tip "CA Path" %}} On my system the full path to the CA certs is: @@ -102,10 +123,11 @@ keyserver-options no-honor-keyserver-url --- # More Information -There is a whole load of information on -[OpenPGP Best Practices](https://riseup.net/en/security/message-security/openpgp/best-practices). -A few noteworthy points worth exploring: +The +[OpenPGP Best Practices](https://riseup.net/en/security/message-security/openpgp/best-practices) +page is a good resource for finding out more on best practices. A few points +worth exploring, that I personally recommend: -- **Keep an encrypted backup of your secret key** -- Have a separate subkey for signing +- Keep an encrypted backup of your secret key - Keep your primary key entirely offline +- Have a separate subkey for signing