4.2 KiB
title, date, lastmod, categories, tags
| title | date | lastmod | categories | tags | ||
|---|---|---|---|---|---|---|
| GPG Best Practices (and Git) | 2019-02-17 | 2019-02-17 |
|
|
I decided to start signing my Git commits for personal, and work Git repositories. Currently, most Git third-party services only support signing commits, but do not support signing pushes. Regardless, it would still be considered good Currently, most Git third-party services only support signing commits, but do not support signing pushes. Regardless, it would still be considered good practice to start signing commits. practice to start signing commits.
That being said, I've added my public key to my GitLab, and set the global config to use my key, and sign all of my commits:
git config --global user.signingKey ADAA54FC
git config --global commit.gpgSign true
Note: I am using git version 2.20.1 in the above example.
Getting Started with OpenPGP
It is recommended to read through the
Getting Started on the official
GnuPG website. However, I would strongly recommend using the --full-gen-key
option in place of the --gen-key. This will allow you to specify additional
details about your key, such as using a 4096-bit RSA key.
OpenPGP Keyserver Pool
In addition to that, there came the addition of using the SKS Keyserver Pool for sending and receiving keys for OpenPGP. This can be done by obtaining the CA and verifying the signature on the HKPS Pool Verification page.
Verification
gpg --auto-key-retrieve --verify sks-keyservers.netCA.pem.asc sks-keyservers.netCA.pem
The output received was as follows:
gpg: Signature made Wed 30 Mar 2016 11:06:29 AM EDT
gpg: using RSA key 250B7AFED6379D85
gpg: key 0B7F8B60E3EDFAE3: 1214 signatures not checked due to missing keys
gpg: key 0B7F8B60E3EDFAE3: public key "Kristian Fiskerstrand <kristian.fiskerstrand@sumptuouscapital.com>" imported
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 2 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 2u
gpg: Total number processed: 1
gpg: imported: 1
gpg: Good signature from "Kristian Fiskerstrand <kristian.fiskerstrand@sumptuouscapital.com>" [unknown]
gpg: aka "Kristian Fiskerstrand <kf@gnupg.net>" [unknown]
gpg: aka "Kristian Fiskerstrand <k_f@gentoo.org>" [unknown]
gpg: aka "Kristian Fiskerstrand <kf@sumptuouscapital.com>" [unknown]
gpg: Note: This key has expired!
Primary key fingerprint: 94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
Subkey fingerprint: B4EA D120 C7F8 9A4A EA47 2707 250B 7AFE D637 9D85
Adding the HKPS Pool CA
Once the signature has been verified, the CA can be moved over to
/usr/share/ca-certificates to add to your CA certificates via sudo update-ca-trust (Arch) or sudo update-ca-certificates (Debian/Ubuntu).
GnuPG Versions >2.1
Two following parameters should be added to your ~/.gnupg configs:
gpg.conf:
keyserver hkps://hkps.pool.sks-keyservers.net
dirmngr.conf:
hkp-cacert /etc/ca-certificates/path/to/CA.pem
GnuPG Versions <2.1
gpg.conf:
keyserver hkps://hkps.pool.sks-keyservers.net
keyserver-options ca-cert-file=/path/to/CA/sks-keyservers.netCA.pem
{{% admonition tip "CA Path" %}} On my system the full path to the CA certs is:
/etc/ca-certificates/extracted/cadir/sks-keyservers.net_CA.pem{{% /admonition %}}
Optional - Ensure keys refreshed through keyserver
To ensure no keys are pulled from insecure sources, or that an attacked would
not be able to designate a keyserver they control, it is recommended to add the
following additional parameter to the above gpg.conf file:
keyserver-options no-honor-keyserver-url
More Information
There is a whole load of information on OpenPGP Best Practices. A few noteworthy points worth exploring:
- Keep an encrypted backup of your secret key
- Have a separate subkey for signing
- Keep your primary key entirely offline