Quick setup GitHub Keybase.io PGP signed/verified commit

With recent cybersecurity scandals over user modules written in Python and other languages, it’s past time to employ signed/verified commits at GitHub. PGP IDs can be readily tied between GitHub, online personality at Twitter, website, etc. via the free Keybase.io service. (contact me for a Keybase.io invite if needed).

This process assumes an existing Keybase.io ID.

  1. Install the Keybase.io client on your laptop.
  2. Import the Keybase public key into GPG:
    keybase pgp export | gpg --import
    
  3. Import the Keybase private key into GPG:
    keybase pgp export --secret | gpg --allow-secret-key-import --import
    
  4. Verify:
    gpg --list-secret-keys --keyid-format LONG
    

    One of the first lines will look like:

    sec   rsa4096/05F2BD2A525007DF
    

    Copy the hexadecimal part after the /. This is the long key ID, the public reference to the Keybase.io keypair. It’s shown on the Keybase.io public profile, next to the key icon.

  5. Add one or more GitHub-verified email addresses as user IDs on the key. At least one of them MUST match the [user] email in ~/.gitconfig, or “Unverified” warnings appear on GitHub commits! For this example I use my GPG public key ID; you use yours.
    gpg --edit-key 05F2BD2A525007DF
    

    This starts an interactive GPG session. Type

    adduid
    

    and enter the name and the email address, which must exactly match the GitHub-verified email address. I also add the @users.noreply.github.com fake email that I always use to avoid spam. Do adduid twice: once for the real GitHub-verified email address and again for the github_username@users.noreply.github.com fake email.

  6. Set the owner trust from the GPG> prompt:
    trust
    

    Since it’s your own key, perhaps a trust level of 5 (ultimate) is appropriate. Type

    save
    

    to save the changes, which may not show up until you exit and re-enter the GPG> prompt.

  7. Configure Git to use this key (after exiting the GPG> prompt):
    git config --global user.signingkey 05F2BD2A525007DF
    
    git config --global commit.gpgsign true
    

    Check ~/.gitconfig: you should see signingkey under [user] and gpgsign under [commit].

  8. Add the GPG public key to GitHub: copy and paste the output of this command into the GitHub “New GPG key” form (under Settings, SSH and GPG keys).
    gpg --armor --export 05F2BD2A525007DF
    
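As an added check (not part of the original post), the following Python script parses a listing in the format of step 4 and confirms, before you push, that the configured signingkey actually exists as a secret key and that the Git user.email is one of that key's UIDs, the two conditions behind the Unverified warning in step 5. The listing, names and addresses are constructed samples; only the key ID is the one used above.

```python
import re
from typing import Dict, List, Optional

# Constructed sample shaped like `gpg --list-secret-keys --keyid-format LONG`
# output (GnuPG 2.x). The key ID is the one from the post; UIDs are made up.
SAMPLE_LISTING = """\
sec   rsa4096/05F2BD2A525007DF 2017-01-15 [SC]
      0000000000000000000000000000000000000000
uid                 [ultimate] Jane Example <jane@example.org>
uid                 [ultimate] Jane Example <janeexample@users.noreply.github.com>
ssb   rsa4096/0123456789ABCDEF 2017-01-15 [E]
"""

# "sec   rsa4096/<16 hex>" -> capture the long key ID after the slash.
SEC_RE = re.compile(r"^sec\s+\S+/([0-9A-F]{16})")
# "uid   [trust] Name <email>" -> capture the address inside the angle brackets.
UID_RE = re.compile(r"^uid\s+(?:\[[^\]]*\]\s+)?.*<([^>]+)>")


def parse_secret_keys(listing: str) -> Dict[str, List[str]]:
    """Map each long key ID to the (lower-cased) e-mail addresses of its UIDs."""
    keys: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for line in listing.splitlines():
        m = SEC_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = []
            continue
        m = UID_RE.match(line)
        if m and current is not None:
            keys[current].append(m.group(1).lower())
    return keys


def check_signing_setup(listing: str, signingkey: str, user_email: str) -> List[str]:
    """Return the problems that would make `git commit` fail to sign or make
    GitHub show "Unverified"; an empty list means the setup is consistent."""
    keys = parse_secret_keys(listing)
    key_id = signingkey.upper()
    if key_id not in keys:
        return [f"user.signingkey {signingkey} matches no secret key in GPG"]
    if user_email.lower() not in keys[key_id]:
        return [f"user.email {user_email} is not a UID on key {key_id}; "
                "add it with adduid and verify it on GitHub"]
    return []
```

Run it against the real listing by replacing SAMPLE_LISTING with the output of step 4 and the two arguments with the values from `git config user.signingkey` and `git config user.email`.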

Verify

Make a git commit after the procedure above, and see the signature notes:

git log --show-signature

The signature block for each signed commit will start with

gpg: Signature made

Temporarily disable signing

If you temporarily lose access to your GPG passphrase, you won’t be able to git commit, because every commit now requires the key. A temporary workaround is to edit ~/.gitconfig to have

[commit]
    gpgsign = false

Alternatively, if you prefer not to sign by default (leave commit.gpgsign unset or false), you can sign individual commits with

git commit -S

Note that’s a capital S.

Written by Michael Hirsch, Ph.D.
