Days are not good, NSA or other Governmental agencies can add vulnerability on your patches, repo which many peoples may use. It is Not Safe to Commit All on VPS or Cloud Server Hosted Git Without Signing At All. Here is How to Sign Git, Github Commits With GPG For Security. Previously we talked about GNU PG, GPG on Facebook (do not laugh, Facebook about page is ONLY for showing your Public Key), OS X GNU PG tricks (it is actually possible even on most vulnerable unix like OS to encrypt), KeyBase.io, Git etc. Today will be combined application of everything. We are showing method on the vulnerable OS X.
What Commits to Sign For Git, Github With GPG?
Whatever a part of bigger user base or chance of using, it is near mandatory to sign. When a repo is not used but kept as fork for many months, one must think to make them gzip to add password. Ask the users to ask to temporarily publish a copy. Most important part is that – one must not enable automatically signing on own computer. It is just bad idea and only gives a tag. The computer itself can become vulnerable. All files for others’ usage better to be signed.
How to Sign Git, Github Commits With PGP For Security
MIT has SKS running for providing OpenPGP key server service on https://pgp.mit.edu, GNU has own public server. KeyBase is kind of same but has some work in the danger zone of GUI based social networks. That basically makes it practical for ordinary works. You can signup for KeyBase.io. If you need KeyBase Invitation, simply ask me on Twitter. SKS is an OpenPGP key server, obviously free software whose goal is to provide easy to deploy, decentralized, and highly reliable synchronization. You can run SKS on your server too, it is optional. In very basic and most powerful way, only :
---
1 | git tag -s |
on a commit does the job. Github has guide on how to :
1 | https://help.github.com/articles/signing-commits-using-gpg/ |
How to Sign Git, Github Commits With PGP For Security For Too Much Lazy
It is possible to setup Keybase.io, GPG & Git to automatically sign commits on GitHub. But really that is somewhat compromised on security part. We use tools for GPGMail from gpgtools.org. That OS X GNG tool is just helpful. You need to have KeyBase account for this guide.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 | keybase login brew update brew install gpg keybase git gpg-agent pinentry-mac gpg --gen-key keybase pgp gen --multi gpg --list-secret-keys --keyid-format LONG # read https://help.github.com/articles/telling-git-about-your-gpg-key/ to see which # part of the key is used # 3AA5C34371567BD2 is example git config --global user.signingkey 3AA5C34371567BD2 # we can run to see keybase pgp export # you are likely to get prompt for having more than 1 key # go to https://github.com/settings/keys # click "New GPG key" there # 3AA5C34371567BD2 is example # run keybase pgp export -q 3AA5C34371567BD2 > ~/gpg-key.txt cat ~/gpg-key.txt # copy that # paste it on Github's "New GPG key" and save nano ~/.gnupg/gpg-agent.conf |
On that ~/.gnupg/gpg-agent.conf file, add these 3 lines :
1 2 3 | use-standard-socket pinentry-program /usr/local/bin/pinentry-mac allow-loopback-pinentry |
There is another file – ~/.gnupg/gpg.conf. Your file should have these uncommented like mine :
1 2 3 4 5 6 7 8 9 10 11 12 13 | # 3AA5C34371567BD2 is example default-key 3AA5C34371567BD2 no-tty require-cross-certification auto-key-locate keyserver keyserver auto-key-locate keyserver hkps://hkps.pool.sks-keyservers.net comment GPGTools - https://gpgtools.org cert-digest-algo SHA512 default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed personal-digest-preferences SHA512 SHA384 SHA256 SHA224 no-emit-version keyserver hkps://hkps.pool.sks-keyservers.net keyserver-options auto-key-retrieve |
Run these commands :
1 2 3 4 5 6 | # 3AA5C34371567BD2 is example git config --global user.name "John Doe" git config --global user.email johndoe@example.com git config --global user.signingkey 3AA5C34371567BD2 git config --global commit.gpgsign true git config --global tag.gpgsign true |
That git config --global writes to ~/.gitconfig file. If you run this command :
1 | git config user.name |
You will your name. You can do many funny things with that ~/.gitconfig file, here is a gist as example. Complete the current project first.
