Cross posted from my blog's RSS feed at shermisaurus.xyz
First things first you might be familiar with GitHub a VCS but well keybase, what the heck it is? Well quoted directly from keybase.io's docs:
The central function of Keybase is to store, in a standardized format, public signatures for our users
Also from Wikipedia:
Keybase is a key directory that maps social media identities to encryption keys in a publicly auditable manner. Keybase offers an end-to-end encrypted chat and cloud storage system, called Keybase Chat and the Keybase filesystem respectively.
In this very first Tooling Saturday article we'll learn how to use keybase to make our own public encryption key which will hold all our social media identities like GitHub, Reddit, Twitter etc. The key that Keybase makes is called a PGP key. Know more on relation of PGP and GPG in this article's footer.
PGP Keys as defined on Wikipedia goes as:
Pretty Good Privacy is an encryption program that provides cryptographic privacy and authentication for data communication. PGP is used for signing, encrypting, and decrypting texts, e-mails, files, directories, and whole disk partitions and to increase the security of e-mail communications
In current scenario PGP and thus derived GPG keys uses are not only limited for email communications but used extensively across source control platforms like GitHub for signing commits and thus verifying to repositories owners that commits are coming from a trusted source and are verified.
Manual methods do exist for making GPG keys in command line but in this article we'll make our keys in an easy to eyes GUI interface provided by keybase.io.
We'll use our PGP keys generated from Keybase to add to out GitHub commits and verified Git signatures on our local workstations. We can also use these keys for many other purposes but well those would be for later tooling articles when I found some integration with these cool enough. My all eyes are on making a U2F and FIDO2 based security key for unlocking our laptops with physical pen drives without hassle of entering passwords. I've heard it improves boot times as well.
_ Grabbing your PGP key from keybase: _
- Signup for a keybase.io account here
- You can install apps from the page for platform of your choice. The program installs keybase CLI utility on the fly as well.
- Set up identities on various media platforms by following the on screen instructions, y'all can do that.
- Add your PGP fingerprint at last after verifying all the identities in the same column.
_ Adding GPG key to your GitHub and git: _
- Fire up your terminal application given you've keybase application installed and configured on your workstation.
Import the private key
keybase pgp export -s | gpg --allow-secret-key-import --importDuring this command, you may be asked by keybase to authenticate and create a passphrase for the key.
Something like this comes up
/home/shermisaurus/.gnupg/pubring.kbx ------------------------------------------ sec rsa4086 2019-07-05 [SC] [expires: 2035-07-01] 63CBCDE92 uid [unknown] Ankesh Bharti <firstname.lastname@example.org> ssb rsa4086 2019-07-05 [E] [expires: 2035-07-01]
The email address should be same as your Github email.
63CBCDE92 part is what you need next. No we will make this key “trusted”.
- To edit trust
$ gpg --edit-key C9D8E1A1 gpg> trust Please decide how far you trust this user to correctly verify other users' keys (by looking at passports, checking fingerprints from different sources, etc.) 1 = I don't know or won't say 2 = I do NOT trust 3 = I trust marginally 4 = I trust fully 5 = I trust ultimately m = back to the main menu Your decision? 5 Do you really want to set this key to ultimate trust? (y/N) y
Choose level of trust as you wish, in my case I'll prefer and recommend going with
5 = I trust ultimately.
Now add it to your GitHub profile:
gpg --armor --export C9D8E1A1
Copy and paste the output at https://github.com/settings/keys
Now for git on your local workstation, figure out with the following commands.
shermisaurus@pop-os:~$ gpg --list-secret-keys --keyid-format LONG gpg: checking the trustdb gpg: marginals needed: 3 completes needed: 1 trust model: pgp gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u gpg: next trustdb check due at 2035-07-01 /home/shermisaurus/.gnupg/pubring.kbx ------------------------------------------ sec rsa4086/7E8134F35 2019-07-05 [SC] [expires: 2035-07-01] 63CBCDE92A8B19FB3D44FA137E8134F3588DFA01 uid [ultimate] Ankesh Bharti <email@example.com> ssb rsa4086/0C40D2B88CD11958 2019-07-05 [E] [expires: 2035-07-01] shermisaurus@pop-os:~$ git config --global user.signingkey 7E8134F35 shermisaurus@pop-os:~$ git config --global commit.gpgsign true
Thanks for reading this far :)
“GPG” stands for “Gnu Privacy Guard.” GPG is a re-write or upgrade of PGP. It does not use the IDEA encryption algorithm. This is to make it completely free. It uses the NIST AES, Advanced Encryption Standard .