From a02606f3c89c73769c63a0b778c2316584df3c3b Mon Sep 17 00:00:00 2001 From: Brandon Rozek Date: Sun, 18 Dec 2022 12:38:23 -0500 Subject: [PATCH] Updated some GPG posts --- content/blog/gpgkeygen.md | 18 +++++--- content/blog/signingcommits.md | 83 ++++++++++++++++++++++++++++++++-- 2 files changed, 92 insertions(+), 9 deletions(-) diff --git a/content/blog/gpgkeygen.md b/content/blog/gpgkeygen.md index 0f23b96..ee81d4d 100644 --- a/content/blog/gpgkeygen.md +++ b/content/blog/gpgkeygen.md @@ -5,7 +5,7 @@ draft: false tags: ["GPG"] --- -GPG keys have a variety of different uses from sending encrypted emails to verifying git commits. Here I'll show how easy it is to create a public/private key-pair. Assuming you have the `gpg` client installed. +GPG keys have a variety of different uses from sending encrypted emails to verifying git commits. Here I'll show how to create a public/private key-pair. This post assumes you have the `gpg` client installed. Type the following command @@ -28,7 +28,7 @@ Please select what kind of key you want: Your selection? 1 ``` -I selected the default option. +I generally recommend selecting the default option. As cryptography standards change, I would expect the options presented to you to differ from my selection screen. ``` RSA keys may be between 1024 and 4096 bits long. @@ -36,7 +36,9 @@ What keysize do you want? (3072) 4096 Requested keysize is 4096 bits ``` -I went for the highest available option. +For keysizes, the bigger the more secure. The tradeoff is in the time it takes to perform the cryptographic operations. +Since I rarely encrypted very large inputs, I went for the highest available option as the encryption time to me +is negligable. ``` Please specify how long the key should be valid. 
@@ -48,14 +50,17 @@ Please specify how long the key should be valid. Key is valid for? (0) 1y ``` -It's highly recommended that you set an expiration date. I usually set it for around 1-3 years. +I highly recommend that you set an expiration date. Not only does this allow for the key to become invalid if you happen to +lose your private key, it also announces to the wider world that you actually use your GPG key. + +I try to set my key expiration dates to be a year out. ``` Key expires at Mon 11 Apr 2021 06:42:01 PM EDT Is this correct? (y/N) y ``` -Quick sanity check. +As a quick sanity check, it'll provide the date that the key will expire. ``` GnuPG needs to construct a user ID to identify your key. @@ -74,7 +79,8 @@ You selected this USER-ID: Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O ``` -More sanity checks. +Another sanity check, to ensure that you set your user information correctly. +Keep in mind that this information is included in plaintext as part of your public key. ``` We need to generate a lot of random bytes. It is a good idea to perform diff --git a/content/blog/signingcommits.md b/content/blog/signingcommits.md index bee66f3..4e7dd4d 100644 --- a/content/blog/signingcommits.md +++ b/content/blog/signingcommits.md @@ -7,7 +7,7 @@ tags: ["Git", "GPG"] Git and their various hosting platforms support commit signing as an additional step of verification. There seems to be an active debate on whether it should be used regularly, though I'll describe it on here in case you want to set it up. -You'll need to have a [GPG key already created](https://brandonrozek.com/blog/gpgkeygen). +You'll need to have a [GPG key already created](/blog/gpgkeygen). First locate the key you want to sign with 
@@ -25,9 +25,86 @@ uid [ultimate] Brandon Rozek (Git) ssb rsa4096/9582109R 2020-04-11 [E] [expires: 2021-04-11] ``` -Copy the string starting with "KDI..". This will be your *fingerprint*. +If you want to sign your commits with your main private key, then you can use the main +key's *fingerprint*. In the example above, that's the part that starts with `KDI`. -Now tell git the key you want to sign with +## (Optional) Creating a signing subkey + +Alternatively, we can create a subkey specifically for signing commits. +To do that, first we need to enter the edit mode for that key. + +```bash +gpg --edit-key $FINGERPRINT +``` +where `$FINGERPRINT` is the same fingerprint above. + +You'll see something like the following +``` +sec rsa3072/3E40C8DB05FCCFAD + created: 2022-12-18 expires: 2023-12-18 usage: SC + trust: ultimate validity: ultimate +ssb rsa3072/50CC6B37C26F7882 + created: 2022-12-18 expires: 2023-12-18 usage: E +[ultimate] (1). Brandon Rozek + +gpg> +``` + +From there you type `addkey`, which will then present you with some options +``` +Please select what kind of key you want: + (3) DSA (sign only) + (4) RSA (sign only) + (5) Elgamal (encrypt only) + (6) RSA (encrypt only) + (14) Existing key from card +Your selection? +``` + +As before, I recommend going with the default signing key option. +In this case it's `(3) DSA (sign only)`. + +``` +DSA keys may be between 1024 and 3072 bits long. +What keysize do you want? (2048) +``` + +As before, either stick with the default or tweak based +on your personal assesment of risk. + +``` +Please specify how long the key should be valid. + 0 = key does not expire + = key expires in n days + w = key expires in n weeks + m = key expires in n months + y = key expires in n years +``` + +Same advice as before in terms of key expiration. +I generally stick with `1y`. Then, after +confirming the sanity checks you should see the key created. 
+ +``` +sec rsa3072/3E40C8DB05FCCFAD + created: 2022-12-18 expires: 2023-12-18 usage: SC + trust: ultimate validity: ultimate +ssb rsa3072/50CC6B37C26F7882 + created: 2022-12-18 expires: 2023-12-18 usage: E +ssb dsa2048/5C1B6FCA0DABB046 + created: 2022-12-18 expires: 2023-12-18 usage: S +[ultimate] (1). TestKey +``` + +The signing key is denoted by the label `usage: S`. +From there we can take its fingerprint, which for +the example above starts with `5C1B` and proceed +with the next step. + + +## Configuring Git + +From here, we need to tell git the key we want to sign with ```bash git config --global user.signingkey $FINGERPRINT
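Review bot: in the gpgkeygen.md hunk at @@ -36,7 the added paragraph has a spelling error ("negligable" should be "negligible") and a tense slip ("Since I rarely encrypted" should be "Since I rarely encrypt"). The justification is also slightly off: OpenPGP encrypts the data itself with a symmetric cipher and only wraps the session key (or computes a signature) with RSA, so the size of the input barely changes the cost of a larger key either way. Suggest rewording to something like "the extra time a larger key adds to signing and decryption is negligible for my use".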
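Review bot: in the gpgkeygen.md hunk at @@ -48,14 the sentence "allow for the key to become invalid if you happen to lose your private key" overstates what an expiration date buys you: a lost key stays valid and usable until the expiry date, and the expiry cannot be extended without the private key. Suggest adding one line pointing readers to the revocation certificate, which is the mechanism that actually handles key loss (GnuPG 2.1 and later writes one to `~/.gnupg/openpgp-revocs.d/` at generation time; older versions need `gpg --gen-revoke`). Minor: "it'll provide the date" reads better as "it will show the date".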
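Review bot: in the signingcommits.md hunk at @@ -25,9 +25,86 the value the reader is told to copy for the subkey (`5C1B6FCA0DABB046` from the `ssb dsa2048/...` line) is a long key ID, not a fingerprint, and handing a bare subkey ID to `git config --global user.signingkey $FINGERPRINT` does not pin that subkey: gpg treats the ID as naming the whole key and chooses the signing subkey itself, so a later signing subkey would silently be used instead. Suggest telling readers to list full fingerprints with `gpg --list-secret-keys --with-subkey-fingerprint` and, when a specific subkey is wanted, to append `!` (for example `user.signingkey 5C1B6FCA0DABB046!`) so gpg uses exactly that one. Three smaller points in the same hunk: the `gpg>` session never shows `save`, without which the `addkey` result is discarded on exit, so add it before the "you should see the key created" listing; the text asserts that `(3) DSA (sign only)` is the default, but the quoted menu shows no default marker, so either show the prompt with its default or drop the claim (DSA is a legacy algorithm, and `(4) RSA (sign only)` is the like-for-like choice given the RSA primary key); and the before and after listings disagree on the user ID (`Brandon Rozek` vs `TestKey`) for the same key `3E40C8DB05FCCFAD`. Also "assesment" should be "assessment", and the expiry menu lines are missing their `<n>` placeholders (`<n>w = key expires in n weeks`), if that is in the patch and not only the rendering.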