Require GPG signed commits #52

Robbert opened this issue May 26, 2016 · 3 comments
Robbert commented May 26, 2016

  • Enable pre-commit hook?
  • Enable pre-accept hook?
  • Describe how contributors should enable signing of commits with GPG on their Mac
  1. Download GPGTools from https://gpgtools.org to install the gpg command line utility, if you don't have it already.
  2. Open the application GPG Keychain and set up a new private key for the e-mail address you use for commits to Git.
    • Generate a password with 1Password and use it as the passphrase for your GPG key.
  3. Export the newly generated keys from GPG Keychain, including the secret key, and store it in 1Password as an attachment, along with your passphrase.
  4. Configure git to use your key: git config --global user.signingkey $INSERT_KEY_HERE
  5. Enable GPG signing in git using git config commit.gpgsign true.
  6. Export your public key using these instructions, starting from gpg --list-keys and then using gpg --armor --export $INSERT_KEY_HERE.
  7. Log in to github.com and let them know what your public GPG key is, in Settings > SSH and GPG keys > GPG keys.

Related reading: Github: Generating a GPG key

Robbert added the opsec label May 26, 2016
Robbert added this to the Epic Process milestone May 26, 2016

Robbert commented May 26, 2016

We should try to find the $INSERT_KEY_HERE automatically.

Work in progress attempt:

gpg --list-keys --with-colons "$(git config --global user.email)" | grep '^pub:[[:alpha:]]:[[:digit:]]\{4\}:1:[[:alnum:]]\{8\}\([[:alnum:]]\{8\}\)'
  • I'm using git config to automatically look for the e-mail address for git commits.
  • --with-colons makes the output more easily parseable.
  • I'm not yet sure how to extract text using grep.


Robbert commented May 26, 2016

OK, it turns out there is a very simple UNIX utility called cut that can find values in delimiter-separated columns, CSV for example, but also values from colon-separated columns.

Using that now:

gpg --with-colons --list-keys "$GIT_COMMITTER_EMAIL" |
    grep ^pub                       | # Show only public keys
    sort -t : -k 3,3n               | # Sort by key strength (key length in field 3, numerically)
    tail -n 1                       | # Only use the strongest key (from the last line)
    cut -d : -f 5                   | # Only output the key ID column
    grep -o "\([[:alnum:]]\)\{8\}$"   # Only output the last eight characters
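As an added example (not Robbert's code and not part of the issue), the same selection done over a constructed --with-colons sample with fake key IDs, so it runs without gpg installed. It also skips expired, revoked and disabled keys and keys without the sign capability, and prints the 16-digit long key ID from field 5 rather than the last eight characters, because 8-digit short key IDs are cheap to collide.

```shell
# Constructed sample of `gpg --with-colons --list-keys <email>` output
# (fake key IDs, not real keys). It holds a 2048-bit RSA key, a 4096-bit
# RSA key and an expired DSA key, so the selector has to look at validity
# (field 2), key length (field 3), algorithm (field 4) and capabilities
# (field 12) rather than at the line order.
SAMPLE_COLONS='tru::1:1464278400:0:3:1:5
pub:u:2048:1:0123456789ABCDEF:1464278400:::u:::scESC:
fpr:::::::::AAAA0123456789ABCDEF0123456789ABCDEF0123:
uid:u::::1464278400::XXXX::Alice Example <alice@example.org>:
sub:u:2048:1:FEDCBA9876543210:1464278400::::::e:
pub:u:4096:1:89ABCDEF01234567:1464278401:::u:::scESC:
fpr:::::::::BBBB89ABCDEF0123456789ABCDEF012345678901:
uid:u::::1464278401::YYYY::Alice Example <alice@example.org>:
pub:e:3072:17:1111222233334444:1400000000:::u:::sc:
uid:e::::1400000000::ZZZZ::Alice Example <alice@example.org>:'

# select_signing_key: read --with-colons output on stdin and print the
# 16-hex-digit long key ID (field 5) of the strongest primary key that is
# not expired/revoked/disabled/invalid and has the sign ("s") capability.
# Exits 1 when no key qualifies, so a caller can refuse to guess.
select_signing_key() {
  awk -F: '
    $1 == "pub" && $2 !~ /^[eidrn]$/ && index($12, "s") > 0 {
      # Prefer RSA (algorithm 1), then the longer key.
      score = ($4 == 1 ? 1 : 0) * 100000 + $3
      if (score > best) { best = score; id = $5 }
    }
    END { if (id != "") print id; else exit 1 }
  '
}

# Runs the selector over the constructed sample (expected: 89ABCDEF01234567).
demo_select() {
  printf '%s\n' "$SAMPLE_COLONS" | select_signing_key
}

# Real use, once gpg is installed (not executed by this example):
#   key=$(gpg --with-colons --list-keys "$(git config user.email)" | select_signing_key) &&
#     git config --global user.signingkey "$key"
```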


Robbert commented May 27, 2016

@Yolijn Would you please also setup GPG on your computers?
