Git itself has supported signing your work for a while, but I think this new visibility into being a good “Git Citizen” will encourage more people to start using that feature.
According to the Git docs
Git is cryptographically secure, but it’s not foolproof. If you’re taking work from others on the internet and want to verify that commits are actually from a trusted source, Git has a few ways to sign and verify work using GPG.
Signing my work hasn’t really come up; I haven’t had to prove I was actually the one who committed to my own lame side project. If you’re even casually involved in OSS, that’s where the real value seems to come in. That being said, the only real cost is looking after one more private key (and having it available on every machine you commit from), so regardless of OSS hero status, you might as well do it as good practice.
I’ve been a user on Keybase since it went public, and until now, had no idea what the heck to do with it other than verify my web presence on all of the sites it supports.
When I decided to start signing my commits for that sweet sweet Verified badge, I started to follow the instructions on GitHub for the how, then realized HOLY CRAP I CAN USE KEYBASE RIGHT?!
Only problem being I had no idea how to actually accomplish this. I knew Keybase had SOMETHING to do with GPG, and you signed commits with GPG but mixing the two required some time on Google. My search led me to a repo on GitHub with a nice how-to, with most of the commits unsigned.
The write-up is pretty great and makes things simple if you are on OS X and using Homebrew, which I am. I think there could be a little more color added to it though, mostly the requirements.
If you haven’t already, I would say you should 100% install Git through Homebrew so you can keep up to date faster than Apple will through OS updates. As infrequent as they can be, there have been bugs and security issues in various versions of Git, so as with all software, the faster you can get the updates, the better. Apple’s copy ships with the Xcode Command Line Tools and lives in /usr/bin, while Homebrew’s goes in /usr/local/bin, so after installing make sure `which git` points at the Homebrew one. Git shells out to gpg to sign, which is why gnupg is in the install list too.
$ brew update && brew upgrade
$ brew install git gnupg keybase
Assuming you have not set up Keybase on your machine just yet, now is the time to log in and go through the initial setup.
$ keybase login
Your keybase username or email address: firstname.lastname@example.org
Please enter the Keybase passphrase for email@example.com:
Enter a public name for this device: whatever_bruh

===============================
IMPORTANT: PAPER KEY GENERATION
===============================

During Keybase's alpha, everyone gets a paper key. This is a private key.
  1. you must write it down
  2. the first two words are a public label
  3. it can be used to recover data
  4. it can provision new keys/devices, so put it in your wallet
  5. just like any other device, it'll be revokable/replaceable if you lose it
After that it displays your paper key for you to write down and hide on your person somewhere, asks you to confirm that you did (you did, right?!), then announces that you’re logged in! Treat the paper key like the private key it is: it can provision new devices, so it should never live in a file, a screenshot, or a note-syncing app.
Generating Your Shiny GPG Key
Now to generate the key to use with Git and GitHub:
$ keybase pgp gen --multi
Enter your real name, which will be publicly visible in your new key: Rami Massoud
Enter a public email address for your key: firstname.lastname@example.org
Enter another email address (or <enter> when done):
Push an encrypted copy of your new secret key to the Keybase.io server? [Y/n] Y
> INFO PGP User ID: Rami Massoud <email@example.com> [primary]
> INFO Generating primary key (4096 bits)
> INFO Generating encryption subkey (4096 bits)
> INFO Generated new PGP key:
> INFO   user: Rami Massoud <firstname.lastname@example.org>
> INFO   4096-bit RSA key, ID F905177315FBAF31, created 2016-06-01
> INFO Exported new key to the local GPG keychain
Make sure to take special note of the key’s ID in the second-to-last line of the output (F905177315FBAF31, the 16-character long ID); you’ll need it later. One prompt deserves a conscious answer: saying Y to pushing an encrypted copy of the secret key stores it on Keybase’s servers, encrypted client-side under your Keybase passphrase, which makes recovering the key on another device easy but means the passphrase is what protects it. If you’d rather the secret key never leave this machine, answer n.
If you’re anything like me, you just copied and pasted the command I highlighted, but in case you’re wondering about --multi, the author of the repo pointed out:
That flag is required if you want to have multiple keys. As keybase already added one for @keybase.io, we create a new one at this place using the email address used for git commits.
So just for having a Keybase account you already have one PGP key, but GitHub only marks a commit Verified when the signing key carries a user ID whose email is a verified email on your GitHub account, which is why you follow the instructions to create a second key tied to the email you commit with.
Now that you have a key to sign everything, we’re livin’ on easy street. The next thing you need is the 8-character short ID of the key you generated, which you can lazily grab from the listing below. Two caveats: short IDs are only 32 bits and collisions are trivial to manufacture, so Git happily accepts the 16-character long ID (or the full fingerprint) in its place; and on GnuPG 2.1 and newer the listing looks different (sec rsa4096 ... followed by a fingerprint line), so add --keyid-format long to see the ID in the form shown here.
$ gpg --list-secret-keys
-------------------------------------
sec   4096R/15FBAF31 2016-06-01 [expires: 2032-05-28]
uid                  Rami Massoud <email@example.com>
Before continuing, decide whether you want a single key to sign everything you do with Git on this computer, which is most likely what you want. If so, configuring Git is as simple as setting two config variables. Note: if you want to go the multiple-key route, change into the directory of the specific repo and run the same commands without --global, so the settings land in that repo’s .git/config instead of ~/.gitconfig.
$ git config --global user.signingkey 15FBAF31
$ git config --global commit.gpgsign true
If you want to quickly verify everything is set:
$ git config --global -l
user.name=Rami Massoud
user.email=firstname.lastname@example.org
user.signingkey=15FBAF31
commit.gpgsign=true
Get That Key To GitHub
To finish setting everything up, you need the full 16-character (64-bit) ID of the generated key that I told you to take special note of earlier:
> INFO 4096-bit RSA key, ID F905177315FBAF31, created 2016-06-01
Navigate to the “SSH and GPG keys” section of your GitHub account settings (https://github.com/settings/keys) and click the button to add a new GPG key
Then go back to your terminal and export the new public key directly to the clipboard with:
$ keybase pgp export -q F905177315FBAF31 | pbcopy
The -q (query) flag selects which key to export, by ID or fingerprint; it’s necessary because your account now holds (at least) two PGP keys and the export needs to know which one you want. On Linux, swap pbcopy for xclip -selection clipboard.
Finally, paste your public key block into the text box, click that sweet “Add GPG key”, and feel soooo Verified. Two things have to line up for the badge to actually appear: the email in the key’s user ID must be a verified email on your GitHub account, and the commit’s author and committer email must match it. You can check a commit locally before pushing with git log --show-signature -1 (or git verify-commit HEAD); if gpg can’t find or validate the key, Git tells you right there.
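Once your own commits are signed, the other half of what the Git docs quoted above promise is verifying work from others. Below is an added example that is not part of the original post or the linked repo: a small POSIX shell check that fails when any commit in a range is unsigned, has a bad or expired signature, or is signed by a key outside an allowlist. It feeds git log’s %G? (signature status) and %GK (signing key ID) placeholders through awk. The ALLOWED_KEYS list (this post’s F905177315FBAF31 plus a made-up teammate ID 0123456789ABCDEF), the function names check_signatures and check_range, and the SAMPLE_LOG lines are all my assumptions, constructed so the check runs without a repository.

```shell
#!/bin/sh
# Added example (not from the original post): a policy check that every commit in a
# range carries a good signature from an allowed key. Git verifies signatures against
# the local GnuPG keyring, so teammates' public keys must be imported first (for
# example with keybase pgp pull or gpg --recv-keys); otherwise their commits show up
# as E (cannot be checked) and fail this policy, which is the safe default.
#
# %G? codes (git-log(1)): G good, U good but untrusted in the GnuPG trust db, B bad,
# X expired signature, Y expired key, R revoked key, E cannot be checked, N unsigned.

# Assumption: long key IDs (the form %GK prints) that are allowed to sign.
# F905177315FBAF31 is the key generated in the post; the second is a made-up teammate.
ALLOWED_KEYS="F905177315FBAF31 0123456789ABCDEF"

# Reads tab-separated "status<TAB>keyid<TAB>hash<TAB>subject" lines on stdin, prints one
# line per violation, and returns 1 if any commit violates the policy.
# U is accepted on purpose: the allowlist, not GnuPG's web of trust, is the policy here.
check_signatures() {
    awk -F '\t' -v allowed="$ALLOWED_KEYS" '
    BEGIN {
        n = split(allowed, ids, " ")
        for (i = 1; i <= n; i++) ok[ids[i]] = 1
        bad = 0
    }
    {
        status = $1; key = $2; hash = $3; subject = $4
        if (status == "N") {
            print hash ": UNSIGNED: " subject; bad++
        } else if (status != "G" && status != "U") {
            print hash ": signature status " status " (key " key "): " subject; bad++
        } else if (!(key in ok)) {
            print hash ": signed by unlisted key " key ": " subject; bad++
        }
    }
    END { exit (bad > 0) }'
}

# Real use: check everything on the current branch that is not yet on origin/main.
# %x09 is a tab, which keeps the columns aligned even when %GK is empty (unsigned).
check_range() {
    git log --format='%G?%x09%GK%x09%h%x09%s' "${1:-origin/main..HEAD}" | check_signatures
}

# Constructed sample of what that git log command prints, so the check runs offline.
SAMPLE_LOG=$(printf 'G\tF905177315FBAF31\taaa1111\tsign commits with keybase key
N\t\tbbb2222\tquick fix, committed from the web UI
B\tF905177315FBAF31\tccc3333\tcommit rewritten after signing
G\tDEADBEEFDEADBEEF\tddd4444\tsigned by a key nobody vouched for
U\t0123456789ABCDEF\teee5555\tteammate key imported but not trusted')

# Running the sample reports three violations (bbb2222, ccc3333, ddd4444) and exits 1.
printf '%s\n' "$SAMPLE_LOG" | check_signatures || echo "policy violations found"
```

Wire check_range into a CI job or a pre-push hook and the policy is enforced where it matters; the allowlist is a deliberate choice over GnuPG trust levels, because key fingerprints are easier to review in a pull request than a trust database on a build agent.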