
GPG

  1. Create a master key with the YubiKey Guide
  2. Create signing, encryption, and authentication sub keys with the same guide

I also like to create a $KEYID environment variable with my master key. Retrieve your keys with gpg --list-keys --keyid-format long and set the environment variable in ~/.zshrc:

export KEYID="0x<YOUR_KEY_ID>"

Keyserver

I prefer to use the Ubuntu keyserver to store my public keys. Simply upload your key like so:

gpg --keyserver hkps://keyserver.ubuntu.com --send-keys $KEYID

To import a public key from the keyserver run:

gpg --keyserver hkps://keyserver.ubuntu.com --recv <SOME KEY>

Signing commits

First, list your keys with gpg --list-keys --keyid-format long and find the signing subkey, the one marked [S]. It'll look like this:

# ...
sub   rsa4096/<SIGNING_KEY_ID> 2019-09-30 [S] [expires: 2020-09-29] # <--- this one
# ...

Then use the value SIGNING_KEY_ID from above and add it to ~/.gitconfig like this:

[user]
  signingkey = "[SIGNING_KEY_ID]!"

Make sure there is a ! at the end: the suffix tells gpg to use exactly that subkey instead of picking a signing key itself from the master key.

Then add it to GitHub/GitLab after exporting it to a file called public.signing.key like so:

gpg --export --armor --output public.signing.key <SIGNING_KEY_ID>!

Import export

Moving keys between computers is pretty straightforward. Export the secret keys with:

gpg --export-secret-keys --armor $KEYID > secret.asc

Then on the new computer, import the key with:

gpg --import secret.asc

Finally, trust the key by using:

  1. gpg --edit-key $KEYID
  2. trust, then choose the desired trust level
  3. save

Huge disclaimer here. Put this file on an encrypted drive or a drive that you will immediately shred after copying to the new device. It's important to know how to treat your GPG secrets.

Signing someone else's key

Add more trust to someone's key by signing it. Your signature asserts that you have verified the key is genuine and belongs to the person it identifies.

Get the key in your keyring:

gpg --list-keys --keyid-format long # and choose the key if it exists

# or get the key from a keyserver
gpg --keyserver hkps://some.keyserver.com --recv THEIR_KEYID

Sign the key:

gpg --sign-key THEIR_KEYID

Export the key, encrypt it, write it to a file, and send it back to the owner:

gpg -a --export THEIR_KEYID | gpg -se -r THEIR_KEYID > THEIR_KEYID.asc.pgp

Then the person will decrypt and import the key into their keyring and push it back to their preferred keyservers.

gpg --decrypt THEIR_KEYID.asc.pgp > THEIR_KEYID.asc
gpg --import THEIR_KEYID.asc
gpg --send-keys THEIR_KEYID # or with --keyserver

Using GPG with SSH

  1. Add enable-ssh-support to ~/.gnupg/gpg-agent.conf.
  2. Get the keygrip of the authentication subkey (the one marked [A]) with gpg -k --with-keygrip
  3. Add that keygrip on its own line in ~/.gnupg/sshcontrol

Using the keychain package on Arch Linux, ensure this is present in your shell rc file (e.g. ~/.zshrc):

export GPG_TTY=$(tty)
export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)

eval "$(keychain --eval --noask -q --agents gpg)"

Kill the ssh-agent and restart gpg-agent (a reboot is the least effort here), then use ssh-add -L to get the SSH public key that gpg-agent derives from the authentication subkey. Add the output to your service of choice like any normal SSH key.
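As an added example that is not part of these notes (nor code from the YubiKey Guide), here is a POSIX shell script covering both the "Signing commits" and "Using GPG with SSH" steps above: instead of reading the [S] key ID and the [A] keygrip off the human-readable listing by hand, it pulls them out of gpg's machine-readable --with-colons output (documented in GnuPG's doc/DETAILS), builds the user.signingkey value with the trailing !, and appends the keygrip to sshcontrol only once. The listing, its key IDs and keygrips are constructed, and the function names are mine.

```shell
#!/bin/sh
# Added example (not part of the original notes): pick the signing and
# authentication subkeys out of gpg's machine-readable listing and wire them
# into git (user.signingkey) and gpg-agent (~/.gnupg/sshcontrol).
#
# The listing below is a constructed stand-in for
#   gpg --list-keys --with-colons --with-keygrip "$KEYID"
# with hypothetical key IDs and keygrips. Colon-format fields used here:
#   1 = record type, 2 = validity (r = revoked, e = expired), 5 = long key ID,
#   12 = capabilities (s = sign, e = encrypt, a = authenticate), and on
#   "grp" records field 10 = keygrip of the key/subkey listed just before it.
SAMPLE_LISTING='pub:u:4096:1:0123456789ABCDEF:1569801600:1601337600::u:::scESCA::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF0123456789:
grp:::::::::AAAA0000AAAA0000AAAA0000AAAA0000AAAA0000:
uid:u::::1569801600::0000000000000000000000000000000000000000::Example User <user@example.com>::::::::::0:
sub:r:4096:1:DEADBEEFDEADBEEF:1500000000:1531536000:::::s::::::23:
fpr:::::::::DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF:
grp:::::::::BBBB1111BBBB1111BBBB1111BBBB1111BBBB1111:
sub:u:4096:1:1111222233334444:1569801600:1601337600:::::s::::::23:
fpr:::::::::1111222233334444111122223333444411112222:
grp:::::::::CCCC2222CCCC2222CCCC2222CCCC2222CCCC2222:
sub:u:4096:1:5555666677778888:1569801600:1601337600:::::e::::::23:
fpr:::::::::5555666677778888555566667777888855556666:
grp:::::::::DDDD3333DDDD3333DDDD3333DDDD3333DDDD3333:
sub:u:4096:1:9999AAAABBBBCCCC:1569801600:1601337600:::::a::::::23:
fpr:::::::::9999AAAABBBBCCCC9999AAAABBBBCCCC9999AAAA:
grp:::::::::EEEE4444EEEE4444EEEE4444EEEE4444EEEE4444:'

# Long key IDs of usable (neither revoked nor expired) subkeys that carry the
# given capability letter ("s", "e" or "a").
subkeys_with_capability() {
    printf '%s\n' "$1" | awk -F: -v cap="$2" \
        '$1 == "sub" && $2 !~ /[er]/ && index($12, cap) { print $5 }'
}

# Value for git's user.signingkey: the first usable signing subkey plus a
# trailing "!", which makes gpg use exactly that subkey.
git_signingkey_value() {
    keyid=$(subkeys_with_capability "$1" s | head -n 1)
    [ -n "$keyid" ] || return 1
    printf '%s!\n' "$keyid"
}

# Keygrip of the first usable authentication subkey: remember that the last
# "sub" record was one we want, then print the keygrip from the "grp" record
# that follows it.
auth_keygrip() {
    printf '%s\n' "$1" | awk -F: '
        $1 == "pub" { want = 0 }
        $1 == "sub" { want = ($2 !~ /[er]/ && index($12, "a")) }
        $1 == "grp" && want { print $10; exit }'
}

# Append a keygrip to an sshcontrol file unless a line for it is already there
# (sshcontrol lines may carry a TTL after the keygrip, hence the prefix match).
add_to_sshcontrol() {
    file=$1
    grip=$2
    if [ -f "$file" ] && grep -q "^$grip" "$file"; then
        return 0
    fi
    printf '%s\n' "$grip" >> "$file"
}

# Real-world usage (not executed here because it needs your keyring):
#   listing=$(gpg --list-keys --with-colons --with-keygrip "$KEYID")
#   git config --global user.signingkey "$(git_signingkey_value "$listing")"
#   add_to_sshcontrol ~/.gnupg/sshcontrol "$(auth_keygrip "$listing")"
```

The validity filter is the part the eyeball method tends to miss: a revoked or expired [S] subkey still shows up in the listing, and pointing git at it produces signatures that GitHub/GitLab will reject. Filtering on field 2 skips those automatically.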

Links