I use PGP to sign all code that I author. Find out how I do this and how you can verify that the code you download was authored by me, Derek Smith.

I sign all public code repositories with my GPG key (full fingerprint: 77A10B652328FCBECEF26DA8B443E530A14E1C90).


I use a Trezor-T device to perform GPG signing operations. Using a dedicated hardware device for signing, rather than a PGP private key stored on your localhost, reduces overall risk because the private key never leaves the device. I used these instructions to enable support for the Trezor-T on my host.

There are other benefits to using a Trezor-T. You can log in remotely to VMs over the SSH protocol, for instance. It also supports FIDO U2F, which is nice. Using a Trezor is very natural in my opinion. Plus, as a user, you get more awareness when you're committing your name (and thus reputation) to something, because the act of signing is more explicit and requires user interaction on the device.

💡 Did you know you can RECOVER GPG certificates AND SSH keys AND your FIDO U2F keys from BIP39 seed words? Cool! This is an underappreciated aspect of using BIP39. All keys are generated deterministically from the seed words.

Importing my Public Key into your System

If you're interested in downloading any software, you should generally VERIFY that the changes to the code have been signed by a trusted authority. I sign all git commits and git tags with my GPG private key (the associated public key is shown above).

This allows anyone to verify that the software has been authored by me, Derek Smith. To perform this verification step, you first need to import the public key above into your system. Save the text above to a new file called derek_smith.gpg. Then run gpg --import derek_smith.gpg. You know you're successful when gpg --list-keys shows the following text:

ubuntu@ss-mgmt:~$ gpg --list-keys
/home/ubuntu/.gnupg/pubring.kbx
-------------------------------
pub   nistp256 1970-01-01 [SC]
      77A10B652328FCBECEF26DA8B443E530A14E1C90
uid           [ultimate] Derek Smith <derek@farscapian.com>
sub   nistp256 1970-01-01 [E]

Next, you want to instruct your system to trust the certificate. This helps suppress certain warning messages. Run gpg --edit-key 77A10B652328FCBECEF26DA8B443E530A14E1C90 then type trust, then press 5, which sets your system to ultimately trust the public key. (You can decrease the trust level, but you will get warning messages). Finally, type quit to complete making changes to the certificate.

Verifying my git commits and git tags

Now that you have imported my certificate and trusted it, you can begin to verify my code commits. Do this by running git log --show-signature. The output will show something like this:

commit ecd6b3a77de3c48b83013894e77b033deecfaf1c
gpg: Signature made Mon 06 Mar 2023 05:53:51 PM UTC
gpg:                using ECDSA key 77A10B652328FCBECEF26DA8B443E530A14E1C90
gpg: Good signature from "Derek Smith <derek@farscapian.com>" [uncertain]
Author: Derek Smith <derek@farscapian.com>
Date:   Mon Mar 6 12:53:51 2023 -0500

    Remove root .gitignore.

If it says Good signature from "Derek Smith <derek@farscapian.com>" and the fingerprint ends with A14E1C90, you can have reasonable assurance that I produced the commit!
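A scripted version of the check above, added here and not part of the original post: instead of eyeballing the "Good signature from ..." line, it reads the machine-readable status lines GnuPG emits (what git verify-commit --raw and git verify-tag --raw print to stderr) and accepts a commit or tag only when the full pinned fingerprint matches and the trust step was done. The sample status lines are constructed, and the lookalike key in them is hypothetical.

```shell
#!/bin/sh
# Added example, not code from the original post. Field layout of the
# status lines follows GnuPG's doc/DETAILS (VALIDSIG, TRUST_*, BADSIG ...).

# Full fingerprint of the key the post publishes.
DEREK_FPR=77A10B652328FCBECEF26DA8B443E530A14E1C90

# check_status WANTED_FPR  (GnuPG status lines on stdin)
# Exit 0 only if a VALIDSIG line carries exactly WANTED_FPR, no failure
# status appears, and the key is fully or ultimately trusted (the
# gpg --edit-key / trust / 5 step above). Anything else is rejected.
check_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]"                                      { next }
        $2 == "VALIDSIG" && $3 == want                        { fpr_ok = 1 }
        $2 == "TRUST_FULLY" || $2 == "TRUST_ULTIMATE"         { trusted = 1 }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/   { failed = 1 }
        END { if (fpr_ok && trusted && !failed) exit 0; exit 1 }'
}

# Wrappers for a real checkout, e.g. verify_commit HEAD or verify_tag v1.0.
verify_commit() { git verify-commit --raw "$1" 2>&1 >/dev/null | check_status "$DEREK_FPR"; }
verify_tag()    { git verify-tag    --raw "$1" 2>&1 >/dev/null | check_status "$DEREK_FPR"; }

# Constructed sample: a good signature by the pinned, ultimately trusted key.
sample_good() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG B443E530A14E1C90 Derek Smith <derek@farscapian.com>
[GNUPG:] VALIDSIG 77A10B652328FCBECEF26DA8B443E530A14E1C90 2023-03-06 1678125231 0 4 0 19 8 00 77A10B652328FCBECEF26DA8B443E530A14E1C90
[GNUPG:] TRUST_ULTIMATE 0 pgp
EOF
}

# Constructed lookalike: same name and e-mail, but a different (hypothetical) key.
sample_lookalike() {
    cat <<'EOF'
[GNUPG:] GOODSIG 0123456789ABCDEF Derek Smith <derek@farscapian.com>
[GNUPG:] VALIDSIG FFFFFFFFFFFFFFFFFFFFFFFF0123456789ABCDEF 2023-03-06 1678125231 0 4 0 19 8 00 FFFFFFFFFFFFFFFFFFFFFFFF0123456789ABCDEF
[GNUPG:] TRUST_ULTIMATE 0 pgp
EOF
}

# Constructed: the right key, but trust never set (shown as [uncertain] by git log).
sample_untrusted() {
    sample_good | sed 's/^\[GNUPG:\] TRUST_ULTIMATE/[GNUPG:] TRUST_UNDEFINED/'
}

sample_good      | check_status "$DEREK_FPR" && echo "good: accepted"
sample_lookalike | check_status "$DEREK_FPR" || echo "lookalike: rejected"
sample_untrusted | check_status "$DEREK_FPR" || echo "untrusted: rejected"
```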