I use PGP to sign all code that I author. Find out how I do this and how you can verify that the code you download was authored by me, Derek Smith.

I sign all public code repositories with my GPG key below (key id: 77A10B652328FCBECEF26DA8B443E530A14E1C90).



I use a Trezor-T device to perform GPG signing operations. Using a specialized hardware device to perform signing operations rather than a PGP certificate on your localhost helps reduce overall risk. I used these instructions to enable support for the Trezor-T on my host.

There are other benefits to using Trezor-T. You can remotely login to VMs using the SSH protocol, for instance. It also supports FIDO U2F which is nice. Using a Trezor is very natural in my opinion. Plus, as a user, you get more awareness when you're committing your name (and thus reputation) to something because the act of signing something is more explicit, requiring user interaction.

Did you know you can RECOVER GPG certificates AND SSH keys and your FIDO U2F keys from BIP39 seed words? Cool! This is an underappreciated aspect of using BIP39. All keys are generated deterministically from the seed words. 

Importing my Public Key into your System

If you're interested in downloading any software, you should generally VERIFY that the changes to the code have been signed by a trusted authority. I sign all git commits and git tags with my GPG private key (the associated public key is shown above).

This allows anyone to verify that the software has been authored by me, Derek Smith. To perform this verification step, you first need to import the public key above into your system. Save the text above to a new file called derek_smith.gpg . Then run gpg --import derek_smith.gpg. You know you're successful when gpg --list-keys shows the following text:

ubuntu@ss-mgmt:~$ gpg --list-keys
pub   nistp256 1970-01-01 [SC]
uid           [ultimate] Derek Smith <derek@farscapian.com>
sub   nistp256 1970-01-01 [E]

Next, you want to instruct your system to trust the certificate. This helps suppress certain warning messages. Run gpg --edit-key 77A10B652328FCBECEF26DA8B443E530A14E1C90 then type trust, then press 5, which sets your system to ultimately trust the public key. (You can decrease the trust level, but you will get warning messages). Finally, type quit to complete making changes to the certificate.

Verifying my git commits and git tags

Now that you have imported my certificate and trusted it, you can begin to verify my code commits. Do this by running git log --show-signature. The output will show something like this:

commit ecd6b3a77de3c48b83013894e77b033deecfaf1c
gpg: Signature made Mon 06 Mar 2023 05:53:51 PM UTC
gpg:                using ECDSA key 77A10B652328FCBECEF26DA8B443E530A14E1C90
gpg: Good signature from "Derek Smith <derek@farscapian.com>" [uncertain]
Author: Derek Smith <derek@farscapian.com>
Date:   Mon Mar 6 12:53:51 2023 -0500

    Remove root .gitignore.

If it says Good signature from "Derek Smith <derek@farscapian.com> and the fingerprint ends with A14E1C90 you can have reasonable assurance that I produced the commit!