I sign all public code repositories with my GPG key which you can download using the link below.

I use a Trezor-T device to perform GPG signing operations. Using a specialized hardware device to perform signing operations RATHER THAN a PGP certificate on your localhost helps reduce overall risk. I used these instructions to enable support for the Trezor-T on my Linux host.

There are other benefits to using Trezor-T. You can remotely login to VMs using the SSH protocol, for instance. It also supports FIDO U2F which is really nice. Using a Trezor is very natural in my opinion. Plus, as a user, you get more awareness when you're committing your name (and thus reputation) to something because the act of signing something is more explicit, requiring user interaction.

Did you know you can RECOVER GPG certificates AND ssh keys and your FIDO U2F keys from BIP39 seed words? Cool! This is a really underappreciated aspect of using BIP39. All keys are generated deterministically from the seed words.

Importing my Public Key into your System

If you're interested in downloading any software, you should generally VERIFY that the changes to the code have been signed by a trusted authority. I sign all git commits and git tags with my GPG private key (the associated public key is shown above).

This allows anyone to verify that software has been authored by me, Derek Smith. To perform this verification step, you first need to import the public key above into your system. Save the text above to a new file called derek_smith.gpg, then run gpg --import derek_smith.gpg. You know you're successful when gpg --list-keys shows the following text:

pub   nistp256 1970-01-01 [SC]
      3CC6319316B613A46EEFDF778F1CD799CCA516CC
uid           [ultimate] Derek Smith <derek@farscapian.com>
sub   nistp256 1970-01-01 [E]

Next, you want to instruct your system to trust the certificate. This helps suppress certain warning messages. Run gpg --edit-key 3CC6319316B613A46EEFDF778F1CD799CCA516CC, then type trust, then press `5`, which sets your system to ultimately trust the public key. (You can choose a lower trust level, but you will get warning messages.) Finally, type quit to complete making changes to the certificate.

Verifying my git commits and git tags

Now that you have imported my certificate and trusted it, you can begin to verify my code commits. Do this by running git log --show-signature. The output will show something like this:

commit e2a3e6e50a56396bf4b6cc6ba0c1d08ae645bfdf (HEAD -> master, tag: v0.0.11)
gpg: Signature made Fri 17 Dec 2021 12:22:28 PM EST
gpg:                using ECDSA key 3CC6319316B613A46EEFDF778F1CD799CCA516CC
gpg: Good signature from "Derek Smith <derek@farscapian.com>" [uncertain]
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
Author: Derek Smith <derek@farscapian.com>
Date:   Fri Dec 17 12:22:28 2021 -0500

    Creating commit on Fri Dec 17 12:22:28 PM EST 2021.

    Signed-off-by: Derek Smith <derek@farscapian.com>

If it says Good signature from "Derek Smith <derek@farscapian.com>" and the fingerprint ends with CCA516CC, you can have reasonable assurance that I produced the commit!
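As an added example that is not part of the original page, here is a small shell function that automates the check above. It accepts either the human-readable output of git log --show-signature or the machine-readable status lines from git verify-commit --raw, and it compares the full 40-hex-digit fingerprint rather than only the trailing CCA516CC, since an unrelated key can share the last 8 digits. The sample outputs are constructed (the good one is copied from the listing above); the expected fingerprint is the one shown on this page.

```bash
#!/bin/bash
# Added example, not part of the original page: automate the signature check.
# Compares the FULL fingerprint rather than its last 8 hex digits. Accepts the
# human-readable output of `git log --show-signature -1 <rev>` or the
# `[GNUPG:] VALIDSIG <fingerprint> ...` lines from `git verify-commit --raw <rev>`.

EXPECTED_FPR="3CC6319316B613A46EEFDF778F1CD799CCA516CC"   # fingerprint shown on this page

# check_signature <expected_fingerprint>   (signature output on stdin)
# Returns 0 only for a good signature made by exactly the expected key.
check_signature() {
    expected="$1"
    output="$(cat)"
    # Machine-readable path: a VALIDSIG line means a good signature and carries the fingerprint.
    fpr="$(printf '%s\n' "$output" | sed -n 's/^\[GNUPG:\] VALIDSIG \([0-9A-F]*\) .*/\1/p' | head -n 1)"
    if [ -z "$fpr" ]; then
        # Human-readable path: require a "Good signature" line, then read the key line.
        if ! printf '%s\n' "$output" | grep -q '^gpg: Good signature'; then
            echo "FAIL: no good signature (unsigned commit or BAD signature)"
            return 1
        fi
        fpr="$(printf '%s\n' "$output" | sed -n 's/^gpg: *using [A-Z0-9]* key \([0-9A-F]*\).*/\1/p' | head -n 1)"
    fi
    if [ "$fpr" != "$expected" ]; then
        echo "FAIL: signed by '$fpr', expected $expected"
        return 1
    fi
    echo "OK: good signature from expected key $fpr"
}

# Constructed sample, copied from the listing above, so the check runs offline.
SAMPLE_GOOD='commit e2a3e6e50a56396bf4b6cc6ba0c1d08ae645bfdf (HEAD -> master, tag: v0.0.11)
gpg: Signature made Fri 17 Dec 2021 12:22:28 PM EST
gpg:                using ECDSA key 3CC6319316B613A46EEFDF778F1CD799CCA516CC
gpg: Good signature from "Derek Smith <derek@farscapian.com>" [uncertain]
Author: Derek Smith <derek@farscapian.com>'

# Constructed negative case: same trailing 8 hex digits, but a different key.
SAMPLE_LOOKALIKE='gpg:                using ECDSA key 00000000000000000000000000000000CCA516CC
gpg: Good signature from "Someone Else <someone@example.invalid>" [unknown]'

printf '%s\n' "$SAMPLE_GOOD" | check_signature "$EXPECTED_FPR"
printf '%s\n' "$SAMPLE_LOOKALIKE" | check_signature "$EXPECTED_FPR" || true   # expected to report FAIL
# Live use against a real checkout:
#   git log --show-signature -1 HEAD | check_signature "$EXPECTED_FPR"
#   git verify-commit --raw HEAD 2>&1 | check_signature "$EXPECTED_FPR"
```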

How I create git commits and git tags

In most of my public git repos, I run the following script. It creates a signed git commit and a signed tag in the current repo. By default, this script is ASSUMED to be in the same path as the git repo you expect to commit to.

#!/bin/bash

# this script will commit staged changes, tag the repo, then push it to origin
set -e   # stop if the commit fails so we don't tag or push a bad state

TAG_NAME=v0.0.12
COMMIT_MESSAGE="Creating commit on $(date)."
TAG_MESSAGE="Creating tag $TAG_NAME on $(date)."

# create a git commit with staged changes (-s adds the Signed-off-by trailer;
# the GPG signature comes from commit.gpgsign = true in ~/.gitconfig).
git commit -m "$COMMIT_MESSAGE" -s
# create an annotated tag and GPG-sign it (-s)
git tag -a "$TAG_NAME" -m "$TAG_MESSAGE" -s

# optional; push to remote
git push --all
git push --tags

When I run the script above, my Trezor lights up to enter the PIN (if locked), then prompts me to perform the GPG signature on the git commit and git tag. That's it! Git repos are now signed with Trezor-backed PGP certificates.

Note that before running the above script, you should configure your git repo to use the specified GPG key. You can edit ~/.gitconfig with the following text:

[user]
	name = Derek Smith
	email = derek@farscapian.com
	signingkey = 3CC6319316B613A46EEFDF778F1CD799CCA516CC

[commit]
	gpgsign = true

Of course, if you're doing the git commits, you will want to update the information above to your own certificate information. It always helps when the information matches your GPG certificate!

Push changes (optional)

From there, you can optionally run git push --all and git push --tags to push commit and tags to the current git remote (run git remote).