I sign all public code repositories with my GPG key below (key id:
-----BEGIN PGP PUBLIC KEY BLOCK-----

mFIEAAAAABMIKoZIzj0DAQcCAwQ3hQeRT8HLyQEtKJ5C3dKilfWhSpqkPFtfuE0I
i+MNLavAM7tL9gShij7tEcyZe0Iy2hc38TizSlQJciIdgtHUtCJEZXJlayBTbWl0
aCA8ZGVyZWtAZmFyc2NhcGlhbi5jb20+iIAEExMIABwFAgAAAAACCwkCGwMEFQgJ
CgQWAgMBAheAAh4BABYJELRD5TChThyQCxpUUkVaT1ItR1BHXMcA/2k4QtiV0eNQ
299XW4Wvoac1Be6+WTPRIaC/PYnd0pR7AP4hi5ou6uyKtqkfhLtRQHN/9ny3MBEG
whGxb/bCIzOdILhWBAAAAAASCCqGSM49AwEHAgMEI0VBpCTeIpfdH2UcWiSPYGAJ
Z1Rsp0uKf6HzZnpGRAdCTNgCh+pVBibP0Cz0pNdM7IfHSfS+OP4/Lb1B5N9BSAMB
CAeIbQQYEwgACQUCAAAAAAIbDAAWCRC0Q+UwoU4ckAsaVFJFWk9SLUdQRxM4AQCw
m24svH13uNAebQurOloy/1qZgNdXANBQQ05oi1tEyAD/eGFFVdgs5L6Hpg/GJLvo
X8bd1+1sa2d9TldbgfNfRA0=
=vZGY
-----END PGP PUBLIC KEY BLOCK-----
I use a Trezor-T device to perform GPG signing operations. Using a dedicated hardware device for signing, RATHER THAN a PGP private key stored on your localhost, reduces overall risk: the private key never leaves the device, so malware on the host can at most ask for a signature but cannot copy the key and sign on its own later. I used these instructions to enable support for the Trezor-T on my host.
There are other benefits to using a Trezor-T. You can log in to remote VMs over SSH with it, for instance, with the device holding the SSH private key and producing the authentication signature. It also supports FIDO U2F, which is really nice. Using a Trezor is very natural in my opinion. Plus, as a user, you get more awareness when you're committing your name (and thus reputation) to something, because the act of signing is more explicit: every signature has to be confirmed on the device itself.
Did you know you can RECOVER GPG certificates AND SSH keys AND your FIDO U2F keys from BIP39 seed words? Cool! This is a really underappreciated aspect of using BIP39. All keys are generated deterministically from the seed words, so restoring the same seed onto a replacement device reproduces the same private keys. Two things follow from that: the seed phrase is the real root of trust for this signing identity and must be guarded at least as carefully as the device, and the GPG key is derived from the seed together with the identity string (the name and email in the key above), so the same identity must be used when regenerating it. The fingerprint additionally depends on the creation timestamp recorded in the key (1970-01-01 in the listing below), so regenerating with a different timestamp yields a different fingerprint even though the underlying key is the same.
Importing my Public Key into your System
If you're interested in downloading any software, you should generally VERIFY that the changes to the code have been signed by a trusted authority. I sign all git commits and git tags with my GPG private key (the associated public key is shown above). This allows anyone to verify that software has been authored by me, Derek Smith. To perform this verification step, you first need to import the public key above into your system. Save the text above to a new file called derek_smith.gpg, then run gpg --import derek_smith.gpg. You know you're successful when gpg --list-keys shows the following text:

ubuntu@ss-mgmt:~$ gpg --list-keys
/home/ubuntu/.gnupg/pubring.kbx
-------------------------------
pub   nistp256 1970-01-01 [SC]
      77A10B652328FCBECEF26DA8B443E530A14E1C90
uid           [ultimate] Derek Smith <firstname.lastname@example.org>
sub   nistp256 1970-01-01 [E]

Immediately after the import the bracketed validity on the uid line reads [ unknown]; it becomes [ultimate] once you complete the trust step below. Before going further, compare the full 40-character fingerprint printed under pub with the one published here. That comparison, not the name or email in the uid, is what ties the key to me: anyone can create a key carrying my name.

Next, you want to instruct your system to trust the certificate. This helps suppress certain warning messages. Run gpg --edit-key 77A10B652328FCBECEF26DA8B443E530A14E1C90, then type trust, then press 5, which sets your system to ultimately trust the public key. (You can choose a lower trust level, but gpg will then keep warning that the key is not certified with a trusted signature. If you have a key of your own and would rather not grant someone else's key ultimate trust, the alternative is to type lsign in the same gpg --edit-key session, which locally certifies the key so it becomes valid for you without letting it vouch for other keys.) Finally, type quit to complete making changes to the certificate.
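The import and trust steps above, scripted so that the fingerprint check happens before anything is trusted. This is an added example, not a script from the original page: it assumes gpg is installed, uses the file name and fingerprint given above, and replaces the interactive trust menu with gpg's ownertrust import format.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): import the public key from a
# file, confirm its fingerprint matches the value published out of band, and
# only then mark it trusted. Assumes gpg is installed.
set -eu

# Full fingerprint published on the page above.
EXPECTED_FPR="77A10B652328FCBECEF26DA8B443E530A14E1C90"

# Extract the primary-key fingerprint from gpg's machine-readable
# (--with-colons) listing: field 10 of the first "fpr" record. The first
# fpr record follows pub; the later one belongs to the encryption subkey.
# Kept separate from gpg itself so it can be exercised on captured text.
primary_fpr() {
  awk -F: '$1 == "fpr" { print $10; exit }'
}

# Dry-run the import (show-only changes nothing in the keyring) and read
# back the fingerprint of the key the file actually contains.
fpr_of_file() {
  gpg --batch --with-colons --import-options show-only --import "$1" | primary_fpr
}

import_and_trust() {
  keyfile="$1"
  actual="$(fpr_of_file "$keyfile")"
  if [ "$actual" != "$EXPECTED_FPR" ]; then
    echo "refusing to import: $keyfile has fingerprint '$actual', expected $EXPECTED_FPR" >&2
    return 1
  fi
  gpg --batch --import "$keyfile"
  # Non-interactive equivalent of "trust" -> 5 in --edit-key. The ownertrust
  # format is FINGERPRINT:VALUE: where 6 means ultimate (5 would be full).
  printf '%s:6:\n' "$EXPECTED_FPR" | gpg --batch --import-ownertrust
}

# Constructed, abbreviated sample of the show-only listing for the key above
# (pub/fpr/uid only; a real listing also carries sub and a second fpr record,
# which primary_fpr skips by exiting after the first match).
SAMPLE_LISTING='pub:-:256:19:B443E530A14E1C90:0:::-:::scESC:::::nistp256:::0:
fpr:::::::::77A10B652328FCBECEF26DA8B443E530A14E1C90:
uid:-::::0::::Derek Smith <firstname.lastname@example.org>::::::::::0:'

# Usage: ./import_key.sh derek_smith.gpg
if [ "$#" -gt 0 ]; then
  import_and_trust "$1"
fi
```

Pinning the fingerprint in the script means a swapped or tampered key file fails closed instead of being silently imported and trusted, which is the mistake the manual procedure invites when the operator skips the comparison.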
Verifying my git commits and git tags
Now that you have imported my certificate and trusted it, you can begin to verify my code commits. Do this by running git log --show-signature. The output will show something like this:

commit ecd6b3a77de3c48b83013894e77b033deecfaf1c
gpg: Signature made Mon 06 Mar 2023 05:53:51 PM UTC
gpg:                using ECDSA key 77A10B652328FCBECEF26DA8B443E530A14E1C90
gpg: Good signature from "Derek Smith <email@example.com>" [uncertain]
Author: Derek Smith <firstname.lastname@example.org>
Date:   Mon Mar 6 12:53:51 2023 -0500

    Remove root .gitignore.

If it says Good signature from "Derek Smith <email@example.com>" and the key on the "using ECDSA key" line is 77A10B652328FCBECEF26DA8B443E530A14E1C90, you can have reasonable assurance that I produced the commit! Compare the whole fingerprint rather than just its last eight hex digits (A14E1C90): that suffix is only a 32-bit key ID, and keys with a chosen 32-bit ID can be generated cheaply, so a suffix match on its own proves little. The word in brackets after the signature line reflects the trust you assigned in the previous step, not whether the signature is cryptographically valid. To check a single commit or tag, git verify-commit <commit> and git verify-tag <tag> perform the same verification and exit non-zero on failure, which is what you want in scripts.
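The commit check described above, written as a script that pins the full fingerprint instead of eyeballing the gpg output. This is an added example, not a script from the original page: it assumes git and gpg are installed and that the public key above has already been imported; the function and file names are mine.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): verify that a commit carries a
# good signature made by exactly the expected key. Assumes git and gpg are
# installed and the signer's public key has been imported.
set -eu

# Full fingerprint of the trusted signer (from the page above).
EXPECTED_FPR="77A10B652328FCBECEF26DA8B443E530A14E1C90"

# Pure decision logic, separated from git so it can be tested on captured
# values. $1 = %G? status letter, $2 = %GF fingerprint of the signing key,
# $3 = expected fingerprint. Succeeds only for a good signature whose
# fingerprint matches in full (case-insensitively).
sig_ok() {
  s="$1"
  got="$(printf '%s' "$2" | tr 'a-f' 'A-F')"
  want="$(printf '%s' "$3" | tr 'a-f' 'A-F')"
  case "$s" in
    # G: good signature from a key gpg considers valid.
    # U: good signature, but gpg has no trust path for the key. Acceptable
    #    here because the fingerprint is pinned below, so the trust database
    #    does not have to vouch for the key (the edit-key step is optional).
    G|U) ;;
    # B bad, E cannot be checked (key missing), X/Y expired, R revoked,
    # N unsigned: all rejected.
    *) return 1 ;;
  esac
  # Whole-string comparison: a matching 8-hex-digit suffix is not enough.
  [ -n "$got" ] && [ "$got" = "$want" ]
}

# Check one commit in the current repository. For annotated tags use
# git verify-tag instead; git log reports the commit, not the tag object.
verify_commit() {
  rev="$1"
  # %G? is the signature status letter, %GF the fingerprint of the key that
  # made the signature (empty when the commit is unsigned).
  status="$(git log -1 --format='%G?' "$rev")"
  fpr="$(git log -1 --format='%GF' "$rev")"
  if sig_ok "$status" "$fpr" "$EXPECTED_FPR"; then
    echo "OK   $rev: signed by $fpr"
  else
    echo "FAIL $rev: status=$status key=${fpr:-none}" >&2
    return 1
  fi
}

# Usage: ./verify_commit.sh HEAD   (or any commit hash, branch or tag name)
if [ "$#" -gt 0 ]; then
  verify_commit "$1"
fi
```

Because the fingerprint is compared in full against a value obtained out of band, a commit signed by a different key that happens to carry the same name, or the same 32-bit key ID, fails the check even though gpg would still print "Good signature".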