I sign all public code repositories with my GPG key which you can download using the link below.
I use a Trezor-T device to perform GPG signing operations. Using a dedicated hardware device for signing, RATHER THAN a private key stored on your workstation, reduces risk in a concrete way: the key is generated on the device and never leaves it, so malware on the host can at most ask the device for a signature (which you have to confirm on the device's own screen) but cannot copy the key and sign without you. I used these instructions to enable support for the Trezor-T on my Linux host.
There are other benefits to using a Trezor-T. You can log in to VMs remotely over SSH, for instance, and it also supports FIDO U2F, which is really nice. Using a Trezor is very natural in my opinion. Plus, as a user, you get more awareness when you're committing your name (and thus reputation) to something, because the act of signing is more explicit and requires physical interaction with the device.
Did you know you can RECOVER GPG keys AND SSH keys AND your FIDO U2F keys from BIP39 seed words? Cool! This is a really underappreciated aspect of using BIP39: all keys are derived deterministically from the seed words, so restoring the seed on a replacement device reproduces exactly the same keys. The flip side is that the seed words are the root secret for every one of those keys. Anyone who obtains them can regenerate your signing key on their own device, so the written-down seed needs at least as much protection as the Trezor itself.
Importing my Public Key into your System
If you're interested in downloading any software, you should generally VERIFY that the changes to the code have been signed by a key you have good reason to believe belongs to the author. I sign all git commits and git tags with my GPG private key (the associated public key is shown above).
This allows anyone to verify that software has been authored by me, Derek Smith. To perform this verification step, you first need to import the public key above into your system. Save the text above to a new file called `derek_smith.gpg`, then run `gpg --import derek_smith.gpg`. You know you're successful when `gpg --list-keys` shows the following text:
```
pub   nistp256 1970-01-01 [SC]
      3CC6319316B613A46EEFDF778F1CD799CCA516CC
uid           [ultimate] Derek Smith <firstname.lastname@example.org>
sub   nistp256 1970-01-01 [E]
```
Next, you want to instruct your system to trust the certificate. This suppresses the `WARNING: This key is not certified with a trusted signature!` message that gpg otherwise prints on every verification. (Right after the import, the `uid` line above still reads `[ unknown]`; it changes to `[ultimate]` once this step is done.) Run `gpg --edit-key 3CC6319316B613A46EEFDF778F1CD799CCA516CC`, then type `trust` and press `5`, which sets your system to ultimately trust the public key. (You can choose a lower trust level, but you will get warning messages.) Finally, type `quit` to finish making changes to the certificate.

Be aware of what ultimate trust means: GnuPG then treats the key exactly as if it were your own, so any other key it certifies also becomes fully valid in your keyring without further checks. If all you want is to verify my commits, the more conservative option is to certify the key locally with your own key instead (type `lsign` in the same `gpg --edit-key` session, or run `gpg --quick-lsign-key 3CC6319316B613A46EEFDF778F1CD799CCA516CC`). That also removes the warning, but only for this one key, and it requires that you have a key of your own. In either case, compare the full fingerprint against a copy obtained through a second channel before you extend any trust to it.
Verifying my git commits and git tags
Now that you have imported my certificate and trusted it, you can begin to verify my code commits. Do this by running `git log --show-signature`. The output will show something like this:
```
commit e2a3e6e50a56396bf4b6cc6ba0c1d08ae645bfdf (HEAD -> master, tag: v0.0.11)
gpg: Signature made Fri 17 Dec 2021 12:22:28 PM EST
gpg:                using ECDSA key 3CC6319316B613A46EEFDF778F1CD799CCA516CC
gpg: Good signature from "Derek Smith <email@example.com>" [uncertain]
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
Author: Derek Smith <firstname.lastname@example.org>
Date:   Fri Dec 17 12:22:28 2021 -0500

    Creating commit on Fri Dec 17 12:22:28 PM EST 2021.

    Signed-off-by: Derek Smith <email@example.com>
```
If it says `Good signature from "Derek Smith <firstname.lastname@example.org>"` and the key is `3CC6319316B613A46EEFDF778F1CD799CCA516CC`, you can have reasonable assurance that I produced the commit! Compare the whole 40-character fingerprint, not just the last eight characters (`CCA516CC`): short key IDs are cheap to collide, and anyone can generate a key carrying my name and e-mail address. `Good signature` only means the signature is valid for some key in your keyring; the fingerprint is what ties it to me. The same check applies to tags: `git verify-tag v0.0.11` (or `git tag -v v0.0.11`) verifies a tag, and `git verify-commit <hash>` checks a single commit.
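The manual check above can be turned into a gate that refuses a whole revision range unless every commit carries a good signature from one pinned fingerprint. The script below is an added example written for this page; it is not the page author's tooling. It relies on git's `%G?` (signature status letter) and `%GP` (primary key fingerprint) log placeholders, which need git 2.19 or newer, and on `git verify-tag --raw`, which prints gpg's machine-readable status lines on stderr. The pinned fingerprint is the one quoted on this page; the function names `check_line`, `check_lines`, `check_tag_status`, `verify_range` and `verify_tag` are this example's own, and the sample status lines used in comments are constructed, not captured from a real repository.

```shell
#!/bin/sh
# Added example (not the page's own script): refuse a revision range or a tag
# unless it is signed by one pinned key.  Needs git >= 2.19 for %G? / %GP.
# Usage:  ./verify_pinned.sh v0.0.10..v0.0.11
#         ./verify_pinned.sh --tag v0.0.11

# Fingerprint quoted on this page; replace it with one you verified out of band.
PINNED_FPR="3CC6319316B613A46EEFDF778F1CD799CCA516CC"

# check_line "<hash> <status> <primary-fingerprint>" "<pinned fingerprint>"
# Judges one line of `git log --format='%H %G? %GP'`.  Returns 0 only for a
# good signature (G, or U = good but gpg considers the key's validity unknown)
# made by the pinned key; every other status letter is a failure.
check_line() {
    pinned=$2
    # `read` splits on whitespace; the fingerprint field is empty for N/E lines.
    read -r hash status fpr <<EOF
$1
EOF
    case "${status:-N}" in
        G|U)
            if [ "$fpr" = "$pinned" ]; then
                echo "OK   $hash signed by pinned key"
                return 0
            fi
            echo "FAIL $hash good signature, but from key ${fpr:-<none>} (not pinned)"
            return 1 ;;
        N)     echo "FAIL $hash is not signed"; return 1 ;;
        B)     echo "FAIL $hash has a BAD signature"; return 1 ;;
        E)     echo "FAIL $hash cannot be checked (key not in keyring?)"; return 1 ;;
        X|Y|R) echo "FAIL $hash signed by an expired or revoked key ($status)"; return 1 ;;
        *)     echo "FAIL $hash unexpected signature status '$status'"; return 1 ;;
    esac
}

# check_lines <pinned>: reads those log lines on stdin, fails if any commit fails.
check_lines() {
    pinned=$1
    bad=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        check_line "$line" "$pinned" || bad=$((bad + 1))
    done
    [ "$bad" -eq 0 ]
}

# check_tag_status <pinned>: reads the raw gpg status lines that
# `git verify-tag --raw` prints on stderr, e.g. (constructed sample)
#   [GNUPG:] VALIDSIG <fpr> 2021-12-17 1639761748 0 4 0 19 8 00 <primary-fpr>
# and accepts the tag only when a VALIDSIG line names the pinned fingerprint.
# A human-readable "Good signature" line alone would not prove which key signed.
check_tag_status() {
    pinned=$1
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] VALIDSIG $pinned "*) return 0 ;;
        esac
    done
    return 1
}

# Wrappers that actually invoke git (these are what you run against a repo).
verify_range() { git log --format='%H %G? %GP' "$2" | check_lines "$1"; }
verify_tag()   { git verify-tag --raw "$2" 2>&1 >/dev/null | check_tag_status "$1"; }

if [ "${1:-}" = "--tag" ] && [ -n "${2:-}" ]; then
    verify_tag "$PINNED_FPR" "$2"
elif [ -n "${1:-}" ]; then
    verify_range "$PINNED_FPR" "$1"
fi
```

Two design choices are deliberate. Status `U` is accepted, because once you pin the fingerprint yourself the gpg trust model adds nothing; the pin is the trust decision, so the script works whether or not you completed the `trust` step above. Status `E` is rejected rather than skipped, because it usually means the public key was never imported, and silently passing unverifiable commits would defeat the purpose of the gate.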
How I create git commits and git tags
In most of my public git repos, I run the following script. It creates a signed git commit from the staged changes, then a signed annotated tag, and pushes both. The script is ASSUMED to live in, and be run from, the working directory of the git repo you expect to commit to.
```bash
#!/bin/bash
# this script will commit the staged changes, tag the repo, then push it to origin
set -euo pipefail

TAG_NAME=v0.0.12
COMMIT_MESSAGE="Creating commit on $(date)."
TAG_MESSAGE="Creating tag $TAG_NAME on $(date)."

# create a git commit with the staged changes.
# -S is --gpg-sign; -s is --signoff and only adds the Signed-off-by trailer.
# (commit.gpgsign = true in ~/.gitconfig also signs, but -S makes it explicit.)
git commit -S -m "$COMMIT_MESSAGE" -s
# for git tag, -s is --sign: create a GPG-signed annotated tag
git tag -a "$TAG_NAME" -m "$TAG_MESSAGE" -s

# optional; push to remote
git push --all
git push --tags
```
When I run the script above, my Trezor lights up to ask for the PIN (if locked), then prompts me to confirm the GPG signature on the git commit and again on the git tag. That's it! Git repos are now signed with Trezor-backed PGP keys.
Note that before running the above script, you should configure git to use the specified GPG key. Edit `~/.gitconfig` to contain the following:
```
[user]
    name = Derek Smith
    email = email@example.com
    signingkey = 3CC6319316B613A46EEFDF778F1CD799CCA516CC
[commit]
    gpgsign = true
```
Of course, if you're the one making the commits, update the information above to your own key. Give `signingkey` as the full fingerprint, as above, rather than a short key ID, so there is no ambiguity about which key git asks gpg to use. Git does not require `name` and `email` to match the key, but it always helps when they do: anyone inspecting the commit (and forges that display signature status) compares the committer e-mail with the key's user IDs, and a mismatch looks suspicious. With `commit.gpgsign = true` every commit is signed automatically; `git tag` still needs `-s` unless you also set `[tag] gpgSign = true` (git 2.23 or later).
Push changes (optional)
From there, you can optionally run `git push --all` and `git push --tags` to push commits and tags to the current git remote (run