
Linux Foundation. Please read that document for more in-depth discussion
.. _`Protecting Code Integrity`: https://github.com/lfit/itpol/blob/master/protecting-code-integrit…
communication channels between developers via PGP-signed email exchange.
- Distributed source repositories (git)
- Periodic release snapshots (tarballs)
- git repositories provide PGP signatures on all tags
- tarballs provide detached PGP signatures with all downloads
-------------------------------------------
----------------------
$ gpg --version | head -n1
Configure gpg-agent options
- ``default-cache-ttl`` (seconds): If you use the same key again before
the time-to-live expires, the countdown will reset for another period.
- ``max-cache-ttl`` (seconds): Regardless of how recently you've used
the key since initial passphrase entry, if the maximum time-to-live
edit your ``~/.gnupg/gpg-agent.conf`` file to set your own values::
default-cache-ttl 1800
max-cache-ttl 7200
It is no longer necessary to start gpg-agent manually at the
-------------------------
A PGP key rarely consists of a single keypair -- usually it is a
- **[S]** keys can be used for signing
- **[E]** keys can be used for encryption
- **[A]** keys can be used for authentication
- **[C]** keys can be used for certifying other keys
subkey). All subkeys are fully independent -- a message encrypted to
- add or revoke other keys (subkeys) with S/E/A capabilities
- add, change or revoke identities (uids) associated with the key
- add or change the expiration date on itself or any subkey
- sign other people's keys for web of trust purposes
- One subkey carrying both Certify and Sign capabilities (**[SC]**)
- A separate subkey with the Encryption capability (**[E]**)
is what you will have. You can verify by running ``gpg --list-secret-keys``,
sec ed25519 2022-12-20 [SC] [expires: 2024-12-19]
ssb cv25519 2022-12-20 [E] [expires: 2024-12-19]
The long line under the ``sec`` entry is your key fingerprint --
whenever you see ``[fpr]`` in the examples below, that 40-character
--------------------------------
$ gpg --change-passphrase [fpr]
--------------------------------
$ gpg --quick-addkey [fpr] ed25519 sign
----------------------------------------------
$ gpg --export-secret-key [fpr] | paperkey -o /tmp/key-backup.txt
used to be when you had created the backup -- *guaranteed*.
Put the resulting printout and the hand-written passphrase into an envelope
and store in a secure and well-protected place, preferably away from your
your passphrase, printing out even to "cloud-integrated" modern
----------------------------------
disaster-level preparedness we did with ``paperkey``. You will also rely
on these external copies whenever you need to use your Certify key --
-- refer to your distro's documentation on how to accomplish this.
Once the encryption process is over, re-insert the USB drive and make
$ cp -a ~/.gnupg /media/disk/foo/gnupg-backup
$ gpg --homedir=/media/disk/foo/gnupg-backup --list-key [fpr]
need to use a random USB drive, and put in a safe place -- but not too
----------------------------------------
- by accident when making quick homedir copies to set up a new workstation
- by systems administrator negligence or malice
- via poorly secured backups
- via malware in desktop apps (browsers, pdf viewers, etc)
- via coercion when crossing international borders
shoulder-surfing, or any number of other means. For this reason, the
$ gpg --with-keygrip --list-key [fpr]
pub ed25519 2022-12-20 [SC] [expires: 2024-12-19]
sub cv25519 2022-12-20 [E] [expires: 2024-12-19]
sub ed25519 2022-12-20 [S]
$ cd ~/.gnupg/private-keys-v1.d
$ cd ~/.gnupg/private-keys-v1.d
Now, if you issue the ``--list-secret-keys`` command, it will show that
$ gpg --list-secret-keys
sec# ed25519 2022-12-20 [SC] [expires: 2024-12-19]
ssb cv25519 2022-12-20 [E] [expires: 2024-12-19]
ssb ed25519 2022-12-20 [S]
If you don't have the "private-keys-v1.d" directory
If you do not have a ``~/.gnupg/private-keys-v1.d`` directory, then your
``secring.gpg`` format to use ``private-keys-v1.d`` instead.
--------------------------
backup purposes -- while that USB device is plugged in and mounted, the
smartcard-capable device.
---------------------------
- `Nitrokey Start`_: Open hardware and Free Software, based on FSI
resistance to tampering or some side-channel attacks).
- `Nitrokey Pro 2`_: Similar to the Nitrokey Start, but more
tamper-resistant and offers more security features. Pro 2 supports ECC
- `Yubikey 5`_: proprietary hardware and software, but cheaper than
Nitrokey Pro and comes available in the USB-C form that is more useful
.. _`Nitrokey Start`: https://shop.nitrokey.com/shop/product/nitrokey-start-6
.. _`Nitrokey Pro 2`: https://shop.nitrokey.com/shop/product/nkpr2-nitrokey-pro-2-3
.. _`Yubikey 5`: https://www.yubico.com/products/yubikey-5-overview/
.. _Gnuk: https://www.fsij.org/doc-gnuk/
.. _`qualify for a free Nitrokey Start`: https://www.kernel.org/nitrokey-digital-tokens-for-kernel-
-------------------------------
$ gpg --card-status
there are no convenient command-line switches::
$ gpg --card-edit
Please make sure to record and store these in a safe place -- especially
----------------------------------
$ gpg --edit-key [fpr]
created: 2022-12-20 expires: 2024-12-19 usage: SC
created: 2022-12-20 expires: 2024-12-19 usage: E
created: 2022-12-20 expires: never usage: S
Using ``--edit-key`` puts us into the menu mode again, and you will
First, let's select the key we'll be putting onto the card -- you do
If you perform ``--list-secret-keys`` now, you will see a subtle
$ gpg --list-secret-keys
sec# ed25519 2022-12-20 [SC] [expires: 2024-12-19]
ssb> cv25519 2022-12-20 [E] [expires: 2024-12-19]
ssb> ed25519 2022-12-20 [S]
$ cd ~/.gnupg/private-keys-v1.d
$ strings *.key | grep 'private-key'
The output should contain ``shadowed-private-key`` to indicate that
$ echo "Hello world" | gpg --clearsign > /tmp/test.asc
$ gpg --verify /tmp/test.asc
show "Good signature" after you run ``gpg --verify``.
-----------------------------
$ export GNUPGHOME=/media/disk/foo/gnupg-backup
$ gpg --list-secret-keys
$ gpg --quick-set-expire [fpr] 1y
$ gpg --quick-set-expire [fpr] 2025-07-01
$ gpg --send-key [fpr]
$ gpg --export | gpg --homedir ~/.gnupg --import
Using gpg-agent over ssh
You can forward your gpg-agent over ssh if you need to sign tags or
commits on a remote system. Please refer to the instructions provided
- `Agent Forwarding over SSH`_
One of the core features of Git is its decentralized nature -- once a
project, including all of its tags, commits and branches. However, with
tag, while signed commits make it nearly impossible for someone to
.. _`nothing to do with it`: https://github.com/jayphelps/git-blame-someone-else
---------------------------------
$ git config --global user.signingKey [fpr]
----------------------------
To create a signed tag, simply pass the ``-s`` switch to the tag
$ git tag -s [tagname]
To verify a signed tag, simply use the ``verify-tag`` command::
$ git verify-tag [tagname]
$ git config --global tag.forceSignAnnotated true
How to work with signed commits
-------------------------------
It is easy to create signed commits, but it is much more difficult to
this reason, most kernel developers don't bother signing their commits
and will ignore signed commits in any external repositories that they
then the recommendation is that you sign all your git commits even if
2. If you ever need to re-clone your local repository (for example,
3. If someone needs to cherry-pick your commits, this allows them to
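The guide's checks for "is the Certify key gone from this host" (``sec#``), "are the subkeys on the card" (``ssb>``) and "is the full key still in the USB backup homedir" all read the human-readable ``--list-secret-keys`` output by eye. The script below is an added example, not part of the kernel guide, that automates the same checks from GnuPG's machine-readable ``--with-colons`` output. It relies on the record layout documented in GnuPG's ``doc/DETAILS`` (field 15 of a ``sec``/``ssb`` record is ``#`` for a missing secret, ``+`` for a secret on disk, or the token serial number for a card-backed key; this needs GnuPG 2.1 or later, the same generation that introduced ``private-keys-v1.d``). The key ids, serial number and user id in the sample records are constructed and not real keys:

```sh
#!/bin/sh
# Audit which secret key material is present in a GnuPG homedir, from the
# output of `gpg --with-colons --list-secret-keys` read on stdin.
# Field 15 of a sec/ssb record (GnuPG doc/DETAILS, GnuPG >= 2.1):
#   '#'   secret key missing (what is left after deleting the keygrip file)
#   '+'   secret key present on disk
#   other serial number of the smartcard holding it ("shadowed" key)
#
# Usage: audit_secret_keys MODE < colons-output
#   MODE=workstation  Certify key must be absent and every subkey on a token
#   MODE=backup       Certify key and every subkey must be present on disk
audit_secret_keys() {
    awk -F: -v mode="$1" '
    BEGIN { subs = 0; ondisk = 0; missing = 0; oncard = 0; primary = ""; keyid = "" }
    $1 == "sec" { primary = $15; keyid = $5 }
    $1 == "ssb" {
        subs++
        if ($15 == "#")      { printf "ssb %s [%s]: no secret material\n", $5, $12; missing++ }
        else if ($15 == "+") { printf "ssb %s [%s]: on disk\n", $5, $12; ondisk++ }
        else                 { printf "ssb %s [%s]: on token %s\n", $5, $12, $15; oncard++ }
    }
    END {
        if (primary == "") { print "no secret primary key found"; exit 2 }
        if (mode == "workstation") {
            if (primary != "#") { printf "sec %s: Certify key is still on this host\n", keyid; exit 1 }
            if (ondisk || missing || !subs) { print "not every subkey is on a token"; exit 1 }
            printf "sec %s: Certify key offline, %d subkey(s) on token\n", keyid, oncard
            exit 0
        }
        if (mode == "backup") {
            if (primary != "+" || ondisk != subs) { print "backup is incomplete"; exit 1 }
            printf "sec %s: full key with %d subkey(s) present in backup\n", keyid, subs
            exit 0
        }
        print "unknown mode: " mode; exit 2
    }'
}

# Constructed sample (not real keys): a workstation in the state the guide
# aims for, Certify key removed and both subkeys moved to one smartcard.
sample_workstation() {
    cat <<'EOF'
sec:u:255:22:AAAABBBBCCCCDDDD:1671494400:1734566400::u:::cESC:::#::ed25519::0:
fpr:::::::::000000000000000000000000AAAABBBBCCCCDDDD:
grp:::::::::1111000000000000000000000000000000000000:
uid:u::::1671494400::0123456789ABCDEF0123456789ABCDEF01234567::Alice Dev <adev@kernel.org>::::::::::0:
ssb:u:255:18:DDDDCCCCBBBBAAAA:1671494400:1734566400:::::e:::D2760001240103040006000000010000::cv25519::
ssb:u:255:22:EEEEFFFFGGGGHHHH:1671494400::::::s:::D2760001240103040006000000010000::ed25519::
EOF
}

# Constructed sample: the same key as it sits in the offline USB backup homedir.
sample_backup() {
    cat <<'EOF'
sec:u:255:22:AAAABBBBCCCCDDDD:1671494400:1734566400::u:::cESC:::+::ed25519::0:
ssb:u:255:18:DDDDCCCCBBBBAAAA:1671494400:1734566400:::::e:::+::cv25519::
ssb:u:255:22:EEEEFFFFGGGGHHHH:1671494400::::::s:::+::ed25519::
EOF
}

# Against real homedirs (the backup path is the one the guide uses):
#   gpg --with-colons --list-secret-keys | audit_secret_keys workstation
#   gpg --homedir /media/disk/foo/gnupg-backup --with-colons --list-secret-keys \
#       | audit_secret_keys backup
```

The ``workstation`` mode is deliberately strict: a host where the Certify key is gone but a subkey still lives on disk (the intermediate state before the card is set up) fails the check, which is what you want from something run on a schedule.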
Creating signed commits
To create a signed commit, you just need to pass the ``-S`` flag to the
``git commit`` command (it's capital ``-S`` due to collision with
$ git commit -S
Configure git to always sign commits
You can tell git to always sign commits::
$ git config --global commit.gpgSign true
Make sure you configure ``gpg-agent`` before you turn this on.
-------------------------------
(PGP-Mime or PGP-inline) tend to cause problems with regular code
headers (a-la DKIM):
- `Patatt Patch Attestation`_
the git-send-email hook in the repository you want::
$ patatt install-hook
Now any patches you send with ``git send-email`` will be automatically
$ b4 am 20220720205013.890942-1-broonie@kernel.org
---
---
Signing tags and commits is easy, but how does one go about verifying
Configure auto-key-retrieval using WKD and DANE
-----------------------------------------------
on key auto-discovery and auto-retrieval. GnuPG can piggyback on other
auto-key-locate wkd,dane,local
auto-key-retrieve
DNS-Based Authentication of Named Entities ("DANE") is a method for
respectively, before adding auto-retrieved public keys to your local
auto-retrieve the keys for Linus Torvalds and Greg Kroah-Hartman (if you
$ gpg --locate-keys torvalds@kernel.org gregkh@kernel.org
------------------------------------------------
"the SSH-like approach to trust." With SSH, the first time you connect
``trust-model`` setting in ``~/.gnupg/gpg.conf``::
trust-model tofu+pgp
------------------------------------------------
- `Kernel developer PGP Keyring`_
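``git verify-tag`` (and ``gpg --verify`` in the test-signing step earlier) prints "Good signature" as soon as the signature is cryptographically valid under *some* key in your keyring; whether that key is the one you expect, and whether the ``tofu+pgp`` trust model above actually trusts it, only shows up as a warning. The function below is an added example, not code from the kernel guide, that makes the decision from the raw GnuPG status lines (``[GNUPG:] ...``) that ``git verify-tag --raw`` and ``git verify-commit --raw`` write to stderr. It relies on the status-line format documented in GnuPG's ``doc/DETAILS``: the last field of ``VALIDSIG`` is the fingerprint of the primary key that owns the signing subkey, and the ``TRUST_*`` line is the trust model's verdict. The fingerprints, key ids and user id in the samples are constructed:

```sh
#!/bin/sh
# Accept a signature only if it is valid, made under the expected primary key,
# and trusted by the configured trust model. Reads GnuPG status lines on stdin.
# VALIDSIG fields after "[GNUPG:] VALIDSIG": <fpr> <date> <ts> <expire-ts>
#   <version> <reserved> <pubkey-algo> <hash-algo> <sig-class> <primary-fpr>
# Usage: require_trusted_sig EXPECTED_PRIMARY_FPR < status-lines
require_trusted_sig() {
    awk -v want="$1" '
    $1 != "[GNUPG:]" { next }
    $2 == "VALIDSIG" { primary = (NF >= 12) ? $12 : $3; sigkey = $3 }
    $2 == "TRUST_FULLY" || $2 == "TRUST_ULTIMATE" { trusted = 1 }
    $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPSIG" ||
    $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { hard = $2 }
    END {
        if (hard != "")    { print "reject: " hard; exit 1 }
        if (primary == "") { print "reject: no VALIDSIG line"; exit 1 }
        if (toupper(primary) != toupper(want)) {
            print "reject: signed under primary " primary ", expected " want; exit 1
        }
        if (!trusted) { print "reject: key " primary " is not trusted by the trust model"; exit 1 }
        print "accept: subkey " sigkey " of primary " primary
        exit 0
    }'
}

# Constructed status output for a good signature by a trusted key.
sample_status_good() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] KEY_CONSIDERED 000000000000000000000000AAAABBBBCCCCDDDD 0
[GNUPG:] SIG_ID abcdefghijklmnopqrstuvwxyz0 2022-12-20 1671494400
[GNUPG:] GOODSIG EEEEFFFFGGGGHHHH Alice Dev <adev@kernel.org>
[GNUPG:] VALIDSIG 111111111111111111111111EEEEFFFFGGGGHHHH 2022-12-20 1671494400 0 4 0 22 10 00 000000000000000000000000AAAABBBBCCCCDDDD
[GNUPG:] TRUST_ULTIMATE 0 tofu+pgp
EOF
}

# Constructed: same signature, but the trust model has no opinion on the key.
# git's human-readable output still says "Good signature" here, with only a
# "not certified with a trusted signature" warning from gpg.
sample_status_untrusted() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG EEEEFFFFGGGGHHHH Alice Dev <adev@kernel.org>
[GNUPG:] VALIDSIG 111111111111111111111111EEEEFFFFGGGGHHHH 2022-12-20 1671494400 0 4 0 22 10 00 000000000000000000000000AAAABBBBCCCCDDDD
[GNUPG:] TRUST_UNDEFINED 0 tofu+pgp
EOF
}

# Constructed: a tampered object, signature does not verify at all.
sample_status_badsig() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] BADSIG EEEEFFFFGGGGHHHH Alice Dev <adev@kernel.org>
EOF
}

# Against a real repository (status lines go to stderr, so swap the streams):
#   git verify-tag --raw v6.1 2>&1 >/dev/null \
#       | require_trusted_sig 000000000000000000000000AAAABBBBCCCCDDDD
```

Checking the *primary* fingerprint rather than the signing subkey is deliberate: the guide has you rotate signing subkeys, and a new ``[S]`` subkey under the same Certify key should keep verifying without changing the expected value.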