##########################################################################################

       MISC-43: Set up to sign Github commits

##########################################################################################


Issue Type: Task 
-----------------------------------------------------------------------------------------

Issue Information
====================

Priority: Major					Status:      Closed
Resolution:  Done (2020-11-05 16:50:27)
Project: Miscellaneous (MISC)


Reported By: btasker					
Assigned To: btasker




Labels: Commits, Git, GnuPG, PGP, Signing, 

Time Estimate: 0 minutes
Time Logged:   0 minutes


-----------------------------------------------------------------------------------------

Issue Description
==================

I should really have set up to sign commits on Github (and other places) ages ago, but
have never quite gotten around to it.

Now seems as good a time as any to catch up

-----------------------------------------------------------------------------------------

Activity
==========

	
-----------------------------------------------------------------------------------------
2020-11-05 15:53:59              btasker
-----------------------------------------------------------------------------------------

For this I'm going to generate a new key to use for signing, and then sign that with my
main key (i.e. the one that has a public key published here -
https://www.bentasker.co.uk/about-me )
	
-----------------------------------------------------------------------------------------
2020-11-05 16:27:30              btasker
-----------------------------------------------------------------------------------------

I already have GNUPG installed, so it's just a case of creating and signing a key


-- BEGIN SNIPPET --

ben@milleniumfalcon:~$ gpg --gen-key

gpg: key 4C1EBA9B marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   4  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 4u
gpg: next trustdb check due at 2024-08-27
pub   4096R/4C1EBA9B 2020-11-05
      Key fingerprint = EFDA 29FF 1E38 9DA3 55A1  2A16 8DC6 5217 4C1E BA9B
uid                  B Tasker (Code Signing Key) <github@<Domain Hidden>>
sub   4096R/9DBA26B6 2020-11-05

 -- END SNIPPET --

For further commands, want to capture the key ID

-- BEGIN SNIPPET --

ben@milleniumfalcon:~$ MY_KEY=$(gpg --list-secret-keys --keyid-format LONG | grep ^sec |
tail -1 | cut -f 2 -d "/" | cut -f 1 -d " ")

 -- END SNIPPET --

So, we want to sign the key with my main key


-- BEGIN SNIPPET --

ben@milleniumfalcon:~$ gpg --sign-key $MY_KEY

 -- END SNIPPET --

Send the signed key to keyservers so they can be verified outside of Github if needed

-- BEGIN SNIPPET --

ben@milleniumfalcon:~$ gpg --keyserver pgp.mit.edu --send-keys $MY_KEY
gpg: sending key 4C1EBA9B to hkp server pgp.mit.edu
ben@milleniumfalcon:~$ gpg --keyserver keyserver.ubuntu.com --send-keys $MY_KEY
gpg: sending key 4C1EBA9B to hkp server keyserver.ubuntu.com

 -- END SNIPPET --

Now export it

-- BEGIN SNIPPET --

ben@milleniumfalcon:~$ gpg --armor --export "${MY_KEY}" > signing_keys.txt

 -- END SNIPPET --

Added to Github here - https://github.com/settings/keys

Time to configure git and then do a test commit

-- BEGIN SNIPPET --

ben@milleniumfalcon:~/Documents/src.old/dns.bentasker.co.uk$ git config --global
commit.gpgsign true
ben@milleniumfalcon:~/Documents/src.old/dns.bentasker.co.uk$ git config --global
tag.gpgsign true
ben@milleniumfalcon:~/Documents/src.old/dns.bentasker.co.uk$ git config --global
user.signingkey "${MY_KEY}"

 -- END SNIPPET --

Commit shows as verified -
https://github.com/bentasker/dns.bentasker.co.uk/commit/d12f725aa589ea16d1551cf8d4507cddbe307c22
	
-----------------------------------------------------------------------------------------
2020-11-05 16:27:47              
-----------------------------------------------------------------------------------------

btasker changed Project from 'Home LAN' to 'Miscellaneous'
	
-----------------------------------------------------------------------------------------
2020-11-05 16:27:47              
-----------------------------------------------------------------------------------------

btasker changed Key from 'LAN-177' to 'MISC-43'
	
-----------------------------------------------------------------------------------------
2020-11-05 16:39:42              btasker
-----------------------------------------------------------------------------------------

One change I have made - although I originally had GnuPG installed, it pushed a GUI prompt
every time my key needed unlocking - quite jarring.

So I've switched to it using a CLI based prompt

-- BEGIN SNIPPET --

sudo apt-get install pinentry-tty
sudo update-alternatives --config pinentry

 -- END SNIPPET --
	
-----------------------------------------------------------------------------------------
2020-11-05 16:48:15              btasker
-----------------------------------------------------------------------------------------

Key also uploaded to Gitlab - https://gitlab.com/-/profile/gpg_keys

Gitlab seem to have additional steps required, otherwise the GPG key shows up as
"Unverified" - need to have added the email address to the account (here:
https://gitlab.com/-/profile/emails)

Created a repo to act as a backup and pushed my DNS repo there, commit shows as verified -
https://gitlab.com/bentasker/dns.bentasker.co.uk/-/commit/d12f725aa589ea16d1551cf8d4507cddbe307c22
	
-----------------------------------------------------------------------------------------
2020-11-05 16:50:21              
-----------------------------------------------------------------------------------------

btasker added 'Commits Git GnuPG PGP Signing' to labels
	
-----------------------------------------------------------------------------------------
2020-11-05 16:50:27              
-----------------------------------------------------------------------------------------

btasker changed status from 'Open' to 'Resolved'
	
-----------------------------------------------------------------------------------------
2020-11-05 16:50:27              
-----------------------------------------------------------------------------------------

btasker added 'Done' to resolution
	
-----------------------------------------------------------------------------------------
2020-11-05 16:50:30              
-----------------------------------------------------------------------------------------

btasker changed status from 'Resolved' to 'Closed'
	
-----------------------------------------------------------------------------------------
2020-11-07 11:06:45              btasker
-----------------------------------------------------------------------------------------

I've created a repo to house copies of my keys so that the paranoid can validate for
themselves, there's a copy in both Github and Gitlab

- https://github.com/bentasker/pgp_public_keys
- https://gitlab.com/bentasker/pgp_public_keys

Which means they're ultimately also mirrored at
https://publicrepos.bentasker.co.uk/projects/pgp_public_keys.git/trees

Relevant Key IDs are

- 4C1EBA9B
- 6E08CD6F

With the following fingerprints

-- BEGIN SNIPPET --

pub   4096R/6E08CD6F 2014-08-30 B Tasker (Main Key) <ben@<Domain Hidden>>
 Primary key fingerprint: C01D 970B 3A24 1689 2C1E  D42F B7EF 7548 6E08 CD6F

pub   4096R/4C1EBA9B 2020-11-05 B Tasker (Code Signing Key) <github@<Domain Hidden>>
 Primary key fingerprint: EFDA 29FF 1E38 9DA3 55A1  2A16 8DC6 5217 4C1E BA9B

 -- END SNIPPET --