@bcomnes
Last active February 13, 2024 07:33
my version of gpg on the mac
  1. brew install gnupg pinentry-mac (this includes gpg-agent and pinentry)

  2. Generate a key: $ gpg --gen-key

  3. Take the defaults. Whatevs

  4. Tell gpg-agent to use pinentry-mac:

    $ vim ~/.gnupg/gpg-agent.conf 
    

    paste in

    # Connects gpg-agent to the OSX keychain via the brew-installed
    # pinentry program from GPGtools. This is the OSX 'magic sauce',
    # allowing the gpg key's passphrase to be stored in the login
    # keychain, enabling automatic key signing.
    pinentry-program /usr/local/bin/pinentry-mac
    # or for M1 macs
    # pinentry-program /opt/homebrew/bin/pinentry-mac
    

Also tell gpg to use the agent:

$ vim ~/.gnupg/gpg.conf

Paste in

use-agent
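
An added example, not part of the original gist, that applies the pinentry step without hand-editing the file: it picks whichever of the two Homebrew paths above exists and rewrites the `pinentry-program` line idempotently. The function names `find_pinentry` and `set_pinentry` are hypothetical.

```bash
#!/usr/bin/env bash
# Added example (not from the gist): point gpg-agent at pinentry-mac.
# find_pinentry and set_pinentry are hypothetical helper names.

# Print the first executable candidate. Defaults are the two Homebrew
# locations named in step 4 (Apple Silicon first, then Intel).
find_pinentry() {
  local p
  [ "$#" -gt 0 ] || set -- /opt/homebrew/bin/pinentry-mac /usr/local/bin/pinentry-mac
  for p in "$@"; do
    if [ -x "$p" ]; then printf '%s\n' "$p"; return 0; fi
  done
  echo "pinentry-mac not found; run: brew install pinentry-mac" >&2
  return 1
}

# set_pinentry CONF PROG: drop any existing pinentry-program line and append
# the new one, so running it twice never leaves duplicate or stale entries.
set_pinentry() {
  local conf="$1" prog="$2" tmp
  mkdir -p "$(dirname "$conf")" || return 1
  [ -f "$conf" ] || : > "$conf"
  tmp=$(mktemp "$conf.XXXXXX") || return 1
  grep -v '^[[:space:]]*pinentry-program[[:space:]]' "$conf" > "$tmp" || true
  printf 'pinentry-program %s\n' "$prog" >> "$tmp"
  chmod 600 "$tmp" && mv "$tmp" "$conf"
}

# Typical use, followed by an agent restart so the setting is re-read:
#   set_pinentry ~/.gnupg/gpg-agent.conf "$(find_pinentry)" && gpgconf --kill gpg-agent
```
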
  1. Tell git about it: https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work. Here is my git gpg config: https://github.com/bcomnes/.dotfiles/blob/master/configs/gitconfig.d/gpg

    $ gpg --list-keys
    /Users/schacon/.gnupg/pubring.gpg
    ---------------------------------
    pub   2048R/0A46826A 2014-06-04
    uid                  Scott Chacon (Git signing key) <[email protected]>
    sub   2048R/874529A9 2014-06-04
    
    $ git config --global user.signingkey 0A46826A
    
  2. Tell git that you are using gpg

    $ git config --global gpg.program gpg
    
  3. Tell github about it https://help.github.com/articles/adding-a-new-gpg-key-to-your-github-account/

  4. Restart, or kill any running gpg-agent processes. Agents that were already running will not work.

  5. Sign your commits

    $ git commit -S -m 'yolo'
    
  6. Consider signing all your commits. In ~/.gitconfig:

    [commit]
    	gpgsign = true
    

    or

    $ git config --global commit.gpgsign true
    
  7. Back up your keys to a password manager

gpg --export > public_keys.pgp
gpg --export-secret-keys > secret_keys.pgp

Store these in 1Password along with your password. You will lose this stuff otherwise.

They can be imported on a new system like so:

gpg --import < public_keys.pgp
gpg --import < secret_keys.pgp

Other considerations:

  • Store your passwords in your system keychain. Pinentry-mac provides this for you. This is a good bet, as it will help you use gpg seamlessly in your workflow every day and help prevent you from losing your gpg password. You're probably not Edward Snowden, so the security implications are not a threat to your situation. You can always harden your arrangements as your need for super duper security grows. Taking steps to use gpg every day is a massive improvement over not using it at all, which is likely what you were doing before.
  • https://gist.github.com/bmhatfield/cc21ec0a3a2df963bffa3c1f884b676b
  • https://alexcabal.com/creating-the-perfect-gpg-keypair/ <-- good background, but outdated, complicated and overly paranoid for starting out.
  • Pick a primary system, laptop or not. Use a password manager for the gory details and hard drive encryption to cover your butt if your system gets stolen. Macs are a great option for this because they have FDE and 1Password. Generate a master keypair, taking the default setup, on this primary system. Subkey out to other systems and devices. Back up your revocation cert. Remember to migrate your master key when you replace your primary system. This is a poorly documented process, so if you do go down this path eventually, write down what you did and leave a breadcrumb in the comments for others to learn 👍
  • https://www.gnupg.org/gph/en/manual.html
  • https://wiki.debian.org/Subkeys

Step 2:

UPDATE: I HAVE NO IDEA IF THIS IS A GOOD WORKFLOW. IT DIDN'T REALLY WORK FOR ME.

Creating a subkey for other systems:

List your keys:

$ gpg --list-keys
/Users/bret/.gnupg/pubring.kbx
------------------------------
pub   rsa2048 2016-04-06 [SC]
      FDA5889C6500AC85C60486F53705F4634DC3A1AC
uid           [ultimate] Bret Comnes <[email protected]>
sub   rsa2048 2016-04-06 [E]

Edit your key, passing its key ID:

$ gpg --edit-key FDA5889C6500AC85C60486F53705F4634DC3A1AC
gpg (GnuPG) 2.1.18; Copyright (C) 2017 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

sec  rsa2048/3705F4634DC3A1AC
     created: 2016-04-06  expires: never       usage: SC  
     trust: ultimate      validity: ultimate
ssb  rsa2048/D6CFDF18724163BB
     created: 2016-04-06  expires: never       usage: E   
[ultimate] (1). Bret Comnes <[email protected]>
>

Create a signing and encryption subkey with expiration dates

gpg> addkey
Please select what kind of key you want:
   (3) DSA (sign only)
   (4) RSA (sign only)
   (5) Elgamal (encrypt only)
   (6) RSA (encrypt only)
Your selection? 4
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 
Requested keysize is 2048 bits   
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 1y
Key expires at Wed Feb 21 10:46:38 2018 PST
Is this correct? (y/N) y
Really create? (y/N) y  
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

sec  rsa2048/3705F4634DC3A1AC
     created: 2016-04-06  expires: never       usage: SC  
     trust: ultimate      validity: ultimate
ssb  rsa2048/D6CFDF18724163BB
     created: 2016-04-06  expires: never       usage: E   
ssb  rsa2048/70B0BE3A1284E39F
     created: 2017-02-21  expires: 2018-02-21  usage: S   
[ultimate] (1). Bret Comnes <[email protected]>

gpg> addkey              
Please select what kind of key you want:
   (3) DSA (sign only)
   (4) RSA (sign only)
   (5) Elgamal (encrypt only)
   (6) RSA (encrypt only)
Your selection? 6
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 
Requested keysize is 2048 bits   
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 1y
Key expires at Wed Feb 21 10:47:20 2018 PST
Is this correct? (y/N) y
Really create? (y/N) y  
                      
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

sec  rsa2048/3705F4634DC3A1AC
     created: 2016-04-06  expires: never       usage: SC  
     trust: ultimate      validity: ultimate
ssb  rsa2048/D6CFDF18724163BB
     created: 2016-04-06  expires: never       usage: E   
ssb  rsa2048/70B0BE3A1284E39F
     created: 2017-02-21  expires: 2018-02-21  usage: S   
ssb  rsa2048/4BE4221F87387C35
     created: 2017-02-21  expires: 2018-02-21  usage: E   
[ultimate] (1). Bret Comnes <[email protected]>

SAVE YOUR KEY

gpg> save
$ gpg --list-keys
/Users/bret/.gnupg/pubring.kbx
------------------------------
pub   rsa2048 2016-04-06 [SC]
      FDA5889C6500AC85C60486F53705F4634DC3A1AC
uid           [ultimate] Bret Comnes <[email protected]>
sub   rsa2048 2016-04-06 [E]
sub   rsa2048 2017-02-21 [S] [expires: 2018-02-21]
sub   rsa2048 2017-02-21 [E] [expires: 2018-02-21]

You should now see your keys.

Create a copy of your ~/.gnupg folder:

cp -R ~/.gnupg ~/Downloads/subkeys

Figure out which keys you don't want on the other system:

gpg --with-keygrip --list-key FDA5889C6500AC85C60486F53705F4634DC3A1AC
pub   rsa2048 2016-04-06 [SC]
      FDA5889C6500AC85C60486F53705F4634DC3A1AC
      Keygrip = ****************************************
uid           [ultimate] Bret Comnes <[email protected]>
sub   rsa2048 2016-04-06 [E]
      Keygrip = ****************************************
sub   rsa2048 2017-02-21 [S] [expires: 2018-02-21]
      Keygrip = ****************************************
sub   rsa2048 2017-02-21 [E] [expires: 2018-02-21]
      Keygrip = ****************************************

where **************************************** corresponds to file names in the ~/.gnupg/private-keys-v1.d folder.

Delete the master signing key and the master encryption subkey that don't expire from the copy you just made in your Downloads folder. Zip/encrypt the copied folder into an archive, and securely move it to the new host.

$ zip -er subkeys-only.zip ~/Downloads/subkeys

Extract the contents to the host's ~/.gnupg folder and fix any agent config settings specific to that host, like pinentry-mac or whatever.
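
An added example, not part of the original gist, for the "figure out which keys" and "delete" steps above: it maps each key to its `private-keys-v1.d` file from GnuPG's colon-delimited listing and removes the unwanted ones from the copy only. The function names are hypothetical, the keygrips in the sample are constructed (the gist masks the real ones), and the rule "strip the primary key and any subkey without an expiry" is taken from the step above.

```bash
#!/usr/bin/env bash
# Added example (not from the gist). Function names are hypothetical.

# Constructed sample of `gpg --with-colons --with-keygrip --list-keys` output:
# key IDs and fingerprint come from the listing above, keygrips are made up.
sample_listing() {
  cat <<'EOF'
pub:u:2048:1:3705F4634DC3A1AC:1459900800:::u:::scESC:
fpr:::::::::FDA5889C6500AC85C60486F53705F4634DC3A1AC:
grp:::::::::1111111111111111111111111111111111111111:
sub:u:2048:1:D6CFDF18724163BB:1459900800::::::e:
grp:::::::::2222222222222222222222222222222222222222:
sub:u:2048:1:70B0BE3A1284E39F:1487702798:1519238798:::::s:
grp:::::::::3333333333333333333333333333333333333333:
sub:u:2048:1:4BE4221F87387C35:1487702840:1519238840:::::e:
grp:::::::::4444444444444444444444444444444444444444:
EOF
}

# Print "ACTION ROLE KEYID CAPS FILE" per key. Rule from the step above:
# strip the primary key and any subkey that never expires (empty field 7).
plan_subkey_only() {
  awk -F: '
    $1 == "pub" || $1 == "sec" { role = "primary"; id = $5; expires = $7; caps = $12; next }
    $1 == "sub" || $1 == "ssb" { role = "subkey";  id = $5; expires = $7; caps = $12; next }
    $1 == "grp" && id != "" {
      action = (role == "primary" || expires == "") ? "strip" : "keep"
      printf "%s %s %s %s %s.key\n", action, role, id, caps, $10
      id = ""
    }'
}

# apply_plan COPY_DIR: read a plan on stdin and delete the "strip" files from
# COPY_DIR/private-keys-v1.d. Refuses to run against the live GnuPG home.
apply_plan() {
  local copy="$1" live="${GNUPGHOME:-$HOME/.gnupg}" action role id caps file
  [ -d "$copy/private-keys-v1.d" ] || { echo "no private-keys-v1.d in $copy" >&2; return 1; }
  if [ "$(cd "$copy" && pwd -P)" = "$(cd "$live" 2>/dev/null && pwd -P)" ]; then
    echo "refusing to modify live keyring $live" >&2; return 1
  fi
  while read -r action role id caps file; do
    if [ "$action" = strip ]; then rm -f -- "$copy/private-keys-v1.d/$file"; fi
  done
}

# Real use, against the copy only:
#   gpg --with-colons --with-keygrip --list-keys FPR | plan_subkey_only | apply_plan ~/Downloads/subkeys
```

GnuPG's `--export-secret-subkeys` option exports the subkeys without the primary secret key, which avoids deleting key files by hand.
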

GPG will not save us.

Step 3

This seems like a good idea maybe

Publish any changes to the internet:

gpg --send-keys MASTERKEYID
@bcomnes
Author

bcomnes commented Jul 25, 2017

Good to know!

@m0rjc

m0rjc commented Jul 25, 2017

Thanks for the information.

This is working seamlessly with the GPG signing handled by a Yubikey, and PinEntry asking for the PIN for the key.

@bcomnes
Author

bcomnes commented Aug 13, 2019

Updated the commands slightly.
