grenade · November 9, 2024 20:40 · cassie-nahar · Dec 1, 2020 · tornikesharia · Feb 14, 2021
diff --git a/01-generate-ed25519-ssh-key.sh b/01-generate-ed25519-ssh-key.sh
 #!/bin/bash

 # generate new personal ed25519 ssh keys
 ssh-keygen -o -a 100 -t ed25519 -f ~/.ssh/id_ed25519 -C "rob thijssen <[email protected]>"
 ssh-keygen -o -a 100 -t ed25519 -f ~/.ssh/id_robtn -C "rob thijssen <[email protected]>"

 # generate new host cert authority (host_ca) ed25519 ssh key
 # used for signing host keys and creating host certs
 ssh-keygen -t ed25519 -f manta_host_ca -C manta.network

 eval "$(ssh-agent -s)"
 ssh-add ~/.ssh/id_ed25519

 # set local file permissions
 chmod 700 ~/.ssh
 chmod 644 ~/.ssh/authorized_keys
 chmod 644 ~/.ssh/known_hosts
 chmod 644 ~/.ssh/config
 chmod 600 ~/.ssh/id_ed25519
 chmod 644 ~/.ssh/id_ed25519.pub
 chmod 600 ~/.ssh/id_robtn
 chmod 644 ~/.ssh/id_robtn.pub

 # add key(s) to git/github
 git config --global core.sshCommand "ssh -i ~/.ssh/id_robtn -F /dev/null"
 # sudo dnf config-manager --add-repo https://cli.github.com/packages/rpm/gh-cli.repo
 # sudo dnf install gh
 gh ssh-key add ~/.ssh/id_ed25519.pub
 gh ssh-key add ~/.ssh/id_robtn.pub
diff --git a/02-backup-gpg-key.sh b/02-backup-gpg-key.sh
 #!/bin/bash

 # usage
 # $ curl -sL https://gist.github.com/grenade/6318301/raw/02-backup-gpg-key.sh?$(uuidgen) | bash

 backup_dir=${HOME}/key-backup

 # backup old gpg key
 key_name="Rob Thijssen (https://grenade.github.io) <[email protected]>"
 key_fingerprint=$(if [[ $(gpg --list-keys "${key_name}") =~ ([A-F0-9]{40}) ]]; then echo ${BASH_REMATCH[1]}; fi)
 if [ -n "${key_fingerprint}" ]; then
  timestamp=$(date -u --iso-8601)
  mkdir -p ${backup_dir}/${timestamp}/${key_fingerprint}
  gpg --export --armor ${key_fingerprint} > ${backup_dir}/${timestamp}/${key_fingerprint}/public.asc
  gpg --export-secret-keys --armor ${key_fingerprint} > ${backup_dir}/${timestamp}/${key_fingerprint}/private.asc
  gpg --export-secret-subkeys --armor ${key_fingerprint} > ${backup_dir}/${timestamp}/${key_fingerprint}/subkeys.private.asc
  gpg --export-ownertrust > ${backup_dir}/${timestamp}/${key_fingerprint}/ownertrust.txt
  tar -C ~/ -zcvf ${backup_dir}/${timestamp}/${key_fingerprint}/.gnupg.tar.gz .gnupg
 fi
diff --git a/03-generate-ed25519-gpg-key.sh b/03-generate-ed25519-gpg-key.sh
 #!/bin/bash

 # references:
 # - https://blog.josefsson.org/tag/ed25519/
 # - https://www.gnupg.org/documentation/manuals/gnupg/OpenPGP-Key-Management.html

 # use a new and unique key name.
 # it will be necessary to have both old and new keys while transitioning.
 # eg: for password-store re-encryption.
 old_key_name="Rob Thijssen (https://grenade.github.io) <[email protected]>"
 new_key_name="rob thijssen <[email protected]>"

 # generate ed25519 master key with no expiration
 gpg --quick-generate-key "${new_key_name}" ed25519 sign 0

 old_key_fingerprint=$(if [[ $(gpg --list-keys "${old_key_name}") =~ ([A-F0-9]{40}) ]]; then echo ${BASH_REMATCH[1]}; fi)
 new_key_fingerprint=$(if [[ $(gpg --list-keys "${new_key_name}") =~ ([A-F0-9]{40}) ]]; then echo ${BASH_REMATCH[1]}; fi)

 if [ -n "${new_key_fingerprint}" ]; then
  # generate elyptic curve encryption sub-key with no expiration
  gpg --quick-add-key ${new_key_fingerprint} cv25519 encr 0

  # generate ed25519 authentication sub-key with no expiration
  gpg --quick-add-key ${new_key_fingerprint} ed25519 auth 0

  # generate ed25519 signing sub-key with no expiration
  gpg --quick-add-key ${new_key_fingerprint} ed25519 sign 0
  
  # sign the new key with the old key
  gpg --default-key ${old_key_fingerprint} --sign-key ${new_key_fingerprint}
  # optionally sign the old key with the new key
  # gpg --default-key ${new_key_fingerprint} --sign-key ${old_key_fingerprint}
  
  # wip. don't use this.
  # touch transition-statement.md
  # gpg --digest-algo SHA512 --default-key ${new_key_fingerprint} --clearsign transition-statement.md
  
  # tell git about signing key
  # https://docs.github.com/en/github/authenticating-to-github/telling-git-about-your-signing-key
  new_signing_key_id=$(if [[ $(gpg --list-secret-keys --keyid-format LONG ${new_key_fingerprint}) =~ ed25519/([A-F0-9]{16})[[:space:]]202[1-9]-[01][0-9]-[0-3][0-9][[:space:]]\[S\] ]]; then echo ${BASH_REMATCH[1]}; fi)
  git config --global user.signingkey ${new_signing_key_id}
 fi
diff --git a/notes.md b/notes.md
diff --git a/z-deprecated-rsa-generate-ssh-key.sh b/z-deprecated-rsa-generate-ssh-key.sh
 ssh-keygen -t rsa -b 4096 -N '' -C "[email protected]" -f ~/.ssh/id_rsa
 ssh-keygen -t rsa -b 4096 -N '' -C "[email protected]" -f ~/.ssh/github_rsa
 ssh-keygen -t rsa -b 4096 -N '' -C "[email protected]" -f ~/.ssh/mozilla_rsa
diff --git a/z-deprecated-rsa-ssh-key-add.sh b/z-deprecated-rsa-ssh-key-add.sh
 eval "$(ssh-agent -s)"
 ssh-add ~/.ssh/id_rsa
 ssh-add ~/.ssh/github_rsa
 ssh-add ~/.ssh/mozilla_rsa
diff --git a/z-deprecated-ssh-key-permissions.sh b/z-deprecated-ssh-key-permissions.sh
 chmod 700 ~/.ssh
 chmod 644 ~/.ssh/authorized_keys
 chmod 644 ~/.ssh/known_hosts
 chmod 644 ~/.ssh/config
 chmod 600 ~/.ssh/id_rsa
 chmod 644 ~/.ssh/id_rsa.pub
 chmod 600 ~/.ssh/github_rsa
 chmod 644 ~/.ssh/github_rsa.pub
 chmod 600 ~/.ssh/mozilla_rsa
 chmod 644 ~/.ssh/mozilla_rsa.pub
	#!/bin/bash

	# generate new personal ed25519 ssh keys
	ssh-keygen -o -a 100 -t ed25519 -f ~/.ssh/id_ed25519 -C "rob thijssen <[email protected]>"
	ssh-keygen -o -a 100 -t ed25519 -f ~/.ssh/id_robtn -C "rob thijssen <[email protected]>"

	# generate new host cert authority (host_ca) ed25519 ssh key
	# used for signing host keys and creating host certs
	ssh-keygen -t ed25519 -f manta_host_ca -C manta.network

	eval "$(ssh-agent -s)"
	ssh-add ~/.ssh/id_ed25519

	# set local file permissions
	chmod 700 ~/.ssh
	chmod 644 ~/.ssh/authorized_keys
	chmod 644 ~/.ssh/known_hosts
	chmod 644 ~/.ssh/config
	chmod 600 ~/.ssh/id_ed25519
	chmod 644 ~/.ssh/id_ed25519.pub
	chmod 600 ~/.ssh/id_robtn
	chmod 644 ~/.ssh/id_robtn.pub

	# add key(s) to git/github
	git config --global core.sshCommand "ssh -i ~/.ssh/id_robtn -F /dev/null"
	# sudo dnf config-manager --add-repo https://cli.github.com/packages/rpm/gh-cli.repo
	# sudo dnf install gh
	gh ssh-key add ~/.ssh/id_ed25519.pub
	gh ssh-key add ~/.ssh/id_robtn.pub
	#!/bin/bash

	# usage
	# $ curl -sL https://gist.github.com/grenade/6318301/raw/02-backup-gpg-key.sh?$(uuidgen) \| bash

	backup_dir=${HOME}/key-backup

	# backup old gpg key
	key_name="Rob Thijssen (https://grenade.github.io) <[email protected]>"
	key_fingerprint=$(if [[ $(gpg --list-keys "${key_name}") =~ ([A-F0-9]{40}) ]]; then echo ${BASH_REMATCH[1]}; fi)
	if [ -n "${key_fingerprint}" ]; then
	timestamp=$(date -u --iso-8601)
	mkdir -p ${backup_dir}/${timestamp}/${key_fingerprint}
	gpg --export --armor ${key_fingerprint} > ${backup_dir}/${timestamp}/${key_fingerprint}/public.asc
	gpg --export-secret-keys --armor ${key_fingerprint} > ${backup_dir}/${timestamp}/${key_fingerprint}/private.asc
	gpg --export-secret-subkeys --armor ${key_fingerprint} > ${backup_dir}/${timestamp}/${key_fingerprint}/subkeys.private.asc
	gpg --export-ownertrust > ${backup_dir}/${timestamp}/${key_fingerprint}/ownertrust.txt
	tar -C ~/ -zcvf ${backup_dir}/${timestamp}/${key_fingerprint}/.gnupg.tar.gz .gnupg
	fi
	#!/bin/bash

	# references:
	# - https://blog.josefsson.org/tag/ed25519/
	# - https://www.gnupg.org/documentation/manuals/gnupg/OpenPGP-Key-Management.html

	# use a new and unique key name.
	# it will be necessary to have both old and new keys while transitioning.
	# eg: for password-store re-encryption.
	old_key_name="Rob Thijssen (https://grenade.github.io) <[email protected]>"
	new_key_name="rob thijssen <[email protected]>"

	# generate ed25519 master key with no expiration
	gpg --quick-generate-key "${new_key_name}" ed25519 sign 0

	old_key_fingerprint=$(if [[ $(gpg --list-keys "${old_key_name}") =~ ([A-F0-9]{40}) ]]; then echo ${BASH_REMATCH[1]}; fi)
	new_key_fingerprint=$(if [[ $(gpg --list-keys "${new_key_name}") =~ ([A-F0-9]{40}) ]]; then echo ${BASH_REMATCH[1]}; fi)

	if [ -n "${new_key_fingerprint}" ]; then
	# generate elyptic curve encryption sub-key with no expiration
	gpg --quick-add-key ${new_key_fingerprint} cv25519 encr 0

	# generate ed25519 authentication sub-key with no expiration
	gpg --quick-add-key ${new_key_fingerprint} ed25519 auth 0

	# generate ed25519 signing sub-key with no expiration
	gpg --quick-add-key ${new_key_fingerprint} ed25519 sign 0

	# sign the new key with the old key
	gpg --default-key ${old_key_fingerprint} --sign-key ${new_key_fingerprint}
	# optionally sign the old key with the new key
	# gpg --default-key ${new_key_fingerprint} --sign-key ${old_key_fingerprint}

	# wip. don't use this.
	# touch transition-statement.md
	# gpg --digest-algo SHA512 --default-key ${new_key_fingerprint} --clearsign transition-statement.md

	# tell git about signing key
	# https://docs.github.com/en/github/authenticating-to-github/telling-git-about-your-signing-key
	new_signing_key_id=$(if [[ $(gpg --list-secret-keys --keyid-format LONG ${new_key_fingerprint}) =~ ed25519/([A-F0-9]{16})[[:space:]]202[1-9]-[01][0-9]-[0-3][0-9][[:space:]]\[S\] ]]; then echo ${BASH_REMATCH[1]}; fi)
	git config --global user.signingkey ${new_signing_key_id}
	fi
	ssh-keygen -t rsa -b 4096 -N '' -C "[email protected]" -f ~/.ssh/id_rsa
	ssh-keygen -t rsa -b 4096 -N '' -C "[email protected]" -f ~/.ssh/github_rsa
	ssh-keygen -t rsa -b 4096 -N '' -C "[email protected]" -f ~/.ssh/mozilla_rsa
	eval "$(ssh-agent -s)"
	ssh-add ~/.ssh/id_rsa
	ssh-add ~/.ssh/github_rsa
	ssh-add ~/.ssh/mozilla_rsa