doing gpg right with github
# Purpose: create a certify-only OpenPGP primary key, add a signing subkey,
# back up and then remove the primary secret key from the laptop, and export
# the public key for GitHub.com commit-signature verification.
# This is a transcript, not a script: "$" lines are typed into your shell,
# "gpg>" lines into the gpg prompt, and the unprefixed lines are example
# output (your fingerprints and keygrips will differ).
$ brew install gnupg | |
$ gpg --full-generate-key --expert | |
# Select ECC (sign only) | |
# Select Curve 25519 | |
# Use 0 for key does not expire | |
# NOTE(review): with no expiry, the revocation certificate generated further
# down is the only way to invalidate this key if it is lost or compromised, so
# that file must really be kept. Setting an expiry (it can be extended later
# with the primary key) is the more common practitioner choice.
# Use your real name | |
# Importantly, for GitHub.com verified GPG commit signatures you MUST use | |
# an email address associated with your GitHub.com account. Unless you enjoy | |
# spam you should likely use GitHub's "no-reply" email feature documented at | |
# https://docs.github.com/en/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-email-preferences/setting-your-commit-email-address | |
# | |
# For example, C Smoke' csmoketm account is: | |
# [email protected] | |
# Verify your key exists | |
$ gpg --list-secret-keys | |
/Users/chri/.gnupg/pubring.kbx | |
------------------------------- | |
pub ed25519 2022-12-14 [C] | |
3832058A52E0BAF58B55533811C6DEE80C7949E8 | |
uid [ unknown] Chris Smok (GitHub.com key) <[email protected]> | |
# "[C]" is the Certify capability: this primary key certifies user IDs and
# subkeys. It is not the key that will sign commits; that is the "[S]" subkey
# created next, which is why the primary secret key can be taken offline later.
# We are now going to create a subkey from this primary key. | |
# Use the fingerprint above - 3832058A52E0BAF58B55533811C6DEE80C7949E8 | |
$ gpg --expert --edit-key 3832058A52E0BAF58B55533811C6DEE80C7949E8 | |
gpg> addkey | |
# Select ECC (sign only) | |
# Select Curve 25519 | |
# Use 0 for key does not expire | |
gpg> save | |
# There is now a signing-only subkey attached to the primary key. Let's | |
# back up the primary public and private keys and then create a revocation certificate. | |
$ gpg --export -a 3832058A52E0BAF58B55533811C6DEE80C7949E8 > master-public.txt | |
# NOTE(review): "--export-secrets" is not a GnuPG option; the documented one is
# "--export-secret-keys". The armored output is protected only by the key's
# passphrase (not at all if none was set), so handle the file as the secret itself.
$ gpg --export-secrets -a 3832058A52E0BAF58B55533811C6DEE80C7949E8 > master-private.txt | |
# Now let's create a revocation certificate for the primary key. | |
# Anyone holding this certificate can revoke the key, so store it as carefully
# as master-private.txt. GnuPG 2.1+ also writes one automatically under
# ~/.gnupg/openpgp-revocs.d/ at key-generation time.
$ gpg --gen-revoke 3832058A52E0BAF58B55533811C6DEE80C7949E8 > master-revocation-certificate.asc | |
# At this point please back up these files, offline and away from the laptop | |
# (the next section deletes the only other copy of the primary secret key): | |
# * master-public.txt | |
# * master-private.txt | |
# * master-revocation-certificate.asc | |
# Now we should remove the primary key's private key from the laptop. | |
# You only need the primary key's private key when generating new subkeys or | |
# changing identities. | |
# Before deleting anything, confirm the backup actually re-imports (for example
# into a throwaway directory pointed to by GNUPGHOME) so you are not removing
# your only copy.
$ gpg --list-keys --with-keygrip | |
pub ed25519 2022-12-14 [C] | |
3832058A52E0BAF58B55533811C6DEE80C7949E8 | |
Keygrip = 0AD842C98163D2935195BE2D520E9C16D098872D | |
uid [ unknown] Ch(GitHub.com key) <[email protected]> | |
sub ed25519 2022-12-14 [S] | |
Keygrip = 57E6FC91F3251304A0C762532CC5A19475EB056A | |
# The keygrip files are the private key files under ~/.gnupg/private-keys-v1.d | |
# In this case the keygrip for the primary key is 0AD842C98163D2935195BE2D520E9C16D098872D | |
# Delete the primary key's file only (the [S] subkey's keygrip file must stay).
# Afterwards "gpg --list-secret-keys" should show "sec#" for the primary key
# (the "#" marks a secret key that is not present) while the "ssb" subkey
# remains usable for signing.
$ rm -i ~/.gnupg/private-keys-v1.d/0AD842C98163D2935195BE2D520E9C16D098872D.key | |
# Let's export the public key to an ASCII-armored string we can paste into GitHub.com's UI | |
# First we have to find the subkey's fingerprint | |
$ gpg --list-keys --with-subkey-fingerprints | |
pub ed25519 2022-12-14 [C] | |
3832058A52E0BAF58B55533811C6DEE80C7949E8 | |
uid [ unknown] Christ (GitHub.com key) <[email protected]> | |
sub ed25519 2022-12-14 [S] | |
82AE8369754194A46D4F97FA23835C13ED0B4635 | |
# The line under "sub", 82AE8369754194A46D4F97FA23835C13ED0B4635, is the subkey's fingerprint. | |
# Export the public key and paste the output into GitHub.com's UI. | |
# "--export" writes public material only; never paste master-private.txt there.
# Exporting by a subkey fingerprint still yields the whole public certificate
# (primary key plus subkeys), which is what GitHub needs to verify signatures
# made with the [S] subkey.
$ gpg --export -a 82AE8369754194A46D4F97FA23835C13ED0B4635 |