gpg setup

Created: Oct 10, 2022. Published: Nov 01, 2022. Last modified: Apr 05, 2023.

Finally got my commit signing going.

---

There are a number of links backlinked to here - I should collect them into the useful bits for getting signing working through emacs on both linux and osx.

---

Pulled in most of the linked content, still not presentable, but the info is here in the roughest of forms.

some reading

git with gpg verification - I don't fully understand all the pieces, but I'm signing commits and not getting prompted every single time - should just be every once in a while.

have:

  • zsh command for signing the ssh and gpg key
  • zsh startup helper for ensuring both agents
  • emacs m-x keychain-refresh helper for adding the agents to the env

creating the keys

setting up a 2-year expiration on the primary key, with subkeys expiring in 6 months

imported only the secret subkeys and public key to osx

(brew install gpg keychain)

revoked yesterday's gpg key - it had no expiration, which I did not like

https://stackoverflow.com/questions/59664526/how-the-correct-way-to-revoke-gpg-on-key-server

signing with the keys on osx

trying to get osx to hang on to the gpg passphrase a bit longer

does not seem to be working yet

nevermind! this works, I just forgot to restart gpg-agent first

osx now supports signing for my gpg key in a native prompt. Much better than pulling up a terminal to run a command after a failed commit in magit.

unconfirmed whether signing in emacs will prompt for the same... but I think pinentry-mac is the key to that, could just figure out the emacs side if we hit it.

extending the session length

~/.gnupg/gpg-agent.conf

an hour! (* 60 60) = 3600 seconds, better than the ten-minute default when working on something

and don't forget to kill/restart the agent, since a running gpg-agent keeps its old settings until it is restarted (or told to reload its config)

keychain --clear

then re-eval your ssh/gpg sessions
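The cache settings above, plus the pinentry-mac prompt from the osx section, as one small script. This is an added example, not the page's own dotfiles: it assumes Homebrew's pinentry-mac is on PATH on the mac (on linux that line is simply left out), and the max-cache-ttl value is an assumed choice the page does not mention.

```shell
#!/bin/sh
# Added example, not the page's own dotfiles: write gpg-agent.conf with a one-hour
# passphrase cache and (on macOS) pinentry-mac as the prompt, then restart the agent.
# Assumed: Homebrew's pinentry-mac is on PATH on the mac; the 7200 max-cache-ttl is
# an assumed value, not from the page.
set -eu

# write_agent_conf DIR [DEFAULT_TTL] [MAX_TTL]
# default-cache-ttl: idle timeout in seconds, reset every time the cached passphrase
#   is used (gpg-agent's default is 600, the ten minutes the page complains about).
# max-cache-ttl: hard cap in seconds since the passphrase was typed, however busy you are.
write_agent_conf() {
    dir="$1"
    default_ttl="${2:-3600}"   # (* 60 60): one hour
    max_ttl="${3:-7200}"
    mkdir -p "$dir"
    chmod 700 "$dir"           # gpg warns about unsafe permissions otherwise
    {
        printf 'default-cache-ttl %s\n' "$default_ttl"
        printf 'max-cache-ttl %s\n' "$max_ttl"
        # pinentry-mac gives the native macOS dialog the page describes; on Linux
        # the line is left out and gpg-agent keeps its default pinentry.
        if pinentry=$(command -v pinentry-mac 2>/dev/null); then
            printf 'pinentry-program %s\n' "$pinentry"
        fi
    } > "$dir/gpg-agent.conf"
    chmod 600 "$dir/gpg-agent.conf"
}

# A running gpg-agent keeps the old cache settings until it is restarted; killing it
# also drops any cached passphrase, and the next gpg call starts a fresh agent.
# The page uses 'keychain --clear' for the same job.
restart_agent() {
    gpgconf --kill gpg-agent
}

# Only act when given a command, so the file can also be sourced for its functions.
case "${1:-}" in
    apply) write_agent_conf "${GNUPGHOME:-$HOME/.gnupg}" "${2:-3600}" "${3:-7200}"
           restart_agent ;;
    *) ;;
esac
```

`sh gpg-agent-setup.sh apply` writes the file and restarts the agent; `apply 3600 3600` makes the hard cap equal to the idle timeout if an hour is the most you ever want a passphrase held, regardless of activity. After the restart the first signature prompts once (through pinentry-mac on the mac) and the next hour of commits does not.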

subkeys expired? let's make new ones

  • added new subkeys (for sign, encrypt, auth) with the same public key
  • re-export to update github
gpg -a --export BE4E82EA1E04FFC9 > public_key.gpg # export public gpg key
xclip -selection clipboard -i < public_key.gpg # copy to clipboard (linux)
  • delete the gpg key on github and add the updated version (with more subkeys)

commits show as unverified on github while the key is removed, but they'll verify again once you add the same public key (now carrying the new subkeys) back.

  • update git 'signingkey' on local machine (~/.gitconfig)
git config --global user.signingkey 3FF04ACFC70CACD7! # update git gpg signing key

or just update the file manually. I'm not sure what the ! is doing here...

  • export secret subkeys
gpg -a --export-secret-subkeys BE4E82EA1E04FFC9 > secret_subkeys.gpg
  • add public key and secret subkeys to usb to share with laptop
mv -f public_key.gpg secret_subkeys.gpg /run/media/russ/587F-EF33/.

-f to overwrite without interactive prompt, which doesn't seem to work

  • on laptop, import public and secret subkeys (copy from usb and then run gpg --import)
gpg --import public_key.gpg
gpg --import secret_subkeys.gpg

# update git gpg signing key
git config --global user.signingkey 3FF04ACFC70CACD7!

# remove files afterwards
rm public_key.gpg secret_subkeys.gpg

after that, everything seems fine? writing commits succeeds, github marks them verified
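The creating-the-keys section and the subkey rotation steps above, collected into one script. This is an added example, not the page's own tooling: the identity, the output paths, and the key ids and dates in the constructed sample listing are placeholders, not the page's key. Beyond the page it shows the alternative to minting new subkeys (pushing the expiry out with --quick-set-expire), explains the trailing ! on the signing key id, and parses gpg's colon-format listing so you can see which subkeys have already run out before a commit fails.

```shell
#!/bin/sh
# Added example, not the page's own helper: the key layout the page describes as one
# script. Certify-only primary (2-year expiry), sign/encr/auth subkeys (6-month expiry),
# only the secret subkeys leave the desktop. UID_STR, the paths and the key ids in
# SAMPLE_LISTING are assumed placeholders.
set -eu

UID_STR="${UID_STR:-Example User <user@example.invalid>}"

# Primary key: ed25519, certify-only, expires in 2 years. Prints its fingerprint.
# gpg-agent (pinentry) still asks for the passphrase; --batch only skips the "Continue?" question.
create_primary() {
    gpg --batch --quick-generate-key "$UID_STR" ed25519 cert 2y
    gpg --list-keys --with-colons "=$UID_STR" | awk -F: '$1=="fpr" { print $10; exit }'
}

# Subkeys under the primary, each expiring in 6 months.
add_subkeys() {
    gpg --batch --quick-add-key "$1" ed25519 sign 6m
    gpg --batch --quick-add-key "$1" cv25519 encr 6m
    gpg --batch --quick-add-key "$1" ed25519 auth 6m
}

# When the subkeys run out, the alternative to minting new ones is to push the expiry
# out on the existing ones ('*' = every subkey). Either way the public key has to be
# re-exported and re-uploaded to GitHub, because the expiry lives in the self-signature.
extend_subkeys() {
    gpg --batch --quick-set-expire "$1" 6m '*'
}

# What the laptop gets: the public key plus the secret subkeys only; the primary secret
# key stays behind. The secret export is still protected by the key's passphrase.
export_for_laptop() {
    gpg -a --export "$1" > "$2/public_key.gpg"
    gpg -a --export-secret-subkeys "$1" > "$2/secret_subkeys.gpg"
}

# On the laptop: import both, then point git at the signing subkey. The trailing '!'
# is gpg syntax for "use exactly this subkey"; without it gpg picks a signing-capable
# key itself from whatever matches the id.
import_on_laptop() {
    gpg --import "$1/public_key.gpg" "$1/secret_subkeys.gpg"
    git config --global user.signingkey "$2!"
}

# Parse 'gpg --list-keys --with-colons' from stdin into "pub|sub KEYID CAPS EXPIRY".
# Field 5 is the key id, 7 the expiry as epoch seconds (empty when the key never
# expires), 12 the capability letters (s/e/a/c).
key_expiry() {
    awk -F: '$1=="pub" || $1=="sub" { print $1, $5, $12, ($7=="" ? "never" : $7) }'
}

# Key ids of subkeys whose expiry is before NOW (epoch seconds); listing on stdin.
expired_subkeys() {
    key_expiry | awk -v now="$1" '$1=="sub" && $4!="never" && $4+0 < now+0 { print $2 }'
}

# Constructed sample listing (placeholder key ids, not the page's key): the first
# subkey expired in spring 2023, the second runs to autumn 2023.
SAMPLE_LISTING='pub:u:255:22:0123456789ABCDEF:1665360000:1728432000::u:::cESCA:::::ed25519:::0:
fpr:::::::::0000000000000000000000000123456789ABCDEF:
uid:u::::1665360000::0000000000000000000000000000000000000000::Example User <user@example.invalid>::::::::::0:
sub:e:255:22:FEDCBA9876543210:1665360000:1681171200:::::s:::::ed25519::
sub:u:255:22:1111222233334444:1681171200:1696982400:::::s:::::ed25519::'

# Self-check on the constructed listing, usable without any gpg at all.
find_expired_in_sample() {
    printf '%s\n' "$SAMPLE_LISTING" | expired_subkeys "$1"
}

# Only act when given a command, so the file can also be sourced for its functions.
case "${1:-}" in
    create)  fpr=$(create_primary); add_subkeys "$fpr"; printf '%s\n' "$fpr" ;;
    extend)  extend_subkeys "$2" ;;
    export)  export_for_laptop "$2" "${3:-.}" ;;
    import)  import_on_laptop "${2:-.}" "$3" ;;
    expired) gpg --list-keys --with-colons "$2" | expired_subkeys "$(date +%s)" ;;
    *) ;;
esac
```

On the desktop: `sh gpg-keys.sh create` (prints the primary fingerprint), then `sh gpg-keys.sh export FPR /path/to/usb`; on the laptop: `sh gpg-keys.sh import /path/to/usb SIGNING_SUBKEY_ID`. `sh gpg-keys.sh expired FPR` lists the subkeys that have already lapsed, which is worth running before the six months are up. Delete the exported files on the laptop and on the USB stick afterwards; the secret subkeys are passphrase-protected in the export, but there is no reason to leave them lying around, and once the primary secret key only exists on the desktop, losing that machine means you can still revoke (if you kept a revocation certificate) but never certify new subkeys.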
