
david winter

Managing GPG with Keybase

GPG is a tool used for encryption and signing. Similar to SSH, you have a GPG key pair: a public key that you share with others and a private key that you keep to yourself. Others use your public key to encrypt messages to you and to verify your signatures; your private key is what decrypts those messages and produces the signatures.

I’ve always found it quite confusing to set up and manage, and to keep keys in sync between computers. However, having recently needed to use it again, I hope that I now have something I can use day to day without issue.

Keybase is a tool that has been around for a number of years now. Originally it had GPG at its heart, but it has since moved to its own encryption protocol, which aims to make encryption easier to use. It still supports GPG under the hood, though.

At the end of this blog post, I’ll show you how to sign your Git commits with GPG, which lets other people check that a commit really came from you rather than from someone who merely typed your name and email into their Git config. In a later blog post, I’ll discuss how to use pass (the command-line password manager, which is itself built on GPG) in a software project for managing and sharing secrets within your team.

You’ll want to make sure you have GPG and Keybase installed before proceeding.

Setting up Keybase and GPG

I’m using a Mac to do this, but most of these instructions should work just as well on Linux.

You’ll want to visit https://keybase.io/download and download the Keybase application for the platform you’re using. Once installed, run the application and sign up. This should also install the keybase command-line program.

Run:

keybase login

Once you’re logged in and your first device has been added to your account, you’ll want to create your first GPG key. Out of the box, Keybase uses its own protocol for encryption, but it supports GPG too. Since GPG is what we need for GitHub commit signing, and for pass down the line, we’ll go this route.

keybase pgp gen --multi

Follow the prompts and enter the answers to the various questions that you’re asked. When it gives the option of storing your private GPG key on Keybase, I opted for yes, as it makes using it on other devices and computers easier. Be aware of what you’re trading: saying yes pushes an encrypted copy of your private key to Keybase’s servers, so your ability to sign and decrypt then depends on your Keybase account as well as on the machines you control. If you’d rather the private key never leave hardware you own, answer no and copy it between machines yourself.

Great, you now have a GPG key!

Publishing your key outside of Keybase

While Keybase is a great solution, and it stores your public key for other users to find, not everyone uses Keybase. GPG can be used outside of Keybase with the gpg tools alone. To make your key available to those users, you’ll want to publish your public key to some of the more popular GPG key servers. That way, other users can pull down your key and use it to verify signatures from you and to encrypt things to you.

Each GPG key you have is identified by a fingerprint, a 40-character hexadecimal string (a hash of the public key). To retrieve it, list the secret keys in your keyring with:

gpg -K

You’ll see some output like:

sec   rsa4096 2019-04-17 [SC] [expires: 2035-04-13]
      3AB5D447C087FB4DD80E3FA40194134D61D5C337

Copy your own long fingerprint and use that in the following commands:

gpg --send-keys 3AB5D447C087FB4DD80E3FA40194134D61D5C337
gpg --keyserver pgp.mit.edu --send-keys 3AB5D447C087FB4DD80E3FA40194134D61D5C337
gpg --keyserver keyserver.ubuntu.com --send-keys 3AB5D447C087FB4DD80E3FA40194134D61D5C337

Along with gpg’s default keyserver, this also uploads your key to the MIT and Ubuntu servers, which are commonly used too.

Other users would then be able to retrieve your key with the command below. Note that a keyserver only distributes keys; it does not vouch for them, and anyone can upload a key carrying your name and email address. Someone fetching your key should compare the full fingerprint against a copy they got from you through another channel (your website, your Keybase profile, or in person) before trusting it.

gpg --recv-keys 3AB5D447C087FB4DD80E3FA40194134D61D5C337

Using your key on your other machines

If you have multiple computers, you’ll want to set up the key on those machines too. As you’re storing both your public and private key on Keybase, you can do this easily.

After you’ve installed Keybase and GPG on your additional machines and logged in to Keybase, you can run the following. The first command imports the public key into your local GPG keyring; the second pulls the private key you stored with Keybase and imports that too (--allow-secret-key-import is a leftover from GnuPG 1 that GnuPG 2 accepts and ignores, so it does no harm). Run gpg -K afterwards to confirm the key now shows up as a secret key on that machine.

keybase pgp export -q 3AB5D447C087FB4DD80E3FA40194134D61D5C337 | gpg --import
keybase pgp export -q 3AB5D447C087FB4DD80E3FA40194134D61D5C337 --secret | gpg --allow-secret-key-import --import

Signing your Git commits

Signing your Git commits means attaching your cryptographic signature to each commit so that others can check it definitely came from you. This matters because anyone can configure Git to use your name and email address, but only you hold your GPG private key.

If you visit your GitHub settings, select SSH and GPG keys in the left-hand menu, then click New GPG key. You’ll want to paste in the public part of your GPG key (never the private part). You can retrieve it by typing:

keybase pgp export

Once you’ve clicked Add GPG key, GitHub will be able to verify commits from you. GitHub only shows a commit as Verified when the committer email matches an email address in one of the key’s user IDs and that address is also verified on your GitHub account, so make sure the email you gave when generating the key is one GitHub knows about. Now you need to tell Git on your computer to use this key to sign commits.

Open up your Git config located at ~/.gitconfig and, under the [user] section, add the full fingerprint of your key (use the whole 40-character fingerprint rather than a short key ID, as short IDs can be collided):

signingkey = 3AB5D447C087FB4DD80E3FA40194134D61D5C337

So it should look like:

[user]
  name = David Winter
  email = i@djw.me
  signingkey = 3AB5D447C087FB4DD80E3FA40194134D61D5C337

This tells Git which key to use. To enable signing, add the following also:

[commit]
  gpgsign = true

Every commit you make from now on will be signed with your GPG key, and Git will refuse to create a commit if signing fails (for example because gpg cannot find the key named in signingkey), which is a useful early warning that something in this setup has drifted.
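Two things in this post are easy to get subtly wrong: copying the fingerprint from the gpg -K listing into signingkey, and keeping the email in [user] in step with the user ID on the key (which GitHub needs in order to show Verified). The following is an added example, not code from the original post, that checks both. It parses the machine-readable form of the listing shown earlier (gpg --with-colons -K, the form gpg intends for scripts) and cross-checks a ~/.gitconfig against it: full 40-character fingerprint, a matching secret key that has not expired, a signing-capable key or subkey, and a user.email that appears in one of the key’s user IDs. The listing is constructed sample data for the key in the post; the uid hash and subkey ID in it are made up.

```python
import configparser
import re
import time

# Constructed sample of `gpg --with-colons -K` output for the post's key
# (RSA 4096, created 2019-04-17, expires 2035-04-13). Field layout follows
# gpg's DETAILS document: index 4 key ID, 5 created, 6 expires, 11 capabilities;
# an fpr record carries the fingerprint in index 9 and a uid record the user ID
# in index 9. Dates are seconds since the epoch. The uid hash and the subkey
# ID are made up.
SAMPLE_LISTING = """\
sec:u:4096:1:0194134D61D5C337:1555459200:2060035200::u:::scESC:::+:::23::0:
fpr:::::::::3AB5D447C087FB4DD80E3FA40194134D61D5C337:
uid:u::::1555459200::0123456789ABCDEF0123456789ABCDEF01234567::David Winter <i@djw.me>::::::::::0:
ssb:u:4096:1:1122334455667788:1555459200:2060035200:::::e:::+:::23:
"""

# The ~/.gitconfig fragment from the post.
SAMPLE_GITCONFIG = """\
[user]
  name = David Winter
  email = i@djw.me
  signingkey = 3AB5D447C087FB4DD80E3FA40194134D61D5C337

[commit]
  gpgsign = true
"""

FINGERPRINT_RE = re.compile(r"^[0-9A-F]{40}$")
EMAIL_RE = re.compile(r"<([^>]+)>")


def parse_secret_keys(listing):
    """Parse `gpg --with-colons -K` output into a list of primary secret keys.

    Each entry has keyid, fingerprint, caps, expires (epoch seconds or None),
    uids (list of user ID strings) and subkeys (list of keyid/caps/expires).
    """
    keys, target = [], None
    for line in listing.splitlines():
        rec = line.split(":")
        if rec[0] == "sec":
            target = {"keyid": rec[4], "caps": rec[11],
                      "expires": int(rec[6]) if rec[6] else None,
                      "uids": [], "subkeys": []}
            keys.append(target)
        elif rec[0] == "ssb" and keys:
            target = {"keyid": rec[4], "caps": rec[11],
                      "expires": int(rec[6]) if rec[6] else None}
            keys[-1]["subkeys"].append(target)
        elif rec[0] == "fpr" and target is not None:
            target.setdefault("fingerprint", rec[9])  # belongs to the sec/ssb just seen
        elif rec[0] == "uid" and keys:
            keys[-1]["uids"].append(rec[9])
    return keys


def expires_on(key):
    """Expiry date as YYYY-MM-DD (UTC), or None if the key never expires."""
    if key["expires"] is None:
        return None
    return time.strftime("%Y-%m-%d", time.gmtime(key["expires"]))


def uid_emails(key):
    """Email addresses taken from the angle-bracket part of each user ID."""
    found = set()
    for uid in key["uids"]:
        m = EMAIL_RE.search(uid)
        if m:
            found.add(m.group(1).strip().lower())
    return found


def check_signing_config(listing, gitconfig_text, now=None):
    """Cross-check a .gitconfig against the secret keyring listing.

    Returns (ok, problems): anything that stops signing outright, or that
    leaves GitHub showing the commit as unverified.
    """
    now = time.time() if now is None else now
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(gitconfig_text)
    signingkey = cfg.get("user", "signingkey", fallback="").replace(" ", "").upper()
    email = cfg.get("user", "email", fallback="").strip().lower()
    problems = []

    if not cfg.getboolean("commit", "gpgsign", fallback=False):
        problems.append("commit.gpgsign is not true: commits will not be signed by default")
    if not FINGERPRINT_RE.match(signingkey):
        problems.append("user.signingkey should be the full 40-character fingerprint, not a short key ID")
        return False, problems

    by_fpr = {k.get("fingerprint"): k for k in parse_secret_keys(listing)}
    key = by_fpr.get(signingkey)
    if key is None:
        problems.append("no secret key with fingerprint %s in the keyring" % signingkey)
        return False, problems
    if key["expires"] is not None and key["expires"] <= now:
        problems.append("key expired on %s" % expires_on(key))
    # A lowercase 's' in the capability field marks a key or subkey that can sign.
    signers = [k for k in [key] + key["subkeys"]
               if "s" in k["caps"] and (k["expires"] is None or k["expires"] > now)]
    if not signers:
        problems.append("no unexpired signing-capable key or subkey")
    if email not in uid_emails(key):
        problems.append("user.email %s is not in any user ID on the key; GitHub will show commits as unverified" % email)
    return not problems, problems


if __name__ == "__main__":
    ok, problems = check_signing_config(SAMPLE_LISTING, SAMPLE_GITCONFIG)
    print("OK" if ok else "\n".join(problems))
```

To run it against your own setup, feed it the output of gpg --with-colons -K and the contents of ~/.gitconfig instead of the two samples. The check deliberately rejects short key IDs even though gpg would accept them, and treats a missing email match as a failure because that is the case GitHub reports as unverified rather than as an error.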