Last week I joined the OpenSearch Team at AWS, a community-driven, open source fork of Elasticsearch and Kibana (read more about it here).
Security is always our top priority at AWS, so I had to learn some new development best practices in this area. One of my colleagues, Apache contributor @nknize, has been signing his commits with GPG. I decided to add my work e-mail address to my existing GPG key and set up git signing as well.
Generating Keys
If you don’t already have a key, install gpg2 (e.g. brew install gpg) and follow the instructions in this doc. It will tell you to run gpg --full-generate-key.
You can list keys with gpg --list-secret-keys --keyid-format LONG and note the key ID. In my example the key ID is 75BF031B7C94E183.
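Reading the listing is the one step people get wrong, so here is an added example (not from the original post) that pulls the long key ID out of the output of gpg --list-secret-keys --keyid-format LONG. SAMPLE_LISTING is constructed output; the fingerprint in it is made up, and only its last 16 hex digits, the long ID from the post, mean anything. It also shows that the 8-character short ID used for the backup file name later in the post (7C94E183) is just the tail of the long one; short IDs are convenient for file names but too short to identify a key safely, so use the long ID or the full fingerprint wherever a key is actually verified.

```shell
# Added example (not from the original post): extract the long key ID from the
# listing printed by `gpg --list-secret-keys --keyid-format LONG`.
# SAMPLE_LISTING is constructed; the fingerprint is made up and only its last
# 16 hex digits (the long key ID from the post) are meaningful.
SAMPLE_LISTING='/Users/example/.gnupg/pubring.kbx
--------------------------------
sec   rsa4096/75BF031B7C94E183 2021-04-26 [SC]
      00000000000000000000000075BF031B7C94E183
uid                 [ultimate] Example User <user@example.com>
ssb   rsa4096/0000000000000001 2021-04-26 [E]'

# Print the long key ID of every primary secret key found on stdin.
# The field after "sec" is "algo/KEYID". gpg prints "sec#" when the secret
# part is kept offline, so match on the prefix rather than the exact word.
primary_key_ids() {
  awk '$1 ~ /^sec/ { split($2, a, "/"); print a[2] }'
}

# The 8-character "short" ID is just the tail of the long one. Fine for a file
# name, not for verification: short IDs are far too easy to collide.
short_key_id() {
  printf '%s\n' "$1" | sed 's/.*\(........\)$/\1/'
}

# Run the two helpers over the constructed listing.
key_id_demo() {
  id=$(printf '%s\n' "$SAMPLE_LISTING" | primary_key_ids)
  printf 'long: %s  short: %s\n' "$id" "$(short_key_id "$id")"
}
```

Pipe the real command into primary_key_ids to get the ID without copying it by hand: gpg --list-secret-keys --keyid-format LONG | primary_key_ids.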
Backing up Keys
I export and store a copy of my GPG keys in Dropbox and store the private key passphrase in 1Password. The latter is required to export or import a private key (gpg will prompt you).
Adding my Work E-Mail
I only have one identity, but multiple e-mails. I decided to add my work e-mail to my GPG key (YMMV) as explained here.
My key now has both my personal and work e-mail addresses.
I then exported the public key with gpg -a --export 3AA5C34371567BD2 and added it to my GitHub account.
Signing Git Commits
I wanted to enable commit signing globally to avoid having to constantly append -S to git commit, and added the following settings to my dotfiles.
Checking it Out
Commit signatures appear in git log --show-signature.
And you can see a nice icon next to verified commits on GitHub!
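The post does not show the dotfile settings, so here is an added example of what global signing looks like, written by me rather than taken from the author's dotfiles. It assumes the long key ID 75BF031B7C94E183 from earlier in the post (substitute your own) and the brew-installed gpg binary. The second half is the check I would want beside "git log --show-signature": a small filter over git's %G? signature status that lists every commit in a range without a good signature, which is the thing to run before merging someone else's branch rather than eyeballing icons on GitHub.

```shell
# Added example, not the author's dotfiles. Assumes the long key ID
# 75BF031B7C94E183 from earlier in the post; substitute your own.
SIGNING_KEY="${SIGNING_KEY:-75BF031B7C94E183}"

# Global settings so that a plain "git commit" (and "git tag -a") signs
# without -S. gpg.program points git at the brew-installed gpg binary.
enable_commit_signing() {
  git config --global user.signingkey "$SIGNING_KEY"
  git config --global commit.gpgsign true
  git config --global tag.gpgSign true
  git config --global gpg.program gpg
}

# Read "<hash> <status>" lines, as produced by git log --format='%H %G?',
# and print the ones that do NOT carry a good signature from a trusted key.
# %G? codes: G good, U good but untrusted key, X/Y/R good but expired or
# revoked, B bad, E could not be checked (key missing), N not signed.
unsigned_commits() {
  awk '$2 != "G" { print $1 " " $2 }'
}

# Check a range before merging, e.g. check_range origin/main..HEAD;
# returns non-zero and lists the offenders if any commit is not cleanly signed.
check_range() {
  bad=$(git log --format='%H %G?' "$1" | unsigned_commits)
  [ -z "$bad" ] || { printf '%s\n' "$bad"; return 1; }
}
```

Note that "U" (good signature, untrusted key) is treated as a failure here: the signature verifies, but gpg has no trust path to the key, which is exactly the case where a key someone uploaded to GitHub under a colleague's name has not actually been checked by you.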
Now, how do I get verified on Twitter?!
Passphrase
I find it annoying to have to re-enter the passphrase every few minutes. Put the following into ~/.gnupg/gpg-agent.conf to set the timeout to a day’s worth.
Restart gpg-agent with gpgconf --kill gpg-agent.
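The settings themselves are missing from the page, so here is an added example (mine, not the author's file) that writes the two gpg-agent cache options, default-cache-ttl and max-cache-ttl, for a day (86400 seconds) and restarts the agent. It honours $GNUPGHOME so it can be tried against a scratch directory first. The trade-off worth knowing: while the passphrase is cached, anything running as your user can sign with the key without being asked, so the cache length is really a statement about how long you are willing to leave the key unlocked on that machine.

```shell
# Added example (not the author's file): set gpg-agent's passphrase cache to
# the given number of seconds (default one day) and restart the agent.
# default-cache-ttl is refreshed on every use; max-cache-ttl caps the total
# time since the passphrase was last typed, so both are set to the same value.
write_agent_ttl() {
  ttl="${1:-86400}"
  dir="${GNUPGHOME:-$HOME/.gnupg}"
  mkdir -p "$dir" && chmod 700 "$dir"
  conf="$dir/gpg-agent.conf"
  # Drop any earlier ttl lines and append ours, so re-running stays idempotent.
  if [ -f "$conf" ]; then
    grep -v -e '^default-cache-ttl' -e '^max-cache-ttl' "$conf" > "$conf.tmp" || true
  else
    : > "$conf.tmp"
  fi
  printf 'default-cache-ttl %s\nmax-cache-ttl %s\n' "$ttl" "$ttl" >> "$conf.tmp"
  mv "$conf.tmp" "$conf"
  # gpgconf is the supported way to restart the agent; it is respawned on demand.
  if command -v gpgconf >/dev/null 2>&1; then
    gpgconf --kill gpg-agent || true
  fi
}
```

Run write_agent_ttl with no argument for the day-long timeout from the post, or e.g. write_agent_ttl 3600 on a shared machine.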
New Computer
Import the key on a new computer.
If you get the errors gpg: no valid OpenPGP data found. and gpg: Total number processed: 0, this is a very obtuse way for GPG to tell you that the contents of the file you’re trying to import are invalid. In my case gpg --import ~/Dropbox/Personal/7C94E183.gpg was failing because the file had not been synced to my local drive from Dropbox.
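As an added example (not from the post), here is the pre-check I would wrap around gpg --import so that the unsynced-file case above is reported in plain words. It rejects a missing or empty file outright, then looks at the first bytes: an armored export from gpg -a starts with a BEGIN PGP line, and a binary export starts with a key packet whose tag byte is 0x94-0x9B (old format) or 0xC5/0xC6 (new format). Anything else is not a key export, whatever its extension says.

```shell
# Added example (not from the post): sanity-check a key export before importing
# it, so a missing or unsynced file gets a clear message instead of
# "gpg: no valid OpenPGP data found". Prints "armored" or "binary" and returns 0
# when the file plausibly holds OpenPGP data, otherwise returns 1.
check_key_file() {
  f="$1"
  if [ ! -f "$f" ]; then
    echo "$f: missing (not synced from the cloud drive yet?)" >&2; return 1
  fi
  if [ ! -s "$f" ]; then
    echo "$f: empty (placeholder left by the sync client?)" >&2; return 1
  fi
  # gpg -a --export writes ASCII armor, which begins with a BEGIN PGP line.
  if head -n 1 "$f" | grep -q '^-----BEGIN PGP'; then
    echo armored; return 0
  fi
  # A binary export begins with a key packet. Old-format tag bytes are
  # 0x94-0x97 (secret key) and 0x98-0x9B (public key); new-format are 0xC5/0xC6.
  first=$(od -An -tx1 -N1 "$f" | tr -d ' \n')
  case "$first" in
    9[4-9]|9[ab]|c5|c6) echo binary; return 0 ;;
  esac
  echo "$f: does not start like an OpenPGP key export" >&2
  return 1
}

# Import only after the check passes; usage: import_key ~/path/to/KEYID.gpg
import_key() {
  check_key_file "$1" >/dev/null && gpg --import "$1"
}
```

The check is deliberately shallow: it tells the file-isn't-there problem apart from a real gpg problem, and leaves the actual parsing to gpg.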
Troubleshooting
If you’re having trouble with gpg, try echo "test" | gpg --clearsign to get a better error. If it complains that gpg-agent is not started, run gpg-agent and correct any errors.