gpg
1. Create
1.1. Certificate/Master/Primary key [C]
When creating the cert key, we don't want it to expire, as we'll store it offline elsewhere.
gpg --quick-generate-key 'Hrishikesh Barman <hrishi@geekodour.org>' ed25519 cert never
set -l KEY_ID "8963 3907 AE52 C5B4 72A1 ABF3 CB46 502E A121 F97D" # certificate key FP
gpg --quick-add-uid $KEY_ID 'Hrishikesh Barman <oss@geekodour.org>'
gpg --quick-add-uid $KEY_ID 'Hrishikesh Barman <hi@geekodour.org>'
gpg --quick-add-uid $KEY_ID 'Hrishikesh Barman <gigs@geekodour.org>'
1.2. Sub keys [S], [E], [A]
gpg --quick-add-key $KEY_ID cv25519 encr # [E], ed25519 is a signing scheme not a curve
gpg --quick-add-key $KEY_ID ed25519 sign # [S]
2. List
gpg --list-keys
gpg --list-secret-keys
3. Export
3.1. Exporting certificate key for offline storage
gpg --export-secret-key $KEY_ID | paperkey --output-type raw | qrencode --8bit --output secret-key.qr.png
- Now make sure to print it and write the passphrase along with it. You can use zbarcam to restore it later. (You'll need the public key.)
3.2. Exporting public key
gpg --output primary_public.gpg --export $KEY_ID # binary
gpg --armor --output primary_public.asc --export $KEY_ID # ascii armored
4. Delete
gpg --delete-key $KEY_ID # public key
gpg --delete-secret-key $KEY_ID # private key
gpg --delete-secret-and-public-key $KEY_ID # both
5. Revocation
- You cannot delete a key from a keyserver, you can only revoke it. See this.
- The revocation certificate needs to be stored somewhere safe: anyone who gets hold of it can use it to make your key unusable.
gpg --output [fp]_revoke.rev --gen-revoke [fp] # generate revoke cert, also generated automatically at creation time
gpg --import [fp]_revoke.rev
gpg --keyserver <key_server_url> --send-keys [fp]
6. Restoring
zbarimg -1 --raw -q -Sbinary secret-key.qr.png | paperkey --pubring public-key.gpg | gpg --import
- Once imported, you might have to add it to the trustdb using gpg --edit-key. See this.
7. Extend
gpg --quick-set-expire [fp] <never/1y>
8. Extra security
8.1. Removing and Backing up cert key
- We will not keep the certificate key in our home directory; we will move it offline. The sub keys can stay there for now, until we get a hardware key.
- First step is to completely back up the ~/.gnupg directory to a local drive like a thumb drive.
- Once that's done we do
gpg --with-keygrip --list-key <key_ID>
- keygrip: SHA-1 hash of the public key parameters, expressed in a way that depends on the algorithm.
- Then
cd ~/.gnupg/private-keys-v1.d
and delete the cert key from there based on the keygrip.
- Then we also remove the revocation certificate for the [C] key, as we backed that up already.
- So our system is clean of [C] now.
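The keygrip step above is easy to get wrong by hand (three keygrips are listed, and only the one under the `pub` line is the [C] key). The following is an added example, not part of the original notes: it picks the primary key's keygrip out of the listing and moves (rather than deletes) the matching file out of private-keys-v1.d into a backup directory. The listing, keygrips and paths are constructed sample values.

```shell
#!/bin/sh
# Added example: isolate the certify ([C]) key's keygrip from
# `gpg --with-keygrip --list-key` output and move its private-key file
# out of the keystore. Sample data below is constructed, not real keys.

# Constructed listing in the shape gpg prints; only the "pub" block is [C].
SAMPLE_LISTING='pub   ed25519 2024-01-01 [C]
      0000000000000000000000000000000000000000
      Keygrip = AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
uid           [ultimate] Example User <user@example.org>
sub   cv25519 2024-01-01 [E]
      Keygrip = BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
sub   ed25519 2024-01-01 [S]
      Keygrip = CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC'

# Read a listing on stdin; print the keygrip belonging to the "pub" entry only,
# so the [E]/[S] subkeys (which stay on the machine) are never touched.
primary_keygrip() {
    awk '
        /^pub /                { in_pub = 1; next }
        /^(sub|ssb|uid) /      { in_pub = 0 }
        in_pub && /Keygrip = / { print $3; exit }
    '
}

# Move <keygrip>.key from the keystore dir ($2) into a backup dir ($3).
# Refuses anything that is not a 40-char hex keygrip and refuses to run
# if the file is missing, so a bad parse cannot remove the wrong key.
stash_primary_key() {
    grip=$1; keydir=$2; backup=$3
    case $grip in
        *[!0-9A-F]*|"") echo "bad keygrip: '$grip'" >&2; return 1 ;;
    esac
    [ ${#grip} -eq 40 ] || { echo "keygrip must be 40 hex chars" >&2; return 1; }
    [ -f "$keydir/$grip.key" ] || { echo "no $grip.key in $keydir" >&2; return 1; }
    mkdir -p "$backup" && mv "$keydir/$grip.key" "$backup/$grip.key"
}

# Usage on a real keyring (hypothetical paths; not run here):
#   grip=$(gpg --with-keygrip --list-key "$KEY_ID" | primary_keygrip)
#   stash_primary_key "$grip" ~/.gnupg/private-keys-v1.d /media/usb/gnupg-backup
```

After the move, `gpg --list-secret-keys` shows the primary as `sec#`, the marker that the secret part of the certify key is no longer on this machine.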
9. Signing git commits
- git records the hash of the previous commit in each next commit's metadata, so each commit's hash covers its whole ancestry, creating a cryptographic chain of records.
- So if you sign the HEAD commit, you're essentially vouching for the entire branch history.
- It is generally good practice to PGP-sign commits; e.g. without commit signing, Alice can fake a commit to pretend that it was actually authored by Bob.
9.1. Signed tags
- PGP-signed tags are just annotated tags (tag objects) whose tag content carries the PGP signature.
9.2. Signed commits
- Same as signed tags, except that the signing happens on the commit object.