Ask HN: Do you use a GPG key with GitHub?
I've never worked any place that has required use of gpg. Nobody has ever asked me about gpg and GitHub.
https://help.github.com/articles/generating-a-new-gpg-key/
https://help.github.com/articles/generating-a-new-gpg-key/
35 comments
[ 1.4 ms ] story [ 73.4 ms ] threadI've read both that it can help with security, and that it doesn't help at all, but for the 5 minutes it took to setup I figured it can't hurt and the green verified check box is nice to see visually!
Nobody asked me to do so, but all my setup (SSH auth, encryption, password manager, mail signatures) is build around GPG, so it was easy to add the signing in my git config.
I use a RSA8192 key as master key so it can last for a while. Then I have RSA4096 subkeys for signature, encryption and authentication. All subkeys are on my Yubikey configured with touch to operate. So when I am on a computer, I plug my Yubikey in there, and whenever I want to do a SSH login, a git commit signing, a password access (pass), a mail signing or anything else GPG related I have to touch my Yubikey.
The setup of such system is not so trivial, but once it is done it is working really well. My digital identity is build around my GPG keys, and they are stored safely in my Yubikey, and to operate them I have to be physically there and press it, so it can not be used remotely if my computer is compromised.
(Same questions apply for everyone in this thread saying "yes")
For most of my usages (SSH, password manager, personal encryption) there is no need of a WOT. For the git commits signature, I have put my public key on Github so there is the "Verified" label aside my commits, but I don't think anybody has used this information yet. And for the email signatures, it is useless without a WOT, it is the reason why I do not bother to sign them anymore.
As someone else said in this thread: «I just like that little bit of extra “yes, this was me” onion layer of security.»
How do you handle, if at all, ssh/gpg on a mobile device?
Is it possible to have both yubikey based cert authentication for SSH/GPG in addition to normal password based cert auth on the same server/user?
Does this work on MacOS as well as Linux?
I run Linux but adapting his guide to what I use was the clearest path I found. Do note that only some of the Yubikeys support GPG. The cheaper ones (that you might be getting for free) are OTP only. Git signing is pretty straightforward once you have it set up for GPG.
I have not attempted mobile at all.
PS I’d love to get some shoved into my hand. Paid $100 for my pair.
with GitHub, with GitLab, on macOS commandline and Tower clients, very easy to setup!
I find it adds some trust to commits for public repositories. It's not very useful, more like a nice to have.
It's important that any builds pushed out to production are from signed sources.
For repositories where I want to sign my commits, I configure each local checkout individually:
That in mind, I'll say I'm not using it.
After adding your public key to your github account, you can set git to sign your commits by default.
You can do that in ~/.gitconfig (or /<repo>/.git/config for specific repos).
Then when you commit, it will try to sign the commit. When you push the commit to github, it will automatically show up as "verified" in the commit history.https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work
https://help.github.com/articles/signing-commits/
Hahaha, that's also why I started using it :) Interesting how these kind of small badges work as incentives.
It's dead simple to setup, even on Windows.
(Note that merely signing the code with some key is not enough! You have to verify that that's the key of the person you think it is. Doing this properly is hard work.)
Why?
I just like that little bit of extra “yes, this was me” onion layer of security.
and https://github.com/naggie/dotfiles/blob/master/home/.functio... for various functions I use to get gpg-agent working remotely (and transparently with tmux) without locking anything up.
Thanks for asking this, I just finished setting it up.
For anyone reading this:
If:
1. you are on macOS,
2. you used brew to install GnuPG: brew install gnupg,
3. after generating your GPG key pair, these two commands fail...
...try adding this line to your bash profile:a quick guide if you need https://pedrorijo.com/blog/git-gpg/