Security is always our top priority at AWS, so I had to learn some new development best practices in this area. One of my colleagues, and Apache contributor @nknize has been signing his commits with GPG. I decided to add my work e-mail address to my existing GPG key, and setup git signing as well.
You can list keys with gpg --list-secret-keys --keyid-format LONG and note the key ID.
In my example the key ID is
Backing up Keys
I export and store a copy of my GPG keys in Dropbox and store the private key passphrase in 1Password. The latter is required to export or import a private key (gpg will prompt you).
Adding my Work E-Mail
I only have one identity, but multiple e-mails. I decided to add my work e-mail to my GPG key (YMMV) as explained here.
My key now has both my personal and work e-mail addresses.
I then exported the public key with gpg -a --export 3AA5C34371567BD2 and added it to my GitHub account.
Signing Git Commits
I wanted to enable commit signing globally, rather than passing a signing flag to every git commit, so I added the following settings to my dotfiles.
Checking it Out
Commit signatures appear in git log --show-signature.
And you can see a nice icon next to verified commits on GitHub!
Now, how do I get verified on Twitter?!
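Checking signatures one commit at a time with git log --show-signature does not scale to a whole branch or a pull request. The shell script below is an added example, not code from the original post: it uses git's %G? format placeholder to audit a revision range and fails when any commit is unsigned, badly signed, or signed with a key gpg cannot check. The function names and the accept/reject policy are my own choices.

```shell
#!/bin/sh
# Audit a revision range for missing or bad GPG commit signatures.
# git's %G? placeholder reports signature status per commit:
#   G = good, U = good but signing key has unknown trust,
#   X = good but expired signature, Y = good but expired key,
#   R = good but key revoked, B = bad signature,
#   E = cannot be checked (e.g. public key not imported), N = no signature.

# Reads "hash<TAB>status<TAB>subject" lines on stdin (the shape produced by
# audit_signatures below), prints one line per rejected commit, and returns
# 0 only when every commit is acceptable.
classify_signatures() {
    tab=$(printf '\t')
    rc=0
    while IFS="$tab" read -r hash status subject; do
        case "$status" in
            G|U)  ;;   # signed with a key we hold: accept
            X|Y)  printf '%s expired signature/key: %s\n' "$hash" "$subject"; rc=1 ;;
            R)    printf '%s revoked key: %s\n' "$hash" "$subject"; rc=1 ;;
            B)    printf '%s BAD signature: %s\n' "$hash" "$subject"; rc=1 ;;
            E)    printf '%s cannot verify (public key missing?): %s\n' "$hash" "$subject"; rc=1 ;;
            N)    printf '%s unsigned: %s\n' "$hash" "$subject"; rc=1 ;;
            *)    printf '%s unknown status %s: %s\n' "$hash" "$status" "$subject"; rc=1 ;;
        esac
    done
    return $rc
}

# Run the audit over a range, e.g. audit_signatures origin/main..HEAD
# (defaults to HEAD, i.e. the whole current history). Exit status is the
# verdict, so it can gate a CI job or a pre-push hook.
audit_signatures() {
    git log --format='%H%x09%G?%x09%s' "${1:-HEAD}" | classify_signatures
}

# Constructed sample log output (not from a real repository) showing the
# verdict on a mix of good, unsigned and badly signed commits.
demo() {
    printf 'aaaa\tG\tgood one\nbbbb\tN\tforgot -S\ncccc\tU\tunknown trust\ndddd\tB\ttampered\n' \
        | classify_signatures
}
```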
I find it annoying to have to re-enter the passphrase every few minutes. Put the following into ~/.gnupg/gpg-agent.conf to set the cache timeout to one day.
Then reload the agent with gpgconf --kill gpg-agent; it restarts on demand with the new settings.
Import the key on a new computer.
If you get the errors gpg: no valid OpenPGP data found. and gpg: Total number processed: 0, this is a very obtuse way for GPG to tell you that the contents of the file you're trying to import are invalid. In my case gpg --import ~/Dropbox/Personal/7C94E183.gpg was failing because the file had not been synced from Dropbox to my local drive.
If you're having trouble with gpg, try echo "test" | gpg --clearsign to get a better error. If it complains that gpg-agent is not started, run gpg-agent and correct any errors.