Security is always our top priority at AWS, so I had to learn some new development best practices in this area. One of my colleagues, Apache contributor @nknize, has been signing his commits with GPG. I decided to add my work e-mail address to my existing GPG key and set up git signing as well.
You can list keys with `gpg --list-secret-keys --keyid-format LONG` and note the key ID: it is the 16 hex characters after the slash on the `sec` line (subkeys are listed as `ssb`).
In my example the key ID is
Backing up Keys
I export and store a copy of my GPG keys in Dropbox and store the private key passphrase in 1Password. The latter is required to export or import a private key (gpg will prompt you).
Adding my Work E-Mail
I only have one identity, but multiple e-mails. I decided to add my work e-mail to my GPG key (YMMV) as explained here.
My key now has both my personal and work e-mail addresses.
I then exported the public key with `gpg -a --export 3AA5C34371567BD2` and added it to my GitHub account.
Signing Git Commits
I wanted to enable commit signing globally to avoid having to constantly append `-S` to `git commit`, and added the following settings to my dotfiles.
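The steps above (list the keys, back up the secret key, export the public key for GitHub, make git sign every commit) as one script. This is an added example, not code from the original post: the function names and the fallback path are this example's own, the key listing is a constructed sample, and the key ID is the one the post exports, not a real key.

```shell
#!/bin/sh
# Added example, not code from the original post: pick the long key ID out
# of the gpg listing, export the key for GitHub and for backup, and write the
# git settings that make every commit signed. Paths and function names are
# this example's own; the key ID is the one the post exports, not a real key.

# Constructed sample of `gpg --list-secret-keys --keyid-format LONG` output.
SAMPLE_KEY_LISTING='/home/me/.gnupg/pubring.kbx
-----------------------------
sec   rsa4096/3AA5C34371567BD2 2016-03-10 [SC]
      C3A5B4FF2A1C5B37E3F3C2F13AA5C34371567BD2
uid                 [ultimate] Example User <user@example.com>
uid                 [ultimate] Example User <user@work.example>
ssb   rsa4096/42B317FD4BA89E7A 2016-03-10 [E]
'

# Print the long ID of the first primary secret key ("sec" line) read from
# stdin: the hex after the slash. Subkeys (ssb) are skipped.
extract_key_id() {
  awk '$1 == "sec" { split($2, parts, "/"); print parts[2]; exit }'
}

# ASCII-armored public key, ready to paste into GitHub's GPG key settings.
export_public_key() {
  gpg --armor --export "$1"
}

# Secret key backup; gpg prompts for the passphrase. Store the file somewhere
# encrypted and keep the passphrase separate (the post uses 1Password).
backup_secret_key() {
  gpg --armor --export-secret-keys "$1" > "$2" && chmod 600 "$2"
}

# Write the signing settings to a git config file (default: ~/.gitconfig).
# `git config -f` makes the target file explicit; the keys are exactly what
# `git config --global` would set.
install_git_signing() {
  key_id="$1"
  cfg="${2:-$HOME/.gitconfig}"
  if command -v git >/dev/null 2>&1; then
    git config -f "$cfg" user.signingkey "$key_id"
    git config -f "$cfg" commit.gpgsign true   # sign every commit, no -S needed
    git config -f "$cfg" tag.gpgsign true      # sign annotated tags too
  else
    # No git on this host: append the same settings as a config fragment
    # (git merges repeated section headers, so this is safe to append).
    printf '[user]\n\tsigningkey = %s\n[commit]\n\tgpgsign = true\n[tag]\n\tgpgsign = true\n' \
      "$key_id" >> "$cfg"
  fi
}

# Usage on a real machine (the constructed listing stands in for the gpg call):
#   KEY_ID=$(gpg --list-secret-keys --keyid-format LONG | extract_key_id)
#   export_public_key "$KEY_ID"
#   install_git_signing "$KEY_ID"
KEY_ID=$(printf '%s' "$SAMPLE_KEY_LISTING" | extract_key_id)
echo "signing key: $KEY_ID"
```

The script never touches the real `~/.gitconfig` unless you call `install_git_signing` without a second argument, which makes it easy to try against a scratch file first.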
Checking it Out
Commit signatures appear in `git log --show-signature`, and `git verify-commit HEAD` checks a single commit, failing if the signature is bad or the key is not in your keyring.
GitHub shows a nice Verified badge next to signed commits, provided the committer e-mail matches an address on the key and a verified e-mail on your GitHub account.
Now, how do I get verified on Twitter?!
I find it annoying to have to re-enter the passphrase every few minutes. Put the following into `~/.gnupg/gpg-agent.conf` to set the cache timeout to a day's worth, then restart the agent with `gpgconf --kill gpg-agent`.
If you're having trouble with gpg, try `echo "test" | gpg --clearsign` to get a better error. If it complains that gpg-agent is not started, run `gpg-agent` and correct any errors.
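The agent timeout and the clearsign self-test above, as an added example that is not code from the original post. The conf path and function names are this example's own; `default-cache-ttl` and `max-cache-ttl` are gpg-agent's option names, and 86400 seconds is the one-day value the post describes. The updater replaces an existing line instead of appending a second one, so re-running it never leaves two conflicting TTL entries. Keep in mind that a day-long cache means anyone at your unlocked session can sign with the key without a passphrase prompt for that window, so pair it with a screen lock.

```shell
#!/bin/sh
# Added example, not code from the original post: set the gpg-agent cache
# to a day and give git signing a self-test. The conf path and function
# names are this example's own; the option names are gpg-agent's.

# Set "<option> <value>" in gpg-agent.conf idempotently: an existing line for
# the option is replaced, otherwise the line is appended, so re-running the
# script never leaves duplicate (and conflicting) entries.
set_agent_option() {
  conf="$1"; option="$2"; value="$3"
  mkdir -p "$(dirname "$conf")"
  touch "$conf"
  if grep -q "^$option[[:space:]]" "$conf"; then
    tmp="$conf.tmp.$$"
    sed "s/^$option[[:space:]].*/$option $value/" "$conf" > "$tmp" && mv "$tmp" "$conf"
  else
    printf '%s %s\n' "$option" "$value" >> "$conf"
  fi
}

# 86400 seconds = one day. default-cache-ttl counts from the last use of the
# cached passphrase; max-cache-ttl is the hard limit from when it was entered.
set_agent_cache_ttl() {
  conf="${1:-$HOME/.gnupg/gpg-agent.conf}"
  ttl="${2:-86400}"
  set_agent_option "$conf" default-cache-ttl "$ttl"
  set_agent_option "$conf" max-cache-ttl "$ttl"
}

# The agent only reads its conf at start; kill it and the next gpg call
# starts a fresh one with the new settings.
reload_agent() {
  gpgconf --kill gpg-agent
}

# Sign a throwaway message the way git would. A failure here prints gpg's
# real error instead of git's generic "failed to sign the data"; exporting
# GPG_TTY lets pinentry find the terminal when gpg is run under git.
check_signing() {
  GPG_TTY=$(tty) && export GPG_TTY
  echo "test" | gpg --clearsign > /dev/null
}

# Usage:
#   set_agent_cache_ttl && reload_agent && check_signing
```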