DEV Community

Sebastian Korotkiewicz

My GPG setup for developing and more

Generating a new GPG key

If you don't have your own GPG key yet, it's time to generate one. You can find a great guide on the GitHub website.

Enter a valid email address!

$ gpg --full-generate-key

Telling Git about your GPG key

Git supports signing your commits with GPG. Since we already have our generated key, we can add it to our Git client so that every new commit is signed with it.

We must first check our GPG key ID; in our case, our key has the ID EC9494C3BEC89171:

$ gpg --list-secret-keys --keyid-format LONG
sec   rsa4096/EC9494C3BEC89171 2020-07-18 [SC]
uid                 [ultimate] Gnu Exampler (My GPG Key) <example@example.com>
ssb   rsa4096/98E78B644E6D2336 2020-07-18 [E]

Now we can add our GPG key ID to Git.

$ git config --global user.signingkey EC9494C3BEC89171

From that moment on, each of our new commits will be signed with our GPG key.
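As an added example (not code from the post), here is a small POSIX shell script that pulls the long key ID out of the listing above, derives the same ID from a fingerprint, applies the Git settings, and optionally proves the whole chain end to end in throwaway directories. It assumes gpg 2.1 or newer and git on PATH; the listing embedded in it is constructed from the post's sample output. One caveat worth knowing: user.signingkey only selects the key, so the script also sets commit.gpgsign, without which commits are signed only when you pass -S.

```shell
#!/bin/sh
# Added example, not code from the original post. It derives the long key ID
# that Git needs from a `gpg --list-secret-keys --keyid-format LONG` listing,
# configures Git signing, and (optionally) proves the setup end to end in
# throwaway directories. The listing below is constructed sample text that
# mirrors the post's output; its key IDs are the post's example values.

SAMPLE_LISTING='sec   rsa4096/EC9494C3BEC89171 2020-07-18 [SC]
uid                 [ultimate] Gnu Exampler (My GPG Key) <example@example.com>
ssb   rsa4096/98E78B644E6D2336 2020-07-18 [E]'

# extract_keyid LISTING: print the long key ID of the first secret primary key
# ("sec", or "sec#"/"sec>" for offline/smartcard keys). Subkey lines ("ssb")
# are skipped on purpose: the [E] subkey is encryption-only and cannot sign.
extract_keyid() {
    printf '%s\n' "$1" |
        awk '$1 ~ /^sec/ { split($2, f, "/"); print f[2]; exit }'
}

# long_keyid_from_fpr FINGERPRINT: the long key ID is simply the last 16 hex
# digits of the 40-digit fingerprint, with or without the spaces gpg prints.
long_keyid_from_fpr() {
    printf '%s\n' "$1" | tr -d ' ' | awk '{ print substr($0, length($0) - 15) }'
}

# configure_git_signing KEYID [--global]: select the key and make signing the
# default. user.signingkey alone only chooses the key; commit.gpgsign=true is
# what makes every `git commit` sign (otherwise pass -S on each commit).
configure_git_signing() {
    git config ${2:-} user.signingkey "$1" &&
    git config ${2:-} commit.gpgsign true &&
    git config ${2:-} tag.gpgSign true
}

# demo_signed_commit: end-to-end check that never touches your real keyring
# or global Git config. Runs in a subshell with a private GNUPGHOME and a
# scratch repo; creates a passphrase-less test key, makes one commit (signed
# automatically thanks to commit.gpgsign) and asks Git to verify it.
demo_signed_commit() (
    set -e
    tmp=$(mktemp -d)
    export GNUPGHOME="$tmp/gnupg"
    mkdir -m 700 "$GNUPGHOME"
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Demo Signer <demo@example.invalid>' default sign never
    fpr=$(gpg --batch --with-colons --list-secret-keys |
          awk -F: '$1 == "fpr" { print $10; exit }')
    keyid=$(long_keyid_from_fpr "$fpr")

    git init -q "$tmp/repo" && cd "$tmp/repo"
    git config user.name 'Demo Signer'
    git config user.email 'demo@example.invalid'
    configure_git_signing "$keyid"          # repo-local: no --global
    echo 'signed commit demo' > README && git add README
    git commit -q -m 'Signed commit'        # no -S needed
    git verify-commit HEAD                  # non-zero exit if unsigned/invalid
    git log --show-signature -1 | head -n 6
    cd / && rm -rf "$tmp"
)

KEYID=$(extract_keyid "$SAMPLE_LISTING")
echo "user.signingkey value: $KEYID"        # EC9494C3BEC89171
if [ "${1:-}" = "--demo" ]; then
    demo_signed_commit
fi
```

Run it as `sh gpg-git.sh` to see the parsed key ID, or `sh gpg-git.sh --demo` to generate a test key in a temporary GNUPGHOME, make a signed commit in a scratch repository and have Git verify it. When applying the settings to your own configuration, call `configure_git_signing EC9494C3BEC89171 --global`.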

Adding a new GPG key to your GitHub/GitLab/Gitea account

GitHub, GitLab and Gitea support displaying signed commits; just add your PUBLIC GPG key to the service you use.

To display your public key:

$ gpg --export -a "EC9494C3BEC89171"

-----BEGIN PGP PUBLIC KEY BLOCK-----

mQINBFR7CqsBEAC8PymJ5IrL3ZFgPtFXdrzwVa1fsKQ51/vaxQbPdamIyIzxRGH8
...
-----END PGP PUBLIC KEY BLOCK-----

To add a public GPG key on GitHub, GitLab or Gitea, open your account settings and click the SSH and GPG keys tab.

Your Git is ready to use GPG!

More...

But that's not all: you can do even more with GPG, e.g. encrypt mail or XMPP messages, or sign your own posts, for example on a blog.

  • I use the Thunderbird mail client with the free Enigmail plugin to encrypt/decrypt emails.
  • For chat I use the Psi+ client to encrypt messages on XMPP, but almost every XMPP client already has GPG support (such as Dino and Gajim).

Here you can see more interesting programs that support GPG encryption: Software.

Confirmation of identity

We live in an era where we have many accounts and anyone can impersonate us, but with GPG this problem can also be solved.
For example, Keyoxide can help: there you can easily create a trusted profile and confirm that your accounts belong to you.

Nobody without your private key is able to add anything to your public key.

First, we need to get to know our GPG fingerprint:

$ gpg -k "EC9494C3BEC89171"
pub   rsa4096 2020-07-18 [SC]
      367EE902C81248482C3214DFEC9494C3BEC89171
sec                 [ultimate] 2020-07-18 [SC]
uid                 [ultimate] Gnu Exampler (My GPG Key) <example@example.com>
ssb                 [ultimate] 2020-07-18 [E]

In our case, it's 367EE902C81248482C3214DFEC9494C3BEC89171.

Let's go step by step. Say we have a Twitter account and want to confirm that this account belongs to us.

To do this, go to the Keyoxide Twitter guide page, which explains how to confirm your Twitter account, and follow it step by step! :)

1) Post a Twitter proof message

2) Log in to twitter.com and compose a new tweet with the following text (make sure to replace FINGERPRINT):

This is an OpenPGP proof that connects my OpenPGP key to this Twitter account. For details check out https://keyoxide.org/guides/openpgp-proofs

[Verifying my OpenPGP key: openpgp4fpr:FINGERPRINT]

3) After posting, copy the link to the tweet.

4) First, edit the key (make sure to replace FINGERPRINT):

$ gpg --edit-key FINGERPRINT

5) Add a new notation:

notation

6) Enter the notation (make sure to update with the link to the tweet copied above):

proof@metacode.biz=https://twitter.com/USERNAME/status/1234567891234567891

7) Save the key:

save

8) Upload the key to the server (make sure to replace FINGERPRINT):

$ gpg --keyserver hkps://keys.openpgp.org --send-keys FINGERPRINT

And you're done! Go to your profile page, https://keyoxide.org/FINGERPRINT, and it should now show a verified Twitter account.

Remember: to use Keyoxide, you must first send your GPG public key to the key server (keys.openpgp.org) and verify the email!
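As an added example (not the post's code, nor Keyoxide's), the script below shows what a verifier sees before trusting a profile: it pulls the fingerprint and every proof@metacode.biz notation out of a `gpg --list-options show-notations -k` listing, classifies each proof URL by the shape Keyoxide expects, and prints the exact openpgp4fpr string that must appear at that URL. The listing inside is constructed sample text approximating gpg's human-readable output with the post's example key and placeholder tweet URL; the actual fetch of the URL is left out so the script runs offline.

```shell
#!/bin/sh
# Added example, not code from the original post or from Keyoxide. Shows what
# a verifier sees before trusting a profile: the proof@metacode.biz notations
# Keyoxide reads from the key's self-signature, and the openpgp4fpr string it
# must then find at each URL. SAMPLE is constructed text approximating
#   gpg --list-options show-notations -k FINGERPRINT
# with the post's example fingerprint and its placeholder tweet URL.

SAMPLE='pub   rsa4096 2020-07-18 [SC]
      367EE902C81248482C3214DFEC9494C3BEC89171
uid           [ultimate] Gnu Exampler (My GPG Key) <example@example.com>
      Signature notation: proof@metacode.biz=https://twitter.com/USERNAME/status/1234567891234567891
      Signature notation: preferred-email-encoding@pgp.com=pgpmime
sub   rsa4096 2020-07-18 [E]'

# key_fingerprint LISTING: the 40-hex-digit line printed under "pub".
key_fingerprint() {
    printf '%s\n' "$1" | awk '
        prev ~ /^pub/ && length($1) == 40 && $1 ~ /^[0-9A-Fa-f]+$/ { print $1; exit }
        { prev = $0 }'
}

# list_proofs LISTING: one claimed proof URL per line. Only the Keyoxide
# notation name counts; unrelated notations (like preferred-email-encoding)
# are ignored, so a key with no proofs yields empty output.
list_proofs() {
    printf '%s\n' "$1" | awk '
        /Signature notation: proof@metacode\.biz=/ { sub(/.*proof@metacode\.biz=/, ""); print }'
}

# proof_kind URL: classify a proof URL by the shape Keyoxide expects for the
# service (only Twitter, the service covered in the post). Anything else is
# reported as unsupported rather than silently treated as a proof.
proof_kind() {
    case $1 in
        https://twitter.com/*/status/[0-9]*) echo twitter ;;
        *) echo unsupported ;;
    esac
}

# expected_proof_text FINGERPRINT: the exact line from the post that the
# fetched page must contain for the proof to verify.
expected_proof_text() {
    printf '[Verifying my OpenPGP key: openpgp4fpr:%s]\n' "$1"
}

FPR=$(key_fingerprint "$SAMPLE")
echo "Fingerprint: $FPR"
echo "Claimed proofs (check these before trusting https://keyoxide.org/$FPR):"
list_proofs "$SAMPLE" | while read -r url; do
    echo "  [$(proof_kind "$url")] $url"
    echo "      page must contain: $(expected_proof_text "$FPR")"
done
```

To run it against your own key, replace SAMPLE with the output of `gpg --list-options show-notations -k FINGERPRINT`; a proof whose URL comes out as "unsupported", or whose page does not contain the printed openpgp4fpr line, is exactly what Keyoxide will refuse to mark as verified.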

Here is my trusted profile on Keyoxide.org

Top comments (2)

JUIC#801

For as much as I deal with gpg, one would think I wouldn't have to look up how to use it every SINGLE time I use it. I can never remember how to properly use the right commands.

I have never heard of keyoxide.com. Sounds kinda similar to keybase.io. I'm curious to check it out when I'm not on mobile.

Fantastic article by the way!

Allan Puks

Just a heads up: from Thunderbird version 78, Enigmail will be discontinued in favour of built-in GPG support.