A relatively unknown and underused feature of Git is the ability to cryptographically sign commits. It is an optional feature that provides a way for the author of a commit to prove ownership. It uses the author's GPG key to leave a signature in the commit that can be checked later. If you're a Keybase user, it's pretty easy to use your Keybase GPG key for signing your Git commits. Then, once your commits are signed, GitHub provides a nice interface for verifying that commits have been signed and by whom.

This tutorial walks you through the process I took to set up Git commit signing with my Keybase GPG key. I went from not having a GPG key installed locally through to seeing my commits marked as Verified on GitHub.

Why should we sign Git commits?

A few days ago, I was at NDC Security and saw a talk by Phil Haack where he spoofed a "malicious" commit to look like it was made by Troy Hunt (who was also speaking). It may sound difficult, but it's actually a very trivial process. Git will accept any name and email address as the commit author, and so will GitHub. So if you set the author on the commit to a valid email address, it will look like the owner of that address made the commit. This is due to the distributed nature of Git, which allows anyone to push anyone else's commits around. However, from a security point of view, it's a problem.

Unfortunately, there isn't a way to stop someone from spoofing a commit with your name and email. However, Git does support cryptographically signing commits using a GPG key. This allows GitHub to mark your commits as Verified when it can match your verified email to your GPG key. This won't stop someone trying to spoof your commits, but it will provide assurance of your real commits so they can be properly verified.

GitHub provides a settings page for setting your GPG key; however, if you upload your raw GPG key from Keybase, it will likely contain a Keybase user reference. This isn't a live email address and therefore GitHub will be unable to verify it. It also won't match the email address in your commits. As a result, we need to do a few more things to get everything working.

I tried looking through the Keybase options, but couldn't find any default way to modify the key and add email addresses. This seems like an oversight to me, but my understanding of this is limited, so there may be a good reason. Ultimately, I needed to export my key from Keybase into GPG so I could modify it directly. It turns out that Git needed it in there anyway, so it all works out nicely.

Updating the GPG key

Before you begin, I'm assuming you have Keybase installed and working via command line, and you have a GPG key already in your Keybase account.
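The following script is an added end-to-end example, not code from the original post. It walks the same path the post describes: a key whose only user ID is a Keybase-style reference gets a second user ID carrying the address used in your commits, git is pointed at that key with signing on by default, and `git verify-commit` is used as the check a reviewer runs. It assumes GnuPG 2.x (`gpg`, `gpgconf`) and `git` are on PATH. Instead of importing a real exported Keybase key it generates a throwaway key in an isolated GNUPGHOME; the key, the names and the e-mail addresses are constructed, and `--quick-add-uid` stands in for whatever edit you make on the exported key.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes GnuPG 2.x and git on PATH.
# Runs entirely inside a temporary directory with its own GNUPGHOME and HOME,
# so it never touches your real keyring or ~/.gitconfig. All identities are constructed.
set -eu

WORK="$(mktemp -d)"
export GNUPGHOME="$WORK/gnupg" HOME="$WORK" GIT_CONFIG_NOSYSTEM=1
mkdir -m 700 "$GNUPGHOME"
REPO="$WORK/repo"
# Stop the gpg-agent that signing starts and remove the scratch directory on exit.
trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$WORK"' EXIT

# The address that appears in the commits (and would be verified on the GitHub account).
COMMIT_EMAIL='dev@example.invalid'

# 1. Throwaway signing key whose only user ID is a Keybase-style reference (constructed).
#    In real use this is the key you imported from your Keybase export.
make_key() {
  cat > "$WORK/keyparams" <<'EOF'
%no-protection
Key-Type: eddsa
Key-Curve: ed25519
Key-Usage: sign
Name-Real: Example Dev
Name-Email: exampledev@keybase.invalid
Expire-Date: 0
%commit
EOF
  gpg --batch --quiet --gen-key "$WORK/keyparams" 2>/dev/null
  # Print the fingerprint: field 10 of the "fpr" record in machine-readable output.
  gpg --batch --with-colons --list-secret-keys | awk -F: '$1 == "fpr" { print $10; exit }'
}

# 2. Add the commit address as a second user ID so the key carries an e-mail GitHub can match.
add_email_uid() {           # $1 = fingerprint, $2 = email
  gpg --batch --quiet --quick-add-uid "$1" "Example Dev <$2>" 2>/dev/null
}

key_has_uid() {             # $1 = fingerprint, $2 = email; exit 0 if a uid carries the address
  gpg --batch --with-colons --list-keys "$1" | grep -q "^uid:.*<$2>"
}

# 3. Tell git which key to use and sign every commit by default.
init_repo() {               # $1 = fingerprint
  git init -q "$REPO"
  git -C "$REPO" config user.name 'Example Dev'
  git -C "$REPO" config user.email "$COMMIT_EMAIL"
  git -C "$REPO" config user.signingkey "$1"
  git -C "$REPO" config commit.gpgsign true
}

signed_commit() {           # prints the id of a commit made with signing on
  echo 'hello' > "$REPO/README"
  git -C "$REPO" add README
  git -C "$REPO" commit -q -m 'signed commit'
  git -C "$REPO" rev-parse HEAD
}

unsigned_commit() {         # prints the id of a commit made with signing off
  git -C "$REPO" -c commit.gpgsign=false commit -q --allow-empty -m 'unsigned commit'
  git -C "$REPO" rev-parse HEAD
}

# 4. The reviewer's check: exit 0 only for a good signature from a key in the keyring.
commit_is_signed() {        # $1 = commit id
  git -C "$REPO" verify-commit "$1" >/dev/null 2>&1
}

FPR="$(make_key)"
add_email_uid "$FPR" "$COMMIT_EMAIL"
init_repo "$FPR"
SIGNED="$(signed_commit)"
UNSIGNED="$(unsigned_commit)"

# Human-readable view of both commits, including the signature status git reports.
git -C "$REPO" log --show-signature -2 || true
echo "signed commit verifies:   $(commit_is_signed "$SIGNED" && echo yes || echo no)"
echo "unsigned commit verifies: $(commit_is_signed "$UNSIGNED" && echo yes || echo no)"
```

With a real key, replace `make_key` with an import of your exported Keybase secret key into your own keyring, run the remaining steps against that keyring, and upload `gpg --armor --export <fingerprint>` to GitHub. Two caveats worth keeping in mind: `commit_is_signed` only confirms that the signature is good and that the key is in your keyring, so whether that key really belongs to the author named in the commit is a separate trust decision (GitHub's e-mail matching, or your own check of the fingerprint); and the unsigned commit above is not rejected by git, it is merely unverifiable, which is exactly why the check has to be run by whoever reviews or merges.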