Fix gpg-key.md

Jeremy 2022-07-31 09:13:14 +12:00 committed by Gitea
parent fecb990686
commit d5ef600ae9

@ -7,34 +7,37 @@ eleventyNavigation:
--- ---
## What is a GPG keypair? ## What is a GPG keypair?
GPG is an open-source cryptographic software application that implements the [Open PGP](https://en.wikipedia.org/wiki/Pretty_Good_Privacy#OpenPGP) standard. With a GPG keypair, you can sign or encrypt a given text. Git allows you to sign your commits, so other collaborators can be assured it was you who created them.
GPG is an open-source cryptographic software application that implements the [OpenPGP](https://en.wikipedia.org/wiki/Pretty_Good_Privacy#OpenPGP) standard. With a GPG keypair, you can sign or encrypt text. Git allows you to sign your commits, so other collaborators can be assured it was you who created them.
## Checking for an Existing GPG keypair ## Checking for an Existing GPG keypair
If you have your public key in an easy-to-find location, great! You can skip to [adding it to your account](#adding-your-public-gpg-key-to-codeberg). If not, we will be using the [GnuPG software](https://gnupg.org/download/index.html#binary) to check. If you have your public key in an easy-to-find location, great! You can skip to [adding it to your account](#adding-your-public-gpg-key-to-codeberg). If not, we will be using the [GnuPG software](https://gnupg.org/download/index.html#binary) to check.
1. Download and install [GnuPG](https://gnupg.org/download/index.html#binary). 1. Download and install [GnuPG](https://gnupg.org/download/index.html#binary).
> If you are using a Linux distro, this might already be installed. Check by typing `gpg --version` in the terminal. > If you are using a Linux distro, this might already be installed. Check by typing `gpg --version` in the terminal.
2. Type `gpg --list-secret-keys --keyid-format LONG` into your terminal and it will list all the keys that you have both a public and a private key for. 2. Type `gpg --list-secret-keys --keyid-format LONG` into your terminal, and it will list all the keys that you have both a public and a private key for.
3. Look through the output for a key you want. Continue to [Generating a GPG key](#generating-a-gpg-keypair) if there are none or none that you want to use. If you wish to use one, go to [adding your GPG key to Codeberg](#adding-your-public-gpg-key-to-codeberg). 3. Look through the output for a key you want. Continue to [Generating a GPG key](#generating-a-gpg-keypair) if there are none or none that you want to use. If you wish to use one, go to [adding your GPG key to Codeberg](#adding-your-public-gpg-key-to-codeberg).
> **IMPORTANT** > **IMPORTANT**
> Be sure that your selected key uses the same email as your Codeberg account. > Be sure that your selected key uses the same email as your Codeberg account.
## Generating a GPG keypair ## Generating a GPG keypair
If you havent already, be sure to [install](https://gnupg.org/download/index.html#binary) GnuPG, as you will be using it to generate your keys. If you havent already, be sure to [install](https://gnupg.org/download/index.html#binary) GnuPG, as you will be using it to generate your keys.
1. Type `gpg --full-generate-key` into your terminal 1. Type `gpg --full-generate-key` into your terminal.
2. Type `1` and press enter to select `RSA and RSA` 2. Type `1` and press Enter to select `RSA and RSA`.
3. Enter your desired key size, we recommend 4096 bits, press enter to confirm 3. Enter your desired key size; we recommend 4096 bits. Press Enter to confirm.
4. Choose the amount of time you want it to be valid for, we recommend 1-2 years for increased security, however you can type 0 for it to never expire. Press enter to confirm. 4. Choose the amount of time you want it to be valid for; we recommend 1-2 years for increased security, however you can type 0 for it to never expire. Press Enter to confirm.
5. Verify your selections are correct, type `y` and press enter to confirm 5. Verify your selections are correct, then type `y` and press Enter to confirm.
6. Enter your information, be sure to use the same email as your Codeberg account 6. Enter your information; be sure to use the same email as your Codeberg account.
7. Type in a passphrase, make sure you write it down somewhere safe. You'll need it later to add your key to Git or revoke it if it is compromised 7. Type in a passphrase; make sure you write it down somewhere safe. You'll need it later to add your key to Git or revoke it if it is compromised.
## Adding your public GPG key to Codeberg ## Adding your public GPG key to Codeberg
1. Type `gpg --list-secret-keys --keyid-format LONG` into the terminal 1. Type `gpg --list-secret-keys --keyid-format LONG` into the terminal.
2. Select the key you would like to use (the one you just generated). In this example, the GPG key ID is `3AA5C34371567BD2`: 2. Select the key you would like to use (most likely the one you just generated). In this example, the GPG key ID is `3AA5C34371567BD2`:
```shell ```shell
$ gpg --list-secret-keys --keyid-format LONG $ gpg --list-secret-keys --keyid-format LONG
/home/knut/.gnupg/pubring.kbx /home/knut/.gnupg/pubring.kbx
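Review bot: The intro line under "Generating a GPG keypair" still reads "If you havent already" on both sides of the diff; since this change is a punctuation pass over that section, correct it to "haven't" here as well. Step 4 of the same list keeps a comma splice in the new text ("for increased security, however you can type 0"); "for increased security; however, you can type 0" would match the semicolon style applied to the neighbouring steps.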
@ -44,22 +47,24 @@ sec rsa4096/3AA5C34371567BD2 2021-06-06 [SC] [expires: 2022-06-06]
uid [ultimate] knut <knut@codeberg.org> uid [ultimate] knut <knut@codeberg.org>
ssb rsa4096/42B317FD4BA89E7A 2021-06-06 [E] [expires: 2022-06-06] ssb rsa4096/42B317FD4BA89E7A 2021-06-06 [E] [expires: 2022-06-06]
``` ```
3. Type `gpg --armor --export <GPG KEY ID>` into the terminal, this will output your public key. 3. Type `gpg --armor --export <GPG KEY ID>` into the terminal. This will output your public key.
4. Copy the output including the `-----BEGIN PGP PUBLIC KEY BLOCK-----` and `-----END PGP PUBLIC KEY BLOCK-----` 4. Copy the output beginning with `-----BEGIN PGP PUBLIC KEY BLOCK-----` and ending with`-----END PGP PUBLIC KEY BLOCK-----`.
5. Go to the [SSH/GPG Keys tab](https://codeberg.org/user/settings/keys) in your Codeberg settings. 5. Go to the [SSH/GPG Keys tab](https://codeberg.org/user/settings/keys) in your Codeberg settings.
6. Click __Add Key__ in the __Manage GPG Keys__ section, paste in your public key and click the __Add Key__ button. 6. Click __Add Key__ in the __Manage GPG Keys__ section, then paste in your public key and click the __Add Key__ button.
## Verifying your public GPG key ## Verifying your public GPG key
Anyone can add a random public key; fortunately, Codeberg provides a mechanism to verify that the key belongs to you.
Anyone can add a random public key; but fortunately, Codeberg provides a mechanism to verify that the key belongs to you.
Every keypair consists of a public and a private key that are connected to one another. Using this private key, you can sign the provided message. If the signed message is valid, Codeberg can confirm that the added key is yours. Every keypair consists of a public and a private key that are connected to one another. Using this private key, you can sign the provided message. If the signed message is valid, Codeberg can confirm that the added key is yours.
1. Go to the [SSH/GPG Keys tab](https://codeberg.org/user/settings/keys) in your Codeberg settings. 1. Go to the [SSH/GPG Keys tab](https://codeberg.org/user/settings/keys) in your Codeberg settings.
2. Click on the __Verify__ button by the GPG key you would like to verify. 2. Click on the __Verify__ button by the GPG key you would like to verify.
3. Codeberg will show a token, under the textbox you can copy the correct command and paste it into your terminal. 3. Codeberg will show a token. Under its text box you can copy the correct command, and paste it into your terminal.
4. Copy the output including the `-----BEGIN PGP SIGNATURE-----` and `-----END PGP SIGNATURE-----`. 4. Copy the output including the `-----BEGIN PGP SIGNATURE-----` and `-----END PGP SIGNATURE-----`.
5. Paste it into the large textbox and click the __Verify__ button. 5. Paste it into the large text box and click the __Verify__ button.
## Telling Git about your GPG key ## Telling Git about your GPG key
You will need to tell Git about your key and have it sign new commits for you. You will need to tell Git about your key and have it sign new commits for you.
1. Open your terminal 1. Open your terminal
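Review bot: Step 4 of "Adding your public GPG key to Codeberg" now reads "ending with`-----END PGP PUBLIC KEY BLOCK-----`" with no space before the backtick, so "with" runs straight into the code span when rendered; add the space. Step 4 under "Verifying your public GPG key" still uses the old "including the ... and ..." wording, and "1. Open your terminal" under "Telling Git about your GPG key" has no closing period, unlike the steps this change punctuates; aligning both would keep the lists consistent.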