feature: add git-gpg-init
author: AJ ONeal <aj@therootcompany.com>
Sun, 14 Nov 2021 08:12:25 +0000 (08:12 +0000)
committer: AJ ONeal <aj@therootcompany.com>
Sun, 14 Nov 2021 08:18:32 +0000 (08:18 +0000)
git-gpg-init/README.md [new file with mode: 0644]
git-gpg-init/git-gpg-init.sh [new file with mode: 0644]
git-gpg-init/install.sh [new file with mode: 0644]

diff --git a/git-gpg-init/README.md b/git-gpg-init/README.md
new file mode 100644 (file)
index 0000000..20d5504
--- /dev/null
@@ -0,0 +1,192 @@
+---
+title: git-gpg-init
+homepage: https://webinstall.dev/git-gpg-init
+tagline: |
+  Get your GnuPG Public Key.
+---
+
+## Cheat Sheet
+
+> Although the latest git release allows you to sign with SSH Keys (and GitHub
+> will implement this shortly if it hasn't already), most systems do not have
+> the latest git release, and most verification systems are not updated with the
+> newest verification techniques, so you may wish to sign your commits with GPG,
+> as has been done for the last 20 years...
+
+Here we'll cover
+
+- How to [add a GPG key to Github](https://github.com/settings/gpg/new)
+- How to cache the passphrase longer
+- How to [create a GPG key](./gpg-pubkey)
+- How to configure git with GPG signing
+- Troubleshooting 'gpg failed to sign the data'
+
+Usage:
+
+```bash
+git-gpg-init
+```
+
+Example output:
+
+```txt
+GnuPG Public Key ID: CA025BC42F00BBBE
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQGNBGGQtKIBDAChxTT375fetQawLkyyDcz07uIEZVa9pvuip8goMqev7PkOIHi+
+j6PDtFmxgv8ZOFe8+1RfMC7eL5fYah0/OBxNm7pPvAPDWOX38FfUzoq9CALW2xPD
+...
+Yee+eokiC2mWIEkMwbqlnNmkX/wphS0zcCsEiHirmDxgY6YY9QRjlzUMY68OqjfJ
+IFjFWv3R7eckM957wyR5BvdQNfGrW7cWefWhdZOzLEE7
+=GXEK
+-----END PGP PUBLIC KEY BLOCK-----
+
+Successfully updated ~/.gitconfig for gpg commit signing
+
+How to verify signed commits on GitHub:
+
+    1. Go to 'Add GPG Key': https://github.com/settings/gpg/new
+    2. Copy and paste the key above from the first ---- to the last ----
+```
+
+### Files
+
+These are the files / directories that are created and/or modified with this
+install:
+
+```txt
+~/.config/envman/PATH.env
+~/.local/bin/git-gpg-init
+~/Downloads/YOU.KEY_ID.gpg.asc
+```
+
+### How to add your GPG Public Key to GitHub
+
+1. Go to your GitHub Profile (<https://github.com/settings/profile>)
+2. Go to the SSH and GPG Keys (<https://github.com/settings/keys>)
+3. Add GPG Key (<https://github.com/settings/gpg/new>)
+4. Paste the output of `gpg-pubkey` into the form
+
+### How to cache the Passphrase longer
+
+If you'd like the passphrase to be cached until your login session ends, just
+set it to 400 days and call it good.
+
+`~/.gnupg/gpg-agent.conf`:
+
+```txt
+default-cache-ttl 34560000
+max-cache-ttl 34560000
+```
+
+You'll need to reload `gpg-agent` for this to take effect, or just logout and
+login again.
+
+```bash
+# kill gpg-agent dead
+killall gpg-agent
+gpgconf killall gpg-agent
+
+# start gpg-agent again (yes, 'bye' to start)
+gpg-connect-agent --agent-program ~/.local/opt/gnupg/bin/gpg-agent /bye
+```
+
+Note: You may need to change or omit `--agent-program`, depending on how you
+installed `gpg` (if you installed it with Webi, run it as shown above).
+
+### How to create a GPG Key
+
+See:
+
+- [gpg-pubkey](./gpg-pubkey)
+- and [gpg](./gpg), if you want to do it "the hard way"
+
+### How to manually set up git commit gpg signing
+
+(this is what `git-gpg-init` does)
+
+Run [gpg-pubkey-id](./gpg-pubkey) to get your GnuPG Public Key ID and then
+update your `~/.gitconfig` to sign with it by default:
+
+```bash
+#!/bin/bash
+
+MY_KEY_ID="$(
+  gpg-pubkey-id
+)"
+
+git config --global user.signingkey "${MY_KEY_ID}"
+git config --global commit.gpgsign true
+git config --global log.showSignature true
+```
+
+Or, for Windows users:
+
+```bash
+#!/usr/bin/env pwsh
+
+$my_key_id = gpg-pubkey-id
+
+git config --global user.signingkey "$my_key_id"
+git config --global commit.gpgsign true
+git config --global log.showSignature true
+```
+
+Or, if you prefer to edit the text file directly:
+
+`~/.gitconfig`
+
+```txt
+[user]
+  signingkey = CA025BC42F00BBBE
+[commit]
+  gpgsign = true
+[log]
+  showSignature = true
+```
+
+In some cases you may also want to prevent conflicts between different installed
+versions of gpg, like so:
+
+```bash
+git config --global gpg.program ~/.local/opt/gnupg/bin/gpg
+```
+
+```txt
+[gpg]
+  program = /Users/me/.local/opt/gnupg/bin/gpg
+```
+
+### Troubleshooting 'gpg failed to sign the data'
+
+`gpg` is generally expected to be used with a Desktop client. On Linux servers
+you may get this error:
+
+```txt
+error: gpg failed to sign the data
+fatal: failed to write commit object
+```
+
+Try to load the `gpg-agent`, set `GPG_TTY`, and then run a clearsign test.
+
+```bash
+gpg-connect-agent /bye
+export GPG_TTY=$(tty)
+echo "test" | gpg --clearsign
+```
+
+If that works, update your `~/.bashrc`, `~/.zshrc`, and/or
+`~/.config/fish/config.fish` to include the following:
+
+```bash
+gpg-connect-agent /bye
+export GPG_TTY=$(tty)
+```
+
+If this is failing on Mac or Windows, then `gpg-agent` is not starting as
+expected on login (for Mac the above may work), and/or the `pinentry` command is
+not in the PATH.
+
+If you just installed `gpg`, try closing and reopening your Terminal, or
+possibly rebooting.
diff --git a/git-gpg-init/git-gpg-init.sh b/git-gpg-init/git-gpg-init.sh
new file mode 100644 (file)
index 0000000..3b38745
--- /dev/null
@@ -0,0 +1,36 @@
+#!/bin/bash
+set -e
+set -u
+
+export PATH="$HOME/.local/opt/gnupg/bin:$PATH"
+export PATH="$HOME/.local/opt/gnupg/bin/pinentry-mac.app/Contents/MacOS:$PATH"
+
+# TODO check for public key without gpg-pubkey?
+if ! command -v gpg-pubkey; then
+    webi gpg-pubkey
+else
+    gpg-pubkey
+fi
+
+MY_KEY_ID="$(
+    gpg-pubkey-id
+)"
+
+echo -n "Enabling automatic git commit signing...
+    git config --global user.signingkey ${MY_KEY_ID}
+    git config --global commit.gpgsign true
+    git config --global log.showSignature true
+"
+
+git config --global user.signingkey "${MY_KEY_ID}"
+git config --global commit.gpgsign true
+git config --global log.showSignature true
+
+echo ""
+echo "Successfully updated ~/.gitconfig"
+echo ""
+echo "How to verify signed commits on GitHub:"
+echo ""
+echo "    1. Go to 'Add GPG Key': https://github.com/settings/gpg/new"
+echo "    2. Copy and paste the key above from the first ---- to the last ----"
+echo ""
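Review bot: `MY_KEY_ID` is used unchecked: if `gpg-pubkey-id` exits 0 but prints nothing, the script writes `git config --global user.signingkey ""` together with `commit.gpgsign true`, and every subsequent `git commit` fails with the very `gpg failed to sign the data` error the README troubleshoots. Add a guard before the `git config` calls, e.g. `if [ -z "${MY_KEY_ID}" ]; then echo >&2 "no GPG key id found"; exit 1; fi`. Related: the `PATH` exports at the top add only the GnuPG directories, so when the `webi gpg-pubkey` branch is taken in a shell that does not already have `~/.local/bin` on its PATH, the following `gpg-pubkey-id` call is not found and `set -e` aborts right after the install; prepending `$HOME/.local/bin` next to the gnupg entries would cover that. Also, `command -v gpg-pubkey` in the `if` prints the resolved path to stdout and it lands in the user-facing output; redirect it with `>/dev/null 2>&1`.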
diff --git a/git-gpg-init/install.sh b/git-gpg-init/install.sh
new file mode 100644 (file)
index 0000000..691954d
--- /dev/null
@@ -0,0 +1,34 @@
+#!/bin/bash
+set -e
+set -u
+
+function __install_git_gpg_init() {
+    MY_CMD="git-gpg-init"
+
+    rm -f "$HOME/.local/bin/$MY_CMD"
+    webi_download "$WEBI_HOST/packages/$MY_CMD/$MY_CMD.sh" "$HOME/.local/bin/$MY_CMD"
+    chmod a+x "$HOME/.local/bin/$MY_CMD"
+}
+
+function __check_gpg_pubkey_exists() {
+    if ! command -v gpg; then
+        webi gpg-pubkey
+        export PATH="$HOME/.local/opt/gnupg/bin:$PATH"
+        export PATH="$HOME/.local/opt/gnupg/bin/pinentry-mac.app/Contents/MacOS:$PATH"
+    fi
+}
+
+function __check_gpg_exists() {
+    if ! command -v gpg; then
+        webi gpg
+        export PATH="$HOME/.local/opt/gnupg/bin:$PATH"
+        export PATH="$HOME/.local/opt/gnupg/bin/pinentry-mac.app/Contents/MacOS:$PATH"
+    fi
+}
+
+__install_git_gpg_init
+__check_gpg_pubkey_exists
+__check_gpg_exists
+
+# run the command
+"$HOME/.local/bin/$MY_CMD"
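Review bot: `__check_gpg_pubkey_exists` tests `command -v gpg` instead of `command -v gpg-pubkey`, so it is a copy of `__check_gpg_exists` in all but name: when `gpg` is already installed but `gpg-pubkey` is not, neither function installs `gpg-pubkey`, and the final `"$HOME/.local/bin/$MY_CMD"` run has to fall back to the `webi gpg-pubkey` branch inside the script instead of the installer doing it up front. Change the test to `if ! command -v gpg-pubkey >/dev/null 2>&1; then`. Also, `MY_CMD` is assigned inside `__install_git_gpg_init` without `local` and then read at the bottom of the file; that works only because bash variables are global by default, so define `MY_CMD` at top level to make the dependency explicit. Both `command -v` checks print the resolved path to stdout as well; redirect them to /dev/null.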