From: AJ ONeal Date: Sun, 14 Nov 2021 08:12:25 +0000 (+0000) Subject: feature: add git-gpg-init X-Git-Url: https://git.josue.xyz/?a=commitdiff_plain;h=3da9f3e1c5dfe814dcacb165db7bd164c1ea64ff;p=webi-installers%2F.git feature: add git-gpg-init --- diff --git a/git-gpg-init/README.md b/git-gpg-init/README.md new file mode 100644 index 0000000..20d5504 --- /dev/null +++ b/git-gpg-init/README.md @@ -0,0 +1,192 @@ +--- +title: git-gpg-init +homepage: https://webinstall.dev/git-gpg-init +tagline: | + Get your GnuPG Public Key. +--- + +## Cheat Sheet + +> Although the latest git release allows you to sign with SSH Keys (and GitHub +> will implement this shortly if it hasn't already), most systems do not have +> the latest git release, and most verification systems are not updated with the +> newest verification techniques, so you may wish to sign your commits with GPG, +> as has been done for the last 20 years... + +Here we'll cover + +- How to [add a GPG key to Github](https://github.com/settings/gpg/new) +- How to cache the passphrase longer +- How to [create a GPG key](./gpg-pubkey) +- How to configure git with GPG signing +- Troubleshooting 'gpg failed to sign the data' + +Usage: + +```bash +git-gpg-init +``` + +Example output: + +```txt +GnuPG Public Key ID: CA025BC42F00BBBE + +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQGNBGGQtKIBDAChxTT375fetQawLkyyDcz07uIEZVa9pvuip8goMqev7PkOIHi+ +j6PDtFmxgv8ZOFe8+1RfMC7eL5fYah0/OBxNm7pPvAPDWOX38FfUzoq9CALW2xPD +... +Yee+eokiC2mWIEkMwbqlnNmkX/wphS0zcCsEiHirmDxgY6YY9QRjlzUMY68OqjfJ +IFjFWv3R7eckM957wyR5BvdQNfGrW7cWefWhdZOzLEE7 +=GXEK +-----END PGP PUBLIC KEY BLOCK----- + +Successfully updated ~/.gitconfig for gpg commit signing + +How to verify signed commits on GitHub: + + 1. Go to 'Add GPG Key': https://github.com/settings/gpg/new + 2. Copy and paste the key above from the first ---- to the last ---- +``` + +### Files + +These are the files / directories that are created and/or modified with this +install: + +```txt +~/.config/envman/PATH.env +~/.local/bin/git-gpg-init +~/Downloads/YOU.KEY_ID.gpg.asc +``` + +### How to add your GPG Public Key to GitHub + +1. Go to your GitHub Profile () +2. Go to the SSH and GPG Keys () +3. Add GPG Key () +4. Paste the output of `gpg-pubkey` into the form + +### How to cache the Passphrase longer + +If you'd like the passphrase to be cached until your login session ends, just +set it to 400 days and call it good. + +`~/.gnupg/gpg-agent.conf`: + +```txt +default-cache-ttl 34560000 +max-cache-ttl 34560000 +``` + +You'll need to reload `gpg-agent` for this to take effect, or just logout and +login again. + +```bash +# kill gpg-agent dead +killall gpg-agent +gpgconf killall gpg-agent + +# start gpg-agent again (yes, 'bye' to start) +gpg-connect-agent --agent-program ~/.local/opt/gnupg/bin/gpg-agent /bye +``` + +Note: You may need to change or omit `--agent-program`, depending on how you +installed `gpg` (if you installed it with Webi, run it as shown above). + +### How to create a GPG Key + +See: + +- [gpg-pubkey](./gpg-pubkey) +- and [gpg](./gpg), if you want to do it "the hard way" + +### How to manually set up git commit gpg signing + +(this is what `git-gpg-init` does) + +Run [gpg-pubkey-id](./gpg-pubkey) to get your GnuPG Public Key ID and then +update your `~/.gitconfig` to sign with it by default: + +```bash +#!/bin/bash + +MY_KEY_ID="$( + gpg-pubkey-id +)" + +git config --global user.signingkey "${MY_KEY_ID}" +git config --global commit.gpgsign true +git config --global log.showSignature true +``` + +Or, for Windows users: + +```bash +#!/usr/bin/env pwsh + +$my_key_id = gpg-pubkey-id + +git config --global user.signingkey "$my_key_id" +git config --global commit.gpgsign true +git config --global log.showSignature true +``` + +Or, if you prefer to edit the text file directly: + +`~/.gitconfig` + +```txt +[user] + signingkey = CA025BC42F00BBBE +[commit] + gpgsign = true +[log] + showSignature = true +``` + +In some cases you may also want to prevent conflicts between different installed +versions of gpg, like so: + +```bash +git config --global gpg.program ~/.local/opt/gnupg/bin/gpg +``` + +```txt +[gpg] + program = /Users/me/.local/opt/gnupg/bin/gpg +``` + +### Troubleshooting 'gpg failed to sign the data' + +`gpg` is generally expected to be used with a Desktop client. On Linux servers +you may get this error: + +```txt +error: gpg failed to sign the data +fatal: failed to write commit object +``` + +Try to load the `gpg-agent`, set `GPG_TTY`, and then run a clearsign test. + +```bash +gpg-connect-agent /bye +export GPG_TTY=$(tty) +echo "test" | gpg --clearsign +``` + +If that works, update your `~/.bashrc`, `~/.zshrc`, and/or +`~/.config/fish/config.fish` to include the following: + +```bash +gpg-connect-agent /bye +export GPG_TTY=$(tty) +``` + +If this is failing on Mac or Windows, then `gpg-agent` is not starting as +expected on login (for Mac the above may work), and/or the `pinentry` command is +not in the PATH. + +If you just installed `gpg`, try closing and reopening your Terminal, or +possibly rebooting. diff --git a/git-gpg-init/git-gpg-init.sh b/git-gpg-init/git-gpg-init.sh new file mode 100644 index 0000000..3b38745 --- /dev/null +++ b/git-gpg-init/git-gpg-init.sh @@ -0,0 +1,36 @@ +#!/bin/bash +set -e +set -u + +export PATH="$HOME/.local/opt/gnupg/bin:$PATH" +export PATH="$HOME/.local/opt/gnupg/bin/pinentry-mac.app/Contents/MacOS:$PATH" + +# TODO check for public key without gpg-pubkey? +if ! command -v gpg-pubkey; then + webi gpg-pubkey +else + gpg-pubkey +fi + +MY_KEY_ID="$( + gpg-pubkey-id +)" + +echo -n "Enabling automatic git commit signing... + git config --global user.signingkey ${MY_KEY_ID} + git config --global commit.gpgsign true + git config --global log.showSignature true +" + +git config --global user.signingkey "${MY_KEY_ID}" +git config --global commit.gpgsign true +git config --global log.showSignature true + +echo "" +echo "Successfully updated ~/.gitconfig" +echo "" +echo "How to verify signed commits on GitHub:" +echo "" +echo " 1. Go to 'Add GPG Key': https://github.com/settings/gpg/new" +echo " 2. Copy and paste the key above from the first ---- to the last ----" +echo "" diff --git a/git-gpg-init/install.sh b/git-gpg-init/install.sh new file mode 100644 index 0000000..691954d --- /dev/null +++ b/git-gpg-init/install.sh @@ -0,0 +1,34 @@ +#!/bin/bash +set -e +set -u + +function __install_git_gpg_init() { + MY_CMD="git-gpg-init" + + rm -f "$HOME/.local/bin/$MY_CMD" + webi_download "$WEBI_HOST/packages/$MY_CMD/$MY_CMD.sh" "$HOME/.local/bin/$MY_CMD" + chmod a+x "$HOME/.local/bin/$MY_CMD" +} + +function __check_gpg_pubkey_exists() { + if ! command -v gpg; then + webi gpg-pubkey + export PATH="$HOME/.local/opt/gnupg/bin:$PATH" + export PATH="$HOME/.local/opt/gnupg/bin/pinentry-mac.app/Contents/MacOS:$PATH" + fi +} + +function __check_gpg_exists() { + if ! command -v gpg; then + webi gpg + export PATH="$HOME/.local/opt/gnupg/bin:$PATH" + export PATH="$HOME/.local/opt/gnupg/bin/pinentry-mac.app/Contents/MacOS:$PATH" + fi +} + +__install_git_gpg_init +__check_gpg_pubkey_exists +__check_gpg_exists + +# run the command +"$HOME/.local/bin/$MY_CMD"