BlockchainCommons / Secure-Development-Setup-macOS

Documentation & scripts for setting up a secure developer tool environment for macOS Catalina, including git, GitHub, gpg & ssh

Getting GPG info from `gh` & GitHub #9

Open ChristopherA opened 3 years ago

ChristopherA commented 3 years ago

@namcios,

You might find these code snippets useful:

```bash
#!/bin/bash

if [[ $(command -v gh) == "" ]]; then
    printf "No \`gh\` Installed!\n"
    brew install gh
    printf "Installed \`gh\`.\n"
fi

if ! gh auth status --hostname "github.com" > /dev/null 2>&1; then
    printf "You are not logged into \`gh\`!\n"
    printf "Authenticate gh with GitHub using the Web and set ssh as default.\n"
    gh auth login
    printf "Logged into GitHub.\n"
fi

# Get the GitHub User Name from GitHub's `gh` cli config files
My_GitHub_User=$(grep 'user:' ~/.config/gh/hosts.yml | head -1 | cut -d: -f2 | tr -d ' "')

printf "My_GitHub_User:\t$My_GitHub_User\t✅\n"

## Setup gnupg

## install gnupg if it is not already installed
if [[ $(command -v gpg) == "" ]]; then
    printf "No GPG Installed!\n"
    printf "Installing gpg & pinentry-mac\n"
    brew install gpg2 pinentry-mac
fi

# Fetch the public key block GitHub publishes for the user (-f makes curl fail on a 404)
My_GPG_Key=$(curl -fsSL "https://github.com/$My_GitHub_User.gpg" 2>/dev/null)
if [ -z "$My_GPG_Key" ] ; then
    # script_exit (message, exit code) is assumed to be defined elsewhere in the project's script
    script_exit "ERROR: Unable to find a GPG key at https://github.com/$My_GitHub_User.gpg!\n" 1
else
    printf "My_GPG_Key:\tRETRIEVED\t✅\n"
fi

export GPG_KEY=$My_GPG_Key

## Get GPG Fingerprint from $My_GPG_Key
# For instance https://github.com/ChristopherA.gpg
# $My_GPG_Key_Fingerprint would equal "FDFE14A54ECB30FC5D2274EFF8D36C91357405ED"
# The armored block must be passed with its newlines intact (quoted); the first
# "fpr" record is the primary key's fingerprint, subkey fingerprints follow it.

My_GPG_Key_Fingerprint=$(printf '%s\n' "$My_GPG_Key" | gpg --with-colons --import-options show-only --import --fingerprint 2>/dev/null | awk -F: '$1 == "fpr" {print $10}' | head -1)

printf "My_GPG_Key_Fingerprint:\t$My_GPG_Key_Fingerprint\t✅\n"
```

namcios commented 3 years ago

Thanks @ChristopherA

namcios commented 3 years ago

@ChristopherA currently in the script the user has to upload their public key block to github before being able to sign commits. Is there a way to do that for them, in the script? Otherwise I'm not sure I understand why I would want to grab their GPG key from github in the script if it wouldn't be there yet?

ChristopherA commented 3 years ago

A few different thoughts here.

If they already have a GPG key, you don't want to create a new one. You can download the key to the .gnupg folder and ask the user for the private key file.

I do presume that there is some way to upload a new gpg key, as gh does upload the ssh key it creates for you. Fortunately, to do that the auth should be available from gh, as they have to have a token that is scoped to add that ssh public key.

You can also use this test at a different point in the process, which is to confirm that the GPG key is posted AND is the correct key. You will not get recognition that your posted commit is valid unless the commit is signed AND the email matches the email address in the public key.
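The two checks discussed in this thread, pulling the primary fingerprint out of the key GitHub publishes (the awk step in the script in the first comment) and confirming that the published key is the expected key AND carries the email address the commits are signed with, as an added example that is not part of this thread or of the repository's script. It works on `gpg --with-colons` output so it can be exercised offline on a constructed sample; the fingerprint, key IDs and email in the sample are hypothetical, not a real key.

```shell
#!/bin/sh
# Added example (not the project's code): check that the GPG key published on
# GitHub is the key this machine signs with and that git's user.email is one of
# its user IDs. Operates on `gpg --with-colons` output so it can be tested offline.

# Constructed sample of `gpg --with-colons --fingerprint` output for one key
# (hypothetical fingerprints, key IDs and email; not a real key).
SAMPLE_COLONS='pub:-:4096:1:AAAAAAAAAAAAAAAA:1600000000:::-:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1600000000::1111111111111111111111111111111111111111::Example Dev <dev@example.com>::::::::::0:
sub:-:4096:1:BBBBBBBBBBBBBBBB:1600000000::::::e::::::23:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:'

# primary_fingerprint COLONS -> the first "fpr" record (field 10); later fpr
# records belong to subkeys, which is why the script above uses `head -1`.
primary_fingerprint() {
    printf '%s\n' "$1" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# uid_emails COLONS -> one email per line, taken from the <...> part of each
# "uid" record (field 10 is "Name <email>").
uid_emails() {
    printf '%s\n' "$1" | awk -F: '$1 == "uid" {
        s = $10
        if (match(s, /<[^>]+>/)) print substr(s, RSTART + 1, RLENGTH - 2)
    }'
}

# key_matches COLONS EXPECTED_FPR EMAIL -> prints "ok" and returns 0 only if the
# published key's primary fingerprint equals EXPECTED_FPR and EMAIL is one of
# its user IDs; otherwise prints the reason and returns 1.
key_matches() {
    colons=$1; want_fpr=$2; email=$3
    got_fpr=$(primary_fingerprint "$colons")
    [ -n "$got_fpr" ] || { echo "no key found"; return 1; }
    [ "$got_fpr" = "$want_fpr" ] || { echo "fingerprint mismatch: $got_fpr"; return 1; }
    uid_emails "$colons" | grep -qxF "$email" || { echo "$email not in key UIDs"; return 1; }
    echo "ok"
}

# Stand-alone run against the constructed sample.
key_matches "$SAMPLE_COLONS" 0123456789ABCDEF0123456789ABCDEF01234567 dev@example.com
```

In real use, replace `SAMPLE_COLONS` with the output of `curl -fsSL "https://github.com/$My_GitHub_User.gpg" | gpg --with-colons --import-options show-only --import --fingerprint`, pass the fingerprint of the local signing key (the first `fpr` record of `gpg --with-colons --fingerprint <key id>`) as the expected fingerprint, and `git config user.email` as the email; a non-zero return then means signed commits will not show as verified even though signing itself succeeds.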

namcios commented 3 years ago

Got it. I presumed the script would mostly be for a fresh install and new keys. But those make sense and increase robustness. I'll work on it a bit today but mostly tomorrow. Will ping you if needed. Thanks