keybase / keybase-issues

A single repo for managing publicly recognized issues with the keybase client, installer, and website.

How to use with git for signing commits and tags? #2182

Open balupton opened 8 years ago

balupton commented 8 years ago

Github announced https://github.com/blog/2144-gpg-signature-verification today. Would be nice if there was a guide on the "help" section of the website for using keybase for such a thing.

From my understanding it works like so:

  1. Add your keybase public key to github
  2. Save your keybase private key to your computer somewhere, and add it to git via git config --global user.signingkey /Users/YOU/.keys/keybase where /Users/YOU/.keys/keybase is the private key location
  3. Use -S flag with git commits and tags
balupton commented 8 years ago

However, just doing the above on OSX produces:

$ git commit -S -am "the commit message"
error: cannot run gpg: No such file or directory
error: could not run gpg.
fatal: failed to write commit object
balupton commented 8 years ago

Related https://github.com/keybase/keybase-issues/issues/2181

balupton commented 8 years ago

https://yous.be/2014/07/17/using-keybase/ and https://github.com/blinkmobile/docs/wiki/Process:-Signed-Git-Tags have some instructions, however they have different gpg versions they tell you to install.

I've installed keybase via brew install keybase and it seems to be working fine.

zQueal commented 8 years ago

Not sure if #2181 is related at all. My key was generated by Keybase and I was able to successfully push this signed test commit. So I'm pretty sure that's bunked.

That aside; error: cannot run gpg: No such file or directory looks like git either can't find your gpg installation, or you simply don't have gpg installed.

If you're on Mac and don't already have gpg installed, install it via Brew;

brew install gnupg

then import your secret key to your keyring;

gpg --allow-secret-key-import --import private.asc

Ensure that an email address tied to one of your secret key's identities is validated on your Github account and try git commit -S again.

q commented 8 years ago

Just generated a key today and was never asked for a passphrase

$ keybase pgp gen
Enter your real name, which will be publicly visible in your new key: Doesnt Matter
Enter a public email address for your key: my@email.com
Enter another email address (or <enter> when done):
Push an encrypted copy of your new secret key to the Keybase.io server? [Y/n]
▶ INFO PGP User ID: Doesnt Matter <my@email.com> [primary]
▶ INFO Generating primary key (4096 bits)
▶ INFO Generating encryption subkey (4096 bits)
▶ INFO Generated new PGP key:
▶ INFO   user: Doesnt Matter <my@email.com>
▶ INFO   4096-bit RSA key, ID F53E3D3C3529184D, created 2016-04-06

After the fact, I had to:

$ brew install gnupg
$ keybase pgp export -s -o private.key
$ gpg --allow-secret-key-import --import private.key

I'm unclear as to why I was never asked to set a passphrase on the key, nor am I ever asked by git to enter a passphrase, even though the commits get successfully signed. Is this intended? Feels like I'm missing something.
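The export-and-import steps in the comment above can be wrapped so that git is pointed at the right key without hand-copying the key ID from the terminal. The script below is an added example, not code from this issue or from Keybase: it parses `gpg --with-colons --list-secret-keys` output (a constructed listing for the key shown above; the fingerprints are placeholders), pulls out the long key ID git wants in `user.signingkey`, and renders the matching `~/.gitconfig` fragment. Run with `--apply` it performs the real `keybase pgp export -s | gpg --import` and `git config --global` calls, which assume `keybase`, `gpg` and `git` are on PATH.

```shell
#!/bin/sh
# Added example (not from the issue thread or from Keybase). Assumes GnuPG 2.x
# colon-delimited listing output and a key already exported with
# `keybase pgp export -s`. SAMPLE_COLONS is constructed to match the key shown
# in the thread; the fingerprints are placeholders.

SAMPLE_COLONS='sec:u:4096:1:F53E3D3C3529184D:1459900800:::u:::scESC:::+:::23::0:
fpr:::::::::0123456789ABCDEF01234567F53E3D3C3529184D:
uid:u::::1459900800::0000000000000000000000000000000000000000::Doesnt Matter <my@email.com>::::::::::0:
ssb:u:4096:1:1111111111111111:1459900800::::::e:::+:::23:
fpr:::::::::FEDCBA9876543210FEDCBA981111111111111111:'

# Long (16 hex) key ID of the first secret primary key: field 5 of the "sec"
# record. This is the value git expects in user.signingkey.
signing_keyid() {
  awk -F: '$1 == "sec" { print $5; exit }'
}

# Fingerprint of that primary key: field 10 of the "fpr" record that follows "sec".
signing_fingerprint() {
  awk -F: '$1 == "sec" { want = 1; next } want && $1 == "fpr" { print $10; exit }'
}

# Render the ~/.gitconfig fragment that makes git sign every commit and tag
# with KEYID using GPGBIN. An absolute gpg path avoids "cannot run gpg" when
# the PATH git sees differs from the interactive shell's.
gitconfig_fragment() {
  keyid=$1
  gpgbin=${2:-gpg}
  printf '[user]\n\tsigningkey = %s\n[commit]\n\tgpgsign = true\n[tag]\n\tgpgsign = true\n[gpg]\n\tprogram = %s\n' \
    "$keyid" "$gpgbin"
}

if [ "${1:-}" = "--apply" ]; then
  # Real run: import the Keybase secret key, then point git at it.
  keybase pgp export -s | gpg --import
  keyid=$(gpg --with-colons --list-secret-keys | signing_keyid)
  git config --global user.signingkey "$keyid"
  git config --global commit.gpgsign true
  git config --global tag.gpgsign true
  git config --global gpg.program "$(command -v gpg)"
  echo "git will now sign with $keyid"
else
  # Offline demo on the constructed listing.
  keyid=$(printf '%s\n' "$SAMPLE_COLONS" | signing_keyid)
  fpr=$(printf '%s\n' "$SAMPLE_COLONS" | signing_fingerprint)
  echo "key id:      $keyid"
  echo "fingerprint: $fpr"
  gitconfig_fragment "$keyid" /usr/local/bin/gpg
fi
```

The `--allow-secret-key-import` flag used in the thread is documented by GnuPG 2 as an obsolete no-op, so a plain `gpg --import` of the exported secret key is equivalent. With `commit.gpgsign` set, the `-S` flag is no longer needed on each commit.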

zQueal commented 8 years ago

I'm unclear as to why I was never asked to set a passphrase on the key

Don't quote me, but I'm almost positive that your key passphrase is also your Keybase passphrase when it's generated this way.

balupton commented 8 years ago

@q thanks, following your instructions it seems to work

However, I do get this:

$ git log --show-signature
commit 9b522e58ee060672764c5530106f86521d022a9d
gpg: Good signature from "Benjamin Arthur Lupton <email>"
gpg:                 aka "Benjamin Arthur Lupton <email>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
FrenchBen commented 8 years ago

Getting a similar output after following a similar guide as @q posted before: https://github.com/pstadler/keybase-gpg-github

zQueal commented 8 years ago

Sorry for the late reply;

GPG is notifying you that the key coming from Ben Lupton isn't a trusted key. So if it's your key, you'll want to trust it via gpg. So for the case of Ben up there you would want to edit your key as follows;

$ gpg --edit-key 9FFC590EF9C17834

When prompted for a command, run trust on your own key and you'll be prompted as follows;

Please decide how far you trust this user to correctly
verify other users' keys (by looking at passports,
checking fingerprints from different sources...)?

  1 = I don't know or won't say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately
  m = back to the main menu

For your own key, you'll want to use option 5. Run save at the prompt again. Once your key is trusted you should no longer see that warning. You can manually edit any key in your keyring like this, but you should never set ultimate trust to any key but your own.

FrenchBen commented 8 years ago

Exactly what I needed, thank you - It may be worth having a similar github-readme with the above steps and the GPG trust part

zQueal commented 8 years ago

I'm glad that worked.

I think the issue is the disconnect between the Keybase keyring and the gpg keyring. In the Keybase keyring, your key is already set to ultimate trust. (presumably?) So there would have been no issues there if you could use Keybase to author Git commits. But since you had to export your key from Keybase, then re-import to gpg, the trust settings don't transfer. To be perfectly honest, this breaks functionality a little bit, especially when Git uses the gpg keyring and not the Keybase keyring.

NAME:
   keybase pgp export - Export a PGP key from keybase

USAGE:
   keybase pgp export [command options]

DESCRIPTION:
   "keybase pgp export" exports public (and optionally private) PGP keys
   from Keybase, and into a file or to standard output. It doesn't access
   the GnuGP keychain at all.

OPTIONS:
   -o, --outfile        Specify an outfile (stdout by default).
   -s, --secret         Export secret key.
   -q, --query          Only export keys matching that query.

should add;

OPTIONS:
   -o, --outfile        Specify an outfile (stdout by default).
   -s, --secret         Export secret key.
   -q, --query          Only export keys matching that query.
   -p, --preserve       Preserves key trust

then you could simply;

keybase pgp export -s -p | gpg --allow-secret-key-import --import --

and all would be well.
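The interactive `gpg --edit-key` / `trust` step described two comments up, and the trust-preserving export this comment asks for, can both be done without a prompt: GnuPG's `--import-ownertrust` reads `<fingerprint>:<level>:` records, the same format `--export-ownertrust` writes. The script below is an added example, not from this thread or from Keybase. It builds that record for your own fingerprint and then audits `git log --format='%H %G? %GK'` output so that a good-but-untrusted signature (status `U`, which is what produces the "not certified" warning shown earlier) is told apart from a good one (`G`). The `--apply` branch assumes `gpg` and `git` are on PATH and that `user.signingkey` holds the 16-hex long key ID, as `%GK` prints it; `SAMPLE_LOG` is constructed.

```shell
#!/bin/sh
# Added example (not from the issue thread or from Keybase). Assumes GnuPG's
# ownertrust record format ("<40-hex fingerprint>:<level>:") and git's
# %G? signature-status letters. SAMPLE_LOG is constructed; its first line
# mirrors the untrusted-key case from earlier in the thread.

# Ownertrust record for FPR at LEVEL. gpg stores 6 = ultimate, 5 = full,
# 4 = marginal, 3 = never, 2 = unknown; these differ from the 1-5 menu
# numbers shown by `gpg --edit-key` / trust. Default is ultimate, which is
# only appropriate for your own key.
ownertrust_record() {
  fpr=$1
  level=${2:-6}
  case "$fpr" in
    ""|*[!0-9A-Fa-f]*) echo "ownertrust_record: fingerprint must be hex" >&2; return 1 ;;
  esac
  [ "${#fpr}" -eq 40 ] || { echo "ownertrust_record: expected a 40-hex-digit fingerprint" >&2; return 1; }
  case "$level" in 2|3|4|5|6) ;; *) echo "ownertrust_record: level must be 2..6" >&2; return 1 ;; esac
  printf '%s:%s:\n' "$(printf '%s' "$fpr" | tr 'a-f' 'A-F')" "$level"
}

# Audit "git log --format='%H %G? %GK'" output: accept only commits whose
# signature is good AND made by a key gpg considers valid (status G) with key
# ID TRUSTED. Prints one line per rejected commit; exit status 1 if any.
audit_signatures() {
  trusted=$1
  awk -v trusted="$trusted" '
    BEGIN { bad = 0 }
    {
      sha = $1; status = $2; key = $3
      if (status == "G" && key == trusted) next
      if (status == "N")      reason = "unsigned"
      else if (status == "U") reason = "good signature, but key " key " has no trust (gpg --import-ownertrust)"
      else if (status == "B") reason = "BAD signature"
      else if (status == "E") reason = "cannot check signature (public key " key " not in keyring?)"
      else if (status == "X" || status == "Y" || status == "R") reason = "good signature from expired or revoked key " key
      else if (status == "G") reason = "signed with unexpected key " key
      else                    reason = "unknown status " status
      print sha ": " reason
      bad++
    }
    END { exit (bad > 0) }'
}

SAMPLE_LOG='9b522e58ee060672764c5530106f86521d022a9d U F53E3D3C3529184D
1111111111111111111111111111111111111111 G F53E3D3C3529184D
2222222222222222222222222222222222222222 N'

if [ "${1:-}" = "--apply" ]; then
  # Real run: mark your own exported key ultimately trusted, then audit the branch.
  fpr=$(gpg --with-colons --fingerprint --list-secret-keys | awk -F: '$1 == "fpr" { print $10; exit }')
  ownertrust_record "$fpr" 6 | gpg --import-ownertrust
  git log --format='%H %G? %GK' | audit_signatures "$(git config user.signingkey)"
else
  # Offline demo: the record for a placeholder fingerprint, then the audit.
  ownertrust_record 0123456789ABCDEF01234567F53E3D3C3529184D
  printf '%s\n' "$SAMPLE_LOG" | audit_signatures F53E3D3C3529184D || echo "audit: some commits rejected"
fi
```

Piping the record into `gpg --import-ownertrust` is the scripted equivalent of choosing option 5 and `save` in the menu above, and it is idempotent, so it can sit next to the import step in a setup script. The audit function is the check a CI job or pre-receive hook would run: status `G` alone is not enough, since a good signature from a key you never imported or trusted also reads as a failure.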

balupton commented 8 years ago

I think the issue is the disconnect between the Keybase keyring and the gpg keyring

@zQueal if the keybase keyring is API-compatible with the gpg keyring, the gpg.program git config option may make this whole process a lot easier - ref

balupton commented 8 years ago

Would be nice if this became an official documentation or support page listed on the website.

khatribharat commented 6 years ago

So keybase help keyring tells me that my GPG secret keys are encrypted using Keybase's "Local Key Security" (LKS) system.

If I export my GPG secret keys to GPG's keyring, am I not losing the benefits of LKS? Is there a way to make git use Keybase's LKS-protected keyring instead?

I understand this might need support from Keybase as LKS also uses a "server mask" (synced with Keybase remote server) to encrypt all keys in its keyring.