nautilus-cyberneering / secure-git-guide

A collection of articles about Git, GitHub and GPG focused on security.
https://secure-git.guide

New article 016: How to use Git objects to store GPG public keys #52

Open josecelano opened 2 years ago

josecelano commented 2 years ago

Discussed in https://github.com/Nautilus-Cyberneering/secure-git-guide/discussions/24

Originally posted by **josecelano** June 13, 2022

In the [Git Pro book](https://git-scm.com/book/en/v2/Distributed-Git-Maintaining-a-Project) they mention that you can use Git Objects to distribute your public GPG keys:

Chapter: https://git-scm.com/book/en/v2/Distributed-Git-Maintaining-a-Project
Section: Tagging Your Releases

### Content

_If you do sign your tags, you may have the problem of distributing the public PGP key used to sign your tags. The maintainer of the Git project has solved this issue by including their public key as a blob in the repository and then adding a tag that points directly to that content. To do this, you can figure out which key you want by running `gpg --list-keys`:_

```s
$ gpg --list-keys
/Users/schacon/.gnupg/pubring.gpg
---------------------------------
pub   1024D/F721C45A 2009-02-09 [expires: 2010-02-09]
uid                  Scott Chacon
sub   2048g/45D02282 2009-02-09 [expires: 2010-02-09]
```

_Then, you can directly import the key into the Git database by exporting it and piping that through `git hash-object`, which writes a new blob with those contents into Git and gives you back the SHA-1 of the blob:_

```s
$ gpg -a --export F721C45A | git hash-object -w --stdin
659ef797d181633c87ec71ac3f9ba29fe5775b92
```

_Now that you have the contents of your key in Git, you can create a tag that points directly to it by specifying the new SHA-1 value that the hash-object command gave you:_

```s
$ git tag -a maintainer-pgp-pub 659ef797d181633c87ec71ac3f9ba29fe5775b92
```

_If you run `git push --tags`, the maintainer-pgp-pub tag will be shared with everyone. If anyone wants to verify a tag, they can directly import your PGP key by pulling the blob directly out of the database and importing it into GPG:_

```s
$ git show maintainer-pgp-pub | gpg --import
```

_They can use that key to verify all your signed tags. Also, if you include instructions in the tag message, running `git show` will let you give the end user more specific instructions about tag verification._
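The commands quoted above produce three Git objects: a blob holding the armored key, an annotated tag whose `type` line says `blob` rather than `commit`, and a ref under `refs/tags/`. The script below is an added example, not code from the original issue, from the Pro Git book or from the secure-git-guide project. It reproduces `git hash-object -w` and `git tag -a <name> <blob-sha>` at the object level with the standard library only, writes real loose objects into a temporary directory, reads the tag back to confirm it points at the blob, and pulls the armor block out of a reconstruction of the `git show` output that gets piped into `gpg --import`. The armored key, tag message and tagger identity are constructed placeholders (the base64 body is filler, not a real OpenPGP key).

```python
"""Added example: an ASCII-armored OpenPGP public key stored as a Git blob with an
annotated tag pointing straight at the blob, built from Git's on-disk object
format. Standard library only; neither git nor gpg needs to be installed."""
import hashlib
import os
import tempfile
import zlib

# Constructed stand-in for the output of `gpg -a --export <keyid>`. Only the
# armor framing is realistic; the base64 body is filler, not a real key.
SAMPLE_ARMORED_KEY = (
    "-----BEGIN PGP PUBLIC KEY BLOCK-----\n"
    "\n"
    "mQENBFILLERNOTAREALKEYAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n"
    "=AAAA\n"
    "-----END PGP PUBLIC KEY BLOCK-----\n"
)
TAG_NAME = "maintainer-pgp-pub"
# Hypothetical tagger; the fixed timestamp keeps the tag object id deterministic.
TAGGER = "Example Maintainer <maintainer@example.invalid> 1655107200 +0000"
TAG_MESSAGE = ("Release-signing key. Check its fingerprint against the project "
               "site before trusting it.")


def git_object_id(obj_type: str, body: bytes) -> str:
    """SHA-1 Git assigns to an object: sha1(b"<type> <size>\\0" + body).
    With obj_type="blob" this is exactly what `git hash-object --stdin` prints."""
    return hashlib.sha1(f"{obj_type} {len(body)}\0".encode() + body).hexdigest()


def write_loose_object(git_dir: str, obj_type: str, body: bytes) -> str:
    """`git hash-object -w` equivalent: zlib-compressed header+body stored at
    objects/<2 hex>/<38 hex>. Content-addressed, so an existing file is kept."""
    oid = git_object_id(obj_type, body)
    path = os.path.join(git_dir, "objects", oid[:2], oid[2:])
    os.makedirs(os.path.dirname(path), exist_ok=True)
    if not os.path.exists(path):
        with open(path, "wb") as fh:
            fh.write(zlib.compress(f"{obj_type} {len(body)}\0".encode() + body))
    return oid


def read_loose_object(git_dir: str, oid: str):
    """Inverse of write_loose_object: returns (type, body) and checks the size."""
    with open(os.path.join(git_dir, "objects", oid[:2], oid[2:]), "rb") as fh:
        header, body = zlib.decompress(fh.read()).split(b"\0", 1)
    obj_type, size = header.decode().split(" ")
    if int(size) != len(body):
        raise ValueError(f"corrupt object {oid}: size mismatch")
    return obj_type, body


def build_tag_object(target_oid: str, target_type: str, name: str,
                     tagger: str, message: str) -> bytes:
    """Body of an annotated tag. `git tag -a <name> <blob-sha>` writes this same
    layout; the `type blob` line is what lets the tag bypass commits entirely."""
    head = f"object {target_oid}\ntype {target_type}\ntag {name}\ntagger {tagger}\n"
    return (head + "\n" + message.rstrip("\n") + "\n").encode()


def parse_tag_object(body: bytes) -> dict:
    """Split a tag object back into its header fields plus the message."""
    head, _, message = body.decode().partition("\n\n")
    fields = dict(line.split(" ", 1) for line in head.splitlines())
    fields["message"] = message
    return fields


def publish_key_as_tag(git_dir: str, armored_key: str) -> tuple:
    """The Pro Git procedure at object level: blob <- key, tag -> blob,
    refs/tags/<name> -> tag. Returns (blob_oid, tag_oid)."""
    blob_oid = write_loose_object(git_dir, "blob", armored_key.encode())
    tag_body = build_tag_object(blob_oid, "blob", TAG_NAME, TAGGER, TAG_MESSAGE)
    tag_oid = write_loose_object(git_dir, "tag", tag_body)
    ref_path = os.path.join(git_dir, "refs", "tags", TAG_NAME)
    os.makedirs(os.path.dirname(ref_path), exist_ok=True)
    with open(ref_path, "w") as fh:
        fh.write(tag_oid + "\n")
    return blob_oid, tag_oid


def extract_armored_block(show_output: str) -> str:
    """`git show <tag>` prints the tag header and message before the blob.
    gpg --import skips that preamble; doing the same here lets the key be
    inspected (e.g. fingerprinted) before anything is imported."""
    begin = "-----BEGIN PGP PUBLIC KEY BLOCK-----"
    end = "-----END PGP PUBLIC KEY BLOCK-----"
    start = show_output.index(begin)
    stop = show_output.index(end, start) + len(end)
    return show_output[start:stop] + "\n"


def demo() -> dict:
    """Publish the sample key into a throwaway object store, read the tag back
    and recover the key from a reconstruction of `git show` output."""
    git_dir = tempfile.mkdtemp(prefix="keytag-")
    blob_oid, tag_oid = publish_key_as_tag(git_dir, SAMPLE_ARMORED_KEY)
    tag_type, tag_body = read_loose_object(git_dir, tag_oid)
    tag = parse_tag_object(tag_body)
    _, blob_body = read_loose_object(git_dir, tag["object"])
    # Approximation of `git show maintainer-pgp-pub`: tag header, message, then the blob.
    show_output = (f"tag {tag['tag']}\nTagger: {tag['tagger']}\n\n{tag['message']}\n"
                   + blob_body.decode())
    return {"git_dir": git_dir, "blob_oid": blob_oid, "tag_oid": tag_oid,
            "tag_type": tag_type, "tag": tag,
            "recovered_key": extract_armored_block(show_output)}


if __name__ == "__main__":
    result = demo()
    print("blob", result["blob_oid"])
    print("tag ", result["tag_oid"], "->", result["tag"]["type"], result["tag"]["object"])
    print(result["recovered_key"], end="")
```

The objects land in a directory laid out like a bare repository, so with git installed you can run `git init --bare` in the printed temporary directory and then `git cat-file -p maintainer-pgp-pub` or `git fsck` to see Git accept them. The caveat a practitioner should keep in mind is that this distribution method only moves the trust question, it does not answer it: whoever can push to `refs/tags/` can replace the blob and the tag, and the key tag cannot meaningfully sign itself, so the fingerprint of the block recovered here still has to be compared with a copy obtained out of band (project website, keyserver, a previous trusted clone) before the key is used to verify release tags.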
da2ce7 commented 2 years ago

@josecelano This is a great use of the git object store. 👍