GPG: Difference between revisions

GPG

gpg2 --keyserver https://pgp.mit.edu/ --search-keys <sender_name_or_address>

gpg --import <your-file>.gpg

gpg --receive-keys A9C5DF4D22E99998D9875A5110C01C5A2F6059E7

gpg --verify apache-tomcat-9.0.16-windows-x64.zip.asc

ref: [1]

Show Keys

List public keys:

gpg --list-public-keys
gpg --list-keys
gpg -k

List secret keys:

gpg --list-secret-keys
gpg -K

GitHub GPG

Generating a new GPG key - GitHub Docs
https://docs.github.com/en/authentication/managing-commit-signature-verification/generating-a-new-gpg-key

Generate GpG Key

gpg --full-generate-key

List Keys

gpg --list-secret-keys --keyid-format=long

Export Key

gpg --armor --export [long_key]

Sign Commit

Manually:

git commit -S -m "YOUR_COMMIT_MESSAGE"

Automatic for current local repository

git config commit.gpgsign true

Automatic for all repositories:

git config --global commit.gpgsign true

ref: [2]

Show Log Signatures

git log --show-signature

Example:

commit dceb035ce7a3de3dc49e62ce61061efd86XXXXXX (HEAD -> ci)
gpg: Signature made Fri 09 Jun 2023 05:12:54 PM PDT
gpg:                using RSA key 6827A8ADAF633B8B03286E15C4D210675xxxxxxx
gpg:                issuer "name@example.com"
gpg: Good signature from "Name <name@example.com>" [ultimate]
Author: Name <name@example.com>

Share Key

gpg --keyserver certserver.pgp.com --send-key blake@cyb.org

ref: [3]

Unknown Trust

ultimate vs unknown

You can edit your trust of a key:

gpg --edit-key user@useremail.com
edit
#  (trust level 1-5)
quit

gpg --edit-key user@useremail.com

gpg> trust

Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

  1 = I don't know or won't say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately
  m = back to the main menu

Your decision? 5

ref: [4]

keywords