
Setup Keybase.io, GPG and Git to sign commits on GitHub - phedoreanu
https://github.com/pstadler/keybase-gpg-github
======
matt4077
Note that you don't need keybase.io to sign your commits:
[https://help.github.com/articles/signing-commits-using-gpg/](https://help.github.com/articles/signing-commits-using-gpg/)

~~~
ex_amazon_sde
...with the added security benefit of not uploading your private key on
Keybase!

~~~
OJFord
You can use Keybase with GPG without letting it handle your private key. (I
do.)

~~~
pigeons
You can but last time I used it the first option you were presented with was
giving keybase your key. I don't know if that's changed years later because I
closed the app at that point, I wasn't interested in using or encouraging
others to use such a thing. The guy pointing this out was downvoted and I
frequently see the fact that it's possible to not give them your key presented
as somehow making it acceptable that they ask for it.

------
MikkoFinell
Linus Torvalds, the creator of Git, says that signing every commit is stupid.

[http://git.661346.n2.nabble.com/GPG-signing-for-git-commit-td2582986.html](http://git.661346.n2.nabble.com/GPG-signing-for-git-commit-td2582986.html)

~~~
andrewstuart2
And as noted nearly every time this 7-year-old comment by Torvalds is
mentioned, this is of course technically correct due to the properties of
git's Merkle tree, but completely impractical as far as the human
implications.

Consider: You've just written 20 lines of code, and you're creating a commit.
Can you validate that all 20 lines were created by you before you commit?

Now, consider that you're looking to create a tag for version 2.0, coming from
1.4, with a net 4,000 new lines of code. Can you quickly and confidently
validate that all 4,000 lines of code are as expected?

Clearly, the frequent, small validations are much simpler than infrequently
signing huge releases. When integrity matters and humans are involved, small
batches win.

~~~
MikkoFinell
If you autosign every commit then you aren't validating anything anyway. All
that means is you have another mindless process running automatically in the
background. So what's your point?

~~~
viraptor
You're talking about two different threats / attacks:

1. Someone got access allowing them to push commits.

2. Someone got access allowing them to push commits and also got unrestricted
access to the trusted PGP key.

In the first case, auto-signing will expose the issue. In the second, not. But
in the second case, you're likely screwed in many other ways.

------
pstadler
Thanks for posting this here.

Please note that this was initially written as a reference for myself, being
relatively inexperienced with the keybase client and gpg tooling in general.
There are certainly different ways to accomplish the same and you don't have
to use keybase, but I wanted to. Please keep this in mind.

Ironically, only the first commit is signed.

~~~
underyx
>Ironically, only the first commit is signed.

Yeah, and even though I had set this up myself just a few minutes before I
submitted PR #3, I ended up committing on the web UI as well, with no
signature :D

------
rietta
But what do you do with the signatures on the signed commits? It is of some
limited value to GPG sign, because it does provide a little bit more of a "John
Hancock" for a release, but how does this work in a continuous integration
environment? Does the CI server reject commits that are not properly signed?
Does the server refuse to run unsigned or incorrectly signed Git-deployed
code?

~~~
mi100hael
It provides a confirmation that the person whose name & email are on a commit
actually made the commit. I can configure my instance of git to make commits
as "Linus Torvalds <torvalds@linux-foundation.org>", but only the real Linus
can sign them with a publicly-verifiable GPG key.

------
Dowwie
This is timely, considering Ken's recent hack attempt on his github account.

Does anyone know what happens when commit signatures don't match?

~~~
Rafert
For those out of the loop: [http://www.kennethreitz.org/essays/on-cybersecurity-and-being-targeted](http://www.kennethreitz.org/essays/on-cybersecurity-and-being-targeted)

~~~
eridius
Thanks! That post just prompted me to check what password is on my DNS
account, and it turns out to be an insecure one, so I'm fixing that right now.

------
therealmarv
Somebody please explain to me: What's the point in signing on github when I
can set the key on github itself (e.g. account gets compromised)? A simple
flag (on github's server) showing that my email on the commit is the same
as on the account would also do the job. What if my key is compromised and I set
a new one on github? What happens with my old signed commits? Another
question: Most of us are no airplane mechanics who need to sign everything of
our work. Why would you give up deniability of doing something (with your
signing key) without thinking about the consequences? I'm thinking of legal
cases here (hey, you signed your commit!).

~~~
mcpherrinm
Github can't verify you actually committed a change unless it's signed. You
can set whatever email address you want on any commit.

They could verify who _pushed it_ to github, since that action is
authenticated, but restricting pushing other people's commits would break many
workflows (eg, a bot pushing from a local git server), or a reviewer pushing
code sent to a mailing list, or resolving conflicts in a merge locally.

You can also verify the GPG key independently of Github. Perhaps your CI
system could verify all commits it builds are signed, and your deployment
system could too. There's no need to use Github as the authoritative source
for that sort of thing.
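One way to implement the CI check mcpherrinm suggests, as an added example that is not code from the thread or from the linked repository: a POSIX shell function that reads the output of `git log --format='%H %G? %GK'` for the commit range being built, rejects any commit that is unsigned, badly signed, unverifiable (public key not in the build machine's keyring), expired or revoked, and additionally requires the signing key to be on an allow-list. The key ids in `ALLOWED_KEYS` and the sample lines in the usage comment are constructed placeholders; `%G?` and `%GK` are git's own pretty-format codes.

```shell
#!/bin/sh
# CI signature gate (added example, not from the thread).
# Input lines have the shape produced by
#     git log --format='%H %G? %GK' "$BASE..$HEAD"
# where %G? is git's signature status code:
#   G good, U good but key of unknown validity, B bad,
#   E cannot be checked (e.g. public key missing from the keyring),
#   N no signature, X expired signature, Y expired key, R revoked key.
# %GK is the long id of the key that made the signature (empty if unsigned).

# Allow-listed long key ids, space-separated. These two values are
# constructed placeholders; a real pipeline would inject its own.
ALLOWED_KEYS="${ALLOWED_KEYS:-0123456789ABCDEF FEDCBA9876543210}"

# audit_signatures: reads "<hash> <status> <keyid>" lines on stdin,
# prints one "REJECT <hash>: <reason>" line per offending commit and
# returns 1 if any commit was rejected, 0 if every commit passed.
audit_signatures() {
    bad=0
    while read -r hash status keyid; do
        [ -z "$hash" ] && continue
        case "$status" in
            G|U)
                # Signature verified; now require an allow-listed key so a
                # valid signature from an unknown key is not enough.
                case " $ALLOWED_KEYS " in
                    *" $keyid "*) ;;
                    *) echo "REJECT $hash: signed by non-allow-listed key ${keyid:-?}"
                       bad=1 ;;
                esac ;;
            N) echo "REJECT $hash: no signature"; bad=1 ;;
            B) echo "REJECT $hash: bad signature"; bad=1 ;;
            E) echo "REJECT $hash: cannot verify (public key not in keyring)"; bad=1 ;;
            X|Y|R) echo "REJECT $hash: expired or revoked ($status)"; bad=1 ;;
            *) echo "REJECT $hash: unknown status '$status'"; bad=1 ;;
        esac
    done
    return "$bad"
}

# Usage in a real pipeline (BASE and HEAD set by the CI system):
#     git log --format='%H %G? %GK' "$BASE..$HEAD" | audit_signatures || exit 1
```

The `E` branch is the case where the signing key is not in the CI machine's keyring: git then reports the signature as unverifiable, so the gate must either import the allow-listed public keys up front or treat such commits as failures, as here. Checking the key id rather than just the status matters because `%G?` reports `G` for any key in the keyring, including one an attacker imported.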

------
quchen
If anyone wants in, here are 5 invite links.

[Edit: all used up.]

Each works for only one signup, so hurry up :-)

By the way, most users get around 20 free invites shortly after signing up. If
one of the links above opened your account, why not share five of your own
invites afterwards?

~~~
Vendan
here's some more:

[https://keybase.io/inv/e2d4bf61e4](https://keybase.io/inv/e2d4bf61e4)

[https://keybase.io/inv/c04b18c7c3](https://keybase.io/inv/c04b18c7c3)

[https://keybase.io/inv/e0f10b0fea](https://keybase.io/inv/e0f10b0fea)

[https://keybase.io/inv/ab432f0ab7](https://keybase.io/inv/ab432f0ab7)

[https://keybase.io/inv/923f343c20](https://keybase.io/inv/923f343c20)

[https://keybase.io/inv/27a2dbe5ee](https://keybase.io/inv/27a2dbe5ee)

[https://keybase.io/inv/6dc9197192](https://keybase.io/inv/6dc9197192)

~~~
Vendan
only 1 left of these:
[https://keybase.io/inv/c04b18c7c3](https://keybase.io/inv/c04b18c7c3)

~~~
Vendan
All gone, sorry folks :)

------
akerro
Is keybase.io still mostly useless because it is not compatible with other
key-exchange servers and can't be easily added to Enigma in Thunderbird?

~~~
snassar
I don't really get what keybase.io is supposed to solve, but it doesn't get in
the way of importing keys into Enigmail.

If you are in Enigmail's Keymanager you can import from a URL when the content
is well-formatted.

Examples that work:

[https://keybase.io/snassar/key.asc](https://keybase.io/snassar/key.asc)
[https://pgp.samirnassar.com](https://pgp.samirnassar.com)
[http://keys.gnupg.net/pks/lookup?op=get&search=0x69A75542488...](http://keys.gnupg.net/pks/lookup?op=get&search=0x69A75542488B4A1A)

It would be nice if Keybase made the URL more easily "gettable" instead of
hiding it behind 2 clicks.

~~~
WorldMaker
«I don't really get what keybase.io is supposed to solve»

Keybase was built to solve the "web of trust" bootstrap problem [1] by
leveraging the web of social media profiles a user typically has with simple
replicable proofs of social media identity.

[1] Arguably the hardest problem in PKI: how do you get a user to trust that a
public key is for the right person? In the classic PGP/GPG web of trust you do
things like "key signing parties" and physical in-real-life interactions and
decide your threshold for how far you trust that the friend of my friend signed
this key. In the Keybase model you can see that the key (or family of keys)
is tied to a certain combo of Twitter, Facebook, HN, et al. accounts/profiles
and generally trust that the person with all those accounts is the person you
are trying to communicate with.

~~~
snassar
Fair enough, when it comes to coming up with creative ways to solve the web of
trust problem.

I still do not know what problem keybase.io solves when they allow uploading
of private keys.

~~~
WorldMaker
That would be the second hardest problem in PKI: key escrow and key
management. The answers to the questions most average users have like: What do
I do if I lose my machine? If I'm logged in from the library or work or my
friend's PC? If I use multiple machines every day?

When the "right" answer includes "Print out this long thing, put it in a safe
deposit box, and pray you never have to type in this long string of numbers",
you immediately lose a lot of potential users; it doesn't quite fit the
"Grandparent test" (could your Grandparent use it?).

Absolutely there's a trade-off in trusting a 3rd Party key escrow, but there's
an immense usability benefit to average users that want something easier to do
and "some security" really can be better than "no security", even if a lot of
hard-line paranoid wonks have good reason to believe otherwise.

~~~
dublinben
My grandparents don't even use email. I don't think we should be setting them
as the lowest common denominator for security. Some things that are worth
doing require a little bit of effort.

~~~
WorldMaker
You have to consider the lowest common denominator in security. Your
security is only as good as your weakest link. Say you have an emergency and
your grandparents need to email your PII to a hospital. Can they do it
securely? You need to email some PII to them. Can you do it securely? Some
security for all is better than no security for most, hence the "grandparent
test".

~~~
dublinben
I think it would be even better if we could design systems where it isn't even
necessary for a family member to "email your PII" to anyone. That's a terrible
idea in almost any situation, regardless of your security.

------
diemscott
Here are some invites if you are interested. (added more, replaced some used
ones)

16 used, here are more:

[https://keybase.io/inv/b24a826ad7](https://keybase.io/inv/b24a826ad7)

[https://keybase.io/inv/6875c4bf5a](https://keybase.io/inv/6875c4bf5a)

~~~
leemac
Thanks for the invite! I'll reply here with a bunch when mine are available.

~~~
leemac
Here are a couple I received, a few co-workers took the rest :^)

[https://keybase.io/inv/172ce0cd26](https://keybase.io/inv/172ce0cd26)

[https://keybase.io/inv/84129b0e36](https://keybase.io/inv/84129b0e36)

~~~
leemac
and they're gone!

------
danieleggert
You don't need to have Homebrew. And most of this can be done a lot simpler:
[https://gist.github.com/danieleggert/b029d44d4a54b328c0bac65...](https://gist.github.com/danieleggert/b029d44d4a54b328c0bac65d46ba4c65)

~~~
sambe
The Homebrew steps seem simpler to me, especially if you already use it. Also
easy to update - does the suite auto-update?

Why don't you like Homebrew?

------
sleepychu
> # Push an encrypted copy of your new secret key to the Keybase.io server? [Y/n] Y

What's the purpose of this? What attack vectors does it expose?

~~~
benmanns
You can use it to do actions on the Keybase site by typing in your decryption
password. Attack vectors: Keybase site code gets replaced with something
malicious, now they have your key password and decrypted private key.

You can also do everything on the command line without trusting Keybase's
server or their frontend JS.

~~~
acdha
Another problem: if their storage or a backup is compromised, the attackers
can brute-force passwords offline without rate-limiting.

In some ways that's worse than actively trojaning their JavaScript since
there's no possible way for the target to know that's happened, whereas the
frontend at least has the low but non-zero chance of someone noticing the
malicious code.

------
Walkman
I also have a couple of keybase.io invitations:

[https://keybase.io/inv/23d5ce3afc](https://keybase.io/inv/23d5ce3afc)

[https://keybase.io/inv/bb28df44d6](https://keybase.io/inv/bb28df44d6)

[https://keybase.io/inv/bb9c4fffa8](https://keybase.io/inv/bb9c4fffa8)

[https://keybase.io/inv/471c1f67b7](https://keybase.io/inv/471c1f67b7)

[https://keybase.io/inv/44968be986](https://keybase.io/inv/44968be986)

[https://keybase.io/inv/cd6c91d01e](https://keybase.io/inv/cd6c91d01e)

[https://keybase.io/inv/cdc45eb48f](https://keybase.io/inv/cdc45eb48f)

[https://keybase.io/inv/41d268d0d6](https://keybase.io/inv/41d268d0d6)

[https://keybase.io/inv/b74615140f](https://keybase.io/inv/b74615140f)

[https://keybase.io/inv/d90ac04ed3](https://keybase.io/inv/d90ac04ed3)

~~~
olltre
So do I :)

[https://keybase.io/inv/8cc6068c31](https://keybase.io/inv/8cc6068c31)

[https://keybase.io/inv/345f0dd4e2](https://keybase.io/inv/345f0dd4e2)

[https://keybase.io/inv/2d06418590](https://keybase.io/inv/2d06418590)

[https://keybase.io/inv/73fd612897](https://keybase.io/inv/73fd612897)

[https://keybase.io/inv/1e9acdc815](https://keybase.io/inv/1e9acdc815)

[https://keybase.io/inv/d5ae0a4b0c](https://keybase.io/inv/d5ae0a4b0c)

~~~
eric_bullington
Invites:

[https://keybase.io/inv/4c100c57c9](https://keybase.io/inv/4c100c57c9)

[https://keybase.io/inv/89cb21a5a6](https://keybase.io/inv/89cb21a5a6)

~~~
moonka
More Invites:

[https://keybase.io/inv/34fda59c6f](https://keybase.io/inv/34fda59c6f)

[https://keybase.io/inv/27f71dd95c](https://keybase.io/inv/27f71dd95c)

[https://keybase.io/inv/0ba37842db](https://keybase.io/inv/0ba37842db)

[https://keybase.io/inv/105ba8ef1e](https://keybase.io/inv/105ba8ef1e)

[https://keybase.io/inv/070ed67897](https://keybase.io/inv/070ed67897)

[https://keybase.io/inv/b5f6094a85](https://keybase.io/inv/b5f6094a85)

[https://keybase.io/inv/5f77883740](https://keybase.io/inv/5f77883740)

[https://keybase.io/inv/0cec6fa3d9](https://keybase.io/inv/0cec6fa3d9)

~~~
moonka
Only one left:
[https://keybase.io/inv/070ed67897](https://keybase.io/inv/070ed67897)

~~~
fowl2
thanks!

------
fphilipe
I'm not sure keybase does this by default, but make sure to upload your key to
a keyserver such as MIT's ([https://pgp.mit.edu](https://pgp.mit.edu)).
Otherwise, git will complain that the signature is invalid when doing
`git log --show-signature`.

~~~
libeclipse
Github doesn't complain for me, so I can only assume that it does this itself.
What I did was grab my key from keybase and insert that into my local
keyring, then upload that to my github.

~~~
fphilipe
GitHub is happy as long as you upload the public key to GitHub. Git though
uses pgp key servers to verify the signature.

------
zeveb
Displaying the signature in the web UI is actually the only feature from
GitHub I miss when using GitLab. It's not a huge deal, but it gives me a
warm-and-fuzzy.

~~~
mi100hael
It's on their roadmap: [https://gitlab.com/gitlab-org/gitlab-ce/issues/4232](https://gitlab.com/gitlab-org/gitlab-ce/issues/4232)

------
aestetix
When does keybase plan to do nightly keydumps like SKS offers?

------
mwksl
To continue the chain of invites, I have 22 available. You can contact me at
matthew at leaguer [dot] io

------
jbondo
This setup seems a little simpler (doesn’t require Homebrew, for example):
[https://gist.github.com/danieleggert/b029d44d4a54b328c0bac65...](https://gist.github.com/danieleggert/b029d44d4a54b328c0bac65d46ba4c65)

------
pklausler
Usage note: "setup" is a noun, "set up" is a verb.

------
csubj
Invites:

[https://keybase.io/inv/369352fa18](https://keybase.io/inv/369352fa18)

[https://keybase.io/inv/63ab4d212a](https://keybase.io/inv/63ab4d212a)

------
diego898
I have 22 invites left if anyone would like let me know!

------
koolba
Why would I want to sign all (any?) of my commits? Releases sure, but every
single one? What's the point?

Tangentially on topic, when did keybase get that terrible logo? It looks like
it'd be the mascot for an off-brand bag of potato chips.

~~~
cyphar
Only signing releases is equivalent to saying "every bit of code I just
released I trust and so should you". This means that you have to have reviewed
every change to make sure someone didn't dupe you into signing a commit you
didn't mean to.

Signing every commit is a much easier guarantee to make: "this change was made
by me and I trust this change". In aggregate it's much better than just having
signed releases (though of course you should sign releases in addition to
this).

------
jefffan241
I have 5 keybase invites free if anyone wants to take them.

Edit: All invites taken

------
ithkuil
Anybody here got invitation codes for keybase ?

~~~
akerro
You don't need keybase to sign your commits. Any standard and key-exchange
compatible pgp/gpg client will do. By using keybase you're just adding more
work for everyone.

[https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work](https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work)

~~~
csubj
I think the cooler part of keybase.io is that it provides a platform for
authenticating your separate social accounts (reddit, twitter, etc.) along
with websites and github. That's pretty neat, and I can't say I've seen
something like it before.

