
Ask HN: Do you use a GPG key with GitHub? - jason_slack
I've never worked any place that has required use of gpg. Nobody has ever asked me about gpg and GitHub.

https://help.github.com/articles/generating-a-new-gpg-key/
======
StreakyCobra
Yes.

Nobody asked me to do so, but all my setup (SSH auth, encryption, password
manager, mail signatures) is built around GPG, so it was easy to add the
signing in my git config.

I use an RSA8192 key as master key so it can last for a while. Then I have
RSA4096 subkeys for signature, encryption and authentication. All subkeys are
on my Yubikey configured with touch to operate. So when I am on a computer, I
plug my Yubikey in there, and whenever I want to do an SSH login, a git commit
signing, a password access (pass), a mail signing or anything else GPG related
I have to touch my Yubikey.

The setup of such a system is not so trivial, but once it is done it is working
really well. My digital identity is built around my GPG keys, and they are
stored safely in my Yubikey, and to operate them I have to be physically there
and press it, so it cannot be used remotely if my computer is compromised.

~~~
op00to
I have a literal stack of yubikeys after getting many of them shoved into my
hand at trade shows. I'd love to actually use them for anything but OTP. Can
you document this process? Care to share your setup?

How do you handle, if at all, ssh/gpg on a mobile device?

Is it possible to have both yubikey based cert authentication for SSH/GPG in
addition to normal password based cert auth on the same server/user?

Does this work on MacOS as well as Linux?

~~~
tempotemporary
Here’s a decent guide: [https://github.com/drduh/YubiKey-Guide](https://github.com/drduh/YubiKey-Guide)

PS I’d love to get some shoved into my hand. Paid $100 for my pair.

------
diafygi
Yes, I use it all the time. We didn't require it at work, until one employee
started signing their commits, and everyone else thought the "verified" badge
for the commit on github looked cool, so everyone else started doing it. Now
mostly everyone does it at work.

After adding your public key to your github account, you can set git to sign
your commits by default.

You can do that in ~/.gitconfig (or /<repo>/.git/config for specific repos).

    [user]
        signingkey = DEADBEEF
    [commit]
        gpgsign = true

Then when you commit, it will try to sign the commit. When you push the commit
to github, it will automatically show up as "verified" in the commit history.

[https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work](https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work)

[https://help.github.com/articles/signing-commits/](https://help.github.com/articles/signing-commits/)

~~~
dgellow
> everyone else thought the "verified" badge for the commit on github looked
> cool

Hahaha, that's also why I started using it :) Interesting how these kinds of
small badges work as incentives.

------
Timpy
It might be that people who use it are more likely to engage this thread, and
those who don't are going to skim past the thread and not respond. A whole
bunch of yeses might not accurately represent the distribution of people using
it/people not using it.

That in mind, I'll say I'm not using it.

------
Klathmon
I do, but only because git and GitHub made it so easy to set up.

I've read both that it can help with security, and that it doesn't help at
all, but for the 5 minutes it took to set up I figured it can't hurt and the
green verified check box is nice to see visually!

------
mjlee
Yes, we enforce it at work. It's part of verifying the source of code running
in production.

------
acdha
I set it up when they launched but GPG’s instability using a Yubikey and the
general hassle of managing multiple keys meant that I disabled it since nobody
else ever checked. I’d really like a post-90s GPG with good support for
multiple hardware keys - we’ve talked about enabling it for work but I cringe
at the support burden GPG would add.

~~~
naggie
I've got it working reliably enough. See
[https://github.com/naggie/dotfiles/blob/master/etc/yubikey.m...](https://github.com/naggie/dotfiles/blob/master/etc/yubikey.md)
for a guide and
[https://github.com/naggie/dotfiles/blob/master/home/.functio...](https://github.com/naggie/dotfiles/blob/master/home/.functions.sh)
for various functions I use to get gpg-agent working remotely (and
transparently with tmux) without locking anything up.

~~~
acdha
I had no trouble getting it working but it regularly loses the ability to see
USB devices until I restart gpg-agent.

------
Hackbraten
It depends on the repository. Most of the time, I use Git for personal stuff
that isn’t ever going to be pushed anywhere.

For repositories where I want to sign my commits, I configure each local
checkout individually:

    git config commit.gpgsign true
    git config push.gpgsign false
    git config user.signingkey "${MY_FINGERPRINT?}"

------
pedrorijo91
I do :) Never had any problem where GPG would have helped me by certifying I
was the author, but we never know...

A quick guide if you need: [https://pedrorijo.com/blog/git-gpg/](https://pedrorijo.com/blog/git-gpg/)

------
zeroxfe
I do for my personal projects (which are public), but also everyone in my
company does for work stuff too. (We also require 2FA for all accounts in the
org.)

It's important that any builds pushed out to production are from signed
sources.

------
aaronmdjones
Yes, exclusively, and I enforce signed pushes on repositories where possible.

------
gregoriol
Yes

with GitHub, with GitLab, on macOS commandline and Tower clients, very easy to
set up!

I find it adds some trust to commits for public repositories. It's not very
useful, more like a nice to have.

------
ricardbejarano
Now, yes.

Thanks for asking this, I just finished setting it up.

For anyone reading this:

If:

1. you are on macOS,

2. you used brew to install GnuPG (brew install gnupg),

3. after generating your GPG key pair, these two commands fail...

    $ git commit -S
    $ echo "test" | gpg --clearsign

...try adding this line to your bash profile:

    export GPG_TTY="$(tty)"

------
pjc50
No. The only system I've ever encountered that required source-code-signing is
Debian, who've done it for years.

(Note that merely signing the code with some key is not enough! You have to
verify that that's the key of the person you think it is. Doing this properly
is hard work.)
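
The caveat above (a valid signature only proves "some key signed this", not "the person I expect signed this") is what a CI or release check has to enforce on top of the `commit.gpgsign = true` setup shown earlier in the thread. The following is an added example, not code from anyone in this thread: it parses the output of `git log --format='%H|%G?|%GP|%ae'` (real git placeholders: commit hash, signature status letter, primary-key fingerprint, author e-mail) and accepts a commit only when its signing key is pinned to that author. The hashes, fingerprints and addresses are constructed sample data.

```python
from dataclasses import dataclass

# Meaning of git's %G? placeholder (git-log(1), "PRETTY FORMATS").
GIT_SIG_STATUS = {
    "G": "good signature", "B": "bad signature",
    "U": "good signature, key validity unknown",
    "X": "good signature that has expired", "Y": "good signature, key expired",
    "R": "good signature, key revoked", "E": "cannot check (missing key)",
    "N": "no signature",
}

@dataclass(frozen=True)
class Verdict:
    commit: str
    accepted: bool
    reason: str

def audit_log(log_text, trusted):
    """Judge each line of `git log --format='%H|%G?|%GP|%ae'` output.

    `trusted` maps a primary-key fingerprint to the author e-mail it is
    pinned to. A good signature from any other key is rejected: "signed" is
    not the same as "signed by who you think"."""
    verdicts = []
    for line in log_text.strip().splitlines():
        commit, status, fpr, email = line.split("|", 3)
        fpr = fpr.upper()
        if status == "N":
            verdicts.append(Verdict(commit, False, "unsigned commit"))
        elif status not in ("G", "U"):
            verdicts.append(Verdict(commit, False, GIT_SIG_STATUS.get(status, "unknown status")))
        elif fpr not in trusted:
            verdicts.append(Verdict(commit, False, "signing key not in allowlist"))
        elif trusted[fpr] != email:
            verdicts.append(Verdict(commit, False, "key pinned to a different author"))
        else:
            verdicts.append(Verdict(commit, True, "trusted signature"))
    return verdicts

# Constructed sample log output (fake hashes, fingerprints and addresses).
SAMPLE_LOG = """\
1111111111111111111111111111111111111111|G|ABCDEF0123456789ABCDEF0123456789ABCDEF01|alice@example.com
2222222222222222222222222222222222222222|G|FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF|alice@example.com
3333333333333333333333333333333333333333|N||bob@example.com
4444444444444444444444444444444444444444|B|ABCDEF0123456789ABCDEF0123456789ABCDEF01|alice@example.com
5555555555555555555555555555555555555555|G|ABCDEF0123456789ABCDEF0123456789ABCDEF01|mallory@example.com
"""
TRUSTED = {"ABCDEF0123456789ABCDEF0123456789ABCDEF01": "alice@example.com"}

if __name__ == "__main__":
    for v in audit_log(SAMPLE_LOG, TRUSTED):
        print(v.commit[:8], "ACCEPT" if v.accepted else "REJECT", v.reason)
```

Only the first sample commit is accepted; the second has a good signature from a key nobody pinned, which is exactly the case a bare "verified" badge cannot distinguish.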

~~~
dylanpyle
If you're using GitHub, it does this fairly nicely — you just upload your
public key and it provides a green "verified" badge next to commits indicating
that they were signed by a key attached to your profile.

------
sulami
Yes, but it's not required at work. Though I do a fair bit of OSS, too.

------
zaarn
Yup. I think about 3 years ago I set up automatic signing of all my commits.
I've been too lazy to disable it and I dislike not being verified in any
manner, so I upload my public GPG key everywhere.

------
actionowl
Yes, and it's required for all of the developers that work at our company. We
used GPG signed commits before we even moved to Github (we previously used
Bitbucket).

It's dead simple to set up, even on Windows.

------
gempir
No. I started to set it up but ran into some problem I can't remember and I
didn't bother continuing. But I certainly see the value in it.

------
mikroskeem
I do, but GitHub unverifies my e-mail all the time - thus rendering all my GPG
signatures there "Unverified" :(

------
rurban
Sure. I need to sign tags, commits and releases. When you maintain a GNU
package it's mandatory to sign releases.

------
an_d_rew
Yep, both GitHub and the internal corporate (private) BitBucket server.

Why?

I just like that little bit of extra “yes, this was me” onion layer of
security.

------
jamieweb
Yes, on GitLab. It works really well and helps to ensure that commits in my
name and email are actually by me.

------
SuddsMcDuff
Yes, for OSS projects and for work. At work there's only a handful of us
signing our commits.

------
samgranieri
Yes. I was required to do it at work, and it's fairly seamless to set up.

------
Artemix
Yes, especially since my e-mails are also signed through GPG.

------
deca6cda37d0
Yes

