Ask HN: Do you use a GPG key with GitHub?
30 points by jason_slack 35 days ago | 34 comments
I've never worked any place that has required use of gpg. Nobody has ever asked me about gpg and GitHub.



Nobody asked me to do so, but all my setup (SSH auth, encryption, password manager, mail signatures) is built around GPG, so it was easy to add the signing in my git config.

I use a RSA8192 key as master key so it can last for a while. Then I have RSA4096 subkeys for signature, encryption and authentication. All subkeys are on my Yubikey configured with touch to operate. So when I am on a computer, I plug my Yubikey in there, and whenever I want to do a SSH login, a git commit signing, a password access (pass), a mail signing or anything else GPG related I have to touch my Yubikey.

The setup of such a system is not trivial, but once it is done it works really well. My digital identity is built around my GPG keys, and they are stored safely in my Yubikey, and to operate them I have to be physically there and press it, so they cannot be used remotely if my computer is compromised.

I have a literal stack of yubikeys after getting many of them shoved into my hand at trade shows. I'd love to actually use them for anything but OTP. Can you document this process? Care to share your setup?

How do you handle, if at all, ssh/gpg on a mobile device?

Is it possible to have both yubikey based cert authentication for SSH/GPG in addition to normal password based cert auth on the same server/user?

Does this work on MacOS as well as Linux?

Here’s a decent guide: https://github.com/drduh/YubiKey-Guide

PS I’d love to get some shoved into my hand. Paid $100 for my pair.

What you need to do is a bit platform-dependent, but Trammell's guide for MacOS is good: https://trmm.net/Yubikey

I run Linux but adapting his guide to what I use was the clearest path I found. Do note that only some of the Yubikeys support GPG. The cheaper ones (that you might be getting for free) are OTP only. Git signing is pretty straightforward once you have it set up for GPG.

I have not attempted mobile at all.

Who did you get to sign your keys? Are you using keybase or some other PKI/WOT system?

(Same questions apply for everyone in this thread saying "yes")

I have only one friend who signed it, my only friend nerdy enough to use GPG.

For most of my usages (SSH, password manager, personal encryption) there is no need for a WOT. For the git commit signatures, I have put my public key on Github so there is the "Verified" label beside my commits, but I don't think anybody has used this information yet. And for the email signatures, it is useless without a WOT, which is the reason why I do not bother to sign them anymore.

As someone else said in this thread: «I just like that little bit of extra “yes, this was me” onion layer of security.»

Yes, I use it all the time. We didn't require it at work, until one employee started signing their commits, and everyone else thought the "verified" badge for the commit on github looked cool, so everyone else started doing it. Now mostly everyone does it at work.

After adding your public key to your github account, you can set git to sign your commits by default.

You can do that in ~/.gitconfig (or /<repo>/.git/config for specific repos).

        [user]
            signingkey = DEADBEEF
        [commit]
            gpgsign = true
Then when you commit, it will try to sign the commit. When you push the commit to github, it will automatically show up as "verified" in the commit history.



> everyone else thought the "verified" badge for the commit on github looked cool

Hahaha, that's also why I started using it :) Interesting how these kind of small badges work as incentives.

It might be that people who use it are more likely to engage this thread, and those who don't are going to skim past the thread and not respond. A whole bunch of yeses might not accurately represent the distribution of people using it/people not using it.

That in mind, I'll say I'm not using it.

I do, but only because git and GitHub made it so easy to set up.

I've read both that it can help with security, and that it doesn't help at all, but for the 5 minutes it took to set up I figured it can't hurt and the green verified check box is nice to see visually!

Yes, we enforce it at work. It's part of verifying the source of code running in production.

I set it up when they launched but GPG’s instability using a Yubikey and the general hassle of managing multiple keys meant that I disabled it since nobody else ever checked. I’d really like a post-90s GPG with good support for multiple hardware keys - we’ve talked about enabling it for work but I cringe at the support burden GPG would add.

I've got it working reliably enough. See https://github.com/naggie/dotfiles/blob/master/etc/yubikey.m... for a guide

and https://github.com/naggie/dotfiles/blob/master/home/.functio... for various functions I use to get gpg-agent working remotely (and transparently with tmux) without locking anything up.

I had no trouble getting it working but it regularly loses the ability to see USB devices until I restart gpg-agent.

It depends on the repository. Most of the time, I use Git for personal stuff that isn’t ever going to be pushed anywhere.

For repositories where I want to sign my commits, I configure each local checkout individually:

    git config commit.gpgsign true
    git config push.gpgsign false
    git config user.signingkey "${MY_FINGERPRINT?}"

I do :) Never had any problem where GPG would have helped me by certifying I was the author, but we never know...

A quick guide if you need one: https://pedrorijo.com/blog/git-gpg/

I do for my personal projects (which are public), but also everyone in my company does for work stuff too. (We also require 2FA for all accounts in the org.)

It's important that any builds pushed out to production are from signed sources.

Yes, exclusively, and I enforce signed pushes on repositories where possible.


With GitHub, with GitLab, on the macOS command line and in Tower clients, very easy to set up!

I find it adds some trust to commits for public repositories. It's not very useful, more like a nice to have.

Now, yes.

Thanks for asking this, I just finished setting it up.

For anyone reading this, if:

1. you are on macOS,

2. you used brew to install GnuPG: brew install gnupg,

3. after generating your GPG key pair, these two commands fail...

    $ git commit -S
    $ echo "test" | gpg --clearsign

...try adding this line to your bash profile:

    export GPG_TTY="$(tty)"

No. The only system I've ever encountered that required source-code-signing is Debian, who've done it for years.

(Note that merely signing the code with some key is not enough! You have to verify that that's the key of the person you think it is. Doing this properly is hard work.)

If you're using GitHub, it does this fairly nicely — you just upload your public key and it provides a green "verified" badge next to commits indicating that they were signed by a key attached to your profile.
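Several comments above say signed commits are "part of verifying the source of code running in production", and the previous comment points out that a signature from some key proves nothing until you have checked that the key belongs to the person you think it does. The block below is an added example (mine, not code from the thread or from any project mentioned in it) of the check a CI job would run before building: it consumes `git log` output in a fixed format and rejects any commit that is unsigned, has a bad or unverifiable signature, is signed by a key outside an explicit fingerprint allowlist, or is signed by an allowlisted key whose owner does not match the commit's author e-mail. The `%GF`/`%GP` placeholders assume git 2.19 or newer; the key fingerprints, e-mail addresses and log lines are constructed sample data.

```python
"""Added example: a commit-signature policy check over `git log` output for a CI gate."""
from dataclasses import dataclass
from typing import Dict, Iterable, List

# One commit per line: hash, signature status, fingerprint of the signing key, author e-mail.
# %GF is the (sub)key that made the signature. If your allowlist holds primary-key
# fingerprints (the usual case when the signing subkey lives on a Yubikey), use %GP instead.
LOG_FORMAT = "%H%x09%G?%x09%GF%x09%ae"

# Meaning of the %G? codes, as documented in git-log(1).
STATUS_MEANING = {
    "G": "good signature",
    "U": "good signature, key validity unknown",
    "X": "good signature, but it has expired",
    "Y": "good signature made by an expired key",
    "R": "good signature made by a revoked key",
    "B": "bad signature",
    "E": "signature cannot be checked (key missing?)",
    "N": "no signature",
}

# A CI keyring built by importing the allowlisted public keys has no web of trust, so every
# valid signature is reported as U. The fingerprint allowlist below is what supplies the trust.
ACCEPTABLE_STATUS = {"G", "U"}


def git_log_command(rev_range: str) -> List[str]:
    """argv that produces the lines check_commits() consumes, e.g. for origin/main..HEAD."""
    return ["git", "log", f"--format={LOG_FORMAT}", rev_range]


@dataclass
class Violation:
    commit: str
    reason: str


def check_commits(log_lines: Iterable[str], trusted_keys: Dict[str, str]) -> List[Violation]:
    """Return one Violation per commit that is not validly signed by an allowlisted key.

    trusted_keys maps a full key fingerprint to the author e-mail it may sign for, so a
    valid signature from the wrong person (or a stolen key under a forged author line)
    is rejected rather than accepted just because the signature verifies.
    """
    violations: List[Violation] = []
    for line in log_lines:
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 4:
            violations.append(Violation(line[:12], "malformed log line"))
            continue
        commit, status, fingerprint, author = fields
        if status not in ACCEPTABLE_STATUS:
            violations.append(Violation(commit, STATUS_MEANING.get(status, f"unknown status {status!r}")))
            continue
        owner = trusted_keys.get(fingerprint.upper())
        if owner is None:
            violations.append(Violation(commit, f"signed by key {fingerprint} which is not allowlisted"))
        elif owner.lower() != author.lower():
            violations.append(Violation(commit, f"key belongs to {owner} but author is {author}"))
    return violations


# Constructed sample data: fake fingerprints, hashes and addresses, not real keys or commits.
ALICE_KEY = "0123456789ABCDEF0123456789ABCDEF01234567"
TRUSTED_KEYS = {ALICE_KEY: "alice@example.com"}
SAMPLE_LOG = [
    "a1" * 20 + "\tG\t" + ALICE_KEY + "\talice@example.com",   # fine
    "a2" * 20 + "\tU\t" + ALICE_KEY + "\talice@example.com",   # fine: no WOT in CI, but key allowlisted
    "b3" * 20 + "\tN\t\tbob@example.com",                       # unsigned
    "b4" * 20 + "\tG\t" + "F" * 40 + "\tbob@example.com",       # valid signature, key not allowlisted
    "c5" * 20 + "\tG\t" + ALICE_KEY + "\tmallory@example.com",  # Alice's key under someone else's author line
    "d6" * 20 + "\tE\t\talice@example.com",                     # could not verify (key absent from keyring)
]

if __name__ == "__main__":
    for v in check_commits(SAMPLE_LOG, TRUSTED_KEYS):
        print(f"REJECT {v.commit[:12]}: {v.reason}")
```

Run it on a real range with `subprocess.run(git_log_command("origin/main..HEAD"), capture_output=True, text=True)` and feed `stdout.splitlines()` to `check_commits`. Treating `U` as acceptable is deliberate: in a throwaway CI keyring nothing is ultimately trusted, so insisting on `G` would reject every commit; the allowlist of fingerprints, maintained alongside the list of who may commit, replaces the web of trust that GPG would otherwise need. Note that this is also why GitHub's "Verified" badge alone is weaker than this check: it only says the key is attached to some account, not that the account is the one you expect.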

Yes, but it's not required at work. Though I do a fair bit of OSS, too.

Yup. I think about 3 years ago I set up automatic signing of all my commits. I've been too lazy to disable it and I dislike not being verified in any manner, so I upload my public GPG key everywhere.

Yes, and it's required for all of the developers that work at our company. We used GPG signed commits before we even moved to Github (we previously used Bitbucket).

It's dead simple to set up, even on Windows.

No. I started to set it up but ran into some problem I can't remember and I didn't bother continuing. But I certainly see the value in it.

I do, but GitHub unverifies my e-mail all the time - thus rendering all my GPG signatures there "Unverified" :(

Sure. I need to sign tags, commits and releases. When you maintain a GNU package it's mandatory to sign releases.

Yep, both GitHub and the internal corporate (private) BitBucket server.


I just like that little bit of extra “yes, this was me” onion layer of security.

Yes, on GitLab. It works really well and helps to ensure that commits in my name and email are actually by me.

Yes, for OSS projects and for work. At work there's only a handful of us signing our commits.

Yes. I was required to do it at work, and it's fairly seamless to set up.

Yes, especially since my e-mails are also signed through GPG.


Applications are open for YC Summer 2019
