
Signing Git commits with GPG

GPG, full name GnuPG, is cryptographic software for encrypting and signing communications and for managing the keys of asymmetric cryptography. It has many uses; the one covered here is signing git commits with GPG so that nobody else can commit in your name. Git's author name and email are free-form fields that anyone can set with git config, so they prove nothing by themselves; a signature binds the commit to a private key that only you hold, and GitHub/GitLab mark such commits as Verified after checking it against the public key registered on your account.

Both GitHub and GitLab support GPG keys; below is the signing key I added on GitHub. Let's get started!

Installing GPG

Downloading the installer from the official site is tedious; on macOS it is easier to install with brew (the gpg formula name is an alias of gnupg).

$ brew install gpg

$ gpg --version
gpg (GnuPG) 2.2.21
libgcrypt 1.8.6
Copyright (C) 2020 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /Users/luoji/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

Generating a key

  1. Generate a GPG key pair

Choose RSA and RSA (press Enter to accept the default), then enter the key size; 4096 bits is used here. Next choose how long the key stays valid, and finally enter your name and email address. The transcript below answers 0, so the key never expires; for a key you will actually use, an expiry such as 2y is the safer choice, and the date can be extended later with gpg --edit-key.

$ gpg --full-generate-key
gpg (GnuPG) 2.2.21; Copyright (C) 2020 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
(14) Existing key from card
Your selection?
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: luoji
Email address: luoji@example.com
Comment:
You selected this USER-ID:
"luoji <luoji@example.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit?

After entering a passphrase, you end up with a key pair for luoji@example.com:

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key A1A16F22BC02D78C marked as ultimately trusted
gpg: revocation certificate stored as '/Users/luoji/.gnupg/openpgp-revocs.d/BCC2217487CD7D65C124967BA1A16F22BC02D78C.rev'
public and secret key created and signed.

pub rsa4096 2021-01-06 [SC]
BCC2217487CD7D65C124967BA1A16F22BC02D78C
uid luoji <luoji@example.com>
sub rsa4096 2021-01-06 [E]
  2. List all key pairs. The long key ID is A1A16F22BC02D78C, which is simply the last 16 hex digits of the 40-digit fingerprint BCC2217487CD7D65C124967BA1A16F22BC02D78C printed on the line under sec. Either value can be given to git as user.signingkey, but the full fingerprint is the only unambiguous identifier of the key.
    $ gpg --list-secret-keys --keyid-format LONG
    sec rsa4096/A1A16F22BC02D78C 2021-01-06 [SC]
    BCC2217487CD7D65C124967BA1A16F22BC02D78C
    uid [ultimate] luoji <luoji@example.com>
    ssb rsa4096/D5473502EE9CEE25 2021-01-06 [E]
  3. Export the public key for key ID A1A16F22BC02D78C
    $ gpg --armor --export A1A16F22BC02D78C
    -----BEGIN PGP PUBLIC KEY BLOCK-----

    mQINBF/11pABEAClSHDndvl8yUVzhVDigc1lgyeiW2N4ayqM//QayC+a6V2dAHJN
    u+HOsxzc/LyczWRTFe5ovGGNiDZ4/zClZj1YqRGfZb9HSswmAuOTL/6tkgfyuuP+
    ICn9LNuSUK3ZxaEEPfh8hIcqfh3ffBy2nA5kC/Xj/70OS2GeHIJv6xprfAuo+EPd
    dLxD84OYh1Vc9mIO2cSnsnHk/JndZD5EEdJ8FYSShJ3DndAb1W76cHAlIDkrmGPn
    /qLVBnkq7HvHnxfl2EoQOycCqMnFWyEK+tS7Z5RxxOs1wfDQTyxd1UcqOTRwdNfC
    RvUwBcRNZxRXPKyLLNbYv+03Qn11FFbRELPqDdES20meDOLd7PSRKgJeKgsXw1A+
    w4aqkCGKNfWYrNYk0b93TAw6HFqWXOUcAF8/vW+ktlS8QyPpJFYliKEjBAV7/y0S
    I+WBHbzxswMnCeqqA/sy2SL8feO2C3/I7nIjreLbawX8EP5WUuFQX6A+14mU/B5P
    UlqUSmMB815HKb6r2yNOhdbSjdgnlcRFqPfNS5jahhloZkrChdXSEdDNVtKkxwpo
    v/VQDF/kOsEuVv92d59vwL96z9mM0W0Tzj3Hyldm69mAKJp2F6cZuu3a1+qSvk9D
    k+N1phd6v0Q0mEvEj7yf7BtOE4XRpwlKGlEujMvlcxq+Reet0Ks4/tbxfwARAQAB
    tBlsdW9qaSA8bHVvamlAZXhhbXBsZS5jb20+iQJOBBMBCAA4FiEEvMIhdIfNfWXB
    JJZ7oaFvIrwC14wFAl/11pACGwMFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQ
    oaFvIrwC14ybuhAAipXJv/QDPzz626oIGvVLDvOi8IgPKx7EofFFNLmm1BiOEjKR
    eK/KCz0tv6eRyOFcq7PuX/uDdSN9YXkZm5nRQO/s0vw7J/s+lMYJJbI/Fe5e5MQe
    Ps0pAB85tQqAigFiwwmtHBN/OHeqU8pog4vKOC1d0EMH7lKUETf6nGDMRP5nqYSc
    9FbGIcAzs4LWOvyi2+KgVSdzrS3r6TqZBmDrj4i0699/sN0VaLfXHC8jw3I9Y1RK
    hlKcxGtIhH33ZgwDBrNEjT26GyePbMzf1TaxJsu4Ym30CpvfdDt1NDfqJ7PKTaT/
    W08M0uGkcbvEexLhOkwNmGkA0Mzkwr6dKToGqZaD1BAlRw8VMJGR4O2ifMcCjpst
    o+4Nm8sOMhrbIkIYRKfjfkyUq/k9Bo0KdRBIBa7RFfJxn8lSCvebdwbE4qD+iFHB
    wUpaOrrwQqL7Yst7yQrAIxXSsWEBoxz6+u6YmKvH596MA+pdQTVM6vhj+oBu9q9v
    IObjW7WWks/9qEdw4Xtq9kMTEhA79GGJC13ctW2rMs/9Gu0M59emyo7GrszJScSR
    KHVHvKLbG04VA1xAv5RrklFWJOHRr7HtESBoULRcTJIe5JC7xsqVW0TJUNsb/hJO
    AQapUyesebKhCI2jv7WmRcSCTCocqcF+jT6ty2jtMILT0nKWmRAtn7MK4si5Ag0E
    X/XWkAEQAL0FWdODT7e9d0shMKrnYm+GLhds8JjjeMtIBwKuTT7GSBPkgtzme5Jc
    a/pQoGE+LOi1/QgA3gVYBJqbFRhQhCZyE3DeWDDncIkjXO7JNPrM2f6TUGMM8KVZ
    CUk33bqShjvFPiCCTtMDaQqQ2xkluRA39fq65KgQyZ5kV2X9UZLuUSUa9DQIJedf
    6g+3S0hzSY9lNtmDNHT1vvhpv8f836KJtWu14DUxxW2BH/tkiHFNtIGFKMwJmvfJ
    vM7HYosXa+DR1hYxoSxLBt8eq5Ha8C5EjmGwliQRYA7VH+sy2V6935CnBY199B6g
    9jNevDI0U6h9O7aQd/6AH8YhEMlcci2R7WZs9TJ69Zv+ce8nf5igrbJ7tyFZgppz
    NpMfE12vcl7lv1yXFG8qYD9bUfUR/z1barA24aWT9DseL0+93I7J03D9zakh6vOT
    OpDjF772M0nwmvsWEyuOi46bv+A/7lhDo00SFwtl4aOiPECTX5CZQrv6YpmQK8IQ
    OrflC2RwQlFCbFzKixQOf3qinjs2AiGj0oFS/9g5mWgfEXQMEt/zAXf+MpzxWjE4
    PkCwM+WbbUBCwSjNPhAiRPIwQUJuu6avTO3oJyhZTqz5zDyl+ufZzXr9MEauU1xJ
    CwshTqepmHQjVQ1Nj1dCnA+kA/M77erqHqAsR+2Zdh4To8a/fmTlABEBAAGJAjYE
    GAEIACAWIQS8wiF0h819ZcEklnuhoW8ivALXjAUCX/XWkAIbDAAKCRChoW8ivALX
    jJJzD/9TpurUiain8DKR9uTyiCCIdrs32nq70cQapN4Nl6dSxCFDf4GgL5y6JDOL
    Hc717BnZnSO1Fx69yG9iAasxTzoSNTY6DYhwJ56bmVj6bshewy0GEupb0pvInbNM
    0iJRX+wJJF8bppWAAAuxvzWZSAPX+5c/68WMMYUsGVWniSxyaYQjAKdEnlkE3U5k
    tbGDfFxtmOv0OLdSvEj2NDUI8VNO5CT00c0ZhsSuhMUmacxpieg6TknT5IWkR9f7
    vO+0+BmZ/rqMqJpeIoxuc2jaHDAtSLBUL+jHYNbnye7W3dTpp8TVOuv504mBcm1/
    N90px6aKr2lzm1iPVa+IrvutKMFgku19hh45492+zF8EEzfIaNU99AYDkd9okVdQ
    ud+5R2xu28BL8XjCItYVqrIb3maC/r2VBmAyFuSwjifoU34/hzQI+3tt808gh526
    oiR9P5BtA+9ELQYUPQsHA/Vuet9CYCb6zPMGsdNTJZeyB4YISMmK8+gzOn72uqlH
    0d9zMZwbrNEaxG6jqsxrYFILLM+zWQJsRiBgPvI0+l38D+ZtFQ8s1Fqj4rtcWVBw
    z3xercisx8hDDK0W7yDWGAVn0uNHGHarwvGXRDyeorRTEgcUu+W0BqDmJpYI/bdx
    jzaR61fn9g5aZGVUs2HfQPOi84J42ShfwLB4ia7yaK2MF4DqEQ==
    =JYRy
    -----END PGP PUBLIC KEY BLOCK-----

    Adding the GPG key to GitHub

    Copy the key above, including the -----BEGIN PGP PUBLIC KEY BLOCK----- and -----END PGP PUBLIC KEY BLOCK----- lines, and paste it into GitHub under Settings > SSH and GPG keys > New GPG key. gpg --export only writes the public key; the secret key is never uploaded anywhere. For GitHub to show commits as Verified, the email in the key's user ID (luoji@example.com here) must be a verified email on your GitHub account and must match the author email on the commits.


Configuring the key in Git

$ git config --global user.signingkey A1A16F22BC02D78C

$ echo 'export GPG_TTY=$(tty)' >> ~/.profile

I use zsh, so the command is echo 'export GPG_TTY=$(tty)' >> ~/.zshrc. GPG_TTY tells gpg which terminal the pinentry passphrase prompt should appear on; without it, git commit -S typically fails with "gpg: signing failed: Inappropriate ioctl for device".

Signing a commit

$ git commit -S -m "your commit message"
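The whole procedure above (generate, list, export, configure git, sign) run end to end in throwaway directories, as an added example that is not part of the original post or of GnuPG/git. It also shows the verification that GitHub performs for you: git verify-commit and the %G? placeholder of git log report G for a good signature from a trusted key, U when the public key is present but not trusted, E when the public key is missing, and N for an unsigned commit, so someone who merely sets user.email to your address gets N, not G. The script assumes gpg (GnuPG 2.x) and git are on PATH; the identity Demo Signer <demo@example.com>, the 3072-bit key size and the 1y expiry are assumptions chosen for the demo, not values from the page.

```sh
#!/bin/sh
# Added example (not code from the original post): GPG commit signing and
# verification end to end. Assumes gpg (GnuPG 2.x) and git are on PATH.
# The identity, key size and expiry below are demo assumptions.
set -eu

WORK=$(mktemp -d)
REPO="$WORK/repo"
export GNUPGHOME="$WORK/gnupg"   # private keyring for the demo; ~/.gnupg is untouched
mkdir -m 700 "$GNUPGHOME"

cleanup() {
  for h in gnupg verifier empty; do
    GNUPGHOME="$WORK/$h" gpgconf --kill gpg-agent 2>/dev/null || true
  done
  rm -rf "$WORK"
}
trap cleanup EXIT

# Step 1: generate the key unattended (the same questions --full-generate-key asks,
# answered from a parameter file). %no-protection skips the passphrase, so no
# pinentry is involved and GPG_TTY is not needed here.
gpg --batch --quiet --generate-key <<EOF
%no-protection
Key-Type: RSA
Key-Length: 3072
Key-Usage: sign
Name-Real: Demo Signer
Name-Email: demo@example.com
Expire-Date: 1y
%commit
EOF

# Step 2: read the long key ID and the fingerprint from machine-readable output.
# The key ID git wants for user.signingkey is the last 16 hex digits of the fingerprint.
KEYID=$(gpg --batch --list-secret-keys --with-colons demo@example.com | awk -F: '$1 == "sec" { print $5; exit }')
FPR=$(gpg --batch --list-secret-keys --with-colons demo@example.com | awk -F: '$1 == "fpr" { print $10; exit }')

# Step 3: export the public key; this is the block that gets pasted into GitHub.
gpg --batch --armor --export "$KEYID" > "$WORK/pubkey.asc"

# Step 4: configure git (repo-local here; the page uses --global).
git init -q "$REPO"
git -C "$REPO" config user.name "Demo Signer"
git -C "$REPO" config user.email "demo@example.com"
git -C "$REPO" config user.signingkey "$KEYID"

# Step 5: one signed commit (-S) and one deliberately unsigned commit with the same author.
echo "signed" > "$REPO/README"
git -C "$REPO" add README
git -C "$REPO" commit -q -S -m "signed commit"
echo "unsigned" >> "$REPO/README"
git -C "$REPO" commit -q -a -m "unsigned commit"

# Signature status letter git computes for a commit with the current keyring:
# G = good and trusted, U = good but key not trusted, E = cannot check (no public key),
# N = no signature, B = bad signature.
sig_status() {
  git -C "$REPO" log -1 --format='%G?' "$1"
}

# The check GitHub performs: verify with a keyring holding only the exported public key
# (no secret key, no ownertrust assigned).
sig_status_with_pubkey_only() {
  pk_home="$WORK/verifier"
  if [ ! -d "$pk_home" ]; then
    mkdir -m 700 "$pk_home"
    GNUPGHOME="$pk_home" gpg --batch --quiet --import "$WORK/pubkey.asc"
  fi
  GNUPGHOME="$pk_home" git -C "$REPO" log -1 --format='%G?' "$1"
}

# Verification with no public key at all: the signature cannot be checked.
sig_status_without_pubkey() {
  empty_home="$WORK/empty"
  mkdir -p -m 700 "$empty_home"
  GNUPGHOME="$empty_home" git -C "$REPO" log -1 --format='%G?' "$1"
}

# Exit code of git verify-commit: 0 only for a good signature.
verify_exit() {
  if git -C "$REPO" verify-commit "$1" 2>/dev/null; then echo 0; else echo 1; fi
}

echo "key id:      $KEYID"
echo "fingerprint: $FPR"
echo "signed commit  : own keyring $(sig_status HEAD~1), pubkey-only keyring $(sig_status_with_pubkey_only HEAD~1), no pubkey $(sig_status_without_pubkey HEAD~1), verify-commit exit $(verify_exit HEAD~1)"
echo "unsigned commit: own keyring $(sig_status HEAD), verify-commit exit $(verify_exit HEAD)"
```

To sign every commit without typing -S, set git config --global commit.gpgsign true. To inspect a signature by hand, run git log --show-signature -1 or git verify-commit <commit>; the U status for the public-key-only keyring is why GitHub ties the key to a verified account email instead of relying on GPG ownertrust.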

Deleting the GPG key

Finally, delete the key pair used for testing: the secret key first, then the public key.

$ gpg --delete-secret-keys A1A16F22BC02D78C
gpg (GnuPG) 2.2.21; Copyright (C) 2020 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.


sec rsa4096/A1A16F22BC02D78C 2021-01-06 luoji <luoji@example.com>

Delete this key from the keyring? (y/N) y
This is a secret key! - really delete? (y/N) y
$ gpg --list-keys
pub rsa4096 2021-01-06 [SC]
BCC2217487CD7D65C124967BA1A16F22BC02D78C
uid [ultimate] luoji <luoji@example.com>
sub rsa4096 2021-01-06 [E]

$ gpg --delete-keys BCC2217487CD7D65C124967BA1A16F22BC02D78C
gpg (GnuPG) 2.2.21; Copyright (C) 2020 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.


pub rsa4096/A1A16F22BC02D78C 2021-01-06 luoji <luoji@example.com>

Delete this key from the keyring? (y/N) y