New article 016: How to use Git objects to store GPG public keys #52

Open
josecelano opened this issue Jun 17, 2022 Discussed in #24 · 1 comment
Labels
good first issue Good for newcomers

Comments

@josecelano
Member

Discussed in #24

Originally posted by josecelano June 13, 2022
In the Git Pro book they mention that you can use Git Objects to distribute your public GPG keys:

Chapter: https://git-scm.com/book/en/v2/Distributed-Git-Maintaining-a-Project
Section: Tagging Your Releases

Content

If you do sign your tags, you may have the problem of distributing the public PGP key used to sign your tags. The maintainer of the Git project has solved this issue by including their public key as a blob in the repository and then adding a tag that points directly to that content. To do this, you can figure out which key you want by running gpg --list-keys:

```sh
$ gpg --list-keys
/Users/schacon/.gnupg/pubring.gpg
---------------------------------
pub   1024D/F721C45A 2009-02-09 [expires: 2010-02-09]
uid                  Scott Chacon <schacon@gmail.com>
sub   2048g/45D02282 2009-02-09 [expires: 2010-02-09]
```

Then, you can directly import the key into the Git database by exporting it and piping that through git hash-object, which writes a new blob with those contents into Git and gives you back the SHA-1 of the blob:

```sh
$ gpg -a --export F721C45A | git hash-object -w --stdin
659ef797d181633c87ec71ac3f9ba29fe5775b92
```

_Now that you have the contents of your key in Git, you can create a tag that points directly to it by specifying the new SHA-1 value that the hash-object command gave you:_

```sh
$ git tag -a maintainer-pgp-pub 659ef797d181633c87ec71ac3f9ba29fe5775b92
```

If you run git push --tags, the maintainer-pgp-pub tag will be shared with everyone. If anyone wants to verify a tag, they can directly import your PGP key by pulling the blob directly out of the database and importing it into GPG:

```sh
$ git show maintainer-pgp-pub | gpg --import
```

They can use that key to verify all your signed tags. Also, if you include instructions in the tag message, running git show will let you give the end user more specific instructions about tag verification.
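
The procedure above, as an added example that is not part of this issue or of the Pro Git book: a small Python script that reproduces the id `git hash-object --stdin` assigns to the exported key (SHA-1 over a `blob <size>\0` header plus the content) and uses it as a gate before the `git show maintainer-pgp-pub | gpg --import` step, so a consumer compares the blob the tag points to against an id published out of band instead of importing whatever the tag currently references. The armored key block is constructed and is not a real key; `check_key_blob` and the pinned-id convention are assumptions of this example.

```python
import hashlib
import hmac
import re

# Constructed sample with the shape of `gpg -a --export <keyid>` output.
# The body is filler, not real key material.
SAMPLE_ARMORED_KEY = b"""-----BEGIN PGP PUBLIC KEY BLOCK-----

mQENBEXAMPLEfillerNotARealKeyBody
=abcd
-----END PGP PUBLIC KEY BLOCK-----
"""

# Shape of an ASCII-armored public key block: BEGIN line, body, END line.
ARMOR_RE = re.compile(
    rb"^-----BEGIN PGP PUBLIC KEY BLOCK-----\r?\n"
    rb".*\r?\n"
    rb"-----END PGP PUBLIC KEY BLOCK-----\r?\n?$",
    re.S,
)


def git_blob_id(data: bytes) -> str:
    """Return the id `git hash-object --stdin` gives `data`.

    Git hashes the object header "blob <size>\\0" followed by the raw
    content (SHA-1 object format), so the id depends on size and bytes,
    not on the filename or on where the blob is stored.
    """
    header = b"blob %d\0" % len(data)
    return hashlib.sha1(header + data).hexdigest()


def check_key_blob(data: bytes, pinned_blob_id: str) -> bool:
    """Gate for `git show <tag>` output before it reaches `gpg --import`.

    `data` is what `git show maintainer-pgp-pub` would print (or what
    `git cat-file blob <id>` returns); `pinned_blob_id` is the id the
    project publishes out of band (hypothetical convention). Accept only
    an armored public key block whose blob id equals the pinned one.
    """
    if not ARMOR_RE.match(data):
        return False
    return hmac.compare_digest(git_blob_id(data), pinned_blob_id.lower())


if __name__ == "__main__":
    blob_id = git_blob_id(SAMPLE_ARMORED_KEY)
    print("blob id of sample key:", blob_id)
    print("matches pinned id:", check_key_blob(SAMPLE_ARMORED_KEY, blob_id))
```

In a real checkout the content to check comes from `git cat-file blob "$(git rev-parse maintainer-pgp-pub^{})"`, which dereferences the annotated tag to the blob it points at.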

@josecelano josecelano added the good first issue Good for newcomers label Jun 17, 2022
@da2ce7
Contributor

da2ce7 commented Jun 17, 2022

@josecelano This is a great use of the git object store. 👍
