Signing Commits on GitHub with GPG

GPG

GNU Privacy Guard (GnuPG or GPG) is encryption software; it is a GPL-licensed replacement for the PGP encryption software.

Installing GPG

For detailed installation instructions, see the official GPG website, which covers them thoroughly.

Note: to push GPG-signed data to GitHub, you need Git version 2.0 or later.

Installing rng-tools

  • Because GPG can report "Not enough random bytes available." during key generation, install a randomness tool so that GPG has enough random data to generate the key.

  • How to install:

    • Debian and Ubuntu: sudo apt-get install rng-tools
    • Red Hat Enterprise Linux, Fedora, and CentOS: yum install -y rng-tools (or rng-utils on older systems)

Creating and Viewing GPG Keys

  • Create a GPG key

    ubuntu@VM-ubuntu:~$ gpg --gen-key
    gpg (GnuPG) 1.4.16; Copyright (C) 2013 Free Software Foundation, Inc.
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.
    
    Please select what kind of key you want:
    (1) RSA and RSA (default)
    (2) DSA and Elgamal
    (3) DSA (sign only)
    (4) RSA (sign only)
    Your selection? 1
    RSA keys may be between 1024 and 4096 bits long.
    What keysize do you want? (2048) 4096
    Requested keysize is 4096 bits
    Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
    Key is valid for? (0) 0
    Key does not expire at all
    Is this correct? (y/N) y
    
    You need a user ID to identify your key; the software constructs the user ID
    from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"
    
    Real name: bequt
    Email address: bequt@qq.com
    Comment: 
    You selected this USER-ID:
    "bequt <bequt@qq.com>"
    
    Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
    You need a Passphrase to protect your secret key.
    
    gpg: gpg-agent is not available in this session
    You don't want a passphrase - this is probably a *bad* idea!
    I will do it anyway.  You can change your passphrase at any time,
    using this program with the option "--edit-key".
    
    We need to generate a lot of random bytes. It is a good idea to perform
    some other action (type on the keyboard, move the mouse, utilize the
    disks) during the prime generation; this gives the random number
    generator a better chance to gain enough entropy.
    ...............+++++
    .......................+++++
    We need to generate a lot of random bytes. It is a good idea to perform
    some other action (type on the keyboard, move the mouse, utilize the
    disks) during the prime generation; this gives the random number
    generator a better chance to gain enough entropy.
    ..........................+++++
    .............+++++
    gpg: /home/ubuntu/.gnupg/trustdb.gpg: trustdb created
    gpg: key 7CDD32B7 marked as ultimately trusted
    public and secret key created and signed.
    
    gpg: checking the trustdb
    gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
    gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
    pub   4096R/7CDD32B7 2018-01-29
      Key fingerprint = 2474 FD76 5A6D 5580 7A6B  D6C1 C74B 56FB 7CDD 32B7
    uid                  bequt <bequt@qq.com>
    sub   4096R/1CF998FB 2018-01-29
    
  • View GPG keys

    ubuntu@VM-253-176-ubuntu:~$ gpg --list-keys
    /home/ubuntu/.gnupg/pubring.gpg
    -------------------------------
    pub   4096R/7CDD32B7 2018-01-29
    uid                  bequt <bequt@qq.com>
    sub   4096R/1CF998FB 2018-01-29
    
  • Line 1: the location where the GPG keys are stored

  • Line 2: public key properties (4096 bits, hash string, and creation date)

  • Line 3: user ID; used when exporting the key

  • Line 4: private key properties (4096 bits, hash string, and creation date)

GPG Key Management

  • Export keys (public and private)

    • Public key

      gpg --armor --output public-key --export [user ID]
      
    • Private key

      gpg --armor --output private-key --export-secret-keys [user ID]
      
  • Import keys (public and private)

    gpg --import [key file]
    
  • Delete keys (public and private)

    If both the public and private keys need to be deleted, delete the private key first, then the public key.

    gpg --delete-secret-keys [user ID]  // delete the private key
    gpg --delete-key [user ID]  // delete the public key
    

Configuring Git to Push GPG-Signed Data to GitHub

  • Set the default signing key for Git

    git config --global user.signingkey [user ID]
    
  • Configure Git to sign all commits with this GPG key globally

    git config --global commit.gpgsign true
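
As an added example (not code from the original post), a Python parser for the four-line listing format explained in the key-viewing section, using a constructed sample built from the values the article shows in its `gpg --gen-key` and `gpg --list-keys` output (the fingerprint line is what `gpg --list-keys --fingerprint` adds). It also checks that the 8-character key ID is just the last 8 hex digits of the fingerprint, which is why the full fingerprint is the less ambiguous value to pass to `user.signingkey`.

```python
import re

# Constructed sample in the GnuPG 1.4 listing format shown in the article.
SAMPLE_LISTING = """\
/home/ubuntu/.gnupg/pubring.gpg
-------------------------------
pub   4096R/7CDD32B7 2018-01-29
      Key fingerprint = 2474 FD76 5A6D 5580 7A6B  D6C1 C74B 56FB 7CDD 32B7
uid                  bequt <bequt@qq.com>
sub   4096R/1CF998FB 2018-01-29
"""

KEY_RE = re.compile(r"^(pub|sub)\s+(\d+)([A-Za-z])/([0-9A-Fa-f]{8})\s+(\d{4}-\d{2}-\d{2})")
FPR_RE = re.compile(r"Key fingerprint = ([0-9A-Fa-f ]+)$")
UID_RE = re.compile(r"^uid\s+(.+?)\s*<([^>]+)>$")
ALGO = {"R": "RSA", "D": "DSA", "g": "Elgamal"}  # algorithm letters in 1.4 listings


def parse_listing(text):
    """Parse a GnuPG 1.4 --list-keys listing into primary keys with subkeys and uids."""
    keys = []
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            kind, bits, algo, keyid, created = m.groups()
            entry = {"bits": int(bits), "algo": ALGO.get(algo, algo),
                     "keyid": keyid.upper(), "created": created}
            if kind == "pub":
                entry.update(fingerprint=None, uids=[], subkeys=[])
                keys.append(entry)
            elif keys:  # a sub line always belongs to the preceding pub
                keys[-1]["subkeys"].append(entry)
            continue
        fm = FPR_RE.search(line)
        if fm and keys:
            keys[-1]["fingerprint"] = fm.group(1).replace(" ", "").upper()
            continue
        um = UID_RE.match(line)
        if um and keys:
            keys[-1]["uids"].append({"name": um.group(1), "email": um.group(2)})
    return keys


def keyid_matches_fingerprint(key):
    """The short key ID is the low 32 bits (last 8 hex digits) of the 160-bit fingerprint."""
    return key["fingerprint"] is not None and key["fingerprint"].endswith(key["keyid"])


def signingkey_command(key):
    """Git config line for this key, preferring the unambiguous full fingerprint."""
    return f"git config --global user.signingkey {key['fingerprint'] or key['keyid']}"
```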
    

From now on, when you push to GitHub, your commits will carry a nice Verified badge.

[Figure: GitHub Verified badge]

All content under CC BY-NC-ND 4.0