nunogrl.com - githttps://nunogrl.com/2024-03-21T00:00:00+00:00Enforcing GPG-Signed Commits in Git2024-03-21T00:00:00+00:002024-03-21T00:00:00+00:00Nuno Leitaotag:nunogrl.com,2024-03-21:/articles/enforcing-gpg-signed-commits-git/<p class="first last">Learn how to enforce GPG-signed commits in Git to prevent commit impersonation and ensure code authenticity</p>
<div class="section" id="problem-solution">
<h2>🚀 Problem & Solution</h2>
<div class="section" id="context-backstory">
<h3>📌 <strong>Context / Backstory</strong></h3>
<p>In our collaborative development environment, we discovered that Git's flexibility allows commits under any name and email. This became a security concern when we realized that GitHub identifies users by email, not SSH keys.</p>
<div class="mermaid" id="mermaid-diagram--1710153734321077480">
sequenceDiagram
participant Alice
participant Bob
participant GitHub
Alice->>GitHub: Commit signed with alice@example.com (GPG signed)
GitHub->>GitHub: Shows "Verified" commit from Alice
Bob->>GitHub: Commit using alice@example.com (no signature)
GitHub->>GitHub: Shows commit as from "Alice" (Unverified)
Note over GitHub: GitHub matches commits by email, not by SSH or true identity.</div></div>
<div class="section" id="the-problem">
<h3>⚠️ <strong>The Problem</strong></h3>
<ul class="simple">
<li>Anyone with repository access can spoof another contributor's identity</li>
<li>Commit history could be manipulated without detection</li>
<li>No cryptographic proof of commit authenticity</li>
<li>GitHub's user identification relies solely on email addresses</li>
</ul>
</div>
<div class="section" id="the-solution">
<h3>💡 <strong>The Solution</strong></h3>
<p>We implemented mandatory GPG-signed commits, which:</p>
<ul class="simple">
<li>Cryptographically verify commit authenticity</li>
<li>Prevent identity spoofing</li>
<li>Create traceable commit history</li>
<li>Integrate with GitHub's verification system</li>
</ul>
</div>
<div class="section" id="who-this-helps">
<h3>👥 <strong>Who This Helps</strong></h3>
<ul class="simple">
<li>Security-conscious development teams</li>
<li>Open-source project maintainers</li>
<li>Regulated environments requiring audit trails</li>
<li>Organizations needing verified commit history</li>
</ul>
</div>
</div>
<div class="section" id="technical-implementation">
<h2>⚙️ Technical Implementation</h2>
<p>Let's visualize the GPG signing workflow:</p>
<div class="mermaid" id="mermaid-diagram-1440076246032696055">
flowchart LR
C[Commit] -->|Sign| G[GPG Key]
G -->|Verify| GH[GitHub]
subgraph "Local System"
C
G
end
subgraph "Remote"
GH
end
style GH fill:#f96,stroke:#333
style G fill:#9f6,stroke:#333</div><div class="section" id="setting-up-gpg-keys">
<h3>1️⃣ Setting Up GPG Keys</h3>
<div class="highlight"><pre><span></span><span class="c1"># Generate a new GPG key</span>
gpg<span class="w"> </span>--full-generate-key
<span class="c1"># List your keys</span>
gpg<span class="w"> </span>--list-secret-keys<span class="w"> </span>--keyid-format<span class="o">=</span>long
</pre></div>
</div>
<div class="section" id="configuring-git">
<h3>2️⃣ Configuring Git</h3>
<div class="highlight"><pre><span></span><span class="gp"># </span>Configure<span class="w"> </span>Git<span class="w"> </span>to<span class="w"> </span>use<span class="w"> </span>your<span class="w"> </span>GPG<span class="w"> </span>key
<span class="gp">$ </span>git<span class="w"> </span>config<span class="w"> </span>--global<span class="w"> </span>user.signingkey<span class="w"> </span><YOUR_KEY_ID>
<span class="gp">$ </span>git<span class="w"> </span>config<span class="w"> </span>--global<span class="w"> </span>commit.gpgsign<span class="w"> </span><span class="nb">true</span>
<span class="gp">$ </span>git<span class="w"> </span>config<span class="w"> </span>--global<span class="w"> </span>gpg.program<span class="w"> </span>gpg
</pre></div>
</div>
<div class="section" id="github-integration">
<h3>3️⃣ GitHub Integration</h3>
<ol class="arabic simple">
<li>Export your public GPG key:</li>
</ol>
<div class="highlight"><pre><span></span><span class="gp">$ </span>gpg<span class="w"> </span>--armor<span class="w"> </span>--export<span class="w"> </span><YOUR_KEY_ID>
</pre></div>
<ol class="arabic simple" start="2">
<li>Add the key to your GitHub account settings</li>
</ol>
</div>
<div class="section" id="enforcing-signed-commits">
<h3>4️⃣ Enforcing Signed Commits</h3>
<p>In GitHub repository settings:</p>
<ol class="arabic simple">
<li>Navigate to Settings > Branches</li>
<li>Add branch protection rule</li>
<li>Enable "Require signed commits"</li>
</ol>
</div>
</div>
<div class="section" id="troubleshooting-debugging">
<h2>🛠️ Troubleshooting & Debugging</h2>
<ul class="simple">
<li><strong>GPG signing fails</strong>: Check <cite>gpg-agent</cite> configuration</li>
<li><strong>GitHub doesn't show "Verified"</strong>: Ensure GPG key is added to GitHub</li>
<li><strong>CI/CD issues</strong>: Set up proper <cite>GNUPGHOME</cite> environment</li>
<li><strong>Smart card/YubiKey</strong>: Verify proper card reader access</li>
</ul>
</div>
<div class="section" id="optimizations-best-practices">
<h2>🔁 Optimizations & Best Practices</h2>
<ul class="simple">
<li>Use GPG subkeys instead of master keys</li>
<li>Implement regular key rotation</li>
<li>Set up separate signing keys for different contexts</li>
<li>Use environment isolation in CI/CD pipelines</li>
<li>Consider hardware security keys (YubiKey) for key storage</li>
</ul>
</div>
<div class="section" id="conclusion-takeaways">
<h2>✅ Conclusion & Takeaways</h2>
<p>GPG-signed commits provide a robust security layer for Git workflows, ensuring:
- Verified commit authenticity
- Protected repository history
- Clear accountability
- Compliance with security best practices</p>
</div>
<div class="section" id="comments-next-steps">
<h2>💬 Comments & Next Steps</h2>
<p>How do you handle commit verification in your organization? Share your experience or ask questions below!</p>
</div>
Password Store with GPG and Git2024-03-21T00:00:00+00:002024-03-21T00:00:00+00:00Nuno Leitaotag:nunogrl.com,2024-03-21:/articles/password-store-gpg-git/<p class="first last">Learn how to set up a secure, Git-based password management system using password-store and GPG encryption</p>
<div class="section" id="problem-solution">
<h2>🚀 Problem & Solution</h2>
<div class="section" id="context-backstory">
<h3>📌 <strong>Context / Backstory</strong></h3>
<p>We needed a secure way to manage passwords and secrets across multiple servers and team members. Commercial password managers were either too complex, costly, or required external services we wanted to avoid.</p>
</div>
<div class="section" id="the-problem">
<h3>⚠️ <strong>The Problem</strong></h3>
<p>Managing secrets across systems and teams presents several challenges:</p>
<ul class="simple">
<li>Keeping passwords secure yet accessible</li>
<li>Tracking changes and maintaining history</li>
<li>Sharing secrets securely between team members</li>
<li>Avoiding dependency on external services</li>
</ul>
</div>
<div class="section" id="the-solution">
<h3>💡 <strong>The Solution</strong></h3>
<p>We implemented <cite>password-store</cite> with GPG encryption and Git integration, providing:</p>
<ul class="simple">
<li>Secure GPG encryption for all secrets</li>
<li>Git-based version control and distribution</li>
<li>Fully local operation with no external dependencies</li>
<li>Command-line interface for automation</li>
</ul>
</div>
<div class="section" id="who-this-helps">
<h3>👥 <strong>Who This Helps</strong></h3>
<ul class="simple">
<li>System administrators managing multiple servers</li>
<li>DevOps teams handling shared credentials</li>
<li>Security-conscious users wanting local password management</li>
<li>Teams needing version-controlled secrets</li>
</ul>
</div>
</div>
<div class="section" id="technical-implementation">
<h2>⚙️ Technical Implementation</h2>
<p>Let's visualize the password-store workflow:</p>
<div class="mermaid" id="mermaid-diagram--7232498932700614839">
flowchart LR
P[Password] -->|Encrypt| G[GPG]
G -->|Store| PS[password-store]
PS -->|Version| Git[Git Repository]
Git -->|Sync| T[Team Members]
subgraph "Local System"
P
G
PS
end
subgraph "Distribution"
Git
T
end</div><div class="section" id="generating-gpg-keys-in-batch-mode">
<h3>1️⃣ Generating GPG Keys in Batch Mode</h3>
<p>For automated environments:</p>
<div class="highlight"><pre><span></span>cat<span class="w"> </span>><span class="w"> </span>gpg-server-key.conf<span class="w"> </span><span class="s"><<EOF</span>
<span class="s">%no-protection</span>
<span class="s">Key-Type: default</span>
<span class="s">Subkey-Type: default</span>
<span class="s">Name-Real: Server Automation Key</span>
<span class="s">Name-Email: server@example.com</span>
<span class="s">Expire-Date: 0</span>
<span class="s">%commit</span>
<span class="s">EOF</span>
gpg<span class="w"> </span>--batch<span class="w"> </span>--generate-key<span class="w"> </span>gpg-server-key.conf
</pre></div>
</div>
<div class="section" id="setting-up-the-environment">
<h3>2️⃣ Setting Up the Environment</h3>
<div class="highlight"><pre><span></span><span class="nb">export</span><span class="w"> </span><span class="nv">PASSWORD_STORE_GPG_OPTS</span><span class="o">=</span><span class="s2">"--armor"</span>
<span class="nb">export</span><span class="w"> </span><span class="nv">GNUPGHOME</span><span class="o">=</span>/etc/password-store/.gnupg
<span class="nb">export</span><span class="w"> </span><span class="nv">PASSWORD_STORE_DIR</span><span class="o">=</span>/etc/password-store/store
</pre></div>
</div>
<div class="section" id="initializing-the-password-store">
<h3>3️⃣ Initializing the Password Store</h3>
<div class="highlight"><pre><span></span>mkdir<span class="w"> </span>-p<span class="w"> </span><span class="s2">"</span><span class="nv">$GNUPGHOME</span><span class="s2">"</span><span class="w"> </span><span class="s2">"</span><span class="nv">$PASSWORD_STORE_DIR</span><span class="s2">"</span>
chmod<span class="w"> </span><span class="m">700</span><span class="w"> </span><span class="s2">"</span><span class="nv">$GNUPGHOME</span><span class="s2">"</span><span class="w"> </span><span class="s2">"</span><span class="nv">$PASSWORD_STORE_DIR</span><span class="s2">"</span>
pass<span class="w"> </span>init<span class="w"> </span>server@example.com
</pre></div>
</div>
<div class="section" id="git-integration">
<h3>4️⃣ Git Integration</h3>
<div class="highlight"><pre><span></span><span class="nb">cd</span><span class="w"> </span><span class="s2">"</span><span class="nv">$PASSWORD_STORE_DIR</span><span class="s2">"</span>
git<span class="w"> </span>init
git<span class="w"> </span>add<span class="w"> </span>.
git<span class="w"> </span>commit<span class="w"> </span>-m<span class="w"> </span><span class="s2">"Initial password store"</span>
git<span class="w"> </span>remote<span class="w"> </span>add<span class="w"> </span>origin<span class="w"> </span>git@example.com:secrets.git
git<span class="w"> </span>push<span class="w"> </span>-u<span class="w"> </span>origin<span class="w"> </span>main
</pre></div>
</div>
</div>
<div class="section" id="troubleshooting-debugging">
<h2>🛠️ Troubleshooting & Debugging</h2>
<ul class="simple">
<li>Ensure proper GPG key permissions (700 for directories, 600 for files)</li>
<li>Verify GPG recipient when encryption fails</li>
<li>Check Git remote access rights for sync issues</li>
<li>Monitor Git conflicts when multiple users update simultaneously</li>
</ul>
</div>
<div class="section" id="optimizations-alternatives">
<h2>🔁 Optimizations & Alternatives</h2>
<ul class="simple">
<li>Consider using GPG agent for improved key handling</li>
<li>Implement Git hooks for pre-commit validation</li>
<li>Use Git branches for testing password updates</li>
<li>Consider <cite>pass</cite> extensions for additional features</li>
</ul>
</div>
<div class="section" id="conclusion-takeaways">
<h2>✅ Conclusion & Takeaways</h2>
<p>Using GPG with password-store provides a <strong>flexible, secure, and lightweight</strong> method for managing secrets across machines. With Git integration, you get version history, team sharing, and distributed backup—<strong>without compromising security</strong>.</p>
</div>
<div class="section" id="comments-next-steps">
<h2>💬 Comments & Next Steps</h2>
<p>How do you manage shared secrets in your infrastructure? Share your experience or ask questions below!</p>
</div>
Managing Multiple Git Configurations2020-08-31T10:00:00+01:002020-08-31T10:00:00+01:00Nuno Leitaotag:nunogrl.com,2020-08-31:/articles/git-config/<p class="first last">A guide to managing multiple Git configurations for different contexts (work, personal) using gitconfig</p>
<div class="section" id="introduction">
<h2>Introduction</h2>
<p>When working with Git across different contexts (personal projects, work repositories), it's crucial to maintain separate configurations to ensure commits are made with the correct identity and settings. This guide demonstrates how to set up and manage multiple Git configurations effectively.</p>
<object data="https://nunogrl.com/images/dotfiles/dotfiles.svg" style="width: 100%;" type="image/svg+xml">"My dotfiles"</object>
<div class="admonition warning">
<p class="first admonition-title">Warning</p>
<p class="last">Using incorrect Git credentials can lead to commits being associated with the wrong identity,
which may expose personal email addresses in work repositories or vice versa.</p>
</div>
</div>
<div class="section" id="configuration-structure">
<h2>Configuration Structure</h2>
<div class="mermaid" id="mermaid-diagram-5689537300094488405">
flowchart TD
A[~/.gitconfig] --> B[~/.gitconfig-personal]
A --> C[~/.gitconfig-work]
B --> D[Personal Repos]
C --> E[Work Repos]</div></div>
<div class="section" id="primary-configuration">
<h2>Primary Configuration</h2>
<p>The main <tt class="docutils literal"><span class="pre">~/.gitconfig</span></tt> file serves as the entry point for Git's configuration:</p>
<div class="highlight"><pre><span></span><span class="k">[includeIf "gitdir:~/src/*"]</span>
<span class="w"> </span><span class="na">path</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">~/.gitconfig-work</span>
<span class="k">[includeIf "gitdir:~/src/sandbox/*"]</span>
<span class="w"> </span><span class="na">path</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">~/.gitconfig-personal</span>
<span class="k">[includeIf "gitdir:~/Documents/*"]</span>
<span class="w"> </span><span class="na">path</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">~/.gitconfig-personal</span>
<span class="k">[includeIf "gitdir:~/src/"]</span>
<span class="w"> </span><span class="na">path</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">~/Documents/git-work-precommit</span>
<span class="k">[commit]</span>
<span class="w"> </span><span class="na">gpgsign</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">true</span>
<span class="k">[alias]</span>
<span class="w"> </span><span class="na">lg1</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">log </span>\
<span class="w"> </span><span class="s">--graph </span>\
<span class="w"> </span><span class="s">--abbrev-commit </span>\
<span class="w"> </span><span class="s">--decorate </span>\
<span class="w"> </span><span class="s">--format=format:'%C(bold blue)%h%C(reset) - </span>\
<span class="w"> </span><span class="s">%C(bold green)(%ar)%C(reset) </span>\
<span class="w"> </span><span class="s">%C(white)%s%C(reset) %C(dim white)- </span>\
<span class="w"> </span><span class="s">%an%C(reset)%C(bold yellow)%d%C(reset)' </span>\
<span class="w"> </span><span class="s">--all</span>
<span class="w"> </span><span class="na">lg2</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">log </span>\
<span class="w"> </span><span class="s">--graph </span>\
<span class="w"> </span><span class="s">--abbrev-commit </span>\
<span class="w"> </span><span class="s">--decorate </span>\
<span class="w"> </span><span class="s">--format=format:'%C(bold blue)%h%C(reset) - </span>\
<span class="w"> </span><span class="s">%C(bold cyan)%aD%C(reset) </span>\
<span class="w"> </span><span class="s">%C(bold green)(%ar)%C(reset)%C(bold yellow)%d%C(reset)%n''</span>\
<span class="w"> </span><span class="s">%C(white)%s%C(reset) %C(dim white)- %an%C(reset)' </span>\
<span class="w"> </span><span class="s">--all</span>
<span class="w"> </span><span class="na">lg</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">!"git lg1"</span>
<span class="w"> </span><span class="na">diffc</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">diff --color-words=.</span>
<span class="w"> </span><span class="na">meld</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">difftool --tool=meld -y</span>
<span class="w"> </span><span class="na">meldd</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">difftool --dir-diff --tool=meld</span>
<span class="w"> </span><span class="na">meldbase</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">!git meld $(git merge-base origin/master HEAD)</span>
<span class="w"> </span><span class="na">review</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">!git fetch $1 $2 && git checkout FETCH_HEAD && git meldbase && true</span>
<span class="k">[core]</span>
<span class="w"> </span><span class="na">editor</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">vim</span>
</pre></div>
</div>
<div class="section" id="personal-git-configuration">
<h2>Personal Git Configuration</h2>
<p>Create <tt class="docutils literal"><span class="pre">~/.gitconfig-personal</span></tt> for personal projects:</p>
<div class="highlight"><pre><span></span><span class="k">[user]</span>
<span class="w"> </span><span class="na">name</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">Nuno Leitao</span>
<span class="w"> </span><span class="na">email</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">example@example.com</span>
<span class="w"> </span><span class="na">signingkey</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">1234ABCD</span>
</pre></div>
</div>
<div class="section" id="work-git-configuration">
<h2>Work Git Configuration</h2>
<p>Create <tt class="docutils literal"><span class="pre">~/.gitconfig-work</span></tt> for work-related projects:</p>
<div class="highlight"><pre><span></span><span class="k">[user]</span>
<span class="w"> </span><span class="na">name</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">Nuno Leitao</span>
<span class="w"> </span><span class="na">email</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">example@acme.com</span>
<span class="w"> </span><span class="na">signingkey</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">1234ABCD</span>
</pre></div>
</div>
<div class="section" id="gpg-key-configuration">
<h2>GPG Key Configuration</h2>
<p>The same GPG key can be used for both configurations:</p>
<div class="highlight"><pre><span></span><span class="gp"> $ </span>gpg<span class="w"> </span>-K
<span class="go"> /home/nuno/.gnupg/pubring.kbx</span>
<span class="go"> -----------------------------</span>
<span class="go"> sec rsa4096 2018-05-09 [SC] [expires: 2022-05-09]</span>
<span class="hll"><span class="go"> 123456789ABCDEFG56780000123456781234ABCD</span>
</span><span class="go"> uid [ultimate] Nuno Leitao <example@example.com></span>
<span class="go"> uid [ultimate] Nuno Leitao <example@acme.com></span>
<span class="go"> uid [ultimate] [jpeg image of size 10099]</span>
<span class="go"> ssb rsa4096 2018-05-09 [E] [expires: 2022-05-09]</span>
</pre></div>
<div class="admonition note">
<p class="first admonition-title">Note</p>
<p class="last">The GPG key is associated with multiple email addresses, allowing it to sign
commits for both personal and work accounts.</p>
</div>
</div>
<div class="section" id="key-considerations">
<h2>Key Considerations</h2>
<div class="admonition tip">
<p class="first admonition-title">Tip</p>
<ul class="last simple">
<li>Always verify the active Git configuration before starting work on a new repository</li>
<li>Use <tt class="docutils literal">git config <span class="pre">--list</span></tt> to check current settings</li>
<li>Consider adding repository-specific configurations for special cases</li>
</ul>
</div>
</div>
<div class="section" id="common-issues">
<h2>Common Issues</h2>
<ol class="arabic">
<li><p class="first"><strong>Wrong Email in Commits</strong></p>
<p>If you notice commits with incorrect email:</p>
<div class="highlight"><pre><span></span>$<span class="w"> </span>git<span class="w"> </span>commit<span class="w"> </span>--amend<span class="w"> </span>--author<span class="o">=</span><span class="s2">"Nuno Leitao <correct@email.com>"</span>
$<span class="w"> </span>git<span class="w"> </span>push<span class="w"> </span>--force<span class="w"> </span><span class="c1"># Use with caution!</span>
</pre></div>
</li>
<li><p class="first"><strong>Verifying Configuration</strong></p>
<p>Check active configuration:</p>
<div class="highlight"><pre><span></span>$<span class="w"> </span>git<span class="w"> </span>config<span class="w"> </span>--list<span class="w"> </span>--show-origin
</pre></div>
</li>
</ol>
</div>
<div class="section" id="further-reading">
<h2>Further Reading</h2>
<ul class="simple">
<li><a class="reference external" href="https://git-scm.com/docs/git-config">Git Config Documentation</a></li>
<li><a class="reference external" href="https://stackoverflow.com/questions/1057564/pretty-git-branch-graphs">Pretty Git Branch Graphs</a></li>
<li><a class="reference external" href="https://mikegerwitz.com/2012/05/a-git-horror-story-repository-integrity-with-signed-commits">A Git Horror Story: Repository Integrity with Signed Commits</a></li>
</ul>
</div>