4 commits 655361107b ... 83e2cc51c7

Author SHA1 Message Date
  NerdRat 83e2cc51c7 Added new reference to README.md file. 2 years ago
  NerdRat f986731cf1 Added git commit signing tutorial. 2 years ago
  NerdRat 43d96e1b40 Added a new reference to README.md file. 2 years ago
  NerdRat 897698de55 Added git over ssh tutorial. 2 years ago
3 files changed, 399 additions and 1 deletion
  1. README.md (+3 -1)
  2. git-commit-signing-with-gpg.md (+212 -0)
  3. git-over-ssh.md (+184 -0)

+ 3 - 1
README.md

@@ -5,4 +5,6 @@ This is the place where I save my notes on documentation I read, mostly while st
 ## Table of Contents
 
 1. [Info Cheatsheet](https://notabug.org/NerdRat/doc/src/master/info.md)
-2. [Emacs Cheatsheet](https://notabug.org/NerdRat/doc/src/master/emacs.md)
+2. [Emacs Cheatsheet](https://notabug.org/NerdRat/doc/src/master/emacs.md)
+3. [Git Over SSH Tutorial](https://notabug.org/NerdRat/doc/src/master/git-over-ssh.md)
+4. [Git Commit Signing with GPG Tutorial](https://notabug.org/NerdRat/doc/src/master/git-commit-signing-with-gpg.md)
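Review bot: the `-`/`+` pair for the Emacs entry (`-2. [Emacs Cheatsheet](...)` / `+2. [Emacs Cheatsheet](...)`) is identical in the rendered view, which normally means a trailing-whitespace or line-ending change; run `git diff --check` on this commit so the README does not end up with mixed CRLF/LF lines. Also, both tutorials linked from the new items 3 and 4 carry `draft: true` in their front matter (visible in the two hunks below), so a static-site build will skip them while the README already points at them; either clear the draft flag in the same commit or hold the README change until they are published.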

+ 212 - 0
git-commit-signing-with-gpg.md

@@ -0,0 +1,212 @@
+---
+title: "Git Commit Signing With GPG"
+date: 2020-07-26T20:08:14-05:00
+draft: true
+tags:
+  - git
+  - gpg
+  - privacy
+  - vcs
+  - howto
+---
+
+You can sign the changes you make to your repositories. This is done to verify that these changes come from a trusted source originally your signature. Repository services often mark these changes as verified or unverified.
+
+In order to sign your commits you need a digital signature. You can create this signature using the [GNU Privacy Guard](https://gnupg.org/).
+
+## Check installation
+
+To check if you have GPG installed, open a terminal in unix-like systems or the `cmd.exe` if you run windows and type:
+```bash
+$ gpg --version
+```
+
+If you don't have it installed (it says command not found or something similar), download it from the [official download site](https://www.gnupg.org/download/) or use your unix distribution [package manager](https://en.wikipedia.org/wiki/Package_manager).
+
+## Common key algoritms
+
+These are the most common key algoritms:
+
+* RSA
+* ElGamal
+* DSA
+* ECDH
+* ECDSA
+* EdDSA
+
+## Check for existing GPG keys
+
+Type this in the terminal to get the available GPG keys:
+```bash
+$ gpg --list-secret-keys --keyid-format LONG
+```
+
+> If you have gpg version 2 or greater you may write `gpg2 --list-secret-keys --keyid-format LONG` on some systems. If this is the case, configure git to use that version instead with `git config --global gpg.program gpg2`.
+
+After executing that command you should see the keys printed. If you don't want to use them to sign your commits or there are no keys available [generate a new GPG key](#generate-a-new-gpg-key). If you want to use the available keys to sign your commits then [add a key to your Git service account](#add-a-key-to-a-git-service).
+
+## Generate a new GPG key
+
+To generate a new gpg key, type the following commands on your terminal.
+
+For gpg version 2.1.17 or greater:
+```bash
+$ gpg --full-generate-key
+```
+
+You will be propmted to choose the kind of key you want, the key size and the expiration time (leave it empty if you don't want it to expire and press enter).
+
+If you have gpg lesser than 2.1.17 the previous command doesn't work, so type this instead:
+```bash
+$ gpg --default-new-key-algo rsa4096 --gen-key
+```
+
+This will generate specifically an RSA key with key size 4096.
+
+You will also be prompted to enter an email address. You must provide the same email address you use for your web git service. Be sure this email doesn't reply so the service keeps this email address private.
+
+Finally the command will prompt you to type a secure passphrase.
+
+You can now check again for existing GPG keys:
+```bash
+$ gpg --list-secret-keys --keyid-format LONG
+```
+
+You should see an output similar to this:
+```bash
+/home/user/.gnupg/secring.gpg
+------------------------------------
+sec   4096R/3AA5C34371567BD2 2016-03-10 [expires: 2017-03-10]
+uid                          user 
+ssb   4096R/42B317FD4BA89E7A 2016-03-10
+```
+
+## Configure git to use your GPG signing key
+
+To configure git to use your GPG signing key you must provide the key ID to your git configuration.
+
+Copy the key ID from the `gpg --list-secret-keys --keyid-format LONG` command output.
+```bash
+/home/user/.gnupg/secring.gpg
+------------------------------------
+sec   4096R/3AA5C34371567BD2 2016-03-10 [expires: 2017-03-10]
+uid                          user 
+ssb   4096R/42B317FD4BA89E7A 2016-03-10
+```
+
+For this example the key ID is `3AA5C34371567BD2`. Then you must paste it in the git command like this:
+```bash
+$ git config --global user.signingkey 3AA5C34371567BD2
+```
+
+Finally you need to add your GPG key to your shell profile:
+```bash
+$ test -r ~/.bash_profile && echo 'export GPG_TTY=$(tty)' >> ~/.bash_profile
+$ echo 'export GPG_TTY=$(tty)' >> ~/.profile
+```
+
+> The previous command tries to add it to `.bash_profile`, if this fails it will add it to `~/.profile`.
+
+If your system runs windows refer to the [Setting up git+ssh+gpg on Windows](https://dev.to/qm3ster/setting-up-gitsshgpg-on-windows-5c85) tutorial.
+
+## Asociate an email with your GPG key
+
+Your GPG key must be asociated with the email you use to access your online git service. This email must match your commiter identity, this allows you to sign commits and tags.
+
+Use the `gpg --list-keys --keyid-format LONG` command once again and copy the key ID you would like to use. To add an email you must use the `--edit-key <GPG key ID>` flag like this:
+```bash
+$ gpg --edit-key 3AA5C34371567BD2
+```
+
+This will show the next prompt:
+```bash
+$ gpg>
+```
+
+You must type and run the command:
+```bash
+$ gpg> adduid
+```
+
+In the following prompt you must type a name, email address and comments depending on your selection. You can choose between the entries with the keys N, C, and E.
+```bash
+Real Name: SomeUser
+  Email address: example_mail@service.com
+  Comment: My service key
+  Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit?
+```
+
+As you can see you must type O to save your selections. After that enter the passphrase that corresponds to your key. Once you finished this you can follow the process of [adding a key to your git service](#add-a-key-to-a-git-service)
+
+## Signing commits and tags
+
+Before you can sign commits and tags you must configure your git client.
+
+For git versions `2.0.0` and above you run:
+```bash
+$ git config commit.gpgsign true
+```
+
+If you want to sign all commits by default in any local repository on your system:
+```bash
+$ git config --global commit.gpgsign true
+```
+
+If you want to avoid typing you passphrase every time you sign a commit or a tag, you can use a key management agent. For MacOS there are the [GPG Tools](https://gpgtools.org/), for windows systems you can use [Gpg4win](https://www.gpg4win.org/), for linux based systems you can use [gpg-agent](http://linux.die.net/man/1/gpg-agent)
+
+If you have multiple keys and you want to use another identity you must [reconfigure git to use your signing key](#configure-git-to-use-your-gpg-signing-key) again.
+
+### Sign a commit
+
+When commiting changes to your local branch, add the `-S` flag to your git command to sign your commit:
+```bash
+$ git commit -S -m "Your commit message"
+```
+
+If you haven't configured your gpg agent you must type the passphrase for your key.
+
+When you are done with your commits, you can push them to your remote repository on your online git service.
+```bash
+$ git push
+```
+
+You can now go to your online service and see that your commits are now marked as verified.
+
+### Sign a tag
+
+To sign a tag you just add the `-s` (notice the lowercase) flag to your `git tag` command.
+```bash
+$ git tag -s <my-tag>
+```
+
+This creates a signed tag. To verify your signed tag  you can pass the `-v` flag to the `git tag` command.
+```bash
+$ git tag -v <my-tag>
+```
+
+## Add a key to a git service
+
+In order to add a key to your git service you need to copy the GPG key ID for the key you wan to use. You can copy this when you [check for existing GPG keys](#check-for-existing-gpg-keys).
+
+For the example key the id is shown first:
+```bash
+$ gpg --list-secret-keys --keyid-format LONG
+/home/user/.gnupg/secring.gpg
+------------------------------------
+sec   4096R/3AA5C34371567BD2 2016-03-10 [expires: 2017-03-10]
+uid                          user 
+ssb   4096R/42B317FD4BA89E7A 2016-03-10
+```
+
+You can see the key for this example is `3AA5C34371567BD2`. You must use this id in the following command to get the public key block:
+```bash
+$ gpg --armor --export 3AA5C34371567BD2
+```
+
+This will print out your GPG key. This is a block of text that begins with `-----BEGIN PGP PUBLIC KEY BLOCK-----` and ends with `-----END PGP PUBLIC KEY BLOCK-----`.
+
+Copy this block of text to your system clipboard and paste it on your git service's web interface. This may be under the settings page.
+
+References:
+[OpenPGP Message Format]: <https://www.ietf.org/rfc/rfc4880.txt>
+[Migrate GPG keys]: <http://www.koozie.org/blog/2014/07/migrating-gnupg-keys-from-one-computer-to-another/>
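Review bot: the `adduid` walkthrough stops at `(O)kay` and the passphrase prompt but never tells the reader to type `save` at the `gpg>` prompt, so the new user ID is discarded on quit and the "Asociate an email" step silently does nothing; add a `gpg> save` line after the passphrase step. Related ordering problem: the "Sign a commit" subsection says pushed commits will show as verified, but that only happens once the public key has been uploaded, which is covered only in the final "Add a key to a git service" section; cross-reference it there or move that section ahead of signing. The note "The previous command tries to add it to `.bash_profile`, if this fails it will add it to `~/.profile`" does not describe the two commands above it, which run independently (`test -r ~/.bash_profile && ... >> ~/.bash_profile` followed by an unconditional `echo ... >> ~/.profile`), so on a system with both files the export is appended to both; chain them with `||` or reword the note. The `References:` block consists only of link reference definitions (`[OpenPGP Message Format]: <...>`) that nothing in the body uses, so Markdown renderers show an empty "References:" line; make them plain list items or cite them inline. Smaller points: `$ gpg>` mixes the shell prompt into the gpg prompt; the sample listing uses the GnuPG 1.x `secring.gpg` / `4096R/` format rather than the `pubring.kbx` / `rsa4096/` output the 2.1.17+ commands on this page actually produce; `gpg --list-keys` in the email section should match the `--list-secret-keys` used everywhere else; and "Be sure this email doesn't reply" presumably means the service's no-reply address and should say so. Typos: "algoritms", "propmted", "Asociate", "asociated", "commiter", "commiting", "wan to use".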

+ 184 - 0
git-over-ssh.md

@@ -0,0 +1,184 @@
+---
+title: "Git Over SSH"
+date: 2020-07-26T20:10:21-05:00
+draft: true
+tags:
+  - git
+  - ssh
+  - shell
+  - login
+  - security
+  - howto
+---
+
+SSH protocol is intended to authenticate and connect to remote servers and services. If you have an account on a remote git service ssh is very useful if you want to avoid typing a username and password on each `git push`, git `git pull` or `git fetch`.
+
+## Check for existing ssh keys
+
+First you must check your system to see if you have any ssh key available, if so you can use it to connect with your remote service. You must type this on a terminal (for unix systems).
+
+```bash
+# This list your ~/.ssh directory to see if SSH keys exist.
+$ ls -al ~/.ssh
+```
+
+If you already have ssh keys you should see a file listing with similar extensions: 
+
+```bash
+id_rsa.pub
+id_ecdsa.pub
+id_ed25519.pub
+```
+If you want to use them to authenticate to a git service read [add SSH key to the ssh-agent](#add-ssh-key-to-the-ssh-agent). If you don't want to use those to authenticate, you may want to [generate a new SSH key](#generate-a-new-ssh-key).
+
+If the previous command fails, either by non existing directory or there are no files inside it you need to [generate a new SSH key](#generate-a-new-ssh-key).
+
+## Generate a new SSH key
+
+To generate a new ssh key the general format for the command is:
+
+```bash
+$ ssh-keygen -t <dsa | ecdsa | ecdsa-sk | ed25519 | ed25529-sk | rsa> -b <bits> -C <comment>
+```
+
+According to the [OpenSSH manual](https://www.openssh.com/manual.html), you must provide a type of key to create after the `-t` flag. The possible values are:
+
+* [dsa]: Digital Signature Algorithm
+* [ecdsa]: Elliptic Curve Digital Signature Algorithm
+* [ecdsa-sk]: Elliptic Curve Digital Signature Algorithm with support for FIDO/U2F hardware authenticators.
+* [ed25519]: Edwards-curve Digital Signature Algorithm
+* [ed25519-sk]: Edwards-curve Digital Signature Algorithm with support for FIDO/U2F hardware authenticators.
+* [rsa]: Rivest–Shamir–Adleman Algorithm
+
+With the `-b` flag you specify the number of bits in the key to create. For RSA, the minimmum size is 1024 and by default is 3072 ibts. For ECDSA keys `-b` specifies the key length. You can select from three elliptic curve sizes: 256, 384 or 521 bits. This flag is ignored for ECDSA-SK, Ed25519 and Ed25519-SK because they have fixed length.
+
+The `-C` flag is to provide a comment, usualy you provide your email address or other comment that serves as an asociation comment.
+
+### Example:
+
+Open a terminal and type:
+
+```bash
+$ ssh-keygen -t rsa -b 4096 -C "your_email@example.com"
+```
+This will output:
+```bash
+> Generating public/private rsa key pair.
+```
+
+Enter a file where you want to save the key, usually inside the `~/.ssh` directory.
+
+```bash
+> Enter a file in which to save the key (/home/user/.ssh/id_rsa): [press enter]
+```
+
+Enter a passphrase. This will be asked when you add the key to the agent.
+
+```bash
+> Enter passphrase (empty for no passphrase): [type a passphrasse]
+> Enter same passphrase again: [type a passphrase]
+```
+
+Generally you must follow the instructions when you type the command, with different options the instructions may vary.
+
+## Add SSH key to the SSH agent
+
+Once you have your SSH key, you need to add it to the `ssh-agent`.
+
+Start the `ssh-agent` in the background:
+
+```bash
+$ eval "$(ssh-agent -s)"
+```
+
+This will output:
+```bash
+> Agent pid 23872
+```
+
+Add the SSH private key to the `ssh-agent`. If you typed a different name for the file you must provide that.
+  
+```bash
+$ ssh-add ~/.ssh/id_rsa
+```
+
+Type the passphrase you typed when you created the key.
+
+```bash
+Enter passphrase for /home/user/.ssh/id_rsa:
+```
+
+This will print:
+```bash
+Identity added: /home/user/.ssh/id_rsa (your_email@example.com)
+```
+
+You can confirm your addition with:
+```bash
+$ ssh-add -l
+```
+
+This will print:
+```bash
+4096 SHA256:<some rsa signature> your_email@example.com (RSA)
+```
+
+You always can view the keys added with `ssh-add -l`. Be sure the `ssh-agent` is running otherwise you won't be able to authenticate to your service.
+
+## Test SSH connection
+
+If you want to test if you are able to authenticate try this command:
+
+```bash
+$ ssh -T git@git.service.com
+```
+
+Where the `git@git.service.com` must be the service you want to authenticate, this is just an example.
+
+You should recieve a welcome message without shell access. This proves you can now work with ssh authentication enabled.
+
+## Add the SSH key to your git service account
+
+Git hosting services often offer a web interface dashboard where you can add your public keys that will authenticate your activities on repositories.
+
+First you need to copy your SSH public key to your system clipboard using [xclip](https://linux.die.net/man/1/xclip) or with a text editor.
+
+```bash
+$ xclip -sel clip < ~/.ssh/id_rsa.pub
+```
+
+Once you have the public key in your clipboard you must access your service web interface and paste it on the dashboard. You may search in the settings page as SSH and GPG keys, click on add new ssh key or add ssh key button, add a description and paste the key from your clipboard to the key text field on your settings dashboard.
+
+## SSH key passphrases
+
+A passphrase is a method to add an extra layer of security to your keys. To add or change a passphrase for your ssh key you can use the `ssh-agent` to securely save your passphrase and avoid typing it each time you want to authenticate.
+
+### Add or change passphrase
+
+To change a passphrase for an existing private key without regenerating the key pair, type:
+```bash
+$ ssh-keygen -p
+```
+
+This command will prompt you with the following:
+```bash
+# Start the ssh key creation process
+> Enter file in which the key is (/home/user/.ssh/id_rsa): [hit enter or specify the file name]
+> Key has comment '/home/user/.ssh/id_rsa'
+> Enter new passphrase (empty for no passphrase): [Type a new passphrase]
+> Enter same passphrase again: [Type the passphrase again]
+> Your identification has been saved with the new passphrase.
+```
+
+If your key already had a passphrase you will need to enter it in order to change it.
+
+You can visit [using ssh-agent], on how to configure `ssh-agent` to passwordless logins.
+
+References:
+[dsa]: <https://www.ietf.org/rfc/rfc3279.txt>
+[ecdsa]: <https://tools.ietf.org/html/rfc6605>
+[ecdsa-sk]: <https://www.openssh.com/txt/release-8.2>
+[ed25519]: <https://tools.ietf.org/html/rfc8032>
+[ed25519-sk]: <https://www.openssh.com/txt/release-8.2>
+[rsa]: <https://tools.ietf.org/html/rfc8017>
+[using ssh-agent]: <http://mah.everybody.org/docs/ssh>
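Review bot: the command template `ssh-keygen -t <dsa | ecdsa | ecdsa-sk | ed25519 | ed25529-sk | rsa> -b <bits> -C <comment>` misspells `ed25519-sk` (the bullet list and the reference definition below both have it right), so anyone copying the template gets `unknown key type` from ssh-keygen; fix the digits. The "SSH key passphrases" section conflates two tools: `ssh-keygen -p` is what adds or changes a passphrase, while `ssh-agent` only caches the decrypted key for the session, so "To add or change a passphrase for your ssh key you can use the `ssh-agent`" should be reworded, and the `# Start the ssh key creation process` comment inside the `ssh-keygen -p` transcript is wrong, since no key is created there. In the `ssh-add -l` sample, `SHA256:<some rsa signature>` is the key's fingerprint, not a signature; name it correctly, because that value is what a user compares when checking which key the agent holds. "Be sure the `ssh-agent` is running otherwise you won't be able to authenticate" overstates it: without an agent, ssh simply prompts for the passphrase on each connection. As in the other file, the `References:` block is only reference definitions; the `[dsa]`..`[rsa]` and `[using ssh-agent]` shortcut links in the body will resolve, but the "References:" line itself renders with nothing under it. Typos: "git `git pull`" (doubled word), "minimmum", "ibts", "usualy", "asociation", "recieve", "passphrasse".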