Creating your primary keypair

  1. Initiate the keypair generation wizard

    gpg --full-generate-key --expert
    
  2. Select option (9) ECC and ECC for the key type

  3. Select option (1) Curve 25519 for the elliptic curve
  4. Set a validity period of your choice, ideally less than 1 year
  5. Specify real name and email address to associate with this keypair. The email address must match your verified Github email address or be set to your-github-username@users.noreply.github.com.
  6. Type a passphrase (twice)

Create a signing keypair

  1. Add a signing subkey

    gpg --expert --edit-key my@email.addr
    gpg> addkey
    
  2. Select option (10) ECC (sign only) for the key type

  3. Select option (1) Curve 25519 for the elliptic curve
  4. Set a validity period of your choice, ideally less than 1 year
  5. Accept the prompts and type a passphrase (twice)
  6. Save and exit

    gpg> save
    

Create revocation certificate

gpg --output my_email_addr.gpg-revocation-certificate --gen-revoke my@email.addr

Back up your keypair

Export the primary keypair (put these somewhere very safe along with revocation certificate)

gpg --export-secret-keys --armor my@email.addr > my_email_addr.private.gpg-key
gpg --export --armor my@email.addr > my_email_addr.public.gpg-key

Remove the primary keypair from your keyring

  1. Export all subkeys from the new keypair to a file

    gpg --export-secret-subkeys my@email.addr > $HOME/.gnupg/subkeys
    
  2. Delete primary key from keyring - BE SURE TO BACK UP YOUR PRIMARY KEYPAIR FIRST!

    gpg --delete-secret-key my@email.addr
    
  3. Re-import the previously exported keys

    gpg --import $HOME/.gnupg/subkeys
    
  4. Look for sec# instead of sec in the output - the pound sign after sec means the secret part of the primary (signing) key is no longer in the keyring; the subkeys (ssb lines) are still present

    gpg --list-secret-keys my@email.addr
    
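To confirm the state step 4 describes without eyeballing the output, here is an added POSIX shell check (not part of the original page) that parses the machine-readable listing from gpg --list-secret-keys --with-colons, reports whether the primary secret key is absent (sec#) and picks the signing subkey ID to use for user.signingkey. The listings embedded below are constructed samples; their key IDs and fingerprints are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original page. Parses the machine-readable
# output of `gpg --list-secret-keys --with-colons` (field 15 of a sec/ssb
# record is '#' when the secret part is absent, '+' when present; field 12
# holds capabilities, field 5 the long key ID) to confirm the primary key is
# offline and to find the signing subkey for git's user.signingkey.

# Constructed sample: keyring after the primary key was deleted and the
# subkeys re-imported. Key IDs and fingerprints are placeholders.
SAMPLE_OFFLINE='sec:u:255:22:0123456789ABCDEF:1700000000:1731536000::u:::scESCA:::#::ed25519::
fpr:::::::::0000000000000000000000000123456789ABCDEF:
uid:u::::1700000000::0000000000000000000000000000000000000000::Alice Example <alice@example.com>::::::::::0:
ssb:u:255:22:FEDCBA9876543210:1700000000:1731536000:::::s:::+::ed25519::
fpr:::::::::000000000000000000000000FEDCBA9876543210:
ssb:u:255:18:1122334455667788:1700000000:1731536000:::::e:::+::cv25519::
fpr:::::::::0000000000000000000000001122334455667788:'

# Constructed sample: the same primary key before it was removed ('+').
SAMPLE_ONLINE='sec:u:255:22:0123456789ABCDEF:1700000000:1731536000::u:::scESCA:::+::ed25519::'

# primary_secret_absent LISTING: succeeds only if every sec record shows '#'.
primary_secret_absent() {
    printf '%s\n' "$1" | awk -F: '
        $1 == "sec" { total++; if ($15 == "#") offline++ }
        END { exit !(total > 0 && total == offline) }'
}

# signing_subkey_id LISTING: prints the long key ID of the first subkey with
# its own signing capability (lowercase s) whose secret part is present.
signing_subkey_id() {
    printf '%s\n' "$1" | awk -F: '
        $1 == "ssb" && index($12, "s") > 0 && $15 == "+" { print $5; found = 1; exit }
        END { exit found ? 0 : 1 }'
}

# report_keyring_state LISTING: summary plus the git config line that pins the
# signing subkey (the trailing '!' makes gpg use exactly that subkey).
report_keyring_state() {
    if primary_secret_absent "$1"; then
        echo "OK: primary secret key is offline (sec# in listing)"
    else
        echo "WARNING: primary secret key is still in this keyring"
    fi
    id=$(signing_subkey_id "$1") || { echo "ERROR: no usable signing subkey"; return 1; }
    echo "signing subkey: $id"
    echo "git config --global user.signingkey ${id}!"
}

# Run against the constructed sample; for a real keyring pass
#   "$(gpg --list-secret-keys --with-colons my@email.addr)" instead.
report_keyring_state "$SAMPLE_OFFLINE"
```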

Revoking a signing keypair

Find the primary keypair and import it (preferably into an ephemeral system like a liveUSB)

gpg --import /path/to/my_email_addr.public.gpg-key /path/to/my_email_addr.private.gpg-key
gpg --edit-key my@email.addr
gpg> revkey
[ passphrase twice ]
gpg> save

Renew an expired or expiring keypair

gpg --edit-key my@email.addr
[select a key]
gpg> expire
[specify an expiration]
gpg> save

Create a single signed git commit

git commit -S -m "my awesome signed commit"

Configure git to always sign commits with a specified key

gpg --list-secret-keys --keyid-format=long # grab the long key ID from the 'sec' line (shown as sec# once the primary key has been removed)
git config [--global] commit.gpgsign true
git config [--global] user.signingkey DEADB33FBAD1D3A

Configure VSCode to sign commits

# User or workspace setting
"git.enableCommitSigning": true

Upload your public key to a keyserver

gpg --keyserver pgp.mit.edu --send-keys 0xDEADB33FBAD1D3A

Verify your key has been published

gpg --keyserver pgp.mit.edu --search-keys my@email.addr

This content is licensed under the Attribution-Share Alike 4.0 International license unless otherwise noted.

Author: Al Bowles