How to share GPG key from remote host to local host without writing the key to a file
The errors you're receiving (error receiving key from agent: Inappropriate ioctl for device - skipped) indicate that your secret key is passphrase protected and that your GPG passphrase agent isn't compatible through SSH, which most aren't.
Three options come to mind:
- Initiate the export from the source host (to facilitate interactive passphrase entry);
- Leverage the --passphrase/--pinentry switches (as suggested in the post you reference); e.g.,
  stty -echo && ssh "$host" "gpg --batch --passphrase-fd 0 --pinentry-mode loopback -a --export-secret-key '$key'" | gpg --import; stty echo
  or,
- Remove passphrase protection from the key (not necessarily desirable).
How do you approach signing git commits on many machines?
Should I separately generate all keys for all computers
This is considered a best practice, namely because:
- you can see from where you did your commits, based on the particular key used
- you can revoke a key (and update it) without invalidating all others.
If you want all your projects to:
- be on the same path (company-x)
- use the same global config (with different keys per machine)
you might consider, with Git 2.23+, using different branch names, one per machine (main-machine1, main-machine2, ...), each one pushing to the regular remote tracking branch origin/main of their respective repo.
That is because a conditional config file can also use the branch name for its includeIf directive.
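What such a per-machine setup could look like, as an added example (not from the answer above); the branch names, include file paths and key ids are placeholders I made up, and push.default = upstream is assumed so that main-machine1 pushes to origin/main rather than to a branch of its own name:

```ini
# ~/.gitconfig (shared between machines; constructed example)
[user]
    name = Alice Example
    email = alice@example.com
[commit]
    gpgsign = true
# Git 2.23+: the include is applied only while the named branch is checked out
[includeIf "onbranch:main-machine1"]
    path = ~/.gitconfig-machine1
[includeIf "onbranch:main-machine2"]
    path = ~/.gitconfig-machine2

# ~/.gitconfig-machine1 (only this key's secret material exists on machine 1)
[user]
    signingkey = 1111222233334444!

# ~/.gitconfig-machine2
[user]
    signingkey = 5555666677778888!

# per repository, e.g. company-x/project/.git/config
# (what `git branch -u origin/main main-machine1` writes)
[branch "main-machine1"]
    remote = origin
    merge = refs/heads/main
[push]
    default = upstream
```

Check the result from inside the repo with the branch checked out: `git config --show-origin user.signingkey` reports which include file supplied the key.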
Is there any way to set up an SSH config profile to perform GPG signing automatically?
SSH and GIT/GPG have nothing to do with each other, so you cannot configure which PGP key to use for signing commits in your .ssh/config. If you want to set up a PGP key to be used to sign commits you will have to configure git to do so.
You can set this up globally like this:
git config --global gpg.program gpg
git config --global commit.gpgsign true
git config --global user.signingkey <KEY-FINGERPRINT-HERE>
Where <KEY-FINGERPRINT-HERE> is the fingerprint of the key you want to use, which has to be already imported in gpg (see gpg --edit-key <your-mail> for the fingerprint).
You can also omit --global to configure different settings only for the current GIT repository that you are working on.
Is there a way to autosign commits in Git with a GPG key?
Note: if you don't want to add -S all the time to make sure your commits are signed, there is a proposal (branch 'pu' for now, December 2013, so no guarantee it will make it to a git release) to add a config which will take care of that option for you.
Update May 2014: it is in Git 2.0 (after being resent in this patch series).
See commit 2af2ef3 by Nicolas Vigier (boklm):
Add the commit.gpgsign option to sign all commits
If you want to GPG sign all your commits, you have to add the -S option all the time.
The commit.gpgsign config option allows you to sign all commits automatically.
commit.gpgsign
A boolean to specify whether all commits should be GPG signed.
Use of this option when doing operations such as rebase can result in a large number of commits being signed. It may be convenient to use an agent to avoid typing your GPG passphrase several times.
That config is usually set per repo (you don't need to sign your private experimental local repos):
cd /path/to/repo/needing/gpg/signature
git config commit.gpgsign true
You would combine that with user.signingKey used as a global setting (unique key used for all repos where you want to sign commits):
git config --global user.signingkey F2C7AB29!
                                            ^
As ubombi suggests in the comments (and explains in "GPG Hardware Key and Git Signing", based on "How to Specify a User Id"):
When using gpg an exclamation mark (!) may be appended to force using the specified primary or secondary key, and not to try and calculate which primary or secondary key to use.
Note that Rik adds in the comments:
If you're using something like a YubiKey (as recommended) you don't need to worry about the exclamation point because the only signing key(s) you should have available for a primary key-pair are:
- the primary key itself, which should have a # after it indicating it's not available,
- and the secret subkey with a > after it indicating it's a stub that points to the YubiKey as the only available signing key in its applet.
Only if you keep all your private keys available on your system (bad practice), then probably it would be a good idea to prevent auto-selection between available signing keys.
user.signingKey was introduced in git 1.5.0 (Jan. 2007) with commit d67778e:
There shouldn't be a requirement that I use the same form of my name in my git repository and my gpg key.
Further I might have multiple keys in my keyring, and might want to use one that doesn't match up with the address I use in commit messages.
This patch adds a configuration entry "user.signingKey" which, if present, will be passed to the "-u" switch for gpg, allowing the tag signing key to be overridden.
This is enforced with commit aba9119 (git 1.5.3.2) in order to catch the case where the user has misconfigured user.signingKey in their .git/config or just doesn't have any secret keys on their keyring.
Notes:
- By convention, since git 2.4.0 (March 2015), it is signingKey, not signingkey, even though the git config keys are case insensitive. That would matter only if you do git config --get-regexp, which is case sensitive; otherwise, it is only a readability convention;
- If you want the git server to check the signature for each push, you will need git 2.2+ (Oct. 2014) at least (commit b945901), as git push --signed failed to consider the user.signingKey config value;
- git 2.9 (June 2016) will use user.signingKey to force signing annotated tags as well as commits: commit 61c2fe0.
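The sec# / ssb> markers and the "!" suffix discussed in the comments above can be checked mechanically from the colon-separated listing gpg -K --with-colons prints. The script below is an added example, not part of the answer; the two listings it works on are constructed (key ids, fingerprint and card serial are placeholders), while the field positions follow GnuPG's documented colon format.

```python
# Added example: pick a value for `git config --global user.signingkey`
# from `gpg -K --with-colons`. In that format field 12 holds capabilities
# (a lowercase 's' means this particular key can sign) and field 15 holds
# '#' for a stub with no secret material (shown as sec#/ssb# by gpg -K),
# a serial number when the secret lives on a smartcard (shown as ssb>),
# or nothing when the secret key is on disk.
from dataclasses import dataclass

# Constructed listings; every id, fingerprint and serial number is made up.
CARD_LISTING = """\
sec:u:4096:1:1111222233334444:1500000000:::u:::cSC:::#:::23::0:
uid:u::::1500000000::DEADBEEF::Alice Example <alice@example.com>::::::::::0:
ssb:u:4096:1:5555666677778888:1500000000::::::s:::D2760001240102010006012345670000:::23:
ssb:u:4096:1:9999AAAABBBBCCCC:1500000000::::::e:::D2760001240102010006012345670000:::23:
"""
ON_DISK_LISTING = """\
sec:u:4096:1:1111222233334444:1500000000:::u:::scESC::::::23::0:
ssb:u:4096:1:5555666677778888:1500000000::::::s::::::23:
"""

@dataclass
class SecretKey:
    record: str   # 'sec' = primary key, 'ssb' = subkey
    keyid: str
    caps: str
    token: str    # '', '#' or a smartcard serial number

    @property
    def can_sign(self) -> bool:
        return "s" in self.caps   # lowercase only: this key's own capability

    @property
    def location(self) -> str:
        if self.token == "#":
            return "missing"
        return "smartcard" if self.token else "on disk"

def parse_secret_keys(listing: str) -> list:
    keys = []
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] in ("sec", "ssb") and len(f) > 14:
            keys.append(SecretKey(f[0], f[4], f[11], f[14]))
    return keys

def choose_signing_key(listing: str) -> str:
    """Prefer a signing subkey; append '!' only when gpg would otherwise
    have more than one usable signing key to auto-select from."""
    usable = [k for k in parse_secret_keys(listing)
              if k.can_sign and k.location != "missing"]
    if not usable:
        raise ValueError("no usable signing key (check gpg -K for sec#/ssb# stubs)")
    chosen = next((k for k in usable if k.record == "ssb"), usable[0])
    return chosen.keyid + ("!" if len(usable) > 1 else "")
```

With only the card-backed subkey usable the suffix is unnecessary; with the primary key and subkey both on disk the script pins the subkey with "!".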
How to use GPG on Windows to authenticate to Github for SSH?
To authenticate to GitHub over SSH, you can only use the SSH keys. GPG keys are used to sign the commits so that people know that the commit was made by you, not someone else.
Here's the scenario:
You use SSH on your PC to pull/push to GitHub. But one day, someone finds out your password, somehow. Now, that person can also push and pull to GitHub through your account. This way, it will be hard for others to know which commit was made by the real you, and which one was made by an imposter.
But if you have a GPG key authenticated to your GitHub account for your PC that you use to make the commits over SSH, the commits will be signed. Now, even if someone got your password and could commit something, somehow, others will know that the commit wasn't made by you. Why? Because it wasn't signed using your GPG key.
GPG keys are like virtual signatures/fingerprint used to identify what belongs (authorized) to you and what doesn't. Just like an SSH key that is used to verify your identity for easier access.
So, NO, you can't use GPG keys to push/pull to/from GitHub.
GPG sign not using keys from gpg-connect-agent
You need to import your public key to WSL.
As stated here https://wiki.gnupg.org/AgentForwarding:
It is important to note that to work properly GnuPG on the remote system still needs your public keys.
Steps:
- On Windows, export your public key with gpg --export -a 'mail@none.com' > public.key;
- On WSL, import your public key with gpg --import public.key.
Use gpg to sign git commits in eclipse
It seems to be a missing feature of EGit, you should probably suggest this enhancement to http://bugs.eclipse.org .