Damian Mee

Signing git commits using Keybase

screenshot-main

Signing git commits has been a great idea since forever. A great unpopular idea. Luckily, that changes with the recent Github announcement. This is a quick guide on how to set it up with your keybase.io account.

Keybase

Jump to the git stuff, I already have Keybase.

Create keybase.io account

Keybase is still not publicly available, but you can ask me or anyone on Keybase for an invite.

Add a PGP key

After you create the account, you’ll have an option to either generate the key via the online interface or just add your already existing key. If you choose the former make sure to add at least one of the emails you have confirmed on your Github account. It will save you time later.

Add identities (optional)

The more of your online identities you add the more trustworthy your profile becomes. I suggest adding as many as possible, but you can also add them later and/or via the app or terminal client.

Track people (optional)

Tracking people makes their profiles more trustworthy, by providing an auditable authenticity proof of their identity. To understand more how it works, head here.

“But whom should I track?”, you might ask puzzled. And if you do, scroll down to the handy list that can get you started.

Keybase app

Keybase really shines only when you also utilize its command line interface. GUI app is still in works.

Install mac, linux & other.

# OSX
$ brew install keybase

# 64-bit Debian:
$ curl -O https://dist.keybase.io/linux/deb/keybase-latest-amd64.deb && \
  sudo dpkg -i keybase-latest-amd64.deb

# Other
## All contributions welcome ;)

Login

$ keybase login

Follow the steps and make sure to save your paper wallet somewhere safe.

Keys

To make any of it possible you need your Keybase keys locally.

Public

To import your public key just run:

# replace with your username where appropriate
$ curl https://keybase.io/<your-username>/key.asc | gpg --import

Private

Now it’s time for the private key. Open your Keybase profile, and…

screenshot-main

Confirm password, copy everything from the popup and save it as ex. keybase-private.key.

Then:

$ gpg --allow-secret-key-import --import keybase-private.key

Git

Once you’re all set with your Keybase stuff, you need to teach your git how to crypto.

Get your key ID

Go to https://keybase.io/<your-username> and copy 8 last characters of your key fingerprint from there.

screenshot-main

Alternatively, run gpg --list-keys, and locate your keybase key on the list there, ex:

$ gpg --list-keys
[…]

pub   4096R/A809CB18 2014-05-09
uid       [ultimate] Damian Mee (https://meedamian.com) <[email protected]>
uid       [ultimate] keybase.io/meedamian <[email protected]>
sub   2048R/6560B337 2014-05-09 [expires: 2022-05-07]
sub   2048R/15276EF8 2014-05-09 [expires: 2022-05-07]

[…]

From there, copy your key ID (in the example above, it’s A809CB18).

Add email to your key (optional)

If your key, for any reason¹, doesn’t have any overlapping email addresses with your Github account, this step is necessary.

¹ - Ex. you forgot to add it during key generation, or you have an old key that has <your-username>@keybase.io as an email

First, run:

$ gpg --edit-key <your-username>@keybase.io

You’ll be presented with an interactive prompt, there:

  • type adduid followed by enter,
  • provide your publicly recognizable name,
  • input any of the email addresses you have on Github,
  • a “Comment” field can hold your website address,
  • press o (as in “okay”), followed by enter,
  • type trust, select 5 and confirm with y to grant ultimate trust to your identity,
  • Finally type save and confirm with enter.

Once you’re done, re-sync your key with Keybase, with:

# for newer keybase cli
$ keybase pgp select --multi

# for older keybase cli
$ keybase push --update

You might be asked to choose the key to be synced. Make sure to select the Keybase one.

When it finishes you might want to wait a short while, before proceeding to the next step.

Add public key to Github

Copy everything from https://keybase.io/<your-username>/key.asc and paste it as a new “GPG key” in here.

Set git defaults

# Use `git commit -S` by default for all commits
$ git config --global commit.gpgsign true

# Set default key
$ git config --global user.signingkey <key-id>

Go on the committing spree

All you commit now should be automagically signed with your Keybase key. If everything went well, you should see a “Verified” badge by all your new commits on Github.

Signed commit tooltip

People worth stalking

     
koush   Brilliant Android engineer, who blocked his mom’s number
chris & max   They’re to blame for Keybase and OkCupid
vitalik   The founder of Ethereum
moot   All 4chan posts are by him
codinghorror   Has a cool blog and founded Stack Exchange
aikordek   Bitcoin & Startup girl
mpj   Shares great tweets and videos
authy   The 2FA app you should be using instead of Google Authenticator
robpike   Co-creator of Go
sindresorhus   The guy who wrote all npm packages
jakewharton   Cool Android dev
matthewdgreen   He knows a lot of security thingies
oleganza   Shares good UX and security content
meedamian   The original creator of this list

KeyBase File System

This one is quite off-topic, but I think it’s amazing and worth including here. Keybase is working on a seamless, fully encrypted and synced /keybase/{public,private}/ folder. Make sure to check it out. If you need an invite hit me up.