Rick's Dev Notes

Version 0.3.3

Dev notes you can use

Last updated on Wed, 31 May 2023 21:15 UTC

Github

1Password Integration

Each repo must be told which GitHub account to use so that authentication and signature verification work properly. See here.

git remote set-url origin <host>:<workplace>/<repo>.git
# example:
git remote set-url origin rickdgray:rickdgray/notes.git

See here for actually signing the commits. You can use the same SSH key for both auth and signing.

So the short answer to set up a newly cloned repo is:

git clone <repo>.git
cd <repo>
# run inside the repo so the remote of the new clone is the one that changes
git remote set-url origin rickdgray:rickdgray/<repo>.git
git config -e  # local config for repo-specific commit signing

Paste this in the config:

[user]
  email = rickdgray@outlook.com
  signingkey = ssh-ed25519 #redacted key; get from 1password
[gpg]
  format = ssh
[gpg "ssh"]
  program = "C:/Users/rickdgray/AppData/Local/1Password/app/8/op-ssh-sign.exe"
[commit]
  gpgsign = true

Then as long as your SSH key is added to GitHub you’re good.
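
To check that a repo's config really carries these settings, here is an added example (not part of the original notes): a shell function that reads a config file with git config --file and flags missing signing settings, including the case where the signingkey placeholder line above was pasted without the key body. The function name audit_signing_config is made up for illustration.

```bash
# Added example, not from the original notes: audit a git config file for the
# SSH commit-signing settings above. Returns 0 only if every check passes.
# Usage: audit_signing_config .git/config
audit_signing_config() {
  cfg=$1
  rc=0
  # Read one key from this file only, ignoring global and system config.
  get() { git config --file "$cfg" --get "$1" 2>/dev/null || true; }

  # commit.gpgsign must be true, or commits are created unsigned.
  gpgsign=$(git config --file "$cfg" --bool --get commit.gpgsign 2>/dev/null || true)
  if [ "$gpgsign" != "true" ]; then
    echo "FAIL commit.gpgsign is not true"; rc=1
  fi

  # Without gpg.format = ssh, git treats user.signingkey as an OpenPGP key id.
  if [ "$(get gpg.format)" != "ssh" ]; then
    echo "FAIL gpg.format is not ssh"; rc=1
  fi

  # The config above sets user.email per repo; flag it when it is missing.
  if [ -z "$(get user.email)" ]; then
    echo "FAIL user.email is not set"; rc=1
  fi

  key=$(get user.signingkey)
  key=${key#key::}   # git also accepts a literal key with a key:: prefix
  case $key in
    "")
      echo "FAIL user.signingkey is not set"; rc=1 ;;
    ssh-*|ecdsa-*|sk-*)
      # A literal public key is "<type> <base64 body>" and the body starts
      # with AAAA. In git config '#' starts a comment, so pasting the
      # placeholder line unchanged leaves only the key type as the value.
      body=${key#* }
      case $body in
        AAAA*) echo "OK   user.signingkey is a literal ${key%% *} public key" ;;
        *) echo "FAIL user.signingkey has a key type but no key body"; rc=1 ;;
      esac ;;
    *)
      echo "INFO user.signingkey is treated as a path to a key file: $key" ;;
  esac
  return "$rc"
}
```

Run it as audit_signing_config .git/config from the repo root after editing the config; any FAIL line means commits from that repo will not be signed the way the config above intends.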

Verified Commits from Linux

  1. Install git and pass.
sudo apt install git pass
  2. Install Git Credential Manager Core (GCM Core).
    1. Download the latest .deb file.
    2. Install the .deb file.
    sudo dpkg -i <path-to-package>
    
    3. Initialize GCM Core.
    git-credential-manager configure
    
  3. Create a new identity. The “Real Name” you choose here will be your “user id” in step 5. If you decide to set a passphrase, it will need to be entered for every commit.
gpg --gen-key
  4. Add the public key of your newly created gpg identity to your GitHub keys so that GitHub can verify your locally signed commits.
    1. Find your newly created identity.
    gpg --list-secret-keys --keyid-format=long
    
    In the example printout below, the gpg id is “9794C0815DD517AC”.
    sec   rsa3072/9794C0815DD517AC 2022-08-23 [SC] [expires: 2024-08-22]
          C3E518D31EDC2F2055036E4C9794C0815DD517AC
    uid                 [ultimate] John Doe <jdoe@contoso.com>
    ssb   rsa3072/CA147602C62ED40C 2022-08-23 [E] [expires: 2024-08-22]
    
    2. Print the public key.
    gpg --armor --export 9794C0815DD517AC
    
    3. Copy the public key and add it to your GitHub keys.
  5. Initialize pass with the gpg identity’s user id.
pass init "John Doe"
  6. Tell git to use gpg identities for credential storage, to use your newly created key, and to sign your commits with the private gpg key.
git config --global credential.credentialStore gpg
git config --global user.signingkey 9794C0815DD517AC
git config --global commit.gpgsign true
  7. Don’t forget to set name and email in the git configuration if you haven’t yet.
git config --global user.name "John Doe"
git config --global user.email jdoe@contoso.com
  8. Append this line to the end of your “~/.bashrc” file.
export GPG_TTY=$(tty)
  9. Now try to clone a private repo or some other privileged access action. GCM will then ask for authentication via either your browser or a personal access token (PAT). Either will work.

After this initial authorization, GCM will store your authentication in the password store (pass). Now, when doing any privileged git operations, git will automatically use your gpg identity -> password store (pass) -> stored authentication. If you set up a passphrase on your gpg identity, you will only have to remember that to decrypt the gpg key. If not, it will be entirely automatic.

Github Actions

You can impersonate the GitHub Actions bot with this name and email:

git config --global user.name "github-actions[bot]"
git config --global user.email "github-actions[bot]@users.noreply.github.com"