README.md: 40 additions & 0 deletions
@@ -40,6 +40,46 @@ you when you enable GitHub Actions. To learn more about how it works, read
40
40
["Authenticating with the GITHUB\_TOKEN"](https://docs.github.com/en/actions/configuring-and-managing-workflows/authenticating-with-the-github_token)
41
41
in the GitHub Docs.
42
42
43
+
### Setting up GPG keys
44
+
45
+
#### Using a subkey from an existing GPG key
46
+
47
+
First open your master key for editing `gpg --edit-key "<YOUR MASTER KEY ID>"` type `addkey` and select signing or s for
48
+
capabilities. RSA key type is recommended for greatest compatibility. Type `save` to persist the new subkey to your
49
+
master key. Make a note of the Key ID as you will need it in the next step.
50
+
51
+
Next export the new sub key `gpg --output private.key --armor --export-secret-subkeys "<SubKey ID>!"` this will be exported to
52
+
the file private.key the ! at the end is important as it limits the export to just the sub key
53
+
**Delete the file once you are done and don't share it with anyone else**
54
+
55
+
If your master key is password protected, you will need to remove the password from the subkey before you can add it into
56
+
github settings, you can skip this if your master key is not password protected.
57
+
58
+
To remove the password from the subkey create a ephemeral gpg home directory `mkdir /tmp/gpg` and ensure that it works with gpg
59
+
`gpg --homedir /tmp/gpg --list-keys` You can ignore the warning about unsafe directory permissions.
60
+
Import your subkey `gpg --homedir /tmp/gpg --import private.key` and enter edit mode `gpg --homedir /tmp/gpg --edit-key <SubKey ID>`
61
+
type `passwd` entering your current password and then set the password to "" to remove it.
62
+
Type `save` to exit edit mode and reexport your subkey `gpg --homedir /tmp/gpg --output private.key --armor --export-secret-subkeys "<SubKey ID>!"`.
63
+
Finally, remove the ephemeral directory: `rm --rf /tmp/gpg`
64
+
65
+
You will now need to do `gpg --output public.key --armor --export <YOUR MASTER KEY ID>` to export your master public key
66
+
with the new subkey public key to the file `public.key`. Then republish it to anywhere that you currently publish your public keys
67
+
68
+
#### Using a new key
69
+
70
+
To generate a new GPG key use the following command `gpg2 --full-generate-key` Pick option 4, then type 4096 for key size, select your desired expiry.
71
+
Fill out the user information and leave the password blank.
72
+
73
+
Once generated it will output something like `gpg: key <Key ID> marked as ultimately trusted` take a note of this Key Id to use in the next step.
74
+
75
+
`gpg --output private.key --armor --export-secret-key <Key ID>` This will output the key to the file `private.key` in the correct format to put into the environment
76
+
variable required for setup. **Delete the file once you are done and don't share it with anyone else**
77
+
78
+
Optionally you can use `gpg --output public.key --armor --export <Key ID>` to export the corresponding public key to the file `public.key`.
79
+
You can publish this key on your project webpage to allow users to verify your signed releases.
80
+
81
+
You could sign this new key with your personal key and the keys of other project maintainers to establish its provenance.
82
+
43
83
## Usage
44
84
45
85
Assuming your project has Github Actions enabled, each time you [**close**](https://developer.github.com/webhooks/event-payloads/#milestone)
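Review bot: the cleanup step in the subkey section, `rm --rf /tmp/gpg`, does not run as written; `rm` takes the short options `-rf`, and GNU rm rejects `--rf` as an unrecognized option, so the ephemeral home directory holding the passphrase-less secret key would be left on disk. Change it to `rm -rf /tmp/gpg`. In the same section, the instruction "You can ignore the warning about unsafe directory permissions" should go: that warning is gpg telling you that `/tmp/gpg` is readable by other users on the machine, which is exactly the directory about to receive a secret key with no passphrase. Create it with `mkdir -m 700 /tmp/gpg` (or `mktemp -d`) so the warning never appears. The bolded "Delete the file once you are done" note also applies to the re-exported, unprotected `private.key`, so it is worth repeating or moving after the re-export. Minor consistency point: the new-key section uses `gpg2 --full-generate-key` while every other command in the added text uses `gpg`; pick one binary name throughout.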