
Put PGP Keys into Git Repositories

You can store your public PGP key inside a git repository without relying on the infrastructure surrounding it. Below I describe how to ensure the availability of your key that way.

Goal

Using git you can sign tags and commits during development with your PGP key. Oftentimes the public key is made available through GitLab, GitHub or Bitbucket. That way other developers are able to verify the integrity and origin of your submissions.

However, I do not want to rely on additional infrastructure surrounding the git repository. I want to make my PGP key available in the repository directly. With the key stored in the repository, everyone who has a copy of it can verify my commits and tags directly, no matter how they obtained the repository.

Requirements

Pushing and fetching a tag that does not point to a commit on any branch requires special handling, because git's default tag following ignores such a tag. Therefore, your team members must be aware of the additional object in the git repository in order to retrieve it.

Steps

  1. Export public PGP key to temporary file.

  2. Write the file content into the object database and receive the blob hash.

  3. Tag the resulting blob object.

  4. Push the tag to the remote repository.

  5. Delete the temporary file.

Example

1. Export Public PGP Key

First, export your public key in ASCII-armored format. Using gpg this can be done by issuing

$ gpg --armor --export user@example.com > key.pub

Replace the email address with the one that actually corresponds to the key you would like to share. If several keys match the address, the key ID or fingerprint is the safer selector.

2. Hash the PGP Key

Next, write the contents of the file containing your PGP key into the repository's object database. The -w option is essential: without it, git hash-object only computes the hash and stores nothing.

$ git hash-object -w key.pub
10f302a27fce4e3a38f1f3f805e07acd6bd23a74

You will receive the hash, that is, the object name of the resulting blob. Nothing references the blob yet, so it would eventually be removed by garbage collection; the tag created in the next step makes it reachable.

3. Tag the Hashed git Object

Attach a tag to the blob. For that purpose, provide a tag name and the hash received earlier from git hash-object.

$ git tag -sa key-michael \
  10f302a27fce4e3a38f1f3f805e07acd6bd23a74

Sign your tag using -s; a signed tag is always an annotated tag object, so -a is redundant here but harmless. In the tag message, explain the purpose of the key and how to retrieve it from the repository. Be aware of what this signature does and does not prove: it is made with the very key the tag carries, so verifying it with git tag -v requires that key to be in the keyring already. The tag therefore cannot bootstrap trust in the key; compare its fingerprint with one obtained out of band before relying on it.

4. Push the Tag to Remote Repository

Now, make your key available for everyone by pushing it to the remote repository. An example would be

$ git push origin key-michael

Note that your tag is not reachable from any branch. Therefore, --follow-tags, which only pushes annotated tags reachable from the commits being pushed, will not include it. Depending on your workflow the --tags option, which pushes all tags, might be fine.

5. Remove Temporary File

At this point the contents of your temporary file have already been written to the repository's object database and are referenced by the tag. So, you are free to remove the file from the file system.

$ rm key.pub

Retrieve the Key from Repository

From this point on the key is included in every new clone, because git clone fetches all tags by default. However, users who have already cloned the repository need special handling to retrieve it.

A plain git fetch or git pull only follows tags that point into the history being fetched, and this tag points at a blob instead. Depending on your workflow, you therefore need to attach --tags either to git pull or git fetch.

$ git fetch --tags

Alternatively, fetch just that single tag by naming it explicitly (git fetch accepts the form origin tag key-michael). Note that --all only selects which remotes are contacted; it does not change tag following and will not retrieve this tag by itself.

To print the actual contents of the key, issue

$ git cat-file blob key-michael

This works because git cat-file dereferences the tag down to the blob it points at. Using the output, the key can now be imported into your gpg keyring, for instance by piping it into gpg --import. Before trusting it, compare its fingerprint with one obtained from the key owner through an independent channel: anyone with push access to the remote could have added or replaced the tag, so only after that check does git tag -v key-michael, or verifying signed commits, tell you anything about who produced the content.
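
As an added example (not from the original post), the following script runs the complete procedure, including the retrieval step, against a throw-away repository using git alone. The key material is a constructed placeholder written by printf, so gpg is not needed and the tag is annotated rather than signed; the tag name key-michael, the helper name blob_tag_roundtrip and the remote layout are assumptions made for the demonstration.

```sh
#!/bin/sh
# Added example, not from the original post: runs the whole procedure
# with git alone against a throw-away repository. A constructed
# placeholder (written by printf) stands in for the exported PGP key, so
# gpg is not needed and the tag is annotated (-a) instead of signed (-s).
# Prints one line: number of copies of the tag an existing clone has
# after a plain fetch, after fetch --tags, whether a fresh clone holds
# the same blob, and the first line read back through git cat-file.
set -eu

# Identity and signing settings so that git never prompts or tries to sign.
GIT_CFG="-c user.name=example -c user.email=user@example.com"
GIT_CFG="$GIT_CFG -c commit.gpgSign=false -c tag.gpgSign=false -c init.defaultBranch=main"
GIT="git $GIT_CFG"

blob_tag_roundtrip() {
    work=$(mktemp -d)

    # Bare repository that plays the shared remote ("origin").
    $GIT init -q --bare "$work/origin.git"

    # Author's repository with one commit so that the remote has a branch.
    $GIT init -q "$work/author"
    $GIT -C "$work/author" commit -q --allow-empty -m "initial commit"
    $GIT -C "$work/author" remote add origin "$work/origin.git"
    $GIT -C "$work/author" push -q origin HEAD

    # A colleague clones the repository before the key tag exists.
    $GIT clone -q "$work/origin.git" "$work/dev"

    # Step 1: constructed placeholder instead of "gpg --armor --export".
    printf '%s\n' '-----BEGIN PGP PUBLIC KEY BLOCK-----' \
        'placeholder (not a real key)' \
        '-----END PGP PUBLIC KEY BLOCK-----' > "$work/author/key.pub"

    # Step 2: write the file into the object database and keep the blob id.
    blob=$($GIT -C "$work/author" hash-object -w key.pub)

    # Step 3: annotated tag pointing directly at the blob, not at a commit.
    $GIT -C "$work/author" tag -a -m "public PGP key of the maintainer" \
        key-michael "$blob"

    # Step 4: push the tag by name; --follow-tags would not include it.
    $GIT -C "$work/author" push -q origin key-michael

    # Step 5: the working-tree copy is no longer needed.
    rm "$work/author/key.pub"

    # Existing clone, plain fetch: the tag is not reachable from any
    # fetched commit, so tag following skips it ...
    $GIT -C "$work/dev" fetch -q origin
    plain=$($GIT -C "$work/dev" tag -l key-michael | wc -l | tr -d ' ')

    # ... whereas --tags retrieves every tag, this one included.
    $GIT -C "$work/dev" fetch -q --tags origin
    tagged=$($GIT -C "$work/dev" tag -l key-michael | wc -l | tr -d ' ')

    # A fresh clone fetches all tags by default.
    $GIT clone -q "$work/origin.git" "$work/fresh"
    fresh_blob=$($GIT -C "$work/fresh" rev-parse "key-michael^{blob}")
    if [ "$fresh_blob" = "$blob" ]; then match=same; else match=differ; fi

    # Reading the key back: cat-file peels the tag down to the blob.
    first=$($GIT -C "$work/fresh" cat-file blob key-michael | head -n 1)

    rm -rf "$work"
    echo "$plain $tagged $match $first"
}

blob_tag_roundtrip
```

Run it with sh. With a real key, replace the printf line by the gpg --armor --export command from step 1 and tag with -s instead of -a. The two counts are the point of the retrieval section: the fetch without --tags leaves the key tag behind, the one with --tags brings it in, and the fresh clone has it from the start.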

Conclusion

You can make the public PGP keys you use for development available to everyone directly in the repository. This ensures that the public key remains available even if the git repository is obtained outside the scope of the surrounding infrastructure. Keep in mind that this provides availability, not authenticity: the repository cannot tell you whether the key is genuine, so its fingerprint still has to be confirmed out of band.

This might be less relevant in the presence of GitLab, GitHub or Bitbucket, but is a nice additional measure anyway to keep your key available.

Note that the same process can be applied to store any file, including images, videos, executables and signal traces.

Have fun with it.