Put PGP Keys into Git Repositories
You can store your public PGP key inside the git repository without relying on surrounding infrastructure. I am describing how you can ensure the availability of your key that way.
Goal
Using git you can sign tags and commits during development with your PGP key. Oftentimes the public key is made available through GitLab, GitHub or BitBucket. That way other developers are able to verify the integrity of your submissions.
However, I do not want to rely on additional infrastructure surrounding the git repository. I want to make my PGP key available in the repository directly. Storing the key in the repository enables everyone who has a copy of the repository to verify my commits and tags directly, no matter how the repository was obtained.
Requirements
Pushing and receiving tags that do not point to a commit on any branch requires special handling. Therefore, your team members must be aware of the additional information in the git repository in order to retrieve it.
Steps
1. Export the public PGP key to a temporary file.
2. Hash the file content and receive the hash.
3. Tag the hashed git object.
4. Push the tag to the remote repository.
5. Delete the temporary file.
Example
1. Export Public PGP Key
First, retrieve your PGP key in ASCII-armored format. Using gpg this can be done by issuing
$ gpg --armor --export user@example.com > key.pub
Replace the email address with the one that actually corresponds to the key you would like to share.
2. Hash the PGP Key
Next, hash the contents of the file containing your PGP key.
$ git hash-object -w key.pub
10f302a27fce4e3a38f1f3f805e07acd6bd23a74
You will receive the hash corresponding to the resulting git object. The -w option writes the object into the repository's object database instead of only computing its hash.
3. Tag the Hashed git Object
Attach a tag to the hashed object. For that purpose, provide a tag name and the hash received earlier from git hash-object.
$ git tag -sa key-michael 10f302a27fce4e3a38f1f3f805e07acd6bd23a74
You might want to sign your tag using -s and annotate it using -a. In the tag message, you might want to explain the purpose of the key and how to retrieve it from the repository.
4. Push the Tag to Remote Repository
Now, make your key available to everyone by pushing it to the remote repository. An example would be
$ git push origin key-michael
Note that your tag is not attached to any branch. Therefore, you cannot use --follow-tags. Depending on your workflow the --tags option might be fine.
5. Remove Temporary File
At this point the contents of your temporary file have already been written to the repository. So, you are free to remove it from the file system.
$ rm key.pub
Retrieve the Key from Repository
From this point on the key is included in the repository for every new clone of it. However, if users have already cloned the repository, special handling is required to retrieve it.
Depending on your workflow, you need to attach --tags either to git pull or to git fetch.
$ git fetch --tags
The tag is also fetched when you supply --all to either of these commands.
To print the contents of the object the tag points to, issue
$ git cat-file blob key-michael
Using the output, the key can now be included in your gpg keyring, for instance.
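The five steps above and the retrieval, run end to end in throwaway repositories as an added example (not from the original post). It uses a constructed stand-in for the gpg export and an annotated but unsigned tag so that no gpg key is needed; in real use keep -s and check the fetched tag with git tag -v. It also shows why the tag must be pushed by name: a push with --follow-tags does not carry it along.

```shell
#!/bin/sh
# Added example: store a constructed "key" as a blob, tag the blob, push the
# tag, fetch it into a fresh clone and read it back. Returns 0 when the
# retrieved content hashes to the same blob that was stored.
store_and_retrieve_blob_tag() {
  tag_name="$1"
  work=$(mktemp -d) || return 1
  origin="$work/origin.git"; author="$work/author"; consumer="$work/consumer"
  # identity for the annotated tag and the commit (constructed values)
  export GIT_AUTHOR_NAME=Example GIT_AUTHOR_EMAIL=dev@example.com
  export GIT_COMMITTER_NAME=Example GIT_COMMITTER_EMAIL=dev@example.com

  git init -q --bare "$origin"
  git -C "$origin" symbolic-ref HEAD refs/heads/main
  git init -q "$author"
  git -C "$author" remote add origin "$origin"

  # step 1: constructed sample in place of `gpg --armor --export ... > key.pub`
  printf '%s\n' '-----BEGIN PGP PUBLIC KEY BLOCK-----' 'c2FtcGxl' \
    '-----END PGP PUBLIC KEY BLOCK-----' > "$author/key.pub"

  # step 2: write the file content into the object database, receive the hash
  blob=$(git -C "$author" hash-object -w key.pub)

  # step 3: annotated tag pointing straight at the blob, not at a commit
  git -C "$author" tag -a -m "development public key" "$tag_name" "$blob"

  # a commit pushed with --follow-tags does NOT push the tag: the blob is not
  # reachable from any commit, so the tag has to be pushed by name
  git -C "$author" commit -q --allow-empty -m "initial"
  git -C "$author" push -q --follow-tags origin HEAD:refs/heads/main
  missed=$(git -C "$author" ls-remote --tags origin | grep -c "refs/tags/$tag_name")

  # step 4: push the tag explicitly; step 5: the temporary file is no longer needed
  git -C "$author" push -q origin "$tag_name"
  rm "$author/key.pub"

  # retrieval: a new clone picks up refs/tags/*; an existing clone needs fetch --tags
  git clone -q "$origin" "$consumer"
  git -C "$consumer" fetch -q --tags
  git -C "$consumer" cat-file blob "$tag_name" > "$work/key.retrieved"
  # blobs are content-addressed: rehashing the retrieved file must give the same id
  retrieved=$(git -C "$consumer" hash-object "$work/key.retrieved")

  rm -rf "$work"
  [ "$missed" -eq 0 ] && [ "$blob" = "$retrieved" ]
}
```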
Conclusion
You can make the public PGP keys you use for development available to everyone directly in the repository. This ensures that the public key remains available even if the git repository is retrieved outside the scope of the surrounding infrastructure.
This might be less relevant in the presence of GitLab, GitHub or BitBucket, but it is a nice additional measure anyway to keep your key available.
Note that the same process can be applied to store any piece of information, including images, videos, executables and signal traces.
Have fun with it.