...
| Code Block |
|---|
$ git log --show-signature -1
commit 8beed807e820d34cc7a35a0d69e9913bed7b1b03 (HEAD -> master)
gpg: Signature made Sun May 17 01:44:55 2020 UTC
gpg: using RSA key 674CB45A
gpg: Good signature from "ItalyPaleAle-demo <43508+ItalyPaleAle@users.noreply.github.com>" [ultimate]
Author: ItalyPaleAle-demo <43508+ItalyPaleAle@users.noreply.github.com>
Date: Sun May 17 01:44:55 2020 +0000
Making my first signed commit |
Configure Visual Studio Code for signing commits
If you’re using VS Code, you can configure it to sign your Git commits with the “Git: Enable commit signing” flag ( git.enableCommitSigning).
...
Using hardware tokens
Your GPG secret key is now stored (encrypted) in your GPG keyring inside your laptop. While this should provide enough protection for most users, it is still possible to export it and thus steal it. Given that the key is encrypted with a passphrase, your key is as safe as the passphrase (choose it wisely!).
Additionally, having a private key in a file leaves open questions of how to (securely) back it up and possibly sync it across multiple devices. This Q&A on Stack Exchange Information Security contains various ideas, although it’s a bit dated. Services like Keybase can help store your secret keys on a dedicated cloud service.
A safer alternative, however, is to use a hardware token, for example security keys such as a YubiKey. This is what I use too. Among the various technologies a YubiKey supports, it can store a GPG key in a secure enclave, from where it cannot be extracted.
Setting up a YubiKey for its various functions, including storing a GPG key (and using that for signing Git commits or for connecting to a SSH server), takes a bit of time. If you just got a YubiKey and want to know how to best set it up, I highly recommend this guide from @drduh published on GitHub.