Definitely, it worth the effort, but for a quick start, I suggest following the instructions in the following guide.Īs a best practice, it is suggested to create a key hierarchy with a master key and subkeys. The installation process is pretty straightforward, and after the installation, you can use the command line ‘gpg’ utility or graphical Kleopatra application.Īlthough the usage of GPG is well-documented, it requires considerable time to get familiar with all its basic concepts. In my case, as I work on Windows, Gpg4win contained all necessary software to work with the keys. For the majority of Linux distributives, it comes preinstalled, but for Windows of MacOS you need to download and install an appropriate binary release. Creating your signature with GPGįirst, you need GPG to be installed on your machine. So, let’s go through the setup process step-by-step and talk about creating your signature, storing the private part of a key pair on a YubiKey and configuring your Git account.
I chose GPG and now the result of my efforts looks like the following: Technically, you can use both GPG and X.509 (S/MIME) keys to sign your commits, and it is only a matter of preference using WOT or PKI for your identity verification. Still, I decided to put my YubiKey to work. Unfortunately, that algorithm is not yet supported by YubiKey firmware or any other popular cryptographic software. In the configuration process, I discovered that instead of using industry standards of digital signature algorithms, the Ukrainian government decided to use a custom variation of the ECC algorithm defined by DSTU 4145-2002 state standard. Initially, I intended to use a YubiKey as a hardware key for my digital signature that I use for signing my tax reports in Ukraine.
I hope this guide will be helpful for anyone who wants to start signing their Git commits and make it work with a security token like YubiKey. By signing your commits, you can let other people know that the changes come from a trusted source if, of course, people trust your digital identity. Last week I finally managed to get my hands on a YubiKey 5 NFC I ordered last Christmas and configured it to use for signing my commits on GitHub.
0 kommentar(er)
