GPG Keys
GPG keys are a way to verify who you are online.
They can be integrated with git and dev tools such as JetBrains' IDEs.
SSH
Signing commits using an SSH key is my go-to method now.
It's far easier to get set up than GPG, and it's easier to regenerate them if needs be.
Setup
Most Systems
GitLab has really good instructions on how to set it up:
https://docs.gitlab.com/user/project/repository/signed_commits/ssh/
NixOS
For anyone on NixOS, ye can take a look at my (@silver) config.
It uses Home Manager, so it's not for everyone.
Verify on Forgejo
Once ye have the key set up locally, ye can verify it with Forgejo to get the nice green lock on yer commits.
Instructions can be found here:
https://docs.codeberg.org/security/ssh-key
GPG
Command Line
This site is a good source of info:
https://gock.net/blog/2020/gpg-cheat-sheet
GUI tools
I use Kleopatra as a GUI tool.
It has Windows and Linux versions (including NixOS).
Security
{Add section on keeping keys secure here, such as only using subkeys on devices}
Open Governance Signing
{add stuff about open governance signing here}
Troubleshooting
Forgejo GPG verification failure
If you are trying to verify a GPG key on Forgejo and it keeps failing, it may be because your key has more than one subkey.
The solution is:
- Make a backup of your GPG key.
- Delete all but one subkey.
  - This key must be a signing key.
- Run the command Forgejo gives ye.
- Restore the original key (if ye desire).
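
A read-only check for the subkey condition in the steps above, as an added example that is not part of the original page or Forgejo's own tooling: it parses `gpg --list-keys --with-colons` output and reports whether exactly one subkey remains and that subkey can sign. The function names, the `KEYID` placeholder and the sample records are constructed for illustration.

```sh
#!/bin/sh
# Added example. Parses GnuPG's colon-delimited listing, where field 1 is the
# record type, field 5 the key ID and field 12 the capabilities
# (s = sign, e = encrypt, a = authenticate).
#
# Live use (KEYID is a placeholder for your own key ID):
#   gpg --export-secret-keys --armor KEYID > backup.asc    # backup first
#   gpg --list-keys --with-colons KEYID | subkeys          # see what is there
#   gpg --list-keys --with-colons KEYID | single_signing_subkey && echo ready

# Print "KEYID CAPS" for every subkey record read from stdin.
subkeys() {
    awk -F: '$1 == "sub" { print $5, $12 }'
}

# Succeed only if stdin describes exactly one subkey and it can sign.
single_signing_subkey() {
    subkeys | awk '
        { n++; if ($2 ~ /s/) signing++ }
        END { exit !(n == 1 && signing == 1) }'
}

# Constructed sample records (not real keys): three subkeys, then one.
SAMPLE_BEFORE='pub:u:255:22:AAAAAAAAAAAAAAAA:1700000000:::u:::scESC:
sub:u:255:18:BBBBBBBBBBBBBBBB:1700000000::::::e:
sub:u:255:22:CCCCCCCCCCCCCCCC:1700000000::::::s:
sub:u:255:22:DDDDDDDDDDDDDDDD:1700000000::::::a:'
SAMPLE_AFTER='pub:u:255:22:AAAAAAAAAAAAAAAA:1700000000:::u:::scESC:
sub:u:255:22:CCCCCCCCCCCCCCCC:1700000000::::::s:'

for name in BEFORE AFTER; do
    eval "data=\$SAMPLE_$name"
    echo "== $name =="
    printf '%s\n' "$data" | subkeys
    if printf '%s\n' "$data" | single_signing_subkey; then
        echo "one signing subkey left"
    else
        echo "not yet: need exactly one subkey, and it must be able to sign"
    fi
done
```

Nothing here modifies the keyring; the subkey deletion itself is still done by hand, after the backup exists.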