Use a YubiKey to sign commits and tags

This article is the fourth in a series dealing with privacy on the Internet. I strongly recommend that you complete the third part of the series (if you haven't already) before continuing, otherwise you will have a hard time following this one. It is not technically impossible, but the same keys (among other things) are used throughout these articles, and if your key structure differs it will be a real headache.

You can use a YubiKey to sign commits and tags. The same card can also be used for SSH authentication, allowing you to push and pull without a password; the card asks for its PIN instead.

Information and requirements

Keep the following in mind when working through this article:

Global configuration

First, make sure the basic configuration is done: user.name and user.email must be set.

git config --global user.name "John Doe"
git config --global user.email john.doe@example.com

Make sure the user.email value matches an e-mail address that appears in a user ID on the PGP key. Platforms compare the committer e-mail with the key's user IDs, so a signature made with a key that carries a different address will verify cryptographically but will not be shown as verified.

Server configuration

The following settings are made on the platform you use (GitHub, GitLab, Gitea or another).

To add an SSH key, I'll leave you to search the Internet; with the right wording, the first result will give you the answer.

To add a GPG key, list your public keys (gpg -k shows each primary key with its subkeys).

gpg -k
/home/ap/.gnupg/pubring.kbx
---------------------------
pub   ed25519/0xB52326F13324098C 2020-10-11 [C]
      Key fingerprint = 0ED8 F486 1E57 693E C1E3  4EBE B523 26F1 3324 098C
uid                   [ultimate] John Doe <john.doe@example.com>
sub   ed25519/0x9B76AA52AF00EFEF 2020-10-11 [S] [expires: 2021-10-11]
sub   cv25519/0xE3AC01686E511A38 2020-10-11 [E] [expires: 2021-10-11]
sub   ed25519/0x2BA042FD767F18C1 2020-10-11 [A] [expires: 2021-10-11]

The subkey we need is the signing one ([S]). Grab its ID and export it. Note that gpg --export given a subkey ID does not export that subkey alone: it exports the whole public certificate the subkey belongs to (primary key, user ID and every subkey), as the John Doe user ID visible in the output below shows. That is what the platform needs, since a signature can only be verified against the primary key and user ID that certify the signing subkey.

gpg --armor --export 0x9B76AA52AF00EFEF
-----BEGIN PGP PUBLIC KEY BLOCK-----

mDMEX4MIRxYJKwYBBAHaRw8BAQdAwzk3djo4NsxaHdfqv39uxWA9uzQ4ckZ1/sHA
w8CCjUe0H0pvaG4gRG9lIDxqb2huLmRvZUBleGFtcGxlLmNvbT6IjgQTFgoANhYh
[...]

Copy the output of this command and paste it into your account. Once again, I'll leave you to search the Internet for how to add a GPG key to an account on the platform you use.

Client configuration

To tell git which key to use, list your secret keys.

gpg -K
/home/ap/.gnupg/pubring.kbx
---------------------------
sec#  ed25519/0xB52326F13324098C 2020-10-11 [C]
      Key fingerprint = 0ED8 F486 1E57 693E C1E3  4EBE B523 26F1 3324 098C
uid                   [ultimate] John Doe <john.doe@example.com>
ssb>  ed25519/0x9B76AA52AF00EFEF 2020-10-11 [S] [expires: 2021-10-11]
ssb>  cv25519/0xE3AC01686E511A38 2020-10-11 [E] [expires: 2021-10-11]
ssb>  ed25519/0x2BA042FD767F18C1 2020-10-11 [A] [expires: 2021-10-11]

The subkey we need is again the signing one ([S]). Copy its ID.

The markers after sec and ssb say where the private material actually lives: sec# means the primary secret key is not on this machine (only a stub is present), and ssb> means the subkey's private part is on a smartcard, here the YubiKey. If a subkey shows as plain ssb, its private part is still on disk and git would sign with that copy rather than with the card.

Now tell git which program and key to use.

Set the GPG program

git config --global gpg.program gpg

On distributions that ship GnuPG 2 as gpg2, point this at gpg2 instead; it must be the same binary you listed the keys with above, so that git talks to the same keyring and agent.

Paste the subkey ID. Appending ! to the ID (0x9B76AA52AF00EFEF!) tells gpg to use exactly that subkey rather than picking any signing-capable key itself, which matters as soon as the key carries more than one signing subkey.

git config --global user.signingkey 0x9B76AA52AF00EFEF

Enable signing for all commits

This is optional. If you don't want to sign every commit, pass the -S flag to git commit instead. Tags are signed with git tag -s; since Git 2.23, setting tag.gpgSign to true signs every tag you create (use --no-sign to skip one).

git config --global commit.gpgsign true
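The following script is an added example, not part of the original article: it walks through the server-side export and the client-side configuration above end to end, then makes one commit and one tag and checks that both carry a good signature from the intended [S] subkey. It assumes gpg 2.2 or later and git are installed. A throwaway software key with the article's user ID stands in for the YubiKey (a constructed test key with no passphrase, generated in a temporary GNUPGHOME so nothing in your real keyring or ~/.gitconfig is touched); with the card the flow is identical, except that gpg -K shows the subkey as ssb> and the first signature prompts for the user PIN. The function names and the v1.0 tag are illustrative choices.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): sign a commit and a tag with
# the [S] subkey and verify both. Constructed test key, no passphrase.
set -euo pipefail

WORK=$(mktemp -d)
export HOME="$WORK"              # git's --global config lands in $WORK/.gitconfig
export GNUPGHOME="$WORK/gnupg"   # keep the real keyring untouched
mkdir -m 700 "$GNUPGHOME"
REPO="$WORK/repo"
trap 'gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$WORK"' EXIT

# Same layout as the article's key: a cert-only primary [C] plus an ed25519
# signing subkey [S], under the article's user ID.
make_test_key() {
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key 'John Doe <john.doe@example.com>' ed25519 cert never
    local fpr
    fpr=$(gpg --batch --with-colons --list-keys john.doe@example.com \
          | awk -F: '$1 == "fpr" { print $10; exit }')
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-add-key "$fpr" ed25519 sign never
}

# Long key ID of the subkey whose capability field (field 12 of the colon
# output) contains "s": the line gpg -K prints as [S].
signing_subkey_id() {
    gpg --batch --with-colons -K \
        | awk -F: '$1 == "ssb" && $12 ~ /s/ { print $5; exit }'
}

# Exporting by subkey ID yields the whole certificate, not just that subkey:
# count primary key, user ID and subkey packets in the exported block.
exported_packet_counts() {
    gpg --armor --export "0x$1" | gpg --list-packets 2>/dev/null \
        | awk '/^:public key packet:/ { p++ } /^:user ID packet:/ { u++ }
               /^:public sub key packet:/ { s++ }
               END { printf "primary=%d uid=%d sub=%d\n", p, u, s }'
}

# The article's client configuration. The trailing "!" pins gpg to exactly this
# subkey; tag.gpgSign (git 2.23+) does for tags what commit.gpgsign does for commits.
configure_git_signing() {
    git config --global user.name "John Doe"
    git config --global user.email john.doe@example.com
    git config --global gpg.program gpg
    git config --global user.signingkey "0x$1!"
    git config --global commit.gpgsign true
    git config --global tag.gpgSign true
}

# One commit (signed automatically through commit.gpgsign) and one signed tag.
make_signed_history() {
    git init -q "$REPO"
    echo "hello" > "$REPO/README"
    git -C "$REPO" add README
    git -C "$REPO" commit -q -m "Signed commit"
    git -C "$REPO" tag -s v1.0 -m "Signed tag"
}

# %G? is the signature status (G = good, U = good but key trust unknown,
# B = bad, N = unsigned); %GK is the long ID of the key that made the signature.
commit_signature_status() { git -C "$REPO" log -1 --format=%G?; }
commit_signing_key()      { git -C "$REPO" log -1 --format=%GK; }
tag_verifies() { git -C "$REPO" verify-tag v1.0 >/dev/null 2>&1 && echo yes || echo no; }

make_test_key
SIGNING_KEYID=$(signing_subkey_id)
configure_git_signing "$SIGNING_KEYID"
echo "exported block contains: $(exported_packet_counts "$SIGNING_KEYID")"
make_signed_history
echo "commit: status=$(commit_signature_status) key=$(commit_signing_key) (expected $SIGNING_KEYID)"
echo "tag v1.0 verifies: $(tag_verifies)"
git -C "$REPO" log -1 --show-signature
```

The two checks worth keeping in your own workflow are the last ones: git log --show-signature (or git verify-commit and git verify-tag) must report a good signature, and the key ID it names must be the [S] subkey you configured, not some other signing-capable key gpg chose on its own. With the YubiKey, run the same check once after plugging the card into a new machine; if gpg -K shows the subkey as plain ssb instead of ssb>, signing is silently happening with an on-disk copy.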