this post was submitted on 10 Jan 2025
28 points (100.0% liked)

Programming

17771 readers
336 users here now

Welcome to the main community in programming.dev! Feel free to post anything relating to programming here!

Cross posting is strongly encouraged in the instance. If you feel your post or another person's post makes sense in another community cross post into it.

Hope you enjoy the instance!

Rules

Rules

  • Follow the programming.dev instance rules
  • Keep content related to programming in some way
  • If you're posting long videos try to add in some form of tldr for those who don't want to watch videos

Wormhole

Follow the wormhole through a path of communities !webdev@programming.dev

founded 2 years ago
MODERATORS
snowe@programming.dev
Ategon@programming.dev
MaungaHikoi
28
Little frustrated with Github, gpg keys, access tokens and correct setup (beehaw.org)
submitted 15 hours ago by thingsiplay@beehaw.org to c/programming@programming.dev
24 comments fedilink hide all child comments
 

This is a bit of frustration post. I'm not a professional and some stuff is super confusing. And it might not even be programming only, as this seems to be a general issue when it comes to signing and security in computers. Every time I have to reinstall my operating system (its really only a few times in a decade), one of the things i fear most is signing into Github, signing keys and setting up local git on my Linux machine. I want the verified badge. Every time its a fight in understanding and doing the right steps, creating gpg keys and access tokens and such.

Am I the only one who struggles with this? Right now I have set it up and my test repository has the badge again. Do people care about this? Especially people like me who does a few little CLI and scripts and nothing else. Am I doing enterprise level security for the sake of an icon or is this really more secure? I do not have ANY professional background. As said I seem to have setup correctly now, so this is not asking for troubleshooting. Just wanted hear about your opinion and experience, and if any of you care.

top 24 comments
sorted by: hot top controversial new old
[–] Sickday@kbin.earth 4 points 2 hours ago

In my work organization, we don't allow pushes from users that have not signed their commits. We also frequently make use of git blame along with git verify-commit. For this reason, we have most new developers at any level create a GPG key and add it to their GitHub profile shortly after they join or organization. We're a medium-sized FinTech organization though, so it's very important we keep track of who is touching what.

That said, I can't see it being all that important to an individual unless they're very security-focused. For me personally, I have multiple yubikeys and one is meant specifically for SSH authentication and GPG operations including signing commits. Since I use NixOS and home-manager, I use the programs.git module to setup automatic signing and key selection. I really haven't touched it at all in years now. It was very "set it and forget it" for me.

[–] asudox@discuss.tchncs.de 3 points 5 hours ago (1 children)

Why not use SSH keys? Imo they are much easier to manage.

[–] thingsiplay@beehaw.org 2 points 5 hours ago (1 children)

Someone else suggested SSH instead too. I will have this in mind for the next time when I struggle with gpg. I also learned that I can reuse my existing gpg setup, so maybe I do not need SSH.

[–] MajorHavoc@programming.dev 1 points 2 hours ago

maybe I do not need SSH.

Heh. FYI, I've heard those words paired later with "fuck, I should have just used SSH", fairly often.

[–] darklamer@lemmy.dbzer0.com 3 points 8 hours ago (1 children)

Every time I have to reinstall my operating system (its really only a few times in a decade),

Reinstalling your operating system once a decade seems a bit excessive. When you're more experienced you'll probably not want to do it that often.

creating gpg keys

While it is a good practice to create new PGP keys with some regularity, there's absolutely no reason to do it at the same time as reinstalling your operating system, doing that is only an unnecessary complication. The normal thing to do is to copy the entire home directory (and at least the keyring) from the old installation to the new.

Am I doing enterprise level security for the sake of an icon or is this really more secure?

The purpose of PGP signing git commits is to make it possible for others to verify that a commit has been created by you and not by someone else pretending to be you

If there are other people who look at your commits and want to verify that they really were made by you then this matters a lot. If no-one does that with your commits, it doesn't matter at all.

[–] thingsiplay@beehaw.org 1 points 7 hours ago (1 children)

I don't reinstall very often, usually use it for many years (its a rolling release). But even if I do, that should not be the problem here. As for the process to take over the old signed keys and reuse them, I didn't know. I always thought the signing is for a specific set of hardware and current os installation. I have the directory .gnupg and the files .git-credentials and .gitconfig. Is there something else I have to copy?

[–] darklamer@lemmy.dbzer0.com 3 points 7 hours ago (1 children)

I always thought the signing is for a specific set of hardware and current os installation.

Ah, no, PGP keys are intended for identifying people, not machines.

I have the directory .gnupg

That's all you need for GPG.

Is there something else I have to copy?

Why not copy your entire home directory?

[–] thingsiplay@beehaw.org 1 points 7 hours ago

I never take over entire home, only selected configurations. Usually my old drive is available as a backup, in case I forgot something important (but my last drive broke). If done correctly, this approach is much cleaner and not the actual problem, doing it since 2008. Just didn't know I could reuse my existing .gnupg directory. I'll add this dir to my regular backup routine, after everything is working as it should.

I can only test this years from now. Thank you for this advice, it will save me lot of trouble and nerves.

[–] qweertz@programming.dev 3 points 8 hours ago* (last edited 8 hours ago)

yk you can backup your passphrase-protected gpg keys in one simple copy/paste command?

[–] barf@vegantheoryclub.org 5 points 12 hours ago (1 children)

GPG keys

There’s your problem right there. Like, really. Use SSH keys for this, it is infinitely easier to deal with.

[–] Dragonish@lemmy.dbzer0.com 4 points 11 hours ago (1 children)

That has been my experience as well. Signing with SSH keys has been way easier to maintain over time than GPG. Plus you can use the same key to sign that you use for authentication to simplify system setup.

[–] thingsiplay@beehaw.org 2 points 7 hours ago

@barf Hmm, I will try SSH next time then.

[–] zbyte64@awful.systems 7 points 15 hours ago

The badge lets others know you're a masochistic

[–] zero_spelled_with_an_ecks@programming.dev 3 points 13 hours ago

How often are you reinstalling your OS? Maybe that's where your frustration should go.

[–] cherrykraken@lemmy.ca 3 points 14 hours ago (1 children)

Regarding access tokens, there's a third party credential helper for Linux that uses OAuth. I recently found it and started using it a month ago. Works pretty much the same as Git + Windows Credential Manager. In case you are running headless, there is a device mode flag that will allow you to login with the GitHub app on your phone.

https://github.com/hickford/git-credential-oauth

(And if you layer a timed cache helper before the OAuth helper... well you shouldn't have to reauthenticate every time!)

Otherwise, the Git manual lists some other credential helpers that interface with some password managers.

https://git-scm.com/doc/credential-helpers

[–] thingsiplay@beehaw.org 0 points 13 hours ago

My goal is to use git only. The problem for me is, this application "git-credential-oauth" is not in the official repository of my distribution. Which is a huge no-no for security related stuff in my opinion.

[–] MajorHavoc@programming.dev 3 points 15 hours ago

This is my moment to shine. I hire developers specifically for their Cybersecurity qualifications, and I always look at their GitHub profiles.

So... There's like a security badge you can get? Neat.

But no, I guess I don't care about that.

[–] GBU_28@lemm.ee 1 points 14 hours ago (1 children)

Huh? Gh auth login

[–] thingsiplay@beehaw.org 1 points 14 hours ago (1 children)

I don't use githubs program, but the regular git. Process is explained here: https://docs.github.com/en/authentication/managing-commit-signature-verification

[–] GBU_28@lemm.ee 1 points 14 hours ago

Yep. The gh utility fixes all that

[–] Flamekebab@piefed.social 0 points 13 hours ago* (last edited 5 hours ago) (1 children)

It's one of several reasons I moved to another platform. The amount of faff wasn't worth it for the few projects I fiddle with.

[–] Aatube@kbin.melroy.org 1 points 13 hours ago (1 children)

this is a security thing, not a taft thing. you don’t need to sign commits to push them

plus gitlab and sourcehut are so much better

[–] Flamekebab@piefed.social 1 points 5 hours ago (1 children)

OP asked for:

Just wanted hear about your opinion and experience, and if any of you care.

I found the level of security required for basic functionality to be a hindrance. For small personal projects it felt like squashing a fly with a sledgehammer. A remote repo that is too much hassle to use is functionally the same as not using one.

plus gitlab and sourcehut are so much better

I think I'll just edit out a mention of the platform I moved to. I wasn't advocating for it. To be a bit more constructive - what makes those alternatives better?

[–] Aatube@kbin.melroy.org 1 points 1 hour ago

Commit signing is not required for any functionality, unless you opt-in to some repository setting which you have to find for yourself first.

These alternatives have vastly better UI that also layout the screen much more efficiently and have more features. I find it much easier to locate information on platforms that aren't Forgejo/Codeberg. Sourcehut's federation through email also just works.