Signing Your Work as a Developer

By: David Boland

Hero image with cartoon dog, as well as a contract with a signature on it

encryption

In the last post, I built a contact us form using PGP encryption. I wanted to follow up with another cool encryption feature, signing. I will be walking through how you can sign your git commits. As well as any files/packages you build.

Signing is a form of encryption authentication. When encrypting a message in PGP, you are able to sign it with your private key. The recipient could then verify that signature with your public key. This would allow them to verify the message was in fact sent by you.

This concept of signing applies to more than messaging. Even more than encryption itself. I wanted to give some examples of how you could start signing your work as a developer. This signing doesn't involve any encryption. It serves to allow others to verify items that you have signed as yours.

This post assumes you have gpg installed.

Key Management

To begin signing, you will need public and private keys. The private key would be for you to sign with. The public key can be used to verify that signature.

Generate Key

The first step will be generating your PGP key. Run the following command to generate.

gpg --gen-key

It will ask you to provide your name, email, and a password. It will spit out information about your newly generated key.

pub   rsa2048 2019-12-04 [SC] [expires: 2021-12-03]
      XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
uid                      David Boland <david.boland@protonmail.com>
sub   rsa2048 2019-12-04 [E] [expires: 2021-12-03]

You will need reference to your key going forward. To get the Id, run the command:

gpg --list-secret-keys --keyid-format LONG

It will spit out your keys as before, but in the specified key format:

sec   rsa2048/DFD20A3D39A1913 2019-12-04 [SC] [expires: 2021-12-03]
      XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
uid                 [ultimate] David Boland <david.boland@protonmail.com>
ssb   rsa2048/XXXXXXXXXXXXXXXX 2019-12-04 [E] [expires: 2021-12-03]

The data after "rsa2048/" in the sec section is the user Id for that key. So in our case DFD20A3D39A1913. I will use it as an example going forward. But you would use your key Id.

Export Key

To verify signatures, people will need access to your public key. To export it from gpg, run the following command:

gpg --armor --export DFD20A3D39A1913

Your key will start with -----BEGIN PGP PUBLIC KEY BLOCK----- and end with -----END PGP PUBLIC KEY BLOCK-----.

Signing Commits

To sign your commits, you need to configure git locally on your machine. You also need to provide Github with your public key so that they can verify the signature on the commits.

Configuring Git

In order to sign your commits, there are a couple configuration updates that need to be made in git. First, is specifying your key that was created previously.

git config --global user.signingkey DFD20A3D39A1913

the 'global' flag makes this setting global for the specified user.

Next you may need to specify to git the instance of gpg that you are using. After setting up I got the following error.

gpg: skipped "name <name@mail.com>": secret key not available
gpg: signing failed: secret key not available
error: gpg failed to sign the data
fatal: failed to write commit object

You will get this error if you do not specify the user.signingkey. You will also get this if you have multiple gpg instances and git looks to the wrong one.

In my case I am using a console emulator, which ships with its own instance of gpg. So I needed to specify the path to my gpg instance.

git config --global gpg.program gpg

At this point you can sign your commits. When committing, you just need to add the -S flag.

You are able set up automatic signing without having to specify the flag. You can globally set the commit.gpgsign setting.

git config --global commit.gpgsign true

Configuring Github

In Github, navigate to your settings and there is an option for SSH and GPG keys. Your keys will be listed here.

screenshot of github settings where you can see the added GPG keys

In the GPG section, select New GPG key. In the text field provided, paste the public key you exported previously.

Once you push your commit, you will see it listed as "Verified" by Github.

screenshot of the commit entry in github that shows the commit as signed by the user

Signing Releases

PGP also provides a method for signing files. This is useful for signing release packages and executables. This allows users to verify the author and integrity of the package. Users may want this level of verification for security reasons. Especially if the package handles sensitive information.

There are three methods for signing with GPG. Signing, clear signing, and detached signing.

Standard signing and clear signing both effect the file itself. Standard signing is used with encryption. Clear signing wraps the input with plaintext signature. Since we don't want this type of modification, we will work with detached signature.

Detached signing creates a signature in a separate file. We can then provide the package, and provide the signature file from a trusted source. The user can then verify the package against it.

To create a signed file:

gpg --detach-sign --sign-with DFD20A3D39A1913 -o package.sig package.exe

The --detach-sign flag indicates that we want a detached signature.

The --sign-with flag allows you to provide the id of the key you want to sign with.

The final flag, -o allows you to specify the output file. Traditionally you use either a .sig or a .gpg extension.

And finally you specify the file you want to sign. In order to perform verification, you run the following command:

gpg --verify package.sig package.exe

Final Thoughts

The think the idea of signing is pretty awesome. As developers, we sometimes forget how much reach our work can have. As code/programs are shared online, it can be beneficial to verify its source.

This concept of signing isn't fool proof. Users can opt not to validate. Signers can loose their private keys. And the signature doesn't imply the code itself can be trusted. Signatures can only verify its source. But when done correctly, code signing can be useful.

As always, if you have any questions. Either about signing, or encryption in general, feel free to reach out.