@ -4,6 +4,102 @@ Updated: 2018-01-22
*Status: CURRENT*
### Table of contents
- [Protecting code integrity with PGP ](#protecting-code-integrity-with-pgp )
- [Table of contents ](#table-of-contents )
- [Target audience ](#target-audience )
- [Structure ](#structure )
- [Checklist priority levels ](#checklist-priority-levels )
- [Basic PGP concepts and tools ](#basic-pgp-concepts-and-tools )
- [Checklist ](#checklist )
- [Considerations ](#considerations )
- [Extremely Basic Overview of PGP operations ](#extremely-basic-overview-of-pgp-operations )
- [Encryption ](#encryption )
- [Signatures ](#signatures )
- [Combined usage ](#combined-usage )
- [Understanding Key Identities ](#understanding-key-identities )
- [Understanding Key Validity ](#understanding-key-validity )
- [Web of Trust (WOT) vs. Trust on First Use (TOFU) ](#web-of-trust-wot-vs-trust-on-first-use-tofu )
- [Installing OpenPGP software ](#installing-openpgp-software )
- [Installing GnuPG ](#installing-gnupg )
- [GnuPG 1 vs. 2 ](#gnupg-1-vs-2 )
- [Making sure you always use GnuPG v.2 ](#making-sure-you-always-use-gnupg-v2 )
- [Generating and protecting your master PGP key ](#generating-and-protecting-your-master-pgp-key )
- [Checklist ](#checklist-1 )
- [Considerations ](#considerations-1 )
- [Understanding the "Master" (Certify) key ](#understanding-the-%22master%22-certify-key )
- [Before you create the master key ](#before-you-create-the-master-key )
- [Primary identity ](#primary-identity )
- [Passphrase ](#passphrase )
- [Algorithm and key strength ](#algorithm-and-key-strength )
- [Generate the master key ](#generate-the-master-key )
- [Back up your master key ](#back-up-your-master-key )
- [Add relevant identities ](#add-relevant-identities )
- [Pick the primary UID ](#pick-the-primary-uid )
- [Generating PGP subkeys ](#generating-pgp-subkeys )
- [Checklist ](#checklist-2 )
- [Considerations ](#considerations-2 )
- [Create the subkeys ](#create-the-subkeys )
- [Upload your public keys to the keyserver ](#upload-your-public-keys-to-the-keyserver )
- [Upload your public key to GitHub ](#upload-your-public-key-to-github )
- [Set up a refresh cronjob ](#set-up-a-refresh-cronjob )
- [Moving your master key to offline storage ](#moving-your-master-key-to-offline-storage )
- [Checklist ](#checklist-3 )
- [Considerations ](#considerations-3 )
- [Back up your GnuPG directory ](#back-up-your-gnupg-directory )
- [Prepare detachable encrypted storage ](#prepare-detachable-encrypted-storage )
- [Back up your GnuPG directory ](#back-up-your-gnupg-directory-1 )
- [Remove the master key ](#remove-the-master-key )
- [Removing your master key ](#removing-your-master-key )
- [Remove the revocation certificate ](#remove-the-revocation-certificate )
- [Move the subkeys to a hardware device ](#move-the-subkeys-to-a-hardware-device )
- [Checklist ](#checklist-4 )
- [Considerations ](#considerations-4 )
- [The benefits of smartcards ](#the-benefits-of-smartcards )
- [Available smartcard devices ](#available-smartcard-devices )
- [Configuring your smartcard device ](#configuring-your-smartcard-device )
- [PINs don't have to be numbers ](#pins-dont-have-to-be-numbers )
- [Quick setup ](#quick-setup )
- [Moving the subkeys to your smartcard ](#moving-the-subkeys-to-your-smartcard )
- [Verifying that the keys were moved ](#verifying-that-the-keys-were-moved )
- [Verifying that the smartcard is functioning ](#verifying-that-the-smartcard-is-functioning )
- [Other common GnuPG operations ](#other-common-gnupg-operations )
- [Mounting your master key offline storage ](#mounting-your-master-key-offline-storage )
- [Updating your regular GnuPG working directory ](#updating-your-regular-gnupg-working-directory )
- [Extending key expiration date ](#extending-key-expiration-date )
- [Revoking identities ](#revoking-identities )
- [Using PGP with Git ](#using-pgp-with-git )
- [Checklist ](#checklist-5 )
- [Considerations ](#considerations-5 )
- [Understanding Git Hashes ](#understanding-git-hashes )
- [Tree hashes ](#tree-hashes )
- [Commit hashes ](#commit-hashes )
- [Hashing function ](#hashing-function )
- [Annotated tags and tag signatures ](#annotated-tags-and-tag-signatures )
- [Signed commits ](#signed-commits )
- [Signed pushes ](#signed-pushes )
- [Configure git to use your PGP key ](#configure-git-to-use-your-pgp-key )
- [How to work with signed tags ](#how-to-work-with-signed-tags )
- [How to verify signed tags ](#how-to-verify-signed-tags )
- [Verifying at pull time ](#verifying-at-pull-time )
- [Configure git to always sign annotated tags ](#configure-git-to-always-sign-annotated-tags )
- [How to work with signed commits ](#how-to-work-with-signed-commits )
- [How to verify signed commits ](#how-to-verify-signed-commits )
- [Verifying commits during git merge ](#verifying-commits-during-git-merge )
- [If your project uses mailing lists for patch management ](#if-your-project-uses-mailing-lists-for-patch-management )
- [Configure git to always sign commits ](#configure-git-to-always-sign-commits )
- [Configure gpg-agent options ](#configure-gpg-agent-options )
- [Bonus: Using gpg-agent with ssh ](#bonus-using-gpg-agent-with-ssh )
- [Protecting online accounts ](#protecting-online-accounts )
- [Checklist ](#checklist-6 )
- [Considerations ](#considerations-6 )
- [Two-factor authentication with Fido U2F ](#two-factor-authentication-with-fido-u2f )
- [Get a token capable of Fido U2F ](#get-a-token-capable-of-fido-u2f )
- [Enable 2-factor authentication on your online accounts ](#enable-2-factor-authentication-on-your-online-accounts )
- [Configure TOTP failover, if possible ](#configure-totp-failover-if-possible )
- [Further reading ](#further-reading )
### Target audience
This document is aimed at developers working on free software projects. It
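Review bot: every entry in the added table of contents has a space before the closing parenthesis of the link destination (`](#target-audience )`) and another before the closing bracket of the link text; a space inside the destination makes most Markdown renderers, including GitHub's, emit the bracketed text literally instead of a link, so the trailing spaces should be stripped, e.g. `- [Target audience](#target-audience)`. Two further points to check before merging: the anchor `#understanding-the-%22master%22-certify-key` percent-encodes the quotation marks, whereas GitHub-style heading slugs drop punctuation entirely (which would give `#understanding-the-master-certify-key`), so that entry should be confirmed against the rendered heading; and the list is flat, so sub-sections such as Encryption, Signatures and Combined usage (under the PGP operations overview) and the per-chapter Checklist/Considerations pairs (`checklist-1` through `checklist-6`) read as top-level entries, which nesting them under their parent headings would fix.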