I use GPG with [[YubiKey]]'s smartcard functionality. You have to walk through fire to make it work. I followed [drduh's YubiKey guide](https://github.com/drduh/YubiKey-Guide). [ArchWiki is also pretty nice](https://wiki.archlinux.org/title/GnuPG).

I haven't renewed my key yet. It requires access to the master key.

GPG synergizes with [[Emacs]], [[YubiKey]] and [[pass]].

## Practice

To practice GPG operations, use [ephemeral home directories](https://www.gnupg.org/documentation/manuals/gnupg/Ephemeral-home-directories.html). I suspect you have to use [[Spaced repetition]] strategies to learn GPG by heart. Force yourself to create perfect keys 10 times, renew all of them, and you might get somewhere.

A very simple example (the home directory is given as an absolute path so the commands work from any directory):

```bash
mkdir ~/temp-gpg
gpg --homedir ~/temp-gpg --list-secret-keys
```

This will yield nothing. This is good. Let's try to import HashiCorp's key so we can verify a [[Terraform]] binary:

```bash
gpg --homedir ~/temp-gpg --keyserver keyserver.ubuntu.com --recv-keys 72D7468F
```

```
gpg: key 34365D9472D7468F: public key "HashiCorp Security (hashicorp.com/security) <[email protected]>" imported
gpg: Total number processed: 1
gpg:               imported: 1
```

Download the checksum and signature files:

```bash
curl -O 'https://releases.hashicorp.com/terraform/1.0.5/terraform_1.0.5_SHA256SUMS.sig'
curl -O 'https://releases.hashicorp.com/terraform/1.0.5/terraform_1.0.5_SHA256SUMS'
```

Verify it:

```bash
gpg --homedir ~/temp-gpg --verify terraform_1.0.5_SHA256SUMS.sig
```

You should see `Good signature`:

```
terraform_1.0.5_SHA256SUMS
gpg: Signature made Wed 18 Aug 21:28:21 2021 CEST
gpg:                using RSA key B36CBA91A2C0730C435FC280B0B441097685B676
gpg: Good signature from "HashiCorp Security (hashicorp.com/security)
```

Now we know the SHA256SUMS file can be trusted and can use `shasum` to verify the binary against it:

```bash
shasum -a 256 -c terraform_1.0.5_SHA256SUMS
```

This means that you can use `mktemp` to script GPG verifications.
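An added example, not from the original page, that hardens the scripted verification: gpg's `--status-fd` output must carry a `VALIDSIG` line naming the signing-key fingerprint shown in the output above (a `Good signature` from any other key that happens to be in the keyring is rejected), and only the downloaded archive's line of the SHA256SUMS file is checked instead of the whole list. The long key id, the fingerprint and the URL layout are the ones from this page's output; the helper function names are my own.

```bash
#!/usr/bin/env bash
# Added example (not the page's script): download, pin the signer, then check
# only the artifact we fetched. Usage: ./verify-terraform.sh 1.0.5 darwin_amd64
set -euo pipefail

# Print the hash recorded for FILENAME in a SHA256SUMS file (empty if absent).
extract_sum() {            # extract_sum SUMSFILE FILENAME
  awk -v f="$2" '$2 == f { print $1 }' "$1"
}

# SHA-256 of a file; coreutils sha256sum on Linux, perl shasum on macOS.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi | awk '{ print $1 }'
}

# Succeed only if FILE's hash equals its own line in SUMSFILE.
verify_artifact() {        # verify_artifact SUMSFILE FILE
  local want have
  want="$(extract_sum "$1" "$(basename "$2")")"
  have="$(sha256_of "$2")"
  [ -n "$want" ] && [ "$want" = "$have" ]
}

# Read gpg --status-fd lines on stdin; succeed only on a VALIDSIG whose signing
# key (field 3) or primary key (last field) is the expected fingerprint.
# GOODSIG alone is also emitted for any other key present in the keyring.
check_validsig() {         # check_validsig EXPECTED_FPR < status-lines
  awk -v fpr="$1" '$1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == fpr || $NF == fpr) { ok = 1 }
                   END { exit ok ? 0 : 1 }'
}

main() {
  local version="$1" arch="$2" base='https://releases.hashicorp.com/terraform'
  local key_id='34365D9472D7468F' expected_fpr='B36CBA91A2C0730C435FC280B0B441097685B676'
  GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; trap 'rm -rf "$GNUPGHOME"' EXIT
  gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key_id"
  for f in SHA256SUMS SHA256SUMS.sig "${arch}.zip"; do
    curl -fsSLO "${base}/${version}/terraform_${version}_${f}"  # -f: fail on HTTP errors
  done
  gpg --batch --status-fd 1 --verify "terraform_${version}_SHA256SUMS.sig" 2>/dev/null \
    | check_validsig "$expected_fpr" || { echo 'signature not from expected key' >&2; exit 1; }
  verify_artifact "terraform_${version}_SHA256SUMS" "terraform_${version}_${arch}.zip" \
    || { echo 'checksum mismatch' >&2; exit 1; }
  echo "terraform_${version}_${arch}.zip verified"
}

if [ "$#" -eq 2 ]; then main "$@"; fi
```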
```bash
#!/usr/bin/env bash
set -euo pipefail

# Fresh, throw-away keyring so nothing already trusted on this machine leaks in
export GNUPGHOME="$(mktemp -d)"

base_url='https://releases.hashicorp.com'
product='terraform'
version='1.0.5'
arch='darwin_amd64'
url="${base_url}/${product}/${version}/${product}_${version}"

gpg --batch --keyserver keyserver.ubuntu.com --recv-keys 72D7468F
curl -fO "${url}_SHA256SUMS"       # -f: fail on HTTP errors instead of saving the error page
curl -fO "${url}_SHA256SUMS.sig"
gpg --batch --verify "${product}_${version}_SHA256SUMS.sig"
curl -fO "${url}_${arch}.zip"
# Check only the line for the file we downloaded; -c on the whole list would
# fail for every other platform's zip that is not present
grep "_${arch}.zip" "${product}_${version}_SHA256SUMS" | shasum -a 256 -c
```

There is a more advanced version of this for [[asdf]] [here](https://github.com/asdf-community/asdf-hashicorp/blob/master/bin/install). Tactics like this can be seen in the [[Python]] [[Docker]] [images](https://github.com/docker-library/python/blob/master/3.9/buster/Dockerfile#L30) too.

## Moving keys

Write about moving keys.

https://www.phildev.net/pgp/gpg_moving_keys.html