Using git with GPG signing

GPG?

  • PGP: the de facto standard for email security and the like since the 90s
  • GPG: does not use the patented IDEA encryption algorithm
  • Document encryption and digital signatures can be used without distribution restrictions
  • Reference

Key generation

  • I'm using Ubuntu 20.04 LTS on WSL2, and ECDSA cannot be selected there
  • To use the latest gpg on Ubuntu you would have to build gpg from source, but there is no need
  • Generate the key on Windows and then import it on Ubuntu
  • Validity period: entering 0 creates a key that never expires. I set 2 years
  • Email: I used the no-reply address GitHub provides
  • Encryption algorithm
    • The Windows default is ECDSA and the Ubuntu default is RSA 3076
    • RSA can be set up to 4096
    • RSA vs ECDSA
      • At the same key length, ECC has higher performance
      • ECC requires a much shorter key length to provide the same level of security
      • RSA has better compatibility
      • In practice both are completely safe encryption algorithms
      • Either way, once the rapidly advancing quantum computers become practical, both get broken in one go
Security (bits)   Required RSA key length (bits)   Required ECC key length (bits)
80                1024                             160-223
112               2048                             224-255
128               3072                             256-383
192               7680                             384-511
256               15360                            512+
PS C:\Users\user> cmd
Microsoft Windows [Version 10.0.22000.282]
(c) Microsoft Corporation. All rights reserved.

C:\Users\user>gpg --version
gpg (GnuPG) 2.3.3
libgcrypt 1.9.4
Copyright (C) 2021 g10 Code GmbH
License GNU GPL-3.0-or-later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: C:\Users\user\AppData\Roaming\gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
CAMELLIA128, CAMELLIA192, CAMELLIA256
AEAD: EAX, OCB
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

C:\Users\user>gpg --full-generate-key
gpg (GnuPG) 2.3.3; Copyright (C) 2021 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
(1) RSA and RSA
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
(9) ECC (sign and encrypt) *default*
(10) ECC (sign only)
(14) Existing key from card
Your selection? 9
Please select which elliptic curve you want:
(1) Curve 25519 *default*
(4) NIST P-384
(6) Brainpool P-256
Your selection? 1
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 2y
Key expires at 2023-10-21 오후 12:15:12 대한민국 표준시
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: GeunChang Ahn
Email address: 13996827+rkaehdaos@users.noreply.github.com
Comment: GeunChang's Personal GitHub Account
You selected this USER-ID:
"GeunChang Ahn (GeunChang's Personal GitHub Account) <13996827+rkaehdaos@users.noreply.github.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: AllowSetForegroundWindow(19040) failed: 액세스가 거부되었습니다.
gpg: AllowSetForegroundWindow(10180) failed: 액세스가 거부되었습니다.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key 76C333DDD6D2889A marked as ultimately trusted
gpg: directory 'C:\\Users\\user\\AppData\\Roaming\\gnupg\\openpgp-revocs.d' created
gpg: revocation certificate stored as 'C:\\Users\\user\\AppData\\Roaming\\gnupg\\openpgp-revocs.d\\662093FE99C905D96A3BDDE876C333DDD6D2889A.rev'
public and secret key created and signed.

pub ed25519 2021-10-21 [SC] [expires: 2023-10-21]
662093FE99C905D96A3BDDE876C333DDD6D2889A
uid GeunChang Ahn (GeunChang's Personal GitHub Account) <13996827+rkaehdaos@users.noreply.github.com>
sub cv25519 2021-10-21 [E] [expires: 2023-10-21]


C:\Users\user>gpg --armor --export 662093FE99C905D96A3BDDE876C333DDD6D2889A
-----BEGIN PGP PUBLIC KEY BLOCK-----
-----END PGP PUBLIC KEY BLOCK-----

C:\Users\user>

Copying and moving a GPG key

Exporting the existing key

D:\dev\gpg_key>gpg --list-keys
C:\Users\user\AppData\Roaming\gnupg\pubring.kbx
-----------------------------------------------
pub ed25519 2021-10-21 [SC] [expires: 2023-10-21]
662093FE99C905D96A3BDDE876C333DDD6D2889A
uid [ultimate] GeunChang Ahn (GeunChang's Personal GitHub Account) <13996827+rkaehdaos@users.noreply.github.com>
sub cv25519 2021-10-21 [E] [expires: 2023-10-21]


D:\dev\gpg_key>gpg --list-secret-keys
C:\Users\user\AppData\Roaming\gnupg\pubring.kbx
-----------------------------------------------
sec ed25519 2021-10-21 [SC] [expires: 2023-10-21]
662093FE99C905D96A3BDDE876C333DDD6D2889A
uid [ultimate] GeunChang Ahn (GeunChang's Personal GitHub Account) <13996827+rkaehdaos@users.noreply.github.com>
ssb cv25519 2021-10-21 [E] [expires: 2023-10-21]


D:\dev\gpg_key>gpg --export 662093FE99C905D96A3BDDE876C333DDD6D2889A > public.key

D:\dev\gpg_key>gpg --export-secret-key 662093FE99C905D96A3BDDE876C333DDD6D2889A > private.key

D:\dev\gpg_key>dir
Volume in drive D is data
Volume Serial Number is 98BB-1646

Directory of D:\dev\gpg_key

2021-10-21 오후 12:30 <DIR> .
2021-10-21 오후 12:27 <DIR> ..
2021-10-21 오후 12:30 660 private.key
2021-10-21 오후 12:29 494 public.key
2 File(s) 1,154 bytes
2 Dir(s) 632,178,692,096 bytes free

D:\dev\gpg_key>

Key import

$ gpg --import public.key
gpg: key 76C333DDD6D2889A: public key "GeunChang Ahn (GeunChang's Personal GitHub Account) <13996827+rkaehdaos@users.noreply.github.com>" imported
gpg: Total number processed: 1
gpg: imported: 1


$ gpg --import private.key
gpg: key 76C333DDD6D2889A: "GeunChang Ahn (GeunChang's Personal GitHub Account) <13996827+rkaehdaos@users.noreply.github.com>" not changed
gpg: key 76C333DDD6D2889A: secret key imported
gpg: Total number processed: 1
gpg: unchanged: 1
gpg: secret keys read: 1
gpg: secret keys imported: 1

GPG trust

$ gpg --edit-key 662093FE99C905D96A3BDDE876C333DDD6D2889A
gpg (GnuPG) 2.2.29-unknown; Copyright (C) 2021 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

sec ed25519/76C333DDD6D2889A
created: 2021-10-21 expires: 2023-10-21 usage: SC
trust: unknown validity: unknown
ssb cv25519/7EA9FFA65B8C3F4B
created: 2021-10-21 expires: 2023-10-21 usage: E
[ unknown] (1). GeunChang Ahn (GeunChang's Personal GitHub Account) <13996827+rkaehdaos@users.noreply.github.com>

gpg> trust
sec ed25519/76C333DDD6D2889A
created: 2021-10-21 expires: 2023-10-21 usage: SC
trust: unknown validity: unknown
ssb cv25519/7EA9FFA65B8C3F4B
created: 2021-10-21 expires: 2023-10-21 usage: E
[ unknown] (1). GeunChang Ahn (GeunChang's Personal GitHub Account) <13996827+rkaehdaos@users.noreply.github.com>

Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

1 = I don't know or won't say
2 = I do NOT trust
3 = I trust marginally
4 = I trust fully
5 = I trust ultimately
m = back to the main menu

Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y

sec ed25519/76C333DDD6D2889A
created: 2021-10-21 expires: 2023-10-21 usage: SC
trust: ultimate validity: unknown
ssb cv25519/7EA9FFA65B8C3F4B
created: 2021-10-21 expires: 2023-10-21 usage: E
[ unknown] (1). GeunChang Ahn (GeunChang's Personal GitHub Account) <13996827+rkaehdaos@users.noreply.github.com>
Please note that the shown key validity is not necessarily correct
unless you restart the program.

gpg> save
Key not changed so no update needed.

$ gpg --list-keys
gpg: checking the trustdb
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2023-10-21
/c/Users/user/.gnupg/pubring.kbx
--------------------------------
pub ed25519 2021-10-21 [SC] [expires: 2023-10-21]
662093FE99C905D96A3BDDE876C333DDD6D2889A
uid [ultimate] GeunChang Ahn (GeunChang's Personal GitHub Account) <13996827+rkaehdaos@users.noreply.github.com>
sub cv25519 2021-10-21 [E] [expires: 2023-10-21]

$
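After importing and trusting the key it is worth confirming what gpg now records for it without reading the human-readable listing by eye. The following Python script is an added example, not part of the original post: it parses the machine-readable `gpg --list-keys --with-colons` format and reports owner trust and the days left until expiry, which matters here because the key was created with a 2-year lifetime. The sample listing and its epoch timestamps are constructed.

```python
"""Parse `gpg --list-keys --with-colons` output and report, for each primary
key, its fingerprint, owner trust and the days left before it expires."""
import time

# Constructed sample of `gpg --with-colons --list-keys` output for the key
# created in the post; the epoch timestamps are assumed, not copied from it.
SAMPLE_LISTING = """\
pub:u:255:22:76C333DDD6D2889A:1634786112:1697858112::u:::scESC::::::ed25519::0:
fpr:::::::::662093FE99C905D96A3BDDE876C333DDD6D2889A:
uid:u::::1634786112::0000000000000000000000000000000000000000::GeunChang Ahn (GeunChang's Personal GitHub Account) <13996827+rkaehdaos@users.noreply.github.com>::::::::::0:
sub:u:255:18:7EA9FFA65B8C3F4B:1634786112:1697858112:::::e::::::cv25519::
"""

# Field 9 of a pub record is the owner trust that `gpg> trust` sets.
OWNERTRUST = {"-": "unknown", "n": "never", "m": "marginal", "f": "full",
              "u": "ultimate", "e": "expired", "r": "revoked"}

def parse_listing(text):
    """Group pub/fpr/uid/sub records into one dict per primary key."""
    keys, cur = [], None
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            cur = {"keyid": f[4], "created": int(f[5]),
                   "expires": int(f[6]) if f[6] else None,
                   "ownertrust": OWNERTRUST.get(f[8], f[8]),
                   "caps": f[11], "fpr": None, "uids": [], "subkeys": []}
            keys.append(cur)
        elif f[0] == "fpr" and cur and cur["fpr"] is None:
            cur["fpr"] = f[9]          # first fpr after pub is the primary's
        elif f[0] == "uid" and cur:
            cur["uids"].append(f[9])
        elif f[0] == "sub" and cur:
            cur["subkeys"].append((f[4], f[11]))   # (keyid, capabilities)
    return keys

def expiry_report(keys, now_ts):
    """Return (fpr, ownertrust, days_left) per key. days_left is None for a
    key without expiry and negative once the key has already expired."""
    report = []
    for k in keys:
        days = None if k["expires"] is None else (k["expires"] - now_ts) // 86400
        report.append((k["fpr"], k["ownertrust"], days))
    return report

if __name__ == "__main__":
    for fpr, trust, days in expiry_report(parse_listing(SAMPLE_LISTING), int(time.time())):
        print(f"{fpr} trust={trust} days_left={days}")
```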

Git configuration

git config --global user.signingkey 662093FE99C905D96A3BDDE876C333DDD6D2889A
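Once user.signingkey is set, the trust decision made above is what makes git report a commit as G (good) rather than U (good but from an untrusted key). The Python script below is an added example, not from the original post: it audits the per-commit signature status from git log's %G? and %GP fields against an allowlist of primary-key fingerprints. The log sample is constructed; only the fingerprint comes from the post.

```python
"""Audit the signature status git reports for each commit, flagging unsigned
commits and commits signed by a key outside an allowlist."""

# Produce the input with:
#   git log --format='%H%x09%G?%x09%GP%x09%s' <range>
# %G? is the verification status, %GP the primary-key fingerprint of the
# signing key. SAMPLE_LOG is a constructed stand-in: the fingerprint is the
# key from the post, the commit hashes are invented.
SAMPLE_LOG = """\
1111111111111111111111111111111111111111\tG\t662093FE99C905D96A3BDDE876C333DDD6D2889A\tadd README
2222222222222222222222222222222222222222\tN\t\tquick fix, committed without -S
3333333333333333333333333333333333333333\tU\tAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\tsigned by a key never trusted in gpg
4444444444444444444444444444444444444444\tY\t662093FE99C905D96A3BDDE876C333DDD6D2889A\tsigned after the 2y key expiry
"""

# Meaning of the %G? letters as documented in git-log(1).
STATUS = {"G": "good signature", "B": "bad signature",
          "U": "good signature, key not trusted (see `gpg> trust`)",
          "X": "good signature, but the signature has expired",
          "Y": "good signature made by an expired key",
          "R": "good signature made by a revoked key",
          "E": "signature cannot be checked (missing key)",
          "N": "no signature"}

# Primary-key fingerprints whose commits we accept (constructed allowlist).
TRUSTED = {"662093FE99C905D96A3BDDE876C333DDD6D2889A"}

def audit_log(text, trusted=TRUSTED):
    """Return [(short_commit, verdict)] with verdict 'ok' or the reason."""
    results = []
    for line in text.splitlines():
        commit, status, fpr, _subject = line.split("\t", 3)
        if status == "G" and fpr.upper() in trusted:
            verdict = "ok"
        elif status == "G":
            verdict = "good signature, but key is not in the allowlist"
        else:
            verdict = STATUS.get(status, f"unknown status {status!r}")
        results.append((commit[:12], verdict))
    return results

def rejected(results):
    """Commits that would fail a signed-commit policy."""
    return [c for c, v in results if v != "ok"]

if __name__ == "__main__":
    for commit, verdict in audit_log(SAMPLE_LOG):
        print(commit, verdict)
```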

Reducing passphrase prompts

gpg-agent.conf
# ~/.gnupg/gpg-agent.conf

default-cache-ttl 3600
max-cache-ttl 3600

Mac setup

Additional notes on the setup I did on a Mac a while ago.

Package install: gpg

# install the gpg package
$ brew install gpg
# install GPG Suite, the gpg key management program
$ brew cask install gpg-suite
# if you get "unknown command: cask"
$ brew install --cask gpg-suite

Key deletion

# delete the secret key first
gpg --delete-secret-key 8499A0EA0CA83898563E0F0C9B0BE5FA7C1393A7
# then delete the public key
gpg --delete-key 8499A0EA0CA83898563E0F0C9B0BE5FA7C1393A7

When errors occur on Mac

Saw this on 44bit and solved it.
Since this is my first MacBook, these MacBook-specific errors have been eating up a huge amount of time and effort.
What if the passphrase prompt does not appear and Sign failed occurs?
When the GPG key is protected by a passphrase and the GPG_TTY environment variable is not set, the passphrase prompt is not shown, so the commit may not be created and a Sign failed error appears. In that case, setting GPG_TTY with the following command fixes the problem.

$ export GPG_TTY=$(tty)

It's most convenient to just put it in ~/.zshrc (vim ~/.zshrc) and save it.
