Configuring GPG & OpenSSH for Git on OpenBSD

GnuPG (the GNU Privacy Guard) is a free implementation of the OpenPGP standard defined in RFC 4880. Its purpose is to encrypt and sign data and communications and to manage the keys used for that. GnuPG is also known as GPG, after its command-line tool gpg, which is what other applications (Git among them) integrate with; its agent, gpg-agent, can also act as an SSH agent.

Since its first release in 1997, GnuPG has been free software built around user privacy; it may be used, modified, and redistributed under the GNU GPL.

Benefits of using GnuPG keys

By using GnuPG keys, users will get the following three benefits.

  • Data integrity: GnuPG keys ensure the integrity of digital content by creating digital signatures. This allows users to verify that the content has not been tampered with during transit or delivery.
  • Authentication: GnuPG keys provide a mechanism for authenticating the source of digital content. Users can verify that the content originates from a trusted and verified entity.
  • Secure communication: GnuPG keys facilitate secure communication by enabling encryption. This ensures that only authorized parties can access encrypted data.

GnuPG is also useful when working with Git. When a commit is created with --gpg-sign (or -S), Git asks gpg to sign the commit object with the configured key; gpg prompts for the key's passphrase through pinentry (or on the terminal), and the resulting signature is stored in the commit so that anyone holding the public key can check who made it.

git commit --gpg-sign -m "sign with gpg key"
# or
git commit -S -m "sign with gpg key"

Once successful, users can view the digital signature on each commit with the --show-signature parameter.

git show 1af04a6001 --show-signature
         # ^ commit hash (abbreviated)

It will look like this.

commit 1af04a60013c8df1b0107ef29755b70feca402da (HEAD -> main, sh/main)
gpg: Signature made Fri 14 Jun 2024 07:44:44 PM WIB
gpg:                using EDDSA key 5A131FCDDAC2876802F631D1D7B52C04D9B41849
gpg: Good signature from "Hervy Work Email (Test) <work@mail.org>" [ultimate]
Primary key fingerprint: 5A13 1FCD DAC2 8768 02F6  31D1 D7B5 2C04 D9B4 1849
Author: Hervy Work Email <work@mail.org>
Date:   Fri Jun 14 19:44:44 2024 +0700

The Good signature line in the log header means the signature verified against a key in the local keyring; [ultimate] is the trust level of that key, which is ultimate here only because it is the user's own key. The line proves that the commit was signed with that key, not that the key belongs to the named person; establishing that is what key verification and the trust database are for. Using GnuPG, Git, and OpenSSH together is recommended because it leaves a verifiable trail: SSH authenticates who pushed, and the signature attests what they committed.
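Seeing one Good signature on one commit is not an audit of a branch. Git's log format exposes the verification result of every commit (%G? yields a one-letter status, %GK the signing key ID), which is enough to flag every commit in a range that is unsigned, badly signed, or signed by a key that is missing, expired, revoked, or not trusted. The script below is an added example written for this article, not code from the original page; the function names audit_signatures and audit_repo, and the sample log lines other than the first commit hash, are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit commit signature status across a git range.
#
# Input format for audit_signatures: one commit per line, as produced by
#   git log --format='%H %G? %GK' <range>
# %G? codes (git-log(1), "pretty formats"):
#   G good signature        B bad signature
#   U good but untrusted    X good but expired
#   Y good, expired key     R good, revoked key
#   E cannot be checked (e.g. key missing)   N no signature
# Prints one line per commit that is not a good, trusted signature and
# returns 1 if any such commit exists, 0 otherwise.
audit_signatures() {
    awk '
        NF == 0 { next }             # ignore blank lines
        $2 == "G" { next }           # good, trusted signature: nothing to report
        {
            reason = "unknown status " $2
            if ($2 == "N")      reason = "unsigned"
            else if ($2 == "B") reason = "BAD signature"
            else if ($2 == "U") reason = "good signature, key not trusted"
            else if ($2 == "E") reason = "cannot verify (key not in keyring)"
            else if ($2 == "X") reason = "good signature, but expired"
            else if ($2 == "Y") reason = "signing key expired"
            else if ($2 == "R") reason = "signing key revoked"
            key = ($3 == "") ? "-" : $3
            printf "%s  %-34s key=%s\n", substr($1, 1, 12), reason, key
            bad++
        }
        END { exit (bad > 0) ? 1 : 0 }
    '
}

# Run the audit on a real repository (default: every commit reachable from
# HEAD). Trust comes from the local GnuPG keyring; run it inside the repo.
audit_repo() {
    git log --format='%H %G? %GK' "${1:-HEAD}" | audit_signatures
}

# Constructed sample input: the first line reuses the commit and key ID shown
# earlier in the article, the other hashes are made up, so the audit can run
# without a repository.
sample_log() {
    cat <<'EOF'
1af04a60013c8df1b0107ef29755b70feca402da G D7B52C04D9B41849
9c6f2e1d8b7a50f4c3e2d1a0b9f8e7d6c5b4a392 N
5d4c3b2a1f0e9d8c7b6a5f4e3d2c1b0a99887766 U 1CC5EEC8BDE8BC06
0a1b2c3d4e5f60718293a4b5c6d7e8f901234567 B D7B52C04D9B41849
EOF
}

# Usage: sh audit.sh demo      (sample data)
#        audit_repo main..HEAD  (real range, after sourcing this file)
if [ "${1:-}" = "demo" ]; then
    sample_log | audit_signatures
fi
```

On the sample data three of the four commits are reported (unsigned, untrusted key, bad signature) and the function exits 1, which makes it usable as a pre-merge or CI gate: a branch passes only when every commit in the range carries a good signature from a key the reviewing machine trusts.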

This article was written on OpenBSD, for two reasons: keeping to one operating system stops the discussion from spreading across all of them (an article covering several would run to many pages), and OpenBSD is the only operating system installed on the author's machine at the time of writing.

However, all the tools used here (GnuPG, OpenSSH, and Git) are open source and also run on Linux, Windows, and macOS, so readers on those systems can skip to the steps they need.

GnuPG Key Configuration

Installing GnuPG

GnuPG can be installed on various operating systems; pick the command for yours. On the BSDs the package tools need root privileges, so run them as root or through doas/sudo.

OpenBSD

pkg_add gnupg

FreeBSD

pkg install gnupg

Checking the GnuPG version

The first thing to do after installing GnuPG is to check its version with gpg.

gpg --version
gpg (GnuPG) 2.4.5
libgcrypt 1.10.3
Copyright (C) 2024 g10 Code GmbH
License GNU GPL-3.0-or-later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /home/hervyqa/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

For example, the version above uses version 2.4.5.

Creating a new GnuPG key

If your GnuPG version is 2.1.17 or newer, use --full-generate-key, which walks through every option (algorithm, curve, expiry, user ID):

gpg --full-generate-key

On versions below 2.1.17 that option does not exist; use --gen-key with an explicit algorithm instead:

gpg --default-new-key-algo rsa4096 --gen-key

Selecting a key algorithm

After running the command, a selection of key algorithm types to use will appear.

gpg (GnuPG) 2.4.5; Copyright (C) 2024 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: directory '/home/hervyqa/.gnupg' created
Please select what kind of key you want:
   (1) RSA and RSA
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
   (9) ECC (sign and encrypt) *default*
  (10) ECC (sign only)
  (14) Existing key from card
Your selection?

There are seven options: 1, 2, 3, 4, 9, 10, and 14. Press Enter to accept the default, 9 ECC (sign and encrypt), which creates an EdDSA primary key for signing plus an ECDH subkey for encryption.

Next, select the type of elliptic curve to use.

Please select which elliptic curve you want:
   (1) Curve 25519 *default*
   (4) NIST P-384
   (6) Brainpool P-256
Your selection?

Press Enter to accept the default, 1 Curve 25519.

Selecting the GnuPG key expiration time limit

Next, choose how long the key stays valid. This walkthrough enters 0 (no expiration) to keep things simple, but for a key used to sign commits a limited lifetime such as 1y or 2y is the safer choice: the expiry date can be extended at any time with gpg --edit-key and its expire command, whereas a non-expiring key whose secret key or revocation certificate is lost stays valid forever.

Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years

Enter 0 for key does not expire, then y to confirm.

Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N)

Enter GnuPG user data

Next, enter the user data for the key: a real name, an email address, and an optional comment. For example:

  • Real name: Hervy Work Email
  • Email address: work@mail.org
  • Comment: Test

Real name: Hervy Work Email
Email address: work@mail.org
Comment: Test

The result of the GnuPG key user data will look like this.

You selected this USER-ID:
    "Hervy Work Email (Test) <work@mail.org>"

If you want to confirm, select o (okay).

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o

Check that no error appears in the terminal output. A successful run looks like the output below. Note the line reporting where the revocation certificate was stored: that file is what allows the key to be revoked if the secret key is ever lost or compromised, so copy it to offline storage, and keep it private, since anyone holding it can revoke the key.

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: /home/hervyqa/.gnupg/trustdb.gpg: trustdb created
gpg: directory '/home/hervyqa/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/home/hervyqa/.gnupg/openpgp-revocs.d/5A131FCDDAC2876802F631D1D7B52C04D9B41849.rev'
public and secret key created and signed.

pub   ed25519 2024-06-06 [SC]
      5A131FCDDAC2876802F631D1D7B52C04D9B41849
uid                      Hervy Work Email (Test) <work@mail.org>
sub   cv25519 2024-06-06 [E]
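The interactive dialogue above can be reproduced without prompts, which is how a key policy (algorithm, expiry, user ID) gets applied consistently on new machines. The script below is an added example written for this article, not something from the original page: it generates the same ed25519/cv25519 key pair as the walkthrough, but with a two-year expiry instead of none, inside a GNUPGHOME directory passed as an argument, then prints the fingerprint and checks that the revocation certificate was written. The function names (make_signing_key, key_fingerprint, is_fingerprint, have_revocation_cert) and the parameter file are the example's own; %no-protection is used only so a throwaway key can be generated unattended and must be replaced by a Passphrase: line or the normal pinentry prompt for a real key.

```sh
#!/bin/sh
# Added example: unattended GnuPG key generation with an expiry date, using
# the parameter-file syntax described under "Unattended key generation" in
# gpg(1). Nothing here is from the original article.
#
# Usage: make_signing_key <gnupghome> "<Real Name>" <email> [comment] [expiry]
# Prints the 40-hex-digit fingerprint of the new primary key on stdout.
make_signing_key() {
    home=$1 name=$2 email=$3 comment=${4:-} expire=${5:-2y}
    mkdir -p "$home"
    chmod 700 "$home"              # gpg warns about unsafe permissions otherwise

    # Same algorithms the interactive dialogue picks by default: an
    # EdDSA/ed25519 primary key for signing (and certifying) plus an
    # ECDH/cv25519 subkey for encryption, both expiring after $expire.
    # %no-protection: NO passphrase. Only acceptable for a throwaway test key;
    # for a real key delete that line (gpg then prompts) or add
    # "Passphrase: ..." supplied from a secret store.
    GNUPGHOME=$home gpg --batch --quiet --generate-key <<EOF
%no-protection
Key-Type: eddsa
Key-Curve: ed25519
Key-Usage: sign
Subkey-Type: ecdh
Subkey-Curve: cv25519
Subkey-Usage: encrypt
Name-Real: $name
${comment:+Name-Comment: $comment}
Name-Email: $email
Expire-Date: $expire
%commit
EOF
    key_fingerprint "$home"
}

# Print the primary-key fingerprint(s) in a GNUPGHOME from the stable,
# machine-readable --with-colons output: field 10 of the "fpr" record that
# directly follows a "sec" record (the one after "ssb" is the subkey's).
key_fingerprint() {
    GNUPGHOME=$1 gpg --batch --with-colons --list-secret-keys 2>/dev/null |
        awk -F: '$1 == "sec" { want = 1; next }
                 $1 == "fpr" && want { print $10; want = 0 }'
}

# A v4 OpenPGP fingerprint is 40 upper-case hex digits.
is_fingerprint() {
    printf '%s' "$1" | grep -Eq '^[0-9A-F]{40}$'
}

# GnuPG 2.1 and later store a revocation certificate for every new key as
# openpgp-revocs.d/<FINGERPRINT>.rev. Return 0 if one exists for this key.
have_revocation_cert() {
    [ -s "$1/openpgp-revocs.d/$2.rev" ]
}

# Demo: build a throwaway key in a temporary directory, report, and stop the
# gpg-agent that the generation started for that directory.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d /tmp/gpgdemo.XXXXXX)
    fpr=$(make_signing_key "$tmp" "Hervy Work Email" "work@mail.org" "Test" 2y)
    echo "fingerprint: $fpr"
    have_revocation_cert "$tmp" "$fpr" && echo "revocation certificate: $tmp/openpgp-revocs.d/$fpr.rev"
    GNUPGHOME=$tmp gpgconf --kill gpg-agent
fi
```

Pointing GNUPGHOME at a short path matters: gpg-agent creates its socket inside it (when no per-user runtime directory is available), and very long paths exceed the socket name limit.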

Viewing GnuPG key ID

gpg --list-secret-keys --keyid-format long
/home/hervyqa/.gnupg/pubring.kbx
--------------------------------
sec   ed25519/D7B52C04D9B41849 2024-06-06 [SC]
      Key fingerprint = 5A13 1FCD DAC2 8768 02F6  31D1 D7B5 2C04 D9B4 1849
uid                 [ultimate] Hervy Work Email (Test) <work@mail.org>
ssb   cv25519/1CC5EEC8BDE8BC06 2024-06-06 [E]

Two identifiers for this key appear in the output:

  • Key ID (long format) = D7B52C04D9B41849
  • Fingerprint = 5A13 1FCD DAC2 8768 02F6 31D1 D7B5 2C04 D9B4 1849

The long key ID is simply the last 16 hex digits of the fingerprint. Prefer the full fingerprint wherever a tool accepts it (Git's user.signingkey does), since a key ID is a truncation and identifies the key less reliably. The key ID or fingerprint is added to the Git configuration in the Git section below; OpenSSH does not use it.

SSH Key Configuration

OpenSSH (OpenBSD Secure Shell) is the OpenBSD project's implementation of the SSH (Secure Shell) protocol: a client, a server, and key-management tools for logging in to and transferring files with remote machines over an encrypted, authenticated channel. It ships with the BSDs and macOS, is available on Windows, and is the SSH implementation used by most Linux distributions.

The word SSH is used in several senses:

  1. The Secure Shell network protocol.
  2. The OpenSSH software.
  3. The company SSH Communications Security (ssh.com), which sells a commercial implementation.

This article uses only the first two senses; the third is not its subject. Concretely:

  1. SSH as a network protocol means Secure Shell, and SSH keys are the key pairs used for public-key authentication in that protocol.
  2. OpenSSH is the software that generates, manages, and uses those keys.

Installing OpenSSH

Unlike GnuPG, OpenSSH usually does not need installing on a BSD: it is developed by the OpenBSD project and is part of the OpenBSD base system, so ssh, sshd, ssh-keygen, and ssh-agent are already present and there is no openssh package to add. FreeBSD also ships OpenSSH in its base system; the port is only needed when a newer release than the one in base is wanted.

OpenBSD

Nothing to install; OpenSSH is in the base system.

FreeBSD (only for a newer release than base provides)

pkg install openssh-portable

Checking the OpenSSH version

Each operating system may ship a different version of OpenSSH. Users can view the OpenSSH version with this command.

ssh -V
OpenSSH_9.7p1, OpenSSL 3.0.13 30 Jan 2024

For example, the output above shows version 9.7p1. The p suffix marks the portable release packaged for systems other than OpenBSD; on OpenBSD itself the output is simply OpenSSH_9.7 and names LibreSSL rather than OpenSSL.

Checking SSH Keys

SSH keys authenticate remote logins over SSH. For developers they are most commonly used to push to and pull from git forges such as sourcehut, GitHub, or GitLab.

Before generating a key, check whether ~/.ssh already holds one, so that it is not overwritten (ssh-keygen asks before overwriting an existing file, but an absent-minded y destroys the old key). The listing below is from a machine that already has an ed25519 key; the exact column layout depends on which ls is installed.

ls -al ~/.ssh
Permissions Size User    Date Modified Name
.rw-------   203 hervyqa 21 Mar 07:09  config
.rw-------   464 hervyqa 21 Mar 07:09  id_ed25519
.rw-------    99 hervyqa 21 Mar 07:09  id_ed25519.pub
.rw-------  3.6k hervyqa 21 Mar 07:09  known_hosts

The public key file is named after the key type; the usual names are:

  • id_rsa.pub
  • id_ecdsa.pub
  • id_ed25519.pub

Whatever is there, the directory should be mode 700 and the private key files mode 600: ssh refuses to use a private key that other users can read. If the directory is empty or does not exist, proceed to the next step to create a new SSH key.

Creating a new SSH key

ssh-keygen -t ed25519 -C "work@mail.com"

The -sk key types (ecdsa-sk and ed25519-sk, available since OpenSSH 8.2) are for FIDO/U2F hardware authenticators: the private key is bound to the token, which must be plugged in (and usually touched) both when the key is generated and every time it is used. Choose one of them only when you have such a token; a plain ed25519 key needs no special hardware. For example:

ssh-keygen -t ecdsa-sk -C "work@mail.com"

Just press enter to select the default directory location.

Generating public/private ed25519 key pair.
Enter file in which to save the key (/home/hervyqa/.ssh/id_ed25519): (ENTER)
Created directory '/home/hervyqa/.ssh'.

Next, enter a passphrase, which encrypts the private key on disk. Leaving it empty stores the key in clear, so anyone who can read the file can use it; choose a passphrase and let ssh-agent (below) cache it for the session.

Enter passphrase (empty for no passphrase):
Enter same passphrase again:

If successful, the output will look like this.

Your identification has been saved in /home/hervyqa/.ssh/id_ed25519
Your public key has been saved in /home/hervyqa/.ssh/id_ed25519.pub
The key fingerprint is:
SHA256:KUfzOkl2FyOf5/30nIEH60jrdNV2HafUCl8fdjgVBL8 work@mail.com
The key's randomart image is:
+--[ED25519 256]--+
|             .ooo|
|              .+ |
|        o . + +==|
|       . + o B.=X|
|      . S o +.=E*|
|       = + . o=o.|
|        +  o +.oo|
|         .o = .o=|
|          .+ . .+|
+----[SHA256]-----+

Please note, based on the output above, there are two files that you need to know about:

  • The private/secret key is located at: ~/.ssh/id_ed25519.
  • The public key is located at: ~/.ssh/id_ed25519.pub.

The key that can be shared is id_ed25519.pub because it is public.

Changing the SSH key comment

The email given with -C is only a comment stored alongside the key; no server checks it, and a git forge identifies the key by its public part, not by this string. To change the comment on an existing key:

ssh-keygen -c -f ~/.ssh/id_ed25519 -C "newusername@mail.com"

  • -c changes the comment in the private and public key files.
  • -f names the private key file.
  • -C is the new comment.

Adding SSH Keys to ssh-agent

Adding a key to ssh-agent means the passphrase is entered once per session: the agent keeps the decrypted key in memory and answers signing requests from ssh, so git push and git pull over SSH (from git, gitui, lazygit, or anything else in the terminal) no longer prompt. The key stays usable until the agent exits or, if ssh-add is given a lifetime with -t, until that lifetime runs out; that window is also what anyone who gains access to the session can use, so keep it bounded on shared or unattended machines.

The following is the command to run ssh-agent in the background.

eval "$(ssh-agent -s)"

Then add the private key with ssh-add.

ssh-add ~/.ssh/id_ed25519
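The steps in this section (check ~/.ssh, generate a key with a passphrase, load it into ssh-agent) can be collected into one script. The one below is an added example written for this article, not code from the original page. It adds the check a practitioner usually wants first: that ~/.ssh is mode 700 and every private key, config, and authorized_keys file is mode 600, because ssh refuses to use a private key that other users can read and sshd (with its default StrictModes) ignores an authorized_keys that others can write. Function names (check_ssh_perms, fix_ssh_perms, ensure_ssh_key, load_ssh_key) and the 8-hour agent lifetime are the example's own choices.

```sh
#!/bin/sh
# Added example: ~/.ssh hygiene, key creation and agent loading in one place.
# Not from the original article; every name below is the example's own.

# List every entry under an ssh directory with permissions looser than ssh
# expects: the directory itself and everything that is not a *.pub file must
# have no group/other bits at all. Prints the offenders; returns 1 if any.
check_ssh_perms() {
    dir=${1:-$HOME/.ssh}
    [ -d "$dir" ] || { echo "$dir: missing"; return 1; }
    # -perm -0NN with a leading '-' matches when ALL bits of the mask are set;
    # OR-ing the six single group/other bits matches when ANY of them is set.
    find "$dir" ! -name '*.pub' \
        \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print |
        awk '{ print $0 ": group/other access" } END { exit (NR > 0) ? 1 : 0 }'
}

# Tighten permissions the way ssh wants them: 700 on the directory, 600 on
# private keys and other private files, 644 on public keys.
fix_ssh_perms() {
    dir=${1:-$HOME/.ssh}
    chmod 700 "$dir"
    find "$dir" -type f ! -name '*.pub' -exec chmod 600 {} +
    find "$dir" -type f -name '*.pub' -exec chmod 644 {} +
}

# Create an ed25519 key if none exists. No -N is passed, so ssh-keygen prompts
# for a passphrase; do not leave it empty. -a raises the KDF rounds that
# protect the passphrase against offline guessing if the file leaks.
ensure_ssh_key() {
    key=${1:-$HOME/.ssh/id_ed25519}
    if [ -f "$key" ]; then
        echo "$key already exists, not overwriting"
        return 0
    fi
    mkdir -p "$(dirname "$key")" && chmod 700 "$(dirname "$key")"
    ssh-keygen -t ed25519 -a 64 -C "${2:-work@mail.com}" -f "$key"
}

# Start an agent only if none is reachable (ssh-add -l exits 2 when it cannot
# talk to an agent, 1 when the agent merely has no keys), then load the key
# for a bounded lifetime instead of until the agent exits.
load_ssh_key() {
    key=${1:-$HOME/.ssh/id_ed25519}
    rc=0
    ssh-add -l >/dev/null 2>&1 || rc=$?
    if [ "$rc" -eq 2 ]; then
        eval "$(ssh-agent -s)" >/dev/null
    fi
    ssh-add -t 8h "$key"
}

# Demo: sh sshsetup.sh demo
if [ "${1:-}" = "demo" ]; then
    check_ssh_perms || fix_ssh_perms
    ensure_ssh_key
    load_ssh_key
fi
```

The permission functions take a directory argument so they can be run against a staging copy or another user's directory during an audit; with no argument they act on ~/.ssh.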

Git Configuration

Installing Git

Git can also be installed on any platform, especially BSD.

OpenBSD

pkg_add git

FreeBSD

pkg install git

Checking the Git version

Each operating system may have a different Git version. Users can view the Git version with this command.

git --version
git version 2.44.1

For example, the version above uses version 2.44.1.

Adding Username and Email

Add a username and email. The username is typically the account name on a git forge such as sourcehut, GitHub, GitLab, or Codeberg. For example, hervyqa and work@mail.org. Use the same address that is in the GnuPG user ID: forges such as GitHub only display a signature as verified when the commit email matches a user ID on the signing key.

git config --global user.name 'hervyqa'
git config --global user.email 'work@mail.org'

Adding GnuPG Key ID to Git

Next, add the GnuPG key ID to the Git configuration. The ID is the one shown under Viewing GnuPG key ID above; the full 40-digit fingerprint works too and is the less ambiguous choice, since a 16-digit key ID is only the tail of the fingerprint.

git config --global user.signingkey D7B52C04D9B41849

If you don’t want to add --gpg-sign manually, you can add this configuration.

git config --global commit.gpgsign true

At the same time, if you want to create a tag without manually adding --gpg-sign.

git config --global tag.gpgsign true

An additional, unrelated setting names the initial branch of new repositories main instead of master.

git config --global init.defaultBranch main

Viewing All Git Configurations

If you want to view the configurations that have been set previously, you can use the command below.

git config --global --list

The same settings live in a plain-text file. Git writes --global settings to ~/.gitconfig unless that file is absent and ~/.config/git/config exists, in which case it uses the latter, as on this system:

cat ~/.config/git/config
[commit]
        gpgSign = true

[init]
        defaultBranch = "main"

[tag]
        gpgSign = true

[user]
        email = "work@mail.org"
        name = "Hervy Work Email"
        signingKey = "D7B52C04D9B41849"

In conclusion

The CLI steps above take longer than clicking through a GUI, and graphical clients exist for GnuPG, OpenSSH, and Git. The point here, though, is for readers to understand what each command does, so that whatever front end they use later, they know what is happening underneath. That literacy in OpenSSH and Git pays off throughout software development.