This is PART-04 of the Yet Another GIT-Reference series.
Now it's time to learn how to secure your GIT repositories [& maybe even make version-control easier in the process].
Now before I proceed, let me say that while it is important to have a strong password, it's generally a good idea to configure two-factor authentication for your Version-Control/Source-Control account [Whether it be GitHub, GitLab, Codeberg etc...] in case your password or device ever gets compromised. Keep in mind that 2FA protects the web-login; SSH-Keys & access-tokens authenticate on their own, which is why the rest of this part is about protecting those properly. You can use these authenticator-apps:-
- GNOME-Authenticator [On Desktop]
- Aegis-Authenticator [On Android]
- KeePassXC [YES, it has TOTP functionality]
SETTING UP S.S.H
You'll have 2 ways of cloning/pushing to your remote-repository. The default way is over HTTPS, where you input your username & a password or access-token [many services require an access-token instead of the account-password here, especially once 2FA is enabled].
But there's a more hassle-free [& more secure] way of doing it while avoiding inputting usernames & passwords repeatedly & that is via SSH-Keys: the private-key never leaves your machine, so there is no reusable secret to phish or to leak from a credential-store.
SSH [SSH = Secure-SHell] is a cryptographic network-protocol for operating network-services securely over an unsecured network.
- Generating SSH-Keys: In order to use the keys, first you need to GENERATE them. The command to do that is as follows [the "-C" OPTION attaches a label/comment to the key, which helps in identifying it later; "-a 100" sets the number of KDF rounds used when encrypting the private-key with your passphrase]:-
ssh-keygen -t ed25519 -a 100 -C "LABEL_YOUR_KEY"
- This generates an SSH-Key; which is an asymmetric Public+Private Key-Pair. The PRIVATE-Part of the "Key-Pair" should be kept safe & NEVER SHARED WITH ANYONE [it is the file WITHOUT the ".pub" extension]. The PUBLIC-Part [the ".pub" file] can be shared freely; it is what you upload to the GIT-Service.
- Next; it'll prompt you for a file to save the key in; you can just press ENTER instead, which'll save it in the DEFAULT-Location [Which is "~/.ssh/id_ed25519" for the private-key & "~/.ssh/id_ed25519.pub" for the public-key].
- Now; you will also be prompted to set a Passphrase [Which is something you should definitely do] in order to protect your PRIVATE-KEY. You could leave the prompt empty, but then anyone who gets hold of the file can use your key immediately; with a passphrase the file is encrypted on disk. To avoid retyping the passphrase for every push, add the key to "ssh-agent" once per session with "ssh-add ~/.ssh/id_ed25519".
- Adding Your SSH-Key: Now we need to add the newly-generated SSH-Key to your Account [Here I'll be using the GIT-Service "CODEBERG" as an example, since I use it].
- Just navigate to "SETTINGS" & then to the "SSH/GPG-Keys" TAB & click "Add Key" in the Manage SSH-Keys Section.
- You need to Copy & Paste the PUBLIC-Key ONLY [And NOT the Private-Key]. On Linux one of the various command-line/terminal tools you can use to copy the Public-Key to the clipboard is xclip [If you don't have it already installed then install it via the package-manager in your terminal]:-
xclip -selection clipboard < ~/.ssh/id_ed25519.pub
You can use any text-editor as well, just navigate to the hidden folder called ".ssh" in your home-directory & copy the text in the Public-Key file [The file ending in ".pub" is the PUBLIC-KEY FILE, here it is "id_ed25519.pub"; it is a single line starting with "ssh-ed25519"]. Alternatively "cat ~/.ssh/id_ed25519.pub" prints it to the terminal.
- Now Paste your PUBLIC-KEY into the Text-Box/Content-Field provided & give an appropriate name to your Key.
- Click the Add key button & now you have successfully added your SSH-key.
- Verify the Added SSH-Key
- Simply go to the "SSH/GPG-Keys" TAB in your "SETTINGS" & click on the VERIFY Button next to the SSH-Key that you just added.
- Next; copy the command that is shown into your terminal & make sure to replace "/PATH_TO_YOUR_PRIVATE-KEY" with the ACTUAL location of your PRIVATE-KEY [e.g. "~/.ssh/id_ed25519"]. The command signs a token provided by the server with your private-key, which proves to the server that you actually hold the key matching the uploaded public-key.
- So now copy the OUTPUT of the command INCLUDING the "-----BEGIN SSH SIGNATURE-----" & "-----END SSH SIGNATURE-----" lines as well & then paste it into the Text Box provided.
- Now then click the VERIFY-Button again.
- Verifying SSH-Connection: It is also VERY IMPORTANT to verify the identity of the server you connect to [its host-key fingerprint] to prevent any Man-In-The-Middle-Attack; that is covered right after this. First, test that authentication works with the command:
ssh -T git@codeberg.org
& the OUTPUT [Here we'll use CODEBERG, since I use it] will look like this:-
Hi there, ____! You've successfully authenticated with the key named ____, but Forgejo does not provide shell access.
If this is unexpected, please log in with password and setup Forgejo under another user.
It means your SSH setup has gone smoothly, so congrats.
Now as a protective measure SSH will ask you whether it should trust the server or not when you connect to it for the first time [so this prompt appears BEFORE the greeting above, on your very first connection]. It'll show you a host-key FingerPrint [The key-type could be RSA, ECDSA or ED25519; SHA256 is the hash used to compute the fingerprint, not a key-type] & it'll look something like this as an example:-
The authenticity of host 'codeberg.org (159.69.0.178)' can't be established.
ECDSA key fingerprint is SHA256:T9FYDEHELhVkulEKKwge5aVhVTbqCW0MIRwAfpARs/E.
Are you sure you want to continue connecting (yes/no/[fingerprint])?
Now please do notice the KEY-TYPE [Here, ECDSA] & the SHA256-FingerPrint itself [Here, SHA256:T9FYDEHELhVkulEKKwge5aVhVTbqCW0MIRwAfpARs/E]. You will have to Cross-Check BOTH against the ones published by your respective GIT-Service [over HTTPS, on its documentation/help pages; never trust the value in the prompt on its own, since that is exactly what an attacker in the middle controls]. Only choose "yes" when the FingerPrints Match; if they do not, then DO NOT ACCEPT the connection. Instead of typing "yes" you can also paste the published fingerprint at the prompt [that is what the "[fingerprint]" option means]: SSH then compares it with the server's key & only continues if the two match. Once accepted, the host-key is stored in "~/.ssh/known_hosts" & SSH will warn loudly if the server's key ever changes.
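As an added example (this is not code from the original post, nor from Codeberg/Forgejo), here is a small shell script that does the cross-check mechanically: it pulls the key-type & fingerprint out of the "authenticity of host" prompt text shown above and compares it with the fingerprint you copied from the service's documentation. The prompt text is the constructed sample from this post; the "published" value is assumed to have been copied from the service's docs page. The optional "live_fingerprint" helper needs network access plus OpenSSH's ssh-keyscan/ssh-keygen, so it is not run by the demo.

```shell
# Added example: check the SSH host-key fingerprint from a first-connection
# prompt against the fingerprint published by the Git service.
set -e

# Normalise a fingerprint so that "SHA256:abc", "abc", "abc." and "abc="
# all compare equal (OpenSSH omits base64 padding; the prompt adds a full stop).
normalize_fp() {
    local fp="$1"
    fp="${fp#SHA256:}"      # drop the hash-type prefix if present
    fp="${fp%.}"            # drop a trailing full stop copied from the prompt
    fp="${fp%%=*}"          # drop base64 padding
    printf '%s' "$fp"
}

# Print "<KEYTYPE> <FINGERPRINT>" from the "... key fingerprint is ..." line
# of the prompt; prints nothing if no such line exists.
fingerprint_from_prompt() {
    printf '%s\n' "$1" \
        | sed -n 's|^\([A-Z0-9]*\) key fingerprint is \(SHA256:[A-Za-z0-9+/=]*\)\.\{0,1\}$|\1 \2|p'
}

# Returns 0 on a match (safe to answer "yes") and 1 on a mismatch.
check_fingerprint() {
    local published="$1" shown="$2"
    if [ "$(normalize_fp "$published")" = "$(normalize_fp "$shown")" ]; then
        echo "MATCH: safe to answer yes"
        return 0
    fi
    echo "MISMATCH: do NOT accept the connection"
    return 1
}

# Optional live check (needs network + OpenSSH): fetch the server's key of the
# given type and print its SHA256 fingerprint without answering any prompt.
live_fingerprint() {
    local host="$1" type="$2"
    ssh-keyscan -t "$type" "$host" 2>/dev/null | ssh-keygen -lf - | awk '{ print $2 }'
}

# --- demo on constructed input: the prompt text quoted in the post ---
PROMPT=$(cat <<'EOF'
The authenticity of host 'codeberg.org (159.69.0.178)' can't be established.
ECDSA key fingerprint is SHA256:T9FYDEHELhVkulEKKwge5aVhVTbqCW0MIRwAfpARs/E.
Are you sure you want to continue connecting (yes/no/[fingerprint])?
EOF
)
# Assumption: this value was copied from the service's documentation page.
PUBLISHED_ECDSA='SHA256:T9FYDEHELhVkulEKKwge5aVhVTbqCW0MIRwAfpARs/E'

set -- $(fingerprint_from_prompt "$PROMPT")
shown_type="$1"
shown_fp="$2"
echo "prompt shows key-type=$shown_type fingerprint=$shown_fp"
check_fingerprint "$PUBLISHED_ECDSA" "$shown_fp"
```

The comparison is done on the normalised strings on purpose: a trailing "." or "=" copied along with the fingerprint is the most common reason a correct fingerprint "does not match" when eyeballed. The key-type is printed as well because a service publishes one fingerprint per key-type, and comparing an ED25519 fingerprint against the published ECDSA one tells you nothing.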
Now there you have it, you have now successfully setup a SSH-Key for your Account/Repository.
SETTING UP G.P.G
OpenPGP [PGP = Pretty-Good-Privacy] is an open cryptography standard for encryption & digital signatures; here, it is used to sign commits [& tags]. "GPG" [GnuPG] is the free-software TOOL that implements the OpenPGP standard, so technically it's a GPG-Key, even though it could also be called a PGP-KEY.
Signing helps people verify that the commits were actually made by the holder of the key & not someone else pretending to be the developer: anyone can set "user.name" & "user.email" to your values, but only you can produce a signature with your private-key. The GIT-Service marks such commits as "Verified" once your public-key is attached to your account.
There are several programs that implement OpenPGP; if you are on Windows then use Gpg4win.
On Linux GPG is normally installed already [We'll proceed as if we're on Linux].
- Generating PGP/GPG-Keys: Now to generate the GPG-Keys you need to type the command:-
gpg --full-generate-key
Now, it'll give you a series of prompts & even though you can answer them in any way you like based on the options it provides; I'll give you the recommended responses in sequence:-
- 1 [RSA and RSA, i.e. a signing primary-key plus an encryption subkey. Newer GPG versions (2.3+) default to ECC/ed25519 keys instead, which are also fine for signing & give much shorter keys]
- 4096 [The key-size in bits]
- 1y [This is the Validity of the key. NOTE that a bare number like "1" means 1 DAY, so use the suffix: "1y" = 1 year, "6m" = 6 months, "2w" = 2 weeks. You can type "0" for it to "not expire", but an expiry date is the safer choice: if you ever lose access to the key it stops being trusted on its own, & you can extend the expiry at any time with "gpg --edit-key"]
Now, simply re-check your responses/entries & confirm with "y". You will then be asked for your Real-Name, your Email [make sure it's the one that you use for your GIT-Service, otherwise the service cannot match signed commits to your account] & a Passphrase. [You'll need the passphrase every time the key signs a commit, & when you revoke it]
This generates a GPG-Key; which is ALSO a Public+Private Key-Pair. The PRIVATE-Part should be kept safe & NEVER SHARED WITH ANYONE; While the PUBLIC-Part can be shared with anyone.
- Adding Your PGP/GPG-Keys: Now in order to add your GPG-Key to your User-Account, the steps are similar to what you did when adding your SSH-Keys, the difference being; now you add the key to the "Manage GPG-Keys" Section instead.
But to do that you are going to need the ID of your newly-created GPG-Key & the command to obtain it is as follows:-
gpg --list-secret-keys --keyid-format LONG
The OUTPUT will look something like this:-
/home/USER/.gnupg/pubring.kbx
--------------------------
sec   rsa4096/3AA5C34371567BD2 2021-06-06 [SC] [expires: 2022-06-06]
      6CD8F2B4F3E2E8F08274B563480F8962730149C7
uid           [ultimate] USERNAME <EMAIL>
ssb   rsa4096/42B317FD4BA89E7A 2021-06-06 [E] [expires: 2022-06-06]
The GPG-Key-ID is the part after the "/" on the "sec" line [Here, "3AA5C34371567BD2" is your GPG-Key-ID; the "[SC]" flags mean this key can Sign & Certify, while the "ssb" line below it is an Encryption-only ([E]) subkey, NOT the one you sign with]. The 40-character line underneath it is the key's full FINGERPRINT, which you can use anywhere a Key-ID is accepted & which, unlike the 16-character ID, cannot be mistaken for another key. Use the command below with the GPG-Key-ID you just obtained to print your PUBLIC-Key in ASCII-armored form:-
gpg --armor --export 3AA5C34371567BD2
- Now first navigate to "SETTINGS" & then to the "SSH/GPG-Keys" TAB.
- Now copy the OUTPUT of the command INCLUDING the "-----BEGIN PGP PUBLIC KEY BLOCK-----" & "-----END PGP PUBLIC KEY BLOCK-----" lines as well & then paste it into the Text-Box/Content-Field provided in the "Manage GPG-Keys" Section.
- Now then click the Add Key Button.
- Verifying the Added PGP/GPG-Keys
- To Verify the GPG-key simply go to the "SSH/GPG-Keys" section in your "SETTINGS" & click on the VERIFY Button next to the GPG-Key that you just added.
- Next copy the command that appears into your terminal [But not before replacing the placeholder for your key with the ACTUAL value: for GPG that is your Key-ID, since GPG private-keys live in its keyring rather than in a file you point to]. As with SSH, the command signs a token from the server with your private-key to prove that you hold it.
- Then just copy the output INCLUDING THE "-----BEGIN PGP SIGNATURE-----" & "-----END PGP SIGNATURE-----" lines & then paste it into the Text-Box/Content-Field provided.
- Now then click the VERIFY-Button to verify the GPG/PGP-key.
- Integrating Your PGP/GPG-Keys With GIT (OPTIONAL): Adding the key to your account only lets the service VERIFY signatures; to have GIT actually sign new commits for you, you also need to tell it which key to use. In order to achieve that simply use these commands in your terminal [Here the Key-ID from the example output above is used; the full fingerprint works too]:-
git config --global user.signingkey 3AA5C34371567BD2
AND
git config --global commit.gpgsign true
With "commit.gpgsign" set, every "git commit" is signed automatically [the same goes for tags if you also set "tag.gpgSign true"; otherwise sign individual commits with "git commit -S"]. To check that it worked, make a commit & run "git log --show-signature -1"; it should report a "Good signature" from your key, & the service will show a "Verified" badge next to the commit once the key is on your account & the committer email matches the key's email.
Now there you have it, you have now successfully setup a PGP/GPG-Key for your Account/Repository.
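As an added example (not code from the original post), here is a shell script that takes the output of "gpg --list-secret-keys --keyid-format LONG" and picks out the right values for git: it selects the first secret key that can actually sign ([S] in its flags), skipping encryption-only subkeys, extracts both the long Key-ID and the full fingerprint, reports the expiry date, and prints the git configuration to apply. The listing is the constructed sample from this post (USERNAME/EMAIL are placeholders); in real use you would replace it with the live gpg output as noted in the comment.

```shell
# Added example: turn a "gpg --list-secret-keys --keyid-format LONG" listing
# into the git signing configuration, choosing the key that can sign.
set -e

# Constructed sample input: the listing shown in the post.
# Real use: LISTING=$(gpg --list-secret-keys --keyid-format LONG)
LISTING=$(cat <<'EOF'
/home/USER/.gnupg/pubring.kbx
--------------------------
sec   rsa4096/3AA5C34371567BD2 2021-06-06 [SC] [expires: 2022-06-06]
      6CD8F2B4F3E2E8F08274B563480F8962730149C7
uid           [ultimate] USERNAME <EMAIL>
ssb   rsa4096/42B317FD4BA89E7A 2021-06-06 [E] [expires: 2022-06-06]
EOF
)

# Long Key-ID of the first SECRET key whose capability flags contain S
# (sign): the part after "/" on the "sec" line. An "ssb ... [E]" subkey is
# encryption-only and must not be handed to git as the signing key.
signing_key_id() {
    printf '%s\n' "$1" | awk '
        $1 == "sec" && $4 ~ /S/ { split($2, a, "/"); print a[2]; exit }'
}

# Full 40-hex-digit fingerprint printed on the line right after "sec".
# Prefer it over the 16-hex long ID in git config: it cannot be confused
# with another key, whereas short/long IDs can in principle collide.
signing_key_fingerprint() {
    printf '%s\n' "$1" | awk '
        prev_sec && length($1) == 40 && $1 ~ /^[0-9A-F]+$/ { print $1; exit }
        { prev_sec = ($1 == "sec") }'
}

# Expiry date of the signing key (empty if it never expires), so an expired
# key is noticed before git starts failing with "gpg failed to sign the data".
signing_key_expiry() {
    printf '%s\n' "$1" | awk '
        $1 == "sec" {
            i = index($0, "[expires: ")
            if (i) { s = substr($0, i + 10); print substr(s, 1, index(s, "]") - 1) }
            exit
        }'
}

# The git settings that make every commit and tag signed with that key.
# Printed rather than executed so the script runs anywhere; pipe it into
# "sh" to apply:  git_signing_config "$KEY_FPR" | sh
git_signing_config() {
    key="$1"
    printf 'git config --global user.signingkey %s\n' "$key"
    printf 'git config --global commit.gpgsign true\n'
    printf 'git config --global tag.gpgSign true\n'
}

KEY_ID=$(signing_key_id "$LISTING")
KEY_FPR=$(signing_key_fingerprint "$LISTING")
echo "signing key: $KEY_ID (fingerprint $KEY_FPR, expires: $(signing_key_expiry "$LISTING"))"
git_signing_config "$KEY_FPR"
# After applying: "git commit -m ..." produces a signed commit, and
# "git log --show-signature -1" must report "Good signature" for it.
```

Parsing the human-readable listing is enough for a one-off setup; for anything scripted, gpg's machine-readable output ("gpg --list-secret-keys --with-colons") is the stable format to parse, since the layout of the default listing is not guaranteed across versions.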