🎒 Exercise: Setup workstation

Outcomes

This exercise covers the minimal workstation setup needed for SSH code signing, including:

  1. Checking and installing prerequisites
  2. Checking and generating sufficiently secure SSH keys
  3. Minimal Git configuration for signing and verifying personal changes

Steps

  1. Confirm that the prerequisites are installed at their minimum versions; install or upgrade them if not

    git --version
    ssh -V

    Afterwards, configure Git with your name and email address if necessary:

    git config --global user.name "Your Name"
    git config --global user.email "your_email@example.com"
  2. Generate a new SSH key if you do not already have one:

    Warning: Using a passphrase is strongly recommended to secure SSH keys. Because SSH signing requires the SSH agent, the agent asks for the passphrase once, so you do not need to enter it every time while the agent is running.

    ssh-keygen -t ed25519 -C "your_email@example.com"
    chmod 600 ~/.ssh/id_ed25519
    chmod 644 ~/.ssh/id_ed25519.pub

    Note: If you are using a legacy system that doesn't support the Ed25519 algorithm, use 4096-bit RSA keys for this workshop:

    ssh-keygen -t rsa -b 4096 -C "your_email@example.com"
    chmod 600 ~/.ssh/id_rsa
    chmod 644 ~/.ssh/id_rsa.pub
  3. Start the SSH agent and add the SSH private key

    eval `ssh-agent`
    ssh-add ~/.ssh/id_ed25519
  4. Create a file containing the SSH public key for verifying signers

    awk '{ print $3 " " $1 " " $2 }' ~/.ssh/id_ed25519.pub >> ~/.ssh/allowed_signers

    Note: This is a simple variant of an ssh-keygen allowed signers file for the purposes of the workshop.

    For information on more advanced variants, see ssh-keygen ALLOWED SIGNERS documentation.

  5. Create a local repository for the workshop

    git init -b main simplify-signing-with-ssh-workspace
    cd simplify-signing-with-ssh-workspace
  6. Configure SSH signing and verifying for workshop repository specifically:

    git config gpg.format ssh
    git config user.signingkey "$(cat ~/.ssh/id_ed25519.pub)"
    git config gpg.ssh.allowedSignersFile ~/.ssh/allowed_signers

    Note: To configure SSH signing and verifying globally, use the --global flag:

    git config --global gpg.format ssh
    git config --global user.signingkey "$(cat ~/.ssh/id_ed25519.pub)"
    git config --global gpg.ssh.allowedSignersFile ~/.ssh/allowed_signers

    For more information about these Git configuration options, see gpg.ssh.allowedSignersFile, user.signingKey, gpg.format.
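
The awk line in step 4 takes the key comment as the signer identity, so a key with no comment or a multi-word comment produces a wrong entry, and re-running it appends a duplicate. The following added example (not part of the workshop; the function names are hypothetical) builds the same `principal keytype key` entry from an explicitly given identity, checks the key format, and appends it only once:

```shell
#!/bin/sh
# Added example, not from the workshop. Function names are hypothetical.

# Print "<principal> <keytype> <base64-key>" for a public key file.
# The principal is passed explicitly instead of being read from the key
# comment, which may be empty or contain spaces.
allowed_signer_entry() {
    principal=$1 pubfile=$2
    # Reject empty principals and anything outside a plain e-mail-style set,
    # since whitespace would split the allowed signers line incorrectly.
    case $principal in ''|*[!A-Za-z0-9@._+-]*) return 2 ;; esac
    [ -r "$pubfile" ] || return 2
    awk -v p="$principal" '
        # Accept only the key types generated in step 2 of this exercise.
        NR == 1 && ($1 == "ssh-ed25519" || $1 == "ssh-rsa") &&
        $2 ~ "^AAAA[A-Za-z0-9+/]+=*$" { print p " " $1 " " $2; ok = 1 }
        END { exit(ok ? 0 : 1) }
    ' "$pubfile"
}

# Append the entry to the allowed signers file unless the exact line is
# already present, so repeating the step does not create duplicates.
add_allowed_signer() {
    entry=$(allowed_signer_entry "$1" "$2") || return 1
    signers=$3
    touch "$signers"
    grep -qxF -- "$entry" "$signers" || printf '%s\n' "$entry" >> "$signers"
}

# Usage with the paths from this exercise:
#   add_allowed_signer "$(git config user.email)" \
#       ~/.ssh/id_ed25519.pub ~/.ssh/allowed_signers
```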


Next: Signing and verifying commits