mirror of synced 2025-12-19 18:10:59 -05:00

Improved GPG key management experience (#29113)

This commit is contained in:
David Staheli
2022-07-19 06:25:03 -04:00
committed by GitHub
parent 063da9ddfe
commit ddb4d39e00
15 changed files with 93 additions and 84 deletions

Binary file not shown.


View File

@@ -70,7 +70,7 @@ To sign commits using GPG and have those commits verified on {% data variables.p
1. [Check for existing GPG keys](/articles/checking-for-existing-gpg-keys) 1. [Check for existing GPG keys](/articles/checking-for-existing-gpg-keys)
2. [Generate a new GPG key](/articles/generating-a-new-gpg-key) 2. [Generate a new GPG key](/articles/generating-a-new-gpg-key)
3. [Add a new GPG key to your GitHub account](/articles/adding-a-new-gpg-key-to-your-github-account) 3. [Add a GPG key to your GitHub account](/articles/adding-a-gpg-key-to-your-github-account)
4. [Tell Git about your signing key](/articles/telling-git-about-your-signing-key) 4. [Tell Git about your signing key](/articles/telling-git-about-your-signing-key)
5. [Sign commits](/articles/signing-commits) 5. [Sign commits](/articles/signing-commits)
6. [Sign tags](/articles/signing-tags) 6. [Sign tags](/articles/signing-tags)

View File

@@ -0,0 +1,72 @@
---
title: Adding a GPG key to your GitHub account
intro: 'To configure your account on {% ifversion ghae %}{% data variables.product.product_name %}{% else %}{% data variables.product.product_location %}{% endif %} to use your new (or existing) GPG key, you''ll also need the key to your account.'
redirect_from:
- /articles/adding-a-gpg-key-to-your-github-account
- /github/authenticating-to-github/adding-a-new-gpg-key-to-your-github-account
- /github/authenticating-to-github/managing-commit-signature-verification/adding-a-new-gpg-key-to-your-github-account
- /articles/updating-an-expired-gpg-key
- /authentication/troubleshooting-commit-signature-verification/updating-an-expired-gpg-key
- /github/authenticating-to-github/updating-an-expired-gpg-key
- /github/authenticating-to-github/troubleshooting-commit-signature-verification/updating-an-expired-gpg-key
- /authentication/managing-commit-signature-verification/adding-a-new-gpg-key-to-your-github-account
versions:
fpt: '*'
ghes: '*'
ghae: '*'
ghec: '*'
topics:
- Identity
- Access management
shortTitle: Add a GPG key
---
## About addition of GPG keys to your account
To sign commits associated with your account on {% data variables.product.product_name %}, you can add a public GPG key to your personal account. Before you add a key, you should check for existing keys. If you don't find any existing keys, you can generate and copy a new key. For more information, see "[Checking for existing GPG keys](/articles/checking-for-existing-gpg-keys)" and "[Generating a new GPG key](/articles/generating-a-new-gpg-key)."
You can add multiple public keys to your account on {% data variables.product.product_name %}. Commits signed by any of the corresponding private keys will show as verified. If you remove a public key, any commits signed by the corresponding private key will no longer show as verified.
{% ifversion upload-expired-or-revoked-gpg-key %}
To verify as many of your commits as possible, you can add expired and revoked keys. If the key meets all other verification requirements, commits that were previously signed by any of the corresponding private keys will show as verified and indicate that their signing key is expired or revoked.
![A verified commit whose key expired](/assets/images/help/settings/gpg-verified-with-expired-key.png)
{% endif %}
{% data reusables.gpg.supported-gpg-key-algorithms %}
When verifying a signature, {% data variables.product.product_name %} extracts the signature and attempts to parse its key ID. The key ID is then matched with keys added to {% data variables.product.product_name %}. Until a matching GPG key is added to {% data variables.product.product_name %}, it cannot verify your signatures.
## Adding a GPG key
{% data reusables.user-settings.access_settings %}
{% data reusables.user-settings.ssh %}
3. Click **New GPG key**.
![GPG Key button](/assets/images/help/settings/gpg-add-gpg-key.png)
4. In the "Key" field, paste the GPG key you copied when you [generated your GPG key](/articles/generating-a-new-gpg-key).
![The key field](/assets/images/help/settings/gpg-key-paste.png)
5. Click **Add GPG key**.
![The Add key button](/assets/images/help/settings/gpg-add-key.png)
6. To confirm the action, enter your {% data variables.product.product_name %} password.
{% ifversion upload-expired-or-revoked-gpg-key %}
{% else %}
## Updating an expired GPG key
When verifying a signature, {% data variables.product.product_name %} checks that the key is not revoked or expired. If your signing key is revoked or expired, {% data variables.product.product_name %} cannot verify your signatures.
If your key is expired, you must [update its expiration](https://www.gnupg.org/gph/en/manual.html#AEN329), export the new key, delete the expired key in your account on {% data variables.product.product_name %}, and add the new key to your account as described above. Your previous commits and tags will show as verified, as long as the key meets all other verification requirements.
If your key is revoked, use the primary key or another key that is not revoked to sign your commits.
If your key is invalid and you don't use another valid key in your key set, but instead generate a new GPG key with a new set of credentials, then your commits made with the revoked or expired key will continue to show as unverified. Also, your new credentials will not be able to re-sign or verify your old commits and tags.
{% endif %}
## Further reading
- "[Checking for existing GPG keys](/articles/checking-for-existing-gpg-keys)"
- "[Generating a new GPG key](/articles/generating-a-new-gpg-key)"
- "[Telling Git about your signing key](/articles/telling-git-about-your-signing-key)"
- "[Associating an email with your GPG key](/articles/associating-an-email-with-your-gpg-key)"
- "[Signing commits and tags using GPG keys](/articles/signing-commits-and-tags-using-gpg)"
- "[About commit signature verification](/articles/about-commit-signature-verification)"
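
Review bot: `redirect_from` in the new front matter lists `/articles/adding-a-gpg-key-to-your-github-account`, which is this article's own short path, while the `/articles/adding-a-new-gpg-key-to-your-github-account` entry from the deleted file is not carried over. Unless the old short URL is resolved some other way, existing links to it will stop working; suggest replacing the first entry with the old `/articles/adding-a-new-gpg-key-to-your-github-account` path. Separately, the `intro` still reads "you'll also need the key to your account", which is missing a verb ("need to add the key"), and the `{% ifversion upload-expired-or-revoked-gpg-key %}` / `{% else %}` pair in front of "Updating an expired GPG key" has an empty first branch, so a short comment saying the section is intentionally hidden when the flag is on would help the next editor.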

View File

@@ -1,46 +0,0 @@
---
title: Adding a new GPG key to your GitHub account
intro: 'To configure your account on {% ifversion ghae %}{% data variables.product.product_name %}{% else %}{% data variables.product.product_location %}{% endif %} to use your new (or existing) GPG key, you''ll also need the key to your account.'
redirect_from:
- /articles/adding-a-new-gpg-key-to-your-github-account
- /github/authenticating-to-github/adding-a-new-gpg-key-to-your-github-account
- /github/authenticating-to-github/managing-commit-signature-verification/adding-a-new-gpg-key-to-your-github-account
versions:
fpt: '*'
ghes: '*'
ghae: '*'
ghec: '*'
topics:
- Identity
- Access management
shortTitle: Add a new GPG key
---
Before adding a new GPG key to your account on {% ifversion ghae %}{% data variables.product.product_name %}{% else %}{% data variables.product.product_location %}{% endif %}, you should have:
- [Checked for existing GPG keys](/articles/checking-for-existing-gpg-keys)
- [Generated and copied a new GPG key](/articles/generating-a-new-gpg-key)
You can add multiple public keys to your GitHub account. Commits signed by any of the corresponding private keys will show as verified. If you remove a public key, any commits signed by the corresponding private key will no longer show as verified.
{% data reusables.gpg.supported-gpg-key-algorithms %}
When verifying a signature, we extract the signature and attempt to parse its key-id. We match the key-id with keys uploaded to {% data variables.product.product_name %}. Until you upload your GPG key to {% data variables.product.product_name %}, we cannot verify your signatures.
## Adding a GPG key
{% data reusables.user-settings.access_settings %}
{% data reusables.user-settings.ssh %}
3. Click **New GPG key**.
![GPG Key button](/assets/images/help/settings/gpg-add-gpg-key.png)
4. In the "Key" field, paste the GPG key you copied when you [generated your GPG key](/articles/generating-a-new-gpg-key).
![The key field](/assets/images/help/settings/gpg-key-paste.png)
5. Click **Add GPG key**.
![The Add key button](/assets/images/help/settings/gpg-add-key.png)
6. To confirm the action, enter your {% data variables.product.product_name %} password.
## Further reading
* "[Checking for existing GPG keys](/articles/checking-for-existing-gpg-keys)"
* "[Generating a new GPG key](/articles/generating-a-new-gpg-key)"
* "[Telling Git about your signing key](/articles/telling-git-about-your-signing-key)"
* "[Associating an email with your GPG key](/articles/associating-an-email-with-your-gpg-key)"
* "[Signing commits and tags using GPG keys](/articles/signing-commits-and-tags-using-gpg)"

View File

@@ -50,13 +50,13 @@ If you're using a GPG key that matches your committer identity and your verified
$ gpg --armor --export <em>3AA5C34371567BD2</em> $ gpg --armor --export <em>3AA5C34371567BD2</em>
# Prints the GPG key, in ASCII armor format # Prints the GPG key, in ASCII armor format
``` ```
11. Upload the GPG key by [adding it to your GitHub account](/articles/adding-a-new-gpg-key-to-your-github-account). 11. Upload the GPG key by [adding it to your GitHub account](/articles/adding-a-gpg-key-to-your-github-account).
## Further reading ## Further reading
- "[Checking for existing GPG keys](/articles/checking-for-existing-gpg-keys)" - "[Checking for existing GPG keys](/articles/checking-for-existing-gpg-keys)"
- "[Generating a new GPG key](/articles/generating-a-new-gpg-key)" - "[Generating a new GPG key](/articles/generating-a-new-gpg-key)"
- "[Using a verified email address in your GPG key](/articles/using-a-verified-email-address-in-your-gpg-key)" - "[Using a verified email address in your GPG key](/articles/using-a-verified-email-address-in-your-gpg-key)"
- "[Adding a new GPG key to your GitHub account](/articles/adding-a-new-gpg-key-to-your-github-account)" - "[Adding a GPG key to your GitHub account](/articles/adding-a-gpg-key-to-your-github-account)"
- "[Signing commits](/articles/signing-commits)" - "[Signing commits](/articles/signing-commits)"
- "[Signing tags](/articles/signing-tags)" - "[Signing tags](/articles/signing-tags)"

View File

@@ -32,12 +32,12 @@ shortTitle: Existing GPG keys
$ gpg --armor --export <em>3AA5C34371567BD2</em> $ gpg --armor --export <em>3AA5C34371567BD2</em>
# Prints the GPG key ID, in ASCII armor format # Prints the GPG key ID, in ASCII armor format
``` ```
You can then [add your GPG key to your GitHub account](/articles/adding-a-new-gpg-key-to-your-github-account). You can then [add your GPG key to your GitHub account](/articles/adding-a-gpg-key-to-your-github-account).
## Further reading ## Further reading
* "[Generating a new GPG key](/articles/generating-a-new-gpg-key)" * "[Generating a new GPG key](/articles/generating-a-new-gpg-key)"
* "[Adding a new GPG key to your GitHub account](/articles/adding-a-new-gpg-key-to-your-github-account)" * "[Adding a GPG key to your GitHub account](/articles/adding-a-gpg-key-to-your-github-account)"
* "[Telling Git about your signing key](/articles/telling-git-about-your-signing-key)" * "[Telling Git about your signing key](/articles/telling-git-about-your-signing-key)"
* "[Associating an email with your GPG key](/articles/associating-an-email-with-your-gpg-key)" * "[Associating an email with your GPG key](/articles/associating-an-email-with-your-gpg-key)"
* "[Signing commits](/articles/signing-commits)" * "[Signing commits](/articles/signing-commits)"
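
Review bot: the context comment under `gpg --armor --export` at the top of this hunk says "Prints the GPG key ID, in ASCII armor format", but the command exports the public key itself, and the sibling article touched by this same commit words the comment as "Prints the GPG key, in ASCII armor format". Since the next sentence tells the reader to add that output to their account, suggest fixing the comment to "Prints the GPG key" while this file is open, so nobody pastes a key ID into the "Key" field.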

View File

@@ -37,7 +37,7 @@ topics:
``` ```
4. At the prompt, specify the kind of key you want, or press `Enter` to accept the default. 4. At the prompt, specify the kind of key you want, or press `Enter` to accept the default.
5. At the prompt, specify the key size you want, or press `Enter` to accept the default. Your key must be at least `4096` bits. 5. At the prompt, specify the key size you want, or press `Enter` to accept the default. Your key must be at least `4096` bits.
6. Enter the length of time the key should be valid. Press `Enter` to specify the default selection, indicating that the key doesn't expire. 6. Enter the length of time the key should be valid. Press `Enter` to specify the default selection, indicating that the key doesn't expire. Unless you require an expiration date, we recommend accepting this default.
7. Verify that your selections are correct. 7. Verify that your selections are correct.
8. Enter your user ID information. 8. Enter your user ID information.
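
Review bot: the sentence added to step 6, "Unless you require an expiration date, we recommend accepting this default", recommends a non-expiring key without giving a reason. This commit also lets expired keys be uploaded and still show commits as verified behind `upload-expired-or-revoked-gpg-key`, and that flag is limited to `ghes: '>=3.6'`, while this step is unversioned, so the reader cannot tell whether the advice is about verification behaviour or general key hygiene. Suggest adding a short clause with the rationale, or a link to the section of the new article that covers expired and revoked keys.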
@@ -56,12 +56,12 @@ topics:
# Prints the GPG key ID, in ASCII armor format # Prints the GPG key ID, in ASCII armor format
``` ```
11. Copy your GPG key, beginning with `-----BEGIN PGP PUBLIC KEY BLOCK-----` and ending with `-----END PGP PUBLIC KEY BLOCK-----`. 11. Copy your GPG key, beginning with `-----BEGIN PGP PUBLIC KEY BLOCK-----` and ending with `-----END PGP PUBLIC KEY BLOCK-----`.
12. [Add the GPG key to your GitHub account](/articles/adding-a-new-gpg-key-to-your-github-account). 12. [Add the GPG key to your GitHub account](/articles/adding-a-gpg-key-to-your-github-account).
## Further reading ## Further reading
* "[Checking for existing GPG keys](/articles/checking-for-existing-gpg-keys)" * "[Checking for existing GPG keys](/articles/checking-for-existing-gpg-keys)"
* "[Adding a new GPG key to your GitHub account](/articles/adding-a-new-gpg-key-to-your-github-account)" * "[Adding a GPG key to your GitHub account](/articles/adding-a-gpg-key-to-your-github-account)"
* "[Telling Git about your signing key](/articles/telling-git-about-your-signing-key)" * "[Telling Git about your signing key](/articles/telling-git-about-your-signing-key)"
* "[Associating an email with your GPG key](/articles/associating-an-email-with-your-gpg-key)" * "[Associating an email with your GPG key](/articles/associating-an-email-with-your-gpg-key)"
* "[Signing commits](/articles/signing-commits)" * "[Signing commits](/articles/signing-commits)"

View File

@@ -19,7 +19,7 @@ children:
- /displaying-verification-statuses-for-all-of-your-commits - /displaying-verification-statuses-for-all-of-your-commits
- /checking-for-existing-gpg-keys - /checking-for-existing-gpg-keys
- /generating-a-new-gpg-key - /generating-a-new-gpg-key
- /adding-a-new-gpg-key-to-your-github-account - /adding-a-gpg-key-to-your-github-account
- /telling-git-about-your-signing-key - /telling-git-about-your-signing-key
- /associating-an-email-with-your-gpg-key - /associating-an-email-with-your-gpg-key
- /signing-commits - /signing-commits

View File

@@ -54,7 +54,7 @@ If you have multiple keys or are attempting to sign commits or tags with a key t
* "[Checking for existing GPG keys](/articles/checking-for-existing-gpg-keys)" * "[Checking for existing GPG keys](/articles/checking-for-existing-gpg-keys)"
* "[Generating a new GPG key](/articles/generating-a-new-gpg-key)" * "[Generating a new GPG key](/articles/generating-a-new-gpg-key)"
* "[Adding a new GPG key to your GitHub account](/articles/adding-a-new-gpg-key-to-your-github-account)" * "[Adding a GPG key to your GitHub account](/articles/adding-a-gpg-key-to-your-github-account)"
* "[Telling Git about your signing key](/articles/telling-git-about-your-signing-key)" * "[Telling Git about your signing key](/articles/telling-git-about-your-signing-key)"
* "[Associating an email with your GPG key](/articles/associating-an-email-with-your-gpg-key)" * "[Associating an email with your GPG key](/articles/associating-an-email-with-your-gpg-key)"
* "[Signing tags](/articles/signing-tags)" * "[Signing tags](/articles/signing-tags)"

View File

@@ -33,7 +33,7 @@ topics:
- "[Viewing your repository's tags](/articles/viewing-your-repositorys-tags)" - "[Viewing your repository's tags](/articles/viewing-your-repositorys-tags)"
- "[Checking for existing GPG keys](/articles/checking-for-existing-gpg-keys)" - "[Checking for existing GPG keys](/articles/checking-for-existing-gpg-keys)"
- "[Generating a new GPG key](/articles/generating-a-new-gpg-key)" - "[Generating a new GPG key](/articles/generating-a-new-gpg-key)"
- "[Adding a new GPG key to your GitHub account](/articles/adding-a-new-gpg-key-to-your-github-account)" - "[Adding a GPG key to your GitHub account](/articles/adding-a-gpg-key-to-your-github-account)"
- "[Telling Git about your signing key](/articles/telling-git-about-your-signing-key)" - "[Telling Git about your signing key](/articles/telling-git-about-your-signing-key)"
- "[Associating an email with your GPG key](/articles/associating-an-email-with-your-gpg-key)" - "[Associating an email with your GPG key](/articles/associating-an-email-with-your-gpg-key)"
- "[Signing commits](/articles/signing-commits)" - "[Signing commits](/articles/signing-commits)"

View File

@@ -108,7 +108,7 @@ If you have multiple GPG keys, you need to tell Git which one to use.
- "[Checking for existing GPG keys](/articles/checking-for-existing-gpg-keys)" - "[Checking for existing GPG keys](/articles/checking-for-existing-gpg-keys)"
- "[Generating a new GPG key](/articles/generating-a-new-gpg-key)" - "[Generating a new GPG key](/articles/generating-a-new-gpg-key)"
- "[Using a verified email address in your GPG key](/articles/using-a-verified-email-address-in-your-gpg-key)" - "[Using a verified email address in your GPG key](/articles/using-a-verified-email-address-in-your-gpg-key)"
- "[Adding a new GPG key to your GitHub account](/articles/adding-a-new-gpg-key-to-your-github-account)" - "[Adding a GPG key to your GitHub account](/articles/adding-a-gpg-key-to-your-github-account)"
- "[Associating an email with your GPG key](/articles/associating-an-email-with-your-gpg-key)" - "[Associating an email with your GPG key](/articles/associating-an-email-with-your-gpg-key)"
- "[Signing commits](/articles/signing-commits)" - "[Signing commits](/articles/signing-commits)"
- "[Signing tags](/articles/signing-tags)" - "[Signing tags](/articles/signing-tags)"

View File

@@ -15,7 +15,6 @@ topics:
- Access management - Access management
children: children:
- /checking-your-commit-and-tag-signature-verification-status - /checking-your-commit-and-tag-signature-verification-status
- /updating-an-expired-gpg-key
- /using-a-verified-email-address-in-your-gpg-key - /using-a-verified-email-address-in-your-gpg-key
shortTitle: Troubleshoot verification shortTitle: Troubleshoot verification
--- ---

View File

@@ -1,24 +0,0 @@
---
title: Updating an expired GPG key
intro: 'When verifying a signature, {% data variables.product.product_name %} checks that the key is not revoked or expired. If your signing key is revoked or expired, {% data variables.product.product_name %} cannot verify your signatures. If your key is revoked, use the primary key or another key that is not revoked to sign your commits.'
redirect_from:
- /articles/updating-an-expired-gpg-key
- /github/authenticating-to-github/updating-an-expired-gpg-key
- /github/authenticating-to-github/troubleshooting-commit-signature-verification/updating-an-expired-gpg-key
versions:
fpt: '*'
ghes: '*'
ghae: '*'
ghec: '*'
topics:
- Identity
- Access management
shortTitle: Update expired GPG key
---
If your key is expired, you must [update the expiration](https://www.gnupg.org/gph/en/manual/c235.html#AEN328), export the new key, delete the expired key in your GitHub account, and [upload the new key to GitHub](/articles/adding-a-new-gpg-key-to-your-github-account/). Your previous commits and tags will show as verified, as long as the key meets all other verification requirements.
If your key is invalid and you don't use another valid key in your key set, but instead generate a new GPG key with a new set of credentials, then your commits made with the revoked or expired key will continue to show as unverified. Also, your new credentials will not be able to resign or verify your old commits and tags.
## Further reading
- "[About commit signature verification](/articles/about-commit-signature-verification)"
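
Review bot: the three `redirect_from` paths of this deleted article are moved to the new "Adding a GPG key to your GitHub account" article, but there the "Updating an expired GPG key" section only renders in the `{% else %}` branch of `upload-expired-or-revoked-gpg-key`. On versions where the flag is on, a reader following an old "updating an expired GPG key" link lands on a page with no matching heading; suggest a short versioned note near the top of the new article pointing to the paragraph about adding expired and revoked keys. Also, the GnuPG manual link changes from `manual/c235.html#AEN328` here to `manual.html#AEN329` in the new article, so please confirm the new anchor still targets the expiration instructions.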

View File

@@ -0,0 +1,8 @@
# Issue: 7123
# Description: Allow adding expired and revoked GPG keys for verifying commit and tag signatures
# Usage: {% ifversion upload-expired-or-revoked-gpg-key %} ... {% endif %}
versions:
fpt: '*'
ghec: '*'
ghes: '>=3.6'
ghae: 'issue-7123'

View File

@@ -5,7 +5,7 @@
``` ```
1. Copy your PGP key, beginning with `-----BEGIN PGP PUBLIC KEY BLOCK-----` and ending with `-----END PGP PUBLIC KEY BLOCK-----`. 1. Copy your PGP key, beginning with `-----BEGIN PGP PUBLIC KEY BLOCK-----` and ending with `-----END PGP PUBLIC KEY BLOCK-----`.
1. Sign into {% data variables.product.prodname_ghe_server %} as the `web-flow` user. 1. Sign into {% data variables.product.prodname_ghe_server %} as the `web-flow` user.
1. Add the public PGP key to the user's profile. For more information, see "[Adding a new GPG key to your {% data variables.product.prodname_dotcom %} account](/authentication/managing-commit-signature-verification/adding-a-new-gpg-key-to-your-github-account)." 1. Add the public PGP key to the user's profile. For more information, see "[Adding a GPG key to your {% data variables.product.prodname_dotcom %} account](/authentication/managing-commit-signature-verification/adding-a-gpg-key-to-your-github-account)."
{% note %} {% note %}