Prefer GPG(GnuPG) rather than SSH key to sign commits (#311)

* Start to manage GPG config * Ignore backup files from git * Fix filename * Add gpg-agent workaround for macos * Fix nix syntax * macOS is Werther's Original * Add an empty commit * Prefer subkey * Add note and update new subkey * Improve note * Keep passphrase cache longtime * Prefer pinentry-tty rather than default gtk2 * Add how to get pubkey in global May relate to kachick/kachick.github.io#93 * Prefer nix syntax sugar * Sync same gpg-agent config with macOS * Add comment for why GPG
kachick · Sep 12, 2023 · fec9d02 · fec9d02
1 parent e156873
commit fec9d02
Show file tree

Hide file tree

Showing 9 changed files with 91 additions and 10 deletions.
diff --git a/.gitignore b/.gitignore
@@ -13,3 +13,5 @@ tmp/
 .DS_Store
 
 winget-pkgs-*-raw.json
+
+*.bak
diff --git a/home-manager/bash.nix b/home-manager/bash.nix
@@ -1,6 +1,7 @@
 { config, lib, pkgs, ... }:
 
 {
+  services.gpg-agent.enableBashIntegration = true;
   programs.starship.enableBashIntegration = true;
   programs.direnv.enableBashIntegration = true;
   programs.zoxide.enableBashIntegration = true;

diff --git a/home-manager/darwin.nix b/home-manager/darwin.nix
@@ -17,6 +17,16 @@ lib.mkMerge [
       source ${pkgs.iterm2 + "/Applications/iTerm2.app/Contents/Resources/iterm2_shell_integration.zsh"}
     '';
 
+    # https://github.com/NixOS/nixpkgs/issues/240819#issuecomment-1616760598
+    # https://github.com/midchildan/dotfiles/blob/fae87a3ef327c23031d8081333678f9472e4c0ed/nix/home/modules/gnupg/default.nix#L38
+    xdg.dataFile."gnupg/gpg-agent.conf".text = ''
+      grab
+      default-cache-ttl 60480000
+      max-cache-ttl 60480000
+      pinentry-program ${pkgs.pinentry_mac}/Applications/pinentry-mac.app/Contents/MacOS/pinentry-mac
+    '';
+
+
     # Do not make plist symlinks, the update should be done iterm2 itself, so just keeping the backups
 
     # Just putting the refererenced file to easy import, applying should be done via GUI and saving to plist

diff --git a/home-manager/fish.nix b/home-manager/fish.nix
@@ -1,6 +1,7 @@
 { pkgs, ... }:
 
 {
+  services.gpg-agent.enableFishIntegration = true;
   programs.starship.enableFishIntegration = true;
   # Settled by default and readonly https://github.com/nix-community/home-manager/blob/8c731978f0916b9a904d67a0e53744ceff47882c/modules/programs/direnv.nix#L65-L68
   # programs.direnv.enableFishIntegration = true;

diff --git a/home-manager/git.nix b/home-manager/git.nix
@@ -1,4 +1,4 @@
-{ config, ... }:
+{ ... }:
 
 {
   # https://github.com/nix-community/home-manager/blob/master/modules/programs/git.nix
@@ -24,25 +24,29 @@
 
     extraConfig = {
       user = {
-        # https://stackoverflow.com/questions/48065535/should-i-keep-gitconfigs-signingkey-private
-        # TODO: Consider to replace with GPG key, see https://github.com/kachick/dotfiles/issues/289
-        signingkey = "${config.home.homeDirectory}/.ssh/id_ed25519.pub";
-      };
-
-      core = {
-        editor = "vim";
-        quotepath = false;
+        # - Visibility
+        #   - https://stackoverflow.com/questions/48065535/should-i-keep-gitconfigs-signingkey-private
+        #   - ANYONE can access the registered public key at `curl -s https://api.github.com/users/kachick/gpg_keys | jq -r '.[0].raw_key'`
+        # - Append `!` suffix for subkeys
+        signingkey = "9BE4016A38165CCB!";
       };
 
       gpg = {
-        format = "ssh";
+        # I prefer GPG sign rather than SSH key to consider revocation and expiration usecase.
+        # See https://github.com/kachick/dotfiles/issues/289 for detail.
+        format = "openpgp";
       };
 
       commit = {
         # https://stackoverflow.com/questions/10161198/is-there-a-way-to-autosign-commits-in-git-with-a-gpg-key
         gpgsign = true;
       };
 
+      core = {
+        editor = "vim";
+        quotepath = false;
+      };
+
       init = {
         defaultBranch = "main";
       };

diff --git a/home-manager/gpg.nix b/home-manager/gpg.nix
@@ -0,0 +1,55 @@
+{ config, pkgs, ... }:
+
+
+# ## FAQ - GPG
+#
+# - How to list keys?
+#   - 1. `gpg --list-secret-keys --keyid-format=long` # The `sec` first section displays same text as `pub` by `gpg --list-keys --keyid-format=long`
+# - How to add subkey?
+#   - 1. `gpg --edit-key PUBKEY`
+#   - 2. `addkey`
+#   - 3. `save`
+# - How to revoke subkey?
+#   - 1. `gpg --edit-key PUBKEY`
+#   - 2. `key n` n is the index of subkey
+#   - 3. `revkey`
+#   - 4. `save`
+#   - 5. Replace uploaded pubkey with new one, see https://github.com/kachick/dotfiles/pull/311#issuecomment-1715812324 for detail
+# - How to get pubkey to upload?
+#   - `gpg --armor --export PUBKEY | clip.exe`
+# - How to backup private key?
+#   - `gpg --export-secret-keys --armor > gpg-private.keys.bak`
+{
+  # https://github.com/nix-community/home-manager/blob/master/modules/services/gpg-agent.nix
+  services.gpg-agent = {
+    enable = if pkgs.stdenv.isDarwin then false else true;
+
+    # Update [darwin.nix](darwin.nix) if changed this section
+    #
+    # https://superuser.com/questions/624343/keep-gnupg-credentials-cached-for-entire-user-session
+    defaultCacheTtl = 60480000; # 700 days
+    maxCacheTtl = 60480000; # 700 days
+
+    pinentryFlavor = "tty";
+  };
+
+  # https://github.com/nix-community/home-manager/blob/master/modules/programs/gpg.nix
+
+  programs.gpg = {
+    enable = true;
+
+    # Preferring XDG_DATA_HOME rather than XDG_CONFIG_HOME from following examples
+    #   - https://wiki.archlinux.org/title/XDG_Base_Directory
+    #   - https://github.com/nix-community/home-manager/blob/5171f5ef654425e09d9c2100f856d887da595437/modules/programs/gpg.nix#L192
+    homedir = "${config.xdg.dataHome}/gnupg";
+
+    # - How to read `--list-keys` - https://unix.stackexchange.com/questions/613839/help-understanding-gpg-list-keys-output
+    # - Ed448 in GitHub is not yet supported - https://github.com/orgs/community/discussions/45937
+    settings = {
+      # https://unix.stackexchange.com/questions/339077/set-default-key-in-gpg-for-signing
+      default-key = "9BE4016A38165CCB";
+
+      personal-digest-preferences = "SHA512";
+    };
+  };
+}
diff --git a/home-manager/home.nix b/home-manager/home.nix
@@ -6,6 +6,7 @@
     ./bash.nix
     ./zsh.nix
     ./fish.nix
+    ./gpg.nix
     ./ssh.nix
     ./git.nix
     ./zellij.nix

diff --git a/home-manager/packages.nix b/home-manager/packages.nix
@@ -38,6 +38,9 @@
     lazygit
     gh
 
+    # GPG
+    gnupg
+
     dprint
     shellcheck
     shfmt
@@ -103,6 +106,9 @@
     [
       # https://github.com/NixOS/nixpkgs/commit/3ea22dab7d906f400cc5983874dbadeb8127c662#diff-32e42fa095503d211e9c2894de26c22166cafb875d0a366701922aa23976c53fL21-L33
       iterm2
+
+      # https://github.com/NixOS/nixpkgs/issues/240819
+      pinentry_mac
     ]
   );
 }
diff --git a/home-manager/zsh.nix b/home-manager/zsh.nix
@@ -1,6 +1,7 @@
 { config, lib, pkgs, ... }:
 
 {
+  services.gpg-agent.enableZshIntegration = true;
   programs.starship.enableZshIntegration = true;
   programs.direnv.enableZshIntegration = true;
   programs.zoxide.enableZshIntegration = true;