What is this PGP Thing, and How Can I Use it?

What is this PGP Thing, and How Can I Use it?

The need to keep your personal information, sensitive or nonsensitive, secure from prying eyes isn't new, but recent events have brought it back into the public eye.

In this workshop, we'll build and upload public keys, explore Git commit signing, and learn to sign others' PGP keys. If we have time, we'll exchange key fingerprints and show IDs, then discuss signing and verifying gems.

You'll need a photo ID and your own computer for this workshop.

Presented at RailsConf 2015. http://railsconf.com/program/labs#prop_903


Caleb Hearth

April 15, 2015


  1. What is this PGP thing… …and how can I use

  2. http://caleb.click/af0U

  3. https://robots.thoughtbot.com/ pgp-and-you

  4. Getting GPGTools • Download from https://gpgtools.org • Get from one

    of the USBs I’ve handed out
  5. Verify Package

  6. With Trusted GPG • Download GPG signature from https://gpgtools.org •

    Verify signature fingerprint • Import GPGTools developer key from https://gpgtools.org gpg --verify GPG_Suite-2015.03-b6.dmg.sig \ GPG_Suite-2015.03-b6.dmg
  7. Otherwise…

  8. Verify SHA of package against published website shasum GPG_Suite-2015.03-b6.dmg

  9. Mount .dmg

  10. Double Click Install and follow instructions

  11. Build Keypairs and Upload Public Keys

  12. Keypair?

  13. A keypair is composed of two parts

  14. Public key

  15. Private key

  16. More secure than single key algorithms

  17. None
  18. Sign Git Commits

  19. Configuration

  20. git config --global \ commit.gpgsign true

  21. git config --global \ user.signingkey \ "Caleb Thompson <caleb@calebthompson.io>"

  22. Using Git ~with~

  23. git log --show-signatures

  24. git show --show-signatures

  25. git tag --verify [tag]

  26. Why?

  27. Signed commit says I wrote this; here’s proof

  28. Signed tag says I released this; here’s proof

  29. Get your signature in as many places as possible •

    GPG can auto-download keys to verify sigs • More ways to establish trust
  30. It’s easy, so why not?

  31. Gems

  32. x

  33. Gem::Security

  34. Default no verification when installing gems

  35. Uses OpenSSL keys • Same sort of keys used for

    SSL / HTTPS keys • Unfortunately, same sort of keys used for SSL/HTTPS keys, which have no good distribution system
  36. Uses certificate authorities • Doesn’t take advantage of much larger

    PGP WoT • Requires you to trust a CA manually
  37. Private keys not encrypted

  38. Keys are self-signed

  39. Need Trust Path

  40. No Keyservers

  41. Can't specify system-wide trust

  42. Signatures included in gem pg-0.18.1.gem !"" checksums.yaml.gz !"" checksums.yaml.gz.sig !""

    data.tar.gz !"" data.tar.gz.sig !"" metadata.gz #"" metadata.gz.sig
  43. Required Reading • Signing gems on Gem::Security docs (formatted) •

    rubygems-developers mailing list thread on gem signing • rubygems-openpgp • We Need to Sign Ruby Gems! But How? • Nobody Cares About Signed Gems (archive.org)
  44. Who else?

  45. Manually

  46. Aptitude, Homebrew, etc. automate this • aptitude uses gpg to

    verify • Homebrew checks SHAs of installed packages • RVM distributes signature and automatically verifies during installation
  47. Need automatic verification before installation • Should verify signature •

    Should be configurable to verify trust • Should fail to install if unverifiable
  48. Need stronger Web of Trust connections throughout the community

  49. Need stronger Web of Trust connections throughout the community

  50. better tools support

  51. Rubygems

  52. GitHub commit 84d9f998dbbb514c6c127ba91e800c34e8885e35 gpg: Signature made Wed Jan 14 09:56:52

    2015 CST using RSA key ID A0ACE70A gpg: Good signature from "Caleb Thompson <caleb@calebthompson.io>" [ultimate] gpg: aka "Caleb Thompson <cjaysson@gmail.com>" [ultimate] gpg: aka "Caleb Thompson <caleb@thoughtbot.com>" [ultimate] Author: Caleb Thompson <caleb@calebthompson.io> Date: Wed Jan 14 09:55:45 2015 -0600 Connect A0ACE70A and @calebthompson
  53. Claim Social Accounts pub 2048R/A0ACE70A 2013-08-12 Key fingerprint = B432

    C068 2FD1 C2D0 6A8B 3951 1621 ADC2 A0AC E70A uid [ultimate] Caleb Thompson <caleb@calebthompson.io> uid [ultimate] Caleb Thompson <cjaysson@gmail.com> uid [ultimate] Caleb Thompson <caleb@thoughtbot.com> uid [ultimate] @calebthompson (https://twitter.com/calebthompson/status/) uid [ultimate] @calebthompson (https://github.com/calebthompson/i-am) sub 2048R/545CA4DF 2013-08-12 sub 4096R/379AE326 2015-02-09
  54. Display verified commits by @username

  55. Signing Keys

  56. Like signing a message

  57. Has different semantic meaning:

  58. Assert that you’ve verified owner identity (driver’s licence, passport, etc.)

  59. Assert that you’ve verified that you have the right key

  60. Assert that you’ve verified ownership (can use private key)

  61. Assert that you’ve verified ownership (can use private key) •

    (It’s less common to actually do this step)
  62. Announces to the world that if they trust you to

    verify these things, they
  63. Fundamental to the Web of Trust

  64. None
  65. None
  66. Get the key • Mine is included on the USB

    • Usually you find it online as a .asc file someone points to, or on a keyserver
  67. None
  68. None
  69. B432 C068 2FD1 C2D0 6A8B 3951 1621 ADC2 A0AC E70A

  70. None
  71. Upload to keyserver

  72. Exchange Key Fingerprints and Verify IDs