Project Management (7): SSH and GPG key generation, deployment to GitHub and Gitee, and usage

  Recently I needed to configure SSH and GPG for GitHub, so I recorded the process as this article. Nothing deep, just notes. The host environments used here are Ubuntu 22.04 LTS and Windows 22H2 (build 22621.1).

  Both SSH and GPG are applications of cryptography, and both rely on public-key (asymmetric) cryptography. I am no expert on cryptography; the common concepts used below are:

  • Symmetric encryption: the same key is used for encryption and decryption.
  • Asymmetric (public-key) encryption: the algorithm uses a pair of keys, a public key that can be shared freely and a private key that must be kept secret. What one key encrypts only the other can decrypt, and a signature made with the private key is verified with the public key.
  • CA: Certificate Authority, a third party trusted by the public that issues and manages certificates.
  • CA certificate = digital certificate: a certificate issued by a CA, containing the issuer's information, the owner's information, the owner's public key, the issuer's signature and the validity period.
  • Fingerprint: a hash (digest) of a public key, short enough to compare by eye, e.g. the value GitHub shows in the SSH first-connection prompt below. "Hash" and "digest" mean the same thing.
  • Key capability = key usage: what a key is allowed to do (certify, sign, authenticate, encrypt).

SSH

  SSH is short for Secure Shell (despite the name it is not a shell itself). It is a network protocol standardized by the IETF (RFC 4251 and related RFCs).

  The classic use of SSH is logging into a remote machine to run commands. SSH also supports tunnelling, port forwarding and X11 forwarding, and it can transfer files over the SFTP or SCP protocols.

For a detailed introduction to SSH, refer to: Network (6) SSH, SSL, OpenSSH, OpenSSL, LibreSSL

  SSH is just a protocol, and several implementations exist, both commercial and open source. OpenSSH is the most widely used open-source implementation and ships by default with many operating systems. "SSH2" usually refers to version 2 of the protocol, or to the proprietary implementation of it sold by SSH Communications Security, Inc. (http://www.ssh.com).

Install

  SSH is now a standard component of Unix-like systems: run ssh -V in an Ubuntu terminal to see the version of the bundled client. Since Windows 10 version 1803, Microsoft also ships OpenSSH; run ssh -V in a terminal (CMD or PowerShell) to see the version on the current system.
  By default neither Ubuntu nor Windows runs an SSH server; if you need one, install it yourself. Ubuntu: sudo apt-get install openssh-server; Windows: Settings → Apps → Optional features → OpenSSH Server. For details see Network (6) SSH, SSL, OpenSSH, OpenSSL, LibreSSL.

Generate KEY

  The procedure is the same on Ubuntu and Windows. SSH supports several key algorithms; pick one according to your needs. GitHub recommends ssh-keygen -t ed25519 -C "[email protected]", but some old systems do not support ed25519, so I chose RSA here (if you also use RSA, pass -b 4096 for a 4096-bit key).
  Accept the default storage location by pressing Enter (to keep several keys, give each a different file name here). Whether to set a passphrase is up to you; pressing Enter leaves the private key unencrypted on disk, which is convenient but means anyone who copies the file can use it. ssh-keygen then prints the files it generated together with the key's fingerprint and randomart.

  Linux desktops have a keyring mechanism that makes it easy to view your SSH keys in a GUI: KDE has KDE Wallet, and GNOME and other desktops have "Passwords and Keys" (Seahorse).

Keyring reference: https://zhuanlan.zhihu.com/p/128133025?from_voters_page=true

Deploy to GitHub and Gitee

  After the key is generated, the directory you chose contains two text files, id_rsa and id_rsa.pub (id_ed25519 and id_ed25519.pub for an ed25519 key). The former is the private key: keep it safe, never share it, and keep its permissions at 0600, because ssh refuses to use a private key that other users can read. The latter is the public key, which is what you add to GitHub and Gitee.
  When adding a key on GitHub or Gitee you are asked to re-enter your account password.

Use and effect

  After adding the public key you can use the SSH URL of the repository. On the first SSH connection to a host there is a prompt like: "The authenticity of host 'github.com (20.205.243.166)' can't be established. ED25519 key fingerprint is SHA256:+DiY3wvvV6TuJJhbpZisF/zLDA0zPMSvHdkr4UvCOqU. This key is not known by any other names. Are you sure you want to continue connecting (yes/no/[fingerprint])?". Before answering yes, compare the fingerprint with the list GitHub publishes in its documentation (search for "GitHub's SSH key fingerprints"); a mismatch means you are not talking to GitHub. Answering yes stores the host key in ~/.ssh/known_hosts, and later connections are checked against it.
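As an added example (not from the original post), the check behind that prompt, in Python: parse an OpenSSH public-key line, compute the SHA256 fingerprint the same way ssh-keygen -l and GitHub's documentation display it, and compare it with the expected value. The host key line used here is constructed with a dummy 32-byte value; for a real check, feed in the line printed by ssh-keyscan -t ed25519 github.com (or the github.com entry from ~/.ssh/known_hosts) together with the fingerprint from GitHub's documentation.

```python
# Added example, not from the original post: compute and compare an SSH host key fingerprint,
# the check to do before answering "yes" to the first-connection prompt.
# The sample key line is constructed with a dummy 32-byte value, not GitHub's real key.
import base64
import hashlib
import hmac
import struct

# Fingerprint quoted from the prompt in the post; compare it with GitHub's published list.
GITHUB_ED25519_FP_FROM_PROMPT = "SHA256:+DiY3wvvV6TuJJhbpZisF/zLDA0zPMSvHdkr4UvCOqU"


def parse_pubkey_line(line: str):
    """Parse 'type base64 [comment]' (or a known_hosts/ssh-keyscan line with the host name first).

    Returns (key_type, raw blob, algorithm-specific fields). The blob is the RFC 4253 wire
    encoding: a sequence of 4-byte-length-prefixed strings, the first being the key type.
    """
    fields = line.split()
    if fields and not fields[0].startswith(("ssh-", "ecdsa-", "sk-")):
        fields = fields[1:]                              # drop a leading host name
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, blob = fields[0], base64.b64decode(fields[1])
    parts, pos = [], 0
    while pos + 4 <= len(blob):
        (n,) = struct.unpack(">I", blob[pos:pos + 4])
        parts.append(blob[pos + 4:pos + 4 + n])
        pos += 4 + n
    if pos != len(blob) or not parts or parts[0] != key_type.encode():
        raise ValueError("malformed key blob or key type mismatch")
    return key_type, blob, parts[1:]


def fingerprint_sha256(blob: bytes) -> str:
    """'SHA256:' + unpadded base64 of SHA-256(blob), the format ssh-keygen -l and GitHub show."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def fingerprint_md5(blob: bytes) -> str:
    """Legacy 'MD5:aa:bb:...' form that older clients print."""
    return "MD5:" + ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def host_key_matches(pubkey_line: str, expected_fingerprint: str) -> bool:
    """True only if the line's key hashes to the expected fingerprint (constant-time compare)."""
    _, blob, _ = parse_pubkey_line(pubkey_line)
    return hmac.compare_digest(fingerprint_sha256(blob).encode(), expected_fingerprint.encode())


def build_ed25519_line(point: bytes, comment: str = "") -> str:
    """Encode a raw 32-byte Ed25519 public value as an OpenSSH public-key line."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", len(point)) + point
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}".rstrip()


# Constructed sample line (a stand-in value, NOT GitHub's key).
SAMPLE_LINE = build_ed25519_line(bytes(range(32)), "constructed-sample")

if __name__ == "__main__":
    key_type, blob, fields = parse_pubkey_line(SAMPLE_LINE)
    print(key_type, len(fields[0]), "byte key", fingerprint_sha256(blob))
    print("matches prompt value:", host_key_matches(SAMPLE_LINE, GITHUB_ED25519_FP_FROM_PROMPT))
```

ssh-keyscan prints the host name as the first field, which the parser drops. If the fingerprints match, appending the ssh-keyscan line to ~/.ssh/known_hosts before the first git clone avoids the interactive prompt altogether.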
  Every push to GitHub or Gitee over SSH updates the "last used" time shown next to the key on the SSH keys settings page.

GPG

  GPG, also called GnuPG (GNU Privacy Guard), is software for encryption, digital signatures and authentication that implements the OpenPGP standard (RFC 4880). It is the free-software counterpart of PGP (Pretty Good Privacy), a proprietary product long sold by Symantec.

For a detailed introduction to GPG, refer to: "Using a GPG key to build a signing, encryption and authentication system" and "Concise GPG concepts"

  In day-to-day work we need email encryption, digital signatures or login authentication. GPG is a key-management tool that covers all of these: it manages public and private keys and serves each of those needs, which makes it far more versatile than an SSH login key.

  Abbreviation   Capability / usage   Meaning
  [C]            Certify              Sign (certify) other keys and user IDs; plays the role a root certificate plays in SSL/TLS
  [S]            Sign                 Digital signatures on files, email, git commits
  [A]            Authenticate         Prove identity, e.g. SSH login
  [E]            Encrypt              Message and file encryption

  Unlike TLS, which rests on a centralized chain of trust, GPG is decentralized. Public keyservers exist (for example https://keys.openpgp.org/), and anyone can upload their public key so others can find it, but a keyserver only distributes keys; whether to trust a key is the user's own decision, made through the Web of Trust or by checking the fingerprint directly with the owner.

There are two key-trust models in common use:

  1. GPG: the Web of Trust. Everyone publishes their public key (for example on https://keys.openpgp.org/) so others can find it. When two parties communicate, each confirms the other's identity by verifying the other's public key, either by comparing its fingerprint out of band or by relying on signatures from people they already trust.
  2. TLS: trust an authority (CA). CA root certificates ship with the operating system or browser and are trusted unconditionally; certificates issued under a trusted root are trusted in turn.

Install

  Most Linux distributions package GnuPG, and installing from the package manager is easiest, e.g. on Ubuntu: sudo apt-get install gnupg. For other systems the GnuPG website offers precompiled binaries for several platforms at https://www.gnupg.org/download/.
  On Windows you can choose a GUI package; I prefer the command line, so I installed the plain command-line build. Make sure to install the current 2.x series rather than the old 1.x, because their options are not compatible. After installing, gpg --version shows the installed version.

For the GUI version on Windows, another user wrote a detailed walkthrough: https://blog.csdn.net/u011174139/article/details/120139497

Generate KEY

  The procedure is the same on Ubuntu and Windows (gpg --full-generate-key). GPG supports many algorithms, but not all of them are accepted by GitHub and Gitee. GitHub supports RSA, ElGamal, DSA, ECDH, ECDSA and EdDSA; I found no official list for Gitee. I chose RSA here (GitHub recommends 4096-bit or larger RSA keys).
  The same desktop keyring tools make it easy to view your GPG keys: KDE Wallet on KDE, "Passwords and Keys" (Seahorse) on GNOME and other desktops.

Keyring reference: https://zhuanlan.zhihu.com/p/128133025?from_voters_page=true

  A GPG key can carry so many capabilities because it is really a set of key pairs bundled together: a primary (master) key and one or more subkeys. Each subkey is valid only because the primary key has signed it (a binding signature). Once bound, a subkey can be used day to day without the primary key being present, which is why the primary key can be kept offline.

  • The primary key must have the certify capability [C], and only the primary key can have it.
  • The primary key may additionally carry sign [S] and authenticate [A].
  • A subkey may carry sign [S] and authenticate [A].
  • GnuPG's default key generation creates a separate subkey for encryption [E].
  • If a subkey is compromised, only that subkey is revoked. A subkey is usable on its own, but for every purpose it is distributed together with the primary key's signature over it, so a revocation (also signed by the primary key) invalidates just that subkey while the primary key and the remaining subkeys stay valid.
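As an added example (not from the original post) of what the bundle described above looks like on the wire, and of what you are pasting when you copy the armored block exported in the next section: the Python below de-armors a `gpg --armor --export` block, verifies its CRC-24 checksum line, and lists the packets inside (primary key, user ID, self-certification, subkey, subkey-binding signature), computing each key packet's v4 fingerprint and the long key ID that gpg --list-secret-keys --keyid-format=long shows. The sample key is constructed with placeholder MPIs and placeholder signature bodies, so it is structurally valid but cryptographically meaningless; real input is the output of gpg --armor --export for your key.

```python
# Added example, not from the original post: de-armor a `gpg --armor --export` block, verify its
# CRC-24 line and list the packets inside (primary key, user ID, subkey, binding signatures).
# The sample key is constructed with placeholder MPIs: structurally valid, cryptographically useless.
import base64
import hashlib
import struct

TAG_NAMES = {2: "signature", 6: "public key", 13: "user ID", 14: "public subkey"}
ALGO_NAMES = {1: "RSA", 16: "ElGamal", 17: "DSA", 18: "ECDH", 19: "ECDSA", 22: "EdDSA"}
SIG_TYPES = {0x13: "positive certification", 0x18: "subkey binding", 0x20: "key revocation", 0x28: "subkey revocation"}

def crc24(data: bytes) -> int:
    crc = 0xB704CE                                    # init value and polynomial from RFC 4880 section 6.1
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc = (crc << 1) ^ (0x1864CFB if crc & 0x800000 else 0)
    return crc & 0xFFFFFF

def armor(data: bytes, kind: str = "PGP PUBLIC KEY BLOCK") -> str:
    b64 = base64.b64encode(data).decode()
    crc_line = "=" + base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return "\n".join([f"-----BEGIN {kind}-----", ""] + [b64[i:i + 64] for i in range(0, len(b64), 64)]
                     + [crc_line, f"-----END {kind}-----"]) + "\n"

def dearmor(text: str) -> bytes:                      # decode the body; reject it if the CRC line disagrees
    lines = [ln.rstrip() for ln in text.strip().splitlines()]
    if not (lines[0].startswith("-----BEGIN PGP") and lines[-1].startswith("-----END PGP")):
        raise ValueError("missing armor header or footer")
    body = lines[1:-1]
    if "" in body:                                    # armor headers (Version:, Comment:) end at a blank line
        body = body[body.index("") + 1:]
    data = base64.b64decode("".join(ln for ln in body if not ln.startswith("=")))
    crc_lines = [ln for ln in body if ln.startswith("=")]
    if crc_lines and crc24(data) != int.from_bytes(base64.b64decode(crc_lines[-1][1:]), "big"):
        raise ValueError("armor CRC mismatch: the block was truncated or altered while copying")
    return data

def parse_packets(data: bytes) -> list:               # -> [(tag, body)], RFC 4880 section 4.2, both header formats
    packets, pos = [], 0
    while pos < len(data):
        ctb, pos = data[pos], pos + 1
        if not ctb & 0x80:
            raise ValueError("bad packet tag byte")
        if ctb & 0x40:                                # new-format header
            tag, first, pos = ctb & 0x3F, data[pos], pos + 1
            if first < 192:
                length = first
            elif first < 224:
                length, pos = ((first - 192) << 8) + data[pos] + 192, pos + 1
            elif first == 255:
                length, pos = struct.unpack(">I", data[pos:pos + 4])[0], pos + 4
            else:
                raise ValueError("partial body lengths not handled")
        else:                                         # old-format header, which is what gpg exports use
            tag, size = (ctb >> 2) & 0x0F, (1, 2, 4, 0)[ctb & 0x03]
            length = len(data) - pos if size == 0 else int.from_bytes(data[pos:pos + size], "big")
            pos += size
        packets.append((tag, data[pos:pos + length]))
        pos += length
    return packets

def mpi(value: int) -> bytes:                         # 2-byte bit count, then big-endian magnitude
    return struct.pack(">H", value.bit_length()) + value.to_bytes((value.bit_length() + 7) // 8, "big")

def key_fingerprint(body: bytes) -> str:              # v4: SHA-1(0x99, 2-byte length, body); key ID = last 16 hex
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()

def describe_key(armored: str) -> list:
    entries = []
    for tag, body in parse_packets(dearmor(armored)):
        entry = {"packet": TAG_NAMES.get(tag, f"tag {tag}")}
        if tag in (6, 14) and body[0] == 4:           # v4 key packet: version, 4-byte ctime, algo id, MPIs
            fp = key_fingerprint(body)
            entry.update(algo=ALGO_NAMES.get(body[5], f"algo {body[5]}"), fingerprint=fp, keyid=fp[-16:])
        elif tag == 13:
            entry["uid"] = body.decode("utf-8", "replace")
        elif tag == 2:                                # signature packet: version, signature type, ...
            entry["sig_type"] = SIG_TYPES.get(body[1], f"type 0x{body[1]:02x}")
        entries.append(entry)
    return entries

def build_sample_export() -> str:                     # gpg's order: key, uid, self-cert, subkey, binding sig
    def pkt(tag, body):                               # old-format header with a 2-byte length
        return bytes([0x80 | (tag << 2) | 1]) + struct.pack(">H", len(body)) + body
    hdr = bytes([4]) + struct.pack(">I", 1654000000) + bytes([1])    # v4, creation time, algo 1 = RSA
    primary = hdr + mpi((1 << 4095) | 0x10001) + mpi(65537)          # placeholder modulus, not a real key
    subkey = hdr + mpi((1 << 4095) | 0x12345) + mpi(65537)
    cert_sig = bytes([4, 0x13, 1, 8]) + bytes(8)                     # placeholder sig body, type 0x13
    bind_sig = bytes([4, 0x18, 1, 8]) + bytes(8)                     # placeholder sig body, type 0x18
    return armor(pkt(6, primary) + pkt(13, b"Example User <user@example.com>") + pkt(2, cert_sig)
                 + pkt(14, subkey) + pkt(2, bind_sig))

def run_demo() -> dict:                               # describe the sample, then alter one CRC character
    armored = build_sample_export()
    i = armored.index("\n=") + 1                      # index of the CRC line's "="
    tampered = armored[:i + 1] + ("B" if armored[i + 1] == "A" else "A") + armored[i + 2:]
    try:
        dearmor(tampered)
        detected = False
    except ValueError:
        detected = True
    return {"entries": describe_key(armored), "tamper_detected": detected}
```

Run describe_key on the output of gpg --armor --export for your own key to see the same structure with real fingerprints; the "keyid" of the first entry is the value to give git config user.signingkey. The CRC line only catches accidental corruption (a line lost while copying into the GitHub form), not deliberate substitution; the fingerprint, compared with what gpg --fingerprint prints, is what identifies the key.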

Deploy to GitHub and Gitee

  1. List the secret keys: gpg --list-secret-keys --keyid-format=long prints the keys created above, including each key's long (16 hex digit) key ID.
  2. Export the public key: gpg --armor --export <key ID from step 1> prints the public key in ASCII-armored form.
  3. Add the public key (the -----BEGIN PGP PUBLIC KEY BLOCK----- and -----END PGP PUBLIC KEY BLOCK----- lines and everything between them) to GitHub and Gitee. Both have a dedicated place for GPG keys in the account settings.
     When adding a key on GitHub or Gitee you are asked to re-enter your account password.

Configure Git

  1. Tell Git which key to sign with. Global command: git config --global user.signingkey GPG-KEY-ID, where GPG-KEY-ID is the long key ID listed by gpg --list-secret-keys --keyid-format=long. (Verifying the signature is done by GitHub and Gitee with the public key you uploaded, and locally with git log --show-signature.)

  2. Turn on automatic signing. Global command: git config --global commit.gpgsign true; for a single repository (run inside it): git config commit.gpgsign true. Without this you must pass -S (capital S) to git commit for every signed commit; note that lowercase -s only adds a Signed-off-by trailer and does not sign anything.

  3. Point Git at the GPG program. Global command: git config --global gpg.program "C:\Program Files (x86)\gnupg\bin\gpg.exe", replacing the path with your own installation. If this is not set and Git picks up a different gpg binary (one that does not see your keyring), committing fails with gpg: skipped "xxxxx": No secret key.

Use and effect

  Once Git is configured as above, every local commit is signed by GPG automatically; nothing feels different from before.

  With the key deployed to GitHub and Gitee and Git configured, each commit pushed to the GitHub or Gitee repository shows a "Verified" badge in the repository's commit list. A signed commit whose key is not registered on the account is shown as unverified instead.

gpg: can’t connect to the agent: IPC connect call failed

  When committing code today I was prompted gpg: can't connect to the agent: IPC connect call failed. This is caused by gpg-agent not having started. According to the GnuPG website, gpg starts gpg-agent automatically when it is needed, but that did not happen here and I do not know why. The fix is simple: start gpg-agent manually with gpg-agent --daemon --verbose (gpgconf --launch gpg-agent does the same through GnuPG's own launcher).

SSH vs. GPG

  • SSH (Secure Shell) secures an interactive, bidirectional session.
  • GPG (GNU Privacy Guard) encrypts and signs, which are one-way operations on a message or file.
  • SSH calls the private half of a key pair the private key; GPG calls it the secret key. Both call the other half the public key.
  • Normally only the servers you log into need your SSH public key; nobody else has to know it. A GPG public key is meant to be published as widely as possible: it tells everyone "verify against this key and beware of forgeries".
  • For SSH, one key per machine is recommended, so a lost or compromised machine costs only one key. For GPG, one primary key plus several subkeys is enough, and a GPG [A] subkey can be used for SSH logins (gpg-agent with enable-ssh-support acts as the SSH agent).

References

  1. https://blog.csdn.net/u011174139/article/details/120139497
  2. https://zhuanlan.zhihu.com/p/481900853
  3. https://zhuanlan.zhihu.com/p/137801979
  4. https://docs.github.com/cn/authentication/managing-commit-signature-verification/generating-a-new-gpg-key
  5. https://www.codercto.com/a/49711.html

Origin blog.csdn.net/ZCShouCSDN/article/details/125258469