Signing my Git commits: Part 2
A couple of days ago I started signing my git commits (at least, the ones I make on my laptop), but it started to get old pretty quick. I’ve been signing with my primary Keybase key, which requires a really long password to be entered every single time. That’s sub-optimal in two ways: a) I’m signing with the main key, which if it’s stolen I have no way to bootstrap re-authenticating myself and b) copy+pasting a really long password sucks.
So I created a sub-key under the main key, and pushed it to Keybase (while I was at it, I pushed the updated keyring with my email address in it as well). I then threw away the secret for the main key so that I only had my git commit signing key present on the laptop (and uninstalled keybase so I don’t accidentally clobber it).
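One way to reach the keyring state described above, where the laptop holds the signing sub-key's secret but only a stub for the main key; this is an added example, not commands from the original post. The identity, the empty passphrase, the temporary keyring directories and the helper function names are all constructed for the demo.

```bash
# Added example: demo identity, empty passphrase and temp keyrings are assumptions.
set -eu

# gpg wrapper: $1 = keyring directory, remaining args are passed to gpg.
g() {
  local home="$1"; shift
  gpg --homedir "$home" --batch --quiet --pinentry-mode loopback --passphrase '' "$@"
}

# Build a keyring in $1 that can sign but cannot certify; prints the sub-key fingerprint.
make_signing_only_keyring() {
  local laptop="$1" full primary
  full="$(mktemp -d)"   # stands in for the offline copy of a real main key
  mkdir -p "$laptop" && chmod 700 "$laptop"
  # Certify-only primary key, then a sign-only sub-key under it.
  g "$full" --quick-generate-key 'Example Dev <dev@example.invalid>' ed25519 cert never
  primary="$(g "$full" --with-colons --list-keys | awk -F: '/^fpr:/ && !n++ {print $10}')"
  g "$full" --quick-add-key "$primary" ed25519 sign 1y
  # --export-secret-subkeys omits the primary secret; the importer gets a stub.
  g "$full" --export-secret-subkeys "$primary" | g "$laptop" --import
  gpgconf --homedir "$full" --kill gpg-agent || true
  rm -rf "$full"
  g "$laptop" --with-colons --list-keys |
    awk -F: '/^sub:/ {s=1} s && /^fpr:/ && !n++ {print $10}'
}

# "stub" when the primary secret is absent from keyring $1, "present" otherwise.
# Field 15 of the colon-format "sec" record is "#" for a stub.
primary_secret_state() {
  g "$1" --with-colons --list-secret-keys |
    awk -F: '/^sec:/ && !n++ {print ($15 == "#" ? "stub" : "present")}'
}

if [ "${1:-}" = "demo" ]; then
  dir="$(mktemp -d)"
  sub="$(make_signing_only_keyring "$dir")"
  echo "primary secret in laptop keyring: $(primary_secret_state "$dir")"
  # The trailing ! makes gpg use exactly this sub-key for signing.
  echo "git config user.signingkey '${sub}!'"
  echo "git config commit.gpgsign true"
fi
```

In the human-readable `gpg --list-secret-keys` output the same state shows up as `sec#` on the primary key line.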
I then spent far longer than I reasonably should have trying to get gpg-agent working with .xsession, before learning that once I’d added the stuff to ~/.gnupg/gpg-agent.conf on my Debian machine, all I had to do was re-login and the agent would be running for me (that’s handy).
I experimented with several GPG pinentry programs, none of which would function correctly and let me paste the secret in, but I probably don’t want to be using my Keybase passphrase anyway, so I replaced it with one that I can remember, and I can just type it into the pinentry window when it pops up (I could also add it to the gnome keyring so it’s unlocked when I log in, but I’m not sure if I want to go that far, I am still pretty paranoid).