Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/ricsanfre/git-pat-gpg
Guide to automate the use Github Personal Access Token credentials with GPG and git cli.
https://github.com/ricsanfre/git-pat-gpg
git github-config gpg token-based-authentication
Last synced: 23 days ago
JSON representation
Guide to automate the use Github Personal Access Token credentials with GPG and git cli.
- Host: GitHub
- URL: https://github.com/ricsanfre/git-pat-gpg
- Owner: ricsanfre
- Created: 2021-08-13T09:20:02.000Z (over 3 years ago)
- Default Branch: master
- Last Pushed: 2021-08-13T09:53:32.000Z (over 3 years ago)
- Last Synced: 2024-11-27T21:41:24.551Z (3 months ago)
- Topics: git, github-config, gpg, token-based-authentication
- Language: Shell
- Homepage:
- Size: 3.91 KB
- Stars: 2
- Watchers: 1
- Forks: 0
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
README
# How to Use of GitHub's Personal Access Token (PAT) with git cli and GPG
In Linux GPG encryption can be used to encrypt/decrypt passwords and tokens data using a GPG key-pair
GnuPG is a free software implementation of the OpenPGP standard that allows you to encrypt and sign your data and communications using GPG encryptions
GnuPG can be used as cross-platform password manager, including GIT HTTPS credetials.
## GnuPG Installation and configuration
### Step 1. Install GnuPG packet
sudo apt install gnupg
Check it is installed
gpg --help
### Step 2. Generating Your GPG Key Pair
GPG key-pair consist on a public and private key used for encrypt/decrypt
gpg –-gen-key
The output of the command is like this:
```
gpg (GnuPG) 2.2.4; Copyright (C) 2017 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Note: Use "gpg --full-generate-key" for a full featured key generation dialog.
GnuPG needs to construct a user ID to identify your key.
Real name: Ricardo
Email address: [email protected]
You selected this USER-ID:
"Ricardo "
Change (N)ame, (E)mail, or (O)kay/(Q)uit? O
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: /home/ansible/.gnupg/trustdb.gpg: trustdb created
gpg: key D59E854B5DD93199 marked as ultimately trusted
gpg: directory '/home/ansible/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/home/ansible/.gnupg/openpgp-revocs.d/A4745167B84C8C9A227DC898D59E854B5DD93199.rev'
public and secret key created and signed.
pub rsa3072 2021-08-13 [SC] [expires: 2023-08-13]
A4745167B84C8C9A227DC898D59E854B5DD93199
uid Ricardo
sub rsa3072 2021-08-13 [E] [expires: 2023-08-13]
```
During the generation process you will be prompted to provide a passphrase.
## Exporting Your Public Key
If you need to export and share your public key to others, you run the commands below… The public key is used to authenticate that the content encrypted by you actually came from you…
It is also used to decrypt the content you encrypted…
gpg --armor --export [email protected] > public_key.asc
You can also use the commands below to export the key into a readable text file…
gpg --armor --output key.txt --export [email protected]
You can then send the public key file to those who should get it..
## Git PAT encryption and usage
First you need to obtain a valid authentication token for GitHub. See procedure how to obtain a [personal accesss token](https://docs.github.com/en/github/authenticating-to-github/keeping-your-account-and-data-secure/creating-a-personal-access-token)
### Step 1. Encrypt GitHub PAT token with GPG
To encrypt token(password) run:
gpg -e -o [PATH_TO_ENCRYPTED_TOKEN] -r "[GPG_KEY_USER_ID]"
gpg -e -o $HOME/git_pat_gpg -r [email protected]
type the token (or copy-paste it) then press Ctrl+D for ending input, or use file name with this token.
### Step 2. Make a custom git credential helper:
Create bash file with name `git-credential-gpgpat` (without .sh extension) in $HOME
```
#!/bin/bash
token=`gpg -d -r "[GPG_KEY_USER_ID]" [PATH_TO_ENCRYPTED_TOKEN] 2>/dev/null`
echo protocol=https
echo host=[YOUR_HOST]
echo username=[YOUT_GIT_USER_NAME]
echo password=$token
```
### Step 3. Check script
Execute the script and checks that is outputing the unencrypted password
### Step 3. Add the git credential helper
git config --global credential.helper [ABSOLUTE_PATH_TO_BASH_SCRIPT ]
git config --global credential.helper $HOME/git_credential_gpgpat
git will try to get the credentials from this helper and it would use it for every push/pull/clone.
### Step 4. Add GPG_TTY env variable to user profile
Since gpg passphrase need to be prompted to the same tty session where git commands are executed `GPG_TTY` variable need to be set to the actual tty session opened. This will avoid messages of type "gpg: public key decryption failed: Inappropriate ioctl for device":
Add to `.bashrc`
export GPG_TTY=$(tty)