Nitrokey 3: Git

When committing changes to a git repository, you can sign the commit to prove the identity of its author.

Using a PGP smart card does not change the procedure.

List your keys:

$ gpg --list-secret-keys --keyid-format=long
/home/username/.gnupg/pubring.kbx
--------------------------------
sec#  rsa4096/0123456789ABCDEF 2023-01-01 [C]
uid                 [ultimate] Firstame Lastname <my-email@address.com>
uid                 [ultimate] Firstame Lastname <other-email@address.org>
ssb>  rsa4096/0011223344556677 2023-01-01 [S]
ssb>  rsa4096/8899AABBCCDDEEFF 2023-01-01 [E]
ssb>  rsa4096/FEDCBA9876543210 2023-01-01 [A]

Note the long key ID of the signing sub-key, the one marked [S] (0011223344556677 in this example), and add it to git:

$ git config --global user.signingkey 0011223344556677!

The trailing exclamation mark ! tells GnuPG to use exactly this sub-key instead of choosing one itself.

Now add -S to git commit to sign the commit.

As with SSH, to require a touch on the key before each signature, the User Interaction Flags need to be configured.
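
The key selection above can be scripted. The following is an added example, not part of the original post: it reads a listing in the format shown above, finds the sub-keys with the S capability, and reports where each secret key lives (ssb> means on a smart card, ssb# means not available, plain ssb means on disk). The function names are hypothetical and the sample is constructed from the listing above.

```sh
#!/bin/sh
# Added example: choose the value for git's user.signingkey from the output of
#   gpg --list-secret-keys --keyid-format=long
# Only sub-key (ssb) lines are considered; function names are hypothetical.

# Constructed sample, copied from the listing shown in the post.
sample_listing() {
cat <<'EOF'
sec#  rsa4096/0123456789ABCDEF 2023-01-01 [C]
uid                 [ultimate] Firstame Lastname <my-email@address.com>
ssb>  rsa4096/0011223344556677 2023-01-01 [S]
ssb>  rsa4096/8899AABBCCDDEEFF 2023-01-01 [E]
ssb>  rsa4096/FEDCBA9876543210 2023-01-01 [A]
EOF
}

# stdin: key listing. stdout: one "<KEYID> <state>" line per sub-key whose
# capability field (4th column) contains S. state is card, disk or missing.
signing_subkeys() {
  awk '
    $1 ~ /^ssb[>#]?$/ && index($4, "S") {
      state = "disk"
      if ($1 == "ssb>") state = "card"
      if ($1 == "ssb#") state = "missing"
      split($2, part, "/")        # "rsa4096/0011..." -> algorithm, key ID
      print part[2], state
    }'
}

# stdin: key listing. stdout: "<KEYID>!" for the first signing sub-key held
# on a smart card. Exits non-zero when no such sub-key exists, so a key that
# only lives on disk is never configured by accident.
git_signingkey() {
  signing_subkeys | awk '
    $2 == "card" { print $1 "!"; found = 1; exit }
    END { exit (found ? 0 : 1) }'
}

# Real use (needs gpg and the card's key stubs in the keyring):
#   key=$(gpg --list-secret-keys --keyid-format=long | git_signingkey) &&
#     git config --global user.signingkey "$key"

sample_listing | signing_subkeys
```
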
