Keybase will be a public directory of publicly auditable public keys. All paired, for convenience, with unique usernames.
I just created my Keybase. You can see my PGP public key on keybase.io/yous and get the key via https://keybase.io/yous/key.asc. Anyone can encrypt a message using my public key, and then I can decrypt it using my private key and read the message safely. All of this can be done in the browser, in Keybase.
Keybase provides several ways to prove your identity on a Twitter account, a GitHub account, websites and a bitcoin address. This can also be done in the browser, or you can use the command line for it. I proved my GitHub by keybase.md and this site by keybase.txt. You can also check it from the command line like:
$ keybase id yous
✔ public key fingerprint: 1BF1 AFE8 682E 45A2 11FF 2C0E 891B 7A9E 1D5A 400A
✔ "yous" on github: https://gist.github.com/149b0775d2ff02eac323
✔ admin of yous.be via HTTP: http://yous.be/keybase.txt
The Keybase command line program provides a dir command to sign or verify a directory. First you should install the command line client; see the installation docs. If you already have an account, just run keybase login. You can also sign up with keybase signup in the terminal.
First, change to the directory you want to sign:
~ $ cd Dropbox/Public
~/Dropbox/Public $ keybase dir sign
info: Success! Wrote SIGNED.md from 224 found items
~/Dropbox/Public/SIGNED.md is generated. In the same directory, you can also verify the directory with:
~/Dropbox/Public $ keybase dir verify
info: Valid signature from keybase user yous
✔ public key fingerprint: 1BF1 AFE8 682E 45A2 11FF 2C0E 891B 7A9E 1D5A 400A
✔ "yous" on github: https://gist.github.com/149b0775d2ff02eac323
✔ admin of yous.be via HTTP: http://yous.be/keybase.txt
info: Signed 4 minutes ago (Fri Jul 18 2014 20:06:31 GMT+0900 (KST))
info: Success! 1 signature(s) verified; 224 items checked
When you create a public key on Keybase, the default UID has the name keybase.io/<username> and the email <username>@keybase.io. You can add a UID with your real name and regular email. From "One GnuPG/PGP key pair, two emails?":
$ gpg --edit-key <username>@keybase.io
gpg> adduid
Real name: <name>
Email address: <email>
Comment: <comment or Return to none>
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
Enter passphrase: <passphrase>
gpg> uid <uid>
gpg> trust
Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y
gpg> save
All the crypto of Keybase is performed with GPG, so you can sign your tags and your commits. To set up your signing key, you need to get your key ID with:
$ gpg --list-secret-keys | grep "^sec"
sec   4096R/1D5A400A 2014-07-16
The 1D5A400A part is your key ID. Then you can set your signing key with:
$ git config --global user.signingkey 1D5A400A
Running git config --global commit.gpgsign true makes Git sign every commit:
$ mkdir tmp && cd tmp
$ git init
$ echo foo > foo
$ git add foo
$ git commit -m "Test commit of foo"
You need a passphrase to unlock the secret key for
user: "John Doe <email@example.com>"
2048-bit RSA key, ID E79FBC2D, created 2014-07-16 (main key ID 1D5A400A)
[master (root-commit) 6cdfc26] Test commit of foo
 1 file changed, 1 insertion(+)
 create mode 100644 foo
After adding signed commits, you can see their signatures with:
$ git log --show-signature
commit 6cdfc26eb2273fed14181fe4a09b6240323b8930
gpg: Signature made 금 7/18 21:29:24 2014 KST using RSA key ID E79FBC2D
gpg: Good signature from "John Doe <firstname.lastname@example.org>"
gpg:                 aka "keybase.io/jdoe <email@example.com>"
Author: John Doe <firstname.lastname@example.org>
Date:   Fri Jul 18 21:29:14 2014 +0900
    Test commit of foo
 foo | 1 +
 1 file changed, 1 insertion(+)
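To check signatures over a whole history instead of reading the log by eye, the added example below (not part of the original post) audits git log --format='%H %G? %GP' output against the full fingerprint printed by keybase id, rather than the short key ID. The function names, the sample lines and the choice to accept status U when the fingerprint matches are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post.
# Fingerprint printed by `keybase id yous` above, spaces removed.
EXPECTED_FPR=1BF1AFE8682E45A211FF2C0E891B7A9E1D5A400A

# Constructed sample of `git log --format='%H %G? %GP'` output
# (%GP, the primary key fingerprint, is missing from older Git releases).
# Only the first hash is the commit shown above; everything else is made up.
sample_log() {
    cat <<'EOF'
6cdfc26eb2273fed14181fe4a09b6240323b8930 G 1BF1AFE8682E45A211FF2C0E891B7A9E1D5A400A
1111111111111111111111111111111111111111 N
2222222222222222222222222222222222222222 G AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
3333333333333333333333333333333333333333 B 1BF1AFE8682E45A211FF2C0E891B7A9E1D5A400A
EOF
}

# audit_signatures FPR: read "<commit> <status> <fingerprint>" lines on stdin,
# print one line per rejected commit, return 1 if any commit was rejected.
audit_signatures() {
    expected=$1
    failed=0
    while read -r commit status fpr; do
        [ -n "$commit" ] || continue
        case $status in
            G|U) # valid signature; U = key not trusted locally, so the pin decides
                [ "$fpr" = "$expected" ] && continue
                echo "$commit signed by unexpected key $fpr" ;;
            N)  echo "$commit is unsigned" ;;
            B)  echo "$commit has a BAD signature" ;;
            *)  echo "$commit rejected (status ${status:-?})" ;;  # X, Y, R, E
        esac
        failed=1
    done
    return "$failed"
}

# Real use: git log --format='%H %G? %GP' | audit_signatures "$EXPECTED_FPR"
sample_log | audit_signatures "$EXPECTED_FPR" || echo "audit failed"
```

A signature made with a subkey, like E79FBC2D above, still passes because %GP reports the primary key's fingerprint.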
For more information, see A Git Horror Story: Repository Integrity With Signed Commits by Mike Gerwitz.