This is a bit of frustration post. I’m not a professional and some stuff is super confusing. And it might not even be programming only, as this seems to be a general issue when it comes to signing and security in computers. Every time I have to reinstall my operating system (its really only a few times in a decade), one of the things i fear most is signing into Github, signing keys and setting up local git on my Linux machine. I want the verified badge. Every time its a fight in understanding and doing the right steps, creating gpg keys and access tokens and such.
Am I the only one who struggles with this? Right now I have set it up and my test repository has the badge again. Do people care about this? Especially people like me who does a few little CLI and scripts and nothing else. Am I doing enterprise level security for the sake of an icon or is this really more secure? I do not have ANY professional background. As said I seem to have setup correctly now, so this is not asking for troubleshooting. Just wanted hear about your opinion and experience, and if any of you care.
Reinstalling your operating system once a decade seems a bit excessive. When you’re more experienced you’ll probably not want to do it that often.
While it is a good practice to create new PGP keys with some regularity, there’s absolutely no reason to do it at the same time as reinstalling your operating system, doing that is only an unnecessary complication. The normal thing to do is to copy the entire home directory (and at least the keyring) from the old installation to the new.
The purpose of PGP signing git commits is to make it possible for others to verify that a commit has been created by you and not by someone else pretending to be you
If there are other people who look at your commits and want to verify that they really were made by you then this matters a lot. If no-one does that with your commits, it doesn’t matter at all.
I don’t reinstall very often, usually use it for many years (its a rolling release). But even if I do, that should not be the problem here. As for the process to take over the old signed keys and reuse them, I didn’t know. I always thought the signing is for a specific set of hardware and current os installation. I have the directory .gnupg and the files .git-credentials and .gitconfig. Is there something else I have to copy?
Ah, no, PGP keys are intended for identifying people, not machines.
That’s all you need for GPG.
Why not copy your entire home directory?
I never take over entire home, only selected configurations. Usually my old drive is available as a backup, in case I forgot something important (but my last drive broke). If done correctly, this approach is much cleaner and not the actual problem, doing it since 2008. Just didn’t know I could reuse my existing .gnupg directory. I’ll add this dir to my regular backup routine, after everything is working as it should.
I can only test this years from now. Thank you for this advice, it will save me lot of trouble and nerves.