7. How to Create a Subkey for Signing

Published Apr 23, 2023

HEADER IMAGE

By default, when you create a new GPG key, what you create is a pair of keys:

  • The Primary Key
  • A subkey for encryption.

This is a sample output:

pub   rsa3072 2022-03-03 [SC]
      9DE3 32FB 25C8 A2D6 EDF9  DE8E B5B5 8E7C A8F5 6B98
uid           [ultimate] Test User <test.user@example.com>
sub   rsa3072 2022-03-03 [E]

As you can see, the primary key is valid for certification and signing. A much better approach is to use also a different subkey for signing. You can read a full explanation on why that’s a better solution in this article about GPG subkeys.

Git and GitHub official documentation promotes using the GPG keys the way they are created by default. If you want to sign commits and you do not know how to do it, you will probably end up reading Git or GitHub official documentation:

In those documents, they promote the use of the master or primary key. Or at least, it’s what they use. They probably do not want to overwhelm the reader with a lot of GPG technical stuff.

If you list one of your GPG keys you will see something like:

gpg --list-keys --fingerprint --with-keygrip --with-subkey-fingerprints 88966A5B8C01BD04F3DA440427304EDD6079B81C
pub   rsa4096 2021-11-19 [SC]
      8896 6A5B 8C01 BD04 F3DA  4404 2730 4EDD 6079 B81C
      Keygrip = 449972AC9FF11BCABEED8A7AE834C4349CC4DBFF
uid           [ultimate] A committer <committer@example.com>
sub   rsa4096 2021-11-19 [E]
      B1D4 A248 3D1D 2A02 416B  E077 5B6B DD35 BEDF BF6F
      Keygrip = 97D36F5B8F5BECDA8A1923FC00D11C7C438584F9

The meaning for the letters inside brackets are the GPG key capabilities:

Character Capability
S Sign
C Certify
E Encrypt
A Authentication

If you want to create a signing key, you can follow Debian’s post. If you do it the output would be something like:

gpg --edit-key 88966A5B8C01BD04F3DA440427304EDD6079B81C

gpg (GnuPG) 2.2.19; Copyright (C) 2019 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

sec  rsa4096/27304EDD6079B81C
     created: 2021-11-19  expires: never       usage: SC
     trust: ultimate      validity: ultimate
ssb  rsa4096/5B6BDD35BEDFBF6F
     created: 2021-11-19  expires: never       usage: E
[ultimate] (1). A committer <committer@example.com>

gpg> addkey
Please select what kind of key you want:
   (3) DSA (sign only)
   (4) RSA (sign only)
   (5) Elgamal (encrypt only)
   (6) RSA (encrypt only)
  (14) Existing key from card
Your selection? 4
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

sec  rsa4096/27304EDD6079B81C
     created: 2021-11-19  expires: never       usage: SC
     trust: ultimate      validity: ultimate
ssb  rsa4096/5B6BDD35BEDFBF6F
     created: 2021-11-19  expires: never       usage: E
ssb  rsa4096/3F39AA1432CA6AD7
     created: 2021-11-26  expires: never       usage: S
[ultimate] (1). A committer <committer@example.com>

gpg> save

And this is the key including also keygrips:

gpg --list-keys --fingerprint --with-keygrip --with-subkey-fingerprints 88966A5B8C01BD04F3DA440427304EDD6079B81C
pub   rsa4096 2021-11-19 [SC]
      8896 6A5B 8C01 BD04 F3DA  4404 2730 4EDD 6079 B81C
      Keygrip = 449972AC9FF11BCABEED8A7AE834C4349CC4DBFF
uid           [ultimate] A committer <committer@example.com>
sub   rsa4096 2021-11-19 [E]
      B1D4 A248 3D1D 2A02 416B  E077 5B6B DD35 BEDF BF6F
      Keygrip = 97D36F5B8F5BECDA8A1923FC00D11C7C438584F9
sub   rsa4096 2021-11-26 [S]
      BD98 B3F4 2545 FF93 EFF5  5F7F 3F39 AA14 32CA 6AD7
      Keygrip = 00CB9308AE0B6DE018C5ADBAB29BA7899D6062BE

If for example, you want to use that subkey to sign git commits, you can replace your git config with:

[user]
        name = Your Name
        email = your@email.com
        signingkey = B29BA7899D6062BE

You should remove all the capabilities from the primary key except for “Certify” ([C]). You can do it by editing the primary key in expert mode. You have to use the option change-usage which is a “hidden” option (not listed with the help command)

gpg --expert --edit-key 88966A5B8C01BD04F3DA440427304EDD6079B81C
gpg (GnuPG) 2.2.19; Copyright (C) 2019 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

sec  rsa4096/27304EDD6079B81C
     created: 2021-11-19  expires: never       usage: SC
     trust: ultimate      validity: ultimate
ssb  rsa4096/5B6BDD35BEDFBF6F
     created: 2021-11-19  expires: never       usage: E
ssb  rsa4096/3F39AA1432CA6AD7
     created: 2021-11-26  expires: never       usage: S
[ultimate] (1). A committer <committer@example.com>

gpg> change-usage
Changing usage of the primary key.

Possible actions for a RSA key: Sign Certify Encrypt Authenticate
Current allowed actions: Sign Certify

   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? S

Possible actions for a RSA key: Sign Certify Encrypt Authenticate
Current allowed actions: Certify

   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? Q

sec  rsa4096/27304EDD6079B81C
     created: 2021-11-19  expires: never       usage: C
     trust: ultimate      validity: ultimate
ssb  rsa4096/5B6BDD35BEDFBF6F
     created: 2021-11-19  expires: never       usage: E
ssb  rsa4096/3F39AA1432CA6AD7
     created: 2021-11-26  expires: never       usage: S
[ultimate] (1). A committer <committer@example.com>

gpg> save

After editing the key you should see only the [C] capability on the primary key.

gpg -k
/home/josecelano/.gnupg/pubring.kbx
-----------------------------------
pub   rsa4096 2021-11-19 [C]
      88966A5B8C01BD04F3DA440427304EDD6079B81C
uid           [ultimate] A committer <committer@example.com>
sub   rsa4096 2021-11-19 [E]
sub   rsa4096 2021-11-26 [S]

Back to home

Secure Git Guide © 2023