Protocol to Declare and Share Developer GPG Key

A developer GPG key is a cryptographic key pair that serves as your digital identity in the software development ecosystem. This key enables:

• Authenticity: Verification that commits originated from you
• Integrity: Confirmation that your contributions remain untampered
• Security: Protection against impersonation attacks in your projects

Without commits and releases cryptographically signed, an attacker may do fake pull request, commits and releases that appear to originate from a legitimate developer, with a compromised contributor’s account (Github/Gitlab/Bitbucket).

This guide provides a step-by-step protocol for creating, configuring, and managing your developer GPG key. You can use this as a checklist when setting up your first key or updating an expired one.

1. Generate Your GPG Key

Create a key with 1-year expiration (recommended, never have indefinite keys)

gpg --batch --gen-key <<EOF
Key-Type: eddsa
Key-Curve: ed25519
Key-Usage: sign
Subkey-Type: ecdh
Subkey-Curve: cv25519
Subkey-Usage: encrypt
Name-Real: Martin Monperrus
Name-Email: martin.monperrus@gnieh.org
Expire-Date: 1y
%commit
EOF

Export your public key as ASCII-armored for sharing

gpg --export --armor YOUR_KEY_ID > public-key.asc

It is also recommended to directly create the revocation certificate: gpg --command-fd 0 --output output_file --gen-revoke key_id.

2. Configure Git to Use Your Key

Add to your .gitconfig:

[user]
    name = Your Name
    email = your.email@example.com
    signingkey = YOUR_KEY_ID

[commit]
    gpgsign = true

[tag]
    gpgsign = true

3. Publish Your Key to Public Servers

Distribute to multiple keyservers for redundancy and comparison.

gpg --keyserver hkps://keys.openpgp.org --send-keys YOUR_KEY_ID
gpg --keyserver hkps://keyserver.ubuntu.com --send-keys YOUR_KEY_ID

Note: keys.openpgp.org sends an automated email verification challenge to complete before the key becomes searchable.

Push your key to appropriate transparency logs such as rekord, see push_key_to_rekor.py (example key)

4. Add Your Key to Development Platforms

• GitHub:
  • Settings → SSH and GPG keys → New GPG key
  • Because the settings is not public, document it in your Github profile (eg in bio or Github profile page)
• GitLab: Preferences → GPG Keys → Add key
• Bitbucket: Personal settings → GPG keys → Add key

5. Announce Your Key

Share your key ID and fingerprint through:

• Professional social networks (LinkedIn, Twitter/X)
• Team communication channels (Slack, Discord, etc.)
• Email signature (optional)

Following this protocol establishes a verifiable digital identity, enhancing the security and trustworthiness of your contributions.

Appendix

• 21 April 2025: my 1-year key has expired, followed this protocol for my new key 9D91C939710507D65F2ADC785BE694BB2D59D0B0
• 23 April 2025: key rotation, new key is 7DB52BE852B47C0F2943C9405DE7D3DA459CD2E6