GitHub adds support for GPG Signature Verification

It’s official, GitHub has announced (as of April 5th 2016) that they will now be supporting GPG-signed commit verification!

[Image: a series of GPG-signed commits, showing the signature verification on GitHub]

GitHub now shows signed git commits and tags with a green “Verified” button, not only indicating that the commit or tag is signed, but validating the GPG signature against the keys that are known to that user (set in your GitHub account settings).

The signature verification is also visible within Pull Requests, which is a great feature for large open-source projects to verify that code from trusted project members is really from the right people.

Why Signed Commits Are Important



I Destroyed The Indestructible (Borked YubiKey)

Hardware authentication and security tokens, like the YubiKey, are a great advance in IT security; their accessibility for individuals and low price point make it easy to secure your IT services, online accounts, and more using a hardware secure element that is nearly immune to private key leak or theft.

I’ve been using a YubiKey NEO for nearly a month now and I use it daily, on both my MacBook and my mobile (via NFC). Its smart-card (PIV/CCID) element has three keys on it: a signing key, an encryption key, and an authentication key, which I use for code, email, and git commit signing, as well as secure-shell (SSH) authentication, and more.

The FIDO U2F component also integrates tightly with my digital world, acting as a second (or in some cases third) factor of authentication for all of my online accounts which support it (right now that’s GitHub, Google, and Dropbox, to name a few). In combination with the OTP modes available, the YubiKey is a very powerful bit of kit!

Crush-Proof, Not Dan-Proof

Before I go on, don’t let me put you off: YubiKeys are awesome! (I’m sure alternatives are too, but the YubiKey, and Yubico as a whole, seriously rocks – read on to find out why.)

So there I am, finishing some changes to a large (and unfortunately proprietary) project. I always sign my git commits and outgoing mail, so I plug in my YubiKey NEO, start the gpg-agent service, and give my code a quick once-over before committing it.

Sweet! Code looks good, I’ll just grab a drink and then this commit is good to go!

This quickly becomes the story of how I destroyed my YubiKey NEO. I broke the unbreakable. Nothing is Dan-proof, something which has been proven time and again.

As I placed my MacBook on the seat of the sofa and began to get up, it slid off the edge, falling only a short distance onto its side. As my luck would have it, that side was the side to which I had just connected my YubiKey.

Mistakes were made!
