Keeping track of my GPG keys? #22352
Hi community!

Short: Tips on knowing which GPG key is which on my GitHub settings page?

Long: I'm regularly switching computers. I always have two or more in the spin at a single time (home desktop, work desktop, work laptop…), and I develop on all of these. I'm in the habit of signing my work via GPG keys. Different keys for different computers (and yes, different passphrases for each key, calm down). But my GPG settings page (https://github.com/settings/keys) gets very cluttered with my keys, and the list only specifies the Key ID and the email address assigned. The problem arises when I want to remove an old key from a computer I've already cleansed. "Which one of my keys was on that computer now again?" Not too regular of an occurrence, but a huge annoyance when it does happen, for I have to use the exclusion method on all my keys on all my computers to determine which key it was before I can finally remove it from my GitHub settings.

My question is: any goodie tips for avoiding this? Is it good/bad practice to move around the same key everywhere and not use different keys? (Like via USB? Is that possible?) It feels safer to use distinct keys and discard them when finished, but GitHub doesn't show the key comment in the settings page. 😦

Thanks in advance!
Replies: 2 comments
First of all, I am wondering why you are deleting your keys instead of securely destroying them? I always believed that the commits that are signed with a key that is not added to your account will show up as "unverified".

Personally, I think it's a good idea to just use one key and move it around on some secure device like a YubiKey, for example. But there are a lot of reasons why that wouldn't be possible. Keeping a little spreadsheet/document with the key ID mapped to the description might be the best solution then.
Oh my! You're totally right! I thought once a verified commit, always a verified commit. Now I have lots of repos with good-size quantities of "Unverified" commits. Good job me. Yea, I'm just gonna keep them instead of deleting them then, and spreadsheet the keys just in case I need to know which one's which someday.
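The spreadsheet suggested in the reply can be generated rather than typed by hand. The following is an added example (not code from GitHub or from anyone in this thread): it parses the machine-readable `--with-colons` output of `gpg --list-secret-keys`, pulls out the long key ID (the Key ID shown on https://github.com/settings/keys), the fingerprint and the parenthesised comment from the user ID, and tags each row with the hostname so the key can later be matched to the computer it lived on. The `SAMPLE` output and its key IDs are constructed for the example.

```python
import re
import shutil
import socket
import subprocess

# Constructed sample of `gpg --list-secret-keys --with-colons` output:
# two primary keys, only the first carrying a comment in its user ID.
SAMPLE = """\
sec:u:4096:1:AAAA1111BBBB2222:1600000000:::u:::scESC:::+:::23::0:
fpr:::::::::0123456789ABCDEF01234567AAAA1111BBBB2222:
uid:u::::1600000000::HASH1::Alice Example (work-laptop) <alice@example.com>::::::::::0:
ssb:u:4096:1:CCCC3333DDDD4444:1600000000::::::e:::+:::23:
fpr:::::::::89ABCDEF0123456789ABCDEFCCCC3333DDDD4444:
sec:u:4096:1:EEEE5555FFFF6666:1610000000:::u:::scESC:::+:::23::0:
fpr:::::::::FEDCBA9876543210FEDCBA98EEEE5555FFFF6666:
uid:u::::1610000000::HASH2::Alice Example <alice@example.com>::::::::::0:
"""

UID_COMMENT = re.compile(r"\(([^()]*)\)")  # the "(comment)" part of a user ID

def parse_secret_keys(colon_output):
    """Return {long_key_id: {fingerprint, uid, comment}} for each primary ('sec') key."""
    keys, current = {}, None
    for line in colon_output.splitlines():
        fields = line.split(":")
        kind = fields[0]
        if kind == "sec":                       # field 5 is the 16-hex key ID GitHub lists
            current = {"fingerprint": None, "uid": None, "comment": None}
            keys[fields[4]] = current
        elif kind == "ssb":                     # subkey: its fpr lines belong to it, not the primary
            current = None
        elif kind == "fpr" and current and current["fingerprint"] is None:
            current["fingerprint"] = fields[9]  # field 10 carries the fingerprint
        elif kind == "uid" and current and current["uid"] is None:
            current["uid"] = fields[9]          # field 10 is the user ID string
            m = UID_COMMENT.search(fields[9])
            current["comment"] = m.group(1) if m else None
    return keys

def inventory_rows(colon_output, host):
    """Spreadsheet rows: key ID (as shown on GitHub), host, comment, fingerprint."""
    return [(kid, host, info["comment"] or "(no comment in user ID)", info["fingerprint"])
            for kid, info in parse_secret_keys(colon_output).items()]

def local_inventory():
    """Rows for this machine's real keyring; empty list when gpg is not installed."""
    if shutil.which("gpg") is None:
        return []
    out = subprocess.run(["gpg", "--list-secret-keys", "--with-colons"],
                         capture_output=True, text=True, check=True).stdout
    return inventory_rows(out, socket.gethostname())

if __name__ == "__main__":
    for row in inventory_rows(SAMPLE, "constructed-host") + local_inventory():
        print(",".join(row))
```

Run it once on each computer and append the CSV lines to the shared document; the first column is the value to compare against the settings page when deciding which entry belongs to a machine that no longer exists.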