Skip to content

Committer Keys

Jump to bottom
Brent Cook edited this page Jun 13, 2018 · 119 revisions

This page lists the keys in use by Metasploit committers and can be used to verify merge commits made to https://github.com/rapid7/metasploit-framework.

Keybase.io identities

Keybase.io is used by Metasploit as an easy way to verify identities of committers.

If you're a committer on metasploit-framework, and you need an invite, just ask.

Github Username Keybase.io Username
@acammack-r7 acammackr7
@asoto-r7 asoto_r7
@bcoles bcoles
@busterb busterb
@bpatterson-r7 bpatterson
@bwatters-r7 bwatters
@chiggins chiggins
@egypt egypt
@FireFart firefart
@h00die h00die
@jbarnett-r7 jmbarnett
@jhart-r7 jhart
@jmartin-r7 jmartinr7
@jrobles-r7 jroblesr7
@lsato-r7 louissato
@Meatballs1 meatballs
@mkienow-r7 inokii
@mubix mubix
@OJ oj
@scriptjunkie scriptjunkie
@sgonzalez-r7 essgee
@tdoan-r7 doanosaur
@timwr timwr
@todb-r7 todb
@void-in void_in
@wchen-r7 wchenr7
@wvu-r7 wvu
@zeroSteiner zerosteiner

Note, keybase.io does not require your private key to prove your GitHub identity. Actually sharing your private key with Keybase.io is a matter of contention -- here's the usual argument against, and here's one thoughtful argument for.

As all Metasploit Framework committers are quite comfortable with the command line, there should be no need to store your (encrypted) private key with a third party. So, please don't, unless you have amazingly good reasons (and a great local password).

Tracking criteria

In order to get @bcook-r7 to track your key, you alert him to its existence through some non-GitHub means, and verify your GitHub username. That's all there is to it.

It would be sociable to track him (and everyone else on this list) back. Tracking is essentially "trusting" and "verifying" -- see the much longer discussion here.

Signing HOWTO

Signing merges and commits is easy and fun. Generate a signing key, if you don't have one already, using your favorite PGP/GPG interface (I use gpg --gen-key). Then add this to your $HOME/.gitconfig:

[user]
  name = Your Name
  email = [email protected]
  signingkey = DEADBEEF # Must match name and email exactly!
[alias]
  c = commit -S --edit
  m = merge -S --no-ff --edit

Using git c and git m from now on will sign every commit with your DEADBEEF key. However, note that rebasing or cherry-picking commits will change the commit hash, and therefore, unsign the commit -- to resign the most recent, use git c --amend.

Metasploit Wiki Pages

Clone this wiki locally