-
Notifications
You must be signed in to change notification settings - Fork 14.1k
Committer Keys
This page lists the keys in use by Metasploit committers and can be used to verify merge commits made to https://github.com/rapid7/metasploit-framework.
Keybase.io is used by Metasploit as an easy way to verify identities of committers.
If you're a committer on metasploit-framework, and you need an invite, just ask.
Note, keybase.io does not require your private key to prove your GitHub identity. Actually sharing your private key with Keybase.io is a matter of contention -- here's the usual argument against, and here's one thoughtful argument for.
As all Metasploit Framework committers are quite comfortable with the command line, there should be no need to store your (encrypted) private key with a third party. So, please don't, unless you have amazingly good reasons (and a great local password).
In order to get @bcook-r7 to track your key, you alert him to its existence through some non-GitHub means, and verify your GitHub username. That's all there is to it.
It would be sociable to track him (and everyone else on this list) back. Tracking is essentially "trusting" and "verifying" -- see the much longer discussion here.
Contributors are encouraged to sign commits, while Metasploit committers are required to sign their merge commits. Note that the name and e-mail address must match the information on the signing key exactly. To begin:
- Generate a signing key, if you don't have one already, using your favorite PGP/GPG interface:
$ gpg --gen-key
gpg (GnuPG) 1.4.20; Copyright (C) 2015 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection? 4
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 1y
Key expires at Fri 20 Dec 2019 01:38:11 PM CST
Is this correct? (y/N) y
You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
"Heinrich Heine (Der Dichter) <[email protected]>"
Real name: Dade Murphy
Email address: [email protected]
Comment:
You selected this USER-ID:
"Dade Murphy <[email protected]>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.
Enter passphrase: [...]
- Modify your
.git/config
file to enable signing commits and merges by default:
[user]
name = Your Name
email = [email protected]
signingkey = DEADBEEF # Must match name and email exactly!
[alias]
c = commit -S --edit
m = merge -S --no-ff --edit
Using git c
and git m
from now on will sign every commit with your DEADBEEF
key. However, note that rebasing or cherry-picking commits will change the commit hash, and therefore, unsign the commit -- to resign the most recent, use git c --amend
.
- Home Welcome to Metasploit!
- Using Metasploit A collection of useful links for penetration testers.
-
Setting Up a Metasploit Development Environment From
apt-get install
togit push
. - CONTRIBUTING.md What should your contributions look like?
- Landing Pull Requests Working with other people's contributions.
- Using Git All about Git and GitHub.
- Contributing to Metasploit Be a part of our open source community.
- Meterpreter All about the Meterpreter payload.