Software Engineer at Clave
As developers, most of our time is spent on GitHub, contributing to various projects, both open and closed source. Dozens of GitHub automations run in some repositories, sometimes releasing new public versions of applications and libraries. However, malicious code could be injected into the codebase by someone with unauthorized access to our computers. Signing commits helps prevent impersonation attacks, where someone tries to make unauthorized changes to the repository under your name, by verifying that the commit comes from a trusted authority. In this article, we are going to look at signing commits with GPG keys and walk through the required steps.
Before starting, let's look at a different scenario for the Ledger Connect Kit hack that happened recently. We know that the hack happened due to unauthorized access to the repository's npmjs registry account. To understand the big picture and what happened that day, let's first look at how the attacker gained unauthorized access to npmjs.

However, in an alternative scenario, this attack could also happen at the GitHub level (described below), which might likewise lead to malicious code being published for public use.

Front-end code in particular is quite exposed to these types of attacks. We all use cloud services such as Vercel to deploy our front-end services. Vercel's automation for easy deployment is really helpful for shipping web services immediately. However, it is important to control access to the git repository so that the automation does not deploy something it should not.
SSH and GPG keys are both widely used to sign commits on GitHub. The advantage of GPG keys is that they are managed with a more robust and flexible key management system than SSH keys: GPG supports features such as key expiration and revocation, which enhance security.
Let's take a look at the steps to create, register and use GPG keys with GitHub. I will show the example in a macOS environment; it should also work for Ubuntu and other Linux distributions.
1 - First, you need to install the packages required to create GPG keys on your computer. On macOS you can simply use brew to install them:
2 - After installing the required packages, you can start the creation process.
Run the following command in your terminal; it will ask you some questions about your GPG key.
gpg --full-generate-key
For the first question, GitHub supports the RSA, ElGamal, DSA, ECDH, ECDSA and EdDSA algorithms. We will continue with RSA, which is probably the most popular.
For the second question we will choose a 4096-bit key size, which is considered very secure for most applications.
For the third question, you can choose the validity period for your key. The recommended option is to keep the key validity as short as possible; however, that requires you to renew the key at each expiration. I will choose 1y (1 year) for this example, but you are free to lower the duration based on your needs.
Then you will enter your personal information for the GPG key. Make sure that the email you enter matches your GitHub email.
Finally, it will ask you for a passphrase to protect your GPG key. Choose a strong passphrase.
3 - After creating your GPG key, run the following command to list your keys with their IDs.
gpg --list-secret-keys --keyid-format=long
You will see output similar to the example below:
sec rsa4096/5BF8B141D9B03F0A 2024-03-07 [SC] [expires: 2025-03-07]
The long key ID is the part after the slash; in this example it is 5BF8B141D9B03F0A.
4 - Copy the key ID from the output and run the following command to export your public key block. Copy the whole output, starting with -----BEGIN PGP PUBLIC KEY BLOCK----- and ending with -----END PGP PUBLIC KEY BLOCK-----.
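Before registering a key it is worth checking that the one you are about to use is actually the right one: it must have signing capability, carry a uid with your GitHub email, and not be expired (or about to expire). The following script is an added example, not part of the original article: it parses the output of the listing command above and reports those problems. The sample listing is constructed for this example (keyring path, fingerprints, uids and the second, expired key are invented); only the first sec line is the one from the article.

```python
import re
from datetime import date, timedelta

# Constructed sample output in the shape of `gpg --list-secret-keys --keyid-format=long`.
# The first `sec` line is the one shown in the article; the keyring path, fingerprints,
# uid lines, subkey and the second (expired) key are invented for this example.
SAMPLE_LISTING = """\
/Users/alice/.gnupg/pubring.kbx
-------------------------------
sec   rsa4096/5BF8B141D9B03F0A 2024-03-07 [SC] [expires: 2025-03-07]
      0000111122223333444455555BF8B141D9B03F0A
uid                 [ultimate] Alice Example <alice@example.com>
ssb   rsa4096/1111222233334444 2024-03-07 [E] [expires: 2025-03-07]
sec   rsa2048/AAAABBBBCCCCDDDD 2019-01-01 [SC] [expired: 2021-01-01]
      999988887777666655554444AAAABBBBCCCCDDDD
uid                 [ultimate] Alice Example <old-laptop@example.com>
"""

# `sec` line: algorithm/long key id, creation date, capabilities, optional expiry state.
SEC_RE = re.compile(
    r"^sec\s+(?P<algo>\w+)/(?P<keyid>[0-9A-F]{16})\s+(?P<created>\d{4}-\d{2}-\d{2})"
    r"\s+\[(?P<caps>[A-Z]+)\]"
    r"(?:\s+\[(?P<state>expires|expired|revoked):\s+(?P<when>\d{4}-\d{2}-\d{2})\])?"
)
# Fingerprint line that gpg prints directly under the `sec` line (40 hex digits).
FPR_RE = re.compile(r"^\s+(?P<fpr>[0-9A-F]{40})$")
# uid line: "[trust] Name <email>"; gpg pads the trust word, hence the \s* around it.
UID_RE = re.compile(r"^uid\s+\[\s*(?P<trust>\w+)\s*\]\s+(?P<name>.*?)\s*<(?P<email>[^>]+)>")


def parse_secret_keys(listing: str) -> list[dict]:
    """Turn the textual listing into one dict per primary secret key."""
    keys = []
    for line in listing.splitlines():
        sec = SEC_RE.match(line)
        if sec:
            keys.append({**sec.groupdict(), "fingerprint": None, "emails": []})
            continue
        if not keys:
            continue  # keyring path / separator lines before the first key
        fpr = FPR_RE.match(line)
        if fpr and keys[-1]["fingerprint"] is None:
            keys[-1]["fingerprint"] = fpr.group("fpr")
            continue
        uid = UID_RE.match(line)
        if uid:
            keys[-1]["emails"].append(uid.group("email"))
    return keys


def key_status(key: dict, today: str, warn_days: int = 30) -> str:
    """Classify a key on the given ISO date (a string, so callers need no datetime import)."""
    if key["state"] == "revoked":
        return "revoked"
    if key["state"] is None:
        return "no-expiry"
    when = date.fromisoformat(key["when"])
    now = date.fromisoformat(today)
    if key["state"] == "expired" or when < now:
        return "expired"
    if when - now <= timedelta(days=warn_days):
        return "expiring-soon"
    return "ok"


def check_key(key: dict, github_email: str, today: str) -> list[str]:
    """Problems that would stop GitHub from showing 'Verified' or make the key unsafe to keep using."""
    problems = []
    if key["fingerprint"] and not key["fingerprint"].endswith(key["keyid"]):
        problems.append("long key id does not match fingerprint")
    if "S" not in key["caps"]:
        problems.append("primary key has no signing capability")
    if github_email not in key["emails"]:
        problems.append(f"no uid for {github_email}; GitHub will not mark commits Verified")
    status = key_status(key, today)
    if status in ("expired", "revoked"):
        problems.append(f"key is {status}")
    elif status == "expiring-soon":
        problems.append("key expires soon; renew or replace it before it lapses")
    return problems


if __name__ == "__main__":
    for k in parse_secret_keys(SAMPLE_LISTING):
        print(k["keyid"], key_status(k, "2024-06-01"), check_key(k, "alice@example.com", "2024-06-01"))
```

To run it against your own keyring, replace SAMPLE_LISTING with the real command output (for example via subprocess) and pass the email configured on your GitHub account; the expiry warning is the practical counterpart of choosing a short validity period in step 2.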
gpg --armor --export YOUR_KEY_ID_HERE
5 - Go to GitHub → Settings → SSH and GPG keys, then press the New GPG key button.

6 - Paste the copied GPG public key block into the text box and give it a title to identify it. Then press the Add GPG key button to save your changes. You will see that the GPG key has been added to your GitHub account.
7 - Finally, you need to configure the local git settings to sign commits. Go to the repository path on your computer and run the following commands:
git config --local commit.gpgsign true
git config --local user.signingkey YOUR_KEY_ID_HERE
8 - This step is mostly required on macOS. Run export GPG_TTY=$(tty) to allow the passphrase prompt to appear (you can add this line to your ~/.zshrc file so that you don't have to enter it after every restart).
9 - Now you are good to go! Try making a commit; it will ask you for the passphrase of the GPG key you created. On GitHub the commit will carry a Verified label, like the output below.

You can also enforce commit signature verification on your repositories, to make sure that all contributions come from a trusted authority. To do this, enable the following option in the Branch settings of your GitHub repository.
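The branch setting above rejects unsigned pushes going forward, but it says nothing about history that is already on the branch, and "signed" is not the same as "signed by a key we trust". The script below is an added example, not part of the article or of any GitHub feature: it audits a branch from git's own per-commit signature status (the %G? and %GK placeholders of git log, which are real git pretty-format codes) against an allowlist of key IDs. The sample log lines are constructed; only the key ID 5BF8B141D9B03F0A comes from the article, and the hashes, other key IDs and author names are invented.

```python
import subprocess
from collections import Counter

# `git log` output format: commit hash, %G? signature status, %GK signing key id, author,
# separated by tabs (%x09). This is git's real pretty-format syntax; run_git_log() uses it
# on a checkout. Verification needs gpg and the signers' public keys in the local keyring.
LOG_FORMAT = "%H%x09%G?%x09%GK%x09%an"

# Meaning of the %G? codes, as documented in `git help log`.
STATUS = {
    "G": "good",               # valid signature
    "U": "good",               # valid signature, key of unknown validity in gpg's trust db
    "B": "bad",                # bad signature: content changed after signing
    "X": "expired-signature",  # valid signature that has expired
    "Y": "expired-key",        # valid signature made by an expired key
    "R": "revoked-key",        # valid signature made by a revoked key
    "E": "unverifiable",       # cannot be checked, e.g. public key missing from keyring
    "N": "unsigned",           # no signature at all
}

# Constructed sample log output (tab separated, matching LOG_FORMAT).
SAMPLE_LOG = (
    "a1b2c3d4e5f60718293a4b5c6d7e8f9012345678\tG\t5BF8B141D9B03F0A\tAlice\n"
    "b2c3d4e5f60718293a4b5c6d7e8f901234567890\tN\t\tBob\n"
    "c3d4e5f60718293a4b5c6d7e8f90123456789012\tG\tDEADBEEFCAFEF00D\tAlice\n"
    "d4e5f60718293a4b5c6d7e8f9012345678901234\tE\t0123456789ABCDEF\tCarol\n"
    "e5f60718293a4b5c6d7e8f901234567890123456\tB\t5BF8B141D9B03F0A\tAlice\n"
)


def run_git_log(repo_path: str, rev_range: str = "HEAD") -> str:
    """Collect real log lines from a repository (requires git and gpg on the machine)."""
    return subprocess.run(
        ["git", "-C", repo_path, "log", f"--format={LOG_FORMAT}", rev_range],
        check=True, capture_output=True, text=True,
    ).stdout


def audit(log_text: str, trusted_keys: set[str]) -> list[tuple[str, str, str]]:
    """Return (short hash, verdict, author) per commit.

    A commit is 'trusted' only when gpg reports a valid signature AND the signing key
    is in the allowlist. A valid signature from an unlisted key gets its own verdict:
    anyone can register a key and sign, so the allowlist is what carries the trust.
    """
    results = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        sha, code, key, author = line.split("\t")
        status = STATUS.get(code, "unknown-status")
        if status == "good":
            verdict = "trusted" if key.upper() in trusted_keys else "signed-by-unknown-key"
        else:
            verdict = status
        results.append((sha[:12], verdict, author))
    return results


def offending(results: list[tuple[str, str, str]]) -> list[str]:
    """Short hashes of commits that would fail a 'signed by a trusted key' policy."""
    return [sha for sha, verdict, _ in results if verdict != "trusted"]


def summarize(results: list[tuple[str, str, str]]) -> dict[str, int]:
    """Count commits per verdict, e.g. for a CI summary line."""
    return dict(Counter(verdict for _, verdict, _ in results))


if __name__ == "__main__":
    report = audit(SAMPLE_LOG, {"5BF8B141D9B03F0A"})
    for sha, verdict, author in report:
        print(f"{sha}  {verdict:22}  {author}")
    print(summarize(report))
```

In a CI job you would feed run_git_log(".", "origin/main..HEAD") into audit() and fail the job when offending() is non-empty; the E (unverifiable) case is the usual false alarm and simply means the reviewer's keyring lacks that contributor's public key.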

If you are interested in learning more about commit signature verification on GitHub, check the official GitHub documentation.