More Info:

GitHub GPG keys are used to cryptographically sign code commits and should be rotated every 180 days.

Risk Level

High

Address

Security

Compliance Standards

Remediation

Using Console

To remediate GPG Keys rotations for GitHub using the GitHub console, please follow the below steps:
  1. Login to your GitHub account and navigate to the repository where the GPG key rotation needs to be performed.
  2. Click on the “Settings” tab on the right-hand side of the repository.
  3. In the settings menu, select “Secrets” from the left-hand side navigation menu.
  4. Click on the “New repository secret” button to create a new secret.
  5. In the “Name” field, type “GPG_PRIVATE_KEY” and in the “Value” field, paste your GPG private key.
  6. Click on the “Add secret” button to save the new secret.
  7. Next, you need to update your workflows to use the new GPG key. To do this, navigate to the “.github/workflows” directory in your repository.
  8. Open the workflow file that needs to be updated and add the following lines at the beginning of the file: 
env:
  GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
  1. Save the workflow file and commit the changes to your repository.
  2. Your GPG key rotation is now complete and your workflows will use the new GPG key for signing commits and tags.
Note: It’s important to keep your GPG key secure and rotate it regularly to ensure the security of your code.

Using CLI

To remediate the GPG Keys rotation issue for GitHub using GitHub CLI, follow these steps:
  1. Open your terminal and ensure that you have the latest version of GitHub CLI installed.
  2. Login to your GitHub account using the command: 
    gh auth login
  3. Once you are logged in, navigate to the repository where you want to remediate the GPG Keys rotation issue.
  4. Generate a new GPG key using the command: 
    gpg --full-generate-key
    Follow the prompts to create a new GPG key. Make sure to use the same email address associated with your GitHub account.
  5. List your GPG keys using the command: 
    gpg --list-secret-keys --keyid-format LONG
    This will display a list of your GPG keys, including the key ID for your new key.
  6. Export your public key using the command: 
    gpg --armor --export <KEY_ID>
    Replace <KEY_ID> with the key ID for your new key.
  7. Copy the output of the command and navigate to your GitHub account settings.
  8. Click on “SSH and GPG keys” and then click “New GPG key”.
  9. Paste the output of the command into the “Key” field and click “Add GPG key”.
  10. Finally, update your Git configuration to use your new GPG key for signing commits using the command: 
    git config --global user.signingkey <KEY_ID>
    Replace <KEY_ID> with the key ID for your new key.
That’s it! You have successfully remediated the GPG Keys rotation issue for GitHub using GitHub CLI.

Using Python

To remediate the GPG Keys rotation misconfiguration for GitHub using Python, you can follow these steps:
  1. Install the PyGithub library, which allows you to interact with the GitHub API using Python. You can install it using pip by running pip install PyGithub.
  2. Create a personal access token in your GitHub account with the admin:public_key scope.
  3. Use the Github class from the PyGithub library to authenticate with your GitHub account using the personal access token. 
from github import Github

access_token = 'your_personal_access_token'
g = Github(access_token)
  1. Get a list of all the GPG keys in your GitHub account using the get_gpg_keys() method of the authenticated Github object.
gpg_keys = g.get_user().get_gpg_keys()
  1. Check the expiration date of each GPG key using the expiration_date attribute of the Github.GPGKey object. If the key has already expired or will expire soon, delete it using the delete() method.
import datetime

for key in gpg_keys:
    if key.expiration_date is not None:
        if key.expiration_date < datetime.datetime.now().date():
            key.delete()
  1. If any keys were deleted, generate a new GPG key using the create_gpg_key() method of the authenticated Github object. You can specify the key type, key length, and expiration date using the key_type, key_length, and expiration_date parameters.
if len(gpg_keys) == 0:
    g.create_gpg_key(key_type='rsa', key_length=4096, expiration_date=datetime.datetime.now().date() + datetime.timedelta(days=365))
  1. Commit and push the changes to your GitHub account using the commit() and push() methods of the Github.Git.Commit object.
repo = g.get_repo('your_repository_name')
branch = repo.get_branch('your_branch_name')
commit = branch.commit
commit.message = 'Updated GPG keys'
commit.author = {'name': 'your_name', 'email': 'your_email'}
commit.committer = {'name': 'your_name', 'email': 'your_email'}
commit.commit()
branch.edit(commit.sha)
These steps will remediate the GPG Keys rotation misconfiguration for GitHub using Python.

Additional Reading: