Mainframe systems, which serve as the backbone for storing critical business data and running essential applications, are celebrated for their reliability. However, the growing demand for stronger security measures highlights the importance of reinforcing these systems with additional layers of defence.
GnuPG (GNU Privacy Guard) is one such cryptographic software suite. Now available in IBM Open Enterprise Foundation on z/OS 1.1.0.4, it provides robust security features, including:
- Data encryption to ensure confidentiality of sensitive information.
- Digital signing to verify the authenticity and integrity of files and communications, including git commits.
- Key management for creating, importing, exporting, and revoking cryptographic keys.
- Support for OpenPGP standards, ensuring compatibility across platforms.
- Secure file sharing by encrypting files for specific recipients.
- Integration capabilities with various tools and workflows to enhance overall security.
On z/OS, GPG complements the existing security features by offering:
- Cross-platform compatibility :
  o Seamlessly integrate encryption processes across diverse platforms.
  o Ensure compatibility when exchanging encrypted files with external systems.
  o Use uniform tools across development, testing, and production environments.
- Open source flexibility :
  o Easily adapt and modify GPG to suit specific workflows.
  o Continuous community updates keep the tool current: newer algorithms, performance improvements, and new use cases such as integration with DevOps pipelines.
- Developer ecosystem and tooling :
  o Key management tools such as gpg-agent and gpgconf offer fine-grained control over how keys are handled.
  o It integrates seamlessly with modern software such as git for signing commits, curl for secure communication, and various DevOps tools for encrypting and signing artifacts.
  o Securely exchange data with teams on other platforms without needing to modify existing workflows.
Most commonly used GPG commands and their practical applications are:
- Generate a key pair :
a. When you need to encrypt or sign files, or communicate securely with others, you need a GPG key pair. Command to generate a new GPG key pair (public and private key):
gpg --full-generate-key
You will be prompted to select key type, key size, and expiration date. Once completed, your key pair will be generated.
- List keys :
a. List all public keys in your keyring:
gpg --list-keys
b. List all secret (private) keys:
gpg --list-secret-keys
- Export keys (Public & Private) :
a. To share your public key with others:
gpg --export -a "your-email@example.com" > public_key.asc
b. To create a backup of your private key in case of system failure:
gpg --export-secret-keys -a "your-email@example.com" > private_key.asc
The exported private key is protected only by its passphrase, so restrict the file's permissions, keep the backup off shared file systems and out of version control, and delete it from the working directory once it has been stored safely.
- Encrypt and decrypt a file :
a. Encrypt a file:
gpg --encrypt --recipient "recipient@example.com" file.txt
b. Decrypt a file:
gpg --decrypt file.txt.gpg > file.txt
- Sign and verify a signed file :
a. Sign a file:
gpg --sign file.txt
b. For a detached signature:
gpg --detach-sign file.txt
This creates file.txt.sig, which can be used to verify the integrity and origin of file.txt.
c. Verify a signed file:
gpg --verify file.txt.sig file.txt
If the signature is valid and the file has not been tampered with, GPG reports a good signature and exits with status 0; any change to file.txt after signing produces a BAD signature and a non-zero exit status, which is what a script should check. Note that "good" only means the signature matches a public key in your keyring: if GPG warns that the key is not certified with a trusted signature, you still have to confirm that the key really belongs to the signer.
Enhancing Repository Security with Signed Git Commits
Configure GitHub with your previously generated public GPG key and use it to sign commits on a server.
a. Add your GPG key to GitHub :
i. Retrieve your public GPG key
gpg --armor --export YOUR_KEY_ID
b. Copy the output and add it to GitHub :
i. Go to GitHub → Settings → SSH and GPG keys
ii. Click New GPG key, paste the key, and save it
c. Configure Git to use your GPG key on the server :
i. git config --global user.signingkey YOUR_KEY_ID
ii. git config --global commit.gpgsign true
This ensures all commits are signed by default
d. Sign a commit and push :
i. Create a signed commit
git commit -S -m "Signed commit"
git push origin main
e. Verify the commit signature :
i. git log --show-signature -1
This verifies the signature locally against the keys in your keyring. On GitHub, the commit shows a Verified badge once the public key has been added to your account and the committer e-mail address matches a user ID on that key.
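The file workflow described earlier (generate a key pair, encrypt and decrypt, detached sign and verify) and the signed-commit procedure above, combined into one script that runs end to end and checks its own results. This is an added example and is not code from the article or from IBM. It assumes gpg 2.1 or later and git are on the PATH, works in a throwaway keyring under a temporary directory so your real keyring is never touched, and the identity "Demo Signer <demo@example.com>", the sample file contents and the repository are constructed for the demonstration. The key is generated with %no-protection so the script needs no prompts; that is acceptable for a disposable test key only, never for a real one.

```shell
#!/bin/sh
# Added example (not from the original article): the article's GPG commands run
# end to end in a throwaway keyring, plus a signed git commit verified locally.
# Assumptions: gpg 2.1+ and git are on PATH; the identity, file contents and
# repository below are constructed for the demonstration.
set -eu

# Create a key pair without prompts (the unattended form of --full-generate-key).
# %no-protection is acceptable only for a throwaway test key; real keys need a passphrase.
# Prints the new primary key's long key ID on stdout.
gen_key() {
    gpg --batch --quiet --gen-key 2>/dev/null <<'EOF'
%no-protection
Key-Type: default
Subkey-Type: default
Name-Real: Demo Signer
Name-Email: demo@example.com
Expire-Date: 0
%commit
EOF
    gpg --batch --with-colons --list-secret-keys | awk -F: '$1 == "sec" { print $5; exit }'
}

# Encrypt file $2 for recipient key $1, decrypt it again, and print the recovered plaintext.
encrypt_decrypt() {
    gpg --batch --quiet --yes --encrypt --recipient "$1" "$2"
    gpg --batch --quiet --yes --output "$2.dec" --decrypt "$2.gpg"
    cat "$2.dec"
}

# Detached-sign $2 with key $1, then report whether $3 verifies against that signature
# (ok/bad). Passing a different file as $3 shows what tampering looks like.
sign_then_verify() {
    gpg --batch --quiet --yes --local-user "$1" --detach-sign "$2"
    if gpg --batch --quiet --verify "$2.sig" "$3" 2>/dev/null; then echo ok; else echo bad; fi
}

# Make one signed commit in a fresh repository at $2 and print git's signature status
# code: G = good and trusted, U = good but untrusted key, B = bad, N = unsigned.
# Runs in a subshell so the cd does not leak into the caller.
signed_commit_status() (
    git init -q "$2"
    cd "$2"
    git config user.name "Demo Signer"
    git config user.email "demo@example.com"   # must match a key UID for GitHub to show Verified
    git config user.signingkey "$1"
    git config commit.gpgsign true             # every commit is signed from now on
    echo "hello" > README
    git add README
    git commit -q -m "Signed commit"           # same as git commit -S once gpgsign is true
    git verify-commit HEAD 2>/dev/null         # exits non-zero on a bad or missing signature
    git log -1 --format=%G?
)

# Run everything in an isolated GNUPGHOME and print a one-line summary.
demo() {
    work=$(mktemp -d)
    GNUPGHOME="$work/gnupg"
    export GNUPGHOME
    mkdir -m 700 "$GNUPGHOME"
    keyid=$(gen_key)
    printf 'payroll run 42\n' > "$work/file.txt"       # constructed sample data
    printf 'payroll run 43\n' > "$work/tampered.txt"   # one digit changed after signing
    plain=$(encrypt_decrypt "$keyid" "$work/file.txt")
    good=$(sign_then_verify "$keyid" "$work/file.txt" "$work/file.txt")
    tampered=$(sign_then_verify "$keyid" "$work/file.txt" "$work/tampered.txt")
    commit=$(signed_commit_status "$keyid" "$work/repo")
    gpgconf --kill gpg-agent 2>/dev/null || true       # stop the agent started for this keyring
    rm -rf "$work"
    printf 'decrypted=%s signature=%s tampered=%s commit=%s\n' "$plain" "$good" "$tampered" "$commit"
}

if command -v gpg >/dev/null 2>&1 && command -v git >/dev/null 2>&1; then
    demo
else
    echo "gpg and git are required for this demonstration" >&2
fi
```

Run it with sh and it prints decrypted=payroll run 42 signature=ok tampered=bad commit=G: the plaintext survives the encrypt/decrypt round trip, the detached signature verifies against the original file and fails against the file with one digit changed, and git reports the commit signature as good from a trusted key. Two details worth copying into real scripts: --output is used instead of shell redirection so a failed decrypt does not leave a half-written or empty file behind, and the exit status of gpg --verify (and git verify-commit) is what the script branches on, not text scraped from the output.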
These are just a few of the generally used workflows. Other use cases include signing and verifying container images, and securing software distribution—critical in modern development workflows.