@PsKs
Forked from Fastidious/github_gpg_key.md
Last active January 19, 2022 23:39
[Signing commits using GPG (Ubuntu/Mac)] To use on GitHub, or any other git repository.

Signing commits using GPG (Ubuntu/Mac)

  • Do you have a GitHub account? If not, create one.
  • Install the required tools:
  • The latest Git client.
  • gpg tools.
# Ubuntu
sudo apt-get install gpa seahorse
# Mac
brew install gpg
brew install pinentry-mac
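# Make sure the GnuPG home directory exists, then point gpg-agent at the
# pinentry-mac binary Homebrew installed (the path differs between Intel and Apple Silicon Macs)
mkdir -p -m 700 ~/.gnupg
echo "pinentry-program $(which pinentry-mac)" >> ~/.gnupg/gpg-agent.conf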
  • Generate a new gpg key
gpg --default-new-key-algo rsa4096 --gen-key
  • Answer the questions asked

Note: When asked to enter your email address, ensure that you enter the verified email address for your GitHub account.

  • List the generated key
gpg --list-secret-keys --keyid-format LONG
  • The command above should return output like this:
/Users/username/.gnupg/pubring.kbx
-------------------------------
sec   rsa4096/<COPY_LONG_KEY> 2018-08-17 [SC] [expires: 2020-08-16]
      XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
uid                 [ultimate] Pongsakorn S. (Github GPG) <[email protected]>
ssb   rsa4096/XXXXXXXXXXXXXXXX 2018-08-17 [E] [expires: 2020-08-16]


  • Note down your key ID (shown as COPY_LONG_KEY above)
  • Export this (public) key
gpg --armor --export <PASTE_LONG_KEY_HERE>
  • Copy your GPG key

  • Add this key to GitHub

  • Log in to GitHub and go to your profile settings

  • Click New GPG Key and paste the key, beginning with -----BEGIN PGP PUBLIC KEY BLOCK----- and ending with -----END PGP PUBLIC KEY BLOCK-----

  • Tell the git client to automatically sign your future commits

  • Run this command

gpg --list-keys
  • The command above should return output like this:
/home/username/.gnupg/pubring.gpg
-------------------------------
pub   4096R/<COPY_SHORT_KEY> 2016-08-11 [expires: 2018-08-11]
uid                  Your Name <[email protected]>
sub   4096R/EB61969F 2016-08-11 [expires: 2017-08-11]
  • Copy the short key from above and use this in command below
git config --global user.signingKey <PASTE_SHORT_KEY_HERE>
git config --global gpg.program $(which gpg)
git config --global commit.gpgsign true
git config --global tag.gpgsign true
git config --global tag.forceSignAnnotated true
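# Append the GPG_TTY export to ~/.bash_profile if it exists, otherwise to ~/.profile
if [ -r ~/.bash_profile ]; then
  echo 'export GPG_TTY=$(tty)' >> ~/.bash_profile
else
  echo 'export GPG_TTY=$(tty)' >> ~/.profile
fi

Note: If you don't have .bash_profile, this command adds the GPG_TTY export to .profile.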

  • You are done. The next time you commit changes, gpg will ask for your passphrase.
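
The steps above copy a key ID by hand from the gpg listing, and GitHub only marks a commit as verified when the key carries the committer's email address. As an added example (not part of the original gist), the function below picks the full fingerprint of a usable signing key for a given email from gpg's machine-readable --with-colons listing. The names signing_fpr and sample_listing and the sample listing itself are constructed for illustration.

```shell
#!/bin/sh
# signing_fpr EMAIL [NOW]: read `gpg --with-colons` output on stdin and print
# the fingerprint of every primary key that can sign, is not expired, revoked
# or disabled, and has a user ID for EMAIL. NOW (epoch seconds) defaults to
# the current time. Assumes GnuPG 2.x, which prints expiry as epoch seconds.
# Real use:
#   gpg --list-secret-keys --with-colons | signing_fpr "$(git config user.email)"
signing_fpr() {
    awk -F: -v email="$1" -v now="${2:-$(date +%s)}" '
        function emit() {
            if (fpr != "" && usable && uid_ok) print fpr
            fpr = ""; usable = 0; uid_ok = 0; want_fpr = 0
        }
        $1 == "sec" || $1 == "pub" {
            emit()
            # $2 validity (e/r = expired/revoked), $7 expiry, $12 capabilities
            usable = ($2 !~ /^[er]$/ && ($7 == "" || $7 + 0 > now + 0) &&
                      $12 ~ /[sS]/ && $12 !~ /D/)
            want_fpr = 1; next
        }
        # Only the first fpr record after sec/pub is the primary fingerprint;
        # later fpr records belong to subkeys.
        $1 == "fpr" && want_fpr { fpr = $10; want_fpr = 0; next }
        $1 == "uid" && $2 !~ /^[er]$/ &&
            index(tolower($10), "<" tolower(email) ">") { uid_ok = 1 }
        END { emit() }
    '
}

# Constructed listing: an expired key and a current key for dev@example.com,
# plus a non-expiring key for another address.
sample_listing() {
    cat <<'EOF'
sec:e:4096:1:89ABCDEF01234567:1534464000:1597536000::u:::sc:::+:::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:e::::1534464000::0000::Dev Example (Github GPG) <dev@example.com>::::::::::0:
sec:u:4096:1:0123456789ABCDEF:1640000000:2000000000::u:::scESC:::+:::23::0:
fpr:::::::::89ABCDEF0123456789ABCDEF0123456789ABCDEF:
uid:u::::1640000000::0000::Dev Example <Dev@Example.com>::::::::::0:
ssb:u:4096:1:FEDCBA9876543210:1640000000:2000000000:::::e:::+:::23:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
sec:u:4096:1:1111111111111111:1640000000:::u:::scESC:::+:::23::0:
fpr:::::::::1111111111111111111111111111111111111111:
uid:u::::1640000000::0000::Someone Else <other@example.com>::::::::::0:
EOF
}

sample_listing | signing_fpr dev@example.com 1700000000
```

An empty result means no usable signing key matches that email, which is the usual reason GitHub shows a signed commit as unverified.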

Make gpg remember your passphrase (tricky)

To make gpg remember your passphrase, you can use gpg-agent.

Edit your ~/.gnupg/gpg-agent.conf file and paste these lines:

default-cache-ttl 28800
max-cache-ttl 28800

28800 seconds means 8 hours.

If gpg-agent is not running, you can start it with this command:

gpg-agent --daemon

Change your key passphrase

gpg --edit-key <PASTE_YOUR_KEY_ID_HERE>

At the gpg prompt type:

passwd

Type in the current passphrase when prompted
Type in the new passphrase twice when prompted
Type:

save
