Skip to content

Instantly share code, notes, and snippets.

@RichardoC

RichardoC/github-gpg-key-with-private-email.md

Forked from nitrocode/github-gpg-key-with-private-email.md
Last active August 8, 2024 10:36
Show Gist options
  • Save RichardoC/d53f421ed5be6822d586abe327577931 to your computer and use it in GitHub Desktop.
Save RichardoC/d53f421ed5be6822d586abe327577931 to your computer and use it in GitHub Desktop.
Download ZIP
Github "Verified" commits using GPG key with private email
Raw
github-gpg-key-with-private-email.md

Github "Verified" commits using GPG key with private email

It's nice to see a Verified message next to each commit for peace of mind.

Using GPG or S/MIME, you can sign tags and commits locally. These tags or commits are marked as verified on GitHub so other people can be confident that the changes come from a trusted source.

  1. Install latest gpg

    If using a mac use homebrew

    brew install gpg

    Verify version is greater than 2.1

    $ gpg --version
gpg (GnuPG) 2.3.6

  2. Create configuration file to cache creds

    mkdir -p ~/.gnupg
cat <<EOF > ~/.gnupg/gpg-agent.conf
default-cache-ttl 34560000
max-cache-ttl 34560000
EOF

    Restart gpg-agent

    # This kills the agent
gpgconf --kill gpg-agent
# This starts it but may not be needed. After 2.1, the agent should automatically start when the gpg command is run.
gpg-agent --daemon

  3. Create a key with a passphrase. Store the passphrase in password manager.

    gpg --full-generate-key

    Use the defaults.

    • For the real name use your username.
    • For the email use the <username>@users.noreply.github.com - This is on the settings page.
    • For the comment use GitHub key.

  4. Set the user.email used for the GPG key.

    git config --global user.email <username>@users.noreply.github.com

  5. Store the GPG key ID.

    GPG_KEY=$(gpg --list-secret-keys --keyid-format=long | grep users.noreply.github.com -B3 | grep sec | cut -d'/' -f2 | cut -d' ' -f1)

  6. Export the key. copy into Github.

    gpg --armor --export $GPG_KEY

  7. Copy key into Github. Verify that the email shows up in Github once the GPG key is added.

    The gh command can be used

    gh gpg-key add [<key-file>]

    Set the following global configs

    # Use signing key
git config --global user.signingkey $GPG_KEY
# Use gpg binary
git config --global gpg.program gpg
# Always sign commits
git config --global commit.gpgsign true

  8. Run this locally and add this to the shell profile to get the gpg passphrase prompt

    export GPG_TTY=$(tty)

  9. Force the passphrase prompt and enter the passphrase.

    echo "test" | gpg --clearsign

  10. Navigate to a repo, change something, add a commit.

  11. Check to see if your commit has been signed correctly.

    git log --show-signature -1

    The above should return a Good signature from gpg

    commit a47d1b8d8e6d44acdd4b3840fb49403b0646871e (HEAD -> example, origin/example)
gpg: Signature made Wed Oct 19 08:12:02 2022 CDT
gpg:                using EDDSA key 59A0ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
gpg: Good signature from "example-user (Github key) <[email protected]>" [ultimate]
Author: example-user <[email protected]>
Date:   Wed Oct 19 08:12:02 2022 -0500

  12. Push up your changes and check to see a "Verified" next to your new commit.

References

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment