Skip to content

Instantly share code, notes, and snippets.

@alcaeus

alcaeus/README.md

Last active April 19, 2021 14:26
Show Gist options
  • Save alcaeus/26b53192cfd1eca5419d662ab3044af0 to your computer and use it in GitHub Desktop.
Save alcaeus/26b53192cfd1eca5419d662ab3044af0 to your computer and use it in GitHub Desktop.
Download ZIP
Enable GPG for git commits
Raw
README.md

Enable GPG for git commits

Generate a key

  1. Install gpg and gpg-agent: brew install gpg gpg-agent
  2. Generate a new key: run gpg --gen-key and follow the instructions
  3. Write down the ID of the key. To do this, run gpg --list-keys. The output will look like this:
pub   4096R/E9468C9A 2016-04-20 [expires: 2016-07-19]
uid                  Andreas B. <[email protected]>
sub   4096R/D9035C79 2016-04-20 [expires: 2016-07-19]

In this case, the key is E9468C9A. I'll refer to this as <id>.

Tell others abour your key

  1. Add keyserver hkp://ipv4.pool.sks-keyservers.net (optional; you may want to use another key server). Note: on MacOS, you may get a No route to host error if you don't choose an IPv4 server.
  2. Send your key to a key server: gpg --send-keys <id>
  3. Export the key for use on GitHub: gpg --armor --export <id>
  4. Copy the block and paste it in your settings. For more information, see the official GitHub help page.
  5. Tell git to use this key: git config --global user.signingkey <id>

Sign commits

git is now configured to sign tags or commits. There are multiple options now:

  • To sign a commit, now run git commit -S.
  • To turn on commit signatures in a single repository, run git config commit.gpgsign true
  • To turn on commit signatures for all repositories, run git config --global commit.gpgsign true

Verifying commits

First you need to receive and trust your team members keys.

  1. Get their public key ID and fetch the key: gpg --recv-key <id>
  2. You might have to trust this key. To find out more about trusting keys, read the corresponding manual page.

Key signing

Sign somebody elses key

You need to receive and trust their key. Make sure you have verified it is their key before continuing!

  1. Sign their key. Run gpg --sign-key --ask-cert-level <id>. Answer the questions appropriately.
  2. Export the new signature and encrypt it: gpg -a --export <id> | gpg -a -e -r <id> -o "<id>_signed.asc"
  3. Send them the signature
  4. Delete their key from your keyring and reimport it: gpg --delete-key <id> followed by gpg --recv-key <id>

Importing and publishing a signature you received

  1. Run gpg -d <id>_signed.asc | gpg --import to import it
  2. Send the key to your default keyserver: gpg --send-key <id>

Read https://www.phildev.net/pgp/gpgsigning.html.

Extending your key when it expires

  1. Edit your key. Run gpg --edit-key <id>.
  2. Run expire and answer the questions
  3. Select the first subkey using key 1 and run expire again
  4. Run quit to exit edit mode
  5. Send your key to the keyserver: gpg --send-keys <id>.
@gruberro
Copy link

Worked like a charm!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment