GitHub GPG verification set-up macOS

gpg-agent.conf

# ~/.gnupg/gpg-agent.conf
#
# Connects gpg-agent to the OSX keychain via the brew-installed
# pinentry program from GPGtools. This is the OSX 'magic sauce',
# allowing the gpg key's passphrase to be stored in the login
# keychain, enabling automatic key signing.
pinentry-program /usr/local/bin/pinentry-mac

steps.txt

# based on steps at:
#   https://dev.to/wes/how2-using-gpg-on-macos-without-gpgtools-428f
#

brew install gpg2 pinentry-mac

# get the correct path for pinentry
which pinentry-mac

# add GPG agent conf to ~/.gnupg/gpg-agent.conf
echo 'pinentry-program <PINENTRY PATH>' > ~/.gnupg/gpg-agent.conf

# kill the gpg agent (VERY IMPORTANT!)
gpgconf --kill gpg-agent

# if no key yet, use at least 4096 length,
# match name and email to github account and
# enter passphrase and save to password manager
# (1password/keychain). If key already exists
# skip this step.
gpg --full-generate-key

# find the key id
gpg --list-secret-keys --keyid-format LONG
# (will be line matching: `sec   rsa4096/<KEY ID> 1970-01-01 [SC]`)

# generate public key
gpg --armor -export <KEY ID>
# add to github > settings > ssh and gpg keys

# configure git to use signing
git config --global user.signingkey <KEY ID>
git config --global commit.gpgsign true

# enter passphrase on first commit (probably best to use git CLI for this)