Skip to content

Instantly share code, notes, and snippets.

@danieleggert
Last active October 27, 2024 11:07
Show Gist options
  • Save danieleggert/b029d44d4a54b328c0bac65d46ba4c65 to your computer and use it in GitHub Desktop.
Save danieleggert/b029d44d4a54b328c0bac65d46ba4c65 to your computer and use it in GitHub Desktop.
How to set up git to use the GPG Suite

GPG and git on macOS

Setup

No need for homebrew or anything like that. Works with https://www.git-tower.com and the command line.

  1. Install https://gpgtools.org -- I'd suggest to do a customized install and deselect GPGMail.
  2. Create or import a key -- see below for https://keybase.io
  3. Run gpg --list-secret-keys and look for sec, use the key ID for the next step
  4. Configure git to use GPG -- replace the key with the one from gpg --list-secret-keys
git config --global gpg.program /usr/local/MacGPG2/bin/gpg2
git config --global user.signingkey A6B167E1 
git config --global commit.gpgsign true 
  1. Optionally configure annotated tags to be GPG signed
git config --global tag.forceSignAnnotated true
  1. Add this line to ~/.gnupg/gpg-agent.conf
pinentry-program /usr/local/MacGPG2/libexec/pinentry-mac.app/Contents/MacOS/pinentry-mac
  1. Add this line to ~/.gnupg/gpg.conf
no-tty

Keybase.io

Import key to GPG on another host

% keybase pgp export
% keybase pgp export -q CB86A866E870EE00 | gpg --import
% keybase pgp export -q CB86A866E870EE00 --secret | gpg --allow-secret-key-import --import

Add public GPG key to GitHub

% open https://github.com/settings/keys
% keybase pgp export -q CB86A866E440EE00 | pbcopy

See Also

@nhooyr
Copy link

nhooyr commented Aug 8, 2016

why not just /usr/local/bin/pinentry-mac? And why which gpg? I think gpg on its own should suffice.

@osteslag
Copy link

osteslag commented Aug 8, 2016

why not just /usr/local/bin/pinentry-mac?

Because it’s not guaranteed to be there (it not on my set up, for example). /usr/local/MacGPG2/bin/gpg2 is guaranteed, because it’s in the GPG Suite app bundle which this whole Gist is centered around.

I think gpg on its own should suffice.

Only if /usr/local/MacGPG2/bin is in your search path (try echo $PATH in the Terminal) and there is no other gpg under an earlier search path. The GPG Suite installer seems to append the search path. But in Max’ and my case, it fails due to another gpg being installed as well (/usr/local/bin/ in my case).

By using the fully qualified executable path, it just works.

Copy link

ghost commented Aug 19, 2016

I'd tried following the @mbhatfield steps before and never got things quite right. This approach was much easier though I did need to incorporate the changes suggested by @osteslag. Thanks for putting this together!

@RichardBronosky
Copy link

Are you guys seriously living without homebrew? Why would you do that to yourself?

@danieleggert
Copy link
Author

@osteslag I’ve changed the line for gpg.program

@danieleggert
Copy link
Author

@RichardBronosky I’d never install homebrew on my system. It messes up my system. It adds a slew of security problems.

@shreyasminocha
Copy link

@danieleggert What security issues does homebrew open up?

@diego898
Copy link

For some reason this isn't working for me - I still get the:

error: gpg failed to sign the data
fatal: failed to write commit object

after trying to commit with auto-sign

@shal
Copy link

shal commented Jan 2, 2018

Thank you soooo much!

@LondonAppDev
Copy link

Excellent thank you!

@mu-hun
Copy link

mu-hun commented Mar 16, 2018

thank you :D

@KIVagant
Copy link

KIVagant commented May 3, 2018

Thanks

@ossareh
Copy link

ossareh commented May 9, 2018

@shreyasminocha if you use homebrew brew cask install gpg-suite will give you the same setup as installing the software from the site. In which case these steps work perfectly.

Thanks @danieleggert and @osteslag

@sarkis
Copy link

sarkis commented Jun 13, 2018

For anyone else having this issue after following the directions:

error: gpg failed to sign the data
fatal: failed to write commit object

You need to remember to restart the gpg-agent - running this will kill the agent and start next time it is needed:

$ gpgconf --kill gpg-agent

@mverleg
Copy link

mverleg commented Aug 4, 2018

@sarkis Thanks, restarting was the missing step for me

@mrchief
Copy link

mrchief commented Oct 17, 2018

Works like a charm! Thanks!

@tanguyantoine
Copy link

Thank you 👍

@RedHotMan
Copy link

Thanks a lot

@Miltonjacomini
Copy link

👍

@thsaravana
Copy link

@sarkis Thanks for the restart.

@41tair
Copy link

41tair commented Sep 25, 2019

👍

@dteok
Copy link

dteok commented Oct 9, 2019

Initially, brew install gpg. But I had to undo this.
Then I installed gpg as instructed above.
Works perfectly now. Thank you so much!

I wonder though... I never had this problem and I don't know git is complaining about 'cannot run gpg...'.
I remember the only thing I did differently before all these happened was that I configured my dotfiles to change the way my terminal looks -- github.com/mathiasbynens/dotfiles
Can anyone say to have done the same? Because in a new (factory reset) laptop and a fresh installed git I believe you won't run into this problem.

@Patrick-Kladek
Copy link

Thanks very much. This tutorial works flawlessly on 10.15.6 on a fresh install.
Now I can finally commit from Terminal, Fork & Xcode and everything is signed.

@carlocab
Copy link

If you use Homebrew, and prefer a leaner installation (GPG Suite comes with a bunch of tools you don't need), it suffices to run

brew install gpg
brew install pinentry-mac

If you have a standard Homebrew installation, and /usr/local/bin is on your PATH, then the only configuration options you need to do are

git config --global user.signingkey <key>
git config --global commit.gpgsign true

Then the line you need to add to ~/.gnupg/gpg-agent.conf is

pinentry-program /usr/local/bin/pinentry-mac

@henri-edward
Copy link

Those who are struggling after this command --> git config --global gpg.program /usr/local/MacGPG2/bin/gpg2 ,

  1. Try typing which gpg on command line to get the path like this:

/usr/local/bin/gpg

  1. Use output to re-run the command: git config --global gpg.program /usr/local/bin/gpg

@santiagomoneta
Copy link

thanks! works great (macOS big Sur / github desktop 2.6)

@gfortil
Copy link

gfortil commented Aug 11, 2021

gpgconf --kill gpg-agent

This works for me. I completely forgot about restarting it. Thanks :)

@jdsampayo
Copy link

It appears in Homebrew new directory is /opt/homebrew/bin/pinentry-mac

@ZeroDeth
Copy link

2. git config --global gpg.program /usr/local/bin/gpg

Working. Thanks

@rifont
Copy link

rifont commented Sep 17, 2023

If you have already followed the instructions on Git to Generate a new GPG key, and you now want to use GPGTools to manage your key in the keychain, you can use this command to export from gpg (which GnuPG uses) and into gpg2 (which GPGTools uses).

> gpg --list-secret-keys
[keyboxd]
---------
sec   rsa4096 2023-09-16 [SC]
      YOUR_SECRET_KEY_ID
uid           [ unknown] Joe Bloggs <[email protected]>

> gpg --export-secret-key <YOUR_SECRET_KEY_ID> | gpg2 --import

After running command you will see the key imported into GPG Keychain UI with type sec/pub. I was then able to sign commits automatically via pinentry without entering a password (such as on Github Desktop).

source: https://unix.stackexchange.com/questions/481939/how-to-export-a-gpg-private-key-and-public-key-to-a-file

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment