@krider2010
Last active November 29, 2017 06:13
Git Signed Commits - OSX and GUIs
# This would go into .bash_profile, .bashrc, .zshrc, etc.
# Script to start the gpg-agent - in its own file as it is also used when the machine starts up
# Be sure to update the path to wherever you place this file (it must be the same script the LaunchAgent plist points at)!
# Note, depending on shell you may not need this line enabling, if the global daemon is already running
# OK. Some shells complain, others don't!
~/bin/startup-gpg-agent.sh
# GPG - pick up the socket/pid the start script recorded with --write-env-file.
# The path must match the one the start script writes to.
if [ -f "${HOME}/.gnupg/.gpg-agent-info" ]; then
    . "${HOME}/.gnupg/.gpg-agent-info"
    export GPG_AGENT_INFO
    export SSH_AUTH_SOCK
fi
GPG_TTY=$(tty)
export GPG_TTY
# ~/.gnupg/gpg-agent.conf
use-standard-socket
pinentry-program /usr/local/bin/pinentry-mac
enable-ssh-support
# ~/.gnupg/gpg.conf
use-agent
no-tty
# These steps were used to get everything working (eventually ;) )
# 1) Install the dependencies
brew install gnupg gpg-agent pinentry-mac
brew install gpg2 gnupg21 # Optional depending on needs, gpg2 works best with the gpg-agent on current latest OSX/Brew
# 2) Generate a GPG key, if you don't already have one, and add it to your GitHub (or Bitbucket, GitLab, etc.) accounts
# https://help.github.com/articles/generating-a-new-gpg-key/
# Remember the public eight character GPG key id as you need it in the next step
# 3) Configure git to automatically sign commits
git config --global user.signingkey <YOUR-SIGNING-KEY-PUB-ID>
git config --global commit.gpgsign true # ONLY DO THIS IF YOU WANT TO SIGN ALL COMMITS
git config --global gpg.program /usr/local/bin/gpg
# Or if you are using gpg2 and don't want to use /usr/local/bin/gpg as a symlink to /usr/local/bin/gpg2
# git config --global gpg.program /usr/local/bin/gpg2
# 4) If you just want to sign specific repositories, then edit each repository's .git/config to include the following
[commit]
	gpgsign = true
# 5) Configure the GPG components using the files in this gist (at least add those lines)
# ~/.gnupg/gpg.conf
# ~/.gnupg/gpg-agent.conf
# 6) Create the agent start script (see elsewhere in this gist) and be sure to make it executable. Edit your profile (see elsewhere in this gist) to include it.
# Also copy the plist into ~/Library/LaunchAgents/org.gnupg.gpg-agent.plist so the OS can start it in future.
# 7) Start the daemon to test signing. It will be fine to do this in your shell initially.
# Also comment out `no-tty` in gpg.conf to get the password saved.
# Just source the appropriate .profile/.bashrc/etc file.
# Make a change to the repo and add it. Try to commit.
# All being well the commit should prompt you for password entry via pinentry-mac, and you can save this to your keychain.
# 8) Ensure `no-tty` is put back into gpg.conf once things are working (it was commented out in step 7)
# 9) Run a GUI tool (and make a change to the repo) using `open -a "Name of app"`.
# e.g. open -a "Tower"
# This runs the app using your current shell environment and will allow you to test Tower (or GitHub, or others)
# 10) If all this works, then a reboot should have the gpg-agent daemon started automatically and be available to GUI
# apps. You can now sign commits as if it were a plain commit :thumbsup:
# Thanks to https://gist.github.com/sindresorhus/98add7be608fad6b5376a895e5a59972 for initial guidance, and various other web
# sites for dealing with launchctl, environments, and most of all Sam at Tower Support for guiding me down the right path.
# Tower: https://www.git-tower.com/
# NB: My key expires, so once that happens I will have to set things up for the new key, and use a tty/pinentry to get
# the new password cached into the keychain. You will have to do the same if your key expires.
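Steps 7 and 10 end with "the commit should prompt you" and "you can now sign commits", but nothing above checks that the resulting commits actually carry a good signature. The following shell example is added here and is not part of krider2010's gist: it audits the signature status of commits using git's own `%G?` status codes and the `%GK` signing-key placeholder of `git log --format`. The function names (`classify_status`, `audit_signatures`, `count_problems`, `audit_repo`) are mine, and the sample log is constructed, not output from a real repository.

```shell
#!/bin/sh
# Added example: audit the signature status of commits so that "signing is on"
# is verified rather than assumed. Status letters are git's own %G? codes.

# Map a %G? code to a readable label.
classify_status() {
  case "$1" in
    G) echo "good" ;;
    U) echo "good-untrusted-key" ;;
    X) echo "good-expired-sig" ;;
    Y) echo "good-expired-key" ;;
    R) echo "good-revoked-key" ;;
    B) echo "BAD-signature" ;;
    E) echo "unverifiable" ;;
    N) echo "unsigned" ;;
    *) echo "unknown" ;;
  esac
}

# Read "<hash> <status> [<keyid>]" lines on stdin (the shape of
# `git log --format='%H %G? %GK'`), print one line per commit and a final
# PROBLEMS=<n> count of commits that are not good (G) or good-but-untrusted (U).
audit_signatures() {
  problems=0
  while read -r hash status keyid; do
    [ -n "$hash" ] || continue
    case "$status" in
      G|U) ;;
      *) problems=$((problems + 1)) ;;
    esac
    printf '%.12s %-20s %s\n' "$hash" "$(classify_status "$status")" "${keyid:--}"
  done
  echo "PROBLEMS=$problems"
}

# Same input; prints only the problem count (handy for a pre-push or CI check).
count_problems() {
  audit_signatures | sed -n 's/^PROBLEMS=//p'
}

# Live use: audit the last N commits of the current repository (default 20).
audit_repo() {
  git log -n "${1:-20}" --format='%H %G? %GK' | audit_signatures
}

# Constructed sample (not output from a real repository): one good commit,
# one unsigned, one whose key is not in the keyring, one with a bad signature.
SAMPLE_LOG='0123456789abcdef0123456789abcdef01234567 G 0123456789ABCDEF
89abcdef0123456789abcdef0123456789abcdef N
fedcba9876543210fedcba9876543210fedcba98 E 89ABCDEF01234567
0011223344556677889900112233445566778899 B 0123456789ABCDEF'
```

Run `audit_repo` inside a repository after step 7 (terminal) and again after step 9 (a commit made from the GUI app): a commit made while the GUI could not reach the agent shows up as `unsigned`, and a commit signed with a key that is not in your keyring shows up as `unverifiable`, which is the difference between "signing is configured" and "signatures can be checked".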
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<!-- This needs to be placed at ~/Library/LaunchAgents/org.gnupg.gpg-agent.plist -->
<plist version="1.0">
  <dict>
    <key>Label</key>
    <string>org.gnupg.gpg-agent</string>
    <key>ProgramArguments</key>
    <array>
      <!-- Be sure to set this path correctly! It must be the same start script your shell profile runs. -->
      <string>/Users/yourusername/bin/start-gpg-agent.sh</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
  </dict>
</plist>
#!/bin/bash
# Agent start script: run by the shell profile and by the LaunchAgent plist, so the
# same GPG_AGENT_INFO reaches both terminal sessions and GUI apps.
# Ensure that gpg can find the agent when needed
if [ -f ~/.gnupg/.gpg-agent-info ] && [ -n "$(pgrep gpg-agent)" ]; then
    source ~/.gnupg/.gpg-agent-info
    export GPG_AGENT_INFO
else
    # --write-env-file is a GnuPG 2.0 option (2.1 dropped it together with GPG_AGENT_INFO)
    eval "$(gpg-agent --daemon --write-env-file ~/.gnupg/.gpg-agent-info)"
fi
# This line is important for GUI tools to also find it
launchctl setenv GPG_AGENT_INFO "$GPG_AGENT_INFO"
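The failure mode this start script and the profile snippet guard against is a stale or missing `GPG_AGENT_INFO`: the shell may hold one value while launchd (and therefore every GUI app) holds another or none, so signing works in Terminal and fails in Tower. The shell example below is added here and is not part of krider2010's gist; it checks the env file the start script writes and compares the shell's view with launchd's. It assumes the GnuPG 2.0 `socket-path:pid:protocol-version` format that `--write-env-file` records; the function names are mine and the sample value is constructed.

```shell
#!/bin/sh
# Added example: sanity checks for the GPG_AGENT_INFO handoff from the start
# script to the shell and to launchd (GUI apps). Assumes GnuPG 2.0's format
#   <socket path>:<agent pid>:<protocol version>

# First field: the agent's Unix socket path.
agent_socket_path() { printf '%s\n' "${1%%:*}"; }

# Second field: the agent's pid.
agent_pid() { rest="${1#*:}"; printf '%s\n' "${rest%%:*}"; }

# Exit 0 if the agent described by $1 looks usable (socket present, pid alive),
# 1 if the agent is gone (stale env file), 2 if the value is malformed.
check_agent_info() {
  info="$1"
  sock=$(agent_socket_path "$info")
  pid=$(agent_pid "$info")
  case "$pid" in
    ''|*[!0-9]*) echo "malformed GPG_AGENT_INFO: '$info'"; return 2 ;;
  esac
  if [ ! -S "$sock" ]; then
    echo "agent socket missing: $sock (stale env file? re-run the start script)"
    return 1
  fi
  if ! kill -0 "$pid" 2>/dev/null; then
    echo "agent pid $pid is not running (stale env file? re-run the start script)"
    return 1
  fi
  echo "agent OK: $sock (pid $pid)"
}

# Live use: check the env file the start script writes (default path from the gist).
check_agent_env_file() {
  file="${1:-$HOME/.gnupg/.gpg-agent-info}"
  [ -f "$file" ] || { echo "no env file at $file; run the start script first"; return 1; }
  check_agent_info "$(sed -n 's/^GPG_AGENT_INFO=//p' "$file")"
}

# Live use on macOS: GUI apps inherit launchd's environment, not your shell's,
# so the two must agree or signing works in Terminal but not in the GUI.
compare_launchd_env() {
  command -v launchctl >/dev/null 2>&1 || { echo "launchctl not available (not macOS)"; return 3; }
  shell_val="${GPG_AGENT_INFO:-}"
  launchd_val="$(launchctl getenv GPG_AGENT_INFO)"
  if [ -z "$launchd_val" ]; then
    echo "launchd has no GPG_AGENT_INFO: GUI apps will not find the agent"
    return 1
  elif [ "$shell_val" != "$launchd_val" ]; then
    echo "mismatch: shell='$shell_val' launchd='$launchd_val'"
    return 1
  fi
  echo "shell and launchd agree: $launchd_val"
}

# Constructed sample value (not from a real machine) for an offline check.
SAMPLE_AGENT_INFO='/tmp/example-gpg/S.gpg-agent:4242:1'
```

Run `check_agent_env_file && compare_launchd_env` in the shell before step 9: a non-zero exit tells you whether the env file is stale (agent restarted, pid or socket gone) or whether launchd never received the value, which is the case when the plist path does not point at the executable start script.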