Warning
This is an incomplete work-in-progress document
- Install the GPG command line tool for Mac OS X using `brew install gnupg` or an equivalent. You can install all of GPG Suite, but you don't necessarily need more than the Homebrew package.
- Following the tutorial from GitHub, generate a 4096-bit RSA key (this is probably the default option); use your GDS email address
- For GDS users, if you used a non-GDS email address, change the email on your key to your GDS email
- Export the key in the terminal, using `gpg --export -a <key_id>`
- Copy the key (the whole thing, beginning with `-----BEGIN PGP PUBLIC KEY BLOCK-----` and ending with `-----END PGP PUBLIC KEY BLOCK-----`)
- Add to your GitHub account -> Profile -> Settings -> SSH and GPG keys -> New GPG key
- Set git to sign commits automatically — you’ll be prompted to sign your commits instead of having to use `-S` every time: `git config --global commit.gpgsign true`
- On a new throwaway branch, make an insignificant edit — adding a full-stop to a README.md file or something. It should prompt you for your passphrase.
- Check that your commit was signed, using `git log --show-signature`; your commit should look something like

  ```
  commit fe971081c36839f27b071ce8a86557aaac61cff1
  gpg: Signature made Fri 26 Jan 10:52:45 2024 GMT
  gpg:                using RSA key B5AXXXXXC44341A146ABCA1AE7E7BAA3A4C0345D
  gpg: Good signature from "Owen Blacker <[email protected]>" [ultimate]
  gpg:                 aka "Owen Blacker <[email protected]>" [ultimate]
  Author: Owen Blacker <[email protected]>
  Date:   Thu Jan 25 15:53:33 2024 +0000

      Update triggers to pushes instead of releases
  ```
- Push the change up to GitHub and you'll see the commit shows up as Verified.
- Now you can delete the throwaway branch you committed to.
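
To check a whole range of commits rather than reading `git log --show-signature` by eye, the added example below (not part of the original guide) uses git's `%G?` format placeholder, which prints one status letter per commit. The function names `describe_status`, `report_unverified` and `check_range` are hypothetical.

```shell
#!/bin/sh
# Added example: list commits whose signature is missing or not fully good.
# Input is what `git log --format='%H %G?'` prints: "<hash> <status>".

# Map a %G? status letter to a description.
describe_status() {
    case "$1" in
        G) echo "good signature" ;;
        U) echo "good signature, key validity unknown (not trusted locally)" ;;
        X) echo "good signature, but the signature has expired" ;;
        Y) echo "good signature, made by an expired key" ;;
        R) echo "good signature, made by a revoked key" ;;
        B) echo "bad signature" ;;
        E) echo "signature cannot be checked (public key missing?)" ;;
        N) echo "no signature" ;;
        *) echo "unrecognised status '$1'" ;;
    esac
}

# Read "<hash> <status>" lines on stdin, print every commit that is not
# status G, and return 1 if at least one such commit was seen.
report_unverified() {
    failed=0
    while read -r hash status; do
        [ -n "$hash" ] || continue    # skip blank lines
        if [ "$status" != "G" ]; then
            printf '%s %s: %s\n' "$status" "$hash" "$(describe_status "$status")"
            failed=1
        fi
    done
    return "$failed"
}

# Check commits in the current repository; arguments are passed to git log,
# e.g. `check_range main..HEAD` or `check_range -n 5`.
check_range() {
    git log --format='%H %G?' "$@" | report_unverified
}
```

A commit signed by a colleague whose key you have imported but not marked as trusted reports `U` rather than `G`, so it will be listed here even though GitHub shows it as Verified.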