Commit Signature Verification. GPG keys.

gpg_keys.md

Managing commit signature verification on Mac. The way to auto sign-commits.

Generating a new GPG key

1. Check if gpg2 is installed, run which gpg2 if the command outputs nothing, install GPG Keychain.
2. Using the GPG Keychain utility generate a new key pair.
3. In the GPG Keychain, export the public key, save it to your documents folder.
4. Login to your GitHub account and navigate to https://github.com/settings/keys.
5. Open the exported public key and copy its contents.
6. Get back to GitHub, press the "New GPG key" button and paste the copied key.
7. Run git config --global gpg.program gpg2, to make sure git uses gpg2 and not gpg.
8. Git needs to know which key it is signing with, for this run

   $ gpg --list-secret-keys --keyid-format LONG
    /Users/hubot/.gnupg/secring.gpg
    ------------------------------------
    sec   4096R/3AA5C34371567BD2 2016-03-10 [expires: 2017-03-10]
    uid                          Hubot 
    ssb   4096R/42B317FD4BA89E7A 2016-03-10
   

   Copy the key ID you'd like to use. In this example, the GPG key ID is3AA5C34371567BD2.
9. To set your GPG signing key in Git, paste the text below, substituting in the GPG key ID you'd like to use. In this example, the GPG key ID is 3AA5C34371567BD2: git config --global user.signingkey 3AA5C34371567BD2.
10. Run git config --global commit.gpgsign true, this config option allows to sign all commits automatically.
11. Run git config --list and verify your settings.

Installing the GPG Keychain utility

Download it from https://gpgtools.org/ and follow the installation instructions.