Probably one of the easiest things you'll ever do with gpg
Install Keybase: https://keybase.io/download and ensure the keybase CLI is in your PATH
Generate the key using keybase
keybase pgp gen --multi
List all keys
keybase pgp list
First get the public key
keybase pgp export | gpg --import
If multiple keys exist:
keybase pgp export -q <key-id> | gpg --import
<key-id> is the PGP fingerprint shown when running keybase pgp list
Next get the private key
keybase pgp export --secret | gpg --allow-secret-key-import --import
Verify progress:
gpg --list-secret-keys
Look for something like:
sec 4096R/C9D8E1A1 2017-02-16 [expires: 2033-02-12]
uid Sean Escriva <[email protected]>
ssb 4096R/CC67212E 2017-02-16
The email address should match your GitHub email.
The C9D8E1A1 part is what you need next. By default this key is untrusted, so we'll fix that.
To edit trust:
$ gpg --edit-key C9D8E1A1
gpg> trust
Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)
1 = I don't know or won't say
2 = I do NOT trust
3 = I trust marginally
4 = I trust fully
5 = I trust ultimately
m = back to the main menu
Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y
There are many levels of trust, so choose what you're comfortable with.
Then configure git to sign commits with this key:
$ git config --global user.signingkey C9D8E1A1
$ git config --global commit.gpgsign true
Now add it to your GitHub profile:
gpg --armor --export C9D8E1A1 | xclip
Add it to your GitHub profile under Settings/SSH and GPG keys.
Replace xclip with clip or pbcopy for your current platform.
Use gpg-agent if you don't want to enter the password every time.
View signed commits with: git log --show-signature -1
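The key-selection step above can be scripted instead of read by eye. This is an added example, not part of the original write-up. It picks the key by its full 40-character fingerprint, because 8-character IDs such as C9D8E1A1 are not guaranteed unique, and it skips expired or revoked keys. The function names, the sample listing and the example.com address are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): choose the git signing key by
# full fingerprint and matching email instead of copying a short key ID.

# Reads `gpg --list-secret-keys --with-colons` output on stdin and prints the
# primary-key fingerprint of every usable secret key with a uid for email $1.
signing_fpr_for_email() {
    awk -F: -v want="<$1>" '
        # New primary key: field 2 is validity (e = expired, r = revoked).
        $1 == "sec" { usable = ($2 != "e" && $2 != "r"); primary = ""; need_fpr = 1; done = 0; next }
        # Fingerprints that follow a subkey record belong to the subkey.
        $1 == "ssb" { need_fpr = 0; next }
        $1 == "fpr" && need_fpr { primary = $10; need_fpr = 0; next }
        # uid record: field 10 is "Name <email>"; skip revoked uids.
        $1 == "uid" && usable && !done && $2 != "r" &&
            index(tolower($10), tolower(want)) { print primary; done = 1 }
    '
}

# Constructed sample listing (trimmed colon records, not real keys):
# one expired key and one valid key, both carrying the same email.
sample_listing() {
cat <<'EOF'
sec:e:4096:1:AAAA0000AAAA0001:1400000000:1500000000::u:::sc:
fpr:::::::::AAAA0000AAAA0000AAAA0000AAAA0000AAAA0001:
uid:e::::1400000000::0000000000000000000000000000000000000001::Old Key <dev@example.com>:
sec:u:4096:1:BBBB0000BBBB0002:1487203200:1991520000::u:::scESC:
fpr:::::::::BBBB0000BBBB0000BBBB0000BBBB0000BBBB0002:
uid:u::::1487203200::0000000000000000000000000000000000000002::Dev Example <dev@example.com>:
ssb:u:4096:1:CCCC0000CCCC0003:1487203200::::::e:
fpr:::::::::CCCC0000CCCC0000CCCC0000CCCC0000CCCC0003:
EOF
}

# Against a real keyring: refuse to guess unless exactly one key matches.
configure_git_signing() {
    fprs=$(gpg --batch --fingerprint --list-secret-keys --with-colons |
           signing_fpr_for_email "$1")
    [ "$(printf '%s\n' "$fprs" | grep -c .)" -eq 1 ] ||
        { echo "expected exactly one usable key for $1" >&2; return 1; }
    git config --global user.signingkey "$fprs"
    git config --global commit.gpgsign true
}

# Demo on the constructed listing: prints only the valid key's fingerprint.
sample_listing | signing_fpr_for_email dev@example.com
```

On a real machine, call configure_git_signing with the email address registered on your GitHub account.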