- Install gnupg2 and pinentry-mac (this includes gpg-agent and pinentry):
$ brew install gnupg2 pinentry-mac
- Generate a key:
$ gpg2 --gen-key
- Take the defaults. Whatevs
- Tell gpg-agent to use pinentry-mac:
$ vim ~/.gnupg/gpg-agent.conf
and paste in:
# Connects gpg-agent to the OSX keychain via the brew-installed
# pinentry program from GPGtools. This is the OSX 'magic sauce',
# allowing the gpg key's passphrase to be stored in the login
# keychain, enabling automatic key signing.
pinentry-program /usr/local/bin/pinentry-mac
- Tell git about it: https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work. Here is my git gpg config: https://github.com/bcomnes/.dotfiles/blob/master/configs/gitconfig.d/gpg
Export your public key:
$ gpg2 --export -a "Your Name" | cat
Paste it into GitHub > Settings > GPG Keys > New GPG Key.
Then find your key ID and tell git to sign with it:
$ gpg2 --list-keys
/Users/schacon/.gnupg/pubring.gpg
---------------------------------
pub   2048R/0A46826A 2014-06-04
uid                  Scott Chacon (Git signing key) <schacon@gmail.com>
sub   2048R/874529A9 2014-06-04

$ git config --global user.signingkey 0A46826A
- Tell git that you are using gpg2 like a boss:
$ git config --global gpg.program gpg2
- Tell github about it: https://help.github.com/articles/adding-a-new-gpg-key-to-your-github-account/
- Restart, or kill any running gpg-agent processes. An agent that was started before you changed gpg-agent.conf keeps the old settings and will not work.
- Sign your commits:
$ git commit -S -m 'yolo'
- Consider signing all your commits. In ~/.gitconfig:
[commit]
    gpgsign = true
or
$ git config --global commit.gpgsign true
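As an added example that is not part of this gist, here are shell helpers that script the steps above (writing gpg-agent.conf without duplicating the entry, picking the key ID from gpg2's machine-readable listing, pointing git at it) plus a check that lists commits whose signature does not verify. The GNUPGHOME argument, the --demo flag and the sample key listing are assumptions, not anything from the original.

```shell
#!/bin/sh
# Added example, not code from the original gist: shell helpers that
# script the setup above and check the result. Assumptions: a GNUPGHOME
# directory is passed in, the pinentry path is the brew one from above,
# and the key listing comes from `gpg2 --list-secret-keys --with-colons`.

# Write (or replace) the pinentry-program line in $1/gpg-agent.conf,
# so running the setup twice does not leave two conflicting entries.
write_agent_conf() {
  conf="$1/gpg-agent.conf"
  mkdir -p "$1" && chmod 700 "$1"
  if [ -f "$conf" ] && grep -q '^pinentry-program ' "$conf"; then
    sed -i.bak 's|^pinentry-program .*|pinentry-program /usr/local/bin/pinentry-mac|' "$conf"
    rm -f "$conf.bak"
  else
    printf '%s\n' '# GPGTools pinentry: passphrase can be kept in the login keychain' \
      'pinentry-program /usr/local/bin/pinentry-mac' >> "$conf"
  fi
  chmod 600 "$conf"
  cat "$conf"
}

# Read the machine-readable listing on stdin and print the long key ID
# (field 5 of the sec/pub record). --with-colons is stable across gpg
# versions, unlike the human-readable "pub 2048R/0A46826A" line.
signing_key_from_listing() {
  awk -F: '$1 == "sec" || $1 == "pub" { print $5; exit }'
}

# Point git at gpg2, the chosen key, and sign-by-default (needs git).
configure_git() {
  git config --global gpg.program gpg2
  git config --global user.signingkey "$1"
  git config --global commit.gpgsign true
}

# Check after the fact: list commits in a range whose signature status
# is not G (good), e.g. unsigned (N) or bad (B), so gaps stand out.
unsigned_commits() {
  git log --format='%G? %h %s' "${1:-HEAD}" | grep -v '^G ' || true
}

# Demo run using a constructed listing instead of calling gpg2:
if [ "${1:-}" = "--demo" ]; then
  sample='sec:u:2048:1:ABCDEF120A46826A:1401840000::::::scESC:::+:::23::0:'
  printf '%s\n' "$sample" | signing_key_from_listing
  write_agent_conf "$(mktemp -d)"
fi
```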
Other considerations:
- Store your passphrase in your system keychain. pinentry-mac provides this for you. This is a good bet, as it will help you use gpg seamlessly in your workflow every day, and help prevent you from losing your gpg passphrase. You're probably not Edward Snowden, so the security implications are not a threat to your situation. You can always harden your arrangements as your needs for super duper security grow. Taking steps to use gpg every day is a massive improvement over what you were likely not doing before.
- https://gist.github.com/bmhatfield/cc21ec0a3a2df963bffa3c1f884b676b
- https://alexcabal.com/creating-the-perfect-gpg-keypair/ <-- good background, but outdated, complicated and overly paranoid for starting out.
- Pick a primary system, laptop or not. Use a password manager for the gory details and hard drive encryption to cover your butt if your system gets stolen. Macs are a great option for this because they have FDE and 1Password. Generate the master keypair, taking the default setup, on this primary system. Subkey out to other systems and devices. Back up your revocation cert. Remember to migrate your master key when you replace your primary system. This is a poorly documented process, so if you do go down this path eventually, write down what you did and leave a breadcrumb in the comments for others to learn 👍
- https://www.gnupg.org/gph/en/manual.html