We started signing commits at work and as soon as I started generating the first key (GitHub guide), I realized I would be taking extra steps. I don't use my default GitHub email for work commits, I use my work email address. The instructions for setting up commit-signing describe how to make signing automatic, but I wouldn't want to sign my non-work commits with my work key…
So.
Using @sabbour's Quick and easy way to setup signed GitHub commits on MacOS as a starting point, these are the modifications I made so that I could assign a specific GPG key just to my work repos on my machine[1].
- When generating a new GPG key, I generated 2: 1 for my default GitHub email address; 1 for my work email address
  - I saved the passphrase for each key in my password manager
- I use `zsh` (made the switch w/ the update to macOS Catalina), not `bash` anymore, but the point about adding an `export` statement stands. So I added the following to my `~/.zshrc`, quit & restarted Terminal, and it works as expected: `export GPG_TTY=$(tty)`
- I do, in fact, want to sign every work commit, however: what I don't want is to have to remember to add `-S` every time I type `git commit` (I type it a lot every day)[2]. Ugh, no thanks.
  - I enabled signing on every commit with: `git config --global commit.gpgsign true`
  - In each of my work repos, I told Git about my signing key with: `git config --local user.signingkey KEYID`
    - The IDs for keys can be found with: `gpg --list-secret-keys --keyid-format LONG`
      And the bit you want--and that I used in the above command (`KEYID`)--is after `4096R/`
And that's it! It just… it just worked! 🎉
I did have to enter the key's passphrase on the first commit, but after that it was smooth sailing. (See below for how I made the credential-timeout longer than the default of 10 minutes.)
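As an added example (not from the original post or the guides it links), this shell sketch picks the long key ID by email address from gpg's machine-readable `--with-colons` listing rather than reading it off after `4096R/`, skips expired or revoked keys, and sets it with `--local` in a single repo. The function names, the sample listing, its key IDs and its addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example: map an email address to the long key ID of a usable secret key.

# Reads `gpg --list-secret-keys --with-colons` output on stdin and prints the
# long key ID of the first key that is neither expired (e) nor revoked (r)
# and carries a user ID for the address in $1.
keyid_for_email() {
  awk -F: -v want="<$1>" '
    $1 == "sec" { kid = $5; usable = ($2 != "e" && $2 != "r") }
    $1 == "uid" && usable && index($10, want) { print kid; exit }
  '
}

# Sets user.signingkey for one repo only, so the key never applies to
# repos outside it. Refuses to continue when no usable key matches.
# usage (hypothetical helper): pin_signing_key /path/to/repo you@work.example
pin_signing_key() {
  kid=$(gpg --list-secret-keys --with-colons | keyid_for_email "$2")
  [ -n "$kid" ] || { echo "no usable secret key for $2" >&2; return 1; }
  git -C "$1" config --local user.signingkey "$kid"
}

# Constructed sample listing: a personal key, an expired work key, and the
# current work key. Not real keys.
SAMPLE_KEYS='sec:u:4096:1:AAAA111122223333:1600000000:::u:::scESC:::+:::23::0:
uid:u::::1600000000::0000000000000000000000000000000000000001::Dev Example <dev@personal.example>::::::::::0:
sec:e:4096:1:BBBB333344445555:1500000000:1550000000::u:::sc:::+:::23::0:
uid:e::::1500000000::0000000000000000000000000000000000000002::Dev Example <dev@corp.example>::::::::::0:
sec:u:4096:1:CCCC444455556666:1600000000:::u:::scESC:::+:::23::0:
uid:u::::1600000000::0000000000000000000000000000000000000003::Dev Example <dev@corp.example>::::::::::0:'
```

After running `pin_signing_key` in a work repo, `git config --show-origin user.signingkey` shows that the value comes from that repo's `.git/config`.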
- Quick and easy way to setup signed GitHub commits on MacOS
- Generating a new GPG key, GitHub Docs
- Telling Git about your signing key
[1] Yes, my personal machine is also my work machine. 🤷🏽‍♀️ Normally this is not the way, but! I had the machine first and for Reasons™ I didn't mind adding work to it.
[2] I have very few aliases for Terminal. I used to have tons, but 4-5 years ago I decided I'd prefer to type out the commands I use heavily so that when I switch machines or I'm pairing, I won't be stymied by missing shortcuts.