@iainsmith
Forked from bcomnes/git-gpg.md
Last active November 3, 2021 09:31
my version of gpg on the mac
  1. Install gnupg and pinentry-mac (this includes gpg-agent and pinentry):

    $ brew install gnupg pinentry-mac

  2. Generate a key:

    $ gpg --full-generate-key

    • Use the same user.email and user.name that you use in your git config.

  3. Tell gpg-agent to use pinentry-mac:

    $ vi ~/.gnupg/gpg-agent.conf

    paste in

    # Connects gpg-agent to the OSX keychain via the brew-installed
    # pinentry program from GPGtools. This is the OSX 'magic sauce',
    # allowing the gpg key's passphrase to be stored in the login
    # keychain, enabling automatic key signing.
    pinentry-program /usr/local/bin/pinentry-mac
    # or for M1 Macs
    # pinentry-program /opt/homebrew/bin/pinentry-mac

    Also tell gpg to use the agent:

    $ echo "use-agent" >> ~/.gnupg/gpg.conf

  4. Configure git with your key: https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work

    git config --global user.signingkey "`git config --global --get user.name` <`git config --global --get user.email`>"

    Alternatively, use the key id found by running gpg --list-keys.

  5. Tell git that you are using gpg:

    git config --global gpg.program gpg
    git config --global commit.gpgsign true

  6. Tell GitHub about your new key: https://help.github.com/articles/adding-a-new-gpg-key-to-your-github-account/

  7. Restart gpg-agent:

    $ killall gpg-agent

  8. Sign a commit:

    $ git branch testing && touch hello && git add hello && git commit -S -m 'testing signing'

  9. Sign all your commits. In ~/.gitconfig:

    $ git config --global commit.gpgsign true

  10. Back up your keys to a password manager:

    gpg --export > public_keys.pgp
    gpg --export-secret-keys > secret_keys.pgp

    Store these in 1Password along with the key's passphrase. You will lose this stuff otherwise.

    They can be imported on a new system like so (the file names match the export above):

    gpg --import < public_keys.pgp
    gpg --import < secret_keys.pgp
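Before trying the test commit, it is worth checking that the three files edited above actually say what you think they say; the following script is an added example, not part of the original gist. It assumes the same file names as the steps (gpg-agent.conf, gpg.conf, .gitconfig) and takes the directory and config path as arguments so it can be pointed at a scratch copy.

```shell
#!/bin/sh
# Added example, not part of the original gist: sanity-checks the files the
# steps above edit.  Usage: sh check_gpg_setup.sh ~/.gnupg ~/.gitconfig
# Exit status 0 means every check passed; each line printed says which one.

# gpg-agent.conf must have an uncommented "pinentry-program <path>" line and
# that path must be an executable file.  A line starting with '#' (such as the
# commented-out M1 path) is ignored, so only the active entry is checked.
check_pinentry() {
    conf="$1"
    [ -r "$conf" ] || { echo "FAIL: cannot read $conf"; return 1; }
    prog=$(sed -n -e 's/[[:space:]]*$//' \
                  -e 's/^[[:space:]]*pinentry-program[[:space:]]\{1,\}//p' "$conf" | head -n 1)
    [ -n "$prog" ] || { echo "FAIL: no active pinentry-program line in $conf"; return 1; }
    [ -x "$prog" ] || { echo "FAIL: $prog is not an executable file"; return 1; }
    echo "ok: pinentry-program $prog"
}

# gpg.conf must contain an active "use-agent" line.
check_use_agent() {
    grep -Eq '^[[:space:]]*use-agent([[:space:]]|$)' "$1"
}

# .gitconfig must set gpgsign = true under [commit] and a non-empty signingkey
# under [user].  Minimal INI parsing: track the current [section] and only
# accept a key/value pair inside the section it belongs to.
check_gitconfig() {
    awk '
        BEGIN { FS = "[ \t]*=[ \t]*" }
        /^[ \t]*\[/ { sect = $0; gsub(/^[ \t]*\[|\].*$/, "", sect); next }
        { key = $1; gsub(/^[ \t]+|[ \t]+$/, "", key); val = $2 }
        sect == "commit" && key == "gpgsign"    && val == "true" { sign = 1 }
        sect == "user"   && key == "signingkey" && val != ""     { haskey = 1 }
        END { exit !(sign && haskey) }
    ' "$1"
}

# Run all three checks; returns non-zero if any of them failed.
check_gpg_setup() {
    home="$1"; gitcfg="$2"; rc=0
    check_pinentry "$home/gpg-agent.conf" || rc=1
    if check_use_agent "$home/gpg.conf" 2>/dev/null; then echo "ok: use-agent in gpg.conf"
    else echo "FAIL: use-agent missing from $home/gpg.conf"; rc=1; fi
    if check_gitconfig "$gitcfg" 2>/dev/null; then echo "ok: commit.gpgsign=true and user.signingkey set"
    else echo "FAIL: commit.gpgsign/user.signingkey not both set in $gitcfg"; rc=1; fi
    return $rc
}

# Only touch real files when invoked as a script with both paths given.
if [ "$#" -eq 2 ]; then check_gpg_setup "$1" "$2"; fi
```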

Other considerations:

  • Store your passphrase in your system keychain. pinentry-mac provides this for you. This is a good bet, as it will help you use gpg seamlessly in your workflow every day, and help prevent you from losing your gpg passphrase. You're probably not Edward Snowden, so the security implications are not a threat to your situation. You can always harden your arrangements as your needs for super duper security grow. Taking steps to use gpg every day is a massive improvement over what you were likely not doing before.
  • https://gist.github.com/bmhatfield/cc21ec0a3a2df963bffa3c1f884b676b
  • https://alexcabal.com/creating-the-perfect-gpg-keypair/ <-- good background, but outdated, complicated and overly paranoid for starting out.
  • Pick a primary system, laptop or not. Use a password manager for the gory details and hard-drive encryption to cover your butt if your system gets stolen. Macs are a great option for this because they have FDE and 1Password. Generate the master keypair, taking the default setup, on this primary system. Subkey out to other systems and devices. Back up your revocation cert. Remember to migrate your master key when you replace your primary system. This is a poorly documented process, so if you do go down this path eventually, write down what you did and leave a breadcrumb in the comments for others to learn 👍
  • https://www.gnupg.org/gph/en/manual.html
  • https://wiki.debian.org/Subkeys