Install GnuPG and the official GitHub CLI tool. Instructions:
- GitHub CLI https://github.com/cli/cli#installation
- GnuPG https://gnupg.org
# If you're using macOS and Homebrew
brew update && brew upgrade
brew install gnupg gh
gh auth login
# Follow remaining steps to auth GitHub CLI
Generate gpg key
gpg --full-generate-key
Options I selected:
- Select 1
- 4096 bits long
- Expires in: 1y
- name: YOUR GITHUB NAME (important)
- email: YOUR GITHUB EMAIL (important)
- Comment: optional (I didn't add anything)
- Passphrase (optional but you should)
Get your public key info
gpg --list-secret-keys --keyid-format=long
sec rsa4096/[THIS_KEY_ID] 2021-07-07 [SC]
2B18EEB732D15480D40A60D605AE1785E201CE95
uid [ultimate] Jon Doe <jon@doe.com>
ssb rsa4096/C98A99F6B0202433 2021-07-07 [E]
Copy [THIS_KEY_ID] (it should be 16 hexadecimal digits)
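Instead of copying the ID by eye, it can be picked out of gpg's machine-readable `--with-colons` listing, which also lets you skip expired or revoked keys and keys whose uid does not carry your GitHub email. This is an added example, not part of the original instructions; the function name `signing_key_for_email` and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: choose the signing key ID from gpg's colon-delimited listing.
# Real use (needs gpg installed):
#   gpg --list-secret-keys --with-colons | signing_key_for_email "YOUR GITHUB EMAIL"

# Prints the 16-hex-digit key ID of the first secret primary key that
#   - is not expired or revoked (field 2 of the "sec" record),
#   - can sign (field 12 of the "sec" record contains a lowercase "s"),
#   - has a usable uid containing <email> (field 10 of a "uid" record).
# Returns non-zero when no key qualifies. Hypothetical helper name.
signing_key_for_email() {
  awk -F: -v email="$1" '
    $1 == "sec" {
      id = ""   # forget the previous key; only keep this one if it is usable
      if ($2 !~ /^[er]$/ && $12 ~ /s/ && length($5) == 16 && $5 ~ /^[0-9A-F]+$/)
        id = $5
    }
    $1 == "uid" && id != "" && $2 !~ /^[er]$/ && index($10, "<" email ">") {
      print id; found = 1; exit
    }
    END { exit !found }
  '
}

# Constructed sample listing (not real keys): the first key is expired,
# the second is valid and sign-capable, followed by its encryption subkey.
SAMPLE_LISTING='sec:e:4096:1:1111AAAA2222BBBB:1594180800:1625716800::u:::sc:::+:::23::0:
uid:e::::1594180800::0000::Jon Doe <jon@doe.com>::::::::::0:
sec:u:4096:1:3333CCCC4444DDDD:1625716800:1657252800::u:::scESC:::+:::23::0:
uid:u::::1625716800::0000::Jon Doe <jon@doe.com>::::::::::0:
ssb:u:4096:1:5555EEEE6666FFFF:1625716800::::::e:::+:::23:'

# Demo on the constructed listing: the expired key is skipped.
printf '%s\n' "$SAMPLE_LISTING" | signing_key_for_email "jon@doe.com"
```

The printed ID is the value to use wherever these instructions say THIS_KEY_ID; the email match is case-sensitive.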
Save public key to a file
mkdir ~/public-keys
gpg --armor --export THIS_KEY_ID > ~/public-keys/GITHUB_GPG_PUBLIC_KEY.gpg
Let GitHub know about your key
gh gpg-key add ~/public-keys/GITHUB_GPG_PUBLIC_KEY.gpg
Let Git know about your key
git config --global user.signingkey THIS_KEY_ID
git config --global user.email "YOUR GITHUB EMAIL"
git config --global user.name "YOUR GITHUB NAME"
Sign commits by default
git config --global commit.gpgsign true
Note: if you added a passphrase to your key, you will be prompted to enter it every time you commit.
You can tell pinentry where to prompt you for your passphrase by setting the GPG_TTY environment variable:
export GPG_TTY=$(tty)
Verify your key
gh gpg-key list
Verify your commits
git commit -S -m "This is a signed commit"
git log --show-signature -1
commit 2b18eeb732d15480d40a60d605ae1785e201ce95 (HEAD -> main, origin/main, origin/HEAD)
gpg: Signature made Wed 07 Jul 2021 11:00:00 PM PDT
gpg: using RSA key 2B18EEB732D15480D40A60D605AE1785E201CE95
gpg: Good signature from "Jon Doe <jon@doe.com>" [ultimate]
Author: Jon Doe <jon@doe.com>
Date: Wed 07 Jul 2021 11:00:00 PM PDT