Skip to content

Set up GPG signing of commits and tags

Cheng Fang edited this page Aug 31, 2023 · 4 revisions

install gnupg:

Find a installation method for your OS, to install gnupg. For example, this is the command to install it on Mac

brew install gnupg

verify newly installed gpg version:

gpg --version

list existing keys:

gpg --list-keys

generate key

Generated keys are stored under ~/.gnupg/

gpg --full-generate-key

show the generated key in long format:

gpg --list-secret-keys --keyid-format=long

------------------------------------
sec   4096R/3AA5C34371567BD2 2016-03-10 [expires: 2017-03-10]
uid                          Hubot <[email protected]>
ssb   4096R/4BB6D45482678BE3 2016-03-10

tell git to use the above key:

In the output above, the key-id is 3AA5C34371567BD2, which is taken from the line 1 column 2. Use this key-id in the following command.

git config --global user.signingkey <key-id>

Optionally, configure git to always sign commits and tags

These settings save you from typing -s (for tagging) or -S (for committing) options when running individual git commands.

git config --global commit.gpgsign true
git config --global tag.gpgsign true

# to check current settings:
git config --global --get commit.gpgsign
git config --global --get tag.gpgsign

save your public key to your github account so that github can verify your signed commits and tags.

Copy your GPG key from the command output below, beginning with -----BEGIN PGP PUBLIC KEY BLOCK----- and ending with -----END PGP PUBLIC KEY BLOCK-----, and add it to your github account.

gpg --armor --export <key-id>

set display for pgp

This is needed to avoid errors like gpg: signing failed: Inappropriate ioctl for device. You may want to add this line to your shell startup script like $HOME/.bashrc

export GPG_TTY=`tty`

Optionally, configure a password manager program to save the key pin

On macOS you may want to use pinentry-mac to have GUI window to enter pin and optionally store pin in keychain. And enable it in your ~/.gnupg/gpg-agent.conf config (create it if it doesn't exists):

brew install pinentry-mac

pinentry-program /usr/local/bin/pinentry-mac

change key pin, if need to

gpg --edit-key <keyid>
> passwd
> [enter new pin, and press Enter to confirm]
>

Configure IDE integration in order to sign commits and tags inside IDE

In general, a good tool should be able to pick up configured keys from the system, though actual steps vary. Sometimes the IDE may hang during commit while waiting for the pin input. If the problem persists, the last resort is to use a blank password so that the tool need not wait for any user input. A weak or blank pin poses a serious security risk and should be avoided. See above section for how to change pin.

References

Generating a new GPG key - GitHub Docs

GnuPG