Generate GPG key, add to GitHub and verify identity
Jun 2017    |    gpg   github  


But why? See GitHub's page on GPG signature verification: a commit signed with a key whose email is verified on your GitHub account is marked "Verified", so others can tell commits you actually made from commits that merely carry your name and email.

A few gotchas.

  1. Make sure every email address in a user ID (uid) of your GPG key is also a verified email on your GitHub account. GitHub only marks a commit "Verified" when the signing key's email matches a verified address on the account.

  2. Don’t forget to set said email in your .gitconfig file; the committer email git writes into the commit has to match one of the key's uids.
    e.g., git config --global user.email "email@example.com" (global setting; use it without --global inside a repo to set it per project)

  3. Download GPG Suite, whose pinentry-mac lets you store the key's passphrase in the macOS keychain (the private key itself stays in ~/.gnupg).


Before proceeding, please check for existing keys and make a backup of ~/.gnupg!!!

To list keys in the secret keyring run: gpg --list-secret-keys. See existing keys.

This article is specific to macOS and makes use of brew. Run the following to check if a GPG program is already installed on your computer: gpg --version

To install: brew install gnupg
To upgrade: brew upgrade gnupg

Check out the GitHub docs for a more in-depth explanation on how to generate a GPG key.

TL;DR gpg --full-generate-key and follow the prompts (the GitHub doc recommends RSA with a 4096-bit key, and the email you enter must be one you have verified on GitHub); if it doesn’t work read the GitHub doc ^.

If everything went okay you’ll see a bunch of text and it’ll display: public and secret key created and signed.

Check the key with the following command and note the GPG key ID, i.e., the part after rsa4096/ on the sec line, e.g., 5E6D89E5F4A1A2FC:

gpg --list-secret-keys --keyid-format LONG

/Users/name/.gnupg/pubring.gpg
-------------------------------
sec   rsa4096/5E6D89E5F4A1A2FC ...

To add GPG key to GitHub navigate to Account > Settings > SSH and GPG keys > New GPG Key.

Export the public key by running gpg --armor --export 5E6D89E5F4A1A2FC (--export only writes the public half; never paste the output of --export-secret-keys anywhere). I like to pipe long text into pbcopy to avoid manually copying.

E.g., gpg --armor --export 5E6D89E5F4A1A2FC | pbcopy and paste into GitHub > GPG keys / Add new.


A bit more configuration, tell git about your GPG key

Configure git to sign every commit: git config --global commit.gpgsign true. (GitHub's doc additionally sets user.signingkey to the key ID; without it git asks gpg for a key matching your committer name and email, which is why the email in gotcha 2 has to match a uid.)

Tell git the absolute path to the gpg binary you actually installed (if git picks up a different gpg than the one holding your key, signing fails or the passphrase prompt never appears):

/usr/local/bin/gpg -> ../Cellar/gnupg/2.2.8/bin/gpg   (Homebrew symlink)
/usr/local/Cellar/gnupg/2.2.8/bin/gpg                  (Homebrew, real path)
# or 
/usr/local/MacGPG2/bin/gpg                             (GPG Suite)

Optional:

Add no-tty to GPG config, telling it not to use terminal for output (may be necessary depending on your client):
echo no-tty >> ~/.gnupg/gpg.conf
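The three gotchas above and the "tell git about your GPG key" step all come down to one thing: the key ID git signs with and the email git writes into the commit must line up with what gpg --list-secret-keys --keyid-format LONG prints. The script below is an added example (not part of the original post) that parses that listing from stdin, pulls out the long key ID and the uid emails, checks whether a given git email is one of the uids, and prints the git config commands with the key ID filled in. The listing it runs on is a constructed sample using the post's key ID 5E6D89E5F4A1A2FC and made-up uids; pipe the real gpg output in to check your own setup.

```shell
#!/bin/sh
# Added example, not code from the original post. Works on the text format of
#   gpg --list-secret-keys --keyid-format LONG
# read from stdin. The sample listing and its uids are constructed.

# Print the long (16 hex digit) key ID of the first secret key in the listing.
gpg_long_keyid() {
  sed -n 's|^sec *[a-z0-9]*/\([0-9A-F]\{16\}\).*|\1|p' | head -n 1
}

# Print the email address from every "uid" line in the listing.
gpg_uid_emails() {
  sed -n 's/^uid.*<\([^>]*\)>.*/\1/p'
}

# Succeed (exit 0) only if the email in $1 is exactly one of the key's uids.
# GitHub compares the commit's committer email against these uids.
uid_has_email() {
  gpg_uid_emails | grep -Fxq -- "$1"
}

# Print the git config commands from the post, filled in with the key ID from
# the listing, plus user.signingkey (from GitHub's doc) so git does not have to
# pick the key by committer identity. Fails if no secret key is listed.
git_signing_config() {
  keyid=$(gpg_long_keyid)
  [ -n "$keyid" ] || { echo "no secret key found in listing" >&2; return 1; }
  gpg_path=$(command -v gpg || true)
  gpg_path=${gpg_path:-/usr/local/bin/gpg}   # post's Homebrew path as fallback
  printf 'git config --global user.signingkey %s\n' "$keyid"
  printf 'git config --global commit.gpgsign true\n'
  printf 'git config --global gpg.program %s\n' "$gpg_path"
}

# Constructed sample in the shape gpg 2.2 prints; not real key material.
SAMPLE_LISTING='/Users/name/.gnupg/pubring.gpg
-------------------------------
sec   rsa4096/5E6D89E5F4A1A2FC 2017-06-01 [SC]
      1234567890ABCDEF1234567890ABCDEF5E6D89E5
uid                 [ultimate] Example User <email@example.com>
uid                 [ultimate] Example User <work@example.org>
ssb   rsa4096/0123456789ABCDEF 2017-06-01 [E]
'

# Demo on the sample. For your real key, pipe gpg in instead, e.g.
#   gpg --list-secret-keys --keyid-format LONG | uid_has_email "$(git config user.email)"
printf '%s\n' "$SAMPLE_LISTING" | git_signing_config
if printf '%s\n' "$SAMPLE_LISTING" | uid_has_email "email@example.com"; then
  echo "OK: email@example.com is a uid on the key; GitHub can match it"
else
  echo "MISMATCH: set user.email to one of the key's uids or add one with adduid"
fi
```

Once the config is in place, make a commit and check it locally before pushing: git log --show-signature -1 or git verify-commit HEAD shows whether the signature was made and with which key; a "Good signature" locally but "Unverified" on GitHub almost always means the uid email is not a verified address on the account.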


See this article for storing the key's passphrase in the macOS keychain (it is the passphrase, not the private key, that goes into the keychain).

Briefly, on your first git commit you’ll get a prompt from pinentry-mac asking for your passphrase (to unlock the GPG key). There is a checkbox to save it in the keychain; make sure it’s checked.

Then go to System Preferences > GPG Suite (bottom-most of window) > make sure “Store in macOS Keychain” is checked.

Lastly, go to the macOS Keychain Access utility and look for “GnuPG” (it should be in the Password section). Double-click on your key, click the Access Control tab and modify (if needed):

  1. “Allow all applications access” (mhmm… probably not; any app on the machine could then read the passphrase)
  2. “Confirm before allowing access”; this option lets you add applications as needed. E.g., I use Tower (my fav git client for macOS).

Make sure you have pinentry-mac.app listed here (located at /usr/local/MacGPG2/libexec/pinentry-mac.app)


Done.


Extras.

Add additional email(s) to your GPG key

gpg --edit-key 5E6D89E5F4A1A2FC will drop you into the gpg> prompt; type adduid and follow the prompts (use an email you have verified on GitHub). Type save to write the changes and quit, or quit to exit without saving.

If you see the error below, comment out no-tty in ~/.gnupg/gpg.conf (the interactive editor needs a terminal) and run the command again:

gpg: Sorry, no terminal at all requested - can’t get input

NOTE: if you add another email you’ll need to remove the old GPG key from GitHub and re-upload the edited version, since GitHub doesn't update a stored key in place. Just run gpg --armor --export 5E6D89E5F4A1A2FC | pbcopy and add it as a new key.