But why? GPG signature verification
A few gotchas.
Make sure to verify the email addresses associated with your GPG key; GitHub only marks a commit "Verified" if the committer email matches a verified email on the account and a uid on the key.
Don't forget to set said email(s) in your git config (global setting):
git config --global user.email "email@example.com"
Download GPG suite, which will enable adding key(s) to the macOS keychain.
Before proceeding, please check for existing keys and make backups!!!
To list the keys in your secret keyring, run:
gpg --list-secret-keys
This article is specific to macOS and makes use of brew. Run the following to install GnuPG, or to confirm it is already installed and bring it up to date (brew reports an existing install instead of reinstalling):
brew install gnupg
brew upgrade gnupg
Check out the GitHub docs for a more in-depth explanation of how to generate a GPG key.
Run gpg --full-generate-key and follow the prompts; if it doesn't work, read the GitHub doc linked above.
If everything went okay you’ll see a bunch of text and it’ll display: public and secret key created and signed.
Check the key with the following command and note the GPG key ID, e.g., 5E6D89E5F4A1A2FC:
gpg --list-secret-keys --keyid-format LONG
/Users/name/.gnupg/pubring.gpg
-------------------------------
sec   rsa4096/5E6D89E5F4A1A2FC ...
To add the GPG key to GitHub, navigate to Account > Settings > SSH and GPG keys > New GPG Key.
Export the key by running:
gpg --armor --export 5E6D89E5F4A1A2FC
I like to pipe long text into pbcopy to avoid copying it manually:
gpg --armor --export 5E6D89E5F4A1A2FC | pbcopy
then paste the result into GitHub > GPG keys > Add new.
A bit more configuration: tell git about your GPG key.
Configure git to sign commits:
git config --global commit.gpgsign true
Tell git the absolute path to the gpg binary:
git config --global gpg.program /usr/local/bin/gpg
With the brew install, /usr/local/bin/gpg is a symlink into the Cellar (/usr/local/bin/gpg -> ../Cellar/gnupg/2.2.8/bin/gpg, i.e. /usr/local/Cellar/gnupg/2.2.8/bin/gpg); with GPG Suite the binary is /usr/local/MacGPG2/bin/gpg instead.
Add no-tty to GPG config, telling it not to use terminal for output (may be necessary depending on your client):
echo no-tty >> ~/.gnupg/gpg.conf
See this article for adding the key to macOS keychain.
Briefly, on your first git commit you'll get a prompt from pinentry-mac asking for your passphrase (to unlock the GPG key). There is a checkbox to "add key to keychain"; make sure it's checked.
Then go to System Preferences > GPG Suite (bottom-most of window) > make sure “Store in macOS Keychain” is checked.
Lastly, go to macOS Keychain Access utility, look for “gnuPG” (should be in the Password section). Double-click on your key, click Access Control tab and modify (if needed):
Make sure you have pinentry-mac.app listed here (located at /usr/local/MacGPG2/libexec/pinentry-mac.app).
To add another email address to the key, run
gpg --edit-key 5E6D89E5F4A1A2FC
which will drop you into the gpg prompt. Type adduid and follow the prompts. Then type save (and <enter>) to save and quit, or quit to exit.
If you see the error
gpg: Sorry, no terminal at all requested - can't get input
comment out no-tty in ~/.gnupg/gpg.conf, since adduid needs the terminal to take your input.
NOTE: if you add another email you'll need to remove the old GPG key from GitHub and re-upload the edited version. Just run
gpg --armor --export 5E6D89E5F4A1A2FC | pbcopy
and paste it in again.
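The three checks above that are easy to get wrong by hand (noting the long key ID from the gpg listing, confirming that git's user.email actually appears as a uid on the key, and commenting out no-tty when adduid complains about the terminal) can be scripted. The following is an added example, not code from the original article or from GnuPG/GitHub; it reads a gpg listing from stdin so it can be tested offline against a constructed sample (the fingerprint and the second uid are made up), and the function names are my own:

```shell
#!/bin/sh
# Constructed sample of `gpg --list-secret-keys --keyid-format LONG` output.
# The key ID and first email are the ones used in the article; the fingerprint
# line and the second uid are placeholders for the example.
SAMPLE_LISTING='/Users/name/.gnupg/pubring.gpg
-------------------------------
sec   rsa4096/5E6D89E5F4A1A2FC 2018-06-19 [SC]
      0000000000000000000000000000000000000000
uid                 [ultimate] Example Name <email@example.com>
uid                 [ultimate] Example Name <other@example.org>
ssb   rsa4096/0123456789ABCDEF 2018-06-19 [E]'

# Print the 16-hex-digit long key ID of every secret key (sec line) in the
# listing read from stdin; subkeys (ssb lines) are deliberately skipped.
key_ids() {
  sed -n 's/^sec *[a-z0-9]*\/\([0-9A-F]\{16\}\).*/\1/p'
}

# Print the email address of every uid line in the listing read from stdin.
uid_emails() {
  sed -n 's/^uid .*<\([^>]*\)>.*/\1/p'
}

# Succeed only if $1 is one of the uid emails on the listing read from stdin.
# This is the check GitHub effectively performs before marking a commit Verified.
email_on_key() {
  uid_emails | grep -Fxq -- "$1"
}

# Comment out a bare `no-tty` line in the gpg.conf given as $1, portably
# (BSD and GNU sed differ on -i, so write to a temp file and move it back).
disable_no_tty() {
  conf="$1"
  tmp="$conf.tmp"
  sed 's/^no-tty$/#no-tty/' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# Demonstration against the constructed sample; on a real machine replace the
# printf with `gpg --list-secret-keys --keyid-format LONG` and the literal
# email with `git config --global user.email`.
demo() {
  printf '%s\n' "$SAMPLE_LISTING" | key_ids
  if printf '%s\n' "$SAMPLE_LISTING" | email_on_key "email@example.com"; then
    echo "git user.email matches a uid on the key"
  else
    echo "git user.email is NOT on the key: commits will show as Unverified"
  fi
}
```

In practice you would pipe the real listing in, e.g. `gpg --list-secret-keys --keyid-format LONG | email_on_key "$(git config --global user.email)"`, and run `disable_no_tty ~/.gnupg/gpg.conf` only when the "no terminal at all requested" error appears.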