Get your GnuPG Public Key.
https://webinstall.dev/git-config-gpg
Although the latest git release allows you to sign with SSH keys (and GitHub will implement this shortly, if it hasn't already), most systems do not have the latest git release, and most verification systems are not updated with the newest verification techniques, so you may wish to sign your commits with GPG, as has been done for the last 20 years...
Here we'll cover
Usage:

```sh
git-config-gpg
```
Example output:

```text
GnuPG Public Key ID: CA025BC42F00BBBE

-----BEGIN PGP PUBLIC KEY BLOCK-----

mQGNBGGQtKIBDAChxTT375fetQawLkyyDcz07uIEZVa9pvuip8goMqev7PkOIHi+
j6PDtFmxgv8ZOFe8+1RfMC7eL5fYah0/OBxNm7pPvAPDWOX38FfUzoq9CALW2xPD
...
Yee+eokiC2mWIEkMwbqlnNmkX/wphS0zcCsEiHirmDxgY6YY9QRjlzUMY68OqjfJ
IFjFWv3R7eckM957wyR5BvdQNfGrW7cWefWhdZOzLEE7
=GXEK
-----END PGP PUBLIC KEY BLOCK-----

Successfully updated ~/.gitconfig for gpg commit signing
```
How to verify signed commits on GitHub:
1. Go to 'Add GPG Key': https://github.com/settings/gpg/new
2. Copy and paste the key above, from the first ---- to the last ----, into the form

These are the files / directories that are created and/or modified with this install:
~/.config/envman/PATH.env
~/.local/bin/git-config-gpg
~/Downloads/YOU.KEY_ID.gpg.asc
gpg-pubkey

If you'd like the passphrase to be cached until your login session ends, just set it to 400 days and call it good.

~/.gnupg/gpg-agent.conf:

```text
default-cache-ttl 34560000
max-cache-ttl 34560000
```
You'll need to reload gpg-agent for this to take effect, or just logout and login again.

```sh
# kill gpg-agent dead
killall gpg-agent
gpgconf killall gpg-agent

# start gpg-agent again (yes, 'bye' to start)
gpg-connect-agent --agent-program ~/.local/opt/gnupg/bin/gpg-agent /bye
```

Note: You may need to change or omit --agent-program, depending on how you installed gpg (if you installed it with Webi, run it as shown above).
See: (this is what git-config-gpg does)

Run gpg-pubkey-id to get your GnuPG Public Key ID and then update your ~/.gitconfig to sign with it by default:
```sh
#!/bin/sh
MY_KEY_ID="$(gpg-pubkey-id)"
git config --global user.signingkey "${MY_KEY_ID}"
git config --global commit.gpgsign true
git config --global log.showSignature true
```
Or, for Windows users:

```powershell
#!/usr/bin/env pwsh
$my_key_id = gpg-pubkey-id
git config --global user.signingkey "$my_key_id"
git config --global commit.gpgsign true
git config --global log.showSignature true
```
Or, if you prefer to edit the text file directly:

~/.gitconfig:

```ini
[user]
    signingkey = CA025BC42F00BBBE
[commit]
    gpgsign = true
[log]
    showSignature = true
```
In some cases you may also want to prevent conflicts between different installed versions of gpg, like so:

```sh
git config --global gpg.program ~/.local/opt/gnupg/bin/gpg
```

~/.gitconfig:

```ini
[gpg]
    program = /Users/me/.local/opt/gnupg/bin/gpg
```
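Once signing is configured, the check a reviewer or CI job actually wants is that a commit carries a good signature from the configured key, not merely some signature. The script below is an added example (not part of the webi installer or this page): it parses the raw gpg status lines that `git verify-commit --raw` writes to stderr and accepts a commit only when GOODSIG is present, the VALIDSIG fingerprint ends in the expected long key ID, and no BADSIG/EXPKEYSIG/REVKEYSIG/ERRSIG line appears. The status texts and the fingerprints in them are constructed sample data; the key ID is the one shown on this page.

```sh
#!/bin/sh
# Added example: decide whether a commit's signature is good AND made by the
# expected long key ID, from gpg's machine-readable status output.

# Constructed sample of what `git verify-commit --raw <rev>` prints to stderr
# for a commit signed by the page's key (fingerprint is made up).
GOOD_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG CA025BC42F00BBBE Example User <user@example.com>
[GNUPG:] VALIDSIG 0123456789ABCDEF01234567CA025BC42F00BBBE 2024-01-01 1704067200 0 4 0 1 10 01
[GNUPG:] TRUST_ULTIMATE 0 pgp'

# Constructed: validly signed, but by a key other than the configured one.
OTHER_KEY_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0000111122223333 Someone Else <else@example.com>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA980000111122223333 2024-01-01 1704067200 0 4 0 1 10 01'

# Constructed: the commit content no longer matches the signature.
BAD_STATUS='[GNUPG:] NEWSIG
[GNUPG:] BADSIG CA025BC42F00BBBE Example User <user@example.com>'

# signature_ok STATUS_TEXT KEYID -> exit 0 only for GOODSIG + matching VALIDSIG
# and no failure status; KEYID is the 16-hex long ID as in user.signingkey.
signature_ok() {
  printf '%s\n' "$1" | awk -v want="$2" '
    $1 != "[GNUPG:]" { next }
    $2 == "BADSIG" || $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" || $2 == "ERRSIG" { bad = 1 }
    $2 == "GOODSIG" { good = 1 }
    # VALIDSIG field 3 is the full fingerprint; its last 16 hex digits are the long key ID
    $2 == "VALIDSIG" && toupper(substr($3, length($3) - 15)) == toupper(want) { keymatch = 1 }
    END { exit !(good && keymatch && !bad) }'
}

# Live check of a revision against the key in ~/.gitconfig. Not invoked here;
# it needs git and gpg on the machine. Example: verify_commit HEAD
verify_commit() {
  rev="${1:-HEAD}"
  key="$(git config --get user.signingkey)" || return 2
  # --raw sends the status lines to stderr; keep those, drop stdout
  status="$(git verify-commit --raw "$rev" 2>&1 >/dev/null)"
  signature_ok "$status" "$key"
}
```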
gpg is generally expected to be used with a Desktop client. On Linux servers you may get this error:

```text
error: gpg failed to sign the data
fatal: failed to write commit object
```

Try to load the gpg-agent, set GPG_TTY, and then run a clearsign test.

```sh
gpg-connect-agent /bye
export GPG_TTY=$(tty)
echo "test" | gpg --clearsign
```
If that works, update your ~/.bashrc, ~/.zshrc, and/or ~/.config/fish/config.fish to include the following:

```sh
gpg-connect-agent /bye
export GPG_TTY=$(tty)
```
If this is failing on Mac or Windows, then gpg-agent is not starting as expected on login (for Mac the above may work), and/or the pinentry command is not in the PATH.

If you just installed gpg, try closing and reopening your Terminal, or possibly rebooting.