Cheat Sheet

Although recent git releases (2.34 and later) can sign with SSH keys, and GitHub now verifies SSH signatures, many systems still ship an older git and many verification tools have not caught up, so you may wish to sign your commits with GPG, as has been done for the last 20 years...

Here we'll cover

Usage:

git-config-gpg

Example output:

GnuPG Public Key ID: CA025BC42F00BBBE

-----BEGIN PGP PUBLIC KEY BLOCK-----

mQGNBGGQtKIBDAChxTT375fetQawLkyyDcz07uIEZVa9pvuip8goMqev7PkOIHi+
j6PDtFmxgv8ZOFe8+1RfMC7eL5fYah0/OBxNm7pPvAPDWOX38FfUzoq9CALW2xPD
...
Yee+eokiC2mWIEkMwbqlnNmkX/wphS0zcCsEiHirmDxgY6YY9QRjlzUMY68OqjfJ
IFjFWv3R7eckM957wyR5BvdQNfGrW7cWefWhdZOzLEE7
=GXEK
-----END PGP PUBLIC KEY BLOCK-----

Successfully updated ~/.gitconfig for gpg commit signing

How to verify signed commits on GitHub:

    1. Go to 'Add GPG Key': https://github.com/settings/gpg/new
    2. Copy and paste the key above, from the first ----- line through the last ----- line, into the form

GitHub only marks a commit as "Verified" when the committer email matches both a user ID on the key and a verified email on your GitHub account.

Files

These are the files / directories that are created and/or modified with this install:

~/.config/envman/PATH.env
~/.local/bin/git-config-gpg
~/Downloads/YOU.KEY_ID.gpg.asc

How to add your GPG Public Key to GitHub

  1. Go to your GitHub Profile (https://github.com/settings/profile)
  2. Go to the SSH and GPG Keys (https://github.com/settings/keys)
  3. Add GPG Key (https://github.com/settings/gpg/new)
  4. Paste the output of gpg-pubkey into the form

How to cache the Passphrase longer

If you'd like the passphrase cached until your login session ends, set both TTLs to 400 days (34560000 seconds) and call it good. Keep in mind that max-cache-ttl is the hard cap (default-cache-ttl is refreshed each time the key is used), and that while the passphrase is cached, anything that can talk to your gpg-agent socket can sign as you, so pick a shorter value on shared or remote machines.

~/.gnupg/gpg-agent.conf:

default-cache-ttl 34560000
max-cache-ttl 34560000

You'll need to reload or restart gpg-agent for this to take effect, or just log out and log in again.

# kill gpg-agent dead (gpgconf's flag is --kill; this also drops any cached passphrases)
killall gpg-agent
gpgconf --kill gpg-agent

# start gpg-agent again (yes, 'bye' to start: connecting auto-starts the agent)
gpg-connect-agent --agent-program ~/.local/opt/gnupg/bin/gpg-agent /bye

Note: You may need to change or omit --agent-program, depending on how you installed gpg (if you installed it with Webi, run it as shown above).
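The following is an added example, not part of this page or of the Webi installer: it applies the TTL change above idempotently (re-running it never duplicates lines and leaves unrelated settings such as pinentry-program alone), validates the value, and reloads the agent with gpgconf --reload so the running agent re-reads its config. It assumes POSIX sh, awk and mktemp; the function names, the throw-away demo file and its contents are constructed for the example.

```shell
#!/bin/sh
# Added example (not part of the Webi page): set the gpg-agent passphrase
# cache TTLs idempotently. Assumes POSIX sh, awk and mktemp; gpgconf is
# only used by reload_gpg_agent, and only when it is installed.
set -eu

# set_gpg_agent_ttl CONF SECONDS
# Rewrites CONF so both default-cache-ttl and max-cache-ttl equal SECONDS,
# replacing existing lines in place, dropping duplicates and appending
# whichever of the two is missing. Every other line is kept as-is.
set_gpg_agent_ttl() {
  conf=$1
  ttl=$2
  case $ttl in
    ''|*[!0-9]*)
      echo "set_gpg_agent_ttl: TTL must be a whole number of seconds, got '$ttl'" >&2
      return 1 ;;
  esac
  mkdir -p "$(dirname "$conf")"
  [ -f "$conf" ] || : > "$conf"
  tmp=$(mktemp)
  awk -v ttl="$ttl" '
    $1 == "default-cache-ttl" { if (!seen_d) { print "default-cache-ttl " ttl; seen_d = 1 }; next }
    $1 == "max-cache-ttl"     { if (!seen_m) { print "max-cache-ttl " ttl; seen_m = 1 }; next }
    { print }
    END {
      if (!seen_d) print "default-cache-ttl " ttl
      if (!seen_m) print "max-cache-ttl " ttl
    }
  ' "$conf" > "$tmp"
  mv "$tmp" "$conf"
  chmod 600 "$conf"   # keep it private, like the rest of ~/.gnupg
}

# get_gpg_agent_ttl CONF NAME: print the value of NAME (default-cache-ttl
# or max-cache-ttl) from CONF, or nothing if it is not set.
get_gpg_agent_ttl() {
  awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# reload_gpg_agent: make a running agent re-read its config (same effect
# as sending it SIGHUP) instead of killing it.
reload_gpg_agent() {
  if command -v gpgconf >/dev/null 2>&1; then
    gpgconf --reload gpg-agent
  else
    echo "gpgconf not found; log out and back in to pick up the new TTLs" >&2
    return 1
  fi
}

# Demo on a constructed throw-away file standing in for ~/.gnupg/gpg-agent.conf.
demo_conf=$(mktemp)
printf '# constructed sample\npinentry-program /usr/bin/pinentry-curses\ndefault-cache-ttl 600\n' > "$demo_conf"
set_gpg_agent_ttl "$demo_conf" 34560000   # 400 days, as on the page
cat "$demo_conf"
rm -f "$demo_conf"
# For real use:
#   set_gpg_agent_ttl "${GNUPGHOME:-$HOME/.gnupg}/gpg-agent.conf" 34560000 && reload_gpg_agent
```

Because the passphrase stays usable by anything that can reach your agent socket for the whole TTL, the same function is handy for dialing the value back down (say, 3600) on a shared or remote machine.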

How to create a GPG Key

See:

How to manually set up git commit gpg signing

(this is what git-config-gpg does)

Run gpg-pubkey-id to get your GnuPG Public Key ID and then update your ~/.gitconfig to sign with it by default:

#!/bin/bash

# the 16-hex-digit long key ID of your GnuPG public key
MY_KEY_ID="$(
  gpg-pubkey-id
)"

git config --global user.signingkey "${MY_KEY_ID}"   # which key git signs with
git config --global commit.gpgsign true              # sign every commit by default
git config --global log.showSignature true           # show signature status in git log

Or, for Windows users:

#!/usr/bin/env pwsh

$my_key_id = gpg-pubkey-id

git config --global user.signingkey "$my_key_id"
git config --global commit.gpgsign true
git config --global log.showSignature true

Or, if you prefer to edit the text file directly:

~/.gitconfig

[user]
  signingkey = CA025BC42F00BBBE
[commit]
  gpgsign = true
[log]
  showSignature = true

In some cases you may also want to pin git to one specific gpg binary, to prevent conflicts between different installed versions of gpg:

git config --global gpg.program ~/.local/opt/gnupg/bin/gpg

which adds the following to ~/.gitconfig (the shell expands ~ to your home directory before git sees it):

[gpg]
  program = /Users/me/.local/opt/gnupg/bin/gpg
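The following is an added example, not code from this page or from the git-config-gpg installer: it does what the manual setup above does, but picks the key from gpg's machine-readable --with-colons listing, skipping revoked, expired, disabled and non-signing keys, and configures git with the full 40-hex fingerprint rather than a short ID. The function names are assumptions, and the --with-colons listing embedded in it is a constructed sample (not real keyring output). gpg and git are only invoked when APPLY=1 is set.

```shell
#!/bin/sh
# Added example (not part of the Webi page or its git-config-gpg script):
# pick a usable signing key from `gpg --list-secret-keys --with-colons`
# and configure git with its fingerprint. Assumes POSIX sh + awk.
set -eu

# signing_fingerprint: reads --with-colons records on stdin and prints the
# fingerprint of the first secret primary key (sec) that is not revoked
# (validity "r"), not expired ("e"), not disabled ("D" in field 12) and has
# the sign capability ("s" in field 12). The fpr record that follows a sec
# record carries its fingerprint in field 10; subkey (ssb) fprs are ignored.
signing_fingerprint() {
  awk -F: '
    $1 == "sec" {
      want = ($2 != "r" && $2 != "e" && index($12, "s") > 0 && index($12, "D") == 0)
      next
    }
    $1 == "fpr" && want { print $10; exit }
    $1 == "fpr"         { want = 0 }
  '
}

# validate_key_id: accept a 16-hex long key ID or a 40-hex fingerprint only.
# 8-hex short IDs are rejected because they are cheap to collide.
validate_key_id() {
  case $1 in
    ''|*[!0-9A-Fa-f]*) return 1 ;;
  esac
  [ "${#1}" -eq 16 ] || [ "${#1}" -eq 40 ]
}

# configure_git_signing KEY: the same three settings the page's script writes.
configure_git_signing() {
  validate_key_id "$1" || { echo "refusing to configure invalid key id '$1'" >&2; return 1; }
  git config --global user.signingkey "$1"
  git config --global commit.gpgsign true
  git config --global log.showSignature true
}

# Constructed sample (not real keyring output): a revoked key that must be
# skipped, then a usable key with an encryption-only subkey.
SAMPLE_COLONS='sec:r:4096:1:0123456789ABCDEF:1500000000::::::scESC:::+:::23::0:
fpr:::::::::FFEEDDCCBBAA9988776655440123456789ABCDEF:
uid:r::::1500000000::0000000000000000000000000000000000000000::Old Key <old@example.com>::::::::::0:
sec:u:3072:1:CA025BC42F00BBBE:1636873378::::::scESC:::+:::23::0:
fpr:::::::::A1B2C3D4E5F60718293A4B5CCA025BC42F00BBBE:
uid:u::::1636873378::1111111111111111111111111111111111111111::Example Dev <dev@example.com>::::::::::0:
ssb:u:3072:1:1122334455667788:1636873378::::::e:::+:::23:
fpr:::::::::9999999999999999999999991122334455667788:'

if [ "${APPLY:-0}" = 1 ]; then
  key=$(gpg --list-secret-keys --with-colons | signing_fingerprint)
else
  key=$(printf '%s\n' "$SAMPLE_COLONS" | signing_fingerprint)
fi
echo "signing key: $key"
# With APPLY=1 this writes ~/.gitconfig; otherwise it only shows the key chosen.
if [ "${APPLY:-0}" = 1 ]; then configure_git_signing "$key"; fi
```

Run as `APPLY=1 sh pick-signing-key.sh` (the file name is arbitrary) to write the real settings; without APPLY it only shows which key would be chosen from the sample. If no usable key is found the fingerprint is empty, validate_key_id rejects it, and nothing is written.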

Troubleshooting 'gpg failed to sign the data'

gpg expects to ask for the passphrase through a pinentry program, which usually means a desktop session. On Linux servers (or over SSH) you may get this error:

error: gpg failed to sign the data
fatal: failed to write commit object

Try starting gpg-agent, setting GPG_TTY (so pinentry knows which terminal to prompt on), and then running a clearsign test:

gpg-connect-agent /bye
export GPG_TTY=$(tty)
echo "test" | gpg --clearsign

If that works, update your ~/.bashrc, ~/.zshrc, and/or ~/.config/fish/config.fish to include the following:

gpg-connect-agent /bye
export GPG_TTY=$(tty)

If this is failing on Mac or Windows, then gpg-agent is not starting as expected on login (on Mac the steps above may work), and/or the pinentry command is not in the PATH.

If you just installed gpg, try closing and reopening your Terminal, or possibly rebooting.
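The following preflight script is an added example, not part of this page or of Webi: it checks the three things the troubleshooting steps above touch (GPG_TTY, a reachable pinentry, a running gpg-agent) and reports each separately before attempting the clearsign test, so you learn which one is wrong instead of only seeing 'gpg failed to sign the data'. It assumes POSIX sh and awk; the function names are assumptions, and the pinentry search takes the PATH and gpg-agent.conf as parameters so it can be tried against constructed inputs.

```shell
#!/bin/sh
# Added example (not part of the Webi page): preflight checks for
# "error: gpg failed to sign the data". Assumes POSIX sh + awk.
set -u

# check_gpg_tty: git runs gpg without a controlling terminal of its own,
# so pinentry needs GPG_TTY to point at a real tty device.
check_gpg_tty() {
  if [ -n "${GPG_TTY:-}" ] && [ -c "$GPG_TTY" ]; then
    echo "ok:   GPG_TTY=$GPG_TTY"
    return 0
  fi
  echo "FAIL: GPG_TTY is unset or not a tty; run: export GPG_TTY=\$(tty)"
  return 1
}

# find_pinentry SEARCH_PATH CONF
# Prints the pinentry gpg-agent will use: the pinentry-program named in
# CONF if it exists and is executable, else the first pinentry or
# pinentry-* executable found on SEARCH_PATH. Returns 1 if there is none.
find_pinentry() {
  search_path=$1
  conf=$2
  if [ -f "$conf" ]; then
    configured=$(awk '$1 == "pinentry-program" { print $2; exit }' "$conf")
    if [ -n "$configured" ] && [ -x "$configured" ]; then
      echo "$configured"
      return 0
    fi
  fi
  old_ifs=$IFS
  IFS=:
  for dir in $search_path; do
    for candidate in "$dir"/pinentry "$dir"/pinentry-*; do
      if [ -x "$candidate" ]; then
        IFS=$old_ifs
        echo "$candidate"
        return 0
      fi
    done
  done
  IFS=$old_ifs
  return 1
}

# check_agent: ask a running agent for its version without auto-starting
# one, so a dead agent is reported instead of silently masked.
check_agent() {
  if command -v gpg-connect-agent >/dev/null 2>&1 \
     && gpg-connect-agent --no-autostart 'getinfo version' /bye >/dev/null 2>&1; then
    echo "ok:   gpg-agent is running"
    return 0
  fi
  echo "FAIL: gpg-agent not reachable; start it with: gpg-connect-agent /bye"
  return 1
}

# check_clearsign: the end-to-end test from the page; may prompt for a passphrase.
check_clearsign() {
  if printf 'test\n' | gpg --clearsign >/dev/null 2>&1; then
    echo "ok:   gpg can sign"
    return 0
  fi
  echo "FAIL: gpg --clearsign failed; run it by hand to see why:  echo test | gpg --clearsign"
  return 1
}

# Quick, non-blocking checks first. The clearsign test can prompt for a
# passphrase, so it only runs when attached to a terminal.
check_gpg_tty || true
if pinentry=$(find_pinentry "$PATH" "${GNUPGHOME:-${HOME:-}/.gnupg}/gpg-agent.conf"); then
  echo "ok:   pinentry: $pinentry"
else
  echo "FAIL: no pinentry on PATH or in gpg-agent.conf; install one (e.g. pinentry-curses)"
fi
check_agent || true
if [ -t 0 ]; then check_clearsign || true; fi
```

A FAIL on GPG_TTY or pinentry is fixed by the export and PATH advice above; a FAIL on the agent with the other two passing is the "gpg-agent is not starting on login" case.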
