Using GPG Signature

git; signature; gpg

In addition to SSH keys, you can also use GPG keys to sign Git commits. GPG is an open-source encryption tool for encrypting and signing data. By using GPG keys, you can ensure that your commits are created by you.

Creating a GPG Key for Git Commit

Here are the steps to generate a GPG key on macOS:

  1. First, you need to install GnuPG. On macOS, you can install it via Homebrew. If you haven't installed Homebrew yet, you can install it with:

    /bin/zsh -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"

  2. Then, install GnuPG with:

    brew install gnupg

  3. Generate a new GPG key. Run the following command in the terminal to start generating the key:

    gpg --full-generate-key

  4. Next, it will ask what type of key you want to generate. Select "1" (RSA and RSA).

  5. Then, it will ask for the key size. It's recommended to choose 4096.

  6. Next, it will ask for the key's validity period. You can set it according to your needs, or select "0" for the key to never expire.

  7. Next, it will ask you to confirm your choice and enter your user information. This includes your name, email address, and an optional comment. Make sure the email address you enter matches the email address of your GitHub account.

  8. Finally, it will ask you to enter a password to protect your key.

  9. After generating the key, run the following command to list your GPG keys:

    gpg --list-secret-keys --keyid-format LONG

  10. From the listed information, copy the long-form GPG key ID (the 16 hex characters after the "/" on the "sec" line; see "What is a GPG Key ID?" below).

  11. Add your GPG key to your GitHub account. In GitHub's settings, click "SSH and GPG keys", then click "New GPG key". In the "Key" field, paste your GPG public key (the ASCII-armored export), not the secret key.

  12. Finally, tell Git to use your GPG key. Run the following commands, replacing <key> with your GPG key ID:

    git config --global user.signingkey <key>
    git config --global commit.gpgsign true

    (Setting this with --global is not recommended if you keep several commit identities on one computer; see the note on multiple configurations below.)

    What is a "GPG Key ID"?

    • GPG Key ID
      1. Use the gpg --list-secret-keys --keyid-format=long command to list the long-form GPG keys for which you have both public and private keys. Signing commits or tags requires the private key.

        gpg --list-secret-keys --keyid-format=long

        Note: Some GPG installations on Linux may need to use gpg2 --list-keys --keyid-format LONG instead to view the list of existing keys. In this case, you also need to configure Git to use gpg2 by running git config --global gpg.program gpg2.

      2. From the GPG key list, copy the long form of the GPG key ID you want to use. In this example, the GPG key ID is 3AA5C34371567BD2:

        $ gpg --list-secret-keys --keyid-format=long
        /Users/hubot/.gnupg/secring.gpg
        ------------------------------------
        sec   4096R/3AA5C34371567BD2 2016-03-10 [expires: 2017-03-10]
        uid                          Hubot <hubot@example.com>
        ssb   4096R/4BB6D45482678BE3 2016-03-10

    If you have several different commit identity configurations on one computer and want each commit to use its own GPG configuration, you can do this:

    • Specific approach

This way, you can use your GPG key for Git commits.
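The following script is an added example, not part of the original post, covering steps 9 to 12 above and the per-identity note: it picks the long key ID out of a `gpg --list-secret-keys --keyid-format=long` listing, derives the same ID from a full fingerprint (newer GnuPG prints the fingerprint instead of the short "4096R/ID" form), exports the public key block for GitHub, and configures signing for one repository only instead of globally. The function names, the sample listing and all key IDs and fingerprints in it are constructed for illustration; the gpg and git calls assume GnuPG 2.x and git are on PATH when those functions are invoked.

```shell
#!/bin/sh
# Added example (not from the original post): select the long GPG key ID,
# export the PUBLIC key block for GitHub, and configure signing for ONE repository.
# Assumes gpg (GnuPG 2.x) and git are on PATH when the gpg/git functions are called.

# Constructed sample listing, shaped like the post's `gpg --list-secret-keys` output.
# Newer GnuPG prints "sec   rsa4096/3AA5C34371567BD2 ..." instead; the parser handles both.
SAMPLE_LISTING='/Users/hubot/.gnupg/secring.gpg
------------------------------------
sec   4096R/3AA5C34371567BD2 2016-03-10 [expires: 2017-03-10]
uid                          Hubot <hubot@example.com>
ssb   4096R/4BB6D45482678BE3 2016-03-10'

# Print the long (16 hex digit) ID of the first primary secret key ("sec" line).
# Subkeys ("ssb") are skipped; the post points Git at the primary key's ID.
extract_long_key_id() {
  printf '%s\n' "$1" | awk '$1 == "sec" { split($2, parts, "/"); print parts[2]; exit }'
}

# GnuPG 2.2+ prints the full 40 hex digit fingerprint on the line below "pub"/"sec";
# the long key ID is simply its last 16 hex digits (spaces from --fingerprint removed).
long_id_from_fingerprint() {
  printf '%s\n' "$1" | tr -d ' ' | awk '{ print substr($0, length($0) - 15) }'
}

# The block to paste into GitHub's "New GPG key" field is the ASCII-armored
# PUBLIC key. The secret key (--export-secret-keys) never leaves the machine.
export_public_key() {
  gpg --armor --export "$1"
}

# Configure signing for the current repository only (no --global), so each
# checkout can carry its own identity and its own signing key.
configure_repo_signing() {
  git config user.signingkey "$1"
  git config commit.gpgsign true
}

# Check that the most recent commit carries a valid signature from a key in the keyring.
verify_head_signature() {
  git verify-commit HEAD
}

# Stand-alone run: parse the constructed sample (no gpg or git needed for this part).
KEY_ID=$(extract_long_key_id "$SAMPLE_LISTING")
echo "Long key ID from sample listing: $KEY_ID"
```

Typical use inside a work checkout is `KEY_ID=$(extract_long_key_id "$(gpg --list-secret-keys --keyid-format=long)")`, then `export_public_key "$KEY_ID"` to obtain the text for GitHub, `configure_repo_signing "$KEY_ID"` in that repository, and `verify_head_signature` after the next commit to confirm Git actually signed it. Because `git config` without `--global` writes to `.git/config`, a second checkout can be configured with a different key the same way.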

An example key-generation session (the key fingerprint is masked):

$ gpg --full-generate-key
🎉 Start executing the command![2023-09-12 21:47:08]

gpg (GnuPG) 2.4.3; Copyright (C) 2023 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
   (9) ECC (sign and encrypt) *default*
  (10) ECC (sign only)
  (14) Existing key from card
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: work_user_name
Email address: work_user_name@404.com
Comment: used for work
You selected this USER-ID:
    "work_user_name (used for work) <work_user_name@404.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: revocation certificate stored as '/Users/your_user_name/.gnupg/openpgp-revocs.d/8E797F6F7******************361558.rev'
public and secret key created and signed.

pub   rsa4096 2023-09-12 [SC]
      8E797F6F7******************361558
uid                      work_user_name (used for work) <work_user_name@404.com>
sub   rsa4096 2023-09-12 [E]
