
@Chinmay1743
Last active September 6, 2022 15:49
A Gist to set up SSH and GPG keys for Git on one or more GitHub accounts in Linux.

Description

This Gist serves as a bare-minimum tutorial/manual that walks readers step by step through configuring SSH and GPG keys for Git and GitHub in Linux. It assumes that you have a basic idea of what Git is and where it is used.

A typical scenario for this is having a work and a personal GitHub (and email) account on the same machine.

1: Setup new SSH key for a user

1: Start by typing the following command, replacing the contents of the double quotes with your own details.

ssh-keygen -t rsa -b 4096 -C "your_email@domain_name.domain"

2: It should display the following lines:

Generating public/private rsa key pair.
Enter file in which to save the key (/home/username/.ssh/id_rsa):

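The default file is /home/username/.ssh/id_rsa, but you can change this, preferably to the GitHub folder you'll be working in. Use a dedicated folder for keys rather than a repository's working tree, so that the private key cannot be committed by accident.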

/home/username/Desktop/Github/<folder_name>/<key_name>

The example below stores the keys inside a folder on the Desktop:

/home/username/Desktop/Github/SSH-GPG-keys/id_rsa_personal

3: Next, add a passphrase for security. Although the field can be left blank, doing so is not good practice and is not advisable.

Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 

After entering the passphrase, you should see this:

Your identification has been saved in /home/username/Desktop/Github/SSH-GPG-keys/id_rsa_personal
Your public key has been saved in /home/username/Desktop/Github/SSH-GPG-keys/id_rsa_personal.pub
The key fingerprint is:
SHA256:averyVAGUELookiNGvaluehereinthisstring your_email@domain_name.domain
The key's randomart image is:
+---[RSA 4096]----+
|                 |
|  some           |
|     random      |
|          art    |
|                 |
|                 |
| used:           |
|    RSA & SHA    |
|                 |
+----[SHA256]-----+

4: Print the public key using the cat command:

cat /home/username/Desktop/Github/SSH-GPG-keys/id_rsa_personal.pub

The output should look like:

ssh-rsa aLOTofAlphaNUMERICcharacters0123456789 your_email@domain_name.domain

5: Copy the output then go to:

  • GitHub Profile Settings
  • SSH and GPG Keys
  • In SSH Keys Section, Click on New SSH Key
  • Give a title to your key to distinguish it from other keys.
  • Paste the copied output of your Public Key.
  • Click on Add SSH Key

6: Enter your GitHub password and the SSH key will be added to your account.

7: Repeat from point 2 above to create another key for another email ID; for instance, you may have a personal and a work email ID. Make sure to give the other key a different name when answering the prompt in point 2.

8: Now that the key pairs have been created for one or more profiles, you need to add the configuration for them on your machine. To do that, you have to create a config file in your hidden ssh directory.

Simply create a file named config in your present working directory. Open it with your preferred text editor and make the following changes:

Host <choose_a_name_for_personal_reference>
    HostName github.com
    IdentityFile /path/to/private/key/of/ssh

The example below shows two different keys for the personal and work profiles:

Host personal
    HostName github.com
    IdentityFile /home/username/Desktop/Github/SSH-GPG-keys/id_rsa_personal

Host work
    HostName github.com
    IdentityFile /home/username/Desktop/Github/SSH-GPG-keys/id_rsa_work

Save your config file. Then run the command below to copy this file to the hidden ~/.ssh directory:

cp config ~/.ssh/

Run either of the following commands to test:

ssh -T git@personal
ssh -T git@work

If you see the output below, your SSH keys have been configured successfully.

Hi <Github-Username>! You've successfully authenticated, but GitHub does not provide shell access.
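
One way to check the per-account aliases before copying the file into ~/.ssh, as an added example that is not part of the original gist. The function name lint_ssh_config and the scratch files it runs on are constructed for illustration. It flags aliases for github.com that lack IdentitiesOnly yes (without it, ssh can offer another account's key from the agent first) and private keys that group or others can access.

```shell
#!/bin/sh
# Added example (not from the gist): lint per-account GitHub host aliases.
# Assumes the simple "Keyword value" config syntax used on this page.
lint_ssh_config() {
    awk '
        function emit() {
            if (host != "" && tolower(hostname) == "github.com")
                printf "%s\t%s\t%s\n", host, (idfile == "" ? "-" : idfile), idonly
        }
        { key = tolower($1) }
        key == "host"           { emit(); host = $2; hostname = ""; idfile = ""; idonly = "no" }
        key == "hostname"       { hostname = $2 }
        key == "identityfile"   { idfile = $2 }
        key == "identitiesonly" { idonly = tolower($2) }
        END { emit() }
    ' "$1" | while IFS="$(printf '\t')" read -r host idfile idonly; do
        # Without IdentitiesOnly, ssh may try agent keys of the other account first.
        [ "$idonly" = yes ] || echo "$host: IdentitiesOnly yes is not set"
        case $idfile in "~/"*) idfile=$HOME/${idfile#"~/"} ;; esac
        if [ "$idfile" = - ]; then
            echo "$host: no IdentityFile"
        elif [ ! -f "$idfile" ]; then
            echo "$host: $idfile not found"
        elif [ "$(ls -ld "$idfile" | cut -c5-10)" != "------" ]; then
            # ssh refuses private keys that group or others can access.
            echo "$host: $idfile is accessible to group/others (chmod 600)"
        fi
    done
}

# Constructed sample: two aliases in a scratch directory, one deliberately weak.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
: > "$demo_dir/id_rsa_personal"; chmod 600 "$demo_dir/id_rsa_personal"
: > "$demo_dir/id_rsa_work";     chmod 644 "$demo_dir/id_rsa_work"
cat > "$demo_dir/config" <<EOF
Host personal
    HostName github.com
    IdentityFile $demo_dir/id_rsa_personal
    IdentitiesOnly yes

Host work
    HostName github.com
    IdentityFile $demo_dir/id_rsa_work
EOF
lint_ssh_config "$demo_dir/config"
```

On the real machine, run it as lint_ssh_config ~/.ssh/config; no output means every github.com alias pins its own key and the key files are private.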

2: Setup new GPG key for a user

The steps below help you set up a GPG key for your GitHub account. Run the following command in a terminal:

gpg --full-generate-key

The following prompt will appear. Select the kind of key you want:

gpg (GnuPG) 2.2.19; Copyright (C) 2019 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
  (14) Existing key from card
Your selection? 

The key should be 4096 bits in size:

RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 
Requested keysize is xxxx bits

Specify how long the key should be valid:

Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 

Enter details as requested:

GnuPG needs to construct a user ID to identify your key.

Real name: <Your_name>
Email address: <your_email@domain_name.domain>
Comment: <enter comment here>

You need to enter a secure passphrase:

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key <Key-ID> marked as ultimately trusted
gpg: revocation certificate stored as '/home/username/.gnupg/openpgp-revocs.d/some-alphanumeric-string-in-caps.rev'
public and secret key created and signed.

pub   rsa4096 yyyy-mm-dd [SC]
      very-long-alphanumeric-key-in-caps
uid                      Your_name (comment) <your_email@domain_name.domain>
sub   rsa4096 yyyy-mm-dd [E]

The key has been generated. You can view it with the command gpg --list-secret-keys, which should display something like:

gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   2  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 2u
/home/username/.gnupg/pubring.kbx
---------------------------------
sec   rsa4096 yyyy-mm-dd [SC]
      very-long-alphanumeric-key-in-caps
uid           [ultimate] Your_name (comment) <your_email@domain_name.domain>
ssb   rsa4096 yyyy-mm-dd [E]

OR

You can use the command gpg --list-secret-keys --keyid-format=long to get the list of key IDs. Output:

/home/username/.gnupg/pubring.kbx
---------------------------------
sec   rsa4096/A-KEY-ID yyyy-mm-dd [SC]
      very-long-alphanumeric-key-in-caps
uid                 [ultimate] Your_name (comment) <your_email@domain_name.domain>
ssb   rsa4096/ANOTHER-KEY-ID yyyy-mm-dd [E]

Now, to export the public key that GitHub needs, run the following command, using the key ID shown by the previous command:

gpg --armor --export [A-KEY-ID]

It will display a huge wall of text something like:

-----BEGIN PGP PUBLIC KEY BLOCK-----
0123456789
abcdefghij
ABCDEFGHIJ
abcdefghij
0123456789
-----END PGP PUBLIC KEY BLOCK-----

Copy the entire block of text including the comments.

Now follow:

  • Go to GitHub Profile Settings
  • SSH and GPG Keys
  • In GPG Keys Section, Click on New GPG Key
  • Give a title to your key to distinguish it from other keys.
  • Paste the copied block of text.
  • Click on Add GPG Key

3: Configure Git to always sign commits.

Run the following commands in terminal.

git config --global user.signingkey [A-KEY-ID]
git config --global commit.gpgsign true
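
With a work and a personal account, a single --global user.signingkey signs every repository with the same key. The added example below (not part of the original gist) goes one step further and selects the key per repository by e-mail address. signing_key_for and use_identity are hypothetical helper names, and the key listing with its key IDs and addresses is a constructed sample.

```shell
#!/bin/sh
# Added example (not from the gist). signing_key_for reads the output of
#   gpg --list-secret-keys --with-colons
# on stdin and prints the long key ID of the first sign-capable primary key
# that has a user ID containing <email>.
#   sec record: field 5 = long key ID, field 12 = capabilities ("s" = sign)
#   uid record: field 10 = "Name (comment) <email>"
signing_key_for() {
    awk -F: -v want="<$1>" '
        $1 == "sec" { keyid = $5; cansign = ($12 ~ /s/) }
        $1 == "uid" && cansign && index(tolower($10), tolower(want)) {
            print keyid; exit
        }
    '
}

# Hypothetical helper: run inside one repository to bind it to one account.
# Values go into the repository's own config, not into --global.
use_identity() {
    email=$1
    key=$(gpg --list-secret-keys --with-colons | signing_key_for "$email")
    if [ -z "$key" ]; then
        echo "no sign-capable secret key with user ID <$email>" >&2
        return 1
    fi
    git config user.email "$email"
    git config user.signingkey "$key"
    git config commit.gpgsign true
}

# Constructed listing with two keys (sample key IDs and addresses).
SAMPLE_LISTING='sec:u:4096:1:3AA5C34371567BD2:1661990400:::u:::scESC:
uid:u::::1661990400::0000::Your_name (personal) <personal@example.com>:
ssb:u:4096:1:1111111111111111:1661990400::::::e:
sec:u:4096:1:0123456789ABCDEF:1661990400:::u:::scESC:
uid:u::::1661990400::0000::Your_name (work) <work@example.com>:
ssb:u:4096:1:2222222222222222:1661990400::::::e:'

# Demo on the sample: prints the key ID that belongs to the work address.
printf '%s\n' "$SAMPLE_LISTING" | signing_key_for work@example.com
```

Inside a work repository, use_identity work@example.com sets the address and the matching key together, so commits there are not signed with the personal key.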


4: Troubleshooting.

Source for troubleshooting: https://daily-dev-tips.com/posts/how-to-verify-your-commits-on-github/

If the commits are still not signed after following all the procedures, test signing with the following command:

echo "test" | gpg --clearsign

If the above test results in failure, then try:

export GPG_TTY=$(tty)

Run the test again and you should be able to see the signature.

You may want to try killing the GPG client so that it asks for the password again:

gpgconf --kill all
gpg-agent --daemon


If you see the output below, your SSH keys have been configured successfully.

$ ssh -T git@personal

Hi <Github-Username>! You've successfully authenticated, but GitHub does not provide shell access.

Sometimes the above command will work, but when you try the following command you may see this error:

$ ssh -T Your-Github-Username@github.com
Your-Github-Username@github.com: Permission denied (publickey).

In this case, first check whether your agent has any identity added by running the following:

$ ssh-add -l
The agent has no identities.

If you get the above error, try the following:

ssh-add /home/username/Desktop/Github/SSH-GPG-keys/id_rsa_personal

Its output will primarily contain key-size, hash type and your email address. Try verifying again and now there should not be any error.


Telling Git about your GPG key

Run the following commands:

gpg --list-secret-keys --keyid-format=long
git config --global user.signingkey 3AA5C34371567BD2

To set GPG_TTY automatically in every new shell, append it to your .bashrc startup file with the following command:

[ -f ~/.bashrc ] && echo 'export GPG_TTY=$(tty)' >> ~/.bashrc

If you still get a failed public key error, it means your SSH agent has no identities. Copy all your id_rsa files and public keys from their existing location to ~/.ssh and run ssh-add -l again to check whether the agent has your identity.


That's it. Your commits should be verified now :)

