GitHub supports several GPG key algorithms. If you try to add a key generated with an unsupported algorithm, you may encounter an error. The supported algorithms are:
- RSA
- ElGamal
- DSA
- ECDH
- ECDSA
- EdDSA
- Install the GPG command line tools for your operating system. The latest version is preferable to the long term support versions. For Mac, you can run `brew install gnupg`.
- Generate a GPG key set in terminal. It must be in RSA format. To start the process, you can run `gpg --full-generate-key`.
- Press enter for the default or specify if you want a specific key. I usually go for `RSA and RSA`.
- Specify a key size. It must be at least 4096 bits. If you encounter the question `Please select which elliptic curve you want`, simply hit enter.
- Choose a length of time you want your key to be valid for. I press 0 to prevent the hassle of regenerating a new GPG key later on.
- When prompted, enter your user ID information for GitHub. You must use a validated GitHub email connected to your account. Name and Comment can be whatever you like.
- Enter a passphrase to encrypt your key when it prompts you. If it doesn't, you must have some crazy luck.
Let's get the long form of your private GPG key needed to sign commits. You can retrieve it like so:

```
gpg --list-secret-keys --keyid-format=long
```

- From the list, copy the long form of the GPG key you will be using. In the example below, I would be copying `3AA5C34371567BD2` because it is after the `4096R/`:

```
$ gpg --list-secret-keys --keyid-format=long
/Users/hubot/.gnupg/secring.gpg
------------------------------------
sec 4096R/3AA5C34371567BD2 2016-03-10 [expires: 2017-03-10]
uid Hubot
ssb 4096R/42B317FD4BA89E7A 2016-03-10
```
- Export the full key in armor format with `gpg --armor --export`. We will use our long form of the key from above in this command, so it will be:

```
gpg --armor --export 3AA5C34371567BD2
```

Finally, copy your GPG key, beginning with `-----BEGIN PGP PUBLIC KEY BLOCK-----` and ending with `-----END PGP PUBLIC KEY BLOCK-----`.
- In the top right corner of any page on GitHub, select Settings from your profile photo menu.
- In the "Key" field, paste the GPG key you copied above, then click Add key.
We aren't off the hook yet; make sure to tell Git about your signing key as well. Go back to your OS terminal.

- With the long format of the GPG key we got before, we need to identify it in our global Git config. We can do so with `git config --global user.signingkey`:

```
git config --global user.signingkey 3AA5C34371567BD2
```
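Added here as an example (not from the original post): a small POSIX shell script that does the same lookup on the `gpg --list-secret-keys --keyid-format=long` output, checking that the key is at least 4096 bits and that one of its uids carries the email you verified on GitHub before printing the `git config` line. The listing, key IDs and email embedded in it are constructed samples, and it accepts both the older `4096R/` and the newer `rsa4096/` field formats.

```shell
# Constructed sample in the style of the listing above (hypothetical key and email).
# Older gpg prints "4096R/<id>", newer gpg prints "rsa4096/<id>"; both are handled.
SAMPLE_LISTING='sec   4096R/3AA5C34371567BD2 2016-03-10 [expires: 2017-03-10]
uid                          Hubot <hubot@example.com>
ssb   4096R/42B317FD4BA89E7A 2016-03-10'

# Long key ID of the primary secret key: the part after "/" on the first "sec" line.
signing_key_id() {
  printf '%s\n' "$1" | awk '$1 == "sec" { split($2, a, "/"); print a[2]; exit }'
}

# Key size in bits from the same field: "4096R" and "rsa4096" both give 4096.
signing_key_bits() {
  printf '%s\n' "$1" | awk '$1 == "sec" { split($2, a, "/"); gsub(/[^0-9]/, "", a[1]); print a[1]; exit }'
}

# Succeeds when some uid on the key carries the email that is verified on GitHub.
listing_has_email() {
  printf '%s\n' "$1" | grep -q "^uid.*<$2>"
}

# Run the three checks the post relies on (key present, at least 4096 bits, email on a uid)
# and print the git config command for that key; fail with a reason otherwise.
check_and_emit() {
  listing=$1; email=$2
  id=$(signing_key_id "$listing")
  bits=$(signing_key_bits "$listing")
  if [ -z "$id" ]; then
    echo "no secret key found in listing" >&2; return 1
  fi
  if [ -z "$bits" ] || [ "$bits" -lt 4096 ]; then
    echo "key $id is $bits bits; GitHub setup here needs at least 4096" >&2; return 1
  fi
  if ! listing_has_email "$listing" "$email"; then
    echo "no uid on key $id carries <$email>; GitHub will not show it as verified" >&2; return 1
  fi
  printf 'git config --global user.signingkey %s\n' "$id"
}

# Usage on the constructed sample. For your own key, pass the real listing instead:
#   check_and_emit "$(gpg --list-secret-keys --keyid-format=long)" you@example.com
check_and_emit "$SAMPLE_LISTING" hubot@example.com
```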
If you aren't using the GPG Suite, run the following command in the zsh shell to add the `GPG_TTY` setting to your `.zshrc` file, if it exists, or your `.zprofile` file:

```sh
if [ -r ~/.zshrc ]; then echo 'export GPG_TTY=$(tty)' >> ~/.zshrc; \
else echo 'export GPG_TTY=$(tty)' >> ~/.zprofile; fi
```

Alternatively, if you use the bash shell, run this command:

```sh
if [ -r ~/.bash_profile ]; then echo 'export GPG_TTY=$(tty)' >> ~/.bash_profile; \
else echo 'export GPG_TTY=$(tty)' >> ~/.profile; fi
```
There are two ways to sign commits: automatically and manually. If you're a psychopath, go ahead and add `-S` to every git commit you run, as if you're not using `-u -m` as well already. No no, it's fine.

If you want to manually sign, you can just add `-S` to your git commits like this:

```
git commit -S -m "I am a psychopath."
```

However, like any other sane being, I presume you're also lazy. Never fear! There's a command for that. In terminal, simply paste this:

```
git config --global commit.gpgsign true
```

Just think of how many keystrokes you've saved your fingers from!

Congrats, if you followed this right, you should now be signing your GitHub commits. Why? Idk, I do it because it looks fancy. "Oh, the new SWE is verified with her commits? What a chad move."
Spare yourself on Ubuntu and install gnupg with `sudo apt-get install gnupg2`.