@PseudoDoctor
Last active April 11, 2023 18:23
GPG for WIN and WSL code signing example

gpg4Win

GPG for Windows

This example creates a GPG signing key for use on Windows

See https://github.com/microsoft/vscode/wiki/Commit-Signing

TL;DR:

  1. Install git: https://git-scm.com/
  2. Install gpg4win: https://www.gpg4win.org/ (gpg4win-4.1.0.exe)
  3. Tell git where to find gpg: git config --global gpg.program "C:/Program Files (x86)/GnuPG/bin/gpg.exe"

Terminal dump

Microsoft Windows [Version 10.0.19041.2788]
(c) Microsoft Corporation. All rights reserved.

C:\Users\DrFaux>gpg --full-generate-key
gpg: keybox 'C:\\Users\\DrFaux\\AppData\\Roaming\\gnupg\\pubring.kbx' created
gpg (GnuPG) 2.4.0; Copyright (C) 2021 g10 Code GmbH
--SNIP--
gpg: C:\\Users\\DrFaux\\AppData\\Roaming\\gnupg\\trustdb.gpg: trustdb created
gpg: directory 'C:\\Users\\DrFaux\\AppData\\Roaming\\gnupg\\openpgp-revocs.d' created
gpg: revocation certificate stored as 'C:\\Users\\DrFaux\\AppData\\Roaming\\gnupg\\openpgp-revocs.d\\48EF12CF9F75CAA8C26FD595C83F936838F657A2.rev'
public and secret key created and signed.

pub   rsa4096 2023-04-11 [SC]
      48EF12CF9F75CAA8C26FD595C83F936838F657A2
uid                      Dr Faux <drfaux@contoso.com>
sub   rsa4096 2023-04-11 [E]

C:\Users\DrFaux>gpg --list-secret-keys --keyid-format=long
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
C:\Users\DrFaux\AppData\Roaming\gnupg\pubring.kbx
-------------------------------------------------------------
sec   rsa4096/C83F936838F657A2 2023-04-11 [SC]
      48EF12CF9F75CAA8C26FD595C83F936838F657A2
uid                 [ultimate] Dr Faux <drfaux@contoso.com>
ssb   rsa4096/BB43E1CBEFED9A1C 2023-04-11 [E]

C:\Users\DrFaux>git init gpg-helper
Initialized empty Git repository in C:/Users/DrFaux/gpg-helper/.git/

C:\Users\DrFaux>cd gpg-helper
C:\Users\DrFaux\gpg-helper>git config --global user.email "drfaux@contoso.com"
C:\Users\DrFaux\gpg-helper>git config --global user.name "Dr Faux"
C:\Users\DrFaux\gpg-helper>git config --global user.signingkey C83F936838F657A2
C:\Users\DrFaux\gpg-helper>git config --global commit.gpgsign true
C:\Users\DrFaux\gpg-helper>echo "" > me
C:\Users\DrFaux\gpg-helper>git add me
C:\Users\DrFaux\gpg-helper>git commit -m 'foo'
gpg: directory '/c/Users/DrFaux/.gnupg' created
gpg: keybox '/c/Users/DrFaux/.gnupg/pubring.kbx' created
gpg: skipped "C83F936838F657A2": No secret key
gpg: signing failed: No secret key
error: gpg failed to sign the data
fatal: failed to write commit object

C:\Users\DrFaux>where gpg
C:\Program Files (x86)\GnuPG\bin\gpg.exe
C:\Users\DrFaux\gpg-helper>git config --global gpg.program "C:/Program Files (x86)/GnuPG/bin/gpg.exe"
C:\Users\DrFaux\gpg-helper>git commit -m 'bar'
-------- INSERT PASSPHRASE POP-UP --------
[master (root-commit) a181197] 'bar'
 1 file changed, 1 insertion(+)
 create mode 100644 me
C:\Users\DrFaux\gpg-helper>

Explanation

.

gpg4WSL

GPG for Windows Subsystem Linux

This example creates a GPG signing key for use in a WSL2 Linux distribution, which, as a side effect, also lets the host's VS Code (running against WSL) use the key.

See also https://github.com/microsoft/vscode/wiki/Commit-Signing

TL;DR:

The important bit is getting the key's passphrase into the agent's cache.

Prefix the git commit with GPG_TTY=$(tty) so gpg can prompt for the key passphrase on the current terminal, e.g. GPG_TTY=$(tty) git commit -m 'foo'
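As an added pre-flight check (not part of the gist), the script below tests whether the gpg binary git is configured to call actually holds the secret key named in user.signingkey, which is what was missing in the "No secret key" failure in the Windows dump, and reminds you about GPG_TTY for the WSL case. The function and variable names (secret_signing_keyids, signing_key_available, preflight, SAMPLE_LISTING) are mine; the live preflight assumes git and gpg are on PATH in WSL or Git Bash, and the embedded listing is constructed from the output shown on this page.

```shell
#!/bin/sh
# Added example: pre-flight check that the gpg binary git will call holds the
# configured signing key. The "skipped ...: No secret key" error on this page
# came from git invoking a gpg that reads a different keyring.

# Print the long key IDs of signing-capable secret keys ("sec" lines only,
# not "ssb" subkeys) from `gpg --list-secret-keys --keyid-format=long` output.
secret_signing_keyids() {
    printf '%s\n' "$1" | awk '$1 == "sec" { split($2, a, "/"); print a[2] }'
}

# Return 0 if the configured key (long ID or full fingerprint) matches one of
# the secret keys in the listing; 1 otherwise. Either value may be a suffix
# of the other, so a full fingerprint matches its own long ID.
signing_key_available() {
    key=$1
    listing=$2
    [ -n "$key" ] || return 1
    for id in $(secret_signing_keyids "$listing"); do
        case "$key" in *"$id") return 0 ;; esac
        case "$id" in *"$key") return 0 ;; esac
    done
    return 1
}

# Live check against the current git configuration (assumes git and gpg on
# PATH; run from WSL or Git Bash).
preflight() {
    gpg_bin=$(git config --get gpg.program || echo gpg)
    key=$(git config --get user.signingkey) || { echo "user.signingkey not set"; return 1; }
    listing=$("$gpg_bin" --list-secret-keys --keyid-format=long 2>/dev/null)
    if signing_key_available "$key" "$listing"; then
        echo "ok: $gpg_bin has secret key $key"
    else
        echo "missing: $gpg_bin has no secret key matching $key (check gpg.program and the keyring it reads)"
        return 1
    fi
    [ -n "$GPG_TTY" ] || echo "note: GPG_TTY is unset; use GPG_TTY=\$(tty) git commit ... to get the passphrase prompt"
}

# Constructed sample listing, mirroring the WSL output shown on this page.
SAMPLE_LISTING='sec   rsa4096/9669581FB8312D12 2023-04-08 [SC]
      894D79FDE028F608874297439669581FB8312D12
uid                 [ultimate] Dr Faux <drfaux@contoso.com>
ssb   rsa4096/6A7761F61F21E30F 2023-04-08 [E]'
```

Run preflight inside the repository before the first signed commit; a "missing" result on Windows usually means gpg.program still points at git's bundled gpg rather than the gpg4win one.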

Terminal dump

drfaux@HOST:~$ gpg --full-generate-key
--SNIP--
gpg: /home/drfaux/.gnupg/trustdb.gpg: trustdb created
gpg: key 9669581FB8312D12 marked as ultimately trusted
gpg: directory '/home/drfaux/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/home/drfaux/.gnupg/openpgp-revocs.d/894D79FDE028F608874297439669581FB8312D12.rev'
public and secret key created and signed.

pub   rsa4096 2023-04-08 [SC]
      894D79FDE028F608874297439669581FB8312D12
uid                      Dr Faux <drfaux@contoso.com>
sub   rsa4096 2023-04-08 [E]

drfaux@HOST:~$ gpg --list-secret-keys --keyid-format=long
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
/home/drfaux/.gnupg/pubring.kbx
-----------------------------
sec   rsa4096/9669581FB8312D12 2023-04-08 [SC]
      894D79FDE028F608874297439669581FB8312D12
uid                 [ultimate] Dr Faux <drfaux@contoso.com>
ssb   rsa4096/6A7761F61F21E30F 2023-04-08 [E]

drfaux@HOST:~$ git init gpg-helper
Initialized empty Git repository in /home/drfaux/gpg-helper/.git/
drfaux@HOST:~$ cd gpg-helper/
drfaux@HOST:~/gpg-helper$ git config --global user.email "drfaux@contoso.com"
drfaux@HOST:~/gpg-helper$ git config --global user.name "Dr Faux"
drfaux@HOST:~/gpg-helper$ git config --global user.signingkey 9669581FB8312D12
drfaux@HOST:~/gpg-helper$ git config --global commit.gpgsign true
drfaux@HOST:~/gpg-helper$ touch me
drfaux@HOST:~/gpg-helper$ git add me
drfaux@HOST:~/gpg-helper$ git commit -m 'foo'
error: gpg failed to sign the data
fatal: failed to write commit object
drfaux@HOST:~/gpg-helper$ GPG_TTY=$(tty) git commit -m 'foo'
-------- INSERT PASSPHRASE PROMPT --------
[master (root-commit) 62f61c7] foo
 1 file changed, 0 insertions(+), 0 deletions(-)
 create mode 100644 me
drfaux@HOST:~/gpg-helper$ touch you
drfaux@HOST:~/gpg-helper$ git add you
drfaux@HOST:~/gpg-helper$ git commit -m 'bar'
[master cc9450a] bar
 1 file changed, 0 insertions(+), 0 deletions(-)
 create mode 100644 you
drfaux@HOST:~/gpg-helper$