Signing git commits using GPG (Ubuntu/Mac)

Github : Signing commits using GPG (Ubuntu/Mac) 🔐

  • Do you have a GitHub account? If not, create one.
  • Install the required tools: the latest Git client and the gpg tools.

```sh
# Ubuntu
sudo apt-get install gpa seahorse
# MacOS with https://brew.sh/
brew install gpg
```

  • Generate a new gpg key:

```sh
gpg --gen-key
```

  • Answer the questions asked.

Note: When asked to enter your email address, ensure that you enter the verified email address for your GitHub account.

  • List the generated key:

```sh
gpg --list-secret-keys --keyid-format LONG
```

  • The command above should return something like this:

```
/home/username/.gnupg/secring.gpg
-------------------------------
sec   4096R/<COPY_LONG_KEY> 2016-08-11 [expires: 2018-08-11]
uid                          User Name <user.name@email.com>
ssb   4096R/62E5B29EEA7145E 2016-08-11
```

  • Note down your key ID, shown as COPY_LONG_KEY above (without the < and >).
  • Export this (public) key to a text file:

```sh
gpg --armor --export <PASTE_LONG_KEY_HERE> > gpg-key.txt
```

  • The command above creates a new text file, gpg-key.txt.
  • Add this key to GitHub:
  • Log in to GitHub and go to your profile settings.
  • Click New GPG Key, paste the contents of the gpg-key.txt file, then save.
  • Tell the git client to automatically sign your future commits, using the long key from above:

```sh
git config --global user.signingkey <PASTE_LONG_KEY_HERE>
git config --global commit.gpgsign true
```

  • You are done. The next time you commit changes, gpg will ask you for the passphrase.
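A consistency check for the setup above, written here as an added example that is not part of the gist: the first two functions parse the key listing (the legacy and the GnuPG 2.2 layouts), and check_signing_setup, which assumes gpg and git are on PATH, compares the listed key, user.signingkey, user.email and commit.gpgsign the way the steps describe.

```shell
# Pulls the long key id out of `gpg --list-secret-keys --keyid-format LONG`
# output. Accepts the legacy "4096R/<id>" layout shown in the gist and the
# "rsa4096/<id>" layout that GnuPG 2.2 prints (the difference chizou ran into).
extract_signing_key() {
    printf '%s\n' "$1" | awk '
        $1 == "sec" {
            split($2, parts, "/")
            if (parts[2] != "") { print parts[2]; exit }
        }'
}

# Succeeds only if a uid on the key carries the e-mail git will write into
# the commit (the name/email match joe42's comment insists on).
uid_matches_git_email() {
    printf '%s\n' "$1" | grep -q "^uid.*<$2>"
}

# Constructed sample listing with placeholder key ids (not real keys).
SAMPLE_LISTING='/home/username/.gnupg/secring.gpg
-------------------------------
sec   4096R/0123456789ABCDEF 2016-08-11 [expires: 2018-08-11]
uid                          User Name <user.name@email.com>
ssb   4096R/FEDCBA9876543210 2016-08-11'

# Live check of a workstation: assumes gpg and git are on PATH and that
# user.signingkey / commit.gpgsign were set as in the steps above.
check_signing_setup() {
    listing=$(gpg --list-secret-keys --keyid-format LONG 2>/dev/null) || return 1
    key=$(extract_signing_key "$listing")
    configured=$(git config --get user.signingkey | sed 's/^0x//' | tr a-f A-F)
    email=$(git config --get user.email)
    [ -n "$key" ] || { echo "no secret key found; run gpg --gen-key" >&2; return 1; }
    [ -n "$configured" ] || { echo "user.signingkey is not set" >&2; return 1; }
    # A SHORT id (last 8 hex digits) is accepted as well as the LONG one.
    case "$key" in
        *"$configured") ;;
        *) echo "user.signingkey $configured is not key $key" >&2; return 1 ;;
    esac
    uid_matches_git_email "$listing" "$email" \
        || { echo "no uid on key $key carries <$email>" >&2; return 1; }
    [ "$(git config --get commit.gpgsign)" = "true" ] \
        || { echo "commit.gpgsign is not true; commits will not be signed" >&2; return 1; }
    echo "signing setup is consistent: key $key, uid <$email>"
}
```

Run `check_signing_setup` after the steps above; a non-zero exit with the message on stderr tells you which of the configured pieces disagrees.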

Make gpg remember your passphrase (tricky)

To make gpg remember your passphrase, you can use gpg-agent.

Edit your ~/.gnupg/gpg-agent.conf file and paste these lines:

```
default-cache-ttl 28800
max-cache-ttl 28800
```

28800 seconds means 8 hours.

If gpg-agent is not running, you can start it with this command:

```sh
gpg-agent --daemon
```

Change your key passphrase

```sh
gpg --edit-key <PASTE_YOUR_KEY_ID_HERE>
```

At the gpg prompt type:

```
passwd
```

Type in the current passphrase when prompted.
Type in the new passphrase twice when prompted.
Then type:

```
save
```

Reference links


haxpor commented Feb 10, 2017

I tried it, and it seems like you have to enter the passphrase the first time, then it will be alive for the time you set. It's not a permanent solution.

ankurk91 (Author) commented Mar 22, 2017

@haxpor
And that's enough.


ecbrodie commented Apr 28, 2017

@ankurk91 excellent instructions. Definitely the most simple one I've seen so far. Thank you.

Just wondering, is there any way to suppress this message?

```
gpg-agent: a gpg-agent is already running - not starting a new one
```

ankurk91 (Author) commented Apr 30, 2017

@ecbrodie
If gpg-agent is already running, then you don't need to start it manually.


salmanwaheed commented Sep 24, 2017

great work bro 👍


hannesvdvreken commented Sep 26, 2017

```sh
git config --global tag.gpgsign true
```

does this actually work for you @ankurk91?

ankurk91 (Author) commented Sep 27, 2017

@hannesvdvreken
There is no such config documented, so I removed it. Thanks for the heads up.


takac commented Jan 17, 2018

On OSX I had to set GPG_TTY for things to work.

```sh
export GPG_TTY=$(tty)
```


robincher commented Mar 20, 2018

Thanks it's been helpful :) 👍


kmoll commented Apr 27, 2018

I found that max-cache-ttl actually needs to be maximum-cache-ttl. Once I changed that in my system it stopped prompting me every time for the passphrase.

ankurk91 (Author) commented Apr 28, 2018

@kmoll
The man page says that it should be max-cache-ttl.


nelson6e65 commented May 3, 2018

Hi. In my case, it was not working due to gpg version used by git.

Here's the solution: Setup git to use gpg2 instead of gpg
https://askubuntu.com/a/805550

@ankurk91 The man page you linked is for version 2:

This is the The GNU Privacy Guard Manual (version 2.2.7, April 2018).


tedbyron commented Jun 4, 2018

Thanks! All of these steps work on Windows as well, with the Windows gpg binary and any Unix shell emulator.


kaushalvivek commented Jul 14, 2018

Thanks! Was really helpful.


chizou commented Aug 6, 2018

My output came out a bit different. For the part with updating git to use the key, I had to specify `--keyid-format SHORT`, as in `gpg --list-secret-keys --keyid-format SHORT`. For reference, I'm using gpg (GnuPG) 2.2.4 libgcrypt 1.8.1.


duffn commented Sep 2, 2018

Thanks, this is a very helpful gist.


cbismuth commented Sep 7, 2018

Thank you! I had to add this command line: `git config --global gpg.program gpg2`.


joe42 commented Nov 15, 2018

Note that when generating the key, use the output of `git config --get user.name` as the name and `git config --get user.email` as the email address. Otherwise, committing will fail.


xbrunosousa commented Nov 3, 2019

Nice! 🤓


apoclyps commented Dec 3, 2019

I had issues running this; it failed to sign commits until I added the following:

```sh
GPG_TTY=$(tty)
export GPG_TTY
```


cesc1989 commented Jul 3, 2020

Awesome. Thanks.


SamyCoenen commented Sep 21, 2020

Great guide, thanks!
When I first tried to create a signed commit, it gave an error:

```
error: gpg failed to sign the data
```

I fixed it by killing the running agent (`killall gpg-agent`) and starting it again with `gpg-agent --daemon`.


RentecJeremy commented Oct 7, 2020

Thank you! This works with Windows & PowerShell as well, if you've installed Git with all of the bundled Unix tools.


cawa-93 commented May 31, 2022

Is there any way to sign commits without entering a passphrase, but using Windows Hello?
