Signing git commits using GPG (Ubuntu/Mac)

github_gpg_key.md

Github : Signing commits using GPG (Ubuntu/Mac) 🔐

• Do you have an Github account ? If not create one.
• Install required tools
• Latest Git Client
• gpg tools

# Ubuntu
sudo apt-get install gpa seahorse
# MacOS with https://brew.sh/
brew install gpg

• Generate a new gpg key

gpg --gen-key

• Answer the questions asked

Note: When asked to enter your email address, ensure that you enter the verified email address for your GitHub account.

• List generated key

gpg --list-secret-keys --keyid-format LONG

• Above command should return like this

/home/username/.gnupg/secring.gpg
-------------------------------
sec   4096R/<COPY_LONG_KEY> 2016-08-11 [expires: 2018-08-11]
uid                          User Name <user.name@email.com>
ssb   4096R/62E5B29EEA7145E 2016-08-11

• Note down your key COPY_LONG_KEY from above (without < and >)
• Export this (public) key to a text file

gpg --armor --export <PASTE_LONG_KEY_HERE> > gpg-key.txt

• Above command will create a new txt file gpg-key.txt

• Add this key to GitHub

• Login to Github and goto profile settings

• Click New GPG Key and paste the contents of gpg-key.txt file then save

• Tell git client to auto sign your future commits

• Use the long key from above in next command

git config --global user.signingkey <PASTE_LONG_KEY_HERE>
git config --global commit.gpgsign true

• You are done, next time when you commit changes; gpg will ask you the passphrase.

Make gpg remember your passphrase (tricky)

To make it remember your password, you can use gpg-agent

Edit your ~/.gnupg/gpg-agent.conf file and paste these lines

default-cache-ttl 28800
max-cache-ttl 28800

28800 seconds means 8 hours

If gpg-agent is not running you can start it with this command

gpg-agent --daemon

Change your key passphrase

gpg --edit-key <PASTE_YOUR_KEY_ID_HERE>

At the gpg prompt type:

passwd

Type in the current passphrase when prompted
Type in the new passphrase twice when prompted
Type:

save

Reference links

• https://help.github.com/articles/signing-commits-with-gpg/
• http://nishanttotla.com/blog/signing-git-commits-gpg/
• https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work
• https://news.ycombinator.com/item?id=7792026
• https://overflow.no/blog/2016/08/11/signed-commits-with-gpg-git-and-github-on-linux/
• http://stackoverflow.com/questions/10161198/is-there-a-way-to-autosign-commits-in-git-with-a-gpg-key
• http://irtfweb.ifa.hawaii.edu/~lockhart/gpg/gpg-cs.html
• https://help.ubuntu.com/community/GnuPrivacyGuardHowto
• https://medium.com/@timmywil/sign-your-commits-on-github-with-gpg-566f07762a43#.aovevj80y
• https://blog.erincall.com/p/signing-your-git-commits-with-gpg
• https://dev.to/agrinman/spoof-a-commit-on-github-from-anyone-4gf4
• https://docs.github.com/en/authentication/managing-commit-signature-verification/telling-git-about-your-signing-key#telling-git-about-your-ssh-key

git config --global tag.gpgsign true

does this actually work for you @ankurk91?

@hannesvdvreken
there is no such config documented, so removed, thanks for the heads up.

On OSX I had to set GPG_TTY for things to work.

export GPG_TTY=$(tty)

Thanks it's been helpful :) 👍

I found that max-cache-ttl actually needs to be maximum-cache-ttl. Once I changed that in my system it stopped prompting me every time for the passphrase.

@kmoll
The man page says that it should be max-cache-ttl

Hi. In my case, it was not working due to gpg version used by git.

Here's the solution: Setup git to use gpg2 instead of gpg
https://askubuntu.com/a/805550

@ankurk91 The man page you linked is for version 2:

This is the The GNU Privacy Guard Manual (version 2.2.7, April 2018).

Thanks! All of these steps work on Windows as well with the Windows gpg binary and any unix shell emulator

Thanks! Was really helpful.

My output came out a bit different. For the part with updating git to use the key, I had to specify --keyid-format SHORT, as in gpg --list-secret-keys --keyid-format SHORT. For reference, I'm using gpg (GnuPG) 2.2.4 libgcrypt 1.8.1

Thanks, this is a very helpful gist.

Thank you! I had to add this command line git config --global gpg.program gpg2.

Note that when generating the key, use the output of git config --get user.name as the name and git config --get user.email as the email address. Otherwise, committing will fail.

Nice! 🤓

I had issues running this; It failed to sign commits until I added the following:

GPG_TTY=$(tty)
export GPG_TTY

Awesome. Thanks.

Great guide thanks!
When I first tried to create a signed commit, it gave an error:

error: gpg failed to sign the data

I fixed it by killing the running agent killall gpg-agent and starting it again with gpg-agent --daemon

Thank you! This works with Windows & Powershell as well if you've installed GIT with all of the bundled Unix tools

Is there any way to sign committees without entering a passphrase but using Windows hello?