Automatic Git commit signing with GPG on OSX

.profile

# In order for gpg to find gpg-agent, gpg-agent must be running, and there must be an env
# variable pointing GPG to the gpg-agent socket. This little script, which must be sourced
# in your shell's init script (ie, .bash_profile, .zshrc, whatever), will either start
# gpg-agent or set up the GPG_AGENT_INFO variable if it's already running.

# Add the following to your shell init to set up gpg-agent automatically for every shell
if [ -f ~/.gnupg/.gpg-agent-info ] && [ -n "$(pgrep gpg-agent)" ]; then
    source ~/.gnupg/.gpg-agent-info
    export GPG_AGENT_INFO
else
    eval $(gpg-agent --daemon --write-env-file ~/.gnupg/.gpg-agent-info)
fi

gpg-agent.conf

# Enables GPG to find gpg-agent
use-standard-socket

# Connects gpg-agent to the OSX keychain via the brew-installed
# pinentry program from GPGtools. This is the OSX 'magic sauce',
# allowing the gpg key's passphrase to be stored in the login
# keychain, enabling automatic key signing.
pinentry-program /usr/local/bin/pinentry-mac

gpg.conf

# Uncomment within config (or add this line)
use-agent

# This silences the "you need a passphrase" message once the passphrase handling is all set.
# Use at your own discretion - may prevent the successful interactive use of some operations.
# It is working fine for my use cases though.
batch

setup-gpg

# A quick outline of what must be done to get everything working.

# 1) Install the dependencies.
brew install gnupg gpg-agent pinentry-mac

# 2) Configure git to automatically gpgsign commits. This consists of
#    pointing git to your signing key ID, and then enabling commit
#    automatic signing.
git config --global user.signingkey <YOUR-SIGNING-KEY-PUB-ID>
git config --global commit.gpgsign true

# 3) Configure the GPG components (see above for relevant examples):
#    ~/.gnupg/gpg.conf
#    ~/.gnupg/gpg-agent.conf

# 4) Start the daemon and configure your shell (see above for example in .profile).
#    ~/.bash_profile | ~/.zshrc

# Don't forget to upload your public key to Github!
# https://github.com/blog/2144-gpg-signature-verification
# Note: There needs to be a three-way match on your email for Github to show
# the commit as 'verified': The commit email, github email, & the email associated with the public key

# Learn about creating a GPG key and the knowledge behind these commands here:
# https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work

The high level "connection diagram" for each part:

git -> gpg -> shell/env variable -> gpg-agent -> pinentry -> keychain

Thanks for posting this! Two small suggestions/changes:

1. I use Boxen, so Homebrew is installed in a different location. For ~/.gnupg/gpg-agent.conf I was able to use pinentry-program $HOMEBREW_ROOT/bin/pinentry-mac making the config more portable.
2. I had to amend the gpg-agent command on startup: eval $(gpg-agent --daemon --options ~/.gnupg/gpg-agent.conf --write-env-file ~/.gnupg/.gpg-agent-info)

Why do you use gpg instead of gpg2 or gnupg21? It comes with gpg-agent, pinentry as deps.

EDIT: My bad, pinentry-mac is does not come with the pinentry package.

I came up with a slightly different recipe, using the latest version of gpg (2.1) and slightly less bash glue around the agent. https://gist.github.com/bcomnes/647477a3a143774069755d672cb395ca Thanks for the writeup! It was helpful :)

@bcomnes - no particular reason on the gnupg choice. Just what I was used to. Thanks for sharing your workflow! Really the goal here is to highlight the pieces folks might need, so they can adapt them to their relevant approach.

@bmhatfield I've used this and it keeps me asking for the passphrase on every commit.

@ruiafonsopereira - sorry to hear that. The goal of this was more to try to give you all the pieces you needed to make this work, since it took me a little while to find them - you may have to adapt to your local environment. I wrote comments in each file with the intent of highlighting areas where you might do that. Some ideas I had to help troubleshoot: the .profile might not be sourced, or perhaps you didn't check "save in keychain" in the pinentry program, or perhaps gpg is installed in a way that it's looking for a different path, etc. Good luck!

Thank you!

You can do all of this without any of this glue: https://gist.github.com/danieleggert/b029d44d4a54b328c0bac65d46ba4c65

Thanks @danieleggert , it works like charm! 😄

My way-
https://gist.github.com/ankurk91/c4f0e23d76ef868b139f3c28bde057fc

I countered this error on your config:
"Inappropriate ioctl for device"
Solution:
Write "export GPG_TTY=$(tty)" in ~/.profile and restart.

Thx

Thanks! This is fantastic.

This is fantastic, thank you!

Thanks guys.

I spent so many time to find solution for solve my problem.

Your solution is very fantastic.

THANK YOU !

I was wondering that given that the gpg installed by Homebrew on macOS has switched to gpg2 which has some potentially important differences from gpg1, any of the above configuration can be updated and/or simplified?

Worked like a charm!

If you use gpg 2.1 or above, then cannot use --write-env-file.

See here

I think we don't even need to start gpg-agent anymore - at least not together with pinentry-mac ... works flawlessly without in my setup with gpg v2 (includes gpg-agent) + pinentry-mac (installed via homebrew).

@swernerx perhaps you could elaborate?

@jakeNiemiec Echoing the comment from @swernerx:

I have pinentry-mac 0.9.4 and gnupg / gpg-agent 2.1.22 from Homebrew, and I don't need to start gpg-agent manually; pinentry-mac does it for me the first time I try to sign something. This means that I do not need use-standard-socket in .gpg-agent.conf or the .profile changes above. Also, use-agent doesn't do anything any more (GPG Configuration Options).

All I needed was:

• brew install gnupg gpg-agent pinentry-mac (same as above)
• pinentry-program /usr/local/bin/pinentry-mac in ~/.gnupg/gpg-agent.conf
• The git config commands above.

Amazing gist! ❤️

Quick tip for oh-my-zshell users:

Simply add gpg-agent to your plugins and skip the whole .profile part.

@ewanmellor thanks for the more concise directions.. I'll add that you only need brew install gnupg pinentry-mac - gnupg 2.x+ comes with gpg-agent and actually if you just install gpg-agent from homebrew it defaults to keg only (not linking in /usr/local). Hope that helps someone else!

For those who hit the error gpg: Sorry, no terminal at all requested - can't get input I've left a solution for you on Stack.

From https://gist.github.com/danieleggert/b029d44d4a54b328c0bac65d46ba4c65

If you want annotated tags to be GPG signed:

git config --global tag.forceSignAnnotated true

Thanks. But, how can use it with Fish shell?
Fish setup is located in .config/fish/config.fish but does not support .profile (bash) syntax.

brew install gnupg pinentry-mac

Thanks, is it necessery to do anything este after install of pinetry? Config git or set GPG sign? I still have errors with commiting:
error: gpg failed to sign the data
fatal: failed to write commit object

For anyone else running into issues (especially if you use fish), make sure that the env variable GNUPGHOME is set to your GPG config directory and that this environment variable is visible to Emacs. For instance, I use exec-path-from-shell to copy that variable so that Emacs knows about it.

If you are having issues after trying a bunch of different things, make sure to restart the gpg-agent daemon. It only reads new configurations on startup. Just run killall gpg-agent. No need to start it up manually. Once you try to sign something it will start-up the agent automatically.

If you are having issues after trying a bunch of different things, make sure to restart the gpg-agent daemon. It only reads new configurations on startup. Just run killall gpg-agent. No need to start it up manually. Once you try to sign something it will start-up the agent automatically.

👍 this solved it for me

For those who are debugging why gpg failed to sign the data:
echo "test" | gpg --clearsign

Thank you for the guidance. For the changes to take effect I had to also restart the gpg-agent by typing gpgconf --kill gpg-agent into the shell.

The gpg-agent formula is not needed anymore: https://stackoverflow.com/a/52456873/560382

@jakeNiemiec Echoing the comment from @swernerx:

I have pinentry-mac 0.9.4 and gnupg / gpg-agent 2.1.22 from Homebrew, and I don't need to start gpg-agent manually; pinentry-mac does it for me the first time I try to sign something. This means that I do not need use-standard-socket in .gpg-agent.conf or the .profile changes above. Also, use-agent doesn't do anything any more (GPG Configuration Options).

All I needed was:

* `brew install gnupg gpg-agent pinentry-mac` (same as above)

* `pinentry-program /usr/local/bin/pinentry-mac` in `~/.gnupg/gpg-agent.conf`

* The `git config` commands above.

Same gpg version, this plus restarting the gpg-agent solves my problem!

This is fantastic, thanks so much!

Great stuff! Worked a treat. I'm getting output that some of the flags included above are obsolote

gpg-agent[9074]: /Users/nick/.gnupg/gpg-agent.conf:6: obsolete option "use-standard-socket" - it has no effect
gpg-agent[9074]: WARNING: "--write-env-file" is an obsolete option - it has no effect
gpg-agent[9075]: gpg-agent (GnuPG) 2.2.21 started

gnupg now includes the gpg-agent so the new install command is

brew install gnupg pinentry-mac

• if install gpg-suite-pinentry
  ~/.gnupg/gpg-agent.conf

pinentry-program /usr/local/MacGPG2/libexec/pinentry-mac.app/Contents/MacOS/pinentry-mac

gpg-suite-pinentry is a tool in gpg-suite, replacing the original pinentry-mac.

• if install gpg-suite
~/.gnupg/gpg-agent.conf file does not need to be set manually

gpg-suite contains a complete gpg tool for easy key management.

Here is how I got git commit signing working on my M1 Apple Silicon laptop without having Rosetta installed:

1. brew install gnupg
2. Apply Homebrew/homebrew-core#68265 (e.g. using brew edit pinentry-mac)
3. brew install --build-from-source pinentry-mac
4. Edit ~/.gnupg/gpg-agent.conf,
   add pinentry-program /opt/homebrew/bin/pinentry-mac
5. export GPG_TTY=$(tty) to work around bug (keybase/keybase-issues#2798)

Now I could import my gpg which I already had, and then tell git to use commit signing...

killall gpg-agent

On Big Sur, I need to run this every time I log out and log in again (without restarting). It seems like gpg-agent hangs around and no longer works after logging in again, maybe related to this:

https://gpgtools.tenderapp.com/discussions/problems/1110-gpg-agent-isnt-quit-upon-logout

My patches for Homebrew have been merged 🎉

New instructions on how to get git commit singing working on M1 Apple Silicon computer without Rosetta:

1. brew install gnu-get pinentry-mac
2. echo "pinentry-program /opt/homebrew/bin/pinentry-mac" >> ~/.gnupg/gpg-agent.conf
3. export GPG_TTY=$(tty) to work around bug (keybase/keybase-issues#2798)

@LinusU nice! Do you also have the issue with gpg-agent being in a broken state when going through a log-out + log-in cycle (like I mentioned above)?

I never log out of my computer hehe so I wouldn't have noticed. Can't try at the moment but can try later and see if it works

Ok thanks! Yeah I almost never log out as well, which made debugging this very frustrating!