@dotsara
Last active November 6, 2020 18:02
How I use multiple GPG keys to sign all my commits (personal and work) and increased the credential-timeout so I only need the passphrases after a reboot.

Signing commits with a specific GPG key

We started signing commits at work and as soon as I started generating the first key (GitHub guide), I realized I would be taking extra steps. I don't use my default GitHub email for work commits, I use my work email address. The instructions for setting up commit-signing describe how to make signing automatic, but I wouldn't want to sign my non-work commits with my work key… 

So.

Using @sabbour's Quick and easy way to setup signed GitHub commits on MacOS as a starting point, these are the modifications I made so that I could assign a specific GPG key just to my work repos on my machine[1].

  1. When generating a new GPG key, I generated two: one for my default GitHub email address and one for my work email address

    • I saved the passphrase for each key in my password manager
  2. I use zsh (made the switch w/ the update to macOS Catalina), not bash anymore, but the point about adding an export statement stands. So I added the following to my ~/.zshrc, quit & restarted Terminal, and it works as expected:

    export GPG_TTY=$(tty)
    
  3. I do, in fact, want to sign every work commit, however: what I don't want is to have to remember to add -S every time I type git commit (I type it a lot every day)[2]. Ugh, no thanks.

    1. I enabled signing on every commit with:

      git config --global commit.gpgsign true
      
    2. In each of my work repos, I told Git about my signing key with:

      git config --local user.signingkey KEYID
      
      • The IDs for keys can be found with:

        gpg --list-secret-keys --keyid-format LONG
        

        The bit you want, and what I used as KEYID in the command above, is the part after 4096R/

And that's it! It just… it just worked! 🎉

I did have to enter the key's passphrase on the first commit, but after that it was smooth sailing. (See below for how I made the credential-timeout longer than the default of 10 minutes.)

Footnotes

  1. Yes, my personal machine is also my work machine. 🤷🏽‍♀️ Normally this is not the way, but! I had the machine first and for Reasons™ I didn't mind adding work to it.
  2. I have very few aliases for Terminal. I used to have tons, but 4-5 years ago I decided I'd prefer to type out the commands I use heavily so that when I switch machines or I'm pairing, I won't be stymied by missing shortcuts.

Increase GPG credentials timeout

With my multiple GPG keys and commit-signing all set up, the next thing I needed to tackle was increasing the timeout window. 10 minutes (600 seconds) is not at all useful for me on an everyday, at-work basis.

Our team lead, Ben (@benwilson512) found [a question about the credentials cache](https://superuser.com/questions/624343/keep-gnupg-credentials-cached-for-entire-user-session) on superuser and once again, I used it as a starting point.

  1. The configuration file referenced doesn't exist by default--or anyway, it didn't for me after installing GnuPG (brew install gpg). So, I created it, then opened it to edit:

    # if you're using VS Code, you can create & open in one step
    code ~/.gnupg/gpg-agent.conf
    
    # if you prefer separate steps
    touch ~/.gnupg/gpg-agent.conf
    [editor command of choice] ~/.gnupg/gpg-agent.conf
    
  2. I used the 400 days value just so I don't have to think about it between reboots:

    default-cache-ttl 34560000
    max-cache-ttl 34560000
    
  3. Save the file, restart your shell (Terminal, iTerm, etc.)
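As an added example (not code from the gist), here is a POSIX shell script that ties both procedures above together: it resolves the signing key from an email address using gpg's machine-readable listing instead of copying the ID by hand, applies the same git settings per repo, checks that HEAD was really signed with that key, and rewrites the cache TTLs while telling the running agent to re-read its config. The key IDs, fingerprints and addresses in the embedded sample listing are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the gist: resolve the signing key from the
# e-mail address instead of pasting its ID, apply the same git settings,
# check HEAD's signature, and set the agent cache TTL. The key IDs,
# fingerprints and addresses in the sample listing are made up.

# Constructed `gpg --list-secret-keys --with-colons` output, the machine-
# readable form of the listing in the gist. Field 5 of a "sec" record is the
# long key ID; field 10 of the "uid" record that follows is the user ID.
SAMPLE_LISTING='sec:u:4096:1:0123456789ABCDEF:1604000000:::u:::scESC:::+:::23::0:
fpr:::::::::AAAA1111BBBB2222CCCC33330123456789ABCDEF:
uid:u::::1604000000::1F2E3D4C5B6A7988::Sara <sara@example.com>::::::::::0:
sec:u:4096:1:FEDCBA9876543210:1604000001:::u:::scESC:::+:::23::0:
fpr:::::::::DDDD4444EEEE5555FFFF6666FEDCBA9876543210:
uid:u::::1604000001::8899A7B6C5D4E3F2::Sara <sara@work.example>::::::::::0:'

# Print the long key ID whose uid carries <email>; $2 overrides the listing.
signing_key_for_email() {
  listing="${2:-$(gpg --list-secret-keys --with-colons 2>/dev/null)}"
  printf '%s\n' "$listing" | awk -F: -v email="$1" '
    $1 == "sec" { keyid = $5 }
    $1 == "uid" && index($10, "<" email ">") > 0 { print keyid; exit }'
}

# The settings the gist applies by hand, scoped to the current repo.
configure_repo_signing() {
  keyid=$(signing_key_for_email "$1")
  [ -n "$keyid" ] || { echo "no secret key for <$1>" >&2; return 1; }
  git config --local user.email "$1"
  git config --local user.signingkey "$keyid"
  git config --global commit.gpgsign true
}

# True when HEAD has a good signature (%G? = G) made with the configured
# key (%GK); if you sign with a subkey, compare against the subkey ID.
verify_head_signature() {
  [ "$(git log -1 --format='%G? %GK')" = "G $(git config --local user.signingkey)" ]
}

# Rewrite both TTLs (seconds) in gpg-agent.conf, keeping other lines, then
# ask a running agent to re-read it (restarting the shell does not; with no
# agent running, the next agent start reads the file anyway).
set_agent_cache_ttl() {
  dir="${GNUPGHOME:-$HOME/.gnupg}"; conf="$dir/gpg-agent.conf"
  mkdir -p "$dir" && chmod 700 "$dir"
  { grep -v -e '^default-cache-ttl' -e '^max-cache-ttl' "$conf" 2>/dev/null || true
    printf 'default-cache-ttl %s\nmax-cache-ttl %s\n' "$1" "$1"; } > "$conf.new"
  mv "$conf.new" "$conf"
  command -v gpgconf >/dev/null 2>&1 && gpgconf --reload gpg-agent 2>/dev/null || true
}
```

Run `configure_repo_signing you@work.example` inside a work checkout, then `verify_head_signature` after the next commit to confirm the right key was used.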

Now, I only have to enter the passphrase the first time I make a commit after a reboot. It sticks through Terminal sessions and across multiple tabs (repos). Woo!

Also, again, I have the passphrases in my password manager so that accessing them after a reboot is super quick.
