Skip to content

Instantly share code, notes, and snippets.

@epcim

epcim/keybase-github.md

Created March 31, 2017 12:06
Show Gist options
  • Star 1 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save epcim/9f231c355c49bb4fa76f67309e827abe to your computer and use it in GitHub Desktop.
Save epcim/9f231c355c49bb4fa76f67309e827abe to your computer and use it in GitHub Desktop.
Download ZIP
keybase github git gpg pgp
Raw
keybase-github.md

Source: https://github.com/pstadler/keybase-gpg-github/blob/master/README.md

Set up Keybase.io, GPG & Git to sign commits on GitHub

This is a step-by-step guide on how to create a GPG key on keybase.io, adding it to a local GPG setup and use it with Git and GitHub.

Although this guide was written for macOS, most commands should work in other operating systems as well.

Discussion on Hacker News.

Note: If you don't want to use Keybase.io, follow this guide instead. For manually transferring keys to different hosts, check out this answer on Stack Overflow.

Requirements

$ brew install gpg keybase

You should already have an account with Keybase and be signed in locally using $ keybase login. In case you need to set up a new device first, follow the instructions provided by the keybase command during login.

Make sure your local version of Git is at least 2.0 ($ git --version) to automatically sign all your commits. If that's not the case, use Homebrew to install the latest Git version: $ brew install git.

Create a new GPG key on keybase.io

$ keybase pgp gen --multi
# Enter your real name, which will be publicly visible in your new key: Patrick Stadler
# Enter a public email address for your key: patrick.stadler@gmail.com
# Enter another email address (or <enter> when done):
# Push an encrypted copy of your new secret key to the Keybase.io server? [Y/n] Y
# ▶ INFO PGP User ID: Patrick Stadler <patrick.stadler@gmail.com> [primary]
# ▶ INFO Generating primary key (4096 bits)
# ▶ INFO Generating encryption subkey (4096 bits)
# ▶ INFO Generated new PGP key:
# ▶ INFO   user: Patrick Stadler <patrick.stadler@gmail.com>
# ▶ INFO   4096-bit RSA key, ID CB86A866E870EE00, created 2016-04-06
# ▶ INFO Exported new key to the local GPG keychain

Set up Git to sign all commits

$ gpg --list-secret-keys
# /Users/pstadler/.gnupg/secring.gpg
# ----------------------------------
# sec   4096R/E870EE00 2016-04-06 [expires: 2032-04-02]
# uid                  Patrick Stadler <patrick.stadler@gmail.com>
# ssb   4096R/F9E3E72E 2016-04-06

$ git config --global user.signingkey E870EE00
$ git config --global commit.gpgsign true

Add public GPG key to GitHub

$ open https://github.com/settings/keys
# Click "New GPG key"

$ keybase pgp export -q CB86A866E870EE00 | pbcopy # copy public key to clipboard
# Paste key, save

Import key to GPG on another host

$ keybase pgp export
# ▶ WARNING Found several matches:
# user: Patrick Stadler <patrick.stadler@gmail.com>
# 4096-bit RSA key, ID CB86A866E870EE00, created 2016-04-06

# user: keybase.io/ps <ps@keybase.io>
# 4096-bit RSA key, ID 31DBBB1F6949DA68, created 2014-03-26

$ keybase pgp export -q CB86A866E870EE00 | gpg --import
$ keybase pgp export -q CB86A866E870EE00 --secret | gpg --allow-secret-key-import --import

Optional: Set as default GPG key

$ $EDITOR ~/.gnupg/gpg.conf
# Add line:
default-key E870EE00

Optional: Fix for Git UIs

If you use a UI such as Git Tower or Github Desktop, you may need to configure git to point to the specific gpg executable:

git config --global gpg.program $(which gpg)

Optional: Disable TTY

If you have problems with making autosigned commits from IDE or other software add no-tty config

$ $EDITOR ~/.gnupg/gpg.conf
# Add line:
no-tty

Optional: Setting up TTY

Depending on your personal setup, you might need to define the tty for gpg whenever your passphrase is prompted. Otherwise, you might encounter an Inappropriate ioctl for device error.

$ $EDITOR ~/.profile # or other file that is sourced every time
# Paste these lines
GPG_TTY=$(tty)
export GPG_TTY

Optional: In case you're prompted to enter the password every time

Some people found that this works out of the box w/o following these steps.

Install the needed software:

$ brew install gpg-agent pinentry-mac

Enable agent use:

$ $EDITOR ~/.gnupg/gpg.conf
# Add or uncomment line:
use-agent

Set up the agent:

$ $EDITOR ~/.gnupg/gpg-agent.conf
# Paste these lines:
use-standard-socket
pinentry-program /usr/local/bin/pinentry-mac

Link pinentry and agent together:

$ $EDITOR ~/.profile # or other file that is sourced every time
# Paste these lines:
if test -f ~/.gnupg/.gpg-agent-info -a -n "$(pgrep gpg-agent)"; then
  source ~/.gnupg/.gpg-agent-info
  export GPG_AGENT_INFO
  GPG_TTY=$(tty)
  export GPG_TTY
else
  eval $(gpg-agent --daemon --write-env-file ~/.gnupg/.gpg-agent-info)
fi

Now git commit -S, it will ask your password and you can save it to macOS keychain.

@tendi09
Copy link

tendi09 commented Sep 10, 2019

Keybase proof

I hereby claim:

  • I am tendil09 on github.
  • I am tendi09 (https://keybase.io/tendi09) on keybase.
  • I have a public key ASDosdFG8g_Ag5WMHnxnedMnCHhjFlIRaNM2DrBmv-OlUQo

To claim this, I am signing this object:

{
  "body": {
    "key": {
      "eldest_kid": "0120e8b1d146f20fc083958c1e7c6779d32708786316521168d3360eb066bfe3a5510a",
      "host": "keybase.io",
      "kid": "0120e8b1d146f20fc083958c1e7c6779d32708786316521168d3360eb066bfe3a5510a",
      "uid": "c769dfca3b0bd17c8acbe8729a125219",
      "username": "tendi09"
    },
    "merkle_root": {
      "ctime": 1568111835,
      "hash": "0c4f9ebbc4f2749b4eec94ae734975f703eb2dfb5f7fb15f6d8dd3d94850fc115508e3740216fe2612f168cbb2eb8cef9bd5289eab0bd0a5c791360fc3ab68c7",
      "hash_meta": "9979b8473cbbdc70e11f73c98fdb728ade5c44cc9bdcae914f26c1be9d85da02",
      "seqno": 6376522
    },
    "service": {
      "entropy": "D7/Cnx1k9OE+88HA3s0tYcXy",
      "name": "github",
      "username": "tendil09"
    },
    "type": "web_service_binding",
    "version": 2
  },
  "client": {
    "name": "keybase.io go client",
    "version": "4.4.0"
  },
  "ctime": 1568111842,
  "expire_in": 504576000,
  "prev": "7a92ea090d2fe9f6130584e3b27d035905eb651b8257230e662f3d770e9d0b51",
  "seqno": 13,
  "tag": "signature"
}

with the key ASDosdFG8g_Ag5WMHnxnedMnCHhjFlIRaNM2DrBmv-OlUQo, yielding the signature:

hKRib2R5hqhkZXRhY2hlZMOpaGFzaF90eXBlCqNrZXnEIwEg6LHRRvIPwIOVjB58Z3nTJwh4YxZSEWjTNg6wZr/jpVEKp3BheWxvYWTESpcCDcQgepLqCQ0v6fYTBYTjsn0DWQXrZRuCVyMOZi89dw6dC1HEIBdQVVKZWGyuisn6VXHn0ZPqBHTE4Y/TkgRHVFekK01CAgHCo3NpZ8RAIvciv9lBJe6vnDbULufdw6oPrW4P8IIpdGRDeI7Mc3DRavSsYuDqz29tJrUEqq0ArAbRdCcGzNC8AHVNgo9oDahzaWdfdHlwZSCkaGFzaIKkdHlwZQildmFsdWXEICDtf+3XgCPgCJBNrNOon4T+7MTMV1h5DL0nobw9lKXSo3RhZ80CAqd2ZXJzaW9uAQ==

And finally, I am proving ownership of the github account by posting this as a gist.

My publicly-auditable identity:

https://keybase.io/tendi09

From the command line:

Consider the keybase command line program.

# look me up
keybase id tendi09

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment