Resources:

- Set up a GUI `pinentry`.
- Import your master private key.

  ```
  $ gpg --import "master-key"
  gpg: key 0123456789ABCDEF: public key "You <your@own.email>" imported
  gpg: key 0123456789ABCDEF: secret key imported
  gpg: Total number processed: 1
  gpg:               imported: 1
  gpg:       secret keys read: 1
  gpg:   secret keys imported: 1
  ```

- Get the full fingerprint of your master key.

  ```
  $ gpg --list-keys 0123456789ABCDEF
  pub   rsa4096 2018-03-18 [C]
        0123456789ABCDEF0123456789ABCDEF01234567
  uid           [ unknown] You <your@own.email>
  sub   rsa4096 2018-03-18 [E]
  ```

- Generate your signing subkey.

  ```
  $ gpg --quick-add-key 0123456789ABCDEF0123456789ABCDEF01234567 ed25519 sign
  $ gpg --list-keys --with-subkey-fingerprint 0123456789ABCDEF
  pub   rsa4096 2018-03-18 [C]
        0123456789ABCDEF0123456789ABCDEF01234567
  uid           [ unknown] You <your@own.email>
  sub   ed25519 2022-03-26 [S]
        DEADBEEF00000000000000000000000000000000   <-- This is your signing key.
  ```

- Tell `git` to use your signing subkey.

  ```
  $ git config --global commit.gpgsign true
  $ git config --global user.signingkey DEADBEEF00000000000000000000000000000000
  ```

- Generate your SSH subkeys (`$MASTER_KEY` is the full master-key fingerprint from above).

  ```
  $ gpg --quick-add-key $MASTER_KEY rsa4096 auth
  $ gpg --quick-add-key $MASTER_KEY ed25519 auth
  $ gpg --list-keys --with-subkey-fingerprint --with-keygrip 0123456789ABCDEF
  ...
  sub   ed25519 2022-03-26 [A]
        DEADBEEF11111111111111111111111111111111   <-- This is your ed25519 SSH key.
        Keygrip = CAFE1111DDDD1111DDDD1111DD           <-- And this is its keygrip.
  sub   rsa4096 2022-03-26 [A]
        DEADBEEF22222222222222222222222222222222   <-- This is your rsa4096 SSH key.
        Keygrip = CAFE2222DDDD2222DDDD2222DD           <-- And this is its keygrip.
  ```

- Configure gnupg to act as an `ssh-agent`.

  ```
  $ echo "enable-ssh-support" >> ~/.gnupg/gpg-agent.conf
  $ gpg-connect-agent reloadagent /bye
  OK
  ```

  And find some way to add

  ```
  export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
  ```

  to your bashrc.

- Add your SSH subkeys to the list of keys in the emulated ssh-agent.

  ```
  $ echo CAFE1111DDDD1111DDDD1111DD >> ~/.gnupg/sshcontrol
  $ echo CAFE2222DDDD2222DDDD2222DD >> ~/.gnupg/sshcontrol
  ```

- Export your SSH subkeys.

  ```
  $ gpg --export-ssh-key "DEADBEEF11111111111111111111111111111111!" > ~/.ssh/id_ed25519.pub
  $ gpg --export-ssh-key "DEADBEEF22222222222222222222222222222222!" > ~/.ssh/id_rsa.pub
  ```

  Note the `!` at the end of the fingerprint. It tells gpg to use exactly that subkey instead of choosing one for you, which matters here because both authentication subkeys belong to the same master key.

- Purge the master private key.

  ```
  $ gpg --list-secret-keys --with-keygrip 0123456789ABCDEF
  pub   rsa4096 2018-03-18 [C]
        0123456789ABCDEF0123456789ABCDEF01234567
        Keygrip = BADBADBADBADBADBADBADBADBADBADBADBADBAD0
  uid           [ unknown] You <your@own.email>
  sub   rsa4096 2018-03-18 [E]
  ...
  $ gpg-connect-agent "DELETE_KEY BADBADBADBADBADBADBADBADBADBADBADBADBAD0" /bye
  OK
  ```

- Reupload the master public key.

  GitHub won't know about the new subkeys until you do this. It would also probably be a good idea to keep a running list of subkeys.
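The steps above read each subkey's fingerprint and keygrip off the human-readable listing by eye, then append the keygrips to `sshcontrol` with a bare `echo >>` (which adds duplicates if you run the step twice). The script below is an added example, not part of the original notes: it parses gpg's machine-readable `--with-colons` listing instead, picks out the signing subkey for `git config user.signingkey` and the authentication subkeys for `~/.gnupg/sshcontrol`, and only appends a keygrip that is not already present. The listing embedded in `SAMPLE_LISTING` is constructed stand-in data (no real keys), and the helper names `subkeys_with_cap`, `signing_key_fpr`, `auth_keygrips` and `add_to_sshcontrol` are this example's own; on a real system you would pipe `gpg --list-keys --with-colons --with-subkey-fingerprint --with-keygrip <keyid>` into them.

```shell
#!/bin/sh
# Added example: extract subkey fingerprints and keygrips from gpg's colon
# listing rather than reading them off the pretty-printed output by hand.
# All key material below is constructed sample data, not real keys.

# Constructed stand-in for the output of:
#   gpg --list-keys --with-colons --with-subkey-fingerprint --with-keygrip 0123456789ABCDEF
# Layout used: field 1 = record type; on "sub" records field 12 holds the
# capabilities (e=encrypt, s=sign, a=auth); the "fpr" and "grp" records that
# follow a "sub" carry its fingerprint and keygrip in field 10.
SAMPLE_LISTING='pub:u:4096:1:0123456789ABCDEF:1521331200:::u:::cESCA::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
grp:::::::::BADBADBADBADBADBADBADBADBADBADBADBADBAD0:
uid:u::::1521331200::0123456789ABCDEF0123456789ABCDEF01234567::You <your@own.email>::::::::::0:
sub:u:4096:1:1111111111111111:1521331200::::::e::::::23:
fpr:::::::::1111111111111111111111111111111111111111:
grp:::::::::2222222222222222222222222222222222222222:
sub:u:256:22:DEADBEEF00000000:1648252800::::::s::::::23:
fpr:::::::::DEADBEEF00000000000000000000000000000000:
grp:::::::::CAFE0000DDDD0000DDDD0000DDDD0000DDDD0000:
sub:u:256:22:DEADBEEF11111111:1648252800::::::a::::::23:
fpr:::::::::DEADBEEF11111111111111111111111111111111:
grp:::::::::CAFE1111DDDD1111DDDD1111DDDD1111DDDD1111:
sub:u:4096:1:DEADBEEF22222222:1648252800::::::a::::::23:
fpr:::::::::DEADBEEF22222222222222222222222222222222:
grp:::::::::CAFE2222DDDD2222DDDD2222DDDD2222DDDD2222:'

# subkeys_with_cap CAP   (colon listing on stdin)
# Prints "<fingerprint> <keygrip>" for every subkey whose capability field
# contains CAP. Only "sub" records are considered, so the master key's own
# fingerprint and keygrip are never returned, even though they are listed.
subkeys_with_cap() {
  awk -F: -v cap="$1" '
    $1 == "sub" { want = (index($12, cap) > 0); fpr = ""; next }
    $1 == "fpr" && want { fpr = $10; next }
    $1 == "grp" && want && fpr != "" { print fpr, $10; want = 0; next }
    $1 == "pub" || $1 == "uid" { want = 0 }
  '
}

# Fingerprint of the first [S] subkey: the value for `git config user.signingkey`.
signing_key_fpr() {
  subkeys_with_cap s | awk 'NR == 1 { print $1 }'
}

# Keygrips of every [A] subkey, one per line: the lines that belong in sshcontrol.
auth_keygrips() {
  subkeys_with_cap a | awk '{ print $2 }'
}

# add_to_sshcontrol KEYGRIP FILE
# Appends KEYGRIP to FILE only if it is not already there, so re-running the
# setup does not accumulate duplicate entries the way a bare `echo >>` would.
add_to_sshcontrol() {
  grep -qx "$1" "$2" 2>/dev/null || printf '%s\n' "$1" >> "$2"
}

# Usage against the constructed listing (swap in the real gpg command on a live system):
printf 'signing key: %s\n' "$(printf '%s\n' "$SAMPLE_LISTING" | signing_key_fpr)"
printf 'auth keygrips for sshcontrol:\n'
printf '%s\n' "$SAMPLE_LISTING" | auth_keygrips
```

Because `subkeys_with_cap` filters on the capability letter, the same function also finds the [E] subkey if you ever need it, and it skips the master key entirely, which is the key you are about to purge and must never end up in `sshcontrol`.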
Launch GNUPG Agent Automatically:

- Download the `org.gnupg.agent.plist` file, and save it to `$HOME/Library/LaunchAgents`. You may need to change the program path on line 9.
- Install the Launch Agent:

  ```
  $ launchctl bootstrap "gui/$(id -u)" ~/Library/LaunchAgents/org.gnupg.agent.plist
  $ launchctl enable "gui/$(id -u)/org.gnupg.agent"
  ```