@jplew
Last active April 3, 2023 01:14
How to Setup SSH and GPG keys with Gitlab

Set up Keybase.io, GPG & Git to sign commits on Gitlab

This is a step-by-step guide to creating a GPG key on keybase.io, adding it to a local GPG setup and using it with Git and Gitlab.

This guide is a fork of: https://github.com/pstadler/keybase-gpg-github

Requirements

  1. Install Homebrew: https://brew.sh

  2. Install GPG CLI:

$ brew install gpg

  3. Install Keybase:

$ brew install --cask keybase

  4. You should now have both the keybase CLI and the Keybase desktop app (/Applications/Keybase). Open the Keybase app, create an account and sign in.

Add your public SSH key to Gitlab:

  1. Visit https://git.cto.ai/profile/keys

  2. Generate new SSH keys:

$ ssh-keygen -o -t rsa -b 4096 -C "yourname@cto.ai"

  3. Copy your public SSH key to your clipboard:

$ cat ~/.ssh/id_rsa.pub | pbcopy

  4. Paste and save.

  5. Test that this worked by cloning a repo:

$ git clone ssh://git@git.cto.ai:2224/myproject/myrepo.git

This should succeed if you are a member of the repo.

Reference: https://docs.gitlab.com/ee/ssh/

Create a new GPG key using the Keybase CLI

  1. Generate a new PGP key and write it to your local secret keychain:
$ keybase pgp gen --multi

# Enter your real name, which will be publicly visible in your new key: Patrick Stadler
# Enter a public email address for your key: patrick.stadler@gmail.com
# Enter another email address (or <enter> when done):
# Push an encrypted copy of your new secret key to the Keybase.io server? [Y/n] Y
# ▶ INFO PGP User ID: Patrick Stadler <patrick.stadler@gmail.com> [primary]
# ▶ INFO Generating primary key (4096 bits)
# ▶ INFO Generating encryption subkey (4096 bits)
# ▶ INFO Generated new PGP key:
# ▶ INFO   user: Patrick Stadler <patrick.stadler@gmail.com>
# ▶ INFO   4096-bit RSA key, ID CB86A866E870EE00, created 2016-04-06
# ▶ INFO Exported new key to the local GPG keychain

You will be prompted to set a passphrase. Create a strong, 31-character password using your Keychain Access app (see reference image above).

Enter it twice to confirm. Since you will likely need it again, store this password somewhere secure, such as a Secure Note in Keychain Access or a password manager like LastPass.

Set up Git to sign all commits

  1. Obtain your signing key via the GPG CLI:
$ gpg --list-secret-keys --keyid-format LONG

/Users/jplew/.gnupg/pubring.kbx
-------------------------------
sec   rsa4096/C8AB98F11Y123456 2018-06-02 [SC] [expires: 2034-05-29]
      B21DBAB6AA037F5641504A8CC2DB56E29C562080
uid                 [ unknown] JP Lew <jp@cto.ai>
ssb   rsa4096/ZZ1Z1234556FAPPO 2018-06-02 [E] [expires: 2034-05-29]

Your signing key is the 16-character string on the sec line, following rsa4096/.

  2. Add your signing key and user info to your global Git config file. To do this, you can either:
  • Open ~/.gitconfig in your text editor of choice

  • Open it in your default $EDITOR: git config --global --edit

  • Use the Git CLI:

    $ git config --global user.name "JP Lew"
    $ git config --global user.email jp@cto.ai
    $ git config --global user.signingkey C8AB98F11Y123456
    $ git config --global commit.gpgsign true
    

The final product should look like this:

[user]
	name = JP Lew
	email = jp@cto.ai
	signingkey = C8AB98F11Y123456
	username = jplew
[commit]
	gpgsign = true
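As an added check that is not part of the gist, the POSIX shell functions below parse a `gpg --list-secret-keys --keyid-format LONG` listing and the output of `git config --global --list` to confirm that `user.signingkey` names a primary secret key (the `sec` line, not the `ssb` subkey), that `commit.gpgsign` is on, and that `user.email` is one of the key's UIDs, which GitLab requires before it marks a commit as Verified. The key ID, fingerprint and user ID in the samples are constructed placeholders, not real keys.

```shell
# Constructed sample in the format of `gpg --list-secret-keys --keyid-format LONG`
# (hypothetical key ID, fingerprint and user ID; not a real key).
SAMPLE_LISTING='/Users/example/.gnupg/pubring.kbx
-------------------------------
sec   rsa4096/0123456789ABCDEF 2018-06-02 [SC] [expires: 2034-05-29]
      ABCDEF0123456789ABCDEF0123456789ABCDEF01
uid                 [ unknown] Example User <user@example.com>
ssb   rsa4096/FEDCBA9876543210 2018-06-02 [E] [expires: 2034-05-29]'

# Constructed sample in the format of `git config --global --list`.
SAMPLE_GITCONFIG='user.name=Example User
user.email=user@example.com
user.signingkey=0123456789ABCDEF
commit.gpgsign=true'

# Long IDs of the primary (sec) keys: the text after "rsa4096/" on each sec line.
sec_keyids() {
  printf '%s\n' "$1" | awk '$1 == "sec" { split($2, a, "/"); print a[2] }'
}

# Email addresses carried by the key's user IDs, one per line.
uid_emails() {
  printf '%s\n' "$1" | awk '$1 == "uid" && match($0, /<[^>]+>/) {
    print substr($0, RSTART + 1, RLENGTH - 2) }'
}

# Value of one key (e.g. user.signingkey) from `git config --list` output.
git_cfg() {
  printf '%s\n' "$1" | awk -F= -v k="$2" '$1 == k { print substr($0, length(k) + 2); exit }'
}

# Returns 0 when user.signingkey is one of the sec keys, commit.gpgsign is true
# and user.email appears in a UID of the key; prints each mismatch otherwise.
# Live check:  check_signing_setup "$(gpg --list-secret-keys --keyid-format LONG)" \
#                                  "$(git config --global --list)"
check_signing_setup() {
  listing=$1; cfg=$2; ok=0
  want=$(git_cfg "$cfg" user.signingkey)
  [ -n "$want" ] && sec_keyids "$listing" | grep -qxF "$want" \
    || { echo "user.signingkey '$want' is not a primary secret key in the keyring"; ok=1; }
  [ "$(git_cfg "$cfg" commit.gpgsign)" = "true" ] \
    || { echo "commit.gpgsign is not true; commits will not be signed"; ok=1; }
  email=$(git_cfg "$cfg" user.email)
  [ -n "$email" ] && uid_emails "$listing" | grep -qxF "$email" \
    || { echo "user.email '$email' is not a UID on the key; GitLab will not show Verified"; ok=1; }
  return $ok
}
```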

Add your public GPG key to Gitlab

  1. Visit https://git.cto.ai/profile/gpg_keys

  2. Copy your public key to your clipboard by running:

$ keybase pgp export -q C8AB98F11Y123456 | pbcopy

Make sure you use your actual signing key.

  3. Paste your key and save.

  4. Test that this worked by signing a git commit and submitting a merge request.

$ cd myrepo
$ git checkout -b jplew-testbranch
$ touch newfile.txt
$ git add .
$ git commit -m "make a GPG signed commit"
$ git push -u origin jplew-testbranch

  5. If you are allowed to create a merge request, it worked.

Reference: https://docs.gitlab.com/ee/user/project/repository/gpg_signed_commits

Optional: Manage your GPG keys using GPG Suite

Install the GPG Suite, available from gpgtools.org, or from brew by running:

$ brew install --cask gpg-suite

Once installed, open Spotlight and search for "GPGPreferences", or open System Preferences and select "GPGPreferences".

Select the Default Key if it is not already selected, and ensure "Store in OS X Keychain" is checked (see reference image above).

The gpg-agent.conf is different from Method 1:

Set up the agent:

$ $EDITOR ~/.gnupg/gpg-agent.conf
# GPG Suite should pre-populate with something similar to the following:
default-cache-ttl 600
max-cache-ttl 7200

woss commented Aug 27, 2021

I don't recommend using Keybase anymore. Why not just use plain old PGP generation?

Did you know about this? https://keys.pub/
