@simongle
Last active September 18, 2023 13:38
A guide for PGP and Git

Setting up PGP with Git

PGP

If you are reading this, you have taken the first step towards encryption self-righteousness. The steps below are my preferred way to configure it after years of suffering through more archaic and byzantine alternatives.

Note: if you already have a PGP key, skip to step 4. Second note: I know UNIX best, so I'm not going to embarrass myself by attempting to write a Windows guide. The good people over at EFF have your back: How to: Use PGP for Windows | Surveillance Self-Defense

[A point of clarification: PGP stands for Pretty Good Privacy and is the original program and underlying protocol; GPG stands for GNU Privacy Guard and is an open-source program that implements the same (OpenPGP) standard. The two acronyms are often used interchangeably.]

  1. Download your GPG client (this guide uses GPG Suite, which includes GPG Keychain)
  2. Create a public/private key pair
    • Open GPG Keychain
    • Click "New Key" and enter your email address [I associate all of my known addresses; they can be added later on if needed]
    • I'd strongly recommend setting a passphrase. [This means that if anyone gets your private key, they can't decrypt or sign anything with it without the passphrase.]
    • Store the passphrase in a password manager.
    • Set the key length to the longest available (4096 bits)
    • Set an expiration date
  3. Send your public key to a keyserver [so that your teammates/friends/confidants can retrieve it]
    • Within GPG Keychain, highlight your key pair in the list and go to Key > Send Public Key to Key Server
  4. Upload your public key to your GitHub account: Add GPG Key · GitHub
  5. Set up GPG signing by default for commits: How to set up git to use the GPG Suite · GitHub
    • ^ This is a great guide, and the one I followed initially. The pinentry-program setting is what lets your passphrase be saved so you don't have to re-enter it on every commit. This is optional.
    • A bit more about signing commits: Signing commits with GPG - User Documentation
    • [note: I have git aliases set up in bash, so that $ gc in git is $ git commit -S and everything is signed by default.]
  6. Verify that commits have been signed in a repo
    • This can be done in the GitHub interface or via the command line with: $ git log --show-signature
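The same procedure (steps 2, 5 and 6) done entirely on the command line, as an added example that is not part of the gist and not taken from GPG Suite's documentation. It runs in a throwaway GNUPGHOME and a temporary repository, so it never touches your real keyring or git config. The name, e-mail address and expiry are constructed for the demo; the demo key is unprotected and ed25519 only so that it generates instantly (a comment shows the RSA 4096 parameters the guide recommends for a real key). It assumes gpg 2.1 or later and git on PATH.

```shell
#!/bin/sh
# Added example (not from the gist): PGP + git signing setup on the CLI,
# isolated in temporary directories. Assumes gpg >= 2.1 and git.
set -eu

# Point gpg at a fresh, private keyring so the real one is untouched.
new_keyring() {
    GNUPGHOME="$(mktemp -d)"
    export GNUPGHOME
    chmod 700 "$GNUPGHOME"
}

# Step 2: create a key pair unattended and print its long key id.
# A real key should carry a passphrase (drop %no-protection and add
# "Passphrase: ..." or run interactively); for the guide's RSA 4096 use
# "Key-Type: RSA" / "Key-Length: 4096" instead of the ed25519 lines.
make_demo_key() {
    gpg --batch --quiet --gen-key <<'EOF'
%no-protection
Key-Type: eddsa
Key-Curve: ed25519
Key-Usage: sign
Name-Real: Demo Signer
Name-Email: demo@example.com
Expire-Date: 1y
%commit
EOF
    # Colon-separated listing: field 5 of the "sec" record is the key id.
    gpg --batch --list-secret-keys --with-colons demo@example.com \
        | awk -F: '$1 == "sec" { print $5; exit }'
}

# Steps 5 and 6: make a repo that signs by default, commit, and verify.
# Repo-local config is used here; "git config --global" would make the
# same settings the default for every repository, as the guide does.
sign_and_verify_demo() {
    new_keyring
    keyid="$(make_demo_key)"
    repo="$(mktemp -d)"
    cd "$repo"
    git init -q
    git config user.name "Demo Signer"
    git config user.email "demo@example.com"
    git config user.signingkey "$keyid"
    git config commit.gpgsign true      # equivalent of always passing -S
    echo "hello" > README
    git add README
    git commit -q -m "signed commit"    # signed automatically via commit.gpgsign
    # Human-readable check, sent to stderr so it does not pollute the result.
    git --no-pager log -1 --show-signature >&2
    # Machine check: verify-commit exits non-zero on a missing or bad signature.
    if git verify-commit HEAD 2>/dev/null; then
        echo "verified"
    else
        echo "unverified"
    fi
}

# Run the whole demo only when explicitly asked: PGP_DEMO_RUN=1 sh this_file.sh
if [ "${PGP_DEMO_RUN:-0}" = "1" ]; then
    sign_and_verify_demo
fi
```

The function prints `verified` only when `git verify-commit` accepts the signature with a key in the current keyring, which is exactly what `git log --show-signature` reports as "Good signature"; on a machine that has never imported the signer's public key the same commit shows as unverifiable, so a reviewer needs the public key (from the keyserver in step 3 or from GitHub in step 4) before the check means anything.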