Signing your Git Commits on MacOS

1-setup.md

Methods of Signing Git Commits on MacOS

Last updated March 13, 2024

This Gist explains how to sign commits using gpg in a step-by-step fashion. Previously, krypt.co was heavily mentioned, but I've only recently learned they were acquired by Akamai and no longer update their previous free products. Those mentions have been removed.

Additionally, 1Password now supports signing Git commits with SSH keys and makes it pretty easy-plus you can easily configure Git Tower to use it for both signing and ssh.

For using a GUI-based GIT tool such as Tower or Github Desktop, follow the steps here for signing your commits with GPG.

There has been a number of comments on this gist regarding some issues around the pinentry-program and M1 Macs. I've finally gotten a chance to try things out on an M1 and I've updated the documentation in 2-using-gpg.md to reflect my findings.

2-using-gpg.md

Using GPG

Step 1: Install software

We use the Homebrew package manager for this step.

brew install gpg2 gnupg pinentry-mac       

Step 2: Create the .gnupg Directory

If this directory does not exist, create it. EDIT: June 2022 - Fixes single quotes to allow expansion of the subshell

# Make the directory
mkdir ~/.gnupg

# Tells GPG which pinentry program to use
echo "pinentry-program $(brew --prefix)/bin/pinentry-mac" > ~/.gnupg/gpg-agent.conf

Step 3: Update or Create ~/.gnupg/gpg.conf

If this file does not exist, create it.

# This tells gpg to use the gpg-agent
echo 'use-agent' > ~/.gnupg/gpg.conf

Step 4: Modify your Shell

Append the following to your ~/.bash_profile or ~/.bashrc or ~/.zshrc

...
export GPG_TTY=$(tty)

Step 5: Restart your Terminal or source your ~/.*rc file

# on the built-in bash on macos use
source ~/.bash_profile
# if using bash through homebrew over ssh use
source ~/.bashrc
# and if using zsh
source ~/.zshrc

Step 6: Update the Permissions on your ~/.gnupg Directory

You will need to modify the permissions to 700 to secure this directory.

chmod 700 ~/.gnupg

Step 7: Kill the GPG Agent

To ensure that you don't run into issues, run the below command to ensure a freshly configured gpg-agent is launched.

killall gpg-agent

Step 8: Create your GPG Key

Run the following command to generate your key, note we have to use the --expert flag so as to generate a 4096-bit key. If you receive a timeout at this step-please go back and verify that you did run the command in Step 7. Otherwise, go back and double check that you followed the preceding steps.

gpg --full-gen-key

Step 9: Answer the Questions

Once you have entered your options, pinentry will prompt you for a password for the new PGP key. There are a number of arguments on the topic of expiration dates with GPG Keys, for brevity and the sake of keeping this explanation simple we're not using Subkeys in this example and showing a non-expiring example. If you want to follow best practices, you will want to look into generating a Primary key and then Subkeys and the secure handling involved with that.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 4
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

Real name: John Smith
Email address: john.smith@fictionaladdress.com
Comment:
You selected this USER-ID:
    "John Smith <john.smith@fictionaladdress.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.

Step 10: Get your key info for Git, etc.

# List your keys
gpg -k

Step 11: Get your key id

Use the next command to generate a short form of the key fingerprint.

Copy the text after the rsa4096/ and before the date generated and use the copied id in step 13:

gpg -K --keyid-format SHORT
sec rsa4096/######## YYYY-MM-DD [SC] [expires: YYYY-MM-DD]

*You need to copy the output from your terminal similar to the example above where the ######## is following the slash. *

Step 12: Export the fingerprint

After running gpg -k step 10 above, looking inside the output, below the row that says 'pub', you will find a fingerprint-this is what you use in the placeholder. The output from below is what you copy to Github. Documentation on how to do that is here

# The export command below gives you the key you add to GitHub
gpg --armor --export <your key id>

Step 13: Configure Git to use gpg

git config --global gpg.program $(which gpg)

Step 14: Configure Git to use your signing key

The below command needs the fingerprint from step 10 above:

git config --global user.signingkey 1111111

Step 15: Configure Git to sign all commits (Optional-you can configure this per repository too)

This tells Git to sign all commits using the key you specified in step 13.

git config --global commit.gpgsign true

Step 16: Perform a Commit

This performs an empty commit-but lets us test signing it with GPG-thanks @rickschubert for the suggestion!

git commit -S -s -m "My Signed Commit" --allow-empty

Step 17: Pinentry Prompt

You will now be prompted by Pinentry for the password for your signing key. You can enter it into the Dialog box-with the option of saving the password to the macOS X Keychain.

Step 18: Submit your PGP key to Github to verify your Commits

Login into Github.com and go to your settings, SSH and GPG Keys, and add your GPG key from the page.

Step 19: Submitting Your Key to a Public Keyserver (very optional)

Before you jump on submitting your key to a service such as the MIT PGP Key Server, you should consider the following:

• You cannot delete your key once submitted
• Spammers have been known to harvest email addresses from these servers
• If you're only signing your Git commits to Github this isn't necessary

Import existing keys from another system (Optional)

If you already have set up GPG keys on a previous Mac, or elsewhere, you can re-use them by exporting them from that host by following the steps below (Special thanks to @megahirt for the suggestion). Please note: keep in mind the method that you use to transfer your GPG keys! Because of the sensitive nature of GPG keys, you will want to ensure that you use a highly secured means of transferring them. I won't suggest a specific method as it is outside of the scope of this Gist-but be paranoid is what I can say.

Step 8a: Export the GPG Key Materials

On the host you want to move/duplicate the keys from, run the following and then copy the resulting files to your "new" host. Substitute your key's keyid for the ${ID} in the example. You will be prompted to enter the passphrase you set during the generation of the key to export the private key.

gpg --export ${ID} > my_key_public.key
gpg --export-secret-key ${ID} > my_key_private.key

Step 9a: Import the GPG Key Materials

On the host you want to import the keys, move them to an accessible location and then run the following commands from that folder. When you go to import the private key, you will be prompted for the password you specified when you generated/exported it.

gpg --import my_key_public.key
gpg --import my_key_private.key

Troubleshooting

Error No pinentry

This is caused by an incorrectly configured pinentry program. Review Step 2 and complete the second part again.

Error No such file or directory

This is caused by a missing configuration to specify the pinentry program. If you were following an earlier version of this gist that said you did not need to specify a pinentry program, you will need to re-do the second part of Step 2.

Other Errors

If you have any errors when generating a key regarding gpg-agent, try the following command to see what error it generates:

gpg-agent --daemon

3-GUI-git-signing.md

Git Signing with a GUI Application (e.g. Git Tower or GitHub Desktop)

Manually Installed GPG

Step 1: Modify ~/.gnupg/gpg-agent.conf

use-standard-socket
# Below option is deprecated
pinentry-program $(brew --prefix)/bin/pinentry-mac
enable-ssh-support

Step 2: Modify ~/.gnupg/gpg.conf

use-agent
no-tty

Step 3: Restart GPG Agent

gpgconf --reload gpg-agent

Step 4: Copy startup-gpg-agent.sh to ~/bin/

Copy the .sh file in this gist to ~/bin/.

Step 5: Copy org.gnupg.gpg-agent.plist file to ~/Library/LaunchAgents/

Copy the the plist file in this Gist to ~/Library/LaunchAgents/.

4-helpful-urls.md

https://help.github.com/enterprise/2.11/user/articles/signing-commits-using-gpg/
http://irtfweb.ifa.hawaii.edu/~lockhart/gpg/
https://help.github.com/articles/associating-an-email-with-your-gpg-key/

5-automatically-sign-commits.md

Automatically Sign Your Commits

To automatically sign all of your commits (which may be overkill), you can simply update your ~/.gitconfig file by running the below command:

git config --global commit.gpgsign true

Otherwise, run the below command per repository by navigating to the directory of the repo:

git config commit.gpgsign true

org.gnupg.gpg-agent.plist

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"  "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<!-- This needs to be placed at ~/Library/LaunchAgents/org.gnupg.gpg-agent.plist -->
<plist version="1.0">
  <dict>
    <key>Label</key>
    <string>org.gnupg.gpg-agent</string>
    <key>ProgramArguments</key>
    <array>
      <!-- Be sure to set this path correctly! -->
      <string>/Users/yourusername/bin/start-gpg-agent.sh</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
  </dict>
</plist>

startup-gpg-agent.sh

# Ensure that gpg can find the agent when needed
if [ -f ~/.gnupg/.gpg-agent-info ] && [ -n "$(pgrep gpg-agent)" ]; then
    source ~/.gnupg/.gpg-agent-info
    export GPG_AGENT_INFO
else
    eval $(gpg-agent --daemon --write-env-file ~/.gnupg/.gpg-agent-info)
fi

# This line is important for GUI tools to also find it
launchctl setenv GPG_AGENT_INFO $GPG_AGENT_INFO

Thanks for making this, super easy to follow! Saved me a ton of time.

This is an excellent gist, thank you for taking the time to write this up.

For me gpg agent didn't fetch new config until I ran gpgconf --kill gpg-agent might be useful to add it to the troubleshooting.

+1 for this!

Homebrew for M1 (Apple Silicon) lives in a different directory so on Step 2 it's better to do this instead in the second command (brew --prefix returns the proper directory for Apple Silicon and Intel).

echo 'pinentry-program $(brew --prefix)/bin/pinentry-mac' > ~/.gnupg/gpg-agent.conf

This is the recommended approach in https://formulae.brew.sh/formula/pinentry-mac

Homebrew for M1 (Apple Silicon) lives in a different directory so on Step 2 it's better to do this instead in the second command (brew --prefix returns the proper directory for Apple Silicon and Intel).

echo 'pinentry-program $(brew --prefix)/bin/pinentry-mac' > ~/.gnupg/gpg-agent.conf

This is the recommended approach in https://formulae.brew.sh/formula/pinentry-mac

I've followed the entire post, and this comment, restarted the gpg-agent, and even restarted the entire mac, and I still get

gpg: agent_genkey failed: No pinentry

Is there any logs I can check for this?

I've followed the entire post, and this comment, restarted the gpg-agent, and even restarted the entire mac, and I still get

gpg: agent_genkey failed: No pinentry

Is there any logs I can check for this?

I'm getting this same problem 😬

@aequasi, @PabiGamito try to restart your computer, it helped me.

For those with issues following the tutorial on a Mac with an M1 chip (i.e. getting the gpg: agent_genkey failed: No pinentry error), removing the pinentry-program entry in the ~/.gnupg/gpg-agent.conf file fixed it for me. Make sure to reload the gpg-agent afterwards (gpgconf --reload gpg-agent). Found the solution here after an hour of digging around.

GPG step 4 should be

export GPG_TTY=$(tty)

I've updated it based on the documentation recommending back ticks.

FYI, use of back ticks is outdated on modern systems. Back ticks are the older style of creating a sub-shells; unfortunately because there was no difference between the start and stop characters, it becomes impossible to nest these commands as the interpreter cannot tell how the nesting is done. This is especially for commands where multiple sub-shells might be used in a nested manner.

The usage of backticks in the documentation is to specify that command is run in a subshell and not a string

export VARIABLE=`echo "I am`whoami` which is the same as `whoami`"`
# The above example is trivial but is a commonly desired use case that breaks. Hence a different syntax was introduced. 
# This syntax makes it simple to have multiple sub-shells within a sub-shell.
export VARIABLE=$(echo "I am $(whoami) which is the same as $(whoami)")

Sorry for the overly trivial examples, but the use cases are real, I assure you. 😄

Google Style guide https://google.github.io/styleguide/shellguide.html#command-substitution

GPG step 4 should be

export GPG_TTY=$(tty)

I've updated it based on the documentation recommending back ticks.

FYI, use of back ticks is outdated on modern systems. Back ticks are the older style of creating a sub-shells; unfortunately because there was no difference between the start and stop characters, it becomes impossible to nest these commands as the interpreter cannot tell how the nesting is done. This is especially for commands where multiple sub-shells might be used in a nested manner.

The usage of backticks in the documentation is to specify that command is run in a subshell and not a string

export VARIABLE=`echo "I am`whoami` which is the same as `whoami`"`
# The above example is trivial but is a commonly desired use case that breaks. Hence a different syntax was introduced. 
# This syntax makes it simple to have multiple sub-shells within a sub-shell.
export VARIABLE=$(echo "I am $(whoami) which is the same as $(whoami)")

Sorry for the overly trivial examples, but the use cases are real, I assure you. 😄

Google Style guide https://google.github.io/styleguide/shellguide.html#command-substitution

Okay, I can't disagree-it just made the most sense to go with what the maintainer suggested as they should be the subject-matter expert on their usage when implementing. Clearly they don't have that part of their docs getting much support, hence the old syntax. I've updated the gist-though the old syntax still works and doesn't introduce any issues in this context.

Big thank you for this guide!

For those with issues following the tutorial on a Mac with an M1 chip (i.e. getting the gpg: agent_genkey failed: No pinentry error), removing the pinentry-program entry in the ~/.gnupg/gpg-agent.conf file fixed it for me. Make sure to reload the gpg-agent afterwards (gpgconf --reload gpg-agent). Found the solution here after an hour of digging around.

This does helped me.
I am using Macbook Pro 2020-mid with clean install of BigSur.
Maybe this should be added in the tutorial :/

@racterub it is commented out with an explanation?

Thanks much, this detailed guide helped me.

For those with issues following the tutorial on a Mac with an M1 chip (i.e. getting the gpg: agent_genkey failed: No pinentry error), removing the pinentry-program entry in the ~/.gnupg/gpg-agent.conf file fixed it for me. Make sure to reload the gpg-agent afterwards (gpgconf --reload gpg-agent). Found the solution here after an hour of digging around.

@julesrenaud did you also find a way to 'remember password' so it doesn't prompt you all the time.

this gist has been a lifesaver. Thank you @troyfontaine

@jtsalva
Remember password
This can be solved by saving the password in macOS keychain.

Unfortunately gpg-agent has no built-in support for this, so:

1. You need add a separate tool

brew install pinentry-mac

2. You need to find out your pinentry-mac path:

which pinentry-mac

3. If not existing already create the file ~/.gnupg/gpg-agent.conf and add the following line (with your own pinentry-mac path):

pinentry-program /opt/homebrew/bin/pinentry-mac

4. Then just stop the currently running gpg-agent.

gpgconf --kill gpg-agent

5. Next time you try to sign a commit you'll be prompted to save it to the macOS Keychain.

BTW: Everything works like a charm on my M1 mac with Big Sur

Thanks @bartholomej, that worked for me except I had to use gpgconf --reload instead of killing gpg-agent

I wonder why using $(brew --prefix) in ~/.gnupg/gpg-agent.conf breaks on M1

Ever since I updated to Tower 7.0 I can't use my GPG key anymore if it's not already unlocked from console. No prompt in Tower to unlock the key just the following error:

error: gpg failed to sign the data
fatal: failed to write commit object

I've updated everything to what is shown in this gist on my system, any ideas?

Thanks!
I recommend creating the directory with the correct permissions in one go:

mkdir -m 700 ~/.gnupg

Also:

echo 'pinentry-program $(brew --prefix)/bin/pinentry-mac' > ~/.gnupg/gpg-agent.conf

should be:

echo "pinentry-program $(brew --prefix)/bin/pinentry-mac" > ~/.gnupg/gpg-agent.conf

Thank you, this worked nicely first time around! 👍

It says a lot though about the state of affairs when the ergonomics involved in near zero. Imagine anyone actually remembering this whole process.

@jtsalva Remember password This can be solved by saving the password in macOS keychain.

Unfortunately gpg-agent has no built-in support for this, so:

1. You need add a separate tool

brew install pinentry-mac

1. You need to find out your **pinentry-mac path**:

which pinentry-mac

1. If not existing already create the file `~/.gnupg/gpg-agent.conf` and add the following line (with your own **pinentry-mac path**):

pinentry-program /opt/homebrew/bin/pinentry-mac

1. Then just stop the currently running `gpg-agent`.

gpgconf --kill gpg-agent

1. Next time you try to sign a commit you'll be prompted to save it to the macOS Keychain.

BTW: Everything works like a charm on my M1 mac with Big Sur

Brilliant. That worked seamlessly.

Thank you so much @troyfontaine! This finally worked for me! I have been using Github Desktop to sign commits, but had to do the whole echo "test" | gpg --clearsign and then enter my key password each time I committed something. So much better! Also, thank you @timmyjose! Your follow up steps were the final key to getting this to work. You guys are awesome, thanks again! 🙏

@shelbourn Cheers. I can sense the sense of relief! (To be fair though, it was @bartholomej 's instructions which I had just quoted!) Hahaha). Still, I do understand the frustration - I was at the end of my tether myself. Congratulations, man! :-)

3-GUI-git-signing.md -

Step 1: Modify ~/.gnupg/gpg-agent.conf

use-standard-socket
# Below option is deprecated
# pinentry-program $(brew --prefix)/bin/pinentry-mac
enable-ssh-support

I ran into a problem when I couldn't sign my commits, this config helped me:
In ~/.gnupg/gpg-agent.conf

pinentry-program /usr/local/bin/pinentry-mac
enable-ssh-support

System: Mac OS BigSur

Thank you so much! 🙏

Thanks @bartholomej ! You saved tons of my time 👍 I appreciated it!

A fantastic resource, it helped a lot. Thanks so much!

This step worked to me

echo "pinentry-program /opt/homebrew/bin/pinentry-mac" >> ~/.gnupg/gpg-agent.conf 
killall gpg-agent

I had an issue with gpg not using the correct key despite giving it the correct keyid and confirming the keyid was in the git config global. Ultimately, I deleted the key that seemed to be getting mixed up in vscode / git .

This command helped me identify that git had in fact selected the wrong key:

'echo "test" | gpg --clearsign

I also killed the agent w/:

killall gpg-agent

I re-issued a key and followed the above procedures this time. The directions I used previously were through the GitHub docs. I have to circle back to test multiple keys and having git switch between them. For today, I'll take the small win of getting it to work.

I have to circle back to test multiple keys and having git switch between them. For today, I'll take the small win of getting it to work.

I use gitconfig to handle different signing key and user information (like email) based on the repo directory. This is supported by git and works for all projects under the defined directory tree in case you have multiple projects. I organize my repos based on which git profile I wish to use.

In ~/.gitconfig I append lines like the below example

# default gitconfig above here
[includeIf "gitdir:~/Documents/custom/"]
        path = ~/.gitconfig-custom
[includeIf "gitdir:~/Documents/alternate/"]
        path = ~/.gitconfig-alternate

And in ~/.gitconfig-custom and ~/.gitconfig-alternate the file contents are as

[user]
        name = First Last
        email = first.last@custom.com
        signingkey = xyz
[credential]
        helper = osxkeychain

The credential section is not required. It is just an example of how you can override sections/settings in this git config file.

Nice work 🥇

Amazing! Thank you for that. Saves a lot of my time spent trying to set this up 👏 🙌

Followed the setup instructions, but I'm still getting this error on commit:

error: gpg failed to sign the data fatal: failed to write commit object

echo "test" | gpg --clearsign shows that it is using the correct public key

This is a fantastic and comprehensive how-to for MacOS, thank you! 🙌

If I could add one step, it would be:

Step 10: Import existing keys from another system (optional)

If you already have GPG keys generated that you want to move to MacOS, first export them from the other system e.g.

gpg --export -a john > public.key
gpg --export-secret-key -a john > private.key

Then on the MacOS system you are setting GPG up on:

gpg --import public.key
gpg --import private.key

You will be required to enter the passphrase for both the export and import of the private key.

Thank you so much! Helped me a lot in 2020, and helped me now in 2023. This is gold 🥇

Lovely guide @troyfontaine.
Well written and easy to follow.

What a guide, what a gem. Thank you! ✨

None of them worked for me. I'm using MacBook Pro M1 Pro. I get timeout no matter what I've tried.

None of them worked for me. I'm using MacBook Pro M1 Pro. I get timeout no matter what I've tried.

At what point are you getting the timeout?

Generation step, where it asks to move the mouse during random bytes generation. Thanks for the blazingly fast reply!

Generation step, where it asks to move the mouse during random bytes generation. Thanks for the blazingly fast reply!

@nesimtunc it looks like there is a problem with the GPG agent, you need to run Step 7 again and if you still get the timeout, you need to verify that you followed the previous steps-and double check that the pinentry-program setting is there in ~/.gnupg/gpg-agent.conf with the path to pinentry-mac.

Already done. I believe the problem is with my laptop, maybe cuz it's corporate device, it might have some restrictions. I'll create key on my personal device and then import it here, later. Thanks for the replies and the awesome documentation.

Already done. I believe the problem is with my laptop, maybe cuz it's corporate device, it might have some restrictions. I'll create key on my personal device and then import it here, later. Thanks for the replies and the awesome documentation.

You're welcome! I was sitting at my computer when your comment showed up-so it worked 😄

Followed the setup instructions, but I'm still getting this error on commit:

error: gpg failed to sign the data fatal: failed to write commit object

echo "test" | gpg --clearsign shows that it is using the correct public key

@jimezesinachi sorry for the very late reply! You get that if there is no files added to the commit.

Yeah! Later figured it out and I got it working! Thanks for this guide @troyfontaine!

This is still so good

Step 16 -- it would be great to add here the "--allow-empty" flag, otherwise we would have to add a file first. This is how the command would look like updated:

git commit -S -s -m "My Signed Commit" --allow-empty

Step 16 -- it would be great to add here the "--allow-empty" flag, otherwise we would have to add a file first. This is how the command would look like updated:

git commit -S -s -m "My Signed Commit" --allow-empty

@rickschubert great suggestion! I'll update it!

Finally, after i updated my MacBook to MacOS Sonoma, gpg stopped working. After deinstallation and reconfiguration based on your guide, it works again 😄. Thanks for this guide.

2-using-gpg.md was super helpful. Many thanks. It fixed my problem.
However, I had to "read between the lines" a bit.
Specifically, it looks like some steps have been inserted, causing references to step numbers to "mis-align".
For example, step 11 says to use an ID from a later step, step 13...?

@troyfontaine the link in

follow the steps here for signing your commits

is wrong. Should be pointing to https://gist.github.com/troyfontaine/18c9146295168ee9ca2b30c00bd1b41e#file-3-gui-git-signing-md or so.

@troyfontaine the link in

follow the steps here for signing your commits

is wrong. Should be pointing to https://gist.github.com/troyfontaine/18c9146295168ee9ca2b30c00bd1b41e#file-3-gui-git-signing-md or so.

Fixed, thanks!

2-using-gpg.md was super helpful. Many thanks. It fixed my problem. However, I had to "read between the lines" a bit. Specifically, it looks like some steps have been inserted, causing references to step numbers to "mis-align". For example, step 11 says to use an ID from a later step, step 13...?

I believe that may have been a misunderstanding, I've tried to make step 11 a bit more verbose.

killall gpg-agent does not work on my Mac (Sonoma 14.3). Instead, I had to do gpgconf --kill gpg-agent.

My time saver! Thx.

This was super useful, thanks!