Signing git commits on github using keybase.io gpg key

Probably one of the easiest things you'll ever do with gpg

Install Keybase (https://keybase.io/download) and ensure the keybase CLI is in your PATH.

First, get the public key:

keybase pgp export | gpg --import

Next, get the private key:

keybase pgp export --secret | gpg --allow-secret-key --import

Verify progress:

gpg --list-secret-keys

Look for something like:

sec   4096R/C9D8E1A1 2017-02-16 [expires: 2033-02-12]
uid                  Sean Escriva <sean.escriva@gmail.com>
ssb   4096R/CC67212E 2017-02-16

The email address should match your GitHub email.

The C9D8E1A1 part (the key ID) is what you need next. By default this key is untrusted, so we'll fix that. To edit trust:

$ gpg --edit-key C9D8E1A1
gpg> trust
Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

  1 = I don't know or won't say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately
  m = back to the main menu

Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y

There are several levels of trust, so choose the one you're comfortable with. Then configure git to sign commits with this key:

$ git config --global user.signingkey C9D8E1A1
$ git config --global commit.gpgsign true

Now add it to your GitHub profile:

gpg --armor --export C9D8E1A1 | xclip

Add it to your GitHub profile under Settings/SSH and GPG keys. Replace xclip with clip or pbcopy for your current platform.

Use gpg-agent if you don't want to enter the passphrase every time.

View signed commits with: git log --show-signature -1
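
An added example, not part of the original gist: 8-hex-digit IDs such as C9D8E1A1 are not unique, so this sketch picks the signing key by full fingerprint from gpg's machine-readable `--with-colons` listing, skipping expired or revoked keys and requiring a user ID that matches your commit email. The function name `signing_fpr_for_email` and the sample listing are constructed for illustration.

```shell
# Added example: choose the signing key by full fingerprint, not short ID.

# Reads `gpg --list-secret-keys --with-colons` output on stdin and prints the
# primary-key fingerprint of the first secret key that is not expired,
# revoked or disabled and has a user ID containing <EMAIL>.
# Exit status is non-zero when no such key exists.
signing_fpr_for_email() {
  want="<$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')>"
  awk -F: -v want="$want" '
    $1 == "sec" { usable = ($2 !~ /^[erd]/); fpr = ""; need = 1; next }
    $1 == "fpr" && need { fpr = $10; need = 0; next }  # first fpr = primary key
    $1 == "uid" && usable && $2 !~ /^[er]/ && index(tolower($10), want) {
      print fpr; found = 1; exit
    }
    END { exit !found }
  '
}

# Constructed sample listing (not real keys): an expired key and a valid key
# that share the same email address, plus an encryption subkey.
sample_listing() {
  cat <<'EOF'
sec:e:4096:1:1111222233334444:1420070400:1451606400::u:::sc:::+:::23::0:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAA1111222233334444:
uid:e::::1420070400::0000::Jane Dev <jane@example.com>::::::::::0:
sec:u:4096:1:5555666677778888:1487203200:1991606400::u:::scESC:::+:::23::0:
fpr:::::::::BBBBBBBBBBBBBBBBBBBBBBBB5555666677778888:
uid:u::::1487203200::0000::Jane Dev <jane@example.com>::::::::::0:
ssb:u:4096:1:9999000011112222:1487203200::::::e:::+:::23:
fpr:::::::::CCCCCCCCCCCCCCCCCCCCCCCC9999000011112222:
EOF
}

# Demo on the constructed sample; prints the fingerprint of the valid key.
sample_listing | signing_fpr_for_email "jane@example.com"

# Real use (assumes gpg and git are installed and user.email is set):
#   fpr=$(gpg --list-secret-keys --with-colons |
#         signing_fpr_for_email "$(git config user.email)") &&
#     git config --global user.signingkey "$fpr"
```

If the function exits non-zero, no usable secret key carries your commit email, and GitHub would not mark commits signed with the imported key as verified for that address.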

FrenchBen commented Jul 26, 2018

I've had to use gpg --list-secret-keys --keyid-format LONG in order to get the proper gpg key for the --edit-key.

$ gpg --version
gpg (GnuPG) 2.2.7
libgcrypt 1.8.2

tillkruss commented Aug 6, 2018

I got this error:

gpg: error building skey array: Inappropriate ioctl for device

And used this to import the secret key:

keybase pgp export --secret | gpg --batch --import

xusy2k commented Aug 15, 2018

@tillkruss: taken from keybase/keybase-issues#2798

export GPG_TTY=$(tty)

felipetio commented Jun 26, 2019

👍

jufemaiz commented Jul 3, 2019

👍

xphyr commented Aug 16, 2019

Thanks for the great writeup

leo8989 commented Sep 10, 2019

ok will try

NG-sp commented Sep 13, 2019

Keybase proof

I hereby claim:

  • I am ng-sp on github.
  • I am ngsp (https://keybase.io/ngsp) on keybase.
  • I have a public key ASAZ_KOcmhzIJbCLrKqYj97Nv_3lBTUzcovZZ9cuuRtotQo

To claim this, I am signing this object:

{
  "body": {
    "key": {
      "eldest_kid": "012019fca39c9a1cc825b08bacaa988fdecdbffde5053533728bd967d72eb91b68b50a",
      "host": "keybase.io",
      "kid": "012019fca39c9a1cc825b08bacaa988fdecdbffde5053533728bd967d72eb91b68b50a",
      "uid": "d42fcce0bda32b5d7b087077a9a6c019",
      "username": "ngsp"
    },
    "merkle_root": {
      "ctime": 1568366991,
      "hash": "9ea72ce747279a59437f5df84ff8c2ba7bfc1180896d389c20013cf7a7c3b866733571a4fa983e979242f7846128978e08fbc06bcbec08342d46bbb56de49e12",
      "hash_meta": "17e2f837ca600a06cd25b913bc4798ab1b228a8b33108f714db3127d93f77818",
      "seqno": 7128957
    },
    "service": {
      "entropy": "ORZ+/RI0lO1bz4RO5kiYGknR",
      "name": "github",
      "username": "ng-sp"
    },
    "type": "web_service_binding",
    "version": 2
  },
  "client": {
    "name": "keybase.io go client",
    "version": "4.4.1"
  },
  "ctime": 1568367014,
  "expire_in": 504576000,
  "prev": "c103269c4a3e155ec5198325452c1a36c837479f41d4f19f61d8f69b48236680",
  "seqno": 9,
  "tag": "signature"
}

with the key ASAZ_KOcmhzIJbCLrKqYj97Nv_3lBTUzcovZZ9cuuRtotQo, yielding the signature:


And finally, I am proving ownership of the github account by posting this as a gist.

My publicly-auditable identity:

https://keybase.io/ngsp

From the command line:

Consider the keybase command line program.

# look me up
keybase id ngsp

IdlePhysicist commented Oct 5, 2020

The --allow-secret-key flag for GPG is no longer necessary.

IdlePhysicist commented Oct 25, 2020

@kgnfth Did you get that error when importing the public or private key? And could you include (as a code block please) the exact command you ran when you got the error.

gtrabanco commented May 23, 2021

I made a script that does all of this work automatically. The script follows the user through the necessary steps to automate some of the work and gives the user info on how to do the other work manually:

bash <(curl -s https://gist.githubusercontent.com/gtrabanco/df7a2c7c5078ebe2a1a7332e2536dadb/raw/e7382422f1ac416cf5d2419c3681c50420057898/keybase-gpg.sh)

View the script source.

After that you need to add this to your ~/.bashrc and/or ~/.zshenv:

GPG_TTY=$(tty)
export GPG_TTY

This script is part of my dotfiles that are powered by sloth.

kgnfth commented May 23, 2021

I read the documentation on Keybase and found my own way to sign commits.
I wrote this gist so that I understand it better for myself in the future xD
https://gist.github.com/kgnfth/51526e7d57713e1817eded7bf22ed037
