
@wmudge
Forked from ankurk91/github_gpg_key.md
Last active June 18, 2022 18:39
Signing git commits using GPG (Ubuntu/Mac)

Signing commits using GPG (Ubuntu/Mac) 🔐

  • Do you have a GitHub account? If not, create one.
  • Install the required tools:
      • Latest Git client
      • gpg tools
# Ubuntu
sudo apt-get install gpa seahorse

# MacOS with https://brew.sh/
brew install gpg
  • Generate a new gpg key
gpg --gen-key
  • Answer the questions asked

Note: When asked to enter your email address, ensure that you enter the verified email address for your GitHub account.

  • List generated key
gpg --list-secret-keys --keyid-format LONG
  • The above command should return output like this
/home/username/.gnupg/secring.gpg
-------------------------------
sec   4096R/<COPY_LONG_KEY> 2016-08-11 [expires: 2018-08-11]
uid                          User Name <user.name@email.com>
ssb   4096R/62E5B29EEA7145E 2016-08-11

  • Note down your key ID, shown as COPY_LONG_KEY above (without the < and >)
  • Export this (public) key to a text file
gpg --armor --export <PASTE_LONG_KEY_HERE> > gpg-key.txt
  • The above command creates a new text file, gpg-key.txt

  • Add this key to GitHub

  • Log in to GitHub and go to your profile settings

  • Click New GPG Key, paste the contents of the gpg-key.txt file, then save

  • Tell the git client to auto-sign your future commits

  • Use the long key ID from above in the next command

git config --global user.signingkey <PASTE_LONG_KEY_HERE>
git config --global commit.gpgsign true
  • You are done. The next time you commit changes, gpg will ask you for the passphrase.

Make gpg remember your passphrase (tricky)

To make gpg remember your passphrase, you can use gpg-agent.

Edit your ~/.gnupg/gpg-agent.conf file and paste these lines

default-cache-ttl 28800
max-cache-ttl 28800
allow-preset-passphrase

28800 seconds is 8 hours.

If gpg-agent is not running you can start it with this command

gpg-agent --daemon

List cached gpg keys

To list cached gpg keys, list the keygrips currently cached by gpg-agent by sending it the command keyinfo --list via gpg-connect-agent.

$ gpg-connect-agent 'keyinfo --list' /bye
S KEYINFO 866C3DE249CF81E31A3691845DBADE2809487FF5 D - - 1 P - - -
S KEYINFO 04278155E72CAE8FF1548FE161F1B8F7673824F4 D - - - P - - -
OK

The 1 in the seventh column indicates that the keygrip is cached. Then you can associate the keygrip with its gpg key by examining the stored secret keys.

$ gpg --list-secret-keys --with-keygrip
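As an added example (not part of this gist), the following script joins the two listings from this section so you can see which secret keys currently have a cached passphrase. The KEYINFO sample reuses the keygrips shown above; the --with-colons listing is a constructed sample, and the live run against your own agent is opt-in via the assumed GPG_LIVE=1 variable.

```bash
#!/usr/bin/env bash
# Constructed sample of `gpg-connect-agent 'keyinfo --list' /bye` (keygrips as above).
SAMPLE_KEYINFO='S KEYINFO 866C3DE249CF81E31A3691845DBADE2809487FF5 D - - 1 P - - -
S KEYINFO 04278155E72CAE8FF1548FE161F1B8F7673824F4 D - - - P - - -
OK'

# Constructed sample of `gpg --list-secret-keys --with-keygrip --with-colons`:
# field 10 of fpr:/grp:/uid: records carries the fingerprint/keygrip/user id.
SAMPLE_COLONS='sec:u:4096:1:0123456789ABCDEF:1470873600:1533945600::u:::scESC:::+:::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
grp:::::::::866C3DE249CF81E31A3691845DBADE2809487FF5:
uid:u::::1470873600::ABCDEF0123456789ABCDEF0123456789ABCDEF01::User Name <user.name@email.com>::::::::::0:
ssb:u:4096:1:FEDCBA9876543210:1470873600::::::e:::+:::23:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
grp:::::::::04278155E72CAE8FF1548FE161F1B8F7673824F4:'

# Keygrips whose cached flag (7th whitespace-separated column) is 1. $1 = KEYINFO text.
cached_keygrips() {
  printf '%s\n' "$1" | awk '$1 == "S" && $2 == "KEYINFO" && $7 == "1" { print $3 }'
}

# "keygrip fingerprint" pairs: a grp: record belongs to the fpr: record just before it.
keygrip_to_fpr() {   # $1 = --with-colons text
  printf '%s\n' "$1" | awk -F: '$1 == "fpr" { fpr = $10 } $1 == "grp" { print $10, fpr }'
}

# Print "<fingerprint> <keygrip>" for every (sub)key whose passphrase is cached.
cached_keys() {      # $1 = KEYINFO text, $2 = --with-colons text
  local cached grip fpr
  cached=$(cached_keygrips "$1")
  keygrip_to_fpr "$2" | while read -r grip fpr; do
    case "$cached" in
      *"$grip"*) printf '%s %s\n' "$fpr" "$grip" ;;
    esac
  done
}

# Query the local agent only when explicitly requested (assumed GPG_LIVE=1 switch);
# otherwise demonstrate on the constructed samples.
if [ "${GPG_LIVE:-0}" = 1 ]; then
  cached_keys "$(gpg-connect-agent 'keyinfo --list' /bye)" \
              "$(gpg --list-secret-keys --with-keygrip --with-colons)"
else
  cached_keys "$SAMPLE_KEYINFO" "$SAMPLE_COLONS"
fi
```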

Change your key passphrase

gpg --edit-key <PASTE_YOUR_KEY_ID_HERE>

At the gpg prompt type:

passwd

Type in the current passphrase when prompted.
Type in the new passphrase twice when prompted.
Then type:

save

Load your GPG key passphrase into the agent (after the cache expires)

You will want to preset your passphrase. The program gpg-preset-passphrase is installed with gpg-agent, but is typically not in the PATH. You need to run gpg-preset-passphrase --preset <KEYGRIP ID> with the passphrase supplied on standard input; it is then cached according to the gpg-agent configuration.

Below is a quick 'n dirty Bash script to find the keygrip and load the passphrase into gpg-agent.

#!/bin/bash

# Hacked from https://superuser.com/a/1586033

set -e

# gpg-preset-passphrase lives in GnuPG's libexec directory, which is not on PATH.
# Ask gpgconf for it (Ubuntu and Homebrew), falling back to the Debian/Ubuntu path.
GPG_PRESET_PASS="$(gpgconf --list-dirs libexecdir 2>/dev/null || true)/gpg-preset-passphrase"
[[ -x $GPG_PRESET_PASS ]] || GPG_PRESET_PASS="/usr/lib/gnupg/gpg-preset-passphrase"

SCRIPT="$(basename "$(test -L "$0" && readlink "$0" || echo "$0")")"

if [[ -z $1 ]]; then
    echo "Usage:"
    echo "  ${SCRIPT} <key email>"
    exit 1
fi

# Keygrip of the first secret (sub)key matching the given email.
# sed/head instead of grep -P so this also works with the BSD grep on macOS.
KEY_GRIP=$(gpg --with-keygrip --list-secret-keys --fingerprint "$1" \
    | sed -n 's/^[[:space:]]*Keygrip[[:space:]]*=[[:space:]]*//p' | head -n1)
if [[ -z $KEY_GRIP ]]; then
    echo "No secret key with a keygrip found for: $1" >&2
    exit 1
fi
echo "Found key: ${KEY_GRIP}"
read -r -s -p "Enter passphrase to cache into gpg-agent: " PASSPHRASE; echo

# -c is short for --preset; the passphrase is read from stdin.
# Test the command directly: under 'set -e', a failing command followed by
# RETVAL=$? would abort the script before the else branch could ever run.
if "$GPG_PRESET_PASS" -c "$KEY_GRIP" <<< "$PASSPHRASE"; then
    echo "Passphrase OK"   # cached; the agent only verifies it when the key is next used
    echo
    echo "Current agent cache:"
    gpg-connect-agent 'keyinfo --list' /bye
else
    echo "Passphrase FAILED"
fi

Reference links
