Skip to content

Instantly share code, notes, and snippets.

@xavierfoucrier
Last active June 5, 2024 09:39
Show Gist options
  • Save xavierfoucrier/c156027fcc6ae23bcee1204199f177da to your computer and use it in GitHub Desktop.
Save xavierfoucrier/c156027fcc6ae23bcee1204199f177da to your computer and use it in GitHub Desktop.
GPG signing with Git and Github Desktop

GPG signing – git github-desktop

Here is a short guide that will help you setup your environment to create signed commits or signed tags with Git locally. This has been extensively tested on Windows with Git and the Github Desktop application: I use it every day for my professional development projects.

I you face any issue, feel free to leave a comment below.

Summary

  1. Sign commits or tags
  2. Key passphrase
  3. Disable signatures
  4. Renew a GPG key

Sign commits or tags

  1. Generate a GPG key and add it to Github: https://help.github.com/articles/generating-a-new-gpg-key (if you don't want to type a passphrase on every commit, you need to press "Enter" when the console will prompt you to type a passphrase)

  2. Open the .gitconfig configuration file by typing git config --global --edit in a terminal (since this file can exists in different places depending on your operating system, the command line will prompt git binary and open your default editor)

  3. Configure Git by replacing GITHUB_EMAIL, SIGNING_KEY and GPG_BINARY_PATH with your own data:

[user]
  name = Xavier Foucrier
  email = GITHUB_EMAIL
  signingkey = SIGNING_KEY
[gpg]
  program = GPG_BINARY_PATH
[commit]
  gpgsign = true
[tag]
  gpgsign = true
  • GITHUB_EMAIL: the email address used to login on Github

  • SIGNING_KEY: the GPG key identifier used to sign commits (should follow the GPG key ID convention, like this example: https://help.github.com/articles/telling-git-about-your-signing-key/#telling-git-about-your-gpg-key-1)

  • GPG_BINARY_PATH: the GPG binary file path depending on your Git install and your operating system:

    • Windows: gpg, gpg.exe or C:\\Program Files\\Git\\usr\\bin\\gpg.exe
      (can be found using where gpg in a terminal)

      Some system may contain multiple gpg binaries, in this case you can execute the following command line with PowerShell to use the more appropriate one: git config --global gpg.program $(Resolve-Path (Get-Command gpg | Select-Object -Expand Source) | Select-Object -Expand Path)

    • Mac or Linux: gpg or /usr/local/bin/gpg
      (can be found using which gpg in a terminal)

  1. Enjoy signed commits with your favorite code editor, Github Desktop application, and even command line using git commit -S -m "Commit message" πŸŽ‰

Key passphrase

In order for GPG to automatically store your key passphrase (even empty), so you don't have to enter it every time you sign a commit, Github recommend using the following tools:

This is necessary to let GPG launch the gpg-agent as a system daemon when signing commits.

Disable signatures

If you want to temporarily pause GPG signatures for your commits or tags, just set gpgsign = false in your .gitconfig configuration file with git config --global commit.gpgsign false (for commits) or git config --global tag.gpgsign false (for tags).

Renew a GPG key

If the key you have defined in the .gitconfig configuration file has expired, you can't sign commits anymore. You can easily renew it by following these steps:

  1. list the secrets keys with gpg --list-secret-keys

  2. edit the key you want to renew with gpg --edit-key SIGNING_KEY
    (the GPG key used to sign commits, as defined in your .gitconfig configuration file)

  3. gpg prompt is ready: you should see gpg>

  4. type expire to select a new expiration delay and confirm

  5. type trust to trust the selected key as "ultimate"
    (this step is not needed if your current key is already trusted as an "ultimate" key)

  6. type quit and confirm you wish to save changes

  7. enjoy a fresh renewed GPG key!

Thanks everyone for reading! πŸ‘€

@xavierfoucrier
Copy link
Author

xavierfoucrier commented Jun 3, 2021

@fanaugen yes, for those who decided to always type a password, there is gpg-agent cache to take into account πŸ˜‰

@rtomyj
Copy link

rtomyj commented Sep 26, 2021

Thanks, man. Helped me getting signing to work as well!

@xavierfoucrier
Copy link
Author

@rtomyj Thanks mate πŸ˜‰

@mertowitch
Copy link

thanks...

@xavierfoucrier
Copy link
Author

@mertowitch You are welcome! 😎

@muhammadisa20
Copy link

@xavierfoucrier thanks man!

@xavierfoucrier
Copy link
Author

@muhammadisa20 🀘

@lunarmint
Copy link

Been looking for how to do this, really appreciate the detailed write up!

@xavierfoucrier
Copy link
Author

@lunarmint Thanks for the feedback πŸ˜‰

@sushiljainam
Copy link

sushiljainam commented Sep 22, 2022

This DOES NOT WORK with passphrase from Github Desktop.
is it only supposed to work with empty passphrase? @xavierfoucrier

@xavierfoucrier
Copy link
Author

@sushiljainam I haven't tested with a passphrase, so I can't tell you.

@MaxEtMoritz
Copy link

@sushiljainam i set this up on Windows and it works with passphrase without issues. probably because i use gpg-agent...

@xavierfoucrier
Copy link
Author

xavierfoucrier commented Nov 14, 2022

Thanks @MaxEtMoritz for the feedback πŸ˜‰

And yes of course, gpg-agent is needed and loaded automatically on my side when trying to sign commits.

@Shane-oo
Copy link

Life Saver!

@dscotese
Copy link

"Configure Git properly by editing the .gitconfig file using the command line" would work better for dummies like me if it said:
Use the command line git config --global --edit to setup the proper configuration because different systems put the .gitconfig file in different places.

@xavierfoucrier
Copy link
Author

xavierfoucrier commented Jun 9, 2023

Hi all πŸ‘‹
Short guide updated!

Have a nice day everyone ✌️

@tekshteint
Copy link

Thank you!!! Great guide to get Github Desktop to work with my GPG keys

@xavierfoucrier
Copy link
Author

Thanks @tekshteint for the feedback!
Glad to hear that it's still used by many peoples ☺️

@Gurpartap
Copy link

To store into and use the signing passphrase from the Keychain on macOS:

$ brew install pinentry

$ echo "pinentry-program /usr/local/bin/pinentry-mac" > ~/.gnupg/gpg-agent.conf

$ echo "no-tty" > ~/.gnupg/gpg.conf

Trigger conf reload:

$ gpgconf --kill gpg-agent

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment