Setup GPG Key for Github Commits - Your Gateway to Tech Excellence

In today's digital world, ensuring the security and integrity of our data is of utmost importance. One way to achieve this is by using encryption and digital signatures. GnuPG (GPG) is a widely used open-source encryption software that provides cryptographic privacy and authentication for data communication. This article will guide you through the process of setting up GPG on both macOS and Linux systems.

Installation

Install GnuPG based on Operating System

BASH

Install GnuPG

# Install GnuPG: Most Linux distributions come with GnuPG preinstalled.
# If it's not already installed, use your package manager to install GnuPG.
# For example, on Ubuntu or Debian-based systems, run the following command:
sudo apt-get install gnupg pinentry
# In-case of Redhat-based system, run the following command:
sudo dnf install gnupg pinentry

Configure GPG:

Create or modify the following configuration files to set up GPG:

**~/.gnupg/gpg.conf**: Open the file and add the following lines:

use-agent
# This silences the "you need a passphrase" message once the passphrase handling is all set.
# Use at your own discretion - may prevent the successful interactive use of some operations.
# It is working fine for my use cases though.
batch

**~/.gnupg/gpg-agent.conf**: Open the file and add the following lines:

BASH

GPG Agent Configuration

# Enables GPG to find gpg-agent
use-standard-socket

User Profile configuration for GPG

BASH

User Profile Configuration

# Add below content in the file: ~/.bashrc or `~/.bash_profile
GPG_TTY=$(tty)
export GPG_TTY

Generate GPG Keys

Generate a key pair: Use the following command to generate your GPG key pair:

gpg --full-generate-key

Follow the prompts to select the key type, key size, and expiration date. Enter a strong passphrase to protect your private key.

Export the public key: Once the key pair is generated, you can export the public key using the key ID. Run the following command, replacing XXXXXX with your key ID:

# get the public key using key ID
gpg --armor --export XXXXXX

The output will be your public key in ASCII-armored format, which can be shared with others.

Import existing GPG

Obtain the GPG key file: If you have the GPG key file (with a .asc or .gpg extension) from another source, make sure you have it available on your system.
Import the GPG key: Open your terminal and run the following command, replacing <KEY-FILE> with the path to your GPG key file:

gpg --import <KEY_FILE>.pgp

# or

# Import Public key from Keybase or other server and import private key separately.
curl https://keybase.io/<username>/pgp_keys.asc | gpg --import

The GPG key will be imported, and you will see the key details displayed in the terminal.

Trust the imported key (optional): By default, imported keys are not trusted. If the key belongs to someone you trust, you can manually trust it. Run the following command, replacing <KEY-ID> with the ID of the imported key (can be found in the output of the previous command):

gpg --edit-key <KEY-ID>

This will open the GPG command-line interface. Enter the command trust to set the trust level for the key. Follow the prompts to select the appropriate level of trust.

Verify the imported key: You can verify that the key has been successfully imported by running the command:

gpg --list-keys

The imported key should be listed along with its details.

Configure Git to use GPG

To enable Git commit signing with your GPG key, run the following command, replacing <YOUR-SIGNING-KEY-PUB-ID> with your key ID:

gpg --list-keys --keyid-format SHORT

git config --global user.signingkey <YOUR-SIGNING-KEY-PUB-ID>
git config --global commit.gpgsign true

!!! note

SHORT keyid format will show the key-id into short format just next to rsa algorithm.

ex:

pub rsa4096/4BF70A73 2021-09-08 [SC] [expires: 2037-09-04]

Restart the terminal: After making these configurations, it's recommended to restart the terminal for the changes to take effect.

## Kill gpg agent once configured
pkill -TERM gpg-agent

If you use Visual Studio Code, you can turn on signing by changing a setting.

Open VSCode, go to Preferences > Settings, and search for git.enableCommitSigning. Turn this setting on, and you’re good to go.

Test GPG Setup

To test your GPG setup, you can encrypt and decrypt a message. Run the following command, replacing <PUT THE KEY ID HERE> with the key ID you used:

echo test | gpg -e -r <PUT THE KEY ID HERE> | gpg -d

If everything is set up correctly, you should see the decrypted message "test" printed in the terminal.

Congratulations! You have successfully set up GPG on your macOS or Linux system. You can now use GPG for encryption, decryption, and signing of sensitive data, providing an extra layer of security to your digital communication. Remember to keep your private key secure and never share it with anyone.