
Set up GPG signing of commits and tags

Cheng Fang edited this page Aug 31, 2023 · 4 revisions

install gnupg:

Find an installation method for your OS and install gnupg. For example, this is the command to install it on macOS with Homebrew:

brew install gnupg

verify the newly installed gpg version:

gpg --version

list existing keys:

gpg --list-keys

generate a key

Generated keys are stored under ~/.gnupg/

gpg --full-generate-key

show the generated key in long format:

gpg --list-secret-keys --keyid-format=long

------------------------------------
sec   4096R/3AA5C34371567BD2 2016-03-10 [expires: 2017-03-10]
uid                          Hubot <hubot@example.com>
ssb   4096R/4BB6D45482678BE3 2016-03-10

tell git to use the above key:

In the output above, the key-id is 3AA5C34371567BD2: on the sec line (line 1) the second column reads 4096R/3AA5C34371567BD2, and the key-id is the part after the slash (the primary key, not the ssb subkey). Use this key-id in the following command.

git config --global user.signingkey <key-id>

Optionally, configure git to always sign commits and tags

These settings save you from typing the -s (for git tag) or -S (for git commit) option on each individual git command.

git config --global commit.gpgsign true
git config --global tag.gpgsign true

# to check current settings:
git config --global --get commit.gpgsign
git config --global --get tag.gpgsign

save your public key to your GitHub account so that GitHub can verify your signed commits and tags.

Copy your GPG public key from the output of the command below, beginning with -----BEGIN PGP PUBLIC KEY BLOCK----- and ending with -----END PGP PUBLIC KEY BLOCK-----, and add it to your GitHub account.

gpg --armor --export <key-id>

set the terminal (tty) for gpg

This is needed to avoid errors like gpg: signing failed: Inappropriate ioctl for device, which occur when gpg cannot find a terminal on which to prompt for the pin. You may want to add this line to your shell startup script, such as $HOME/.bashrc:

export GPG_TTY=`tty`

Optionally, configure a pinentry program to prompt for and save the key pin

On macOS you may want to use pinentry-mac, which shows a GUI window for entering the pin and can optionally store it in the keychain. Install it, then enable it in your ~/.gnupg/gpg-agent.conf (create the file if it does not exist). Note that on Apple Silicon Homebrew installs binaries under /opt/homebrew/bin rather than /usr/local/bin, so adjust the path below accordingly:

brew install pinentry-mac

pinentry-program /usr/local/bin/pinentry-mac

change the key pin, if needed

gpg --edit-key <keyid>
> passwd
> [enter new pin, and press Enter to confirm]
>

Configure IDE integration in order to sign commits and tags inside IDE

In general, a good tool should be able to pick up the configured keys from the system, though the actual steps vary. Sometimes the IDE may hang during a commit while waiting for the pin input. If the problem persists, the last resort is to use a blank password so that the tool need not wait for any user input. A weak or blank pin poses a serious security risk and should be avoided. See the section above for how to change the pin.
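The steps above (reading the long key-id from the gpg listing, pointing user.signingkey at it, and exporting GPG_TTY) can be checked with a small script. This is an added example and not part of the wiki; the sample listing is constructed from the Hubot output shown above, and the function names are this example's own, not gpg's or git's.

```bash
#!/usr/bin/env bash
# Added example (not from the wiki): helpers that check the GPG commit-signing
# setup described above. Function names are hypothetical; the listing is a
# constructed sample copied from the wiki's Hubot output.
set -u

# Constructed sample of `gpg --list-secret-keys --keyid-format=long` output.
SAMPLE_LISTING='sec   4096R/3AA5C34371567BD2 2016-03-10 [expires: 2017-03-10]
uid                          Hubot <hubot@example.com>
ssb   4096R/4BB6D45482678BE3 2016-03-10'

# The long key-id is the text after "/" in the second column of the first
# "sec" line (the primary key, not the "ssb" subkey). Handles both the
# "4096R/..." form shown in the wiki and the newer "rsa4096/..." form.
keyid_from_listing() {
    printf '%s\n' "$1" | awk '/^sec/ { split($2, f, "/"); print f[2]; exit }'
}

# A long key-id is exactly 16 hex digits; 8-digit short ids are trivially
# collidable and should not be used for user.signingkey.
is_long_keyid() {
    case "$1" in
        *[!0-9A-Fa-f]*) return 1 ;;
    esac
    [ "${#1}" -eq 16 ]
}

# Confirm git's configured signing key is a key gpg actually holds. Accepts a
# long key-id or a full fingerprint in user.signingkey. Needs git and gpg.
check_git_signingkey() {
    local configured listing actual
    configured=$(git config --global --get user.signingkey) || {
        echo "user.signingkey is not set (see the wiki step above)" >&2; return 1; }
    listing=$(gpg --list-secret-keys --keyid-format=long "$configured" 2>/dev/null) || {
        echo "gpg holds no secret key matching $configured" >&2; return 1; }
    actual=$(keyid_from_listing "$listing")
    case "$configured" in
        *"$actual") [ -n "$actual" ] ;;
        *) echo "configured key $configured does not match gpg's $actual" >&2; return 1 ;;
    esac
}

# Round-trip sign/verify with the given key. Without GPG_TTY this is where the
# "Inappropriate ioctl for device" error from the wiki shows up in a terminal.
signing_self_test() {
    export GPG_TTY=${GPG_TTY:-$(tty)}
    printf 'signing self-test\n' | gpg --clearsign --local-user "$1" 2>/dev/null \
        | gpg --verify >/dev/null 2>&1
}
```

Run check_git_signingkey and then signing_self_test "$(git config --global --get user.signingkey)" after completing the steps; a zero exit status from both means git, gpg and the terminal agree on the key.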

References

Generating a new GPG key - GitHub Docs

GnuPG