Signing your commits with GPG (GNU Privacy Guard)

1. Pre-requisites

Install GPG and PINEntry if not already installed

Linux

For Linux, install via your distro’s package manager.

Mac

For Mac, install via Homebrew:

brew install gpg pinentry-mac

Then to set pinentry-mac as your GPG PIN entry program, create ~/.gnupg/gpg-agent.conf if it doesn’t exist, and add the following line to it:

pinentry-program /opt/homebrew/bin/pinentry-mac

Windows

For Windows, it is highly recommended that you use WSL and follow this guide within your Linux subsystem (including using the Linux distro’s package manager to install GPG).

Alternatively, you can install GPG4Win natively, but there is no guarantee that this guide will work perfectly for you. Good luck.

Tighten permissions for `$HOME/.gnupg` directory

Your $HOME/.gnupg directory should have it’s permissions set to 700, which means:

The owner (you) has read, write, and execute permissions.
No one else has any permissions.

You can set this permission by running:

chmod 700 ~/.gnupg

Verify the permissions are correct by running ls -al in your home directory, the output line for your .gnupg directory should look like this:

drwx------  13 toby  staff    416 28 Mar 17:57 .gnupg

2. Generate a GPG key pair

gpg --full-generate-key

Select RSA and RSA
Choose key size of 4096 bits
Choose when you want your key to expire
Enter your details as prompted
- You must use the email that will be tied to your commits (more on this below)
- Use the comment to describe the purpose for the GPG key (“Git commit signing key”)
Confirm your details and you will be prompted to enter a “passphrase”. You will use this passphrase when signing your commits to prove it was you who made the commit. Make sure you remember your passphrase, and do not share it with anyone.

Alternative: Import an existing GPG key pair from another computer

Note: This is not recommended for most use cases. You typically want one key pair per computer.

On the computer that has the existing GPG key pair, export the key pair and write the exported keys to files. This example uses a GPG key pair tied to hi@tobyscott.dev.

# Export the public key to a file
gpg --export -a "hi@tobyscott.dev" > public.key

# Export the private key to a file. This step will ask you for the key's passphrase.
gpg --export-secret-key -a "hi@tobyscott.dev" > private.key

Securely transfer these files to the new computer, and now perform all following steps on the new computer.

Import the GPG key pair from the files

# Import the public key from the file
gpg --import public.key

# Import the private key from the file. This step will ask you for the key's passphrase.
gpg --import private.key

Trust your imported key pair in the new environment. If you run $ gpg --list-keys you will see the uid line now reads [unknown] rather than [ultimate]. This is because your newly imported key pair doesn’t exist in your new environment’s GPG trust database (stored at ~/.gnupg/trustdb.gpg). Let’s trust it now.

gpg --edit-key hi@tobyscott.dev

This will open an interactive prompt. Run trust, choose “I trust ultimately” and confirm your choice. Finally run save to save and exit the interactive prompt.

Now list your GPG keys and notice that [unknown] has changed to [ultimate].

3. Add your public GPG key to your GitHub Account (see reference here)

You need to give GitHub your GPG public key so they are able to verify your signed commits against it. Remember to never give anyone your private key or passphrase, not even GitHub!

List the long form of the GPG keys for which you have both a public and private key:

gpg --list-secret-keys --keyid-format=long

It should output something like:

/home/toby/.gnupg/pubring.kbx
-----------------------------
sec   rsa4096/9359241A3D7708E5 2024-01-18 [SC]
      1C66CEB6A85DDFE83D3695899359241A3D7708E5
uid                 [ultimate] Toby Scott (Commit signing key) <hi@tobyscott.dev>
ssb   rsa4096/51B12CCB2D65F7B3 2024-01-18 [E]

The part after rsa4096/ and before the date on the sec line is the GPG key ID. In the example above, the GPG key ID is: 9359241A3D7708E5.

Now export the full public key with the following command:

gpg --armor --export 9359241A3D7708E5

Tip, you can also write the output of this command (your full public key) to a file by adding > gpg_public.key to the end of the above command.

Copy your entire GPG public key, all the way from -----BEGIN PGP PUBLIC KEY BLOCK----- to -----END PGP PUBLIC KEY BLOCK----- to your clipboard.

Go to GitHub, navigate to Settings > Access > SSH and GPG keys

Click New GPG key
In the “Key” field, paste the GPG key you just copied
Click Add GPG key and enter your password to confirm the action.

4. Configuring Git on your machine to use GPG

Tell Git where to find the GPG executable:

git config --global gpg.program $(which gpg)

Tell Git to sign all commits:

git config --global commit.gpgsign true

Tell Git which GPG key to use to sign the commits by referencing the GPG key ID:

git config --global user.signingkey "9359241A3D7708E5"

Final notes

The global Git config will be used for all repos on your machine. If you want to configure a specific repo differently, make sure your working directory is the repo you want to configure, and replace the --global flag with --local instead.

Also note, the email used in the GPG key must match the email tied to the commits (set in your git config). Additionally, GitHub requires that email to match your GitHub email address. If you have email privacy turned on the email will look something like 12345678+username@users.noreply.github.com, so that is the email you will have to use when creating your GPG key pair. However, you can manually set the email address tied to commits in a specific repo with git config --local user.email "hi@tobyscott.dev", but you will have to ensure that email address is added to your GitHub account. You will see the following “Unverified” badge next to your GPG key in GitHub if you haven’t yet.

Unverified email in GitHub

You can read more about this here in the GitHub docs.

Command cheatsheet

# Generate GPG key pair
gpg --full-generate-key

# List all public keys
gpg --list-keys

# List all private keys
gpg --list-secret-keys

# Edit an existing GPG key
gpg --edit-key <email address>

# Export a public key
gpg --armor --export <GPG key ID>

# Enable Git commit signing
git config --global commit.gpgsign true

# Tell Git which key to use for commit signing
git config --global user.signingkey "<GPG key ID>"

# Tell Git where to find the GPG binary
git config --global gpg.program $(which gpg)

1. Pre-requisites#

Install GPG and PINEntry if not already installed#

Linux#

Mac#

Windows#

Tighten permissions for $HOME/.gnupg directory#

2. Generate a GPG key pair#

Alternative: Import an existing GPG key pair from another computer#

3. Add your public GPG key to your GitHub Account (see reference here)#

4. Configuring Git on your machine to use GPG#

Final notes#

Command cheatsheet#