Both SSH keys and GPG serve its purposes heres how! 🤓
SSH is more streamline and common to set up to commit your code without entering your username and password when commiting to repo. When generating an SSH key pair on your local machine and adding the public key to your Github account settings, you can easily authenticate securly without transmiting sensitive information over the network.
GPG stands for GNU Privacy Guard used to sign your Git commits to provide that the commits are signed by you. It comes more of an essense to use if you are freelancing and working with open source projects. In Github it would then display "Verified" badge next to your commits. In open source contribution GPG is often involved in Github Actions to verify users commits and provides assurance that commits are authentic.
In this turtorial we will use WSL(Windows Subsystem for Linux) Mac would be fine as well. We will start of setting SSH then continue on with GPG.
Setting up SSH
To be sure you should be aware that you dont have already existing SSH keys.
ls -al ~/.ssh
From own experience I did have but switched my laptop and SSH didnt back up.
Hint: You can always just copy .ssh folder manually and save it elsewhere or save it in drive to later add the folder in your new machine so you wont have to recreate it!
ssh-keygen -t rsa -b 4096 -C "your_email@example.com"
In above example we create ssh-keygen 4096 is amount of bits included(the longer more secure it is). The email is optional but recomented as it adds additional context of the key's purpose of ownership.
One think to note of above example I have canceled SSH creation if it's your first time continue BUT if SSH was already added in Github overwriting can cause issues:
- Authentication with a remote server
- Having revoked access to certain repos the old one was permited
- Security risks
Next run _*eval $(ssh-agent -s) *_is to start the SSH agent and set up the necessary environment.
ssh-add ~/.ssh/id_rsa
cat ~/.ssh/id_rsa.pub
Following that add it to your default .ssh folder and then just display it with the linux cat command. 🐈
Go to the bellow link
https://github.com/settings/keys
Add your SSH and if you please can test in your terminal with command
ssh -T git@github.com that will attemt to connect to Github using SSH. When generating GPG key you will be as well promoted to add a passfraze or not I did but that is for security purposes.
A tad more steps then SSH key gen but it is what it is.
Unlike SSH we have to use gpg command to view the GPG key by typing 👇
gpg --list-secret-keys --keyid-format LONG
//then get the full PGP content
gpg --armor --export <GPG-ID>
Copy the GPG key with begin and end block and add it at same path as SSH keys just in it's corresponding field link you can find here as well.
Lastly you can tell GIt to sign your commits using your GPG key(it will not interfier with SSH in majority of cases).
git config --global user.signingkey <your_gpg_key_id>
your GPG Key ID is sec section after running - list-secret-keys command the one after / sec rsa3072/.
When that is done on your git commits use -S flag to use signing commits.
git commit -S -m "Your first commit with GPG key!"
That is basically it remember to not aimlessly replace existing SSH or GPG keys maybe they are listed somewhere in your machine just not in right directory.
In addition using Github Desktop is convinient and easy but I wasn't able to do sign in commits with GPG so sometimes convienient way is not always the best and can cause conficts and issues.
Top comments (0)