DEV Community

SpiffyEight77

Generating a GPG key for your GitHub account

What is GPG

GPG (GNU Privacy Guard) is open-source software for encrypting and signing data. GPG uses asymmetric cryptography, in which each key pair consists of a public key and a private key. The public key is used to encrypt data, and only the user holding the private key can decrypt it. The private key is used to create digital signatures, which prove that the data indeed comes from the specified sender and has not been tampered with.

Why use GPG to protect your Git commits

Git commits can be impersonated because Git has no default mechanism for authenticating the author. If someone knows your name and email address, they can make commits in a Git repository that appear to come from you, which can damage your reputation or lead to improper behavior in your name.

To avoid this, you can use GPG signatures to authenticate Git commits.

Set up GPG on macOS

Install GPG

brew install gnupg

Generate key pair

Accept the default at every step.

gpg --full-generate-key --expert

Please select what kind of key you want:
   (1) RSA and RSA
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
   (7) DSA (set your own capabilities)
   (8) RSA (set your own capabilities)
   (9) ECC (sign and encrypt) *default*
  (10) ECC (sign only)
  (11) ECC (set your own capabilities)
  (13) Existing key
  (14) Existing key from card
Your selection?

Export key

Check the existing key

gpg --list-secret-keys --keyid-format LONG

gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
[keyboxd]
---------
sec   ed25519/XXXXXXXXXXXX 2023-05-28 [SC]
      XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
uid                 [ultimate] SpiffyEight77
ssb   cv25519/XXXXXXXXXXXX 2023-05-28 [E]

Export the public key

gpg --armor --export XXXXXXXXXXXX

Then paste it into the GitHub "SSH and GPG keys" settings.

Set the GPG_TTY environment variable in the shell

echo 'export GPG_TTY=$(tty)' >> ~/.zshrc && source ~/.zshrc

Allow git to use the GPG key for signing

git config --global user.signingkey XXXXXXXXXXXXX

git config --global commit.gpgsign true
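
The key listing shown earlier is meant to be read by eye; gpg also has a machine-readable form of it (`--with-colons`) that suits scripting this step. The following is an added example, not part of the original post: it picks the fingerprint to give to `user.signingkey`, skips expired, revoked and disabled keys, and refuses to choose when more than one key qualifies. The sample listing, key IDs, fingerprints and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: choose the key for `git config user.signingkey` from gpg's
# machine-readable listing instead of copying an ID by eye.

# Constructed sample of `gpg --list-secret-keys --with-colons` output.
# All key IDs, fingerprints and addresses below are made up.
SAMPLE_LISTING='sec:e:255:22:1111111111111111:1590000000:1600000000::u:::sc:::+::ed25519:::0:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAA1111111111111111:
uid:e::::1590000000::0000::Old Identity <old@example.invalid>::::::::::0:
sec:u:255:22:2222222222222222:1685232000:::u:::scESC:::+::ed25519:::0:
fpr:::::::::BBBBBBBBBBBBBBBBBBBBBBBB2222222222222222:
uid:u::::1685232000::0000::SpiffyEight77 <dev@example.invalid>::::::::::0:
ssb:u:255:18:3333333333333333:1685232000::::::e:::+::cv25519::
fpr:::::::::CCCCCCCCCCCCCCCCCCCCCCCC3333333333333333:'

# Print the fingerprint of every primary key that can currently sign.
# Record layout (GnuPG doc/DETAILS): field 2 = validity, field 12 =
# capabilities, and an fpr record carries the fingerprint in field 10.
signing_key_fprs() {
    awk -F: '
        $1 == "sec" {
            # e/r/d/i/n = expired, revoked, disabled, invalid, not valid.
            # Upper-case S = the key as a whole can sign; D = disabled.
            want = ($2 !~ /^[erdin]$/) && index($12, "S") && !index($12, "D")
            next
        }
        $1 == "ssb" { want = 0; next }   # subkey fingerprints are skipped
        $1 == "fpr" && want { print $10; want = 0 }
    '
}

# Succeed only when exactly one key qualifies, so that an ambiguous keyring
# never ends up configured with the wrong key.
pick_signing_key() {
    fprs=$(signing_key_fprs)
    count=$(printf '%s\n' "$fprs" | grep -c . || true)
    if [ "$count" -ne 1 ]; then
        echo "expected exactly one usable signing key, found $count" >&2
        return 1
    fi
    printf '%s\n' "$fprs"
}

# Demo on the constructed sample. On a real machine:
#   git config --global user.signingkey "$(gpg --list-secret-keys --with-colons | pick_signing_key)"
printf '%s\n' "$SAMPLE_LISTING" | pick_signing_key
```

Once a commit has been made with this configuration, `git log --show-signature -1` shows whether gpg could verify its signature.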

Export for backup (optional)

Export the public and secret keys for backup, and keep the files in a safe place.

gpg --armor --output gpg_pub_key.gpg --export XXXXXXXXXXX
gpg --armor --output gpg_sec_key.gpg --export-secret-keys XXXXXXXXXXX

Top comments (2)

Humberto A Sanchez II • Edited

On OS X with Homebrew, using the --armor message generates this message:

gpg: Note: '--armor' is not considered an option
gpg: Note: '--export' is not considered an option

Version

gpg --version
gpg (GnuPG) 2.4.2
libgcrypt 1.10.2
Copyright (C) 2023 g10 Code GmbH
License GNU GPL-3.0-or-later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

SpiffyEight77

I'm so sorry that I cannot reproduce the message you provided in the comment using the GPG version of 2.4.1.

Could you please provide more information about the specific command that is causing the problem?