GPG Keys

GPG keys are used to sign tags and commits with git, which in turn marks the commits as "Verified" on GitHub, so others can be confident that the changes come from a trusted source.

I use three GPG keys, one for each email address:

  1. [email protected]

  2. [email protected]

  3. [email protected]

All three public keys have been copied into my GitHub GPG Key Settings.

Installation

Download and install the GPG command line tools for your operating system.

On Windows, you can use the built-in gpg.exe that comes with Git, or download Gpg4win or GnuPG. The gpg.exe is located under usr/bin within your Git installation folder (i.e. Program Files\Git).

  • Install Gpg4win via winget, chocolatey, scoop

OR

  • Use the gpg that came natively with git-for-windows: %programfiles%\Git\usr\bin\gpg.exe

```powershell
# install gpg4win - pick a method below:
winget install gpg4win
cinst gpg4win -y
scoop install gpg4win
```

Generating Keys

To generate a new GPG key run:

```shell
gpg --full-generate-key
# RSA, 4096 bits, No Expiration, etc.
```

I use GitKraken and my associated Git Profiles to generate the keys, but to generate them using gpg directly run:

```shell
gpg --full-generate-key
# or
gpg --default-new-key-algo rsa4096 --gen-key
```

which will prompt you for further details; select the following:

  • select RSA as type of key
  • use 4096 bits for key size
  • use 2 years for expiration time
  • lastly, enter User ID information

Note: When asked to enter your email address, ensure that you enter the verified email address for your GitHub account. To keep your email address private, use your GitHub-provided no-reply email address. For more information, see "Verifying your email address" and "Setting your commit email address."

List Keys

Next, list the keys via gpg --list-secret-keys --keyid-format LONG and copy the ID of the key you want to use. Then run gpg --armor --export <keyid> | Write-Output | clip to copy the key's armored text to your clipboard. Navigate to https://github.com/settings/keys and add the key to your GitHub account.

```powershell
gpg --full-generate-key
# RSA, 4096, 2 years, email address(s)

gpg --list-secret-keys --keyid-format LONG
# copy ID

gpg --armor --export <copied ID> | Write-Output | clip
# add 2 GH

start https://github.com/settings/keys
```

To list your keys run:

```shell
gpg --list-secret-keys --keyid-format=long
```

This will output the following information:

  • The path to your public keyring (.kbx) file
  • The type and length (in bits) of each key, followed by the key's ID (after rsa4096/)
  • The date of creation and expiration
  • Name, Comment, and email(s) associated with the keys.
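The listing format just described is what you have to read to pick the long ID for user.signingKey, and since the keys are generated with a 2-year expiry it is worth checking how long each one has left. The parser below is an added example, not part of this README; the key IDs, fingerprints, dates and user IDs in the sample are constructed.

```python
import re
from datetime import date

# Constructed sample of `gpg --list-secret-keys --keyid-format LONG` output.
# Key IDs, fingerprints, dates and user IDs are made up for this example.
SAMPLE_LISTING = """\
/c/Users/example/.gnupg/pubring.kbx
-----------------------------------
sec   rsa4096/3AA5C34371567BD2 2024-01-15 [SC] [expires: 2026-01-15]
      1234567890ABCDEF1234567890ABCDEF12345678
uid                 [ultimate] Example User <user@example.com>
ssb   rsa4096/42B317FD4BA89E7A 2024-01-15 [E] [expires: 2026-01-15]
sec   rsa4096/9F1E2D3C4B5A6978 2019-03-01 [SC] [expired: 2021-03-01]
      FEDCBA0987654321FEDCBA0987654321FEDCBA09
uid                 [ expired] Example User <old@example.com>
"""

# Primary key line: "sec   rsa4096/<long ID> <created> [caps] [expires: <date>]"
SEC_LINE = re.compile(
    r"^sec#?\s+(?P<algo>\w+)/(?P<keyid>[0-9A-F]{16})\s+(?P<created>\d{4}-\d{2}-\d{2})"
    r"\s+\[(?P<caps>[A-Z]+)\](?:\s+\[(?:expires|expired):\s+(?P<expires>\d{4}-\d{2}-\d{2})\])?"
)
UID_LINE = re.compile(r"^uid\s+\[\s*(?P<trust>\w+)\s*\]\s+(?P<uid>.+)$")

def parse_secret_key_listing(listing):
    """Return one dict per primary secret key; ssb subkey lines are skipped."""
    keys = []
    for line in listing.splitlines():
        if m := SEC_LINE.match(line):
            keys.append({**m.groupdict(), "uids": []})
        elif keys and (u := UID_LINE.match(line)):
            keys[-1]["uids"].append(u.group("uid"))
    return keys

def days_until_expiry(key, today):
    """Days left before the key expires (negative once expired); None if it never expires."""
    if key["expires"] is None:
        return None
    return (date.fromisoformat(key["expires"]) - date.fromisoformat(today)).days

def signing_key_ids(listing, today, min_days_left=0):
    """Long IDs (the form user.signingKey expects) of keys that can sign ('S')
    and still have more than min_days_left days before expiry."""
    chosen = []
    for key in parse_secret_key_listing(listing):
        left = days_until_expiry(key, today)
        if "S" in key["caps"] and (left is None or left > min_days_left):
            chosen.append(key["keyid"])
    return chosen
```

Feed it the real output of gpg --list-secret-keys --keyid-format LONG and a min_days_left of, say, 30 to get warned before a signing key expires and commits silently stop verifying.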

Upload Keys to GitHub

```powershell
# copy a key's ID then run
gpg --armor --export <ID>
# Prints the GPG key ID, in ASCII armor format
# to copy to clipboard and upload to github run:
gpg --armor --export <ID> | clip
start https://github.com/settings/keys
```

Configure Git

Adjust your git configuration to include your new GPG key signatures on commits:

```shell
git config --global user.signingKey "<long ID>"
git config --global gpg.program "C:\\Program Files\\Git\\usr\\bin\\gpg.exe"
git config --global commit.gpgSign true
git config --global tag.forceSignAnnotated true
```

Resulting .gitconfig:

```ini
[user]
	name = Jimmy Briggs
	email = jimmy.briggs@jimbrig.com
	signingKey = <REDACTED>
[core]
	longpaths = true
[gpg]
	program = C:\\Program Files\\Git\\usr\\bin\\gpg.exe
[commit]
	gpgSign = true
[tag]
	forceSignAnnotated = true
```

Depending on which gpg you installed, point gpg.program at the matching executable:

```shell
# for separate windows installation:
$ git config --global gpg.program "/c/Program Files (x86)/GnuPG/bin/gpg.exe"

# for git's included gpg executable:
$ git config --global gpg.program "/c/Program Files/Git/usr/bin/gpg.exe"
```

Note that git now also comes with gpg2.exe, which can make things easier; see this Stack Overflow post for details.

Migrating Keys

Using Zip Compressed Backups

Here I create a .zip archive of the entire ~/.gnupg folder for later restoration:

```powershell
Compress-Archive $HOME\.gnupg $HOME\OneDrive\Backups\Keys\gnupg_backup_yyyymmdd.zip
```

Then, on the new computer:

```powershell
Expand-Archive $HOME\OneDrive\Backups\Keys\gnupg_backup_yyyymmdd.zip $HOME
```

Now all you need to do is ensure you have Git and GPG installed and your .gitconfig is in sync with the keys restored from OneDrive.

Exporting

Another way to move your PGP keys from one machine to another is to export the keys on the source machine, and then import the keys on the target computer.

To export all public keys to an ASCII-armored (base64-encoded) text file run:

```shell
gpg -a --export > publickeys.asc
```

To export all encrypted private keys (which will also include corresponding public keys) to a text file, run:

```shell
gpg -a --export-secret-keys > privatekeys.asc
```

Optionally, to export the GPG trustdb to a text file, run:

```shell
gpg --export-ownertrust > otrust.txt
```

Then transfer those files to a place the new machine can access such as the cloud.

Importing

Simply execute gpg --import against the two .asc exports created above and check via gpg -k (public keys) and gpg -K (secret keys):

```shell
gpg --import privatekeys.asc
gpg --import publickeys.asc
gpg -k
gpg -K
```

Optionally import the trustdb file as well:

```shell
gpg --import-ownertrust otrust.txt
```

As the new user, test encryption and decryption with gpg -er <USERID> and gpg -d commands.

Keep in mind that decryption and signing will likely fail unless the user running gpg owns the terminal it is running on (Translation: don't su over to the new user; login directly via ssh or console).

Reference

Download GnuPG

GitHub Docs

Other