GPG keys are used to sign tags and commits with git, which in turn lets GitHub mark the commits as verified, so others can be confident that the changes really come from the account they appear to come from.
I use three GPG keys, one for each email address:
All three public keys have been copied into my GitHub GPG Key Settings.
Download and install the GPG command line tools for your operating system. On Windows, you can use the built-in gpg.exe that comes with Git, or download Gpg4win or GnuPG. The gpg.exe is located under usr/bin within your Git installation folder (i.e. Program Files\Git).
- Install Gpg4win via winget, chocolatey, or scoop, OR
- Use the gpg that came natively with git-for-windows: %programfiles%\Git\usr\bin\gpg.exe
# install gpg4win - pick a method below:
winget install gpg4win
cinst gpg4win -y
scoop install gpg4win
To generate a new GPG key run:
gpg --full-generate-key
# RSA, 4096 bits, 2-year expiration, etc.
I use GitKraken and my associated Git Profiles to generate the keys, but to generate them using gpg directly run:
gpg --full-generate-key
# or
gpg --default-new-key-algo rsa4096 --gen-key
which will prompt you for further details; select the following:
- select RSA as type of key
- use 4096 bits for key size
- use 2 years for expiration time
- lastly, enter User ID information
Note: When asked to enter your email address, ensure that you enter the verified email address for your GitHub account. To keep your email address private, use your GitHub-provided no-reply email address. For more information, see "Verifying your email address" and "Setting your commit email address."
Next, list the keys via gpg --list-secret-keys --keyid-format LONG and copy the long ID (the 16 hex characters after rsa4096/) of the key you want to use. Then run gpg --armor --export <keyid> | clip to put the key's ASCII-armored public key on your clipboard. Navigate to https://github.com/settings/keys and add the key to your GitHub account.
gpg --full-generate-key
# RSA, 4096, 2 years, email address(es)
gpg --list-secret-keys --keyid-format LONG
# copy the long key ID
gpg --armor --export <copied ID> | clip
# add it to GitHub
start https://github.com/settings/keys
To list your keys run:
gpg --list-secret-keys --keyid-format=long
This will output the following information:
- The path to your public key ring .kbx file
- The type and length (in bits) of each key, followed by the key's ID (after rsa4096/)
- The date of creation and expiration
- Name, Comment, and email(s) associated with the keys.
# copy a key's ID then run
gpg --armor --export <ID>
# Prints that key's public key in ASCII-armor format
# to copy it to the clipboard and upload it to GitHub run:
gpg --armor --export <ID> | clip
start https://github.com/settings/keys
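The generate, list and export steps above, put together as one non-interactive PowerShell script. This is an added example, not code from the original notes or from GitHub's docs. It assumes gpg.exe is on PATH (Git for Windows' usr\bin or Gpg4win), that the name and e-mail below are placeholders you replace, and that pinentry prompts for the passphrase because the parameter file sets none. It goes a step beyond the interactive prompt: the answers go into a gpg --batch parameter file, and the key ID is read from gpg's --with-colons machine-readable listing instead of being copied by hand.

```powershell
# Added example: batch key generation + long-ID lookup + export to clipboard.
# Assumes gpg.exe on PATH and placeholder identity values below.
$name  = 'Jane Doe'                                     # placeholder
$email = '12345678+janedoe@users.noreply.github.com'    # placeholder GitHub no-reply address

# 1. Generate: the same answers the interactive prompt asks for, written as a
#    parameter file ("Unattended key generation" in the GnuPG manual). No
#    Passphrase: line is given, so pinentry asks for one as usual.
$paramFile = New-TemporaryFile
@"
Key-Type: RSA
Key-Length: 4096
Subkey-Type: RSA
Subkey-Length: 4096
Name-Real: $name
Name-Email: $email
Expire-Date: 2y
%commit
"@ | Set-Content -LiteralPath $paramFile.FullName -Encoding ascii
gpg --batch --generate-key $paramFile.FullName
if ($LASTEXITCODE -ne 0) { throw "key generation failed (exit $LASTEXITCODE)" }
Remove-Item -LiteralPath $paramFile.FullName

# 2. Look the key up by e-mail in the --with-colons format: field 5 of the
#    'sec' record is always the 64-bit (long) key ID, and the 'fpr' record that
#    follows it carries the full fingerprint in field 10.
$records = gpg --list-secret-keys --with-colons $email
$sec = $records | Where-Object { $_ -like 'sec:*' } | Select-Object -First 1
$fpr = $records | Where-Object { $_ -like 'fpr:*' } | Select-Object -First 1
if (-not $sec) { throw "no secret key has a user ID matching $email" }
$keyId       = ($sec -split ':')[4]
$fingerprint = ($fpr -split ':')[9]
"Long key ID : $keyId"
"Fingerprint : $fingerprint"

# 3. Put the ASCII-armored public key on the clipboard and open the GitHub
#    settings page to paste it into.
gpg --armor --export $fingerprint | Set-Clipboard
Start-Process 'https://github.com/settings/keys'

# 4. Tell git which key to sign with. The full fingerprint is accepted wherever
#    the long ID is and cannot be confused with another key.
git config --global user.signingKey $fingerprint
```

The e-mail argument to gpg --list-secret-keys is a substring match on the user IDs, so if two keys share an address the first one listed wins; check the printed fingerprint against gpg -K before trusting the result.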
Adjust your git configuration so that commits (and annotated tags) are signed with your new GPG key:
git config --global user.signingKey "<long ID>"
git config --global gpg.program "C:\\Program Files\\Git\\usr\\bin\\gpg.exe"
git config --global commit.gpgSign true
git config --global tag.forceSignAnnotated true
Resulting .gitconfig:
[user]
name = Jimmy Briggs
email = jimmy.briggs@jimbrig.com
signingKey = <REDACTED>
[core]
longpaths = true
[gpg]
program = C:\\Program Files\\Git\\usr\\bin\\gpg.exe
[commit]
gpgSign = true
[tag]
forceSignAnnotated = true
# for a separate Windows installation (Gpg4win / GnuPG):
$ git config --global gpg.program "/c/Program Files (x86)/GnuPG/bin/gpg.exe"
# for git's included gpg executable:
$ git config --global gpg.program "/c/Program Files/Git/usr/bin/gpg.exe"
Note that git now also comes with gpg2.exe which can make things easier - see this stackoverflow post for details.
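A smoke test for the configuration above: it checks that the gpg.program git is configured to call actually exists and knows the signing key, then makes one signed empty commit in a throw-away repository and asks git to verify it. This is an added example, not part of the original notes; it assumes git.exe is on PATH and that gpg.program, user.signingKey, user.name and user.email are set in the global .gitconfig as shown.

```powershell
# Added example: smoke-test the signing configuration in a scratch repo.
# Assumes git.exe on PATH and gpg.program / user.signingKey / user.name /
# user.email set in the global .gitconfig.
$gpgProgram = git config --global --get gpg.program
$signingKey = git config --global --get user.signingKey
if (-not $gpgProgram -or -not (Test-Path -LiteralPath $gpgProgram)) {
    throw "gpg.program is unset or points to a missing file: '$gpgProgram'"
}
# git will invoke exactly this binary, so its keyring is the one that matters.
& $gpgProgram --list-secret-keys $signingKey *> $null
if ($LASTEXITCODE -ne 0) { throw "$gpgProgram has no secret key matching $signingKey" }

$repo = Join-Path ([IO.Path]::GetTempPath()) ("sigcheck-" + [guid]::NewGuid())
git init -q $repo
Push-Location $repo
try {
    # commit.gpgSign=true makes this commit signed; pinentry may prompt once.
    git commit --allow-empty -q -m 'signature smoke test'
    if ($LASTEXITCODE -ne 0) { throw 'commit failed; git could not produce a signature' }
    # %G?: G = good, U = good but key not trusted locally, B = bad, N = unsigned
    $status = git log -1 '--format=%G? %GK %GS'
    "status / key / signer: $status"
    git verify-commit HEAD          # exit 0 only for a signature gpg can verify
    if ($LASTEXITCODE -ne 0) { throw 'HEAD is not verifiably signed' }
}
finally {
    Pop-Location
    Remove-Item -Recurse -Force -LiteralPath $repo
}
```

A status of U rather than G means the signature is good but the key is not marked trusted in the local keyring (typical right after importing keys without their ownertrust); gpg --edit-key <ID> trust, or importing the ownertrust file, fixes it. GitHub's "Verified" badge does not depend on that local trust setting.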
Here I will compress a .zip archive of the entire ~/.gnupg folder for restoration:
compress-archive $HOME\.gnupg $HOME\OneDrive\Backups\Keys\gnupg_backup_yyyymmdd.zip
Then, on the new computer, run:
Expand-Archive $HOME\OneDrive\Backups\Keys\gnupg_backup_yyyymmdd.zip $HOME
Now all you need to do is ensure you have Git and GPG installed and that your .gitconfig is in sync with the keys restored from OneDrive. Check which home directory the gpg.program you configured actually reads (gpgconf --list-dirs homedir prints it): Git for Windows' bundled gpg uses $HOME\.gnupg, whereas Gpg4win's gpg uses %APPDATA%\gnupg, so the archive must be restored into the one git will use or signing will fail with "secret key not available".
Another way to move your gpg keys from one machine to another is to export the keys on the source machine, and then import the keys on the target computer.
To export all public keys to a base64-encoded text file run:
gpg -a --export > publickeys.asc
To export all encrypted private keys (which will also include corresponding public keys) to a text file, run:
gpg -a --export-secret-keys > privatekeys.asc
Optionally, to export the GPG trustdb to a text file, run:
gpg --export-ownertrust > otrust.txt
Then transfer those files to a place the new machine can access, such as the cloud. Two caveats: if you run the export commands from Windows PowerShell 5.1, use gpg's --output <file> for the key exports (and Set-Content -Encoding ascii for the ownertrust list) instead of >, because > re-encodes the text as UTF-16 and gpg will not import the result; and the secret-key export is protected only by the key's passphrase, so encrypt it (for example with gpg --symmetric) before it lands in a synced folder.
Simply execute gpg --import against the two .asc exports created above and check via gpg -k and gpg -K:
gpg --import privatekeys.asc
gpg --import publickeys.asc
gpg -k
gpg -K
Optionally import the trustdb file as well:
gpg --import-ownertrust otrust.txt
As the new user, test encryption and decryption with the gpg -er <USERID> and gpg -d commands.
Keep in mind that decryption and signing will likely fail unless the user running gpg owns the terminal it is running on (translation: don't su over to the new user; log in directly via ssh or console). On Linux, export GPG_TTY=$(tty) before running gpg is the usual fix when pinentry cannot find the terminal.
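The backup and the export/import procedures above, rehearsed end to end in PowerShell: export the keys and ownertrust, encrypt the secret-key export before it reaches the synced folder, then restore everything into a scratch GNUPGHOME and compare the key IDs with the live keyring, so you learn that the backup restores before you need it. This is an added example, not code from the original notes or from the Red Hat article they follow. It assumes gpg.exe and gpgconf.exe are on PATH, that $backupDir is a placeholder, and that pinentry is available to ask for the symmetric passphrase.

```powershell
# Added example: export -> encrypt -> restore into a scratch keyring -> compare.
# Assumes gpg.exe/gpgconf.exe on PATH and a placeholder $backupDir.
$backupDir = Join-Path $HOME 'OneDrive\Backups\Keys'         # placeholder
New-Item -ItemType Directory -Force -Path $backupDir | Out-Null
$stamp  = Get-Date -Format 'yyyyMMdd'
$pub    = Join-Path $backupDir "publickeys_$stamp.asc"
$priv   = Join-Path $backupDir "privatekeys_$stamp.asc.gpg"  # only the encrypted form is kept
$otrust = Join-Path $backupDir "otrust_$stamp.txt"

# Long IDs of every secret key in whichever keyring GNUPGHOME currently selects.
function Get-SecretKeyIds {
    gpg --list-secret-keys --with-colons |
        Where-Object { $_ -like 'sec:*' } |
        ForEach-Object { ($_ -split ':')[4] } |
        Sort-Object
}
$before = @(Get-SecretKeyIds)
if ($before.Count -eq 0) { throw 'no secret keys to back up' }

# 1. Export. gpg's --output is used instead of PowerShell's > because Windows
#    PowerShell 5.1 would re-encode the text as UTF-16, which gpg cannot import.
#    --export-ownertrust only writes to stdout, so it is captured as ASCII.
gpg --armor --export --output $pub
gpg --export-ownertrust | Set-Content -LiteralPath $otrust -Encoding ascii

# 2. The secret export is written to the local temp dir, wrapped in a second
#    (symmetric, AES-256) layer for the copy that goes to the cloud, and the
#    plaintext export is removed. The keys inside stay passphrase-protected too.
$plain = Join-Path ([IO.Path]::GetTempPath()) "privatekeys_$stamp.asc"
gpg --armor --export-secret-keys --output $plain
gpg --symmetric --cipher-algo AES256 --output $priv $plain
Remove-Item -LiteralPath $plain

# 3. Restore into an empty scratch home and compare with the live keyring.
$scratch = Join-Path ([IO.Path]::GetTempPath()) ("gnupg-restore-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $scratch | Out-Null
$env:GNUPGHOME = $scratch          # every gpg call below now uses the empty keyring
try {
    $restored = Join-Path $scratch 'privatekeys.asc'
    gpg --decrypt --output $restored $priv
    gpg --import $restored
    gpg --import $pub
    gpg --import-ownertrust $otrust
    $after = @(Get-SecretKeyIds)
    if (Compare-Object $before $after) {
        throw "restored keyring differs from source: $($after -join ', ')"
    }
    "restore rehearsal OK, keys: $($after -join ', ')"
    gpg -K                          # same keys as the source, with [ultimate] trust
}
finally {
    gpgconf --kill gpg-agent        # stop the agent that was started for the scratch home
    Remove-Item Env:GNUPGHOME
    Remove-Item -Recurse -Force -LiteralPath $scratch
}
```

On the real target machine the same three import commands run without GNUPGHOME set, against the directory git's gpg.program reads ($HOME\.gnupg for Git for Windows' gpg, %APPDATA%\gnupg for Gpg4win); the comparison step is what tells you the files in OneDrive are sufficient before the old machine is gone.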
- About commit signature verification - GitHub Docs
- Displaying verification statuses for all of your commits - GitHub Docs
- Checking for existing GPG keys - GitHub Docs
- Generating a new GPG key - GitHub Docs
- Adding a new GPG key to your GitHub account - GitHub Docs
- Telling Git about your signing key - GitHub Docs
- Associating an email with your GPG key - GitHub Docs
- Signing commits - GitHub Docs
- Signing tags - GitHub Docs
- How to migrate or export all GnuPG (gpg) public and private keys from one user to another - Red Hat Customer Portal
- Migrating GnuPG Keys from One Computer to Another (koozie.org)
- How to Backup and Restore Your GPG Key | Risan Bagja Pradana
- key management - How many OpenPGP keys should I make? - Information Security Stack Exchange
- SysAdminDocs/gpg-docs: GPG Documentation (github.com)
- Configure GPG to sign Git commits (in Windows) (neurotechnics.com)
- WINDOWS - How to enable auto-signing Git commits with GnuPG for programs that don't support it natively (github.com)