From da5fa8e167c56ec83388a44257cffe88cfb4df0d Mon Sep 17 00:00:00 2001 From: lukeify <5379845+lukeify@users.noreply.github.com> Date: Sun, 17 Nov 2024 22:15:39 +1300 Subject: [PATCH 1/3] fix: add additional import and chmod commands when setting up existing gpg keys on a new machine --- GPG.md | 28 ++++++++++++++++++++++------ 1 file changed, 22 insertions(+), 6 deletions(-) diff --git a/GPG.md b/GPG.md index 322fc45..da8e7f2 100644 --- a/GPG.md +++ b/GPG.md @@ -16,16 +16,13 @@ To configure a key locally, or otherwise use an existing key on a machine: - [Telling Git about your signing key][3] - [Sign git commits on GitHub with GPG in macOS][4] -I used these guides to configure a GPG key to be used for autosigning via `git`, in this order: +Install `gpg` if it's not already on your system. ```shell -# Add your signing key ID to git's config. -git config --global commit.signingkey $(gpg --list-secret-keys --keyid-format=long | awk '/^sec/ {split($2, a, "/"); print a[2]}') -# Automatically sign commits with the above key. -git config --global commit.gpgsign true +brew install gpg ``` -Finally we can use `pinentry-mac` to save our GPG credentials to macOS's keychain so we don't need to enter our key's password on every commit: +We can use `pinentry-mac` to save our GPG credentials to macOS's keychain so we don't need to enter our key's password on every commit: ```shell brew install pinentry-mac 
@@ -35,7 +32,26 @@ echo 'export GPG_TTY=$(tty)' >> ~/.zshrc gpgconf --kill gpg-agent ``` +Place the keys into `~/.gnupg` and ensure they have the correct permissions. +Finally import the private key: + +```shell +chmod 700 ~/.gnupg +chmod 600 ~/.gnupg/* +gpg --import ~/.gnupg/private.key +``` + +Once imported, the signing key summary will be displayed, and it can be used for autosigning via `git`: + +```shell +# Add your signing key ID to git's config. +git config --global commit.signingkey $(gpg --list-secret-keys --keyid-format=long | awk '/^sec/ {split($2, a, "/"); print a[2]}') +# Automatically sign commits with the above key. +git config --global commit.gpgsign true +``` + Once a commit is made, you will be asked to allow `pinetry-mac` to add items to your macOS keychain to enable automatic signing going forward. +This is a one-time operation. [1]: https://docs.github.com/en/authentication/managing-commit-signature-verification/generating-a-new-gpg-key [2]: https://docs.github.com/en/authentication/managing-commit-signature-verification/adding-a-gpg-key-to-your-github-account From 3aebe6e4e88c67ed54bd2c0105293b6f7c3ed364 Mon Sep 17 00:00:00 2001 From: lukeify <5379845+lukeify@users.noreply.github.com> Date: Fri, 22 Nov 2024 21:35:04 +1300 Subject: [PATCH 2/3] docs(gpg): sometimes GPG can hang --- GPG.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/GPG.md b/GPG.md index da8e7f2..6f6ad41 100644 --- a/GPG.md +++ b/GPG.md 
@@ -53,6 +53,14 @@ git config --global commit.gpgsign true Once a commit is made, you will be asked to allow `pinetry-mac` to add items to your macOS keychain to enable automatic signing going forward. This is a one-time operation. +# "GPG failed to sign the data" + +Sometimes the `gpg-agent` on macOS can hang. This can be checked by running: + +```shell +gpg --list-secret-keys --keyid-format=long +``` + [1]: https://docs.github.com/en/authentication/managing-commit-signature-verification/generating-a-new-gpg-key [2]: https://docs.github.com/en/authentication/managing-commit-signature-verification/adding-a-gpg-key-to-your-github-account [3]: https://docs.github.com/en/authentication/managing-commit-signature-verification/telling-git-about-your-signing-key From 2d92f948277bd30ea6b4e1504636a5b75728a669 Mon Sep 17 00:00:00 2001 From: lukeify <5379845+lukeify@users.noreply.github.com> Date: Wed, 27 Nov 2024 20:34:56 +1300 Subject: [PATCH 3/3] docs(gpg): `gpg --import-ownertrust` --- GPG.md | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/GPG.md b/GPG.md index 6f6ad41..3881b7f 100644 --- a/GPG.md +++ b/GPG.md @@ -41,7 +41,14 @@ chmod 600 ~/.gnupg/* gpg --import ~/.gnupg/private.key ``` -Once imported, the signing key summary will be displayed, and it can be used for autosigning via `git`: +Once imported, the signing key summary will be displayed. +Next, it must be trusted "ultimately" by importing the `trust.gpg` file: + +```shell +gpg --import-ownertrust ~/.gnupg/trust.gpg +``` + +Now it can be used for autosigning via `git`: ```shell # Add your signing key ID to git's config.
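Review bot: in the first hunk of patch 1/3 (`@@ -16,16 +16,13 @@`), `brew install gpg` only works because `gpg` is an alias of the Homebrew `gnupg` formula; using `brew install gnupg` matches the name `brew info` reports and the `gpg-agent`/`gpgconf` tooling referenced later in the document. The replaced sentence was also the only one explaining that the guide links above are the sources for the steps that follow; consider keeping a short version of it.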
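Review bot: in the second hunk of patch 1/3 (`@@ -35,7 +32,26 @@`), `chmod 600 ~/.gnupg/*` also strips the execute bit from the directories gpg creates inside `~/.gnupg` (for example `private-keys-v1.d`), which then cannot be traversed; use `chmod 700` for directories and `600` for files, e.g. `find ~/.gnupg -type d -exec chmod 700 {} +` and `find ~/.gnupg -type f -exec chmod 600 {} +`. The exported `private.key` should also be deleted once `gpg --import` succeeds rather than left beside the keyring, and the `awk` pipeline feeding `commit.signingkey` prints one ID per `sec` line, so on a machine with more than one secret key the config ends up with several IDs joined by spaces; document that the command assumes a single key or have the reader paste the ID explicitly.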
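Review bot: the hunk in patch 2/3 (`@@ -53,6 +53,14 @@`) names a symptom and a check but no recovery step. `gpgconf --kill gpg-agent` already appears earlier in the document, so state that restarting the agent is the fix and describe what a hang looks like (the listing command blocks without printing any key). `echo test | gpg --clearsign` exercises the same signing path git uses and reproduces the quoted error more directly than listing keys.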
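Review bot: in the hunk of patch 3/3 (`@@ -41,7 +41,14 @@`), `trust.gpg` is not a file gpg produces on its own, so the reader has nothing to import unless the document says to create it on the original machine with `gpg --export-ownertrust > trust.gpg` and copy it alongside `private.key`. Note also that the import applies trust values for every key in that file, not only the signing key; for a single key, `gpg --edit-key <KEY ID>` followed by `trust` sets the same ultimate trust without carrying a file across. Finally, ultimate trust is not required for `git commit -S` to sign; it only affects the "not certified with a trusted signature" warning when verifying, so "must be trusted" overstates it.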