Skip to content

fix: gpg --import and chmod existing keys on new machine #18

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
lukeify merged 3 commits into from
Nov 27, 2024
Merged

fix: gpg --import and chmod existing keys on new machine #18

Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
da5fa8e
fix: add additional import and chmod commands when setting up existin…
lukeify Nov 17, 2024
3aebe6e
docs(gpg): sometimes GPG can hang
lukeify Nov 22, 2024
2d92f94
docs(gpg): `gpg --import-ownertrust`
lukeify Nov 27, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
43 changes: 37 additions & 6 deletions GPG.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,16 +16,13 @@ To configure a key locally, or otherwise use an existing key on a machine:
- [Telling Git about your signing key][3]
- [Sign git commits on GitHub with GPG in macOS][4]

I used these guides to configure a GPG key to be used for autosigning via `git`, in this order:
Install `gpg` if it's not already on your system.

```shell
# Add your signing key ID to git's config.
git config --global commit.signingkey $(gpg --list-secret-keys --keyid-format=long | awk '/^sec/ {split($2, a, "/"); print a[2]}')
# Automatically sign commits with the above key.
git config --global commit.gpgsign true
brew install gpg
```

Finally we can use `pinentry-mac` to save our GPG credentials to macOS's keychain so we don't need to enter our key's password on every commit:
We can use `pinentry-mac` to save our GPG credentials to macOS's keychain so we don't need to enter our key's password on every commit:

```shell
brew install pinentry-mac
Expand All @@ -35,7 +32,41 @@ echo 'export GPG_TTY=$(tty)' >> ~/.zshrc
gpgconf --kill gpg-agent
```

Place the keys into `~/.gnupg` and ensure they have the correct permissions.
Finally import the private key:

```shell
chmod 700 ~/.gnupg
chmod 600 ~/.gnupg/*
gpg --import ~/.gnupg/private.key
```

Once imported, the signing key summary will be displayed.
Next, it must be trusted "ultimately" by importing the `trust.gpg` file:

```shell
gpg --import-ownertrust ~/.gnupg/trust.gpg
```

Now it can be used for autosigning via `git`:

```shell
# Add your signing key ID to git's config.
git config --global commit.signingkey $(gpg --list-secret-keys --keyid-format=long | awk '/^sec/ {split($2, a, "/"); print a[2]}')
# Automatically sign commits with the above key.
git config --global commit.gpgsign true
```

Once a commit is made, you will be asked to allow `pinetry-mac` to add items to your macOS keychain to enable automatic signing going forward.
This is a one-time operation.

# "GPG failed to sign the data"

Sometimes the `gpg-agent` on macOS can hang. This can be checked by running:

```shell
gpg --list-secret-keys --keyid-format=long
```

[1]: https://docs.github.com/en/authentication/managing-commit-signature-verification/generating-a-new-gpg-key
[2]: https://docs.github.com/en/authentication/managing-commit-signature-verification/adding-a-gpg-key-to-your-github-account
Expand Down