Git and GPG

GitHub Getting Started with SSH and GPG Signing

Creating an SSH key

Step 1 - Generate a new key.

ssh-keygen -t ed25519 -C "your_email@example.com"
eval "$(ssh-agent -s)"

Step 2 - Configure computer to use the new key

Before adding the key to GitHub, tell SSH to use it for github.com.

From the terminal:

# Create the config file if it does not exist, then open it
touch ~/.ssh/config
open ~/.ssh/config

A text editor window will appear and then paste the following:

Host github.com
  AddKeysToAgent yes
  UseKeychain yes
  IdentityFile ~/.ssh/id_ed25519

Step 3 - Add to GitHub

From the terminal:

pbcopy < ~/.ssh/id_ed25519.pub

From GitHub:

  • Settings -> SSH and GPG key -> New SSH key
    • Title: Give the key a name, something descriptive
    • Key type: "Authorization Key"
    • Key: Paste what the previous command from the terminal copied to your clipboard

GPG Key for Signing Commits

Signing commits helps us ensure that the person we thought created the code actually created the code.

Commit signing works in two parts. First, your computer signs the commit with a GPG (public/private) key. Then, when you push to GitHub, GitHub compares the signature against what it has on file for that email address. This allows GitHub to validate that a known computer (SSH key) and a verified person (GPG key) are responsible for the code commit.

For the Mac you'll need Brew installed; install it first if you don't have it already.

Once Brew is installed:

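brew install gnupg gpg
brew install pinentry-mac
# Create ~/.gnupg if gpg has not been run yet
mkdir -p ~/.gnupg && chmod 700 ~/.gnupg
# brew --prefix is /usr/local on Intel Macs and /opt/homebrew on Apple Silicon
echo "pinentry-program $(brew --prefix)/bin/pinentry-mac" >> ~/.gnupg/gpg-agent.conf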

Step 1 - Create local GPG key pair

gpg --full-generate-key

Step 2 - List available keys to configure the local Git tools

Shortcut - If you only have one GPG key, this command copies its public key to the clipboard; if you have more than one, skip down to Step 2B.

gpg --armor --export "$(
  gpg --list-secret-keys --keyid-format LONG \
  | awk '/^sec/{print $2; exit}' \
  | cut -d'/' -f2
)" | pbcopy

Step 2B

gpg --list-secret-keys --keyid-format LONG
# Result:

[keyboxd]
---------
sec   ed25519/2BA6DADD4FBW5F14 2025-02-06 [SC] [expires: 2020-02-06]
      1D4C2HWH4B6AB0D3433CEDD2BA6DADD4FBW5F14
uid                 [ultimate] Adam C. Abernathy <hello@adamabernathy.com>
ssb   cv25519/48AD7AJWNDU08A8C 2025-02-06 [E] [expires: 2020-02-06]

Now copy the key value from the sec line; in this case it's 2BA6DADD4FBW5F14.

# Sometimes the Mac needs this to get it to work the first time
# (skip the echo if the line is already in gpg-agent.conf):
echo "pinentry-program $(brew --prefix)/bin/pinentry-mac" >> ~/.gnupg/gpg-agent.conf
killall gpg-agent

# Add this line to your shell config (~/.zshrc or ~/.bashrc):
export GPG_TTY=$(tty)
# Then reload the shell config:
source ~/.zshrc

Run these commands to configure git. Make sure to update the values below and replace the key id with the key id from above.

git config --global user.signingkey <key id>
git config --global user.name "Hellen Hunt"
git config --global user.email "hhunt@twister.com"
git config --global gpg.program gpg
git config --global commit.gpgsign true

# Test the configuration - From a local git repo:
gpgconf --kill gpg-agent
gpgconf --launch gpg-agent

echo "test" | gpg --clearsign
git commit --allow-empty -m "test signing"
git log --show-signature -1
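
A pre-flight check for the configuration above, added here as an example and not part of the original gist: it reads `gpg --list-secret-keys --with-colons` output and reports whether the configured signing key is present, unexpired, and carries a uid for the commit email, which is the address GitHub matches the signature against. The function names and the sample listing (key ID, fingerprint, address) are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the gist). Classifies a signing key from
# `gpg --list-secret-keys --with-colons` output read on stdin.
# Usage: check_signing_key KEY_ID_OR_FINGERPRINT EMAIL NOW_EPOCH
# Prints one of: ok | missing | expired | email-mismatch
check_signing_key() {
  awk -F: -v want="$1" -v email="$2" -v now="$3" '
    BEGIN { w = toupper(want); e = "<" tolower(email) ">" }
    # sec: field 5 = long key ID, field 7 = expiry (epoch seconds, empty = never).
    # A 40-hex fingerprint ends in the long key ID, so compare the last 16 chars.
    $1 == "sec" {
      cur = (substr(w, length(w) - 15) == toupper($5))
      if (cur) { found = 1; expiry = $7 }
    }
    # uid: field 2 = validity (r = revoked), field 10 = "Name <email>".
    $1 == "uid" && cur && $2 != "r" && index(tolower($10), e) { uid_ok = 1 }
    END {
      if (!found) { print "missing" }
      else if (expiry != "" && expiry + 0 <= now + 0) { print "expired" }
      else if (!uid_ok) { print "email-mismatch" }
      else { print "ok" }
    }'
}

# Constructed sample listing (made-up key ID, fingerprint and address).
sample_listing() {
  cat <<'EOF'
sec:u:255:22:AAAA1111BBBB2222:1738800000:1770336000::u:::scESC:
fpr:::::::::0123456789ABCDEF01234567AAAA1111BBBB2222:
uid:u::::1738800000::0000::Example Dev <dev@example.com>:
ssb:u:255:18:CCCC3333DDDD4444:1738800000:1770336000:::::e:
EOF
}

# Offline demo against the sample; prints "ok".
sample_listing | check_signing_key AAAA1111BBBB2222 dev@example.com 1750000000

# Against the real keyring and Git configuration:
#   gpg --list-secret-keys --with-colons |
#     check_signing_key "$(git config user.signingkey)" \
#                       "$(git config user.email)" "$(date +%s)"
```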

Export key to GitHub so it can validate your signature.

Time to export the key to GitHub. To do so, copy the key ID, which in this case is the 2BA6DADD4FBW5F14 value.

Swap <key id> for what's in your clipboard:

gpg --armor --export <key id> | pbcopy

Now, go to GitHub and:

  • Settings -> SSH and GPG key -> New GPG key
    • Title: Give the key a name, something descriptive
    • Key: Paste what the previous command from the terminal copied to your clipboard

The "key" should look something like:

-----BEGIN PGP PUBLIC KEY BLOCK-----
(base64 key data)
-----END PGP PUBLIC KEY BLOCK-----

Validate everything works on GitHub

Create a commit, sign it, and push it to GitHub; you should then see a "Verified" badge next to the commit message.

@jacemcgough

Thank you Adam, very cool!
