{"id":13648024,"url":"https://github.com/pstadler/keybase-gpg-github","last_synced_at":"2025-04-14T22:15:40.163Z","repository":{"id":37733463,"uuid":"55594650","full_name":"pstadler/keybase-gpg-github","owner":"pstadler","description":"Step-by-step guide on how to create a GPG key on keybase.io, adding it to a local GPG setup and using it with Git and GitHub.","archived":false,"fork":false,"pushed_at":"2023-02-10T17:26:18.000Z","size":284,"stargazers_count":2639,"open_issues_count":9,"forks_count":180,"subscribers_count":36,"default_branch":"master","last_synced_at":"2025-04-14T22:15:26.629Z","etag":null,"topics":["cryptography","gpg","guide","howto","keybase","signing"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/pstadler.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2016-04-06T09:51:16.000Z","updated_at":"2025-04-09T17:17:03.000Z","dependencies_parsed_at":"2024-01-10T19:10:01.840Z","dependency_job_id":null,"html_url":"https://github.com/pstadler/keybase-gpg-github","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pstadler%2Fkeybase-gpg-github","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pstadler%2Fkeybase-gpg-github/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pstadler%2Fkeybase-gpg-github/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pstadler%2Fkeybase-gpg-github/manifests","owner_url":"https:/
/repos.ecosyste.ms/api/v1/hosts/GitHub/owners/pstadler","download_url":"https://codeload.github.com/pstadler/keybase-gpg-github/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248968917,"owners_count":21191162,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cryptography","gpg","guide","howto","keybase","signing"],"created_at":"2024-08-02T01:03:54.064Z","updated_at":"2025-04-14T22:15:40.139Z","avatar_url":"https://github.com/pstadler.png","language":null,"readme":"# Set up Keybase.io, GPG \u0026 Git to sign commits on GitHub\n\nThis is a step-by-step guide on how to create a GPG key on [keybase.io](https://keybase.io), add it to a local GPG setup, and use it with Git and GitHub.\n\nAlthough this guide was written for macOS, most commands should work in other operating systems as well.\n\nThere's a [video](https://www.youtube.com/watch?v=4V-7KnhcrbY) published by [Timothy Miller](https://github.com/tjacobdesign) explaining some parts of this guide. [Discussion](https://news.ycombinator.com/item?id=12289481) on Hacker News. 
\n\n\u003e **Note**: If you **don't** want to use Keybase.io, follow [this guide][1] instead.\n\u003e For manually transferring keys to different hosts, check out this [answer on Stack Overflow][2].\n\n[1]: https://help.github.com/articles/generating-a-new-gpg-key/\n[2]: https://stackoverflow.com/a/3176373/571227\n\n## Requirements\n\n```sh\n$ brew install gpg\n$ brew install --cask keybase\n```\n\nYou should already have an account with Keybase and be signed in locally using `$ keybase login`. In case you need to set up a new device first, follow the instructions provided by the keybase command during login.\n\nMake sure your local version of Git is at least 2.0 (`$ git --version`) to automatically sign all your commits. If that's not the case, use Homebrew to install the latest Git version: `$ brew install git`.\n\n## Create a new GPG key on keybase.io\n\n```sh\n$ keybase pgp gen --multi\n# Enter your real name, which will be publicly visible in your new key: Patrick Stadler\n# Enter a public email address for your key: patrick.stadler@gmail.com\n# Enter another email address (or \u003center\u003e when done):\n# Push an encrypted copy of your new secret key to the Keybase.io server? 
[Y/n] Y\n# ▶ INFO PGP User ID: Patrick Stadler \u003cpatrick.stadler@gmail.com\u003e [primary]\n# ▶ INFO Generating primary key (4096 bits)\n# ▶ INFO Generating encryption subkey (4096 bits)\n# ▶ INFO Generated new PGP key:\n# ▶ INFO   user: Patrick Stadler \u003cpatrick.stadler@gmail.com\u003e\n# ▶ INFO   4096-bit RSA key, ID CB86A866E870EE00, created 2016-04-06\n# ▶ INFO Exported new key to the local GPG keychain\n```\n\n## Set up Git to sign all commits\n\n```sh\n$ gpg --list-secret-keys --keyid-format LONG\n# /Users/pstadler/.gnupg/secring.gpg\n# ----------------------------------\n# sec   4096R/E870EE00 2016-04-06 [expires: 2032-04-02]\n# uid                  Patrick Stadler \u003cpatrick.stadler@gmail.com\u003e\n# ssb   4096R/F9E3E72E 2016-04-06\n\n$ git config --global user.signingkey E870EE00\n$ git config --global commit.gpgsign true\n```\n\n## Add public GPG key to GitHub\n\n```sh\n$ open https://github.com/settings/keys\n# Click \"New GPG key\"\n\n# We can then use `export` with the `-q` or query flag to match on our key (the first 16 characters should do..) 
\n$ keybase pgp export -q CB86A866E870EE00 | pbcopy # copy public key to clipboard\n# Paste key, save\n```\n\n## Import key to GPG on another host\n\n```sh\n$ keybase pgp export\n# ▶ WARNING Found several matches:\n# user: Patrick Stadler \u003cpatrick.stadler@gmail.com\u003e\n# 4096-bit RSA key, ID CB86A866E870EE00, created 2016-04-06\n\n# user: keybase.io/ps \u003cps@keybase.io\u003e\n# 4096-bit RSA key, ID 31DBBB1F6949DA68, created 2014-03-26\n\n$ keybase pgp export -q CB86A866E870EE00 | gpg --import\n$ keybase pgp export -q CB86A866E870EE00 --secret | gpg --allow-secret-key-import --import\n```\n\nAfter importing you probably want to locally trust your own key, otherwise you will see\n`gpg: WARNING: This key is not certified with a trusted signature!` when running `git log --show-signature`.\n\n```\n$ gpg --edit-key CB86A866E870EE00\ngpg\u003e trust\n\nPlease decide how far you trust this user to correctly verify other users' keys\n(by looking at passports, checking fingerprints from different sources, etc.)\n\n  1 = I don't know or won't say\n  2 = I do NOT trust\n  3 = I trust marginally\n  4 = I trust fully\n  5 = I trust ultimately\n  m = back to the main menu\n\nYour decision? 5\nDo you really want to set this key to ultimate trust? (y/N) y\n\ngpg\u003e quit\n```\n\n## Troubleshooting: `gpg failed to sign the data`\n\nIf you cannot sign a commit after running through the above steps, and have an error like:\n\n```sh\n$ git commit -m \"My commit\"\n# error: gpg failed to sign the data\n# fatal: failed to write commit object\n```\n\nYou can run `echo \"test\" | gpg --clearsign` to find the underlying issue.\n\nIf the above succeeds without error, then there is likely a configuration problem that is preventing git from selecting or using the secret key.  
Confirm that your gitconfig `user.email` matches the secret key that you are using for signing.\n\nOn Windows, another solution is to set up Git to use the GPG program explicitly:\n```sh\n$ git config --global user.signingkey E870EE00\n$ git config --global commit.gpgsign true\n$ git config --global gpg.program \"C:\\Program Files (x86)\\GnuPG\\bin\\gpg.exe\"\n```\n\n## Optional: Set as default GPG key\n\n```sh\n$ $EDITOR ~/.gnupg/gpg.conf\n# Add line:\ndefault-key E870EE00\n```\n\n## Optional: Fix for Git UIs\n\nIf you use a UI such as Git Tower or GitHub Desktop, you may need to configure git to point to the specific gpg executable:\n```sh\n# Quote the substitution so a gpg path containing spaces is passed as one value\ngit config --global gpg.program \"$(which gpg)\"\n```\n\n## Optional: Disable TTY\nIf you have problems making automatically signed commits from an IDE or other software, add the `no-tty` option to your GPG config:\n```sh\n$ $EDITOR ~/.gnupg/gpg.conf\n# Add line:\nno-tty\n```\n\n## Optional: Setting up TTY  \nDepending on your personal setup, you might need to define the tty for gpg\nwhenever your passphrase is prompted. 
Otherwise, you might encounter an `Inappropriate\nioctl for device` error.\n```sh\n$ $EDITOR ~/.profile # or other file that is sourced every time\n# Paste these lines\nGPG_TTY=$(tty)\nexport GPG_TTY\n```\n\n## Optional: In case you're prompted to enter the password every time\n\n\u003e Some people found that this works out of the box w/o following these steps.\n\n### Method 1 - gpg-agent + pinentry-mac\n\nInstall pinentry-mac:\n\n```sh\n$ brew install pinentry-mac\n```\n\nSet up the agent:\n\n```sh\n$ $EDITOR ~/.gnupg/gpg-agent.conf\n# Paste this line:\npinentry-program /usr/local/bin/pinentry-mac\n```\n\nNow run `git commit -S`; it will ask for your password, and you can save it to the macOS\nkeychain.\n\n![pinentry](img/pinentry.png)\n\n### Method 2 - GPG Suite\n\nSome people find that pinentry installed with brew does not allow the password to be saved to macOS's keychain.\n\nIf you do not see \"Save in Keychain\" after following Method 1, first uninstall the version of pinentry-mac installed with brew:\n\n```sh\n$ brew uninstall pinentry-mac\n```\n\nNow install the GPG Suite version, available from [gpgtools.org](https://gpgtools.org/#gpgsuite), or from brew by running:\n\n```sh\n$ brew install --cask gpg-suite\n```\n\nOnce installed, open Spotlight and search for \"GPG Suite\", or open System Preferences and select \"GPG Suite\".\n\nSelect the Default Key if it is not already selected, and ensure \"Store in OS X Keychain\" is checked:\n\n![gpg preferences](img/gpg-preferences.png)\n\nThe `gpg-agent.conf` is different from Method 1:\n\nSet up the agent:\n\n```sh\n$ $EDITOR ~/.gnupg/gpg-agent.conf\n# GPG Suite should pre-populate with something similar to the following:\ndefault-cache-ttl 600\nmax-cache-ttl 7200\n```\n\n\n### Testing without a Git Commit\n\nWhile a full end-to-end test by committing something to git will confirm for sure if things are working, a quick thing you can check is:\n\n```\necho \"test\" | gpg --clearsign\n```\n\nThis will output something like 
this if everything goes well:\n\n```\n$ echo \"test\" | gpg --clearsign\ngpg: WARNING: server 'gpg-agent' is older than us (2.2.40 \u003c 2.4.0)\ngpg: Note: Outdated servers may lack important security fixes.\ngpg: Note: Use the command \"gpgconf --kill all\" to restart them.\ngpg: using \"9DAC53FB18AB8C5DF0E2AA5B330CB62AE334C5E2\" as default secret key for signing\ngpg: problem with fast path key listing: IPC parameter error - ignored\n-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\ntest\n-----BEGIN PGP SIGNATURE-----\n\niQEzBAEBCAAdFiEEmpcZZDDypeoq25Aer4d9fatgnzQFAmPmbXEACgkQr4d9fatg\nnzQ/RAf9Elo6RUbb1xWdyPVHqS6Eq67eWmbJ62WriI+2ldMjj8lZp4XtcZ0KzXnO\n0U4moVhZyQqBQ1syDC8UNXsTI7pzbRuZ1dzs5tjo+6UuqGfzpgurvw//3L/LxujJ\n5asFq//sDNLCHFUAFDbmuWqfcMqpp/KqtaJr8EuCSb/3HSy4J8lMNGyQ4wmpQs5U\nQr5IPLq07NQrOQC3d4vXOmWqY9EZYeSbf0QWCMiErHLxm/jQY+TP88lNre99GmED\n4mAD2+I5wd33MizbjfTSH/RAeT5MdLwiBzc6kVjxu4BWusPmdUgLs7vPuP3qeqMQ\nq9VnL6mMsaFm0rKnID/MoOPtaghgSA==\n=1T8z\n-----END PGP SIGNATURE-----\n```\n","funding_links":[],"categories":["Others","PGP"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpstadler%2Fkeybase-gpg-github","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fpstadler%2Fkeybase-gpg-github","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpstadler%2Fkeybase-gpg-github/lists"}