Signing commits with GPG on macOS Guidelines

#gpg #macos #git

  1. Install GPG with Homebrew:

    brew install gpg2 gnupg pinentry-mac

With pinentry-mac you will be able to enter your passphrase in a popup window instead of the terminal.

  2. Create the .gnupg directory:

    mkdir ~/.gnupg

  3. Use pinentry-mac:

    echo "pinentry-program $(brew --prefix)/bin/pinentry-mac" > ~/.gnupg/gpg-agent.conf

  4. Update or create the ~/.gnupg/gpg.conf file:

    echo "use-agent" >> ~/.gnupg/gpg.conf

  5. Modify your shell

Append the following to your ~/.bash_profile, ~/.bashrc or ~/.zshrc. For instance:

    echo "export GPG_TTY=$(tty)" >> ~/.zshrc

  6. Restart your shell

    # on the built-in bash on macOS use
    source ~/.bash_profile
    # if using bash through Homebrew over ssh use
    source ~/.bashrc
    # and if using zsh
    source ~/.zshrc

  7. Update permissions

    # gpg warns about "unsafe permissions" unless ~/.gnupg itself is mode 700 as well
    chmod 700 ~/.gnupg/*

  8. Kill the gpg-agent

    killall gpg-agent

  9. Create your GPG key with pinentry-mac

    gpg --full-gen-key --pinentry-mode loopback

  10. Answer the questions

    Please select what kind of key you want:
    (1) RSA and RSA (default)
    (2) DSA and Elgamal
    (3) DSA (sign only)
    (4) RSA (sign only)
    Your selection? 4
    RSA keys may be between 1024 and 4096 bits long.
    What keysize do you want? (2048) 4096
    Requested keysize is 4096 bits
    Please specify how long the key should be valid.
    0 = key does not expire
    <n> = key expires in n days
    <n>w = key expires in n weeks
    <n>m = key expires in n months
    <n>y = key expires in n years
    Key is valid for? (0) 0
    Key does not expire at all
    Is this correct? (y/N) y
    You need a user ID to identify your key; the software constructs the user ID
    from the Real Name, Comment and Email Address in this form:
    "Su Ho (S) <hi@suho.dev>"
    Real name: Su Ho
    Email address: hi@suho.dev
    Comment:
    You selected this USER-ID:
    "Su Ho <hi@suho.dev>"
    Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
    You need a Passphrase to protect your secret key.

  11. Get your key ID

    gpg --list-secret-keys --keyid-format SHORT

This command will produce output similar to this:

    /Users/suho/.gnupg/pubring.kbx
    ------------------------------
    sec ed25519/XXXXXXXX 2023-11-29 [SC]
    ...

You will need to copy the key ID, in this case XXXXXXXX.

  12. Export the public key

    gpg --armor --export XXXXXXXX

  13. Configure Git to use gpg and sign all commits

    git config --global user.signingkey XXXXXXXX
    git config --global commit.gpgsign true

  14. Perform a test commit

    # -S signs the commit with your key; -s adds a Signed-off-by trailer
    git commit -S -s -m "Signed Commit" --allow-empty

  15. Pinentry prompt

You should see a popup window asking for your passphrase. Enter it and click OK.

  16. Submit your GPG key to GitHub

    gpg --armor --export XXXXXXXX | pbcopy

Then log in to github.com, go to your settings, "SSH and GPG keys", and add your GPG key from that page.
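The following shell script is an added example, not part of the original guide: it audits the result of the gpg-agent, key-ID and git config steps above by checking that user.signingkey names a key actually present in your secret keyring, that commit.gpgsign is enabled, and that gpg-agent points at pinentry-mac. The function name, the sample inputs and the placeholder key ID ABCD1234 are constructed for illustration; pass `live` to inspect the real system instead.

```shell
# Audit the signing setup. Reads three sources as plain text (constructed
# samples below, or the live system when run with "live"), so it works
# without gpg installed:
#   - output of `git config --global --list`
#   - contents of ~/.gnupg/gpg-agent.conf
#   - output of `gpg --list-secret-keys --keyid-format SHORT`
audit_signing_setup() {
    git_cfg=$1 agent_cfg=$2 keys=$3 rc=0
    # Last user.signingkey wins, as git itself resolves duplicates.
    key=$(printf '%s\n' "$git_cfg" | sed -n 's/^user\.signingkey=//p' | tail -n 1)
    if [ -z "$key" ]; then
        echo "FAIL: user.signingkey is not set"; rc=1
    elif ! printf '%s\n' "$keys" | grep -q "^sec .*/$key "; then
        # A typo here makes every commit fail with "gpg failed to sign the data".
        echo "FAIL: signing key $key is not among your secret keys"; rc=1
    else
        echo "ok: signing key $key present in keyring"
    fi
    if printf '%s\n' "$git_cfg" | grep -q '^commit\.gpgsign=true$'; then
        echo "ok: commit.gpgsign=true, commits are signed by default"
    else
        echo "FAIL: commit.gpgsign is not true; only 'git commit -S' would sign"; rc=1
    fi
    # Missing pinentry-mac is only a warning: gpg falls back to a terminal prompt.
    if printf '%s\n' "$agent_cfg" | grep -q '^pinentry-program .*pinentry-mac$'; then
        echo "ok: gpg-agent uses pinentry-mac"
    else
        echo "WARN: pinentry-program is not set to pinentry-mac"
    fi
    return $rc
}

# Constructed sample inputs; the key ID ABCD1234 is a placeholder.
SAMPLE_GIT_CFG='user.email=hi@suho.dev
user.signingkey=ABCD1234
commit.gpgsign=true'
SAMPLE_AGENT_CFG='pinentry-program /opt/homebrew/bin/pinentry-mac'
SAMPLE_KEYS='/Users/suho/.gnupg/pubring.kbx
------------------------------
sec   ed25519/ABCD1234 2023-11-29 [SC]
uid           [ultimate] Su Ho <hi@suho.dev>'

if [ "${1-}" = "live" ]; then
    audit_signing_setup "$(git config --global --list)" \
        "$(cat ~/.gnupg/gpg-agent.conf)" "$(gpg --list-secret-keys --keyid-format SHORT)"
else
    audit_signing_setup "$SAMPLE_GIT_CFG" "$SAMPLE_AGENT_CFG" "$SAMPLE_KEYS"
fi
```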


Follow this guide for more details.