This is a step-by-step guide on how to create a GPG key on keybase.io, adding it to a local GPG setup and use it with Git and GitHub.
Although this guide was written for OS X, most commands should work in other operating systems as well.
Discussion on Hacker News.
Note: If you don't want to use Keybase.io, it is still fine. For section Create a new GPG key on keybase.io, Set up Git to sign all commits, and Add public GPG key to GitHub you follow a guide here instead. It will give you a same result. Also for section Import key to GPG on another host you can follow step in this answer from Stackoverflow to export and import key. Both of key generation and import/export action don't involve Keybase.io
$ brew install gpg keybaseYou should already have an account with Keybase and be signed in locally using $ keybase login. In case you need to set up a new device first, follow the instructions provided by the keybase command during login.
Make sure your local version of Git is at least 2.0 ($ git --version) to automatically sign all your commits. If that's not the case, use Homebrew to install the latest Git version: $ brew install git.
$ keybase pgp gen --multi
# Enter your real name, which will be publicly visible in your new key: Patrick Stadler
# Enter a public email address for your key: patrick.stadler@gmail.com
# Enter another email address (or <enter> when done):
# Push an encrypted copy of your new secret key to the Keybase.io server? [Y/n] Y
# ▶ INFO PGP User ID: Patrick Stadler <patrick.stadler@gmail.com> [primary]
# ▶ INFO Generating primary key (4096 bits)
# ▶ INFO Generating encryption subkey (4096 bits)
# ▶ INFO Generated new PGP key:
# ▶ INFO user: Patrick Stadler <patrick.stadler@gmail.com>
# ▶ INFO 4096-bit RSA key, ID CB86A866E870EE00, created 2016-04-06
# ▶ INFO Exported new key to the local GPG keychain$ gpg --list-secret-keys
# /Users/pstadler/.gnupg/secring.gpg
# ----------------------------------
# sec 4096R/E870EE00 2016-04-06 [expires: 2032-04-02]
# uid Patrick Stadler <patrick.stadler@gmail.com>
# ssb 4096R/F9E3E72E 2016-04-06
$ git config --global user.signingkey E870EE00
$ git config --global commit.gpgsign true$ open https://github.com/settings/keys
# Click "New GPG key"
$ keybase pgp export -q CB86A866E870EE00 | pbcopy # copy public key to clipboard
# Paste key, save$ keybase pgp export
# ▶ WARNING Found several matches:
# user: Patrick Stadler <patrick.stadler@gmail.com>
# 4096-bit RSA key, ID CB86A866E870EE00, created 2016-04-06
# user: keybase.io/ps <ps@keybase.io>
# 4096-bit RSA key, ID 31DBBB1F6949DA68, created 2014-03-26
$ keybase pgp export -q CB86A866E870EE00 | gpg --import
$ keybase pgp export -q CB86A866E870EE00 --secret | gpg --allow-secret-key-import --import$ $EDITOR ~/.gnupg/gpg.conf
# Add line: default-key E870EE00If you use a UI such as Git Tower or Github Desktop, you may need to configure git to point to the specific gpg executable:
git config --global gpg.program $(which gpg)If you have problems with making autosigned commits from IDE or other software add no-tty config
$ $EDITOR ~/.gnupg/gpg.conf
# Add line: no-ttyDepending on your personal setup, you might need to define the tty for gpg
whenever your passphrase is prompted. Otherwise, you might encounter an Inappropriate ioctl for device error.
$ $EDITOR ~/.profile # or other file that is sourced every time
# Paste these lines
GPG_TTY=$(tty)
export GPG_TTYInstall the needed software:
$ brew install gpg-agent pinentry-macEnable agent use:
$ $EDITOR ~/.gnupg/gpg.conf
# uncomment the use-agent lineSetup agent:
$ $EDITOR ~/.gnupg/gpg-agent.conf
# Paste these lines:
use-standard-socket
pinentry-program /usr/local/bin/pinentry-macLink pinentry and agent together:
$ $EDITOR ~/.profile # or other file that is sourced every time
# Paste these lines:
if test -f ~/.gnupg/.gpg-agent-info -a -n "$(pgrep gpg-agent)"; then
source ~/.gnupg/.gpg-agent-info
export GPG_AGENT_INFO
GPG_TTY=$(tty)
export GPG_TTY
else
eval $(gpg-agent --daemon --write-env-file ~/.gnupg/.gpg-agent-info)
fiNow git commit -S, it will ask your password and you can save it to OSX
keychain.