Back in April, Github started to support signed commits and tags with PGP .
I’ve always wanted that PGP (Pretty Good Privacy) were widely spread because, for example I would love to easily send confidential emails and avoid repudiation in some others that I receive from third parties, however the lack of support for email clients not just desktop client, web clients and mobile clients which today are that necessary makes very hard that people adopt it, so using it in our daily life is mostly an utopia.
After Github has added support for it, it has been for me a good excuse to start to use PGP in my daily life, it isn’t email, but well, I use Github, as many other geeks, almost in daily basis, or if it isn’t Github, it’s git, so if it’s well integrated then, I don’t mind to use in any repo either although it isn’t hosted on Github.
The key point of PGP is, obviously, to have a pair of keys; I had one long time ago, that I ended without using it, after I don’t know how many years later, which was around 2 years ago, I got a new PGP key pair with keybase , but being hones the account was almost unactive until last April.
Keybase.io provides a PGP cloud service which create and host keys attached to people; it provides some mechanisms to identify people through third party social services which today are used by tons of people. Of course, the concept of hosting your private key obligate to the users in trust in their security, something that’s very debatable, but being honest, that same thing happens with the digital certificates and in my case, for the usage that I give to the key, it isn’t big concern.
To setup my Keybase key with Github, in order to sign my commits and be marked as verified, I followed the blog awesome blog post Github GPG + Keybase PGP of Ahad Nassri
A very important thing for me and avoid to disable the signing options of my git configuration is no to have to type the passphrase of my GPG key on each commit. For this purpose, we have an agent, as we have for the
In my case, I use an Ubuntu Linux for all my development stuff, so here I describe to install and configure
gpg-agent for a Ubuntu Linux, if you use another distro then you may have to make some changes and if you use another OS then, you probably end up changing everything but I hope that you can get, at least, the idea in how to do so.
Installing the agent is as easy how a simple
apt-get install gnupg-agent command execution.
You can run the agent manually each time that you login or do the same adding that command to your
.bashrc file or the equivalent
rc file that your shell execute on a new session.
In my case I use Z shell (zsh)
and Oh My ZSH!
and I use the plugin that it provides for running the `gnupg-agent`
, which you can run adding to the
plugins variable list
gpg-agent, for example mine, looks like
plugins=(ssh-agent zsh-syntax-highlighting gpg-agent)
if you’re using gnpg-agent version 2 then you don’t need to use the Oh My ZSH! plugin because the agent will be executed automatically at OS the startup time as any other service; check it with
gpg-agent --version, but you may have to assign and export some variable because gpg client can connect to the agent version 2, although for unknown reasons, sometimes I haven’t needed to export any of them to make it work and sometimes I have to export on or both.
export SSH_AUTH_SOCK=$HOME/.gnupg/S.gpg-agent.ss export GPG_TTY=$(TTY)
If doesn’t work without them, getting an error message about the agent connection then, export
GPG_TTY and if it persists, then export the both.
To configure the agent you have to create a configuration file; by default is located on your user home director in the directory
.gnupg/gpg-agent.conf, take a look to the options summary section of the documentation web site
to see all the available options.
Mine only contains a few options which I wanted to tweak
# Set the default cache time to 1 day. default-cache-ttl 86400 default-cache-ttl-ssh 86400 # Set the max cache time to 30 days. max-cache-ttl 2592000 max-cache-ttl-ssh 2592000
Now it’s time to add our pgp keys, due the purpose of this post, I’ll add my Keybase Key, but you could whatever pgp key you own, repeating the process for each key.
Export your private key through the Keybase command line or through the website and save it somewhere, I’ll assume that the key file is in
~/my-key for the rest of this post.
List the current keys, which we shouldn’t have any, but the same command will initialize the key store database on the first call
gpg --list-keys, you should see something like
~ ➜ gpg --list-keys gpg: /home/vagrant/.gnupg/trustdb.gpg: trustdb created
Import the key
gpg --import ~/my-key, in my case I got
~ ➜ gpg --import my-key gpg: key B5CB5AD5: secret key imported gpg: key B5CB5AD5: public key "keybase.io/ifraixedes <firstname.lastname@example.org>" imported gpg: Total number processed: 1 gpg: imported: 1 (RSA: 1) gpg: secret keys read: 1 gpg: secret keys imported: 1
And now if you list the keys (
gpg --list-keys), you should see something like
~ ➜ gpg --list-keys /home/vagrant/.gnupg/pubring.gpg -------------------------------- pub 4096R/B5CB5AD5 2015-04-15 uid keybase.io/ifraixedes <email@example.com> sub 2048R/97F96DB7 2015-04-15 [expires: 2023-04-13] sub 2048R/1C9B754A 2015-04-15 [expires: 2023-04-13]
In my case, I’m happy to sign all the commits with the same key, so I don’t have the need to constantly specify a key per project so I made all this configurations as global, if you need to configure them per project then remove the
--global options of the commands that I listed below.
Let’s specify the key to use with
git config --global user.signingkey firstname.lastname@example.org or use the key shorthand
git config --global user.signingkey B5CB5AD5
Then, let’s sign all the commits by default, so we don’t have to specify
git commit each time,
git config --global commit.gpgsign true
With these two options, we are set if the agent is version 1, but if the agent that you’re running in your machine is the version 2, then you have to add one configuration parameter more to git, otherwise you’ll see a message, on each commit, saying something like
agent is not running in this session; this happens because GIT is using by the default the
gpg binary in your path, and for the version 2 you have to use the
First make sure that you install the gpg v2 with
sudo apt-get install gnupg2 and thereafter, tell git to use gpg2 with
git config --global gpg.program gpg2
At this point, the best thing before giving it a try is to exit your session and login again, than trying to run the
gpg-agent by hand, because you’ll try that everything is running as expected and it’s easier.