Recently I’ve made the switch from being a longtime Windows user to a newbie Mac user – and I’m powering through! Now I thought I had everything set up on the new MacBook, however upon making a few changes to some code I’ve been working on and pushing it up to GitHub I quickly realized that my commits were no longer “verified”. I’ve written in the past about signing commits within Windows – and the process for Mac is quite similar – but since there were a few key differences I thought I’d document here for anyone looking to follow along…
First up, we need to get gpg, gnupg, and pinentry-mac installed – Homebrew makes this pretty simple with the following command:

    brew install gpg2 gnupg pinentry-mac

From here we need to create a .gnupg directory within our home folder:

    mkdir ~/.gnupg

Within our newly created directory we now need to define a gpg-agent.conf file containing the path to our newly installed pinentry-mac package. We also need to create and populate our gpg.conf file in the same spot. This is easily achieved by running the following:

    echo "pinentry-program $(which pinentry-mac)" > ~/.gnupg/gpg-agent.conf
    echo "use-agent" > ~/.gnupg/gpg.conf

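In order for everything to work we need to populate our profile with the GPG_TTY environment variable. The following example uses zsh, but if you are using bash simply adjust for .bashrc or .bash_profile accordingly.

    # Single quotes keep $(tty) literal in .zshrc, so it is evaluated in every new shell
    # rather than being frozen to the terminal this command happens to run in.
    echo 'export GPG_TTY=$(tty)' >> ~/.zshrc
    source ~/.zshrc
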
Finally, set the proper permissions on your .gnupg directory:

    chmod 700 ~/.gnupg

Alright, now we simply need to generate a new gpg key by running the following:

    gpg --full-gen-key

You can see my answers below to all of the prompts – basically, use RSA Sign Only as the key type, 4096 as the bit length, your preferred expiry, and then your desired name/email/passphrase
Next, configure git to utilize gpg with the following:

    git config --global gpg.program "$(which gpg)"

Now let’s grab some information about the key itself – running the following will give us a couple of tidbits of info:

    gpg -K --keyid-format SHORT

You should receive output similar to the following:

    mwpreston@Mikes-MacBook-Pro ~ % gpg -k --keyid-format SHORT
    /Users/mwpreston/.gnupg/pubring.kbx
    -----------------------------------
    pub   rsa4096/7FAD8843 2021-07-28 [SC] [expires: 2024-07-27]
          A4290B7C24FE2C0ED9B7FCD8BF83AEC47FAD8843
    uid         [ultimate] Mike Preston <mwpreston@gmail.com>

    mwpreston@Mikes-MacBook-Pro ~ %

Using the information above we can now configure git to utilize our key for signing commits and then export the public key. First, let’s instruct git to utilize our new key to sign commits – for this we will need the 8 hex characters following the rsa4096/ statement in the output above – for example:

    git config --global user.signingkey 7FAD8843
    git config --global commit.gpgsign true

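git also accepts the full 40-character fingerprint for user.signingkey, which avoids the collisions that 8-character short IDs are prone to. The following is an added example, not part of the original post, that picks that fingerprint out of gpg's machine-readable listing; the function name `signing_fpr`, the sample listing, its timestamps and the expired second key are constructed for illustration.

```sh
#!/bin/sh
# Constructed sample of `gpg --list-secret-keys --with-colons` output.
# The second key carries the fingerprint shown on this page; the first
# (expired) key, the timestamps and the uid hashes are made up.
SAMPLE='sec:e:4096:1:1111111111111111:1500000000:1600000000::u:::sc:::+:::23::0:
fpr:::::::::0000000000000000000000001111111111111111:
uid:e::::1500000000::0000000000000000000000000000000000000000::Mike Preston <mwpreston@gmail.com>::::::::::0:
sec:u:4096:1:BF83AEC47FAD8843:1627430400:1722038400::u:::scSC:::+:::23::0:
fpr:::::::::A4290B7C24FE2C0ED9B7FCD8BF83AEC47FAD8843:
uid:u::::1627430400::0000000000000000000000000000000000000000::Mike Preston <mwpreston@gmail.com>::::::::::0:'

# signing_fpr EMAIL: read a colon listing on stdin and print the fingerprint
# of the first primary key that is usable for signing, is not expired,
# revoked, invalid or disabled, and has a user ID for EMAIL.
# Returns non-zero when no key qualifies.
signing_fpr() {
  awk -F: -v email="$1" '
    $1 == "sec" || $1 == "pub" {
      # Field 2 = validity; field 12 = capabilities
      # (uppercase S = usable for signing, D = key disabled).
      ok = ($2 !~ /^[eri]$/ && $12 ~ /S/ && $12 !~ /D/)
      fpr = ""; primary = 1; next
    }
    # Fingerprints that follow a subkey record belong to the subkey.
    $1 == "ssb" || $1 == "sub" { primary = 0; next }
    $1 == "fpr" && primary     { fpr = $10; primary = 0; next }
    $1 == "uid" && ok && fpr != "" && index($10, "<" email ">") {
      print fpr; found = 1; exit
    }
    END { exit !found }
  '
}

# Demo on the constructed listing; the expired key is skipped.
printf '%s\n' "$SAMPLE" | signing_fpr mwpreston@gmail.com
# prints A4290B7C24FE2C0ED9B7FCD8BF83AEC47FAD8843

# On a real machine (not run here):
#   fpr=$(gpg --list-secret-keys --with-colons | signing_fpr you@example.com) &&
#     git config --global user.signingkey "$fpr"
```
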
Now we need to export the public key. This time we will use the full fingerprint (the big long string between pub and uid):

    mwpreston@Mikes-MacBook-Pro ~ % gpg --armor --export A4290B7C24FE2C0ED9B7FCD8BF83AEC47FAD8843
    -----BEGIN PGP PUBLIC KEY BLOCK-----

    mQINBGEBld4BEACZsgeBIvnw5ZBIF+eyII01FI5StCk79e2pZAnsemYbHgSTfXao
    mQINBGEBld4BEACZsgeBIvnw5ZBIF+eyII01FI5StCk79e2pZAnsemYbHgSTfXao
    mQINBGEBld4BEACZsgeBIvnw5ZBIF+eyII01FI5StCk79e2pZAnsemYbHgSTfXao
    mQINBGEBld4BEACZsgeBIvnw5ZBIF+eyII01FI5StCk79e2pZAnsemYbHgSTfXao
    mQINBGEBld4BEACZsgeBIvnw5ZBIF+eyII01FI5StCk79e2pZAnsemYbHgSTfXao
    mQINBGEBld4BEACZsgeBIvnw5ZBIF+eyII01FI5StCk79e2pZAnsemYbHgSTfXao
    =s+Qs
    -----END PGP PUBLIC KEY BLOCK-----

Copy everything displayed, including the BEGIN and END statements. Head into your GitHub account – Settings->SSH and GPG Keys and select add a new GPG key – copy/paste into the input box as shown and click ‘Add GPG key’
And that should be it – go ahead, modify some code and enjoy your verified commits!
Verified commits help to give other people and repo managers confidence in any changes you have made to the code – plus, it just feels nice to be “verified” – Thanks for reading!