Verified Commits with GPG and MacOS

Recently I’ve made the switch from being a long time Windows user to a newbie Mac user – and I’m powering through! Now I thought I had everything set up on the new MacBook; however, upon making a few changes to some code I’ve been working on and pushing it up to GitHub, I quickly realized that my commits were no longer “verified”. I’ve written in the past about signing commits within Windows – and the process for Mac is quite similar – but since there were a few key differences I thought I’d document it here for anyone looking to follow along…

First up, we need to get gpg, gnupg, and pinentry-mac installed – Homebrew makes this pretty simple with the following command

brew install gpg2 gnupg pinentry-mac

From here we need to create a .gnupg directory within our home folder

mkdir ~/.gnupg

Within our newly created directory we now need to define a gpg-agent.conf file containing the path to our newly installed pinentry-mac package. We also need to create and populate our gpg.conf file in the same spot. This is easily achieved by running the following

echo "pinentry-program $(which pinentry-mac)" > ~/.gnupg/gpg-agent.conf
echo "use-agent" > ~/.gnupg/gpg.conf

In order for everything to work we need to populate our profile with the GPG_TTY environment variable. The following example uses zsh, but if you are using bash simply adjust for .bashrc or .bash_profile accordingly. Note the single quotes: they stop $(tty) from being expanded while we run echo, so the variable is evaluated each time a shell starts rather than hard-coded to whichever terminal device you happen to be in today.

echo 'export GPG_TTY=$(tty)' >> ~/.zshrc
source ~/.zshrc

Finally, set the proper permissions on your .gnupg directory

chmod 700 ~/.gnupg

Alright, now we need to simply generate a new gpg key by running the following

gpg --full-gen-key

You can see my answers below to all of the prompts – basically, use RSA Sign Only as the key type, 4096 as the bit length, your preferred expiry, and then your desired name/email/passphrase.

Next, configure git to utilize gpg with the following

git config --global gpg.program $(which gpg)

Now let’s grab some information around the key itself – running the following will give us a couple of tidbits of info.

gpg -K --keyid-format SHORT

You should receive output similar to the following (the listing below was produced with lowercase -k, which lists public keys and labels them pub; -K lists secret keys and labels them sec, but the key ID and fingerprint are the same either way)

mwpreston@Mikes-MacBook-Pro ~ % gpg -k --keyid-format SHORT
/Users/mwpreston/.gnupg/pubring.kbx
-----------------------------------
pub   rsa4096/7FAD8843 2021-07-28 [SC] [expires: 2024-07-27]
      A4290B7C24FE2C0ED9B7FCD8BF83AEC47FAD8843
uid         [ultimate] Mike Preston <mwpreston@gmail.com>

mwpreston@Mikes-MacBook-Pro ~ % 

Using the information above we can configure git to sign with our key and then export the public key for GitHub. First, let’s instruct git to utilize our new key to sign commits – for this we will need the 8 hex characters following rsa4096/ (the short key ID) – for example… Git also accepts the long key ID or the full 40-character fingerprint here, and the full fingerprint is the safer choice since 8-character short IDs are not unique.

git config --global user.signingkey 7FAD8843
git config --global commit.gpgsign true

Now we need to export the public key so GitHub can verify our signatures. This time we will select the key by its full fingerprint (the big long string between pub and uid in the listing above)

mwpreston@Mikes-MacBook-Pro ~ % gpg --armor --export A4290B7C24FE2C0ED9B7FCD8BF83AEC47FAD8843
-----BEGIN PGP PUBLIC KEY BLOCK-----

[armored public key data omitted]

-----END PGP PUBLIC KEY BLOCK-----

Copy everything displayed, including the BEGIN and END statements. Head into your GitHub account – Settings->SSH and GPG Keys and select add a new GPG key – copy/paste into the input box as shown and click ‘Add GPG key’

And that should be it – go ahead, modify some code and enjoy your verified commits!
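Before pushing, it is worth confirming that the key ID you gave git really belongs to the key gpg holds. The script below is an added example, not part of the original post: it parses a key listing in the format shown above (the embedded sample is copied from the post’s own output), derives the short and long key IDs from the fingerprint, checks a configured user.signingkey against them, and can run the same check live against your installed gpg and git.

```sh
#!/bin/sh
# Added example (not from the original post): parse a `gpg -K` listing, derive
# the key IDs from the fingerprint, and confirm that `git config user.signingkey`
# identifies that key. The full fingerprint is the preferred value for
# user.signingkey because 8-hex-digit short IDs are not unique.

# Sample listing in the format shown above (copied from the post's output).
SAMPLE_LISTING='pub   rsa4096/7FAD8843 2021-07-28 [SC] [expires: 2024-07-27]
      A4290B7C24FE2C0ED9B7FCD8BF83AEC47FAD8843
uid         [ultimate] Mike Preston <mwpreston@gmail.com>'

# Print the first 40-hex-digit fingerprint line found in a listing read on stdin.
fingerprint_from_listing() {
    sed -n 's/^[[:space:]]*\([0-9A-F]\{40\}\)[[:space:]]*$/\1/p' | head -n 1
}

# The short (8) and long (16) key IDs are the trailing hex digits of the fingerprint.
short_keyid() { printf '%s' "$1" | tail -c 8; }
long_keyid()  { printf '%s' "$1" | tail -c 16; }

# Return 0 when a configured signing key (short ID, long ID or full fingerprint,
# optionally prefixed with 0x, any case) identifies fingerprint $2.
signingkey_matches() {
    key=$(printf '%s' "$1" | sed 's/^0[xX]//' | tr 'a-f' 'A-F')
    fp=$2; long=$(long_keyid "$fp"); short=$(short_keyid "$fp")
    case "$key" in
        "$fp" | "$long" | "$short") return 0 ;;
        *) return 1 ;;
    esac
}

# The two git settings from the post, but using the full fingerprint as the key.
signing_config_commands() {
    printf 'git config --global user.signingkey %s\n' "$1"
    printf 'git config --global commit.gpgsign true\n'
}

# Live check against the installed toolchain: does the configured git signing
# key identify the first secret key gpg lists? Returns 2 if gpg/git are missing.
check_git_signing_setup() {
    command -v gpg >/dev/null 2>&1 && command -v git >/dev/null 2>&1 || return 2
    fp=$(gpg -K --keyid-format LONG 2>/dev/null | fingerprint_from_listing)
    [ -n "$fp" ] || { echo "no secret key found in the gpg keyring"; return 1; }
    configured=$(git config --global user.signingkey 2>/dev/null || true)
    if signingkey_matches "$configured" "$fp"; then
        echo "user.signingkey '$configured' matches key $fp"
    else
        echo "user.signingkey '$configured' does not identify key $fp"; return 1
    fi
}
```

Run `check_git_signing_setup` after completing the steps above; a non-zero exit means git is configured to sign with a key gpg does not hold.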

Verified commits help give other people and repo managers confidence about any changes you have made to the code – plus, it just feels nice to be “verified” – Thanks for reading!
