Verified Commits with GPG and MacOS

Recently I’ve made the switch from being a long time Windows user to a newbie Mac user – and I’m powering through! Now I thought I had everything setup on the new Macbook, however upon making a few changes to some code I’ve been working on and pushing it up to GitHub I quickly realized that my commits were no longer “verified”. I’ve written in the past about signing commits within Windows – and the process for Mac is quite similar – but since there were a few key differences I thought I’d document here for anyone looking to follow along…

First up, we need to get gpg, gnupg, and pinentry-mac installed – Homebrew makes this pretty simple with the following command

brew install gpg2 gnupg pinentry-mac

From here we need to create a .gnupg directory within our home folder

mkdir ~/.gnupg

Within our newly created directory we now need to define a gpg-agent.conf file, containing the path to our newly install pinentry-mac package. We also need to create and populate our gpg.conf file in the same spot. This is easily achieved by running the following

echo "pinentry-program $(which pinentry-mac)" > ~/.gnupg/gpg-agent.conf
echo "use-agent" > ~/.gnupg/gpg.conf

In order for everything to work we need to populate our profile with the GPG_TTY environment variable. The following example uses zsh, but if you are using bash simply adjust for .bashrc or .bash_profile accordingly.

echo "export GPG_TTY=$(tty)" >> ~/.zshrc
source ~/.zshrc

Finally, set the proper permissions on your .gnupg directory

chmod 700 ~/.gnupg

Alright, now we need to simply generate a new gpg key by running the following

gpg --full-gen-key

You can see my answers below to all of the prompts – basically, use RSA Sign Only as the key type, 4096 as the bit length, your preferred expiry, and then your desired name/email/passphrase

Next, configure git to utilize gpg with the following

git config --global gpg.program $(which gpg)

Now let’s grab some information around the key itself – running the following will give us a couple of tidbits of info..

gpg -K --keyid-format SHORT

You should receive output similar to the following

mwpreston@Mikes-MacBook-Pro ~ % gpg -k --keyid-format SHORT
/Users/mwpreston/.gnupg/pubring.kbx
-----------------------------------
pub   rsa4096/7FAD8843 2021-07-28 [SC] [expires: 2024-07-27]
      A4290B7C24FE2C0ED9B7FCD8BF83AEC47FAD8843
uid         [ultimate] Mike Preston <mwpreston@gmail.com>

mwpreston@Mikes-MacBook-Pro ~ % 

Using this information above we can now export the fingerprint and configure git to utilize our key for signing commits. First, let’s instruct git to utilize our new key to sign commits – for this we will need the 8 digits following the rsa4096/######## statement – for example…

git config --global user.signingkey 7FAD8843
git config --global commit.gpgsign true

Now we need to export the fingerprint. This time we will use our long key id (the big long string between pub and uid)

mwpreston@Mikes-MacBook-Pro ~ % gpg --armor --export A4290B7C24FE2C0ED9B7FCD8BF83AEC47FAD8843
-----BEGIN PGP PUBLIC KEY BLOCK-----

mQINBGEBld4BEACZsgeBIvnw5ZBIF+eyII01FI5StCk79e2pZAnsemYbHgSTfXao
mQINBGEBld4BEACZsgeBIvnw5ZBIF+eyII01FI5StCk79e2pZAnsemYbHgSTfXao
mQINBGEBld4BEACZsgeBIvnw5ZBIF+eyII01FI5StCk79e2pZAnsemYbHgSTfXao
mQINBGEBld4BEACZsgeBIvnw5ZBIF+eyII01FI5StCk79e2pZAnsemYbHgSTfXao
mQINBGEBld4BEACZsgeBIvnw5ZBIF+eyII01FI5StCk79e2pZAnsemYbHgSTfXao
mQINBGEBld4BEACZsgeBIvnw5ZBIF+eyII01FI5StCk79e2pZAnsemYbHgSTfXao
=s+Qs
-----END PGP PUBLIC KEY BLOCK-----

Copy everything displayed, including the BEGIN and END statements. Head into your GitHub account – Settings->SSH and GPG Keys and select add a new GPG key – copy/paste into the input box as shown and click ‘Add GPG key’

And that should be it – go ahead, modify some code and enjoy your verified commits!

Verfied commits help to give other people and repo managers the confidence about any changes you have made to the code – plus, it just feels nice to be “verfied” – Thanks for reading!