Generating a GPG key
Install the GPG command-line tools; on Debian or Ubuntu:
apt-get install gnupg
Once installed, we can now generate the key
gpg --full-generate-key
Different kinds of keys can be generated depending on usage. For this guide we want an RSA key, so choose the default (1), RSA and RSA, which creates an RSA primary key for signing and certifying plus an RSA subkey for encryption.
$ gpg --full-generate-key
gpg (GnuPG) 2.2.19; Copyright (C) 2019 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
(14) Existing key from card
Your selection?
GitHub's documentation asks for a key of at least 4096 bits, whereas the GnuPG default is 3072, so type 4096 and hit enter.
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 4096
Requested keysize is 4096 bits
You can specify whether the key should expire after a given length of time, or not at all. In this instance we are going to set it to not expire (0). Setting an expiry such as 1y is the safer habit, since a lost or compromised key then goes stale on its own, and the date can be extended later without generating a new key.
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)
User ID information is required to identify the key, so gpg will ask for a real name, an email address and a comment. Use an email address that is verified on your GitHub account: GitHub only marks commits as Verified when the committer email matches both the email in the key's user ID and a verified address on the account.
A passphrase is required to protect the private key; choose a strong one and hit enter.
The key is now generated and can be found by listing your secret keys using
gpg --list-secret-keys --keyid-format=long
From the list of GPG keys, copy the long form of the GPG key ID, the 16 hex characters after rsa4096/ on the sec line. In our example it is 50B9515EDD63295B, which is also the last 16 characters of the full fingerprint shown on the line below it.
selenium@LAPTOP-JCAAGHIT:/mnt/c/git$ gpg --list-secret-keys --keyid-format=long
gpg: checking the trustdb
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 2 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 2u
/home/selenium/.gnupg/pubring.kbx
---------------------------------
sec rsa4096/50B9515EDD63295B 2022-11-06 [SC]
41775C5577BEDBCEBF57DFE250B9515EDD63295B
uid [ultimate] ElboDevOps (GitHub pgp key) <elbodevops@gmail.com>
ssb rsa4096/3D294C4140C2B1C6 2022-11-06 [E]
The public key needs to be exported in ASCII-armored format before GitHub will accept it. To do that, run gpg --armor --export followed by the key ID. This exports only the public key; the secret key never leaves the machine.
gpg --armor --export 50B9515EDD63295B
Copy the whole block, beginning with -----BEGIN PGP PUBLIC KEY BLOCK----- and ending with -----END PGP PUBLIC KEY BLOCK-----. We will now add this key to our GitHub account.
Adding a GPG key to your GitHub account
- On GitHub, click your profile photo in the upper-right corner, then click Settings.
- In the “Access” section of the sidebar, click SSH and GPG keys.
- Scroll down to the GPG keys section and click New GPG key.
- Give it a meaningful title and paste in the PGP public key block. Then save it.
We have now added the GPG key to GitHub, the final step is to tell Git to use it when we’re pushing from our local machine.
Use GPG key with Git
Git needs the long form of the GPG key ID. Find it with the same listing command used earlier; the ID is the 16 hex characters after rsa4096/ on the sec line, 50B9515EDD63295B in our example.
gpg --list-secret-keys --keyid-format=long
To set the primary GPG signing key in Git, run the following command, substituting your own key ID for the example one
git config --global user.signingkey 50B9515EDD63295B
Optionally, configure Git to sign all commits by default (otherwise each commit has to be signed explicitly with the -S flag):
git config --global commit.gpgsign true
And that's it. You have now set up commit signing for your user. When you push to GitHub from now on, you should see a Verified badge next to each commit, provided the committer email on the commit matches a verified email on your account and the email in the key's user ID.
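The whole procedure, from key generation through to a locally verified signed commit, as an added shell example that is not part of the original post. It runs unattended in a throwaway GNUPGHOME and a temporary repository, so it touches neither your real keyring nor your global Git configuration. The helper functions parse the listing format shown above and confirm that the long key ID really is the tail of the fingerprint; the sample listing is constructed from the page's own example so the helpers can be checked on a machine without gpg. The demo key is ed25519 with an empty passphrase purely so it generates instantly inside a script (GitHub accepts EdDSA keys as well as RSA); that choice, the Demo User identity and the demo@example.com address are assumptions for illustration, and a real key gets the RSA 4096 choice and the strong passphrase described above.

```shell
#!/bin/sh
# Added example: unattended GPG key + signed Git commit in a sandbox.
# Not the page's own commands; see the lead-in for what is assumed.

# Constructed sample of `gpg --list-secret-keys --keyid-format=long` output,
# copied from the page's example so the helpers can be exercised offline.
SAMPLE_LISTING='sec   rsa4096/50B9515EDD63295B 2022-11-06 [SC]
      41775C5577BEDBCEBF57DFE250B9515EDD63295B
uid                 [ultimate] ElboDevOps (GitHub pgp key) <elbodevops@gmail.com>
ssb   rsa4096/3D294C4140C2B1C6 2022-11-06 [E]'

# Long ID of the primary signing key: the part after "/" on the "sec" line.
# The "ssb" line is the encryption subkey and must not be used for signing.
signing_key_id() {
  printf '%s\n' "$1" | awk '$1 == "sec" { split($2, p, "/"); print p[2]; exit }'
}

# Full 40-hex fingerprint: the single-field line that follows the "sec" line.
fingerprint_of() {
  printf '%s\n' "$1" | awk 'found && NF == 1 { print $1; exit } $1 == "sec" { found = 1 }'
}

# By definition the long key ID is the last 16 hex digits of the fingerprint;
# use this to confirm you copied the primary key's ID and not a subkey's.
id_matches_fingerprint() {
  [ "${#2}" -eq 40 ] && [ "$(printf '%s' "$2" | tail -c 16)" = "$1" ]
}

# End-to-end: generate a throwaway key, export it as GitHub expects, wire it
# into a temporary repo, make a signed commit and verify it locally.
demo_sign_commit() {
  if ! command -v gpg >/dev/null 2>&1 || ! command -v git >/dev/null 2>&1; then
    echo "demo skipped: gpg and git are both required"
    return 0
  fi
  (
    set -e
    tmp=$(mktemp -d)
    trap 'gpgconf --kill gpg-agent >/dev/null 2>&1 || true; rm -rf "$tmp"' EXIT
    export GNUPGHOME="$tmp/gnupg"     # isolated keyring, real one untouched
    mkdir -m 700 "$GNUPGHOME"

    # Unattended equivalent of the interactive --full-generate-key dialogue.
    # ed25519 + empty passphrase is an assumption for speed in a script only.
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Demo User <demo@example.com>' ed25519 sign never

    listing=$(gpg --list-secret-keys --keyid-format=long)
    key_id=$(signing_key_id "$listing")
    fpr=$(fingerprint_of "$listing")
    id_matches_fingerprint "$key_id" "$fpr"

    # The armored public key is the block pasted into GitHub.
    gpg --armor --export "$key_id" | head -n 1 | grep -q 'BEGIN PGP PUBLIC KEY BLOCK'

    # Repo-local config (same keys as the page's --global commands).
    repo="$tmp/repo"
    git init -q "$repo"
    git -C "$repo" config user.name 'Demo User'
    git -C "$repo" config user.email 'demo@example.com'   # must match the key's UID
    git -C "$repo" config user.signingkey "$key_id"
    git -C "$repo" config commit.gpgsign true
    echo 'signed' > "$repo/README"
    git -C "$repo" add README
    git -C "$repo" commit -q -m 'Signed commit'

    # Local equivalent of GitHub's Verified badge: exit 0 only on a good signature.
    git -C "$repo" verify-commit HEAD
    echo "signed commit verified locally with key $key_id"
  )
}

# Run the end-to-end demo when the script is executed; DEMO_STATUS records the result.
demo_sign_commit
DEMO_STATUS=$?
```

Run it with sh. On a machine without gpg or git the end-to-end part reports that it skipped. The verify-commit step proves the commit carries a good signature from a key in the keyring; GitHub additionally checks the committer email against the account, which is why the user.email set here matches the key's user ID.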
Well done!
Debugging
If you are running WSL and you see the following message when committing
error: gpg failed to sign the data
fatal: failed to write commit object
then GPG itself is probably unable to prompt for your passphrase. Confirm by running the following, which should ask for the passphrase and print a signed message:
echo "test" | gpg --clearsign
If it fails instead (typically with an "Inappropriate ioctl for device" error), run export GPG_TTY=$(tty)
in your terminal, and add the same line to your shell profile (for example ~/.bashrc) so it survives new sessions.