I’ve been using Keybase.io (you can find me there as JPry) for a little while now, and it occurred to me that I really should be signing my commits with Git. So last week I decided to set that up, and it was easier than I expected.
This is the short version of what I did (approximately), and in the future I hope to make this into a more detailed tutorial:
- brew --cask install keybase – Install the Keybase app using Homebrew
- brew --cask install gpg-suite – Install the GPG suite
- keybase pgp gen – Create a new GPG key (I didn’t already have one)
- Grab the public key using keybase pgp export, then add it to the GPG keys on your GitHub account.
- git config --global user.signingkey <my_key_ID> – Tell my local git to use my GPG key for signing
- git config --global commit.gpgsign true – Enable GPG commit signing
What you end up with are commits that carry the “Verified” label on GitHub: GitHub checked the signature against the public key on my account, which is an affirmation that I was actually the one who made those commits.
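Once signing is switched on, it is worth auditing recent commits to confirm they were really signed, and signed with the intended key, rather than trusting the badge alone. This is an added example, not code from the original post; it assumes git is on PATH and that the expected key is given as the 16-character long key ID, which is the form git prints for %GK.

```shell
# Audit commits for a signature made with the expected key.
# Uses git's %G? (signature status) and %GK (signing key ID) format codes.

# Reads lines of "<hash> <status> <key>" on stdin, prints one line per
# problem, and returns 0 only if every commit has a good signature
# from the expected key.
check_signature_lines() {
  expected="$1"
  bad=0
  while read -r hash status key; do
    [ -z "$hash" ] && continue
    case "$status" in
      G)  # good signature: still check it was made by the right key
        if [ "$key" != "$expected" ]; then
          echo "WRONG-KEY  $hash signed by ${key:-?}, expected $expected"
          bad=1
        fi ;;
      N) echo "UNSIGNED   $hash"; bad=1 ;;
      B) echo "BAD-SIG    $hash"; bad=1 ;;
      U) echo "UNTRUSTED  $hash good signature, but key not trusted locally"; bad=1 ;;
      E) echo "UNCHECKED  $hash signature present but key unavailable"; bad=1 ;;
      X|Y|R) echo "EXPIRED/REVOKED($status) $hash"; bad=1 ;;
      *) echo "UNKNOWN($status) $hash"; bad=1 ;;
    esac
  done
  return $bad
}

# Convenience wrapper: audit_signatures <long_key_id> [revision range]
# Example: audit_signatures 0123456789ABCDEF origin/main..HEAD
audit_signatures() {
  expected="$1"
  range="${2:-HEAD~10..HEAD}"
  git log --format='%H %G? %GK' "$range" | check_signature_lines "$expected"
}
```

The wrapper exits non-zero when anything is flagged, so it drops straight into a pre-push hook or CI step.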
Adding Keys to a new Machine
Since originally writing this, I’ve migrated machines a couple of times and needed to transfer my keys securely. My keys are managed in GPG Keychain, and I use the Keybase filesystem to move the exported key file between machines. Here’s the process I’ve used:
1. On the old machine, open GPG Keychain.
2. Select the key(s) that you want to copy, and choose Export.
3. Save the file to a private location in the Keybase filesystem. Make sure to choose the option to export secret keys.
4. On the new machine, open GPG Keychain.
5. Choose Import, and open the file you just saved from the Keybase filesystem.
In both steps 3 and 5 you’ll need to input the secret key passphrase (you have one of those, right?).