Bartosz Firyn edited this page Feb 28, 2022 · 3 revisions

Generate GPG Keys

gpg --gen-key

List GPG Keys

gpg --list-secret-keys --keyid-format LONG

Example:

/home/username/.gnupg/secring.gpg
-------------------------------
sec   xxxA/ABABABABABABABAB 2012-07-10
uid                          John Doe (bobek) <bobek@bobek.com>
ssb   xxxG/CDCDCDCDCDCDCDCD 2012-07-10

Distribute Public Key

Send the example key from above to the keyserver:

gpg --keyserver keyserver.ubuntu.com --send-keys ABABABABABABABAB

Note:

  • The key ID is the value after the / (slash) character on the sec line.

Update Email

To update the email address, first add a new uid:

gpg --edit-key ABABABABABABABAB

Then, at the gpg prompt (example):

gpg> adduid
Real name: <name>
Email address: <email>
Comment: <comment>
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a passphrase to unlock the secret key for
user: "foo <foo@bar.com>"

This will result in (example):

pub  1024D/OBOBOBOB  created: 2012-07-10  expires: never       usage: SCA 
                     trust: full          validity: unknown
sub  1024g/ABABABABABABABAB  created: 2012-07-10  expires: never       usage: E   
[ unknown] (1). John Doe (bobek) <bobek@bobek.com>
[ unknown] (2)  John Doe (bobek) <bobekmeister@bobek.com>

Change the trust level:

gpg> uid 1
gpg> trust

This displays the trust level selector. Choose the ultimate trust level (5).

Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

  1 = I don't know or won't say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately
  m = back to the main menu

Your decision? 5

Do it again for the next uid:

gpg> uid 2
gpg> trust

After this is done, save:

gpg> save

Finally, distribute the updated key to the keyserver:

gpg --keyserver keyserver.ubuntu.com --send-keys ABABABABABABABAB

Revoke Old Uid

gpg --edit-key ABABABABABABABAB

At the gpg prompt:

gpg> uid <old uid number>
gpg> revuid
Really revoke this user ID? (y/N) y
Your decision? 4
Enter an optional description; end it with an empty line: <description>
Is this okay? (y/N) y

Then save:

gpg> save

Then distribute the updated key to the keyserver:

gpg --keyserver keyserver.ubuntu.com --send-keys ABABABABABABABAB

Export GPG Keys

Export private key:

gpg -a --export-secret-keys ABABABABABABABAB > file.name.gpg

Where:

  • The -a (--armor) option writes the output in ASCII-armored (Base64-encoded) form.

Export public key:

gpg -a --export ABABABABABABABAB > file.name.asc

Import GPG Keys

gpg --import file.name.gpg

Signing Commits

Procedure (can be configured with --global or for a specific repo):

$ git config --global commit.gpgsign true                  # optional: every commit will now be signed
$ git config --global user.signingkey ABCDEF01             # ABCDEF01 is the key ID (or fingerprint) of the key to use
$ git config --global alias.logs "log --show-signature"    # now available as: git logs
$ git config --global alias.cis "commit -S"                # optional if global signing is disabled
$ echo "Some content" >> example.txt
$ git add example.txt
$ git cis -m "This commit is signed by a GPG key."         # a regular commit also works if global signing is enabled
$ git logs
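
To check signatures across many commits instead of reading the git logs output by eye, the following added example (not part of the original page) classifies git's %G? signature status letters. It assumes input lines as produced by git log --format='%G? %H %s'; the sample log and its hashes are constructed placeholders, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit commit signatures using git's %G? status codes.
# Real input would come from:  git log --format='%G? %H %s'

# Map a %G? status letter to a verdict. Only "G" (good signature from a
# key with known validity) is accepted without comment.
sig_verdict() {
    case "$1" in
        G) echo "ok: good signature" ;;
        U) echo "warn: good signature, key validity unknown" ;;
        X) echo "fail: good signature that has expired" ;;
        Y) echo "fail: signed by an expired key" ;;
        R) echo "fail: signed by a revoked key" ;;
        B) echo "fail: bad signature" ;;
        E) echo "fail: cannot be checked (missing public key?)" ;;
        N) echo "fail: no signature" ;;
        *) echo "fail: unrecognised status '$1'" ;;
    esac
}

# Read "<status> <hash> <subject>" lines on stdin, print one line for each
# commit that is not "ok", and return 1 if any commit failed the audit.
audit_signatures() {
    rc=0
    while read -r status hash subject; do
        [ -n "$status" ] || continue            # skip blank lines
        verdict=$(sig_verdict "$status")
        case "$verdict" in
            ok:*)   ;;                          # nothing to report
            warn:*) echo "$hash $verdict" ;;    # reported, not fatal
            *)      echo "$hash $verdict"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample input (placeholder hashes, not real commits).
sample_log() {
    cat <<'EOF'
G 1111111 Signed by a key with ultimate trust
U 2222222 Signed, but key validity is unknown locally
N 3333333 Unsigned commit
R 4444444 Signed with a key that was later revoked
EOF
}

sample_log | audit_signatures || echo "unsigned or invalid commits found"
```

In a real repository, replace sample_log with the git log command from the comment at the top of the script.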