Setting up GPG for code signing (optional)

You can sign your commits with your GPG key. This is currently optional for ContainerSSH contributors.

Setting up GPG

On Linux or Windows Subsystem for Linux, GPG is available from your distribution's package manager. You can install it using the following commands:

Ubuntu

sudo apt-get update
sudo apt-get install gnupg2

RHEL/CentOS

yum install gnupg2

Fedora

dnf install gnupg2

Gentoo

emerge --ask app-crypt/gnupg

Tip

You may want to install the Kleopatra GUI for easier access.

GPG4Win is a full suite for managing GPG keys on Windows. We recommend installing it with the Kleopatra GUI.

Homebrew

brew install gnupg2

MacPorts

sudo port install gnupg2

GUI

GPGTools offers a graphical version of GPG.

Creating your GPG key

Run the following command:

gpg --full-generate-key

  • Select RSA and RSA as the key format.
  • Select 4096 bits for the bit size.
  • When prompted for your user information, make sure that the e-mail address matches your GitHub e-mail and the one in your Git config, otherwise your push may be rejected. If you do not wish to publish your e-mail address, GitHub gives you a privacy option.

If you use the Kleopatra GUI instead:

  • Select File → New Key Pair...
  • Select "Create a personal OpenPGP key pair".
  • Set your name and the same e-mail address you have on your GitHub account. If you do not wish to publish your e-mail address, GitHub gives you a privacy option.
  • Follow the wizard to create your GPG key.

Run the following command:

gpg --default-new-key-algo rsa4096 --gen-key

  • Select RSA and RSA as the key format.
  • Select 4096 bits for the bit size.
  • When prompted for your user information, make sure that the e-mail address matches your GitHub e-mail and the one in your Git config, otherwise your push may be rejected. If you do not wish to publish your e-mail address, GitHub gives you a privacy option.

Adding your key to GitHub

First, list your GPG keys with the key IDs:

$ gpg --list-secret-keys --keyid-format LONG
------------------------------------------------
sec   rsa4096/YOUR-KEY-ID 2020-06-18 [SC]
...

Copy the key ID as you will need it for the next steps, then export your public key:

gpg --armor --export YOUR-KEY-ID

Go to GitHub → Settings → SSH and GPG keys and add a GPG key. Paste the key you just copied into the interface.

If you manage your keys in a GUI, export the key from there instead:

  • Right click the key generated in the previous step.
  • Select "Export...".
  • Save the file on your machine.
  • Open the file in a text editor.
  • Copy the key.
  • Go to GitHub → Settings → SSH and GPG keys and add a GPG key. Paste the key you just copied into the interface.

Or, in a GUI that has an export button in its toolbar:

  • Select the previously generated key.
  • Click the "Export" icon in the toolbar.
  • Click Save.
  • Open the file in a text editor.
  • Copy the key.
  • Go to GitHub → Settings → SSH and GPG keys and add a GPG key. Paste the key you just copied into the interface.

Setting up GPG signing in Git

This method sets up automatic code signing for all Git repositories on your computer. Run the following commands under your user account:

git config --global user.name "Your Name"
git config --global user.email "your-gpg-email@example.com"
git config --global commit.gpgsign true
git config --global tag.gpgsign true
git config --global user.signingkey YOUR-KEY-ID

Run the following commands in the directory where you cloned the repository:

git config user.name "Your Name"
git config user.email "your-gpg-email@example.com"
git config commit.gpgsign true
git config tag.gpgsign true
git config user.signingkey YOUR-KEY-ID

Warning

This method sets up GPG signing in a single repository. You must configure this every time you clone a new ContainerSSH repository.
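
The checks below are an added example, not part of the ContainerSSH documentation: they audit the settings from the steps above, including the requirement that an e-mail address on the key matches the one in your Git config. The function names and the sample data are constructed for illustration, and the key ID is assumed to be in the LONG format shown earlier.

```shell
#!/bin/sh
# Added example; function names and sample data are constructed.

# Reads `git config --list` output on stdin, prints one line per problem.
# Expects the literal value "true" that the commands on this page set.
audit_git_config() {
    awk '{
            eq = index($0, "="); if (!eq) next
            cfg[tolower(substr($0, 1, eq - 1))] = substr($0, eq + 1)
        }
        END {
            if (cfg["commit.gpgsign"] != "true") print "commit.gpgsign is not true"
            if (cfg["tag.gpgsign"] != "true")    print "tag.gpgsign is not true"
            if (cfg["user.signingkey"] == "")    print "user.signingkey is not set"
            if (cfg["user.email"] == "")         print "user.email is not set"
        }'
}

# Reads `gpg --list-secret-keys --with-colons` output on stdin.
# $1: long key ID from user.signingkey, $2: e-mail from user.email.
audit_key() {
    awk -F: -v id="$1" -v email="$2" '
        BEGIN { id = toupper(id); want = "<" tolower(email) ">" }
        $1 == "sec" {   # field 3 = key length, 4 = algorithm (1 is RSA), 5 = key ID
            cur = (id != "" && substr($5, length($5) - length(id) + 1) == id)
            if (cur) { found = 1; bits = $3 + 0; algo = $4 + 0 }
        }
        $1 == "uid" && cur && index(tolower($10), want) { uid_ok = 1 }   # field 10 = user ID
        END {
            if (!found) { print "no secret key with ID " id; exit }
            if (algo != 1 || bits < 4096) print "key is not 4096-bit RSA"
            if (!uid_ok) print "no user ID on the key matches " email
        }'
}

# Constructed sample data, not taken from a real keyring.
SAMPLE_GIT='user.name=Your Name
user.email=your-gpg-email@example.com
commit.gpgsign=true
user.signingkey=0123456789ABCDEF'
SAMPLE_KEYS='sec:u:4096:1:0123456789ABCDEF:1592438400:::u:::scESC:::+:::23::0:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF0123456789ABCDEF:
uid:u::::1592438400::0000000000000000000000000000000000000000::Your Name <other@example.com>::::::::::0:'

printf '%s\n' "$SAMPLE_GIT"  | audit_git_config
printf '%s\n' "$SAMPLE_KEYS" | audit_key 0123456789ABCDEF your-gpg-email@example.com
# On a real machine:
#   git config --list | audit_git_config
#   gpg --list-secret-keys --with-colons | audit_key "$(git config user.signingkey)" "$(git config user.email)"
```

No output from either function means the settings it checks are consistent.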

Invoking GPG-AGENT

gpg-agent is a daemon to manage secret (private) keys independently from any protocol. You should always add the following lines to your .bashrc or whatever initialization file is used for all shell invocations, so that gpg-agent knows which terminal to use when it prompts for your passphrase:

GPG_TTY=$(tty)
export GPG_TTY

For more information, please read this.

That's it! You can now continue with setting up the toolchain!