my version of gpg on the mac
brew install gnupg21 pinentry-mac
(this includes gpg-agent and pinentry)
Generate a key: $ gpg2 --gen-key
Take the defaults. Whatevs
Tell gpg-agent to use pinentry-mac:
$ vim ~/.gnupg/gpg-agent.conf
paste in
# Connects gpg-agent to the OSX keychain via the brew-installed
# pinentry program from GPGtools. This is the OSX 'magic sauce',
# allowing the gpg key's passphrase to be stored in the login
# keychain, enabling automatic key signing.
pinentry-program /usr/local/bin/pinentry-mac
Tell git about it: https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work. Here is my git gpg config: https://github.com/bcomnes/.dotfiles/blob/master/configs/gitconfig.d/gpg
$ gpg2 --list-keys
/Users/schacon/.gnupg/pubring.gpg
---------------------------------
pub 2048R/0A46826A 2014-06-04
uid Scott Chacon (Git signing key) <schacon@gmail.com>
sub 2048R/874529A9 2014-06-04
$ git config --global user.signingkey 0A46826A
Tell git that you are using gpg2 like a boss
$ git config --global gpg.program gpg2
Tell github about it https://help.github.com/articles/adding-a-new-gpg-key-to-your-github-account/
Restart, or kill any running gpg-agent processes. An agent that was already running before you edited gpg-agent.conf will not pick up the new pinentry setting.
Sign your commits
$ git commit -S -m 'yolo'
Consider signing all your commits. In ~/.gitconfig:
[commit]
gpgsign = true
or
$ git config --global commit.gpgsign true
Other considerations:
Step 2:
Creating a subkey for other systems:
List your keys:
gpg2 --list-keys
/Users/bret/.gnupg/pubring.kbx
------------------------------
pub rsa2048 2016-04-06 [SC]
FDA5889C6500AC85C60486F53705F4634DC3A1AC
uid [ultimate] Bret Comnes <bcomnes@gmail.com>
sub rsa2048 2016-04-06 [E]
Edit your keyid
gpg2 --edit-key FDA5889C6500AC85C60486F53705F4634DC3A1AC
gpg (GnuPG) 2.1.18; Copyright (C) 2017 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Secret key is available.
sec rsa2048/3705F4634DC3A1AC
created: 2016-04-06 expires: never usage: SC
trust: ultimate validity: ultimate
ssb rsa2048/D6CFDF18724163BB
created: 2016-04-06 expires: never usage: E
[ultimate] (1). Bret Comnes <bcomnes@gmail.com>
gpg>
Create a signing and encryption subkey with expiration dates
gpg> addkey
Please select what kind of key you want:
(3) DSA (sign only)
(4) RSA (sign only)
(5) Elgamal (encrypt only)
(6) RSA (encrypt only)
Your selection? 4
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 1y
Key expires at Wed Feb 21 10:46:38 2018 PST
Is this correct? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
sec rsa2048/3705F4634DC3A1AC
created: 2016-04-06 expires: never usage: SC
trust: ultimate validity: ultimate
ssb rsa2048/D6CFDF18724163BB
created: 2016-04-06 expires: never usage: E
ssb rsa2048/70B0BE3A1284E39F
created: 2017-02-21 expires: 2018-02-21 usage: S
[ultimate] (1). Bret Comnes <bcomnes@gmail.com>
gpg> addkey
Please select what kind of key you want:
(3) DSA (sign only)
(4) RSA (sign only)
(5) Elgamal (encrypt only)
(6) RSA (encrypt only)
Your selection? 6
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 1y
Key expires at Wed Feb 21 10:47:20 2018 PST
Is this correct? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
sec rsa2048/3705F4634DC3A1AC
created: 2016-04-06 expires: never usage: SC
trust: ultimate validity: ultimate
ssb rsa2048/D6CFDF18724163BB
created: 2016-04-06 expires: never usage: E
ssb rsa2048/70B0BE3A1284E39F
created: 2017-02-21 expires: 2018-02-21 usage: S
ssb rsa2048/4BE4221F87387C35
created: 2017-02-21 expires: 2018-02-21 usage: E
[ultimate] (1). Bret Comnes <bcomnes@gmail.com>
SAVE YOUR KEY
gpg> save
$ gpg2 --list-keys
/Users/bret/.gnupg/pubring.kbx
------------------------------
pub rsa2048 2016-04-06 [SC]
FDA5889C6500AC85C60486F53705F4634DC3A1AC
uid [ultimate] Bret Comnes <bcomnes@gmail.com>
sub rsa2048 2016-04-06 [E]
sub rsa2048 2017-02-21 [S] [expires: 2018-02-21]
sub rsa2048 2017-02-21 [E] [expires: 2018-02-21]
You should now see your keys.
Create a copy of your ~/.gnupg folder (it is a directory, so cp needs -r):
cp -r ~/.gnupg ~/Downloads/subkeys
Figure out which keys you don't want on the other system:
gpg2 --with-keygrip --list-key FDA5889C6500AC85C60486F53705F4634DC3A1AC
pub rsa2048 2016-04-06 [SC]
FDA5889C6500AC85C60486F53705F4634DC3A1AC
Keygrip = ****************************************
uid [ultimate] Bret Comnes <bcomnes@gmail.com>
sub rsa2048 2016-04-06 [E]
Keygrip = ****************************************
sub rsa2048 2017-02-21 [S] [expires: 2018-02-21]
Keygrip = ****************************************
sub rsa2048 2017-02-21 [E] [expires: 2018-02-21]
Keygrip = ****************************************
where each ****************************************
corresponds to a <keygrip>.key file name in the ~/.gnupg/private-keys-v1.d folder.
Delete the master signing key and the master encryption subkey (the ones that don't expire) from the copy you just made in your Downloads folder. Zip/encrypt the copied folder into an archive and securely move it to the new host.
$ zip -er subkeys-only.zip ~/Downloads/subkeys
Extract the contents to the host's ~/.gnupg folder and fix any agent config settings specific to that host, like pinentry-mac or whatever.
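An added helper (not from these notes) that automates the keygrip pruning above: it parses the `--with-keygrip` listing, flags the primary key and every subkey with no `[expires:` tag, and removes those `<keygrip>.key` files from the copied folder. The keygrips in the embedded sample listing are constructed placeholders, and `prune_copy` / `keygrips_to_remove` are names chosen here.

```shell
#!/bin/sh
# Constructed sample of `gpg2 --with-keygrip --list-key <FPR>` output.
# The keygrips are fake placeholders, not real key material.
SAMPLE_LISTING='pub   rsa2048 2016-04-06 [SC]
      FDA5889C6500AC85C60486F53705F4634DC3A1AC
      Keygrip = 1111111111111111111111111111111111111111
uid           [ultimate] Bret Comnes <bcomnes@gmail.com>
sub   rsa2048 2016-04-06 [E]
      Keygrip = 2222222222222222222222222222222222222222
sub   rsa2048 2017-02-21 [S] [expires: 2018-02-21]
      Keygrip = 3333333333333333333333333333333333333333
sub   rsa2048 2017-02-21 [E] [expires: 2018-02-21]
      Keygrip = 4444444444444444444444444444444444444444'

# Read a listing on stdin; print the keygrips of the primary key and of every
# subkey that never expires. Those are the private-keys-v1.d/<keygrip>.key
# files that must NOT travel to the other host.
keygrips_to_remove() {
  awk '
    /^(pub|sec)/ { drop = 1; next }                    # primary key: always drop
    /^(sub|ssb)/ { drop = ($0 !~ /\[expires:/); next } # subkey: drop if no expiry
    /Keygrip = / { if (drop) print $3 }
  '
}

# Remove those key files from a copied ~/.gnupg (argument 1), reading the
# listing on stdin. Dry-run by default; pass "apply" as argument 2 to delete.
prune_copy() {
  copy_dir=$1; mode=${2:-dry-run}
  keygrips_to_remove | while read -r grip; do
    f="$copy_dir/private-keys-v1.d/$grip.key"
    if [ "$mode" = apply ]; then rm -f -- "$f"; else echo "would remove $f"; fi
  done
}

# Number of keygrips the sample listing flags for removal (expected: 2).
sample_remove_count() {
  printf '%s\n' "$SAMPLE_LISTING" | keygrips_to_remove | wc -l | tr -d ' '
}

# Dry-run against the sample listing; with real keys you would instead pipe
# `gpg2 --with-keygrip --list-key <FPR>` into `prune_copy ~/Downloads/subkeys apply`.
printf '%s\n' "$SAMPLE_LISTING" | prune_copy "$HOME/Downloads/subkeys"
```

Check the dry-run output against the listing before running with `apply`; the two expiring subkeys' `.key` files are the only ones that should remain.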
GPG will not save us.
Step 3
Publish any changes to the internet:
gpg2 --send-keys MASTERKEYID