Earlier this week, GitHub announced the addition of GPG signature verification support, in the form of a badge indicating whether the signature could be verified using any of the contributor's GPG keys uploaded to GitHub.

Git itself supports signing tags and commits (as of v1.7.9) with GPG keys, which can be used as a verification method to ensure commits are actually from a trusted source, especially if you're taking work from others on the internet!

If you've never used GPG keys to sign your git commits before, the setup is pretty straightforward, and GitHub provides a detailed guide on the setup and usage of GPG keys with Git & GitHub.

If you're a keybase.io user as I am, there are a few gotchas to keep in mind when setting this up.

If you attempt to sign your commits with a Keybase key, you'll end up with an Unverified badge on your commits. This is due to the Keybase identity defaulting to keybase.io/username, which is not a verifiable address by GitHub.

Luckily, you can still use your Keybase.io key on GitHub with a simple workaround, following the instructions below:

1. Using the gpg command line tool, you can edit your Keybase key and add your verified GitHub email address as an additional identity. You can add as many email addresses as you want using the adduid sub-command; just remember to save once done.

    $ gpg --edit-key adduid
    Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
    You need a passphrase to unlock the secret key for
    Pub 4096R/53A56417 created: expires: never usage: SCEA
    Sub 2048R/7B6D3EB9 created: expires: never usage: E

You will be asked to provide a Full Name, Email, and Comment (optional), then prompted to enter your Keybase passphrase.

Now let's make sure we sync our changes with the Keybase.io servers:

    $ keybase pgp update

4. You can use the keybase CLI to export your public key:

    $ keybase pgp export

Or, you can simply copy it from your Keybase profile on the web.

5. Import to GitHub

Add the public key into your GitHub Settings and you'll note the additional verified email address is now added (you can safely ignore the Unverified warning for

Now simply use --gpg-sign or -S as an argument to git commit to sign your commits; you will be prompted to type your passphrase again:

    $ git commit
    need a passphrase to unlock the secret key for
    2048-bit RSA key, ID 397FECF2, created (main key ID 53A56417)
    1 file changed, 0 insertions(+), 0 deletions(-)
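To check in advance whether a key carries the identity that the adduid step adds, the sketch below parses `gpg --list-keys --with-colons` output and tests whether the committer email is a usable identity on the key. It is an added example, not code from the original post; the sample listings, key IDs, names and addresses are constructed placeholders, and treating "email present as a non-revoked, non-expired UID" as the condition for the badge is an assumption based on the post's explanation.

```python
import re

# Constructed `gpg --list-keys --with-colons` output (placeholder key IDs, names
# and addresses; not taken from the post). Field 2 is validity, field 10 the user ID.
KEYBASE_UID = "uid:u::::1460000000::0000::keybase.io/exampleuser <exampleuser@keybase.io>:\n"
ADDED_UID = "uid:u::::1460000500::0001::Example User <dev@example.com>:\n"
REVOKED_UID = "uid:r::::1460000500::0001::Example User <dev@example.com>:\n"


def sample(extra_uid=""):
    """Build a constructed key listing, optionally with a second identity."""
    return ("pub:u:4096:1:AAAAAAAAAAAAAAAA:1460000000:::u:::scESCA:\n"
            + KEYBASE_UID + extra_uid
            + "sub:u:2048:1:BBBBBBBBBBBBBBBB:1460000000::::::e:\n")


def usable_emails(colons):
    """Return the lower-cased emails of all non-revoked, non-expired user IDs."""
    emails = set()
    for line in colons.splitlines():
        fields = line.split(":")
        if fields[0] != "uid" or len(fields) < 10 or fields[1] in ("r", "e"):
            continue
        # gpg escapes ':' and other bytes inside the user ID as \xNN.
        uid = re.sub(r"\\x([0-9a-fA-F]{2})",
                     lambda m: chr(int(m.group(1), 16)), fields[9])
        match = re.search(r"<([^<>@\s]+@[^<>\s]+)>\s*$", uid)
        if match:
            emails.add(match.group(1).lower())
    return emails


def key_covers(colons, committer_email):
    """True if the committer email is one of the key's usable identities."""
    return committer_email.strip().lower() in usable_emails(colons)


if __name__ == "__main__":
    committer = "dev@example.com"  # assumed value of `git config user.email`
    for label, listing in (("Keybase identity only", sample()),
                           ("after adduid", sample(ADDED_UID)),
                           ("added identity revoked", sample(REVOKED_UID))):
        print(f"{label}: {sorted(usable_emails(listing))} "
              f"covers {committer}: {key_covers(listing, committer)}")
```

To run it against a real key, pass the text printed by `gpg --list-keys --with-colons` for that key to `key_covers` together with the address from `git config user.email`.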