GPG
October 8, 2022

Creating GPG secret key

Ensure GPG is Installed

gpg --version
brew install gpg

Generate or Import a GPG Key

gpg --full-generate-key
gpg --import /path/to/your/private-key.asc

Set the Default GPG Key

gpg --list-secret-keys --keyid-format LONG

Find the key you want to use and note its ID. To make it the default for Maven signing, set the gpg.keyname property in your settings.xml or pom.xml; the maven-gpg-plugin passes this value to gpg as --local-user:

<properties>
    <gpg.keyname>YOUR_KEY_ID</gpg.keyname>
</properties>

Alternatively, you can make it the default for every gpg invocation by adding a default-key line to ~/.gnupg/gpg.conf (passing --default-key on the command line only affects that single invocation and does not persist anything):

echo "default-key YOUR_KEY_ID" >> ~/.gnupg/gpg.conf
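The two steps above (list the secret keys, pick the long key ID, feed it to gpg.keyname or default-key) are usually done by eye. The following added example, which is not code from the original page, does the same thing in a shell function so a script or pipeline can derive the ID instead of hard-coding it. It also shows that the long key ID is simply the last 16 hex digits of the key's fingerprint. The two listings are constructed for the example, modelled on the page's Hubot key; the fingerprint is made up.

```bash
#!/bin/sh
# Added example (not from the original page): pick the long key ID out of
# `gpg --list-secret-keys --keyid-format LONG` output so a script can set
# gpg.keyname / default-key without hard-coding the value.

# Constructed sample, GnuPG 1.x style ("4096R/ID") as shown on the page.
SAMPLE_LISTING_OLD='/Users/hubot/.gnupg/secring.gpg
------------------------------------
sec   4096R/3AA5C34371567BD2 2016-03-10 [expires: 2017-03-10]
uid                          Hubot <hubot@example.com>
ssb   4096R/4BB6D45482678BE3 2016-03-10'

# Constructed sample, GnuPG 2.x style ("rsa4096/ID" plus a fingerprint line;
# the fingerprint is made up for the example).
SAMPLE_LISTING_NEW='/Users/hubot/.gnupg/pubring.kbx
-------------------------------
sec   rsa4096/3AA5C34371567BD2 2016-03-10 [SC] [expires: 2017-03-10]
      0123456789ABCDEF012345673AA5C34371567BD2
uid                 [ultimate] Hubot <hubot@example.com>
ssb   rsa4096/4BB6D45482678BE3 2016-03-10 [E]'

# Print the long ID of the first primary secret key. Only "sec " lines are
# considered: "ssb" subkeys are skipped, and "sec#" (primary key not present
# on this machine, so it cannot sign) does not match either.
gpg_primary_key_id() {
    printf '%s\n' "$1" |
        sed -n 's|^sec [^/]*/\([0-9A-Fa-f]\{16\}\).*|\1|p' |
        head -n 1
}

# True if the argument looks like a long key ID: exactly 16 hex digits.
is_long_key_id() {
    printf '%s\n' "$1" | grep -Eq '^[0-9A-Fa-f]{16}$'
}

# The long key ID is the last 16 hex digits of the 40-digit (v4) fingerprint,
# so it can also be derived from a fingerprint copied out of gpg output,
# spaces included. Returns 1 if the input is not a 40-digit fingerprint.
key_id_from_fingerprint() {
    fpr=$(printf '%s' "$1" | tr -d ' ')
    printf '%s\n' "$fpr" | grep -Eq '^[0-9A-Fa-f]{40}$' || return 1
    printf '%s\n' "$fpr" | sed 's/.*\(.\{16\}\)$/\1/'
}

# Cross-check before using an ID in CI: the ID parsed from the listing must
# match the ID derived from the fingerprint. $1 = listing, $2 = fingerprint.
key_id_matches_fingerprint() {
    [ "$(gpg_primary_key_id "$1")" = "$(key_id_from_fingerprint "$2")" ]
}

# Against a real keyring (requires gpg):
# gpg_primary_key_id "$(gpg --list-secret-keys --keyid-format LONG)"
```

The parser deliberately ignores subkeys: the gpg.keyname value, like --local-user, is resolved by gpg to the primary key and its signing-capable subkey, so picking an ssb ID by mistake is the usual cause of "no secret key" errors in a build.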

Change identity for a GPG key

Run the following command to list the long form of the GPG keys for which you have both a public and private key. A private key is required for signing commits or tags.

$ gpg --list-secret-keys --keyid-format=long
/Users/hubot/.gnupg/secring.gpg
------------------------------------
sec   4096R/3AA5C34371567BD2 2016-03-10 [expires: 2017-03-10]
uid                          Hubot <hubot@example.com>
ssb   4096R/4BB6D45482678BE3 2016-03-10

In this example, the GPG key ID is 3AA5C34371567BD2, the 16 hex digits after the slash on the sec line (the output above is from GnuPG 1.x; GnuPG 2.x lists the same key as rsa4096/3AA5C34371567BD2 under pubring.kbx instead). Open the key in the interactive editor:

$ gpg --edit-key 3AA5C34371567BD2

At the gpg> prompt, enter adduid and fill in the user ID details:

gpg> adduid
Real name: OCTOCAT
Email address: octocat@github.com
Comment: GITHUB-KEY
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit?

Enter O to confirm your selections, then enter your key's passphrase when prompted. Finally, save the changes (this also leaves the editor):

gpg> save

To print the public key in ASCII armor format:

$ gpg --armor --export 3AA5C34371567BD2

Copy your GPG key, beginning with -----BEGIN PGP PUBLIC KEY BLOCK----- and ending with -----END PGP PUBLIC KEY BLOCK-----.

Telling Git about your signing key

Telling Git about your GPG key

If you have previously configured Git to use a different key format when signing with --gpg-sign, unset this configuration so the default format of openpgp will be used.

$ git config --global --unset gpg.format

To set your primary GPG signing key in Git:

$ git config --global user.signingkey 3AA5C34371567BD2

Telling Git about your SSH key

Configure Git to use SSH to sign commits and tags:

$ git config --global gpg.format ssh

Copy the SSH public key to your clipboard.

$ pbcopy < ~/.ssh/id_ed25519.pub
# Copies the contents of the id_ed25519.pub file to your clipboard

To set your SSH signing key in Git, pass either the public key itself or the path to the .pub file (a literal key is recognised by its ssh- prefix; Git also accepts it prefixed with key::). The matching private key must be loaded in ssh-agent when signing:

$ git config --global user.signingkey 'ssh-ed25519 AAAAC3(...) user@example.com'

Bitbucket Pipelines Setup

The private-key.gpg.enc file is an openssl-encrypted copy of the GPG secret key used to sign all release files. The unencrypted, ASCII-armored key file can be exported with gpg (you will be asked for the key's passphrase; the exported key remains protected by it):

gpg -a --export-secret-key KEYID > private-key.gpg

Before checking it into the Bitbucket repository, it was encrypted with openssl. Note that -p prints the salt, derived key and IV to stdout, so run this locally and never in a CI step whose log is retained; the same -md, -pbkdf2 and -iter values must be passed again when decrypting:

openssl aes-256-cbc -md sha512 -pbkdf2 -iter 100000 -salt -pass pass:$OPENSSL_PWD -p -in private-key.gpg -out private-key.gpg.enc

The password for the openssl encryption and decryption is stored in the OPENSSL_PWD environment variable configured in Bitbucket and used in the bitbucket-pipelines.yml script. Mark it as a secured variable so it is masked in the build log, and prefer -pass env:OPENSSL_PWD over -pass pass:$OPENSSL_PWD in the pipeline step, since the latter exposes the password in the process list of the build container.

The settings.xml is configured to read the credentials for OSSRH authentication and for GPG signing from environment variables:

  • OSSRH_USER_TOKEN and OSSRH_PWD_TOKEN: the username and password tokens for your OSSRH account, used instead of your actual username and password. You can retrieve the token values by logging into OSSRH.
  • GPG_KEY: the ID of the GPG key to sign with (the gpg.keyname value), e.g. F784FAB8
  • GPG_PWD: the passphrase of the GPG key
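The page shows only the encryption side of this scheme. The following added example, which is not code from the original page or from the project's bitbucket-pipelines.yml, shows the decrypt-and-import side as a pipeline step would run it, plus a roundtrip check against constructed content standing in for private-key.gpg. File names and the OPENSSL_PWD, GPG_KEY and GPG_PWD variables are the ones used above; the temporary-directory handling and the helper function names are assumptions for the example. The gpg import step is guarded and only runs where gpg is installed.

```bash
#!/bin/sh
# Added example (not from the original page): the decrypt-and-import side of
# the private-key.gpg.enc scheme. The KDF options (-md sha512 -pbkdf2
# -iter 100000) must match the encrypt command exactly, otherwise openssl
# reports "bad decrypt". The password is read with -pass env:OPENSSL_PWD so
# it never appears in the process list, and -p is dropped because it would
# print the derived key and IV into the build log.

# Encrypt as the page does (without -p). $1 = plaintext, $2 = output.
encrypt_key_file() {
    openssl enc -aes-256-cbc -md sha512 -pbkdf2 -iter 100000 -salt \
        -pass env:OPENSSL_PWD -in "$1" -out "$2"
}

# Decrypt with the same KDF parameters. The subshell umask keeps the plaintext
# key readable only by the build user. $1 = encrypted file, $2 = output.
decrypt_key_file() {
    ( umask 077 && openssl enc -d -aes-256-cbc -md sha512 -pbkdf2 -iter 100000 \
        -pass env:OPENSSL_PWD -in "$1" -out "$2" )
}

# Import into a throw-away GNUPGHOME (assumed layout, not from the page) and
# delete the plaintext right away; mvn then signs with
# -Dgpg.keyname="$GPG_KEY" -Dgpg.passphrase="$GPG_PWD". Not exercised by the
# roundtrip below; it only runs where gpg is installed. $1 = decrypted key.
import_key_into_temp_home() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; return 1; }
    GNUPGHOME=$(mktemp -d) && export GNUPGHOME
    gpg --batch --yes --import "$1"
    rm -f "$1"
}

# Roundtrip on constructed content standing in for private-key.gpg:
# $1 = content, $2 = password; prints what decryption recovered.
roundtrip() {
    OPENSSL_PWD=$2; export OPENSSL_PWD
    tmpdir=$(mktemp -d)
    printf '%s\n' "$1" > "$tmpdir/private-key.gpg"
    encrypt_key_file "$tmpdir/private-key.gpg" "$tmpdir/private-key.gpg.enc"
    decrypt_key_file "$tmpdir/private-key.gpg.enc" "$tmpdir/decrypted.gpg"
    cat "$tmpdir/decrypted.gpg"
    rm -rf "$tmpdir"
}

# openssl enc is unauthenticated (CBC, no MAC): a wrong password usually fails
# the padding check, but can also produce garbage with exit status 0, and a
# tampered .enc file is not detected at all. So compare the output with the
# original instead of trusting the exit status. $1 = content, $2 = real
# password, $3 = wrong password; returns 0 when the key was not recovered.
wrong_password_does_not_recover() {
    tmpdir=$(mktemp -d)
    printf '%s\n' "$1" > "$tmpdir/k"
    OPENSSL_PWD=$2; export OPENSSL_PWD
    encrypt_key_file "$tmpdir/k" "$tmpdir/k.enc"
    OPENSSL_PWD=$3
    decrypt_key_file "$tmpdir/k.enc" "$tmpdir/k.out" 2>/dev/null || true
    if [ -f "$tmpdir/k.out" ] && cmp -s "$tmpdir/k" "$tmpdir/k.out"; then
        rc=1
    else
        rc=0
    fi
    rm -rf "$tmpdir"
    return $rc
}
```

Because the .enc file carries no integrity protection, anyone with write access to the repository can swap it for a key of their own and the pipeline will happily import it; the real guard is that signing still needs GPG_PWD, which lives only in the Bitbucket secured variables, and that the published key ID is pinned through GPG_KEY.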