Oct 8th, 2022


Change identity for a GPG key

to list the long form of the GPG keys for which you have both a public and private key. A private key is required for signing commits or tags.

$ gpg --list-secret-keys --keyid-format=long
sec   4096R/3AA5C34371567BD2 2016-03-10 [expires: 2017-03-10]
uid                          Hubot <>
ssb   4096R/4BB6D45482678BE3 2016-03-10

In this example, the GPG key ID is 3AA5C34371567BD2:

$ gpg --edit-key 3AA5C34371567BD2

to add the user ID details.

$ gpg> adduid
  Real Name: OCTOCAT
  Email address: ""
  Comment: GITHUB-KEY
  Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit?

Enter O to confirm your selections.

Enter your key’s passphrase.

To save the changes.

$ gpg> save

To print the GPG key in ASCII armor format

$ gpg --armor --export 3AA5C34371567BD2

Copy your GPG key, beginning with -----BEGIN PGP PUBLIC KEY BLOCK----- and ending with -----END PGP PUBLIC KEY BLOCK-----.

Telling Git about your signing key

Telling Git about your GPG key

If you have previously configured Git to use a different key format when signing with --gpg-sign, unset this configuration so the default format of openpgp will be used.

$ git config --global --unset gpg.format

To set your primary GPG signing key in Git

$ git config --global user.signingkey 3AA5C34371567BD2

Telling Git about your SSH key

Configure Git to use SSH to sign commits and tags:

$ git config --global gpg.format ssh

Copy the SSH public key to your clipboard.

$ pbcopy < ~/.ssh/
# Copies the contents of the file to your clipboard

To set your SSH signing key in Git

$ git config --global user.signingkey 'ssh-ed25519 AAAAC3(...)'

Bitbucket Pipelines Setup

The private-key.gpg.enc file is an openssl-encrypted, GPG key file, that contains the key required for signing all files. The unencrypted key file can exported with gpg:

gpg -a --export-secret-key KEYID > private-key.gpg

Before checking it into the bitbucket repository, it was encrypted with openssl:

openssl aes-256-cbc -md sha512 -pbkdf2 -iter 100000 -salt -pass pass:$OPENSSL_PWD -p -in private-key.gpg -out private-key.gpg.enc

The password value for the openssl encryption and decryption is stored in the OPENSSL_PWD environment variable configured in Bitbucket and used in the bitbucket-pipelines.yml script.

The settings.xml is configured to access environment variables for the authentication to OSSRH as well the GPG signing:

  • OSSRH_USER_TOKEN and OSSRH-PWD_TOKEN: The username and password tokens for your OSSRH account as an alternative to your actual username and password. You can retrieve the token values by logging into OSSRH.
  • GPG_KEY: the name of the GPG key file to use for signing e.g. F784FAB8
  • GPG_PWD: the password to access the GPG key