22

I am attempting to generate a gpg for Github as detailed here: https://help.github.com/articles/generating-a-new-gpg-key/

I have generated the key and setup both ~/.gitconfig and my local .git/config to include

[user]
  email = austin@my_email_address.com
  name = Austin Gibbons
  signingkey = <key_id>
[gpg]
  program = /usr/local/bin/gpg
[commit]
  gpgsign = true

In ~/.gnupg/gpg.conf I have 

no-emit-version
use-agent

and in ~/.gnupg/gpg-agent.conf

default-cache-ttl 28800000
max-cache-ttl 28800000
use-standard-socket
pinentry-program /usr/local/MacGPG2/libexec/pinentry-mac.app/Contents/MacOS/pinentry-mac

I am prompted for my gpg passphrase every time I run git commit, and nothing I set seems to change that. I am not sure how I can set it in my keyring, and would appreciate any advice!

I am running a gpg-agent daemon

$ ps aux | grep gpg
austin          63896   0.9  0.0  2432772    676 s010  S+    2:37PM   0:00.00 grep gpg
austin          98503   0.0  0.0  2436440    584   ??  S    10:41AM   0:00.00 /bin/bash /usr/local/MacGPG2/libexec/shutdown-gpg-agent
austin          51417   0.0  0.0  2475748    928   ??  Ss    1:58PM   0:00.45 gpg-agent --daemon

When I add to ~/.gnupg/gpg.conf

no-tty

I get

$ git commit -m "test"
error: gpg failed to sign the data
fatal: failed to write commit object

Similar to other questions:

Git signed commits - How to suppress "You need a passphrase to unlock the secret key..."

I have additionally tried generating a key through the command line and through gpg-tools

Community
  • 1
  • 1
Austin
  • 1,122
  • 2
  • 10
  • 27

2 Answers2

22

I followed a process similar to what you did. (This was done on OSX 10.10.5)

Details follow.

Creation of GPG Key and it's addition to Github

First followed the instructions on https://help.github.com/articles/generating-a-new-gpg-key/ where in Step 1 one is asked to download GPG tools. I tried downloading https://sourceforge.net/projects/gpgosx/files/GnuPG-2.1.14.dmg/download however that did not end up in the PATH, so thought of searching brew :

$ brew search gpg
==> Formulae
gpg  gpg1 gpg2 gpgme libgpg-error

==> Casks
gpg-suite  gpg-suite-nightly  gpg-suite-no-mail  gpg-suite-pinentry gpg-sync

$ brew cask install gpg-suite-no-mail
==> Downloading https://releases.gpgtools.org/GPG_Suite-2019.2.dmg
...... installation log snipped ....

Note: gpg-suite-no-mail installs the full set of GPG tools (now called GPG Suite), except for GPG Mail, a premium feature.

With that in place, carried on following the instructions on https://help.github.com/articles/generating-a-new-gpg-key/ from #2 to #14 after which, ended with a 4096 bit GPG key added to my Github account.

Here is some output from Steps #2 to #9 (creation of the GPG key):

$ gpg --gen-key
gpg (GnuPG/MacGPG2) 2.0.30; Copyright (C) 2015 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection?  (Chose DEFAULT)

RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits

Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: blahblah
Email address: blahblah@blah.blah
Comment:
You selected this USER-ID:
    "blahblah <blahblah@blah.blah>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O

You need a Passphrase to protect your secret key.
We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy.
gpg: key ABCDEFG marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
pub   4096R/ABCDEFG 2016-10-03
      Key fingerprint = adf asdf asdf asdf asf asdfas dfasdf
uid       [ultimate] blahblah <blahblah@blah.blah>
sub   4096R/ABCDEFG 2016-10-03

Using the GPG key with GIT to create and push signed commits

And then created and pushed a signed commit to Github:

$ git config --local user.signingkey ABCDEFGHIJKLD2

$ touch test && git add test

$ git -c user.name="blahblah" -c user.email=blahblah@blah.blah commit -S -m "Test GPG"

You need a passphrase to unlock the secret key for
user: "blahblah <blahblah@blah.blah>"
4096-bit RSA key, ID ABCDEFG, created 2016-10-03

[master abcdefg] Test GPG
 1 file changed, 0 insertions(+), 0 deletions(-)
 create mode 100644 test

$ git push
Counting objects: 2, done.
Delta compression using up to 8 threads.
Compressing objects: 100% (2/2), done.
Writing objects: 100% (2/2), 956 bytes | 0 bytes/s, done.
Total 2 (delta 0), reused 0 (delta 0)
To ssh://github.com/someuser/somerepo.git
   abcdefg..abcdeff  master -> master

The first attempt to create a signed commit resulted in the following popup: enter image description here

However after I saved it to the Keychain, I was not prompted again while creating another signed commit and on pushing the commit, Github correctly showed the commit as 'Verified':

enter image description here

orendain
  • 13
  • 3
Ashutosh Jindal
  • 18,501
  • 4
  • 62
  • 91
  • 2
    Hm, thanks for the response Ashutosh - when I go through the steps I never get the save in keychain pop-up. Do you know of another way to save it in the keychain? – Austin Oct 12 '16 at 19:19
  • There is also an option in `GPGPreferences` to `Store in OS X Keychain`. Also it might be worth checking if `GPG Keychain` app shows your key. [This (Section 1)](https://gpgtools.tenderapp.com/kb/faq/password-management) is also worth a read. – Ashutosh Jindal Oct 12 '16 at 19:47
  • 2
    I have only had this issue since upgrading to Sierra – Eddie Jaoude Dec 24 '16 at 04:34
  • 1
    Have the same issue cannot get prompt any more! – Saddle Point Jan 08 '21 at 13:31
2

Here's how to do Ashutosh's solution in Python 2. (stolen and modified from here)

import subprocess
import urllib

gpg_agent = subprocess.Popen(["gpg-connect-agent"], stdin=subprocess.PIPE,
                             stdout=subprocess.PIPE)
prompt = urllib.quote('Please enter your password')
cache_id = 'foobar_app1'
command = "GET_PASSPHRASE %s X X %s\n" % (cache_id, prompt)
stdout = gpg_agent.communicate(command)[0]
if gpg_agent.returncode != 0:
    raise Exception("gpg-connect-agent exited %r" %
                    (gpg_agent.returncode,))
elif not stdout.startswith("OK"):
    raise Exception("gpg-agent says: %s" % (stdout.rstrip(),))
else:
    # You'll get an exception here if we get anything we didn't expect.
    passphrase = stdout[3:-1].decode("hex")
    print(passphrase)
Evidlo
  • 173
  • 1
  • 8