How to Use Gpg Signing Key on a Remote Server

How to share GPG key from remote host to local host without writing the key to a file

The errors you're receiving (error receiving key from agent: Inappropriate ioctl for device - skipped) indicate that your secret key is passphrase protected and that your GPG passphrase agent isn't compatible through SSH, which most aren't.

Three options come to mind:

• Initiate the export from the source host (to facilitate interactive passphrase entry);
• Leverage --passphrase/--pinentry switches (as suggested in the post your reference); e.g., stty -echo && ssh "$host" "gpg --batch --passphrase-fd 0 --pinentry loopback -a --export-secret-key '$key'" | gpg --import; stty echo; or,
• Remove passphrase protection from the key (not necessarily desirable).

How do you approach signing git commits on many machines?

Should I separately generate all keys for all computers

This is considered as a best practice, namely because:

• you can see from where you did your commits, based on the particular key used
• you can revoke a key (and update it) without invalidating all others.

If you want all your projects to:

• be on the same path company-x
• using the same global config (with different keys per machine)

You might consider, with Git 2.23+ using different branches name, one per machine (main-machine1, main-machine2, ...), each one pushing to the regular remote tracking origin/main of their respective repo.

That is because a conditional config file can also use the branch name for its includeIf directive.

Is there any way to set up an SSH config profile to perform GPG signing automatically?

SSH and GIT/GPG have nothing to do with each other, so you cannot configure which PGP key to use for signing commits in your .ssh/config. If you want to set up a PGP key to be used to sign commits you will have to configure git to do so.

You can set this up globally like this:

git config --global gpg.program gpg
git config --global commit.gpgsign true
git config --global user.signingkey <KEY-FINGERPRINT-HERE>

Where <KEY-FINGERPRINT-HERE> is the fingerprint of the key you want to use, which has to be already imported in gpg (see gpg --edit-key <your-mail> for the fingerprint).

You can also omit --global to configure different settings only for the current GIT repository that you are working on.

Is there a way to autosign commits in Git with a GPG key?

Note: if you don't want to add -S all the time to make sure your commits are signed, there is a proposal (branch 'pu' for now, December 2013, so no guarantee it will make it to a git release) to add a config which will take care of that option for you.

Update May 2014: it is in Git 2.0 (after being resend in this patch series)

See commit 2af2ef3 by Nicolas Vigier (boklm):

Add the commit.gpgsign option to sign all commits

If you want to GPG sign all your commits, you have to add the -S option all the time.

The commit.gpgsign config option allows to sign all commits automatically.

commit.gpgsign

A boolean to specify whether all commits should be GPG signed.

Use of this option when doing operations such as rebase can result in a large number of commits being signed. It may be convenient to use an agent to avoid typing your GPG passphrase several times.

---

That config is usually set per repo (you don't need to sign your private experimental local repos):

cd /path/to/repo/needing/gpg/signature
git config commit.gpgsign true

You would combine that with user.signingKey used as a global setting (unique key used for all repo where you want to sign commit)

git config --global user.signingkey F2C7AB29!
                                           ^^^

As ubombi suggests in the comments (and explain in "GPG Hardware Key and Git Signing", based on "How to Specify a User Id")

When using gpg an exclamation mark (!) may be appended to force using the specified primary or secondary key, and not to try and calculate which primary or secondary key to use.

Note that Rik adds in the comments:

If you're using something like a YubiKey (as recommended) you don't need to worry about the exclamation point because the only signing key(s) you should have available for a primary key-pair are:

• the primary key itself, which should have a # after it indicating it's not available,
• and the secret subkey with a > after it indicating it's a stub that points to the YubiKey as the only available signing key in its applet.

Only if you keep all your private keys available on your system (bad practice), then probably it would be a good idea to prevent auto-selection between available signing keys

---

user.signingKey was introduced in git 1.5.0 (Jan. 2007) with commit d67778e:

There shouldn't be a requirement that I use the same form of my name in
my git repository and my gpg key.

Further I might have multiple keys in my keyring, and might want to use one that doesn't match up with the address I use in commit messages.

This patch adds a configuration entry "user.signingKey" which, if present, will be passed to the "-u" switch for gpg, allowing the tag signing key to be overridden.

This is enforced with commit aba9119 (git 1.5.3.2) in order to catch the case where If the user has misconfigured user.signingKey in their .git/config or just doesn't have any secret keys on their keyring.

Notes:

• By convention, since git 2.4.0 March 2015, it is signingKey, not signingkey, even though the git config keys are case insensitive. That would matter only if you do git config --get-regexp, which is case sensitive, otherwise, it is only a readability convention;
• If you want the git server to check the signature for each push, you will need git 2.2+ (Oct. 2014) at least (commit b945901), as git push --signed failed to consider the user.signingKey config value;
• git 2.9 (June 2016) will use user.signingKey to force signing annotated tags as well as commits: commit 61c2fe0.

How to use GPG on Windows to authenticate to Github for SSH?

To authenticate to GitHub over SSH, you can only use the SSH keys. GPG keys are used to sign the commits so that people know that the commit was made by you, not someone else.

Here's the scenario:

You use SSH on your PC to pull/push to GitHub. But one day, someone finds out your password, somehow. Now, that person can also push and pull to GitHub through your account. This way, it will be hard for others to know which commit was made by the real you, and which one was made by an imposter.

But if you have a GPG key authenticated to your GitHub account for your PC that you use to make the commits over SSH, the commits will be signed. Now, even if someone got your password and could commit something, somehow, others will know that the commit wasn't made by you. Why? Because it wasn't signed using your GPG key.

GPG keys are like virtual signatures/fingerprint used to identify what belongs (authorized) to you and what doesn't. Just like an SSH key that is used to verify your identity for easier access.

So, NO, you can't use GPG keys to push/pull to/from GitHub.

GPG sign not using keys from gpg-connect-agent

You need to import your public key to WSL.

As stated here https://wiki.gnupg.org/AgentForwarding:

It is important to note that to work properly GnuPG on the remote system still needs your public keys.

Steps:

1. On Windows, export your public key with gpg --export -a 'mail@none.com' > public.key;
2. On WSL, import your public key with gpg --import public.key.

Use gpg to sign git commits in eclipse

It seems to be a missing feature of EGit, you should probably suggest this enhancement to http://bugs.eclipse.org .

---

Related Topics