Applying GPG and Yubikey: Part 4 (Signing)
As a reminder, you can check out overview post if you’re curious about why and in what ways I started using GPG and Yubikey. If you haven’t set up your GPG keys yet, I also talk about a simple flow in my second post. Finally, the email signing section expects you to have already set up encryption, so you should really check out my third post regarding encryption setup with neomutt.
Today, we’re going specifically into using GPG for signing email and git commits.
Using my GPG key for email signing
Adding signing capabilities is a matter of specifying a couple of extra settings regarding when to sign and with what key. To make it clear how signing works in collaboration with encryption, I’m including my full neomutt configuration file. Relevant settings include crypt_autosign, crypt_replysign, and pgp_sign_as to distinguish the signing key from the encryption key.
# << CRYPTO: GENERAL CONFIG >> # Use GPGME backend instead of classic code set crypt_use_gpgme = "yes" # Attempt to cryptographically sign outgoing messages set crypt_autosign = "yes" # Always attempt to veryify email signatures # NOTE: Set by default set crypt_verify_sig = "yes" # Automatically sign replies to signed emails set crypt_replysign = "yes" # Automatically encrypt replies to encrypted emails # NOTE: Set by default set crypt_replyencrypt = "yes" # Automatically sign replies to encrypted emails, gets # around issues with pure replysign set crypt_replysignencrypted = "yes" # Auto encrypt out outgoing messages # NOTE: Will ALWAYS try to encrypt even if no keys are available #set crypt_autoencrypt = "yes" # Only encrypt if all recipients are found in public key set crypt_opportunistic_encrypt = "yes" # << PGP: GENERAL CONFIG >> # Use a gpg-agent for private key password prompts # NOTE: Set by default because GnuPG 2.1+ requires it set pgp_use_gpg_agent = "yes" # Check status of gpg commands using file descriptor output from # decrypt and decode commands # NOTE: Set by default set pgp_check_gpg_decrypt_status_fd = "yes" # << PGP: SELF ENCRYPTION CONFIG >> # When encrypting email, always include own key to be able to read sent mail set pgp_self_encrypt = "yes" # Set the key to use for encryption/decryption of email set pgp_default_key = "588B4B090695884C" # Set the key to use for signing email set pgp_sign_as = "6CA6A08DBA640677"
Using my GPG key for signing commits
I’ll admit that until Github announced support for displaying verified commits, I did not know that you could sign git commits. Even after that announcement, signing commits was not something that I planned to seek out to accomplish.
Setting up the signing process is actually very easy. For git, you need to create a .gitconfig file in your home directory. From there, add your signing key
[user] name = Chip Senkbeil email = [email protected] signingkey = 0x6CA6A08DBA640677
You need to make sure that whatever signing key you use has an ID whose email
address matches that of the email you provide in your git config. Also, just
like with encryption, you aren’t restricted to using a key’s ID. In my actual config, I’ve replaced my signing key ID with my email address of
Out of the box, I can now sign commits explicitly using using
git commit -S
to sign each commit as you make it. For me, I would prefer automatic signing of
all commits given that I plan to have my key available on any computer I use.
To that end, I added an extra setting to .gitconfig to automatically sign
[commit] gpgsign = true
What’s neat is that other version control systems like Mercurial also support signing commits. I just needed to enable the gpg extension in my .hgrc, specify the GPG command, and provide a signing key.
[extensions] gpg= [gpg] cmd=gpg key=0x6CA6A08DBA640677
In the next post, I’ll be explaining how to use GPG for authentication, both to submit commits to Github as well as log into remote servers in a more secure manner.