Use homebrew to install the tools

brew install gnupg pinentry-mac

Configure gpg

Start by creating configuration files for gpg and pinentry-mac. These files will be used to configure gpg and pinentry-mac to use the same keychain as your Mac OS keychain.

mkdir ~/.gnupg
touch ~/.gnupg/gpg-agent.conf
touch ~/.gnupg/gpg.conf

Add the following to ~/.gnupg/gpg-agent.conf:

default-cache-ttl 34560000
max-cache-ttl 34560000
pinentry-program /opt/homebrew/bin/pinentry-mac

The TTL values above are set to 400 days. You can set them to whatever you want, but you will be prompted for your passphrase based on your configured TTL values.

The location for pinentry-mac may be different depending on where you installed it. You can find the location by running which pinentry-mac. On Apple Silicon you will usually use /opt/homebrew/bin/pinentry-mac, and on Intel Macs you will usually use /usr/local/bin/pinentry-mac.

Add the following to ~/.gnupg/gpg.conf:


Add the following to ~/.zshrc:

export GPG_TTY=$(tty)
gpgconf --launch gpg-agent

In order for these changes to take effect, you will need to restart your terminal or run source ~/.zshrc.

Generate a new key

gpg --full-generate-key

Anwer the questions as follows:

Kind of key:4 RSA
Key size:4096
Key expires:2y (or however long you want the key to last)
Real name:your GitHub username
Email address:your GitHub email address
Comment:(leave blank)

When prompted for a key passphrase enter a strong passphrase.

Add your work email address to your key

Retrieve your key id:

gpg --list-secret-keys --keyid-format SHORT

The sequence of characters after rsa4096 is your key id.

gpg --edit-key <your key id>

gpg> adduid

Follow the prompts to add your work email address. Once completed you can confirm your second email address was added by running gpg --list-keys.


Configure git to use gpg

Retrieve your key id:

gpg --list-secret-keys --keyid-format SHORT

The sequence of characters after rsa4096 is your key id.

Update your git configuration to use your key id:

git config --global user.signingkey <your key id>
git config --global commit.gpgsign true
git config --global tag.gpgsign true

Export your public key and add it to your GitHub account settings

gpg --armor --export <your key id>

Navigate to your GitHub account settings, click on SSH and GPG keys, and click on New GPG key. Paste the public key into the text box and click Add GPG key.

Verify your commits