Use homebrew to install the tools
brew install gnupg pinentry-mac
Configure gpg
Start by creating configuration files for gpg and pinentry-mac. These files will be used to configure gpg and pinentry-mac to use the same keychain as your Mac OS keychain.
mkdir ~/.gnupg
touch ~/.gnupg/gpg-agent.conf
touch ~/.gnupg/gpg.conf
Add the following to ~/.gnupg/gpg-agent.conf:
default-cache-ttl 34560000
max-cache-ttl 34560000
pinentry-program /opt/homebrew/bin/pinentry-mac
The TTL values above are set to 400 days. You can set them to whatever you want, but you will be prompted for your passphrase based on your configured TTL values.
The location for pinentry-mac may be different depending on where you installed it. You can find the location by running which pinentry-mac. On Apple Silicon you will usually use /opt/homebrew/bin/pinentry-mac, and on Intel Macs you will usually use /usr/local/bin/pinentry-mac.
Add the following to ~/.gnupg/gpg.conf:
use-agent
Add the following to ~/.zshrc:
export GPG_TTY=$(tty)
gpgconf --launch gpg-agent
In order for these changes to take effect, you will need to restart your terminal or run source ~/.zshrc.
Generate a new key
gpg --full-generate-key
Anwer the questions as follows:
| Question | Answer |
|---|---|
| Kind of key: | 4 RSA |
| Key size: | 4096 |
| Key expires: | 2y (or however long you want the key to last) |
| Real name: | your GitHub username |
| Email address: | your GitHub email address |
| Comment: | (leave blank) |
When prompted for a key passphrase enter a strong passphrase.
Add your work email address to your key
Retrieve your key id:
gpg --list-secret-keys --keyid-format SHORT
The sequence of characters after rsa4096 is your key id.
gpg --edit-key <your key id>
gpg> adduid
Follow the prompts to add your work email address. Once completed you can confirm your second email address was added by running gpg --list-keys.
Configure git to use gpg
Retrieve your key id:
gpg --list-secret-keys --keyid-format SHORT
The sequence of characters after rsa4096 is your key id.
Update your git configuration to use your key id:
git config --global user.signingkey <your key id>
git config --global commit.gpgsign true
git config --global tag.gpgsign true
Export your public key and add it to your GitHub account settings
gpg --armor --export <your key id>
Navigate to your GitHub account settings, click on SSH and GPG keys, and click on New GPG key. Paste the public key into the text box and click Add GPG key.