# GPG signing – [![git](https://img.shields.io/badge/git-2.40.0-orange)](https://git-scm.com/) [![github-desktop](https://img.shields.io/badge/github--desktop-3.2.3-blueviolet)](https://desktop.github.com/)

Here is a short guide that will help you set up your environment to create signed `commits` or signed `tags` with **Git** locally. This has been **extensively tested on Windows with Git and the GitHub Desktop application**: I use it every day for my professional development projects.

> If you face any issue, feel free to leave a comment below.

## Summary

1. [Sign `commits` or `tags`](#sign-commits-or-tags)
2. [Key passphrase](#key-passphrase)
3. [Disable signatures](#disable-signatures)
4. [Renew a GPG key](#renew-a-gpg-key)

### Sign `commits` or `tags`

1. Generate a **GPG key** and add its public part to GitHub: https://help.github.com/articles/generating-a-new-gpg-key _(if you don't want to type a passphrase on every commit, press "Enter" when the console prompts you for a passphrase; be aware that an unprotected key can be used by anyone who can read your `.gnupg` directory, so a passphrase cached by `gpg-agent` is the safer choice, see [Key passphrase](#key-passphrase))_
2. Open the `.gitconfig` **configuration file** by typing `git config --global --edit` in a terminal _(since this file can exist in different places depending on your operating system, the git binary locates it for you and opens it in your default editor)_
3. Configure **Git** by replacing _GITHUB_EMAIL_, _SIGNING_KEY_ and _GPG_BINARY_PATH_ with **your own data**:

   ```gitconfig
   [user]
     name = Xavier Foucrier
     email = GITHUB_EMAIL
     signingkey = SIGNING_KEY
   [gpg]
     program = GPG_BINARY_PATH
   [commit]
     gpgsign = true
   [tag]
     gpgsign = true
   ```

   - _GITHUB_EMAIL_: the **email address** used to log in on GitHub; it must also be one of the user IDs of the key and a verified address on your GitHub account, otherwise GitHub shows your signatures as "Unverified"
   - _SIGNING_KEY_: the **GPG key identifier** used to sign commits _(should follow the GPG key ID convention, like this example: https://help.github.com/articles/telling-git-about-your-signing-key/#telling-git-about-your-gpg-key-1)_; use the long 16-character key ID or the full 40-character fingerprint shown by `gpg --list-secret-keys --keyid-format long`, never the short 8-character ID, which is not unique
   - _GPG_BINARY_PATH_: the **GPG binary file path** depending on your Git install and your operating system:
     - Windows: `gpg`, `gpg.exe` or `C:\\Program Files\\Git\\usr\\bin\\gpg.exe` _(can be found using `where gpg` in a terminal; backslashes must be doubled inside `.gitconfig`)_. If you installed [Gpg4win](https://www.gpg4win.org/), it ships its own `gpg.exe` (typically under `C:\Program Files (x86)\GnuPG\bin`) with its own keyring, so make sure the binary you point Git at is the one that actually lists your key when you run `GPG_BINARY_PATH --list-secret-keys`, otherwise Git fails with a "secret key not available" style error
     - Mac or Linux: `gpg` or `/usr/local/bin/gpg` _(can be found using `which gpg` in a terminal)_
4. Enjoy **signed commits** with your favorite code editor, the GitHub Desktop application, and even the command line using `git commit -S -m "Commit message"` _(with `commit.gpgsign = true` the `-S` flag is implied)_ :tada:

### Key passphrase

In order for GPG to **automatically store your key passphrase** (even an empty one), so you don't have to enter it every time you sign a commit, GitHub recommends using the following tools:

- Windows: [GPG 4 Win](https://www.gpg4win.org/)
- Mac: [GPG Suite](https://gpgtools.org/)

> These bundles ship `gpg-agent` together with a pinentry program. Modern GPG starts the agent on demand when Git asks for a signature; the agent prompts for the passphrase once and then caches it (600 seconds by default, adjustable with `default-cache-ttl` and `max-cache-ttl` in `gpg-agent.conf`), so the following commits are signed without a prompt.

### Disable signatures

If you want to **temporarily pause GPG signatures** for your commits or tags, just set `gpgsign = false` in your `.gitconfig` configuration file with `git config --global commit.gpgsign false` _(for commits)_ or `git config --global tag.gpgsign false` _(for tags)_. To skip the signature on a single commit only, use `git commit --no-gpg-sign` instead of changing the configuration.

### Renew a GPG key

If the key you have defined in the `.gitconfig` configuration file has **expired**, you can't sign commits anymore: Git aborts the commit because GPG refuses to sign with an expired key. You can easily renew it by following these steps:

1. list the secret keys with `gpg --list-secret-keys`
2. edit the key you want to renew with `gpg --edit-key SIGNING_KEY` _(the GPG key used to sign commits, as defined in your `.gitconfig` configuration file)_
3. gpg prompt is ready: you should see `gpg>`
4. type `expire` to select a new expiration delay and confirm _(if you sign with a subkey rather than the primary key, select it first with `key 1` and run `expire` again, since each subkey has its own expiration date)_
5. type `trust` to trust the selected key as "ultimate" _(this step is not needed if your current key is already trusted as an "ultimate" key, which is the default for keys you generated yourself)_
6. type `quit` and confirm you wish to save changes
7. export the updated public key with `gpg --armor --export SIGNING_KEY` and replace the key on GitHub: GitHub keeps its own copy of the public key, with the old expiration date, and would still show new signatures as unverified until you re-add it
8. enjoy a fresh renewed GPG key!

Thanks everyone for reading! :eyes:
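To close, an end-to-end check of the whole procedure above (key generation, the `.gitconfig` entries, a signed commit and tag, and the expiration date that the renew section depends on), as an added example that is not part of the original guide. It runs entirely in a throw-away `GNUPGHOME` and a throw-away repository, so your real keyring and global `.gitconfig` are untouched; the "Demo Signer" identity and `demo@example.invalid` address are placeholders, and `gpg` (2.1 or newer) and `git` are assumed to be on `PATH`.

```shell
#!/bin/sh
# Added example, not part of the original guide: exercise the signing setup in
# an isolated GNUPGHOME and git repository. "Demo Signer"/demo@example.invalid
# are placeholder identities; gpg 2.1+ and git are assumed to be on PATH.
set -eu

DEMO_NAME="Demo Signer"
DEMO_EMAIL="demo@example.invalid"

# Expiration time (Unix epoch) of a key, read from field 7 of the "pub" record
# in gpg's machine-readable output; empty when the key never expires.
key_expiry_epoch() {
    gpg --batch --with-colons --list-keys "$1" | awk -F: '$1 == "pub" { print $7; exit }'
}

# Runs in a subshell so the exported HOME/GNUPGHOME do not leak to the caller.
# Prints "commit=<status> tag=<ok|bad> expiry=<ok|bad>" on stdout.
demo_sign_and_verify() (
    if ! command -v gpg >/dev/null 2>&1 || ! command -v git >/dev/null 2>&1; then
        echo skipped
        exit 0
    fi
    work=$(mktemp -d)
    trap 'gpgconf --kill gpg-agent >/dev/null 2>&1 || true; rm -rf "$work"' EXIT
    repo="$work/repo"

    # Isolate gpg and git from the real user environment.
    export HOME="$work"
    export GNUPGHOME="$work/gnupg"
    export GIT_CONFIG_NOSYSTEM=1
    mkdir -m 700 "$GNUPGHOME"

    # Step 1 of the guide, unattended: %no-protection is what pressing Enter at
    # the passphrase prompt gives you (anyone who can read the keyring can sign).
    gpg --batch --quiet --gen-key <<EOF
%no-protection
Key-Type: eddsa
Key-Curve: ed25519
Key-Usage: sign
Name-Real: $DEMO_NAME
Name-Email: $DEMO_EMAIL
Expire-Date: 1y
%commit
EOF

    # SIGNING_KEY as the full fingerprint (field 10 of the "fpr" record);
    # short 8-character IDs collide and must not be used here.
    fpr=$(gpg --batch --with-colons --list-secret-keys "$DEMO_EMAIL" \
          | awk -F: '$1 == "fpr" { print $10; exit }')

    # Step 3 of the guide, written with `git config` instead of editing .gitconfig.
    git init -q "$repo"
    git -C "$repo" config user.name "$DEMO_NAME"
    git -C "$repo" config user.email "$DEMO_EMAIL"
    git -C "$repo" config user.signingkey "$fpr"
    git -C "$repo" config gpg.program gpg
    git -C "$repo" config commit.gpgsign true
    git -C "$repo" config tag.gpgsign true

    # Step 4: a signed commit (no -S needed, commit.gpgsign implies it) and a signed tag.
    git -C "$repo" commit -q --allow-empty -m "signed commit"
    git -C "$repo" tag -s v1.0.0 -m "signed tag"

    # Verify: %G? is "G" for a good signature from a trusted key, "E" when gpg
    # cannot find the key, "X"/"Y" for an expired signature/key, "N" for none.
    commit_status=$(git -C "$repo" log -1 --format=%G? HEAD)
    if git -C "$repo" verify-tag v1.0.0 >/dev/null 2>&1; then tag_status=ok; else tag_status=bad; fi

    # The check behind the "Renew a GPG key" section: is the key still valid?
    expiry=$(key_expiry_epoch "$fpr")
    if [ -n "$expiry" ] && [ "$expiry" -gt "$(date +%s)" ]; then expiry_status=ok; else expiry_status=bad; fi

    echo "commit=$commit_status tag=$tag_status expiry=$expiry_status"
)

demo_sign_and_verify
```

If the commit status comes back as `E`, Git invoked a `gpg` binary whose keyring does not contain the key (the Windows Git-bundled versus Gpg4win mix-up described above); `expiry=bad` means the key has already expired and needs the renew procedure before it can sign again.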