szimek · January 29, 2018 20:00 · Jan 29, 2018 · Feb 21, 2017 · Feb 21, 2017 · Feb 21, 2017
diff --git a/git-gpg.md b/git-gpg.md
@@ -1,6 +1,6 @@
 
-1. `brew install gnupg21, pinentry-mac`  (this includes gpg-agent and pinentry)
-2. Generate a key: `$ gpg2 --gen-key`
+1. `brew install gnupg, pinentry-mac`  (this includes gpg-agent and pinentry)
+2. Generate a key: `$ gpg --gen-key`
 3. Take the defaults.  Whatevs
 4. Tell gpg-agent to use pinentry-mac:
 
@@ -21,7 +21,7 @@
 5. Tell git about it: https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work.  Here is my git gpg config: https://github.com/bcomnes/.dotfiles/blob/master/configs/gitconfig.d/gpg
 
 	```
-	$ gpg2 --list-keys
+	$ gpg --list-keys
 	/Users/schacon/.gnupg/pubring.gpg
 	---------------------------------
 	pub   2048R/0A46826A 2014-06-04
@@ -31,14 +31,14 @@
 	$ git config --global user.signingkey 0A46826A
 	```
 
-6. Tell git that you are using gpg2 like a boss
+6. Tell git that you are using `gpg` like a boss
 
 	```
-	$ git config --global gpg.program gpg2
+	$ git config --global gpg.program gpg
 	```
 
-7. Tell github about it https://help.github.com/articles/adding-a-new-gpg-key-to-your-github-account/
-8. Restart maybe or kill any running gpg-agents.  They will not work.
+7. Tell GitHub about it https://help.github.com/articles/adding-a-new-gpg-key-to-your-github-account/
+8. Restart maybe or kill any running gpg-agents. They will not work.
 9. Sign your commits
 
 	```
@@ -47,23 +47,16 @@
 
 10. Consider signing all your commits.  In `~/.gitconfig`: 
 
-	```
-	[commit]
-		gpgsign = true
-	```
-	- https://twitter.com/uhhyeahbret/status/719956230609829890
-	
-	or
 	```
 	$ git config --global commit.gpgsign true
 	```
 
 
 Other considerations:
 
-- Store your passwords in your system keychain. Pinentry-mac provides this for you.  This is a good bet, as it will help you use gpg seamlessly in your workflow every day, and help prevent you from losing your gpg password.  You're probably not edward snowden so the security implications are not a threat to your situation.  You can always harden your arrangements as your needs for super duper security grows.  Taking steps to use gpg every day is a massive improvement over what you were likely not doing before.
+- Store your passwords in your system keychain. `pinentry-mac` provides this for you.  This is a good bet, as it will help you use gpg seamlessly in your workflow every day, and help prevent you from losing your gpg password.  You're probably not Edward Snowden so the security implications are not a threat to your situation.  You can always harden your arrangements as your needs for super duper security grows.  Taking steps to use gpg every day is a massive improvement over what you were likely not doing before.
 -  https://gist.github.com/bmhatfield/cc21ec0a3a2df963bffa3c1f884b676b
--  https://alexcabal.com/creating-the-perfect-gpg-keypair/ <-- good background, but outdated, complicated and overly paranoid for starting out.  
+-  https://alexcabal.com/creating-the-perfect-gpg-keypair/ <-- good background, but outdated, complicated and overly paranoid for starting out.
 -  Pick a primary system, laptop or not.  Use a password manager for the gory details and harddrive encryption to cover your butt if your system gets stolen.  Macs are a great option for this because they have FDE and 1Password.  Generate master keypair taking the default setup on this primary system.  Subkey out to other systems and devices.  Back up your revocation cert.  Remember to migrate your master key when you replace your primary system.  This is a poorly documented process, so if you do go down this path eventually, write down what you did and leave a breadcrumb in the comment for others to learn :+1:
 -  https://www.gnupg.org/gph/en/manual.html
 - https://wiki.debian.org/Subkeys

diff --git a/git-gpg.md b/git-gpg.md
@@ -66,6 +66,7 @@ Other considerations:
 -  https://alexcabal.com/creating-the-perfect-gpg-keypair/ <-- good background, but outdated, complicated and overly paranoid for starting out.  
 -  Pick a primary system, laptop or not.  Use a password manager for the gory details and harddrive encryption to cover your butt if your system gets stolen.  Macs are a great option for this because they have FDE and 1Password.  Generate master keypair taking the default setup on this primary system.  Subkey out to other systems and devices.  Back up your revocation cert.  Remember to migrate your master key when you replace your primary system.  This is a poorly documented process, so if you do go down this path eventually, write down what you did and leave a breadcrumb in the comment for others to learn :+1:
 -  https://www.gnupg.org/gph/en/manual.html
+- https://wiki.debian.org/Subkeys
 
 Step 2:
 

diff --git a/git-gpg.md b/git-gpg.md
@@ -227,4 +227,12 @@ $ zip -er subkeys-only.zip ~/Downloads/subkeys
 
 Extract the contents to the hosts's ~/.gnupg folder and fix any agent config settings specific to that host, like pinentry-mac or whatever.
 
-GPG will not save us.
+GPG will not save us.
+
+Step 3
+
+Publish any changes to the internet:
+
+```
+gpg2 --send-keys MASTERKEYID
+ ```
diff --git a/git-gpg.md b/git-gpg.md
@@ -66,3 +66,165 @@ Other considerations:
 -  https://alexcabal.com/creating-the-perfect-gpg-keypair/ <-- good background, but outdated, complicated and overly paranoid for starting out.  
 -  Pick a primary system, laptop or not.  Use a password manager for the gory details and harddrive encryption to cover your butt if your system gets stolen.  Macs are a great option for this because they have FDE and 1Password.  Generate master keypair taking the default setup on this primary system.  Subkey out to other systems and devices.  Back up your revocation cert.  Remember to migrate your master key when you replace your primary system.  This is a poorly documented process, so if you do go down this path eventually, write down what you did and leave a breadcrumb in the comment for others to learn :+1:
 -  https://www.gnupg.org/gph/en/manual.html
+
+Step 2:
+
+Creating a subkey for other systems:
+
+List your keys:
+
+```
+ gpg2 --list-keys
+/Users/bret/.gnupg/pubring.kbx
+------------------------------
+pub   rsa2048 2016-04-06 [SC]
+      FDA5889C6500AC85C60486F53705F4634DC3A1AC
+uid           [ultimate] Bret Comnes <[email protected]>
+sub   rsa2048 2016-04-06 [E]
+```
+
+Edit your keyid
+
+```
+ gpg2 --edit-key FDA5889C6500AC85C60486F53705F4634DC3A1AC
+ gpg (GnuPG) 2.1.18; Copyright (C) 2017 Free Software Foundation, Inc.
+This is free software: you are free to change and redistribute it.
+There is NO WARRANTY, to the extent permitted by law.
+
+Secret key is available.
+
+sec  rsa2048/3705F4634DC3A1AC
+     created: 2016-04-06  expires: never       usage: SC  
+     trust: ultimate      validity: ultimate
+ssb  rsa2048/D6CFDF18724163BB
+     created: 2016-04-06  expires: never       usage: E   
+[ultimate] (1). Bret Comnes <[email protected]>
+>
+```
+
+Create a signing and encryption subkey with expiration dates
+
+```
+gpg> addkey
+Please select what kind of key you want:
+   (3) DSA (sign only)
+   (4) RSA (sign only)
+   (5) Elgamal (encrypt only)
+   (6) RSA (encrypt only)
+Your selection? 4
+RSA keys may be between 1024 and 4096 bits long.
+What keysize do you want? (2048) 
+Requested keysize is 2048 bits   
+Please specify how long the key should be valid.
+         0 = key does not expire
+      <n>  = key expires in n days
+      <n>w = key expires in n weeks
+      <n>m = key expires in n months
+      <n>y = key expires in n years
+Key is valid for? (0) 1y
+Key expires at Wed Feb 21 10:46:38 2018 PST
+Is this correct? (y/N) y
+Really create? (y/N) y  
+We need to generate a lot of random bytes. It is a good idea to perform
+some other action (type on the keyboard, move the mouse, utilize the
+disks) during the prime generation; this gives the random number
+generator a better chance to gain enough entropy.
+
+sec  rsa2048/3705F4634DC3A1AC
+     created: 2016-04-06  expires: never       usage: SC  
+     trust: ultimate      validity: ultimate
+ssb  rsa2048/D6CFDF18724163BB
+     created: 2016-04-06  expires: never       usage: E   
+ssb  rsa2048/70B0BE3A1284E39F
+     created: 2017-02-21  expires: 2018-02-21  usage: S   
+[ultimate] (1). Bret Comnes <[email protected]>
+
+gpg> addkey              
+Please select what kind of key you want:
+   (3) DSA (sign only)
+   (4) RSA (sign only)
+   (5) Elgamal (encrypt only)
+   (6) RSA (encrypt only)
+Your selection? 6
+RSA keys may be between 1024 and 4096 bits long.
+What keysize do you want? (2048) 
+Requested keysize is 2048 bits   
+Please specify how long the key should be valid.
+         0 = key does not expire
+      <n>  = key expires in n days
+      <n>w = key expires in n weeks
+      <n>m = key expires in n months
+      <n>y = key expires in n years
+Key is valid for? (0) 1y
+Key expires at Wed Feb 21 10:47:20 2018 PST
+Is this correct? (y/N) y
+Really create? (y/N) y  
+
+We need to generate a lot of random bytes. It is a good idea to perform
+some other action (type on the keyboard, move the mouse, utilize the
+disks) during the prime generation; this gives the random number
+generator a better chance to gain enough entropy.
+
+sec  rsa2048/3705F4634DC3A1AC
+     created: 2016-04-06  expires: never       usage: SC  
+     trust: ultimate      validity: ultimate
+ssb  rsa2048/D6CFDF18724163BB
+     created: 2016-04-06  expires: never       usage: E   
+ssb  rsa2048/70B0BE3A1284E39F
+     created: 2017-02-21  expires: 2018-02-21  usage: S   
+ssb  rsa2048/4BE4221F87387C35
+     created: 2017-02-21  expires: 2018-02-21  usage: E   
+[ultimate] (1). Bret Comnes <[email protected]>
+
+```
+
+SAVE YOUR KEY
+
+```
+gpg> save
+$ gpg2 --list-keys
+/Users/bret/.gnupg/pubring.kbx
+------------------------------
+pub   rsa2048 2016-04-06 [SC]
+      FDA5889C6500AC85C60486F53705F4634DC3A1AC
+uid           [ultimate] Bret Comnes <[email protected]>
+sub   rsa2048 2016-04-06 [E]
+sub   rsa2048 2017-02-21 [S] [expires: 2018-02-21]
+sub   rsa2048 2017-02-21 [E] [expires: 2018-02-21]
+```
+
+You should now see your keys.
+
+Create a copy of your ~/.gnupg folder:
+
+```
+cp ~/.gnupg ~/Downloads/subkeys
+```
+
+Figure out which keys you dont wan't on the other system:
+
+```
+gpg2 --with-keygrip --list-key FDA5889C6500AC85C60486F53705F4634DC3A1AC
+pub   rsa2048 2016-04-06 [SC]
+      FDA5889C6500AC85C60486F53705F4634DC3A1AC
+      Keygrip = ****************************************
+uid           [ultimate] Bret Comnes <[email protected]>
+sub   rsa2048 2016-04-06 [E]
+      Keygrip = ****************************************
+sub   rsa2048 2017-02-21 [S] [expires: 2018-02-21]
+      Keygrip = ****************************************
+sub   rsa2048 2017-02-21 [E] [expires: 2018-02-21]
+      Keygrip = ****************************************
+```
+
+where `****************************************` coresponds to file names in the ~/.gnupg/private-keys-v1.d folder.
+
+Delete the master signing key and master encryption subkey that don't expire in the copy you just made to your downloads folder.  Zip/ecnrypt up the copied folder into an archive, and securly move it to a new host.
+
+```
+$ zip -er subkeys-only.zip ~/Downloads/subkeys
+```
+
+Extract the contents to the hosts's ~/.gnupg folder and fix any agent config settings specific to that host, like pinentry-mac or whatever.
+
+GPG will not save us.
diff --git a/git-gpg.md b/git-gpg.md
@@ -18,7 +18,7 @@
 	pinentry-program /usr/local/bin/pinentry-mac
 	```
 
-5. Tell git about it: https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work
+5. Tell git about it: https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work.  Here is my git gpg config: https://github.com/bcomnes/.dotfiles/blob/master/configs/gitconfig.d/gpg
 
 	```
 	$ gpg2 --list-keys

diff --git a/git-gpg.md b/git-gpg.md
@@ -64,5 +64,5 @@ Other considerations:
 - Store your passwords in your system keychain. Pinentry-mac provides this for you.  This is a good bet, as it will help you use gpg seamlessly in your workflow every day, and help prevent you from losing your gpg password.  You're probably not edward snowden so the security implications are not a threat to your situation.  You can always harden your arrangements as your needs for super duper security grows.  Taking steps to use gpg every day is a massive improvement over what you were likely not doing before.
 -  https://gist.github.com/bmhatfield/cc21ec0a3a2df963bffa3c1f884b676b
 -  https://alexcabal.com/creating-the-perfect-gpg-keypair/ <-- good background, but outdated, complicated and overly paranoid for starting out.  
--  Pick a primary system, laptop or not.  Use a password manager for the gory details and harddrive encryption to cover your butt if your system gets stolen.  Macs are a great option for this because they have FDE and 1Password.  Generate master keypair taking the default setup on this primary system.  Subkey out to other systems and devices.  Back up your revocation cert.  Remember to migrate your master key when you replace your primary system.
+-  Pick a primary system, laptop or not.  Use a password manager for the gory details and harddrive encryption to cover your butt if your system gets stolen.  Macs are a great option for this because they have FDE and 1Password.  Generate master keypair taking the default setup on this primary system.  Subkey out to other systems and devices.  Back up your revocation cert.  Remember to migrate your master key when you replace your primary system.  This is a poorly documented process, so if you do go down this path eventually, write down what you did and leave a breadcrumb in the comment for others to learn :+1:
 -  https://www.gnupg.org/gph/en/manual.html
diff --git a/git-gpg.md b/git-gpg.md
@@ -61,8 +61,8 @@
 
 Other considerations:
 
-- store your passwords in your system keychain. pinentry-mac provides this for you.  This is a good bet, as it will help you use gpg seamlessly in your workflow every day, and help prevent you from losing your gpg password.  You're probably not edward snowden so the security implications are not a threat to your situation.  You can always harden your arrangements as your needs for super duper security grows.
+- Store your passwords in your system keychain. Pinentry-mac provides this for you.  This is a good bet, as it will help you use gpg seamlessly in your workflow every day, and help prevent you from losing your gpg password.  You're probably not edward snowden so the security implications are not a threat to your situation.  You can always harden your arrangements as your needs for super duper security grows.  Taking steps to use gpg every day is a massive improvement over what you were likely not doing before.
 -  https://gist.github.com/bmhatfield/cc21ec0a3a2df963bffa3c1f884b676b
--  https://alexcabal.com/creating-the-perfect-gpg-keypair/ <-- good background, but outdated and overly paranoid.  
+-  https://alexcabal.com/creating-the-perfect-gpg-keypair/ <-- good background, but outdated, complicated and overly paranoid for starting out.  
 -  Pick a primary system, laptop or not.  Use a password manager for the gory details and harddrive encryption to cover your butt if your system gets stolen.  Macs are a great option for this because they have FDE and 1Password.  Generate master keypair taking the default setup on this primary system.  Subkey out to other systems and devices.  Back up your revocation cert.  Remember to migrate your master key when you replace your primary system.
 -  https://www.gnupg.org/gph/en/manual.html
diff --git a/git-gpg.md b/git-gpg.md
@@ -61,7 +61,7 @@
 
 Other considerations:
 
-- store your passwords in your system keychain. pinentry-mac provides this for you.  This is a good bet, as it will help you use gpg seamlessly in your workflow every day, and help prevent you from losing your gpg password.  You're probably not edward snowden so the security implications are not a threat to your situation.
+- store your passwords in your system keychain. pinentry-mac provides this for you.  This is a good bet, as it will help you use gpg seamlessly in your workflow every day, and help prevent you from losing your gpg password.  You're probably not edward snowden so the security implications are not a threat to your situation.  You can always harden your arrangements as your needs for super duper security grows.
 -  https://gist.github.com/bmhatfield/cc21ec0a3a2df963bffa3c1f884b676b
 -  https://alexcabal.com/creating-the-perfect-gpg-keypair/ <-- good background, but outdated and overly paranoid.  
 -  Pick a primary system, laptop or not.  Use a password manager for the gory details and harddrive encryption to cover your butt if your system gets stolen.  Macs are a great option for this because they have FDE and 1Password.  Generate master keypair taking the default setup on this primary system.  Subkey out to other systems and devices.  Back up your revocation cert.  Remember to migrate your master key when you replace your primary system.

diff --git a/git-gpg.md b/git-gpg.md
@@ -61,7 +61,7 @@
 
 Other considerations:
 
-- store your passwords in your system keychain. pinentry-mac provides this for you.  you're probably not edward snowden.
+- store your passwords in your system keychain. pinentry-mac provides this for you.  This is a good bet, as it will help you use gpg seamlessly in your workflow every day, and help prevent you from losing your gpg password.  You're probably not edward snowden so the security implications are not a threat to your situation.
 -  https://gist.github.com/bmhatfield/cc21ec0a3a2df963bffa3c1f884b676b
 -  https://alexcabal.com/creating-the-perfect-gpg-keypair/ <-- good background, but outdated and overly paranoid.  
 -  Pick a primary system, laptop or not.  Use a password manager for the gory details and harddrive encryption to cover your butt if your system gets stolen.  Macs are a great option for this because they have FDE and 1Password.  Generate master keypair taking the default setup on this primary system.  Subkey out to other systems and devices.  Back up your revocation cert.  Remember to migrate your master key when you replace your primary system.

diff --git a/git-gpg.md b/git-gpg.md
@@ -59,7 +59,7 @@
 	```
 
 
-You may also read:
+Other considerations:
 
 - store your passwords in your system keychain. pinentry-mac provides this for you.  you're probably not edward snowden.
 -  https://gist.github.com/bmhatfield/cc21ec0a3a2df963bffa3c1f884b676b

diff --git a/git-gpg.md b/git-gpg.md
@@ -1,6 +1,6 @@
 
 1. `brew install gnupg21, pinentry-mac`  (this includes gpg-agent and pinentry)
-2. Generate a key: `$ gpg --gen-key`
+2. Generate a key: `$ gpg2 --gen-key`
 3. Take the defaults.  Whatevs
 4. Tell gpg-agent to use pinentry-mac:
 

diff --git a/git-gpg.md b/git-gpg.md
@@ -61,7 +61,7 @@
 
 You may also read:
 
-- store your passwords in your system keychain. pinentry-mac provides this for you.  you're not edward snowden.
+- store your passwords in your system keychain. pinentry-mac provides this for you.  you're probably not edward snowden.
 -  https://gist.github.com/bmhatfield/cc21ec0a3a2df963bffa3c1f884b676b
 -  https://alexcabal.com/creating-the-perfect-gpg-keypair/ <-- good background, but outdated and overly paranoid.  
 -  Pick a primary system, laptop or not.  Use a password manager for the gory details and harddrive encryption to cover your butt if your system gets stolen.  Macs are a great option for this because they have FDE and 1Password.  Generate master keypair taking the default setup on this primary system.  Subkey out to other systems and devices.  Back up your revocation cert.  Remember to migrate your master key when you replace your primary system.

diff --git a/git-gpg.md b/git-gpg.md
@@ -61,7 +61,7 @@
 
 You may also read:
 
-- store your passwords in your system keychain. pinentry-mac provides this for you.  you're not edward snowded.
+- store your passwords in your system keychain. pinentry-mac provides this for you.  you're not edward snowden.
 -  https://gist.github.com/bmhatfield/cc21ec0a3a2df963bffa3c1f884b676b
 -  https://alexcabal.com/creating-the-perfect-gpg-keypair/ <-- good background, but outdated and overly paranoid.  
 -  Pick a primary system, laptop or not.  Use a password manager for the gory details and harddrive encryption to cover your butt if your system gets stolen.  Macs are a great option for this because they have FDE and 1Password.  Generate master keypair taking the default setup on this primary system.  Subkey out to other systems and devices.  Back up your revocation cert.  Remember to migrate your master key when you replace your primary system.

diff --git a/git-gpg.md b/git-gpg.md
@@ -52,6 +52,11 @@
 		gpgsign = true
 	```
 	- https://twitter.com/uhhyeahbret/status/719956230609829890
+	
+	or
+	```
+	$ git config --global commit.gpgsign true
+	```
 
 
 You may also read:

diff --git a/git-gpg.md b/git-gpg.md
@@ -45,7 +45,7 @@
 	$ git commit -S -m 'yolo'
 	```
 
-10. Consider signing all your commits: 
+10. Consider signing all your commits.  In `~/.gitconfig`: 
 
 	```
 	[commit]

diff --git a/git-gpg.md b/git-gpg.md
@@ -60,3 +60,4 @@ You may also read:
 -  https://gist.github.com/bmhatfield/cc21ec0a3a2df963bffa3c1f884b676b
 -  https://alexcabal.com/creating-the-perfect-gpg-keypair/ <-- good background, but outdated and overly paranoid.  
 -  Pick a primary system, laptop or not.  Use a password manager for the gory details and harddrive encryption to cover your butt if your system gets stolen.  Macs are a great option for this because they have FDE and 1Password.  Generate master keypair taking the default setup on this primary system.  Subkey out to other systems and devices.  Back up your revocation cert.  Remember to migrate your master key when you replace your primary system.
+-  https://www.gnupg.org/gph/en/manual.html
diff --git a/git-gpg.md b/git-gpg.md
@@ -51,6 +51,7 @@
 	[commit]
 		gpgsign = true
 	```
+	- https://twitter.com/uhhyeahbret/status/719956230609829890
 
 
 You may also read:

diff --git a/git-gpg.md b/git-gpg.md
@@ -45,11 +45,9 @@
 	$ git commit -S -m 'yolo'
 	```
 
-10. Consider setting the following settings: 
+10. Consider signing all your commits: 
 
 	```
-	[gpg]
-		program = gpg2
 	[commit]
 		gpgsign = true
 	```

diff --git a/git-gpg.md b/git-gpg.md
@@ -8,7 +8,7 @@
 	$ vim ~/.gnupg/gpg-agent.conf 
 	```
 
-paste in
+	paste in
 
 	```
 	# Connects gpg-agent to the OSX keychain via the brew-installed$

diff --git a/git-gpg.md b/git-gpg.md
@@ -4,55 +4,55 @@
 3. Take the defaults.  Whatevs
 4. Tell gpg-agent to use pinentry-mac:
 
-```
-$ vim ~/.gnupg/gpg-agent.conf 
-```
+	```
+	$ vim ~/.gnupg/gpg-agent.conf 
+	```
 
 paste in
 
-```
-# Connects gpg-agent to the OSX keychain via the brew-installed$
-# pinentry program from GPGtools. This is the OSX 'magic sauce',$
-# allowing the gpg key's passphrase to be stored in the login$
-# keychain, enabling automatic key signing.$
-pinentry-program /usr/local/bin/pinentry-mac
-```
+	```
+	# Connects gpg-agent to the OSX keychain via the brew-installed$
+	# pinentry program from GPGtools. This is the OSX 'magic sauce',$
+	# allowing the gpg key's passphrase to be stored in the login$
+	# keychain, enabling automatic key signing.$
+	pinentry-program /usr/local/bin/pinentry-mac
+	```
 
 5. Tell git about it: https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work
 
-```
-$ gpg2 --list-keys
-/Users/schacon/.gnupg/pubring.gpg
----------------------------------
-pub   2048R/0A46826A 2014-06-04
-uid                  Scott Chacon (Git signing key) &lt;[email protected]&gt;
-sub   2048R/874529A9 2014-06-04
-
-$ git config --global user.signingkey 0A46826A
-```
+	```
+	$ gpg2 --list-keys
+	/Users/schacon/.gnupg/pubring.gpg
+	---------------------------------
+	pub   2048R/0A46826A 2014-06-04
+	uid                  Scott Chacon (Git signing key) &lt;[email protected]&gt;
+	sub   2048R/874529A9 2014-06-04
+	
+	$ git config --global user.signingkey 0A46826A
+	```
 
 6. Tell git that you are using gpg2 like a boss
 
-```
-$ git config --global gpg.program gpg2
-```
+	```
+	$ git config --global gpg.program gpg2
+	```
 
 7. Tell github about it https://help.github.com/articles/adding-a-new-gpg-key-to-your-github-account/
 8. Restart maybe or kill any running gpg-agents.  They will not work.
 9. Sign your commits
 
-```
-$ git commit -S -m 'yolo'
-```
+	```
+	$ git commit -S -m 'yolo'
+	```
 
 10. Consider setting the following settings: 
 
-```
-[gpg]
-	program = gpg2
-[commit]
-	gpgsign = true
-```
+	```
+	[gpg]
+		program = gpg2
+	[commit]
+		gpgsign = true
+	```
 
 
 You may also read:

diff --git a/git-gpg.md b/git-gpg.md
@@ -45,6 +45,15 @@ $ git config --global gpg.program gpg2
 $ git commit -S -m 'yolo'
 ```
 
+10. Consider setting the following settings: 
+
+```
+[gpg]
+	program = gpg2
+[commit]
+	gpgsign = true
+```
+
 
 You may also read:
 

diff --git a/git-gpg.md b/git-gpg.md
@@ -21,7 +21,7 @@ pinentry-program /usr/local/bin/pinentry-mac
 5. Tell git about it: https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work
 
 ```
-$ gpg --list-keys
+$ gpg2 --list-keys
 /Users/schacon/.gnupg/pubring.gpg
 ---------------------------------
 pub   2048R/0A46826A 2014-06-04

diff --git a/README.md → git-gpg.md b/README.md → git-gpg.md
diff --git a/README.md b/README.md
@@ -51,4 +51,4 @@ You may also read:
 - store your passwords in your system keychain. pinentry-mac provides this for you.  you're not edward snowded.
 -  https://gist.github.com/bmhatfield/cc21ec0a3a2df963bffa3c1f884b676b
 -  https://alexcabal.com/creating-the-perfect-gpg-keypair/ <-- good background, but outdated and overly paranoid.  
--  Pick a primary system, laptop or not.  Use a password manager for the gory detauls and harddrive encryption to cover your butt if your system gets stolen.  Macs are a great option for this because they have FDE and 1Password.  Generate master keypair taking the default setup on this primary system.  Subkey out to other systems and devices.  Back up your revocation cert.  Remember to migrate your master key when you replace your primary system.
+-  Pick a primary system, laptop or not.  Use a password manager for the gory details and harddrive encryption to cover your butt if your system gets stolen.  Macs are a great option for this because they have FDE and 1Password.  Generate master keypair taking the default setup on this primary system.  Subkey out to other systems and devices.  Back up your revocation cert.  Remember to migrate your master key when you replace your primary system.
diff --git a/README.md b/README.md
@@ -48,7 +48,7 @@ $ git commit -S -m 'yolo'
 
 You may also read:
 
-- store your passwords in your system keychain. pinentry-mac provides this for you.  youre not edward snowded.
+- store your passwords in your system keychain. pinentry-mac provides this for you.  you're not edward snowded.
 -  https://gist.github.com/bmhatfield/cc21ec0a3a2df963bffa3c1f884b676b
 -  https://alexcabal.com/creating-the-perfect-gpg-keypair/ <-- good background, but outdated and overly paranoid.  
--  Pick a primary system laptop or not.  Use a password manager and harddrive encryption.  Macs are a great option for this.  Generate master keypair taking the default setup on this primary system.  Subkey out to other systems and devices.  Back up your revocation cert.
+-  Pick a primary system, laptop or not.  Use a password manager for the gory detauls and harddrive encryption to cover your butt if your system gets stolen.  Macs are a great option for this because they have FDE and 1Password.  Generate master keypair taking the default setup on this primary system.  Subkey out to other systems and devices.  Back up your revocation cert.  Remember to migrate your master key when you replace your primary system.
diff --git a/README.md b/README.md
@@ -48,7 +48,7 @@ $ git commit -S -m 'yolo'
 
 You may also read:
 
-- store your passwords in your system keychain. pinentry-mac provides this for you.  your not edward snowded.
+- store your passwords in your system keychain. pinentry-mac provides this for you.  youre not edward snowded.
 -  https://gist.github.com/bmhatfield/cc21ec0a3a2df963bffa3c1f884b676b
 -  https://alexcabal.com/creating-the-perfect-gpg-keypair/ <-- good background, but outdated and overly paranoid.  
 -  Pick a primary system laptop or not.  Use a password manager and harddrive encryption.  Macs are a great option for this.  Generate master keypair taking the default setup on this primary system.  Subkey out to other systems and devices.  Back up your revocation cert.
diff --git a/README.md b/README.md
@@ -18,7 +18,7 @@ paste in
 pinentry-program /usr/local/bin/pinentry-mac
 ```
 
-5. Tell github about it: https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work
+5. Tell git about it: https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work
 
 ```
 $ gpg --list-keys
@@ -37,7 +37,7 @@ $ git config --global user.signingkey 0A46826A
 $ git config --global gpg.program gpg2
 ```
 
-7. Tell git about it https://help.github.com/articles/adding-a-new-gpg-key-to-your-github-account/
+7. Tell github about it https://help.github.com/articles/adding-a-new-gpg-key-to-your-github-account/
 8. Restart maybe or kill any running gpg-agents.  They will not work.
 9. Sign your commits
 

diff --git a/README.md b/README.md
@@ -18,7 +18,7 @@ paste in
 pinentry-program /usr/local/bin/pinentry-mac
 ```
 
-5. Tell git about it: https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work
+5. Tell github about it: https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work
 
 ```
 $ gpg --list-keys

diff --git a/README.md b/README.md
@@ -2,7 +2,23 @@
 1. `brew install gnupg21, pinentry-mac`  (this includes gpg-agent and pinentry)
 2. Generate a key: `$ gpg --gen-key`
 3. Take the defaults.  Whatevs
-4. Tell git about it: https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work
+4. Tell gpg-agent to use pinentry-mac:
+
+```
+$ vim ~/.gnupg/gpg-agent.conf 
+```
+
+paste in
+
+```
+# Connects gpg-agent to the OSX keychain via the brew-installed$
+# pinentry program from GPGtools. This is the OSX 'magic sauce',$
+# allowing the gpg key's passphrase to be stored in the login$
+# keychain, enabling automatic key signing.$
+pinentry-program /usr/local/bin/pinentry-mac
+```
+
+5. Tell git about it: https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work
 
 ```
 $ gpg --list-keys
@@ -15,15 +31,15 @@ sub   2048R/874529A9 2014-06-04
 $ git config --global user.signingkey 0A46826A
 ```
 
-5. Tell git that you are using gpg2 like a boss
+6. Tell git that you are using gpg2 like a boss
 
 ```
 $ git config --global gpg.program gpg2
 ```
 
-6. Tell git about it https://help.github.com/articles/adding-a-new-gpg-key-to-your-github-account/
-7. Restart maybe or kill any running gpg-agents.  They will not work.
-8. Sign your commits
+7. Tell git about it https://help.github.com/articles/adding-a-new-gpg-key-to-your-github-account/
+8. Restart maybe or kill any running gpg-agents.  They will not work.
+9. Sign your commits
 
 ```
 $ git commit -S -m 'yolo'
@@ -32,6 +48,7 @@ $ git commit -S -m 'yolo'
 
 You may also read:
 
+- store your passwords in your system keychain. pinentry-mac provides this for you.  your not edward snowded.
 -  https://gist.github.com/bmhatfield/cc21ec0a3a2df963bffa3c1f884b676b
 -  https://alexcabal.com/creating-the-perfect-gpg-keypair/ <-- good background, but outdated and overly paranoid.  
 -  Pick a primary system laptop or not.  Use a password manager and harddrive encryption.  Macs are a great option for this.  Generate master keypair taking the default setup on this primary system.  Subkey out to other systems and devices.  Back up your revocation cert.
diff --git a/README.md b/README.md
@@ -1,6 +1,6 @@
 
 1. `brew install gnupg21, pinentry-mac`  (this includes gpg-agent and pinentry)
-2. Generate a key: $ gpg --gen-key
+2. Generate a key: `$ gpg --gen-key`
 3. Take the defaults.  Whatevs
 4. Tell git about it: https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work