My personalized dotfiles and configs for Windows 10 ⚙️
GPG keys are used to sign tags and commits with git, which in turn marks the commits as verified on GitHub so others can be confident that the changes come from a trusted source.
I use three GPG keys, one for each email address:

- jimmy.briggs@jimbrig.com
- jimbrig2011@outlook.com
- jimbrig2011@gmail.com

All three public keys have been copied into my GitHub GPG Key Settings.
Download and install the GPG command line tools for your operating system. On Windows, you can use the built-in `gpg.exe` that comes with Git, or download gpg4win or GnuPG. The `gpg.exe` is located under `usr/bin` within your Git installation folder (i.e. `Program Files\Git`).
- `winget`, `chocolatey`, `scoop`
- OR the `gpg` that came natively with git-for-windows: `%programfiles%\Git\usr\bin\gpg.exe`

```powershell
# install gpg4win - pick a method below:
winget install gpg4win
cinst gpg4win -y
scoop install gpg4win
```
To generate a new GPG key run:

```powershell
gpg --full-generate-key
# RSA, 4096 bits, No Expiration, etc.
```
I use GitKraken and my associated Git Profiles to generate the keys, but to generate them using `gpg` directly run:

```powershell
gpg --full-generate-key
# or
gpg --default-new-key-algo rsa4096 --gen-key
```

which will prompt you for further details; select `RSA` as the type of key.

Note: When asked to enter your email address, ensure that you enter the verified email address for your GitHub account. To keep your email address private, use your GitHub-provided `no-reply` email address. For more information, see "Verifying your email address" and "Setting your commit email address."
Next, list the keys via `gpg --list-secret-keys --keyid-format LONG` and copy the ID of the key you want to use, then run `gpg --armor --export <keyid> | Write-Output | clip` to output the key's text to your clipboard. Navigate to https://github.com/settings/keys and add the key to your GitHub account.

```powershell
gpg --full-generate-key
# RSA, 4096, 2 years, email address(s)
gpg --list-secret-keys --keyid-format LONG
# copy ID
gpg --armor --export <copied ID> | Write-Output | clip
# add to GitHub
start https://github.com/settings/keys
```
To list your keys run:

```powershell
gpg --list-secret-keys --keyid-format=long
```

This will output your keys: the first line is the path to the `pubring.kbx` keyring file, followed by one `sec rsa4096/<ID>` line per secret key, where `<ID>` is the long key ID to copy.

```powershell
# copy a key's ID then run
gpg --armor --export <ID>
# Prints the public key in ASCII armor format
# to copy to clipboard and upload to github run:
gpg --armor --export <ID> | clip
start https://github.com/settings/keys
```
Adjust your git configuration to include your new GPG key signatures on commits:

```powershell
git config --global user.signingKey "<long ID>"
git config --global gpg.program "C:\\Program Files\\Git\\usr\\bin\\gpg.exe"
git config --global commit.gpgSign true
git config --global tag.forceSignAnnotated true
```
Resulting `.gitconfig`:

```ini
[user]
    name = Jimmy Briggs
    email = jimmy.briggs@jimbrig.com
    signingKey = <REDACTED>
[core]
    longpaths = true
[gpg]
    program = C:\\Program Files\\Git\\usr\\bin\\gpg.exe
[commit]
    gpgSign = true
[tag]
    forceSignAnnotated = true
```
```bash
# for separate windows installation:
$ git config --global gpg.program "/c/Program Files (x86)/GnuPG/bin/gpg.exe"
# for git's included gpg executable:
$ git config --global gpg.program "/c/Program Files/Git/usr/bin/gpg.exe"
```
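The steps above (list the secret keys, copy the long ID, write the four `git config` settings) can be scripted, and the missing piece is a check that a commit actually verifies afterwards. This is an added PowerShell example, not code from these dotfiles: `Get-GpgKeyIdForEmail` reads gpg's `--with-colons` listing instead of copying the ID by hand, `Set-GitSigningConfig` writes the same settings as the `.gitconfig` above, and `Test-GitSigningConfig` makes one commit in a throw-away repo and runs `git verify-commit` on it. The function names are my own; it assumes `gpg.exe` and `git.exe` are on `PATH`.

```powershell
# Added example, not from the original dotfiles: find the long key ID for an
# e-mail address, write the git signing settings, then prove a commit verifies.
# Assumes gpg.exe and git.exe are on PATH; the e-mail used at the bottom is one
# of the addresses listed earlier on this page.

function Get-GpgKeyIdForEmail {
    param([Parameter(Mandatory)][string]$Email)
    # --with-colons is gpg's machine-readable listing: field 1 is the record
    # type, field 5 the long (16 hex digit) key ID, field 10 the user ID text.
    $currentKeyId = $null
    foreach ($line in (& gpg --list-secret-keys --with-colons)) {
        $f = $line -split ':'
        switch ($f[0]) {
            'sec' { $currentKeyId = $f[4] }
            'uid' {
                if ($currentKeyId -and $f[9] -like "*<$Email>*") { return $currentKeyId }
            }
        }
    }
    throw "no secret key with a <$Email> user ID was found"
}

function Set-GitSigningConfig {
    param(
        [Parameter(Mandatory)][string]$KeyId,
        # git's bundled gpg, the same path used in the .gitconfig above
        [string]$GpgProgram = "$env:ProgramFiles\Git\usr\bin\gpg.exe"
    )
    git config --global user.signingKey $KeyId
    git config --global gpg.program $GpgProgram
    git config --global commit.gpgSign true
    git config --global tag.forceSignAnnotated true
}

function Test-GitSigningConfig {
    # Make one commit in a throw-away repo and let git check its signature
    # against the configured key; returns $true only if verification passes.
    $repo = Join-Path ([IO.Path]::GetTempPath()) ("gpg-sign-test-" + [guid]::NewGuid())
    New-Item -ItemType Directory -Path $repo | Out-Null
    Push-Location $repo
    try {
        git init -q
        Set-Content -Path README.md -Value 'signing test'
        git add README.md
        # commit.gpgSign = true makes this prompt for the key's passphrase
        git commit -q -m 'signed test commit'
        # verify-commit exits non-zero if the commit is unsigned or the signature is bad
        git verify-commit HEAD 2>&1 | Out-Null
        return ($LASTEXITCODE -eq 0)
    }
    finally {
        Pop-Location
        Remove-Item -Recurse -Force $repo
    }
}

$keyId = Get-GpgKeyIdForEmail -Email 'jimmy.briggs@jimbrig.com'
Set-GitSigningConfig -KeyId $keyId
if (Test-GitSigningConfig) { "commits are signed with $keyId and verify" }
else { "signature verification failed - check gpg.program and the key's passphrase" }
```

`git verify-commit` uses the same `gpg.program` that signing does, so a failure here usually means git found a different `gpg.exe` than the one holding the key (the gpg4win keyring and the git-for-windows keyring are separate `.gnupg` directories) rather than a problem with the key itself.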
Note that git now also comes with `gpg2.exe`, which can make things easier; see the StackOverflow post on this for details.
Here I will compress a `.zip` archive of the entire `~/.gnupg` folder for restoration:

```powershell
Compress-Archive $HOME\.gnupg $HOME\OneDrive\Backups\Keys\gnupg_backup_yyyymmdd.zip
```

Then on the new computer:

```powershell
Expand-Archive $HOME\OneDrive\Backups\Keys\gnupg_backup_yyyymmdd.zip $HOME
```
Now all you need to do is ensure you have Git and GPG installed and your `.gitconfig` is in sync with the keys restored from OneDrive.
Another way to move your gpg keys from one machine to another is to export the keys on the source machine, and then import the keys on the target computer.

To export all public keys to a base64-encoded text file run:

```powershell
gpg -a --export > publickeys.asc
```

To export all encrypted private keys (which will also include corresponding public keys) to a text file, run:

```powershell
gpg -a --export-secret-keys > privatekeys.asc
```

Optionally, to export the GPG trustdb to a text file, run:

```powershell
gpg --export-ownertrust > otrust.txt
```
Then transfer those files to a place the new machine can access, such as the cloud.

Simply execute `gpg --import` against the two `.asc` exports created above and check via `gpg -k` and `gpg -K`:

```powershell
gpg --import privatekeys.asc
gpg --import publickeys.asc
gpg -k
gpg -K
```

Optionally import the trustdb file as well:

```powershell
gpg --import-ownertrust otrust.txt
```
As the new user, test encryption and decryption with the `gpg -er <USERID>` and `gpg -d` commands.

Keep in mind that decryption and signing will likely fail unless the user running `gpg` owns the terminal it is running on (Translation: don't `su` over to the new user; login directly via `ssh` or console).
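The two approaches above (zipping `~/.gnupg`, or exporting public keys, secret keys and ownertrust separately) are combined here into one added PowerShell example; this is my own code, not part of the original notes or the linked article. `Export-GpgBackup` writes the three export files into a dated zip under the same OneDrive folder used earlier, and `Import-GpgBackup` restores from that zip in the order the text gives (secret keys, public keys, ownertrust). The function names, the `gpg-export-<date>` staging folder and the `gnupg_export_<date>.zip` file name are my choices; it assumes `gpg.exe` is on `PATH`.

```powershell
# Added example, not from the original dotfiles: export keys + ownertrust to one
# dated zip, and restore from it on a new machine. Assumes gpg.exe is on PATH.

function Export-GpgBackup {
    param([string]$BackupDir = "$HOME\OneDrive\Backups\Keys")

    $stamp   = Get-Date -Format 'yyyyMMdd'
    $staging = Join-Path ([IO.Path]::GetTempPath()) "gpg-export-$stamp"
    New-Item -ItemType Directory -Force -Path $staging, $BackupDir | Out-Null
    try {
        # -a / --armor writes ASCII text; -o writes straight to the file so the
        # armor is not re-encoded by PowerShell's redirection (which is UTF-16).
        gpg -a --export             -o (Join-Path $staging 'publickeys.asc')
        # The secret export stays protected by each key's passphrase; gpg prompts for it.
        gpg -a --export-secret-keys -o (Join-Path $staging 'privatekeys.asc')
        # --export-ownertrust only prints to stdout, so capture the lines and
        # write them as plain ASCII with LF endings.
        $trust = (& gpg --export-ownertrust) -join "`n"
        [IO.File]::WriteAllText((Join-Path $staging 'otrust.txt'), $trust + "`n", [Text.Encoding]::ASCII)

        # Refuse to produce a zip that is missing any of the three files.
        foreach ($name in 'publickeys.asc', 'privatekeys.asc', 'otrust.txt') {
            $file = Get-Item (Join-Path $staging $name) -ErrorAction Stop
            if ($file.Length -eq 0) { throw "$name is empty; export failed" }
        }

        $zip = Join-Path $BackupDir "gnupg_export_$stamp.zip"
        Compress-Archive -Path "$staging\*" -DestinationPath $zip -Force
        return $zip
    }
    finally {
        # Never leave the plaintext exports lying around in %TEMP%.
        Remove-Item -Recurse -Force $staging -ErrorAction SilentlyContinue
    }
}

function Import-GpgBackup {
    param([Parameter(Mandatory)][string]$ZipPath)

    $staging = Join-Path ([IO.Path]::GetTempPath()) ("gpg-import-" + [guid]::NewGuid())
    Expand-Archive -Path $ZipPath -DestinationPath $staging
    try {
        # Same order as the manual steps: secret keys, public keys, then trust.
        gpg --import           (Join-Path $staging 'privatekeys.asc')
        gpg --import           (Join-Path $staging 'publickeys.asc')
        gpg --import-ownertrust (Join-Path $staging 'otrust.txt')
        # Show the restored secret keys with long IDs for the .gitconfig.
        gpg --list-secret-keys --keyid-format=long
    }
    finally {
        Remove-Item -Recurse -Force $staging -ErrorAction SilentlyContinue
    }
}

# On the old machine:
$zip = Export-GpgBackup
"backup written to $zip"
# On the new machine, once the zip has synced:
# Import-GpgBackup -ZipPath "$HOME\OneDrive\Backups\Keys\gnupg_export_yyyyMMdd.zip"
```

The zip contains the private keys protected only by their passphrases, so it should be treated like the `.gnupg` folder itself and kept in an encrypted location rather than a plain shared folder. Importing `otrust.txt` is what restores the trust levels (your own keys as ultimate); without it `gpg -K` lists the restored keys but warns that they are not trusted.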
[How to Backup and Restore Your GPG Key | Risan Bagja Pradana](https://risanb.com/code/backup-restore-gpg-key/)