@tcely
Last active February 14, 2025 09:12
Useful GPG commands for GitHub

Using GitHub & GPG together

Fetching GPG keys

Any GitHub user account can have GPG keys attached to it, and those keys are used for signed commits. To verify such signatures locally, the gpg binary that git runs (its gpg.program) needs the matching public key in its keyring.

To fetch them, just use a URL such as this: https://github.com/<ACCOUNT>.gpg

Website commits

When you create commits with the website editor, they are signed with a key that GitHub holds (its web-flow key), rather than with the private key that the user is expected to keep to themselves.

You can retrieve that key from the GPG key servers with:

```sh
gpg2 --recv-keys B5690EEEBB952194
```

Afterwards, you can display that key's information.

```
$ gpg2 -k 'GitHub <noreply@github.com>'
pub   rsa4096 2024-01-16 [SC]
      968479A1AFF927E37D1A566BB5690EEEBB952194
uid           [ unknown] GitHub <noreply@github.com>
```
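The two steps above (fetching an account's published keys, and receiving the web-flow key by its 64-bit key id) can be combined with a fingerprint check, so that the key id alone is never what you trust. The script below is an added example, not part of the gist; it assumes GnuPG 2.x (`--with-colons`, `--import-options show-only`) and curl, and the fingerprint and key id are the ones from the `gpg2 -k` output above. The `--with-colons` sample embedded at the end is constructed so the parser can be exercised offline.

```sh
#!/usr/bin/env sh
# Added example (not from the gist): fetch the GitHub web-flow key and the keys an
# account publishes, but only rely on the web-flow key if its full fingerprint matches.
# A 64-bit key id such as B5690EEEBB952194 is not collision resistant; the 160-bit
# fingerprint is what to pin. Values below come from the gpg2 -k output in the gist.
KEYID='B5690EEEBB952194'
EXPECTED_FPR='968479A1AFF927E37D1A566BB5690EEEBB952194'

# Read `gpg --with-colons` records on stdin and print primary-key fingerprints only
# (the fpr record that directly follows a pub record; subkey fpr records are skipped).
primary_fingerprints() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "fpr" && want { print $10; want = 0; next }
             { want = 0 }'
}

# Succeed only if a key with exactly fingerprint $1 is in the local keyring.
have_pinned_key() {
    gpg2 --batch --with-colons --fingerprint -k "$1" 2>/dev/null \
        | primary_fingerprints | grep -qx "$1"
}

# Receive the web-flow key by id, then check the fingerprint before relying on it.
fetch_web_flow_key() {
    gpg2 --batch --recv-keys "$KEYID" || return 1
    if have_pinned_key "$EXPECTED_FPR"; then
        printf 'pinned: %s\n' "$EXPECTED_FPR"
    else
        printf 'fingerprint mismatch for key id %s; not trusting it\n' "$KEYID" >&2
        return 2
    fi
}

# Download the keys published for account $1 and import them. The show-only pass
# lists the bundle's contents first, so unexpected keys are visible before import.
# curl -f makes an HTTP error page fail the download instead of being fed to gpg.
import_account_keys() {
    bundle="$(mktemp)" || return 1
    if curl -fsSL "https://github.com/${1}.gpg" -o "$bundle"; then
        gpg2 --batch --import-options show-only --import "$bundle"
        gpg2 --batch --import "$bundle"
        rv=$?
    else
        rv=1
    fi
    rm -f "$bundle"
    return "$rv"
}

# Constructed sample of --with-colons output for offline testing of the parser.
# Only the pub key id and its fingerprint are real; the subkey values are made up.
SAMPLE_COLONS='pub:-:4096:1:B5690EEEBB952194:1705363200:::-:::scESC::::::23::0:
fpr:::::::::968479A1AFF927E37D1A566BB5690EEEBB952194:
uid:-::::1705363200::0000000000000000000000000000000000000000::GitHub <noreply@github.com>::::::::::0:
sub:-:4096:1:0000000000000000:1705363200::::::s::::::23:
fpr:::::::::0000000000000000000000000000000000000000:'

# Run the parser over the constructed sample; prints the primary fingerprint only.
sample_primary_fingerprint() {
    printf '%s\n' "$SAMPLE_COLONS" | primary_fingerprints
}

# Usage: sh this-script.sh run [ACCOUNT]   (ACCOUNT defaults to tcely)
if [ "${1:-}" = 'run' ]; then
    fetch_web_flow_key && import_account_keys "${2:-tcely}"
fi
```

`have_pinned_key` compares the full fingerprint with `grep -x`, so a key that merely shares the short id is rejected rather than silently imported alongside the real one.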

Unlocking GPG

The symptoms were:

```
$ gpg2 -k
gpg: Note: database_open XXXXXXXXX waiting for lock (held by PID) ...
gpg: Note: database_open XXXXXXXXX waiting for lock (held by PID) ...
gpg: Note: database_open XXXXXXXXX waiting for lock (held by PID) ...
gpg: Note: database_open XXXXXXXXX waiting for lock (held by PID) ...
gpg: Note: database_open XXXXXXXXX waiting for lock (held by PID) ...
gpg: keydb_search_first failed: Connection timed out
```
```sh
#!/usr/bin/env sh
# Wrapper to use as git's gpg.program. Signing is first attempted with the default
# program; if that reports a GNUPG FAILURE status, the signing program (okc-gpg by
# default) is used instead. Verification always goes straight to the default program.
# `git config get` needs git 2.46 or newer.
config_prog="$(git config get gpg.default.program)"
prog="${GIT_GPG_DEFAULT_PROGRAM:-${config_prog:-gpg2}}"

# Trial run: invoke the signer and discard its output, exiting 111 if a
# '[GNUPG:] FAILURE' status line appears (git passes --status-fd=2, so the status
# lines arrive on stderr). The subshell body means exit only leaves this function.
try_sign() (
    "${prog}" "$@" 2>&1 | grep -e '^\[GNUPG:\] FAILURE' >/dev/null && exit 111
)

# Real run: feed the saved stdin to the chosen program, then remove the temp file
# and propagate the program's exit status.
sign_and_clean() (
    tmpfile="${1}"
    shift
    < "${tmpfile}" "${prog}" "$@"
    rv="$?"
    rm -f "${tmpfile}"
    exit "${rv}"
)

# git invokes gpg with -bsau <keyid> when signing; anything else is a verify call.
op='verify'
for arg in "$@"
do
    case "${arg}" in
        (-bsa*) op='sign' ;;
    esac
done

if [ 'sign' = "${op}" ]
then
    # The trial run consumes stdin, so keep a copy of the data to sign.
    stdin_file="$(mktemp)"
    tee "${stdin_file}" | try_sign "$@"
    retcode="$?"
    if [ 111 -eq "${retcode}" ]; then
        # Default program could not sign: switch to the signing program.
        config_prog="$(git config get gpg.signing.program)"
        prog="${GIT_GPG_SIGN_PROGRAM:-${config_prog:-okc-gpg}}"
    fi
    sign_and_clean "${stdin_file}" "$@"
    exit
fi

exec "${prog}" "$@"
```
```sh
#!/usr/bin/env sh
# Fetch the GitHub web signing key
gpg2 --recv-keys B5690EEEBB952194
# Import the public GPG keys registered at my account
# (-f makes curl fail on an HTTP error instead of piping an error page into gpg)
curl -fsSL 'https://github.com/tcely.gpg' | \
    gpg2 --import
```
```sh
#!/usr/bin/env sh
# Based on the information found at:
# https://gist.github.com/bahadiraraz/f2fb15b07e0fce92d8d5a86ab33469f7
# Lists each lock file and asks before removing it (-okdir prompts per file).
# Only do this once no gpg or gpg-agent process that could still hold the lock is running.
find ~/.gnupg/ -name '*.lock' -ls -okdir rm -v '{}' ';'
```
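Before removing lock files it is worth knowing which of them are actually stale: a lock held by a running gpg or gpg-agent is not the cause of the symptoms above, and deleting it corrupts the keyring's locking. The script below is an added example, not part of the gist. It assumes GnuPG's dotlock layout, where the first line of a `*.lock` file holds the PID of the process that created it, right-justified in a 10-character field; the lock files it is tested against are constructed in a temporary directory.

```sh
#!/usr/bin/env sh
# Added example (not from the gist): report GnuPG lock files whose owning process is
# gone, so that only those are removed. Assumes the dotlock layout: the first line of
# a *.lock file is the creating process's PID, right-justified in 10 characters.

# Print the PID stored in lock file $1; print nothing if it is missing or not numeric.
lock_pid() {
    pid="$(head -n 1 "$1" 2>/dev/null | tr -d '[:space:]')"
    case "$pid" in
        (''|*[!0-9]*) ;;
        (*) printf '%s' "$pid" ;;
    esac
}

# Succeed if process $1 exists. /proc is checked first (Linux, Termux) with ps -p as
# the fallback. kill -0 is deliberately not used: it also fails (EPERM) for another
# user's live process, which would make a genuinely held lock look stale.
pid_alive() {
    [ -n "$1" ] || return 1
    [ -d "/proc/$1" ] || ps -p "$1" >/dev/null 2>&1
}

# Print the *.lock files under $1 that no running process owns (one per line).
# Locks whose owner is still alive are reported on stderr and left alone.
stale_locks() {
    find "$1" -name '*.lock' -type f | while IFS= read -r f; do
        pid="$(lock_pid "$f")"
        if pid_alive "$pid"; then
            printf 'live: %s (pid %s)\n' "$f" "$pid" >&2
        else
            printf '%s\n' "$f"
        fi
    done
}

# Usage: sh this-script.sh ~/.gnupg
# Only lists stale locks; review the output before removing anything.
if [ -n "${1:-}" ]; then
    stale_locks "$1"
fi
```

A lock file with an unreadable or non-numeric first line is reported as stale as well, since nothing can be shown to own it; on a home directory shared over NFS the PID belongs to the host named on the lock file's second line, so the check is only meaningful on that host.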