@Aldaviva
Last active February 8, 2025 06:09
GPG and OpenPGP reference sheet

Create a new keypair

gpg --full-generate-key
gpg --list-secret-keys --keyid-format=long

Caution

For signing Git commits on GitHub, you must generate the GPG keypair with exactly the same email address that your GitHub account uses. Otherwise, your commit signatures will be invalid, and you will need to create another keypair with the correct email address.

Export keys

Export public key

The key ID (e.g. 9089A159CD12FF20) comes from the sec line printed by gpg --list-secret-keys above. You can also use your name or email address instead.

Base64 (ASCII-armored)

Useful for uploading to GitHub, Bitbucket, or keys.openpgp.org.

gpg --export --armor 9089A159CD12FF20 > pubkey.gpg

Binary

gpg --export 9089A159CD12FF20 > pubkey.gpg

Export private key

Useful if you need to sign things with a different, non-GPG tool, like BouncyCastle.

gpg --export-secret-keys --armor 9089A159CD12FF20 > privkey.gpg

Backup keypair

gpg -o private.gpg --export-options backup --export-secret-keys you@example.com # placeholder: use your key's email address or key ID
# alternative:
# gpg --export-secret-keys --armor myname > private.gpg

Save private.gpg somewhere safe.

Restore

gpg --import-options restore --import private.gpg
gpg --edit-key you@example.com # placeholder: use your key's email address or key ID
trust
5
quit

Backup trust database

This is an alternative to manually re-trusting restored keys using gpg --edit-key.

gpg --export-ownertrust > trustdb-backup.txt

Save trustdb-backup.txt somewhere safe.

Restore trust database

rm ~/.gnupg/trustdb.gpg # deletes existing trust database before restoring the backed up one
gpg --import-ownertrust < trustdb-backup.txt
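
Before importing a trust database backup, it helps to see which keys it will mark as ultimately trusted. The script below is an added example, not part of the original gist; it assumes the FINGERPRINT:VALUE: record format written by gpg --export-ownertrust, where the stored value 6 corresponds to the 5 typed at the trust prompt, and its function names and sample file are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the original gist: review an ownertrust backup
# before running gpg --import-ownertrust on it.
# Assumed format: "#" comments plus FINGERPRINT:VALUE: records (40 hex digits).
# VALUE is the stored level, not the digit typed at the trust prompt:
# 2 undefined, 3 never, 4 marginal, 5 full, 6 ultimate (menu choice 5).

# Print "FINGERPRINT LEVEL" per record; report malformed lines and return 1.
audit_ownertrust() {
    awk -F: '
        BEGIN { name[2] = "undefined"; name[3] = "never"; name[4] = "marginal"
                name[5] = "full"; name[6] = "ultimate" }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        $1 ~ /^[0-9A-Fa-f]+$/ && length($1) == 40 && ($2 in name) {
            print toupper($1), name[$2]; next
        }
        { printf "line %d: malformed\n", NR; bad = 1 }
        END { exit bad + 0 }
    ' "$1"
}

# Print only the fingerprints the import would mark as ultimately trusted.
# Refuses (returns 1, report goes to stderr) if any line is malformed.
ultimate_keys() {
    _report=$(audit_ownertrust "$1") || { printf '%s\n' "$_report" >&2; return 1; }
    printf '%s\n' "$_report" | awk '$2 == "ultimate" { print $1 }'
}

# Constructed sample backup: the two fingerprints listed under "GitHub web
# commits" at level 6, plus a made-up key at level 5 (menu choice 4, full).
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
# List of assigned trustvalues (constructed sample)
5DE3E0509C47EA3CF04A42D34AEE18F83AFDEB23:6:
968479A1AFF927E37D1A566BB5690EEEBB952194:6:
0123456789ABCDEF0123456789ABCDEF01234567:5:
EOF

audit_ownertrust "$sample"
echo "--- would become ultimately trusted:"
ultimate_keys "$sample"
```

Run ultimate_keys trustdb-backup.txt on a real backup and compare the output with the keys you expect before importing it.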

Verify signatures

git log --show-signature
git tag -v 1.2.3

Trust other people

GitHub web commits

wget https://github.com/web-flow.gpg
gpg --import web-flow.gpg
gpg --list-keys
gpg --edit-key 5DE3E0509C47EA3CF04A42D34AEE18F83AFDEB23
trust
5 # 4 (full) is insufficient
quit
gpg --edit-key 968479A1AFF927E37D1A566BB5690EEEBB952194
trust
5
quit

APT repositories

  1. Download the repository's GPG public key file.
  2. Copy the file to /etc/apt/trusted.gpg.d/.

You may inspect the key using gpg --show-keys /etc/apt/trusted.gpg.d/*.
