Uint32
How to Quickly Set Up SSH and GPG Keys for Git and GitHub

Introduction

In this guide, you'll learn how to set up SSH and GPG keys for use with Git and GitHub. This will allow you to authenticate with GitHub securely using SSH keys, and sign your Git commits with GPG keys to prove their authenticity. By completing these steps, you'll enhance the security of your development environment and earn the "Verified" badge for your contributions on GitHub.

This guide is designed to provide clear, step-by-step instructions for developers and Git users to securely manage their GitHub authentication and commit verification.

Part 1: Setting Up SSH Keys for GitHub Authentication

SSH keys allow you to securely connect to GitHub without needing to enter your password each time you interact with repositories.

Step 1: Check for Existing SSH Keys

  • Open your terminal and run:
    ls -al ~/.ssh
    
  • If you see id_rsa or id_ed25519 (and their .pub versions), you already have SSH keys set up. If not, proceed to the next step.

Step 2: Generate a New SSH Key Pair

  • Generate a new SSH key:
    ssh-keygen -t ed25519 -C "your_email@example.com"
    
  • Replace "your_email@example.com" with your GitHub email address.
  • Press Enter to accept the default location (~/.ssh/id_ed25519) and set a passphrase.

Step 3: Start the SSH Agent

  • Start the SSH agent by running:
    eval "$(ssh-agent -s)"
    

Step 4: Add Your SSH Private Key to the SSH Agent

  • Add your SSH private key:
    ssh-add ~/.ssh/id_ed25519
    

Step 5: Add Your SSH Public Key to Your GitHub Account

Step 6: Test Your SSH Connection to GitHub

  • Test the SSH connection:
    ssh -T git@github.com
    
  • You should see: “Hi <username>! You've successfully authenticated, but GitHub does not provide shell access.”
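A check worth running once Part 1 is done, as an added example that is not part of the original guide: it audits the key directory from Step 1 for loose permissions, private keys with no .pub half, and keys stored without a passphrase. The function names and finding labels (DIR_PERMS, KEY_PERMS, NO_PUB, NO_PASSPHRASE) are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original guide): audit an SSH key directory.
# Prints one finding per line; no output means nothing was flagged.

# Group/other permission bits of a path, e.g. "------" or "r--r--".
group_other_bits() {
    ls -ld "$1" | cut -c5-10
}

audit_ssh_dir() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "NO_DIR $dir"
        return 0
    fi
    # ssh-keygen creates ~/.ssh as mode 700; flag anything looser.
    [ "$(group_other_bits "$dir")" = "------" ] ||
        echo "DIR_PERMS $dir (expected 700)"

    for key in "$dir"/id_*; do
        [ -f "$key" ] || continue            # glob matched nothing
        case $key in *.pub) continue ;; esac # public halves are not secret

        # ssh refuses private keys that group or others can access.
        [ "$(group_other_bits "$key")" = "------" ] ||
            echo "KEY_PERMS $key (expected 600)"

        # Step 5 needs the .pub half; flag private keys that lack one.
        [ -f "$key.pub" ] || echo "NO_PUB $key"

        # If ssh-keygen can derive the public key using an empty
        # passphrase, the private key is stored unencrypted.
        if command -v ssh-keygen >/dev/null 2>&1 &&
            ssh-keygen -y -P "" -f "$key" </dev/null >/dev/null 2>&1; then
            echo "NO_PASSPHRASE $key"
        fi
    done
    return 0
}

# Audit the directory given as the first argument, or ~/.ssh by default.
audit_ssh_dir "${1:-$HOME/.ssh}"
```

A KEY_PERMS finding is fixed with chmod 600 on the private key, and a NO_PASSPHRASE finding with ssh-keygen -p -f on that key.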

Part 2: Setting Up GPG Keys for Git Commit Signing

To get the "Verified" badge for your commits, you need to sign them with a GPG key. Here’s how to set up GPG keys with Git and GitHub:

Step 1: Install GPG

  • Ensure GPG is installed:
    gpg --version
    
  • If not installed, use:
    • Debian-based systems:
      sudo apt update
      sudo apt install gnupg
      
    • macOS:
      brew install gnupg
      

Step 2: Generate a New GPG Key

  • Generate a new GPG key:
    gpg --full-generate-key
    
  • Select:
    • Key type: RSA and RSA (default)
    • Key size: 4096 bits
    • Expiration date: Enter a duration or "0" for no expiration
    • Provide your name and email (same as your GitHub email) and set a passphrase.

Step 3: List Your GPG Keys

  • View your new GPG key:
    gpg --list-secret-keys --keyid-format=long
    
  • Note the long key ID (e.g., ABCDEF1234567890).

Step 4: Add Your GPG Public Key to GitHub

Step 5: Configure Git to Use Your GPG Key

  • Set your GPG key in Git:

    git config --global user.signingkey ABCDEF1234567890
    
  • Enable commit signing by default:

    This step configures Git to sign all commits by default, so every commit you make carries a signature GitHub can verify:

    git config --global commit.gpgSign true
    
  • Ensure Git uses the correct GPG program:

    git config --global gpg.program "$(which gpg)"
    

Step 6: Configure Your Terminal for GPG

  • Add this to your shell configuration file (.bashrc, .zshrc, etc.):
    echo 'export GPG_TTY=$(tty)' >> ~/.bashrc
    source ~/.bashrc
    

Part 3: Verify Your Setup

Make a Signed Commit

  • Create a signed commit:
    git commit -S -m "Your commit message"
    

Push the Commit to GitHub

  • Push it to your repository:
    git push
    

Check for the Verified Badge on GitHub

  • Go to your GitHub repository and ensure the commit shows a “Verified” badge.

Conclusion

By following this guide, you have set up SSH keys for secure authentication and GPG keys for commit signing with GitHub. This setup enhances your workflow’s security and ensures your contributions are properly authenticated with the “Verified” badge. Follow these steps carefully, and you’ll be on your way to a more secure and trustworthy GitHub presence.

By securing your GitHub with SSH and GPG, you're not only protecting your own work but also contributing to a safer and more trustworthy software development community.