DEV Community

Cover image for how2: Using GPG on macOS without GPGTools
Wes Souza
Wes Souza

Posted on • Originally published at Medium on

how2: Using GPG on macOS without GPGTools

I don’t like GPGTools. I want GPG on macOS. Every tutorial has some obsolete part. Here’s what I did.


GPGTools installs a lot of things that I don’t want to use. I just want to sign my commits on GitHub and save my GPG key in macOS keychain.

There are two main dependencies to achieve that, gnupg contains the GPG tools to generate keys and sign things, as well as an agent to do agent things; and pinentry-mac which is the part of GPGTools that prompts for your key password and stores it on the OS keychain.

GPG Setup

Before anything, install Homebrew.

After that, install the dependencies:

brew install gnupg pinentry-mac
Enter fullscreen mode Exit fullscreen mode

Note the output of the install command, which will tell you the location of the pinentry-mac program:

==> Caveats
==> pinentry-mac
You can now set this as your pinentry program like

~/.gnupg/gpg-agent.conf
    pinentry-program /some/path/here
Enter fullscreen mode Exit fullscreen mode

You need to configure gpg-agent to use pinentry-mac by creating a file ~/.gnupg/gpg-agent.conf, pointing to the correct pinentry-mac program:

# Connects gpg-agent to the OSX keychain via the brew-installed
# pinentry program from GPGtools. This is the OSX 'magic sauce',
# allowing the gpg key's passphrase to be stored in the login
# keychain, enabling automatic key signing.
pinentry-program /usr/local/bin/pinentry-mac
Enter fullscreen mode Exit fullscreen mode

For Apple Silicon Macs, Homebrew uses a different path:

pinentry-program /opt/homebrew/bin/pinentry-mac
Enter fullscreen mode Exit fullscreen mode

Then, let’s generate your first key. I recommend using RSA and RSA, a key size of 4096, and not having the key expire. Remember to choose a strong password.

gpg --full-generate-key
Enter fullscreen mode Exit fullscreen mode

Then, sign a test message so pinentry-mac can store your password in the keychain:

echo "test" | gpg --clearsign
Enter fullscreen mode Exit fullscreen mode

This should open a dialog prompting your password. Remember to check “Save in Keychain”.

Connecting to GitHub

First, copy your private key to add to GitHub:

gpg --export --armor your@email.here | pbcopy
Enter fullscreen mode Exit fullscreen mode

And paste it in GitHub’s Settings > SSH and GPG keys > New GPG key.

Second, configure your git environment to use signed commits. I’ve done it globally. First obtain your public GPG keys:

$ gpg --list-secret-keys
(...)
sec   rsa2048 2019-01-15 [SC]
      YOUR_GPG_KEY_APPEARS_HERE
uid           [ultimate] Your Name <your@email.here>
ssb   rsa2048 2019-01-15 [E]
Enter fullscreen mode Exit fullscreen mode

Then configure git:

git config --global commit.gpgsign true
git config --global user.signingkey YOUR_GPG_KEY
Enter fullscreen mode Exit fullscreen mode

And finally, commit something with the-S argument to make sure it’s signed:

git commit -S -m "Testing GPG signature"
Enter fullscreen mode Exit fullscreen mode

Troubleshooting

Things you can try if things are not working:

# Kill gpg-agent
killall gpg-agent

# Run gpg-agent in daemon mode
gpg-agent --daemon
Enter fullscreen mode Exit fullscreen mode

Cover photo by Micah Williams on Unsplash.

Top comments (7)

Collapse
 
bbuchalter profile image
Brian Buchalter

Note, for Apple Silicon users, the install location of homebrew packages has changed. Run which pinentry-mac to determine the correct location for you to be placed in the ~/.gnupg/gpg-agent.conf file.

Collapse
 
wes profile image
Wes Souza

Thanks for the heads up, I've updated the article to reflect that.

Collapse
 
fdel15_61 profile image
Frank

Amazing article. Helped me out today. Thank you Wes.

Collapse
 
rahmanfadhil profile image
Rahman Fadhil

Thanks a lot, super helpful! 😃

Collapse
 
thbp profile image
The Half Blood Prince

Clean, simple and precise. Kudos!

Collapse
 
mellbourn profile image
Klas Mellbourn • Edited

Excellent advice, just what I've been looking for. Gpg-suite installs oodles of launch services. The keychain feature is the only thing that I need.

Collapse
 
rakheshster profile image
Rakhesh Sasidharan

Thanks for this. Wanted to avoid GPG Suite myself and this was the only post I found that gave good clear instructions.