Introduction: Why Digital Signatures Matter
Imagine a world where anyone could impersonate you in emails, tamper with your code, or access sensitive files—all because your digital identity lacked verification. This isn’t a dystopian fantasy; it’s the reality we navigate daily. GPG/PGP isn’t just a relic of the 1990s—it’s your shield in an era of phishing, supply chain attacks, and data breaches.
Whether you’re a developer safeguarding Git commits, a privacy-conscious user encrypting emails, or a sysadmin hardening SSH access, this guide will help you in utilizing gpg in practice. Let’s dive in. GPG enables you to:
- Sign Git commits/tags to prove authorship.
- Encrypt sensitive files for secure sharing.
- Authenticate SSH connections without passwords.
- Verify email integrity to combat spoofing.
Without these safeguards, you risk impersonation, unauthorized code changes, and data breaches.
Core Concepts: PGP vs. GPG
- PGP (Pretty Good Privacy): The original encryption software (1991), now a proprietary tool.
- OpenPGP: The open standard (RFC 4880) defining encryption protocols.
- GPG (GNU Privacy Guard): A free, open-source implementation of OpenPGP.
Key Takeaway:
GPG is the tool you’ll use today; OpenPGP is the standard it follows.
Key Anatomy: Master Keys and Subkeys
- Master Key
- Purpose: Signs off on your subkeys (like a root certificate authority). It’s the root of trust for your entire PGP setup.
- Storage: Stash it offline for Fort Knox-level security. Ideally, on a USB drive in a safe. Seriously.
- Subkeys
- Signing (S): Stamps Git commits/files as legit. This subkey is used to prove authorship.
- Encryption (E): Locks down your data. Use this subkey for encrypting emails and files.
- Authentication (A): Kicks passwords to the curb for SSH. This subkey is used for SSH authentication.
Real-World Analogy: Your master key is like a building’s master key - losing it means rekeying every lock. Subkeys are individual office keys that can be changed without disrupting the whole system. Subkeys allow you to compartmentalize your security. If a subkey is compromised, you can revoke it without affecting your master key.
Example Key Listing:
If you run gpg --list-keys, you’ll see something like this:
pub rsa4096 2022-02-09 [SC] [expires: 2026-02-06]
CDD387F08A49C8DF...
uid [ultimate] Rohit Gupta <[email protected]>
sub rsa4096 2022-02-09 [E] [expires: 2026-02-06]
sub rsa4096 2022-02-14 [S] [expires: 2026-02-06]
BTW, my PGP key (fingerprint 5DBF 0FBE A729 F335) is available on the Ubuntu Keyserver and can be directly downloaded from here.
Setup Guide: Installation and Key Creation
Install GPG
macOS:
brew install gnupg pinentry-mac
mkdir -p ~/.gnupg
echo "pinentry-program $(which pinentry-mac)" >> ~/.gnupg/gpg-agent.conf
Why the pinentry-mac? This provides a graphical interface for entering your passphrase, which is much more user-friendly than the default terminal prompt.
Linux:
sudo apt install gnupg2 pinentry-curses # Debian/Ubuntu
Windows: Use Gpg4win.
Generate Keys
gpg --full-generate-key
# Follow prompts for RSA 4096, 2-year expiration, and a strong passphrase
RSA vs. ECC? RSA is the older, more established algorithm. ECC (Elliptic Curve Cryptography) is newer and generally considered more secure for the same key size, but compatibility might be an issue with older systems. Sticking with RSA 4096 is generally a safe bet.
Expiration Date: Set a reasonable expiration date (e.g., 2 years). You can always extend it later. This forces you to review your keys periodically.
Passphrase: USE A STRONG PASSPHRASE! This is the key to your entire PGP setup. Use a password manager to generate and store a strong, unique passphrase.
Add Subkeys
gpg --edit-key YOUR_KEY_ID
gpg> addkey # Repeat for Signing (S), Encryption (E), Authentication (A)
gpg> save
Practical Use Cases
Case 1: Git Commit Signing
- Configure Git:
git config --global user.signingkey YOUR_SIGNING_SUBKEY_ID
git config --global commit.gpgsign true
Make sure user.signingkey is set to your signing subkey ID, not your master key ID.
- Sign a Commit:
git commit -S -m "Add secure login feature"
- Verify Signatures:
git log --show-signature
GitHub will show verified badge on the signed commits.
Case 2: Encrypted File Sharing
- Encrypt for a recipient:
gpg --encrypt --recipient [email protected] secret-document.pdf
You’ll need Bob’s public key for this to work.
- Decrypt:
gpg --output secret-document.pdf --decrypt secret-document.pdf.gpg
Case 3: Passwordless SSH Authentication
- Link GPG to SSH:
echo "enable-ssh-support" >> ~/.gnupg/gpg-agent.conf
gpg --export-ssh-key YOUR_AUTH_SUBKEY_ID >> ~/.ssh/authorized_keys
- Connect securely:
ssh user@server
Key Management Strategies
Publish Public Keys
Upload to a keyserver:
gpg --keyserver keys.openpgp.org --send-keys YOUR_KEY_ID
Keyservers are public databases of PGP keys. Uploading your key makes it easier for others to find and use it.
Export for direct sharing:
gpg --export -a YOUR_KEY_ID > public-key.asc
This exports your public key to a file that you can share directly with others.
Backup
Export subkeys (exclude master key):
gpg --export-secret-subkeys -a YOUR_KEY_ID > subkeys.asc
Revocation
Generate revocation cert upfront:
gpg --gen-revoke YOUR_KEY_ID > revocation.cert
A revocation certificate allows you to invalidate your key if it’s compromised. Store this certificate securely.
If laptop stolen:
gpg --import revocation.cert # Instantly invalidates key
Key Rotation
Update expiration dates proactively:
gpg --quick-set-expire YOUR_KEY_ID 2y
Note: After any changes to keys make sure you pulish it keys to the keyserver
Troubleshooting Common Issues
“No Pinentry” Error (macOS/Linux)
Reset the GPG agent:
gpgconf --kill gpg-agent
export GPG_TTY=$(tty)
Expired Key
Extend the expiration date:
gpg --edit-key YOUR_KEY_ID
gpg> expire
# Set new date
gpg> save
Git Signing Failures
Ensure your Git email matches your GPG UID:
git config user.email "[email protected]"
Conclusion: Take Control of Your Digital Identity
PGP/GPG isn’t just for the security nerds—it’s a must-have for anyone who touches code, handles sensitive data, or logs into remote systems. Go sign your next Git commit, encrypt a file for a colleague, or set up SSH authentication. It’s time to get secure!