Automatically Sign Commits Using GPG Suite on macOS

To make my commits marked as “verified” on GitHub, I tried to sign them locally using GPG. It worked fine using the following command line command:

> git commit -S -m your commit message

But when I tried to sign commits within JetBrains IDEs, like Clion, things did not work out so easily. JetBrains IDEs do not provide native supports/integrations for GPG. So I need to make use of GPG Suite to sign commits automatically without being prompted for password from the terminal. This post records how to do so.

Installing GPG Suite

> brew cask install gpg-suite
> brew cask install gpg-suite-pinentry

Generating a GPG key

> gpg --full-generate-key

Choose RSA and RSA for encryption method, 4096 for key size.

> gpg --list-secret-keys --keyid-format LONG
/Users/zzhou612/.gnupg/pubring.kbx
----------------------------------
sec   rsa4096/B31AD9AD2B5CFABD 2019-02-22 [SC]
      ...
uid   [ultimate] Nathan Zhou (GitHub key) <zzhou612@gmail.com>
ssb   rsa4096/... 2019-02-22 [E]
> gpg --armor --export B31AD9AD2B5CFABD
# Prints the GPG key ID, in ASCII armor format

Copy the GPG key, beginning with -----BEGIN PGP PUBLIC KEY BLOCK----- and ending with -----END PGP PUBLIC KEY BLOCK-----. Add the GPG key to GitHub account.

Configuring Automated Signing

> git config --global user.signingkey B31AD9AD2B5CFABD
> git config --global commit.gpgsign true
> git config --list
...
user.signingkey=B31AD9AD2B5CFABD
commit.gpgsign=true
> vim ~/.gnupg/gpg.conf
...
no-tty
use-agent

Add export GPG_TTY=$(tty) to .zshrc, .bashrc and etc.

When you store a password in macOS keychain, pinentry, the program used to ask for your password, will never again ask for that password. macOS will remember this password and automatically use it when needed. That means you will no longer see the pinentry dialog querying for your password. The password is protected with your macOS user password.

Choose ‘Store in OS X Keychain’ option when the pinentry dialog asks for the password.