✨ Use GPG to sign git commits

I've automated as much as possible, and tucked the setup in it's own script which the user is prompted to run if no keys exist.
2024-02-04 20:28:59 -08:00 · 2024-02-04 20:28:59 -08:00 · b183bcc9c0
commit b183bcc9c0
parent 26dc5d58d0
7 changed files with 96 additions and 7 deletions
--- a/README.md
+++ b/README.md
@ -60,3 +60,7 @@ dotfile repos:
 [git-prevision](https://gist.github.com/TheCodeArtist/a90978ebca0ff6743036)

 [iTerm2 keymaps for tmux](https://web.archive.org/web/20230921160724/https://tangledhelix.com/blog/2012/04/28/iterm2-keymaps-for-tmux/)
+
+[signing-git-commits](https://gist.github.com/phortuin/cf24b1cca3258720c71ad42977e1ba57)
+
+[Correct_GnuPG_Permission](https://gist.github.com/oseme-techguy/bae2e309c084d93b75a9b25f49718f85)
--- a/fish/install.fish
+++ b/fish/install.fish
@ -27,4 +27,3 @@ brew_install "Starship Prompt" starship
 brew_install "The Fuck" thefuck
 npm_install "tldr pages" tldr
 brew_install eza eza
-brew_install GnuPG gnupg
--- a/git/.gitconfig.local.symlink
+++ b/git/.gitconfig.local.symlink
@ -1,5 +1,6 @@
 # vim:set ft=gitconfig :

 [user]
-    name = Marley Rae
-    email = marley@punkfairie.net
+  name = punkfairie
+  email = 23287005+punkfairie@users.noreply.github.com
+  signingkey = 8128A755
--- a/git/.gitconfig.symlink
+++ b/git/.gitconfig.symlink
@ -46,6 +46,10 @@

 [commit]
  template = ~/dotfiles/git/commit_template
+  gpgSign = true
+
+[tag]
+  gpgSign = true

 [push]
  autoSetupRemote = true
--- a/git/gpg-key.fish
+++ b/git/gpg-key.fish
@ -0,0 +1,42 @@
+#!/usr/bin/env fish
+
+source "$DOT/script/utils.fish"
+
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+# https://gist.github.com/phortuin/cf24b1cca3258720c71ad42977e1ba57
+
+print_title "GPG Key Setup for Git & Github"
+
+if ! [ -e "$HOME/.gnupg/pubring.kbx" ]
+    print_warning "Please run gpg --full-gen-key with the following answers:"
+    print_warning "Kind of key   - 4 (RSA, sign only)"
+    print_warning "Keysize       - 4096"
+    print_warning "Expiration    - 0"
+    print_warning "Real name     - <your GitHub username>"
+    print_warning "Email address - <private email>@users.noreply.github.com"
+    print_warning "Re-run this script when finished!"
+
+    exit
+end
+
+# https://gist.github.com/oseme-techguy/bae2e309c084d93b75a9b25f49718f85
+sudo -k
+chown -R $(whoami) "$HOME/.gnupg/"
+find ~/.gnupg -type f -exec chmod 600 {} \;
+find ~/.gnupg -type d -exec chmod 700 {} \;
+
+set key (
+    gpg --list-secret-keys --keyid-format SHORT\
+    | grep 'rsa4096'\
+    | sed 's/sec   rsa4096\///'\
+    | awk '{print $1}'
+)
+
+sed -i '' "s/# GPGKEY/signingkey = $key/g" "$DOT/git/.gitconfig.local.symlink" \
+    && print_success "Added key to .gitconfig.local"
+
+gpg --armor --export $key | pbcopy \
+    && print_success "Copied key to clipboard" \
+    && print_warning "Please go to https://github.com/settings/keys" \
+    && print_warning "and add your copied GPG key to your GitHub account!"
--- a/git/gpg.config.fish
+++ b/git/gpg.config.fish
@ -0,0 +1,6 @@
+#!/usr/bin/env fish
+
+if [ -e "~/.gnupg/gpg-agent.conf" ]
+    set -gx GPG_TTY (tty)
+    gpgconf --launch gpg-agent
+end
--- a/git/install.fish
+++ b/git/install.fish
@ -8,7 +8,40 @@ source "$DOT/homebrew/brew_utils.fish"
 print_subtitle Git

 brew_install "Github CLI" gh
-execute \
-    "git clone https://gitlab.com/raabf/gitmoji-fuzzy-hook.git ~/.local/share/gitmoji-fuzzy-hook && \
-     ln -f -s ~/.local/share/gitmoji-fuzzy-hook/bin/gitmoji-fuzzy-hook-init.sh $HOME/bin/gitmoji-fuzzy-hook-init" \
-    gitmoji-fuzzy-hook
+
+if ! [ -e "$HOME/.local/share/gitmoji-fuzzy-hook/" ]
+    execute \
+        "git clone https://gitlab.com/raabf/gitmoji-fuzzy-hook.git ~/.local/share/gitmoji-fuzzy-hook && \
+         ln -f -s ~/.local/share/gitmoji-fuzzy-hook/bin/gitmoji-fuzzy-hook-init.sh $HOME/bin/gitmoji-fuzzy-hook-init" \
+        gitmoji-fuzzy-hook
+else
+    execute \
+        "cd ~/.local/share/gitmoji-fuzzy-hook/ && git pull; cd $DOT" \
+        gitmoji-fuzzy-hook
+end
+
+print_subtitle "Git GPG"
+
+sudo -k
+
+brew_install GnuPG gnupg
+brew_install "Pinentry for Mac" pinentry-mac
+
+if ! [ -e "$HOME/.gnupg" ]
+    mkdir "$HOME/.gnupg" &>/dev/null
+end
+
+if ! [ -e "$HOME/.gnupg/gpg.conf" ]
+    echo use-agent >"$HOME/.gnupg/gpg.conf"
+end
+
+if ! [ -e "$HOME/.gnupg/gpg-agent.conf" ]
+    printf '%b' \
+        "default-cache-ttl 34560000\n" \
+        "max-cache-ttl 34560000\n" \
+        "pinentry-program $(brew --prefix)/bin/pinentry-mac" >"$HOME/.gnupg/gpg-agent.conf"
+end
+
+if ! [ -e "$HOME/.gnupg/pubring.kbx" ]
+    print_warning "No GPG keys exist! Please run $DOT/git/gpg-key.fish"
+end