Skip to content
>_devvkit
$devvkit learn --librarie gpg-guide

GPG Guide

[encryption][signing][pgp][crypto]
Security & Cryptography
Install
sudo apt install gnupg
brew install gnupg
# Windows: Gpg4win (gpg4win.org)
# macOS: GPG Suite (gpgtools.org)

GPG is the standard for email encryption and code signing. Generate a keypair, publish your public key to keyservers, and encrypt files or sign git commits. GitHub uses GPG to verify commit signatures.

Use `gpg --full-generate-key` to create a keypair. Export your public key with `--export -a` and share it. Revoke with `--gen-revoke`. The most common daily use: `git config commit.gpgsign true` with `user.signingkey`.

Key management tips: back up your private key and revocation certificate! Use `--export-secret-keys -a` and store offline. Use `gpg --keyserver keys.openpgp.org --send-keys KEYID` to publish. GUI: Kleopatra (Gpg4win), GPG Keychain (macOS), Seahorse (Linux).

Key Management

Generate keypairCreate new GPG key.
gpg --full-generate-key           # Interactive (recommended)
gpg --quick-generate-key "Alice <alice@example.com" rsa4096 cert 1y
# List keys:
gpg --list-keys                    # Public keys
gpg --list-secret-keys             # Private keys
List and identifyFind your key ID.
gpg --list-keys --keyid-format LONG
# Output: [ultimate] 3AA5C34371567BD2
# Key ID: 3AA5C34371567BD2 (use this for signing/encrypting)

gpg --fingerprint                  # Show fingerprints
Key server operationsPublish/fetch keys.
# Send key to keyserver:
gpg --keyserver keys.openpgp.org --send-keys 3AA5C34371567BD2
# Find someone's key:
gpg --keyserver keys.openpgp.org --search-keys bob@example.com
# Refresh all keys
gpg --refresh-keys

Encryption

Encrypt fileEncrypt for recipient.
gpg --encrypt --recipient alice@example.com secret.txt
# Creates: secret.txt.gpg
# Decrypt:
gpg --decrypt secret.txt.gpg > secret.txt

# Symmetric encryption (password-based):
gpg --symmetric --cipher-algo AES256 secret.txt
Encrypt with multiple recipientsEncrypt for many people.
gpg --encrypt \
  --recipient alice@example.com \
  --recipient bob@example.com \
  --recipient team@example.com \
  document.pdf
# Any recipient can decrypt with their private key

Signing

Sign a fileDetached signature.
gpg --detach-sign -a file.txt          # Creates file.txt.asc
gpg --verify file.txt.asc file.txt     # Verify

# Clear-sign (ASCII, inline):
gpg --clear-sign message.txt
# Verify:
gpg --verify message.txt.asc

Git Integration

Git commit signingSign all commits.
gpg --list-secret-keys --keyid-format LONG  # Get KEYID
git config --global user.signingkey 3AA5C34371567BD2
git config --global commit.gpgsign true
# Sign a tag:
git tag -s v1.0.0 -m "Release v1.0.0"
git tag -v v1.0.0                     # Verify tag

# Tell GitHub about your key:
gpg --export -a 3AA5C34371567BD2  # Copy this to GitHub Settings → SSH and GPG keys

Export/Import

Export/backupBack up keys.
# Export public key:
gpg --export -a 3AA5C34371567BD2 > my-public-key.asc
# Export private key (KEEP SECURE!):
gpg --export-secret-keys -a 3AA5C34371567BD2 > my-private-key.asc
# Export revocation cert:
gpg --gen-revoke 3AA5C34371567BD2 > revoke.asc

# Import:
gpg --import my-public-key.asc
gpg --import my-private-key.asc