GPG

How to set up GPG on macOS

Check this Gist by troyfontaine.

It does a pretty good job of describing what needs to be done.

(There’s no need to install gpg2 via Homebrew. In fact, it is only an alias for gnupg.)

Possible issues and how to fix them

If the test

echo "test" | gpg --clearsign

returns some kind of error, try one of the following:

gpgconf --kill gpg-agent
export GPG_TTY=$(tty)
# If this solves the issue, add it to your .zshrc file

Store Passphrase in Keychain

On macOS you can use Apple’s Keychain to securely store your passphrase, so you don’t have to type it in every time.

Install pinentry-mac

brew install pinentry-mac

Set as pinentry program

Copy the following into ~/.gnupg/gpg-agent.conf:

pinentry-program /opt/homebrew/bin/pinentry-mac

Basic GPG

Install

brew install gnupg

List All (Private/Public) Keys

  • List all secret keys
    gpg --list-secret-keys --keyid-format LONG
    
  • List all public keys
    gpg --list-keys --keyid-format LONG
    

The key ID is the text right after 4096R/.
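As an added example (not part of the original notes), a small POSIX shell snippet that pulls the long key ID out of a key listing like the one above, and that builds the pinentry-program line for the Homebrew prefix actually in use (/opt/homebrew on Apple silicon, /usr/local on Intel Macs). The sample listing and its key IDs are constructed.

```shell
#!/bin/sh
# Added example, not from the original notes: extract long key IDs from
# `gpg --list-secret-keys --keyid-format LONG` / `gpg --list-keys --keyid-format LONG`
# output, so they can be passed to --export, --export-secret-key or --delete-key
# without copying them by hand.

# Constructed sample listing (made-up key IDs and fingerprint), showing both the
# older "4096R/" and the newer "rsa4096/" form of the key line.
SAMPLE_LISTING='sec   rsa4096/3AA5C34371567BD2 2023-01-15 [SC]
      1234567890ABCDEF1234567890ABCDEF12345678
uid                 [ultimate] Alice Example <alice@example.com>
ssb   rsa4096/42B317FD4BA89E7A 2023-01-15 [E]
pub   4096R/9F0E2D1C3B4A5968 2019-06-01
uid                  Bob Example <bob@example.com>
sub   4096R/7766554433221100 2019-06-01'

# Print the long key ID of every primary key of the given record type
# ("sec" for secret keys, "pub" for public keys; default "sec").
# Subkeys ("ssb"/"sub") are deliberately skipped. Reads the listing from stdin.
primary_key_ids() {
  awk -v kind="${1:-sec}" '$1 == kind { split($2, p, "/"); print p[2] }'
}

# Emit the gpg-agent.conf line for pinentry-mac under the Homebrew prefix
# given as $1. Assumption: Homebrew installs the binary to "$prefix/bin".
pinentry_conf_line() {
  printf 'pinentry-program %s/bin/pinentry-mac\n' "$1"
}

# Usage: list secret key IDs from the sample, then show the config line for
# an Apple silicon machine (`brew --prefix` prints the right prefix on a real box).
printf '%s\n' "$SAMPLE_LISTING" | primary_key_ids sec
printf '%s\n' "$SAMPLE_LISTING" | primary_key_ids pub
pinentry_conf_line /opt/homebrew
```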

Generate

  • Generate a new key in an interactive mode
    gpg --full-generate-key
    

    Kind: default: RSA and RSA
    Size: 4096 (default: 2048)
    Time: 0 means the key doesn’t expire
    User ID information
    Secure passphrase (This will actually be needed every time the key is used, but can be stored in the macOS Keychain)

  • Print the key in Terminal
    gpg --armor --export <keyid>
    

    This prints the public key in ASCII armor format.
    Copy everything (incl. -----BEGIN PGP PUBLIC KEY BLOCK----- and -----END PGP PUBLIC KEY BLOCK-----)

Export

  • a public key

    gpg --output mygpgkey_public.gpg --armor --export <keyid>
    
  • a private key

    gpg --output mygpgkey_private.gpg --armor --export-secret-key <keyid>
    

Import

  • a public key:
    gpg --import <public_key>.gpg
    
  • a private key:
    gpg --import --batch <private_key>.gpg
    

Delete Keys

  • This deletes the private key; the public key is not deleted
    gpg --delete-secret-key <keyid>
    
  • This deletes the public key. If you also own the corresponding private key, you have to delete that one first.
    gpg --delete-key <keyid>
    

Test

echo "test" | gpg --clearsign

If this test fails, try executing this line beforehand (and then add it to the shell’s resource file):

export GPG_TTY=$(tty)