Tutorial How to use PGP with Github Desktop for Windows

[Bluscream]

A few days ago i saw a commit by someone having a

checkmark. And i was like "This is cool, i want it too xD". So i started browsing github's FAQ searching for it. Sadly the first site i found told me

And i was like "F*CK YOU GITHUB". So i figured it out myself (Had some problems and a short email conv with the guy that i first saw the checkmark on) and now i'm going to share it with you

1. Add a new user/system variable %GNUPGHOME%
2. (Restart your PC)
   
3. Get and install GPG4Win.
4. Add a new OpenPGP Key Certificate with Kleopatra [It was installed with GPG4Win] (The email must match your github login email) (DON'T PASSWORD PROTECT IT [JUST LEAVE THE PASSWORD FIELD EMPTY])
5. Check if everything worked by taking a look at the %USERPROFILE%\.gnupg folder (It should be full of files)
6. Now open a command line and enter gpg --armor --export <your github login email>
7. (If nothing comes up try to find your key with gpg --list-secret-keys --keyid-format LONG)
8. Copy the output in your clipboard,open https://github.com/settings/keys, click on "New GPG key", paste the block of text in there and click "Click add GPG key".
9. Open Github Desktop, rightclick on any repo and click on "Open in Git Shell". It should bring up a window like this.
10. Enter git config --global --edit and check if the following entries already exist. If not, add them!
    

    [user]
        name = <YOUR GITHUB NAME>
        email = <YOUR GITHUB LOGIN EMAIL>
        signingkey = <YOUR SHORT KEY HASH>
    [commit]
      gpgsign = true

11. Repeat the same with git config --system --edit.
12. Restart your github desktop and maybe your pc and try a test commit.
13. Enjoy
    

If you encounter an issue please post it here or mail me at admin[at]timo.de.vc

 

[Derp]

Oh so now people use pgp verified commits just because "it looks cool"...what in the actual living fuck?

"(DON'T PASSWORD PROTECT IT [JUST LEAVE THE PASSWORD FIELD EMPTY])"

Unprotected PGP Private Key?, What is the real purpose of this tutorial?, This is definitely not "How to use PGP with Github Desktop on Windows", It's more like "How to enable the "cool" 'Verified' mark on commits, ignoring the real purpose of PGP"

 

[Bluscream]

The reason behind the missing password on the key is simple. It doesn't work. Maybe it works on linux but on windows it gives strange errors that you can't bypass. If you want supported (real/protected) PGP you should simply use another git client or wait for an update that adds this feature in a supported way to the official client. And yes, it is cool

btw. The PGP encryption itself does work, so just cause there is no password on a key doesn't mean it's useless

 

[Derp]

There is not such thing as "Unprotected PGP", The idea is, You use PGP? You're looking for a way to verify it is really you who is committing the changes (in this scenario), not "Use it just to get the cool verified mark on your commits"

"PGP encryption itself does work, so just cause there is no password on a key doesn't mean it's useless"

You are never using PGP to encrypt any communication, You are using PGP to sign your commit. By not securing your PGP key you are defeating the purpose of PGP Signing. Somebody could simply use your pc or steal your pgp key and impersonate you, and you really don't want that.

 

[Bluscream]

simply use your pc or steal your pgp key

Does that happen often to you?

 

[Derp]

http://www.efolder.net/blog/why-the-it-wont-happen-to-me-mentality-doesnt-work/