Nite
Nite

Your Git "Verified" Badge, Everywhere: The Ultimate Guide to GPG Key Generation and Migration

Nite Nite included in Practical Tutorials
 About 1200 words 6 minutes 

AI generated + manually edited

On GitHub, that small green “Verified” badge is not just decoration—it’s the digital signature of your code commits, representing professionalism, security, and trustworthiness. It declares to the world: “This commit was indeed made by me, and the content has not been tampered with.”

But when you switch to a new computer, or want to sync work between company devices and personal laptops, the question arises: how do you make this “identity badge” follow you?

Don’t worry! This guide will take you from zero to completing two major tasks:

  1. Generate your first GPG key and integrate it perfectly with Git and GitHub.
  2. Securely migrate it to any new device for seamless cross-device signing.

Let’s get started!

Part 1: Laying the Foundation — Generate Your GPG Key

To have a signature, you first need a “pen”—that is, your GPG key pair.

Step 1: Install GPG Tools

If your computer doesn’t have GPG installed yet, this is the first step.

  • macOS: Using Homebrew is the easiest way.

    brew install gnupg

  • Windows:

    Download and install Gpg4win, which will provide everything you need.

    Or use scoop scoop install gpg4win

  • Linux (Debian/Ubuntu): Usually comes with the system, if not, run:

    sudo apt-get install gnupg

Step 2: Start the Key Generation Wizard

Open your terminal (or Git Bash on Windows) and run the following command:

gpg --full-generate-key

Next, you’ll enter an interactive wizard. Don’t worry, we’ll go step by step:

  1. Select key type: Just press Enter to choose the default (1) RSA and RSA.
  2. Select key size: Enter 4096. This is the currently recommended most secure length.
  3. Select validity period: Enter 0 for never expires, or 1y for one year. For personal use, 0 is the most convenient choice.
  4. Confirm information: Enter y and press Enter.

Step 3: Fill in Your Identity Information (Critical!)

Now you need to provide your user ID.

  • Real name: Enter your name or nickname (recommended to match git config user.name).
  • Email address: Absolutely critical! You must enter an email address that has been verified on GitHub and is exactly the same as your git config user.email setting. This is the only way GitHub matches your identity.
  • Comment: Optional, you can press Enter to skip.
  • Confirm and create: After checking the information is correct, enter O (Okay) and press Enter.

Finally, the system will prompt you to set a passphrase for this key. This password protects your private key and is required every time you sign. Please set a strong password and remember it!

Part 2: Linking Identity — Connect Git and GitHub

With the key, now you need to let the world know it belongs to you.

Step 1: Find Your GPG Key ID

Run the following command to list the key you just created:

gpg --list-secret-keys --keyid-format=long

You’ll see output like this:

sec   rsa4096/3AA5C34371567BD2 2023-10-27 [SC]
      946A6E2B1A9E7F094593C2A33AA5C34371567BD2
uid                 [ultimate] Your Name <your_email@example.com>

The long string of characters after the slash / in the sec line 3AA5C34371567BD2 is your GPG key ID. Copy it!

Step 2: Configure Local Git

Tell Git which “signature pen” is yours:

# Replace YOUR_KEY_ID with your own key ID
git config --global user.signingkey YOUR_KEY_ID

# Recommended: Auto-sign every commit, set it once and forget!
git config --global commit.gpgsign true

Step 3: Upload Public Key to GitHub

  1. Export your public key (the part that can be public):

    # Replace YOUR_KEY_ID with your key ID
gpg --armor --export YOUR_KEY_ID

  2. Copy all content from the terminal output, from -----BEGIN PGP PUBLIC KEY BLOCK----- to -----END PGP PUBLIC KEY BLOCK-----.

  3. Log into GitHub, go to Settings > SSH and GPG keys.

  4. Click New GPG key, paste the copied public key, then click Add GPG key.

Mission accomplished! Now go commit and push to GitHub, and you’ll see that delightful “Verified” badge!

Part 3: Identity Migration — Making Your Key at Home on New Devices

This is the core of this article: when you get a new computer, how do you continue using the same GPG identity?

⚠️ Security Warning: This process involves your private key, which is the core of your digital identity. Please transfer it securely and never use email or public cloud storage!

Step 1: Export Keys on [Source Device]

On your old computer, we need to export both public and private keys.

  1. Export public key (public part):

    gpg --armor --export YOUR_KEY_ID > public.asc

  2. Export private key (confidential part):

    gpg --armor --export-secret-keys YOUR_KEY_ID > private.asc

    When executing this command, you’ll need to enter your GPG key password.

Now you have two files: public.asc and private.asc.

Step 2: Securely Transfer Files

Securely copy these two .asc files from the old device to the new device. Recommended methods:

  • Encrypted USB drive (simplest and most direct).
  • scp command (if you’re familiar with SSH).
  • End-to-end encrypted sync tools (like Keybase).

Step 3: Import Keys on [Target Device]

On the new computer, open terminal and navigate to the directory containing these two files.

  1. Import public key:

    gpg --import public.asc

  2. Import private key:

    gpg --import private.asc

Step 4: Trust This Key (Critical Finishing Work!)

Importing alone isn’t enough—you must explicitly “trust” this key on the new device, otherwise Git might refuse to use it.

  1. Enter key editing mode:

    gpg --edit-key YOUR_KEY_ID

  2. At the gpg> prompt, enter trust and press Enter.

  3. Select the highest trust level, enter 5 (I trust ultimately) and press Enter.

  4. Confirm the choice, enter y and press Enter.

  5. Finally, enter save to save and exit.

Step 5: Complete Configuration and Cleanup

  1. Configure Git on new device: Don’t forget to repeat step 2 of Part 2, telling Git on the new device to use this key.

    git config --global user.signingkey YOUR_KEY_ID
git config --global commit.gpgsign true

  2. Security cleanup: Immediately delete the public.asc and private.asc files used for transfer! Don’t let copies of your private key scatter anywhere.

Summary

Congratulations! You now not only have a verified, professional digital identity, but also master the ability to make this identity “immortal” and follow you to any device.

  • Generate: gpg --full-generate-key
  • Associate: git config + upload public key to GitHub
  • Migrate: export -> secure transfer -> import -> trust

Now, wherever you code, every commit can carry that trustworthy green badge.

Troubleshooting

  1. If Windows has signing issues, try setting git config --global gpg.program <gpg path>
  2. For gpg: signing failed: Inappropriate ioctl for device error: Add environment variable export GPG_TTY=$(tty), for fish add set -x GPG_TTY (tty) to ~/.config/fish/config.fish

Appendix: Making Git Remember Your GPG Key

You can use the following commands to make Git remember your GPG key, avoiding entering the password every time.

Where 25920000 seconds = 300 days, setting max-cache-ttl to 25920000 seconds means the key cache time is maximum 300 days after each signing, adjustable based on needs.

printf "pinentry-program /usr/sbin/pinentry-curses
default-cache-ttl 25920000
max-cache-ttl 25920000" | tee ~/.gnupg/gpg-agent.conf
gpg-connect-agent reloadagent /bye
Updated on 2025-07-19 
CC BY-NC-SA 4.0
LinuxGpg
Back | Home
0%