Sources: ChatGPT, GitHub Copilot
This guide covers how to set up both SSH keys and GPG keys for secure Git operations on Ubuntu.
- SSH keys replace the need to enter your password when interacting with Git repositories over SSH. They’re more secure than using basic credentials and easier to automate.
- GPG (GNU Privacy Guard) is used to sign commits, so others can verify that the commit truly came from you and hasn’t been tampered with.
By combining these two, you get a robust, secure workflow for interacting with Git repositories and verifying code changes.
Note: Always keep your private keys secure and never share them.
- Open a terminal on Ubuntu.
- Run:
```bash
ssh-keygen -t ed25519 -C "your_email@example.com"
```
- Press Enter to accept the default location (~/.ssh/id_ed25519).
- Set a passphrase if you want additional security.
Once complete, you’ll have two files:
- ~/.ssh/id_ed25519 (private key, do not share)
- ~/.ssh/id_ed25519.pub (public key, safe to share)
- View your public key:
```bash
cat ~/.ssh/id_ed25519.pub
```
- Copy the entire output.
- In GitHub, go to: Settings → SSH and GPG keys → New SSH key. Paste your public key into the Key field, give it a title (optional), and click Add SSH key.
To clone a GitHub repository using SSH:
```bash
git clone git@github.com:Username/repo-name.git
```
You’ll no longer need to provide a username/password every time you push or pull.
- Install GPG if you haven’t:
```bash
sudo apt-get update
sudo apt-get install gnupg
```
- Generate a key:
```bash
gpg --full-generate-key
```
You will be prompted for the following:
- Key type: You can choose RSA (default) or ECC (like ed25519).
- Key size (if RSA): 4096 bits is common.
- Expiry: Decide whether the key should expire or not.
- Name/Email: Use the same email you use for GitHub commits.
- Passphrase: Protects your private key. Keep it secure and do not share it.
- List your keys to find the key ID:
```bash
gpg --list-secret-keys --keyid-format=long
```
- Export your public key in ASCII format:
```bash
gpg --armor --export <KEY_ID>
```
This will print out a block that starts with -----BEGIN PGP PUBLIC KEY BLOCK-----.
- Copy the entire ASCII-armored public key block.
- In GitHub, navigate to: Settings → SSH and GPG keys → New GPG key.
- Paste the block into the Key field, then Add GPG key.
To automatically sign your commits:
```bash
git config --global user.signingkey <KEY_ID>
git config --global commit.gpgsign true
git config --global gpg.program gpg
```
Where <KEY_ID> is the same key ID or fingerprint identified in the previous steps.
Locally, you can check a commit’s signature:
```bash
git log --show-signature -1
```
On GitHub, commits signed by this GPG key will have a “Verified” badge.
- “No public key”: You need to import the public key into your local GPG keyring. If you’re verifying someone else’s commit, import their public key.
- “Bad signature”: The GPG signature didn’t match the commit. Verify the email, key ID, and that the commit is truly from the signer.
- Password prompts for SSH: Make sure you’re using the SSH clone URL (beginning with git@github.com:) and that your private key permissions are restricted with chmod 600 ~/.ssh/id_ed25519.
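The troubleshooting checks above can be scripted so they run before a push fails. The following is an added example, not part of the original guide: it checks the private key's file mode, whether a remote URL is the SSH form, and whether an exported file is a complete ASCII-armored public key block. Function names are assumptions, and the mode check relies on GNU stat as shipped on Ubuntu.

```bash
#!/usr/bin/env bash
# Added example (not from the original guide). Offline checks for the
# failure modes described in the troubleshooting notes. Function names
# are assumptions; nothing here contacts GitHub or modifies the keyring.

# Return 0 when the private key file exists and has mode 600, else 1.
# Uses GNU coreutils stat (Ubuntu); prints a hint on failure.
check_private_key_mode() {
  key="$1"
  [ -f "$key" ] || { echo "missing: $key"; return 1; }
  mode=$(stat -c '%a' "$key") || return 1
  if [ "$mode" != "600" ]; then
    echo "insecure mode $mode on $key (expected 600; run: chmod 600 $key)"
    return 1
  fi
  return 0
}

# Return 0 when a remote URL is an SSH URL for GitHub, 1 otherwise.
# HTTPS remotes are what cause repeated username/password prompts.
is_ssh_remote() {
  case "$1" in
    git@github.com:*) return 0 ;;
    ssh://git@github.com/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Return 0 when a file starts and ends with the PGP public key armor
# lines that GitHub expects when you paste a GPG key, 1 otherwise.
is_armored_public_key() {
  f="$1"
  [ -f "$f" ] || return 1
  head -n 1 "$f" | grep -qx -- '-----BEGIN PGP PUBLIC KEY BLOCK-----' || return 1
  tail -n 1 "$f" | grep -qx -- '-----END PGP PUBLIC KEY BLOCK-----' || return 1
  return 0
}
```

Source the file and call, for example, `check_private_key_mode ~/.ssh/id_ed25519` or `is_ssh_remote "$(git remote get-url origin)"`.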
- SSH Setup: Generate a key (ssh-keygen), add it to GitHub, and clone via SSH.
- GPG Setup: Generate a GPG key (gpg --full-generate-key), add the public key to GitHub, and configure Git to sign commits.
- Enjoy a Secure Workflow: You’ll no longer enter passwords for Git operations, and your signed commits will be recognized as verified on GitHub.
Use this workflow to maintain best practices for secure code collaboration on Ubuntu.