Using PGP keys to make your files yours

In this post, I will explain how to set up your own PGP key and how to use it.

What is a PGP key?

PGP signatures are a great way to demonstrate that a file was made and distributed by you, or, for example, to sign a git commit. In fact, GitHub detects whether a commit was made by you by checking its PGP signature. All of this is possible thanks to cryptographic signatures.

A PGP signature is created by hashing the message or file and signing that hash with the author's private key (in RSA terms, encrypting the hash with the private key). The recipient verifies it with the sender's public key, which is the only part that ever needs to be shared. In fact, you can fetch the public key of anyone you know uses one. For example, here is Linus Torvalds' public key.

Generating your own key

Now that we know what PGP keys are, we can generate our first key. First of all, we need GnuPG installed. You can check by running

which gpg
You should see something like /usr/bin/gpg. GnuPG is installed in EVERY Linux distribution, so if it isn't there for some reason, RUN away from that distro. If you're on Windows or macOS, check GnuPG's website. Now we can use the gpg tool to generate a key pair:

gpg --full-generate-key
Now you only need to follow the steps. You can pick "RSA and RSA" first and investigate the other options by yourself later. About the key size, you can use 4096 bits for stronger security; however, it is more important to pick a really strong passphrase, since that is what protects the private key on disk. About the expiration date, you can choose how long the key will last.

Important commands and tips

You can share your public key by using the following command:

gpg --export --armor [email protected] > public-key.asc
Where [email protected] is the email associated with your key. To import any key, public or private, you can use the following command:

gpg --import your-key.asc

If you want to move your private key to another machine, you can export it too:

gpg --export-secret-keys --armor [email protected] > private-key.asc

However, this file is sensitive and moving it around is risky: anyone who obtains it and guesses your passphrase can sign as you. I recommend encrypting it before sharing it, and deleting the unencrypted private-key.asc afterwards:

gpg --symmetric --cipher-algo AES256 private-key.asc

Now, on the recipient side, you can decrypt it and import it:

gpg --decrypt private-key.asc.gpg > private-key.asc
# Importing
gpg --import private-key.asc
# Setting a new passphrase (optional, but highly recommended): type "passwd" at the gpg> prompt
gpg --edit-key [email protected]

Note: if your key has been compromised, revoke it. The command below only generates a revocation certificate; it takes effect once you import it and publish the updated key wherever your public key lives, so it is best to generate it right after creating the key and keep it somewhere safe:

gpg --gen-revoke [email protected] > revoke-cert.asc

Signing your commits and tags for git

First of all, find the key ID of your GPG key. You can use this command:

gpg --list-secret-keys --keyid-format LONG
Now we need to tell git about the key:

git config --global user.signingkey KEY_ID

Now you can enable GPG signing for git:

git config --global commit.gpgsign true

If you're using GitHub or GitLab, export the GPG public key so they can verify your commits:

gpg --armor --export KEY_ID

Add the key to your Git hosting service. GitHub: go to Settings > SSH and GPG Keys > New GPG Key. GitLab: go to Preferences > GPG Keys. Paste the public key and save.
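The following script is an added example and is not code from the original post. It runs the whole workflow described above (key generation, signing a file, sharing only the public key, verifying on the recipient side, and a signed git commit) inside throwaway directories, so it never touches your real ~/.gnupg or git configuration. The name, e-mail address, file contents and the 3072-bit key size are constructed for the demo; the interactive `gpg --full-generate-key` is replaced by GnuPG's unattended batch key generation so the script can run without prompts.

```sh
#!/bin/sh
# Added example, not code from the original post. It walks through the post's
# workflow end to end in throwaway directories, so nothing touches your real
# ~/.gnupg or git configuration: generate a key unattended, sign a file, hand
# only the public key to a "recipient" keyring and verify there, show that a
# tampered file fails verification, then make and verify a signed git commit.
# The name, e-mail address, file contents and 3072-bit key size are constructed
# for the demo (the post suggests 4096 bits for real keys).
set -u

WORK=$(mktemp -d)
SIGNER_HOME="$WORK/signer"        # key owner's keyring (stands in for ~/.gnupg)
RECIPIENT_HOME="$WORK/recipient"  # someone who only ever receives the public key
EMAIL="signer@example.invalid"    # constructed address
mkdir -m 700 "$SIGNER_HOME" "$RECIPIENT_HOME"

# Stop the per-keyring gpg-agents and remove the scratch directory on exit.
cleanup() {
    for h in "$SIGNER_HOME" "$RECIPIENT_HOME"; do
        GNUPGHOME="$h" gpgconf --kill gpg-agent 2>/dev/null || true
    done
    rm -rf "$WORK"
}
trap cleanup EXIT

# Unattended equivalent of the post's interactive `gpg --full-generate-key`.
# %no-protection skips the passphrase only because this key is disposable.
generate_key() {
    gpg --batch --quiet --homedir "$SIGNER_HOME" --gen-key <<EOF
%no-protection
Key-Type: RSA
Key-Length: 3072
Key-Usage: sign
Name-Real: Example Signer
Name-Email: $EMAIL
Expire-Date: 1y
%commit
EOF
}

# Long key ID of the secret key: the value the post's `--keyid-format LONG`
# listing shows and that goes into `git config user.signingkey`.
key_id() {
    gpg --batch --homedir "$SIGNER_HOME" --list-secret-keys --with-colons "$EMAIL" |
        awk -F: '$1 == "sec" { print $5; exit }'
}

# Detached, ASCII-armoured signature: writes "$1.asc" next to the file.
sign_file() {
    gpg --batch --yes --quiet --homedir "$SIGNER_HOME" --armor --detach-sign "$1"
}

# Returns 0 only if "$2.asc" is a good signature over "$2" under keyring "$1".
verify_file() {
    gpg --batch --quiet --homedir "$1" --verify "$2.asc" "$2" 2>/dev/null
}

# Publish the public key (the post's --export --armor) and import it on the
# recipient side; the private key never leaves SIGNER_HOME.
share_public_key() {
    gpg --batch --homedir "$SIGNER_HOME" --export --armor "$EMAIL" > "$WORK/public-key.asc" &&
        gpg --batch --quiet --homedir "$RECIPIENT_HOME" --import "$WORK/public-key.asc" 2>/dev/null
}

# The post's git section: point git at the key, enable commit signing,
# commit, and check the signature with `git verify-commit`.
git_signed_commit() {
    repo="$WORK/repo"
    git init -q "$repo" && (
        cd "$repo" &&
        export GNUPGHOME="$SIGNER_HOME" &&      # git calls gpg without --homedir
        git config user.name "Example Signer" &&
        git config user.email "$EMAIL" &&
        git config user.signingkey "$(key_id)" &&
        git config commit.gpgsign true &&
        printf 'hello\n' > README &&
        git add README &&
        git commit -q -m "Signed commit" &&
        git verify-commit HEAD 2>/dev/null
    )
}

run_demo() {
    f="$WORK/release.txt"
    generate_key || return 1
    printf 'constructed release contents\n' > "$f"
    sign_file "$f" || return 1
    share_public_key || return 1
    verify_file "$RECIPIENT_HOME" "$f" || return 1             # good signature
    printf 'tampered\n' >> "$f"
    if verify_file "$RECIPIENT_HOME" "$f"; then return 1; fi   # must now fail
    git_signed_commit || return 1
}

if command -v gpg >/dev/null 2>&1 && command -v git >/dev/null 2>&1; then
    if run_demo; then DEMO_RESULT=pass; else DEMO_RESULT=fail; fi
else
    DEMO_RESULT=skipped   # gpg or git not installed
fi
echo "demo result: $DEMO_RESULT"
```

Two details worth noticing: the recipient keyring never holds the private key and still verifies the file, which is the whole point of the post's "share your public key" step, and `gpg --verify` exits non-zero on the tampered file even though the signature file itself is untouched, because the hash no longer matches. Leave out `%no-protection` for a real key so it gets a passphrase as the post recommends.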

Conclusion

PGP keys are crucial to make a more secure world. That's why I recommend you create your own key.