$devvkit learn --librarie gpg-guide
GPG Guide
[encryption][signing][pgp][crypto]
Security & Cryptography
Install
sudo apt install gnupg brew install gnupg # Windows: Gpg4win (gpg4win.org) # macOS: GPG Suite (gpgtools.org)
GPG is the standard for email encryption and code signing. Generate a keypair, publish your public key to keyservers, and encrypt files or sign git commits. GitHub uses GPG to verify commit signatures.
Use `gpg --full-generate-key` to create a keypair. Export your public key with `--export -a` and share it. Revoke with `--gen-revoke`. The most common daily use: `git config commit.gpgsign true` with `user.signingkey`.
Key management tips: back up your private key and revocation certificate! Use `--export-secret-keys -a` and store offline. Use `gpg --keyserver keys.openpgp.org --send-keys KEYID` to publish. GUI: Kleopatra (Gpg4win), GPG Keychain (macOS), Seahorse (Linux).
Key Management
Generate keypair— Create new GPG key.
gpg --full-generate-key # Interactive (recommended) gpg --quick-generate-key "Alice <alice@example.com" rsa4096 cert 1y # List keys: gpg --list-keys # Public keys gpg --list-secret-keys # Private keys
List and identify— Find your key ID.
gpg --list-keys --keyid-format LONG # Output: [ultimate] 3AA5C34371567BD2 # Key ID: 3AA5C34371567BD2 (use this for signing/encrypting) gpg --fingerprint # Show fingerprints
Key server operations— Publish/fetch keys.
# Send key to keyserver: gpg --keyserver keys.openpgp.org --send-keys 3AA5C34371567BD2 # Find someone's key: gpg --keyserver keys.openpgp.org --search-keys bob@example.com # Refresh all keys gpg --refresh-keys
Encryption
Encrypt file— Encrypt for recipient.
gpg --encrypt --recipient alice@example.com secret.txt # Creates: secret.txt.gpg # Decrypt: gpg --decrypt secret.txt.gpg > secret.txt # Symmetric encryption (password-based): gpg --symmetric --cipher-algo AES256 secret.txt
Encrypt with multiple recipients— Encrypt for many people.
gpg --encrypt \ --recipient alice@example.com \ --recipient bob@example.com \ --recipient team@example.com \ document.pdf # Any recipient can decrypt with their private key
Signing
Sign a file— Detached signature.
gpg --detach-sign -a file.txt # Creates file.txt.asc gpg --verify file.txt.asc file.txt # Verify # Clear-sign (ASCII, inline): gpg --clear-sign message.txt # Verify: gpg --verify message.txt.asc
Git Integration
Git commit signing— Sign all commits.
gpg --list-secret-keys --keyid-format LONG # Get KEYID git config --global user.signingkey 3AA5C34371567BD2 git config --global commit.gpgsign true # Sign a tag: git tag -s v1.0.0 -m "Release v1.0.0" git tag -v v1.0.0 # Verify tag # Tell GitHub about your key: gpg --export -a 3AA5C34371567BD2 # Copy this to GitHub Settings → SSH and GPG keys
Export/Import
Export/backup— Back up keys.
# Export public key: gpg --export -a 3AA5C34371567BD2 > my-public-key.asc # Export private key (KEEP SECURE!): gpg --export-secret-keys -a 3AA5C34371567BD2 > my-private-key.asc # Export revocation cert: gpg --gen-revoke 3AA5C34371567BD2 > revoke.asc # Import: gpg --import my-public-key.asc gpg --import my-private-key.asc