Managing Keybase private key with GPGTools

This is not a particularly well-written article. I’ve found everything here useful, but so irregularly that I always end up Googling and needing to put together info from multiple blog posts, so I’m putting it all together here for my reference, and maybe it’ll help you if you stumbled across it. At some stage I’ll organise this into a proper article. [Update 2017-04-07] I’ll probably never actually update this article.

Import your Keybase key into GPGTools

Export your existing public and private keys from Keybase, save them locally as keybase-public.key and keybase-private.key respectively.

Import both keys into your local GPGTools:

$ gpg --allow-secret-key-import --import keybase-private.key
$ gpg --import keybase-public.key

Delete both the public and private key files.

Optionally, edit ~/.gnupg/gpg.conf to set the default key. Firstly get the ID of the key:

$ gpg --list-secret-keys

Then add it to ~/.gnupg/gpg.conf with this line:

default-key [YOUR_KEY_ID]
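
An added example, not part of the original post: instead of reading the ID off the `gpg --list-secret-keys` output by eye, this parses the machine-readable `--with-colons` listing and prints the full fingerprint of the usable secret key that carries a given email address, which can be used as [YOUR_KEY_ID]. The function name `signing_key_for` and the sample listing (made-up keys) are assumptions constructed for illustration.

```shell
#!/bin/sh
# Constructed, abridged sample of `gpg --list-secret-keys --with-colons`.
# Every key ID, fingerprint and address here is made up for illustration.
sample_listing() {
cat <<'EOF'
sec:r:2048:1:1111111111111111:1400000000:::-:::sc:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAA1111111111111111:
uid:r::::1400000000::0000::Alice Example <alice@example.com>:
sec:u:4096:1:2222222222222222:1490000000:::u:::scESC:
fpr:::::::::BBBBBBBBBBBBBBBBBBBBBBBB2222222222222222:
uid:u::::1490000000::0000::Alice Example <alice@example.com>:
uid:r::::1490000000::0000::Alice Old <old@example.com>:
ssb:u:4096:1:3333333333333333:1490000000::::::e:
fpr:::::::::CCCCCCCCCCCCCCCCCCCCCCCC3333333333333333:
sec:u:4096:1:4444444444444444:1500000000:::u:::scESC:
fpr:::::::::DDDDDDDDDDDDDDDDDDDDDDDD4444444444444444:
uid:u::::1500000000::0000::Bob Example <bob@example.com>:
EOF
}

# signing_key_for EMAIL (hypothetical helper): reads a --with-colons listing
# on stdin and prints the primary-key fingerprint of the first secret key
# that is neither revoked nor expired and has a non-revoked uid for EMAIL.
# Exits non-zero when no such key exists.
signing_key_for() {
    awk -F: -v want="<$1>" '
        BEGIN { want = tolower(want) }
        # Field 2 of a sec record is its validity: r = revoked, e = expired.
        $1 == "sec" { usable = ($2 != "r" && $2 != "e"); fpr = ""; next }
        # Only the first fpr after sec is the primary key; the fpr records
        # that follow ssb lines are subkey fingerprints.
        $1 == "fpr" && fpr == "" { fpr = $10; next }
        # Field 10 of a uid record is the user ID string.
        $1 == "uid" && usable && $2 != "r" && index(tolower($10), want) {
            print fpr; found = 1; exit
        }
        END { exit !found }
    '
}

# Demo on the constructed listing; prints the fingerprint ending in 2222...
sample_listing | signing_key_for alice@example.com
# Against a real keyring:
#   gpg --list-secret-keys --with-colons | signing_key_for you@example.com
```

The revoked key and the subkey fingerprint in the sample are skipped, which is the mistake that is easy to make when copying an ID by hand.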

Update the key with gpg

Make any required changes to the key with the gpg command-line tool:

$ gpg --edit-key [YOUR_KEY_ID]

Some useful gpg> commands are:

help    - show help
list    - list key and user IDs
uid N   - select user ID N
adduid  - add a user ID
deluid  - delete selected user IDs
trust   - change the ownertrust
save    - commit your changes and quit

Don’t forget to save after making your changes!

Push the updated key to Keybase

Now that you’ve updated your local copy of the key, push it back to Keybase with:

$ keybase pgp update

Export the updated public key to GitHub

Export your local key to the clipboard with:

$ keybase pgp export | pbcopy

Go to GitHub > Settings > SSH and GPG keys

Add a ‘New GPG key’, or ‘Delete’ your existing one first if you’re updating it.

Signing Git commits with your Keybase key

Add -S[YOUR_KEY_ID] (with no space between -S and the key ID) or --gpg-sign=[YOUR_KEY_ID] to your git commit commands to sign the commit using the specified key. You can replace [YOUR_KEY_ID] with any email address added as a uid in the key.

Run these lines to update your global config to sign git commits by default:

$ git config --global user.signingkey [YOUR_KEY_ID]
$ git config --global commit.gpgsign true

These can additionally be set or unset on a per-project basis.

Adding --no-gpg-sign to a git commit command will turn off signing for that commit only.

Adding --show-signature to git log commands will show signatures in the git commit log.