GPG Configuration Guide
GPG (GNU Privacy Guard) is the traditional standard for commit signing:
Why GPG signing?
- Verified badge on GitHub, GitLab, and Bitbucket.
- Web of trust: other people can sign your key.
- Key expiration and revocation: built-in lifecycle management.
- Encryption: the same key encrypts files and email.
Prerequisites
- GnuPG 2.2+ (`gpg --version`)
- Git 2.0+
- GitHub / GitLab
Step 1: Generate a GPG key
```bash
# Generate a new GPG key (RSA 4096-bit)
gpg --full-generate-key
```
Answer the prompts with:
- (1) RSA and RSA
- 4096
- 1y
- Your Full Name
- your@email.com
```bash
# List secret keys with key IDs
gpg --list-secret-keys --keyid-format=long
```
```text
sec   rsa4096/ABC123DEF4567890 2026-03-08 [SC] [expires: 2027-03-08]
      ABCDEF1234567890ABCDEF1234567890ABCDEF12
uid                 [ultimate] Your Name <your@email.com>
ssb   rsa4096/1234567890ABCDEF 2026-03-08 [E] [expires: 2027-03-08]
```
The long key ID after `rsa4096/` on the `sec` line (here `ABC123DEF4567890`) is the value Git needs in the next step.
Step 2: Configure Git
```bash
# Set your signing key
git config --global user.signingkey ABC123DEF4567890
# Enable automatic commit signing
git config --global commit.gpgsign true
# Enable automatic tag signing
git config --global tag.gpgsign true
# Set the GPG program
git config --global gpg.program gpg
```
```ini
# Resulting ~/.gitconfig
[user]
    signingkey = ABC123DEF4567890
[commit]
    gpgsign = true
[tag]
    gpgsign = true
[gpg]
    program = gpg
```
Step 3: Configure the GPG agent
```bash
# Create or edit gpg-agent.conf (cache the passphrase for 8 hours)
mkdir -p ~/.gnupg
cat > ~/.gnupg/gpg-agent.conf << 'EOF'
default-cache-ttl 28800
max-cache-ttl 28800
pinentry-program /usr/bin/pinentry-curses
EOF
# Restart the agent
gpgconf --kill gpg-agent
gpg-agent --daemon
```
macOS
```bash
# Install pinentry-mac
brew install pinentry-mac
# Note: this overwrites ~/.gnupg/gpg-agent.conf; re-add the cache-ttl lines from Step 3 if you want them
echo "pinentry-program $(which pinentry-mac)" > ~/.gnupg/gpg-agent.conf
gpgconf --kill gpg-agent
```
GPG TTY
```bash
# Tell GPG which terminal to use for the passphrase prompt
export GPG_TTY=$(tty)
```
Step 4: Sign and verify
```bash
# Commits are now signed automatically
git commit -m "feat: add new feature"
# Or sign explicitly
git commit -S -m "feat: signed commit"
# Sign a tag
git tag -s v1.0.0 -m "Release v1.0.0"
# Verify the last commit
git log --show-signature -1
# Verify a tag
git tag -v v1.0.0
```
Step 5: Export and register the key
```bash
# Export the public key in ASCII format
gpg --armor --export ABC123DEF4567890
```
GitHub
- Settings → SSH and GPG keys → New GPG key
- Paste the exported block, starting with `-----BEGIN PGP PUBLIC KEY BLOCK-----`
GitLab
- Preferences → GPG Keys
Keyserver
```bash
gpg --keyserver keys.openpgp.org --send-keys ABC123DEF4567890
```
Key Management
```bash
# Extend expiration
gpg --edit-key ABC123DEF4567890
# at the gpg> prompt: expire (choose the new validity period), then save
# Backup secret key (keep this file encrypted and offline)
gpg --armor --export-secret-keys ABC123DEF4567890 > gpg-secret-key.asc
# Backup trust
gpg --export-ownertrust > gpg-trust.txt
# Restore
gpg --import gpg-secret-key.asc
gpg --import-ownertrust gpg-trust.txt
```
Chezmoi Integration
```bash
# Add GPG config files
chezmoi add ~/.gnupg/gpg.conf
chezmoi add ~/.gnupg/gpg-agent.conf
chezmoi add ~/.gitconfig
```
```ini
# Templated ~/.gitconfig (dot_gitconfig.tmpl in the chezmoi source directory)
[user]
    signingkey = {{ .gpg_key_id }}
[commit]
    gpgsign = true
[tag]
    gpgsign = true
[gpg]
    program = gpg
```
```toml
# ~/.config/chezmoi/chezmoi.toml
[data]
gpg_key_id = "ABC123DEF4567890"
```
Troubleshooting
| Problem | Solution |
|---|---|
| `gpg: signing failed: No secret key` | `user.signingkey` must match a key shown by `gpg --list-secret-keys` |
| `gpg: signing failed: Inappropriate ioctl` | `export GPG_TTY=$(tty)` |
| No passphrase prompt | Configure pinentry-mac / pinentry-curses |
| `error: gpg failed to sign the data` | `gpgconf --kill gpg-agent` |
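The verification in Step 4 checks a single commit. The following added example (not part of this guide) turns it into a CI-style gate over a range of commits by reading git's one-letter signature status `%G?`; the function names `audit_signatures`, `audit_range`, `sample_log` and `demo_audit` are assumptions.

```shell
#!/bin/sh
# Added example (not part of the guide): audit the signature status of every
# commit in a range, e.g. as a CI gate. Function names are assumptions.
#
# Input lines use the format of `git log --format='%H %G? %GS'`:
#   <commit hash> <status letter> <signer name>
# git's %G? letters: G good signature, U good but the key is untrusted,
# X good but the signature expired, Y good but the key expired, R good but
# the key was revoked, B bad signature, E cannot be checked (public key
# missing), N unsigned.

# audit_signatures: read status lines on stdin, report problems, return 1 if
# any commit fails a "must carry a good signature" policy (U only warns).
audit_signatures() {
  failed=0
  while read -r hash status signer; do
    if [ -z "$hash" ]; then continue; fi
    case "$status" in
      G) ;;
      U) echo "WARN $hash: good signature, signer key not trusted ($signer)" ;;
      N) echo "FAIL $hash: unsigned"; failed=1 ;;
      B) echo "FAIL $hash: BAD signature ($signer)"; failed=1 ;;
      E) echo "FAIL $hash: cannot verify, is the signer's public key imported?"; failed=1 ;;
      X|Y|R) echo "FAIL $hash: expired or revoked key/signature [$status] ($signer)"; failed=1 ;;
      *) echo "FAIL $hash: unknown status '$status'"; failed=1 ;;
    esac
  done
  return "$failed"
}

# audit_range: run the check on a real repository (default: last 20 commits).
# Usage: audit_range main..HEAD
audit_range() {
  git log --format='%H %G? %GS' "${1:-HEAD~20..HEAD}" | audit_signatures
}

# Constructed sample (not real commits) mimicking the git output described above.
sample_log() {
  printf '%s\n' \
    'a1b2c3d4 G Your Name <your@email.com>' \
    'e5f6a7b8 U Other Dev <dev@example.com>' \
    'c9d0e1f2 N' \
    'a3b4c5d6 E Unknown Signer <nobody@example.com>'
}

# demo_audit: run the gate over the constructed sample; returns 1 (two FAIL lines).
demo_audit() { sample_log | audit_signatures; }
```

Run `audit_range origin/main..HEAD` in a pipeline job after importing the expected signers' public keys; otherwise every signed commit reports `E`.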
Platform Notes
| Feature | macOS | Linux | WSL |
|---|---|---|---|
| GnuPG 2.2+ | ✅ | ✅ | ✅ |
| pinentry-mac | ✅ | N/A | N/A |
| pinentry-curses | ✅ | ✅ | ✅ |
| Keyserver | ✅ | ✅ | ✅ |
| Chezmoi | ✅ | ✅ | ✅ |