Using Keybase with GPG on macOS
Published on 6 Sep 2017 · Filed in Tutorial · 658 words (estimated 4 minutes to read)

During my too-brief stint using Fedora Linux as my primary laptop OS (see here for some details), I became attached to using GPG (GNU Privacy Guard)—in conjunction with Keybase—for signing Git commits and signing e-mail messages. Upon moving back to macOS, I found that I needed to set this configuration back up again, and so I thought I’d document it here in case others find it useful.
I’m making a couple of assumptions here:

- First, I’m assuming you’ve already signed up for Keybase, generated your proofs, installed the app (this provides the `keybase` CLI tool), and created a PGP key using Keybase. (Hard-core PGP/GPG users will probably prefer to create their key outside of Keybase and import it, but then again they aren’t necessarily the target audience for this article either.)
- Second, I’m assuming you’ve already installed GPG on your Mac, typically via something like GPG Tools.
With those assumptions in mind, let’s assume that you’d like to be able to use the PGP key generated by/stored in Keybase with something like GPGMail. Here are the steps you’d need to follow to do that:
- First, you’ll need to export the PGP public key out of Keybase and into GPG. With the `keybase` CLI tool installed (installed as part of the Keybase app), this is very simple:

  ```
  keybase pgp export | gpg --import
  ```

  This assumes you have only a single PGP key in Keybase; if you have multiple keys, first use `keybase pgp list` to see the keys and their key IDs, then add `-q <keyID>` to the `keybase pgp export` command above (the `-q <keyID>` lets you specify exactly which key to export).

- Repeat this process to get the PGP secret key out of Keybase and into GPG:

  ```
  keybase pgp export -q keyID --secret | gpg --import --allow-secret-key-import
  ```

  This command assumes multiple PGP keys in Keybase; if you have only a single key, you can omit the `-q keyID` portion of the command. Note that you’ll be prompted for your passphrase in order to complete this operation.

  At this point, if you run `gpg --list-keys` you’ll see your PGP key in your GnuPG keyring. (You can also run `gpg --list-secret-keys` to verify that your secret key is there as well.)

- Next, you may want to mark the user IDs associated with the keys as ultimately trusted. (These user IDs are you, after all—do you trust yourself?) To do that, use the `gpg --edit-key <keyID>` command. At the `gpg>` prompt, use `uid X` to select the user ID you want to mark as trusted, then use the `trust` command to set the trust. Use `save` to exit out when you’re done.
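The three steps above, wrapped into one script as an added example (this is not code from the original post): it imports the public and secret key from Keybase, then verifies the secret key actually landed in the GnuPG keyring by reading the machine-readable `--with-colons` listing, and sets ultimate owner trust on that fingerprint non-interactively with `gpg --import-ownertrust` instead of the `gpg>` prompt. The function and variable names are my own, and the sample listing used to exercise the parser is constructed.

```shell
#!/bin/sh
# Added example: import the Keybase PGP key pair into GnuPG and mark it
# ultimately trusted. Usage: sh keybase-to-gpg.sh run [keyID]
set -eu

# Read a `gpg --with-colons` listing on stdin and print the primary fingerprint
# of every secret key ("sec" record). In colon format the fingerprint lives in
# field 10 of the "fpr" record that follows the "sec" record; "fpr" records
# that follow subkeys ("ssb") are skipped.
secret_fingerprints() {
  awk -F: '$1 == "sec" { want = 1; next }
           want && $1 == "fpr" { print $10; want = 0 }'
}

# Turn fingerprints on stdin into owner-trust records ("<fpr>:6:", where
# trust level 6 means ultimate), the format gpg --import-ownertrust expects.
ownertrust_lines() {
  sed 's/$/:6:/'
}

# Export the public and secret key from Keybase and import both into GnuPG.
# With no key ID, Keybase exports its sole key; with several keys, pass the
# ID shown by `keybase pgp list`. The secret export prompts for a passphrase.
import_from_keybase() {
  keyid="${1:-}"
  if [ -n "$keyid" ]; then
    keybase pgp export -q "$keyid" | gpg --import
    keybase pgp export -q "$keyid" --secret | gpg --import --allow-secret-key-import
  else
    keybase pgp export | gpg --import
    keybase pgp export --secret | gpg --import --allow-secret-key-import
  fi
}

run_import() {
  import_from_keybase "${1:-}"
  fprs=$(gpg --list-secret-keys --with-colons --with-fingerprint | secret_fingerprints)
  if [ -z "$fprs" ]; then
    echo "no secret key found in the GnuPG keyring after import" >&2
    exit 1
  fi
  # Equivalent of `trust` -> 5 (ultimate) -> `save` in gpg --edit-key.
  printf '%s\n' "$fprs" | ownertrust_lines | gpg --import-ownertrust
  echo "imported and ultimately trusted:"
  printf '%s\n' "$fprs"
}

case "${1:-}" in
  run) run_import "${2:-}" ;;
esac
```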
Now that you have the key(s) from Keybase in your GPG keyring, you can proceed with using these keys in a variety of ways. If you’re planning to use GPG with GitHub, you may find it necessary to edit the keys again and add another user ID (UID) that matches your GitHub verified e-mail address. You’ll also need to add your Keybase PGP public key to GitHub; use the `keybase pgp export` command to help with that process.
And that’s it—you’re now all set and ready to use your Keybase PGP keys for things like signing e-mail messages or signing Git commits. Enjoy!
Additional Resources
There are a number of other really good “how to” guides that also address this topic; you may find these helpful as well:
- How to import Keybase private key to use locally with GPG (shows how to use the Keybase web site to export keys)
- Setting up Keybase and GPG Tools (Mac) (provides a good overview of getting started from scratch with Keybase and GPG)
- Managing Keybase private key with GPGTools (supplies some information on editing the keys using GPG)
- Setting up Keybase.io, GPG and Git to sign commits on GitHub (helps with the GitHub side of things)
- Github GPG + Keybase PGP (this article actually prompted me to get started down this path)