Scott's Weblog The weblog of an IT pro specializing in cloud computing, virtualization, and networking, all with an open source view

Using Keybase with GPG on macOS

During my too-brief stint using Fedora Linux as my primary laptop OS (see here for some details), I became attached to using GPG (GNU Privacy Guard)—in conjunction with Keybase—for signing Git commits and signing e-mail messages. Upon moving back to macOS, I found that I needed to set this configuration back up again, and so I thought I’d document it here in case others find it useful.

I’m making a couple of assumptions here:

  1. First, I’m assuming you’ve already signed up for Keybase, generated your proofs, installed the app (this provides the keybase CLI tool), and created a PGP key using Keybase. (Hard-core PGP/GPG users will probably prefer to create their key outside of Keybase and import it, but then again they aren’t necessarily the target audience for this article either.)

  2. Second, I’m assuming you’ve already installed GPG on your Mac, typically via something like GPG Tools.

With those assumptions in mind, let’s assume that you’d like to be able to use the PGP key generated by/stored in Keybase with something like GPGMail. Here are the steps you’d need to follow to do that:

  1. First, you’ll need to export the PGP public key out of Keybase and into GPG. With the keybase CLI tool installed (installed as part of the Keybase app), this is very simple:

    keybase pgp export | gpg --import
    

    This assumes you have only a single PGP key in Keybase; if you have multiple keys, first use keybase pgp list to see the keys and their key IDs, then add -q <keyID> to the keybase pgp export command above (the -q <keyID> lets you specify exactly which key to export).

  2. Repeat this process to get the PGP secret key out of Keybase and into GPG:

    keybase pgp export -q <keyID> --secret | gpg --import --allow-secret-key-import
    

    This command assumes multiple PGP keys in Keybase; if you have only a single key, you can omit the -q <keyID> portion of the command. Note that you’ll be prompted for your passphrase in order to complete this operation. (The --allow-secret-key-import option is obsolete in GnuPG 2.x and is silently ignored; it is harmless to leave in place, and the import works the same without it.)

    At this point, if you run gpg --list-keys you’ll see your PGP key in your GnuPG keyring. (You can also run gpg --list-secret-keys to verify that your secret key is there as well.)

  3. Next, you may want to mark the key as ultimately trusted. (The key is yours, after all—do you trust yourself?) To do that, use the gpg --edit-key <keyID> command. At the gpg> prompt, enter trust, choose 5 (“I trust ultimately”) and confirm, then enter quit. Owner trust is a property of the key as a whole, not of an individual user ID, so there is no need to select a user ID with uid first; and because trust is written to the trust database immediately, save is not required either (it does no harm if you use it).

Now that you have the key(s) from Keybase in your GPG keyring, you can proceed with using these keys in a variety of ways. If you’re planning to use GPG with GitHub, note that GitHub only marks a commit as “Verified” when a user ID (UID) on the signing key matches one of your verified GitHub e-mail addresses, so you may find it necessary to edit the key again (gpg --edit-key <keyID>, then adduid, then save) to add such a UID. You’ll also need to add the public key to GitHub. If you didn’t change the key, keybase pgp export gives you the ASCII-armored public key to paste in; if you added a UID in GnuPG, however, Keybase’s copy of the key doesn’t have it, so export the public key from GnuPG instead with gpg --armor --export <keyID>.
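The three steps above, plus pointing Git at the imported key, as a single POSIX shell script. This is an added example written for this page; it is not code from the original post or from the Keybase project. It assumes the keybase and gpg (GnuPG 2.x) CLIs are on your PATH, and KEY_QUERY and RUN_KEYBASE_IMPORT are hypothetical environment variables that exist only in this example to gate the commands that actually touch Keybase, GnuPG and Git. Rather than typing trust at the gpg> prompt, the script sets owner trust non-interactively with gpg --import-ownertrust, and it parses the key ID and fingerprint out of the machine-readable --with-colons listing instead of copying them by hand:

```shell
#!/bin/sh
# Added example for this page (not the original post's code, nor Keybase's):
# import a Keybase PGP key into GnuPG, mark it ultimately trusted without the
# interactive gpg> prompt, and configure Git to sign commits with it.
# Assumes: keybase and gpg (GnuPG 2.x) on PATH. KEY_QUERY and RUN_KEYBASE_IMPORT
# are hypothetical environment variables used only by this example.

# Parse `gpg --with-colons` output on stdin and print "<long key ID> <fingerprint>"
# for the first secret (primary) key. Field 5 of a "sec" record is the key ID;
# field 10 of the "fpr" record that follows it is the full fingerprint.
primary_key_from_colons() {
  awk -F: '
    $1 == "sec" && keyid == ""              { keyid = $5 }
    $1 == "fpr" && keyid != "" && fpr == "" { fpr = $10 }
    END { if (keyid != "" && fpr != "") print keyid, fpr }
  '
}

# Build the record `gpg --import-ownertrust` expects: "<fingerprint>:6:" (6 = ultimate).
ownertrust_line() {
  printf '%s:6:\n' "$1"
}

# Constructed sample of `gpg --with-colons --list-secret-keys` output (fake key IDs
# and fingerprints) so the parsing can be exercised without a real keyring.
sample_colons() {
  printf '%s\n' \
    'sec:u:4096:1:0123456789ABCDEF:1500000000::u:::scESC:::+::::' \
    'fpr:::::::::FEDCBA9876543210FEDCBA980123456789ABCDEF:' \
    'uid:u::::1500000000::0000000000000000000000000000000000000000::Scott <scott@example.com>::::::::::0:' \
    'ssb:u:4096:1:1122334455667788:1500000000::::::e:::+::::' \
    'fpr:::::::::1111222233334444555566667777888899990000:'
}

# Steps 1 and 2 of the post: public key, then secret key, out of Keybase and into GnuPG.
# Pass a key ID or e-mail address if Keybase holds more than one key (see keybase pgp list).
import_from_keybase() {
  if [ -n "$1" ]; then
    keybase pgp export -q "$1" | gpg --import
    keybase pgp export -q "$1" --secret | gpg --import --allow-secret-key-import
  else
    keybase pgp export | gpg --import
    keybase pgp export --secret | gpg --import --allow-secret-key-import
  fi
}

# Step 3 plus the Git setup. Owner trust belongs to the key, not to a user ID, so one
# ownertrust record for the primary key's fingerprint is all that is needed.
configure_trust_and_git() {
  set -- $(gpg --with-colons --with-fingerprint --list-secret-keys | primary_key_from_colons)
  keyid="$1"; fpr="$2"
  if [ -z "$fpr" ]; then
    echo "no secret key found in the GnuPG keyring; did the import succeed?" >&2
    return 1
  fi
  ownertrust_line "$fpr" | gpg --import-ownertrust
  git config --global user.signingkey "$keyid"
  git config --global commit.gpgsign true
  echo "Git will sign commits with key $keyid (fingerprint $fpr)"
}

# Only touch Keybase, GnuPG and Git when explicitly asked; otherwise do a dry run
# over the constructed sample so the script is safe to execute as-is.
if [ "${RUN_KEYBASE_IMPORT:-0}" = "1" ]; then
  import_from_keybase "${KEY_QUERY:-}"
  configure_trust_and_git
else
  echo "dry run, parsed from sample listing: $(sample_colons | primary_key_from_colons)"
fi
```

Run it with RUN_KEYBASE_IMPORT=1 (and KEY_QUERY=<keyID> if Keybase holds several keys) to perform the import for real; without those variables it only parses the embedded sample. Two points worth knowing before relying on it: git config user.signingkey accepts the long key ID, and commit.gpgsign makes every commit signed, so you will see a pinentry prompt on the first commit after the GnuPG agent's cache expires. If you later add a UID in GnuPG, the key Keybase holds no longer matches the one in your keyring, which is why the GitHub upload should come from gpg --armor --export rather than from Keybase in that case.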

And that’s it—you’re now all set and ready to use your Keybase PGP keys for things like signing e-mail messages or signing Git commits. Enjoy!

Additional Resources

There are a number of other really good “how to” guides that also address this topic; you may find these helpful as well:
