GPG keys

Jyothi
3 min readSep 20, 2024


GPG keys are used to sign contributions and to verify that they come from trusted collaborators. These keys are created as pairs of public and private keys using asymmetric cryptographic algorithms. GPG keys are widely used in many applications such as Atlassian Git, Enigmail, Mutt, OpenKeychain, etc.

GPG keys configuration in Atlassian:

GPG keys are used to sign and verify commits and tags for use with Bitbucket Data Center. To use GPG keys with Bitbucket, generate a GPG key locally, add it to your Bitbucket account, and set it up for use with Git.

GPG is a command line tool used with Git to encrypt and sign commits or tags so that contributions can be verified in Bitbucket. GPG software for Windows can be installed from Gpg4win (Download Gpg4win).

The commands below are used to generate and check GPG keys:

GPG key generation:

gpg --gen-key

When generating the key, enter your ID, email, and a secure passphrase. Note that this ID and email should match your Git configuration. The passphrase will be asked for again later on, so remember what you entered. :)

Listing GPG keys:

gpg --list-secret-keys --keyid-format LONG

Note the GPG key ID, which is displayed after the cryptographic algorithm.

The public GPG key must be added to Bitbucket. To print the public key, the command below can be used (replace gpg-key-id with the key ID noted above):

gpg --armor --export gpg-key-id

From the output, copy the public GPG key, which starts at -----BEGIN PGP PUBLIC KEY BLOCK-----
and ends at -----END PGP PUBLIC KEY BLOCK-----.

Add the GPG key to Bitbucket:

  • Go to manage account > GPG keys > add key
  • Paste the public GPG key
  • Verify that it is added successfully and listed under GPG keys.

Configure Git to use the GPG key:

git config --global user.signingkey GPG-KEY-ID

Git commit

When committing changes to a local branch, add the -S flag to the git commit command:

git commit -S -m "your commit message"

Enter the passphrase of your GPG key.

Git tag

To sign tags with your GPG key, add the -S flag to your git tag command:

git tag -S yourtag

Use this command to verify that a tag was signed:

git tag -v yourtag
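The steps above cover signing on the contributor's side; the reviewer or CI side still has to check that every commit on a branch actually carries a good signature from a key it trusts. As an added example (not part of the original post), this Python script uses git's %G? signature-status placeholder to audit a commit range against an allow-list of key fingerprints. It assumes git 2.20 or newer (for the %GF placeholder) and gpg on PATH; the sample log, hashes and fingerprints are constructed.

```python
import subprocess

# %G? signature status codes as documented in git-log(1) pretty formats.
STATUS = {"G": "good signature", "B": "bad signature",
          "U": "good signature, unknown validity", "X": "good signature, expired",
          "Y": "good signature, expired key", "R": "good signature, revoked key",
          "E": "signature cannot be checked (public key missing?)", "N": "no signature"}
# One tab-separated line per commit: hash, status, signing-key fingerprint, signer.
LOG_FORMAT = "%H%x09%G?%x09%GF%x09%GS"


def parse_log(text):
    """Split git log output in LOG_FORMAT into (hash, status, fpr, signer) tuples."""
    entries = []
    for line in text.splitlines():
        if line.strip():
            commit, status, fpr, signer = line.split("\t", 3)
            entries.append((commit, status, fpr.upper(), signer))
    return entries


def audit(entries, trusted_fprs):
    """Return [(hash, reason)] for commits that violate the signing policy."""
    trusted = {f.upper() for f in trusted_fprs}
    problems = []
    for commit, status, fpr, signer in entries:
        # Fingerprints are pinned here, so gpg's web-of-trust validity is moot:
        # "U" (good signature, unknown validity) is accepted alongside "G".
        if status not in ("G", "U"):
            problems.append((commit, STATUS.get(status, f"unknown status {status!r}")))
        elif fpr not in trusted:
            problems.append((commit, f"signed by untrusted key {fpr} ({signer})"))
    return problems


def audit_range(rev_range, trusted_fprs, repo="."):
    """Run git log over rev_range (e.g. 'main..feature') and audit the result."""
    out = subprocess.run(["git", "-C", repo, "log", "--format=" + LOG_FORMAT, rev_range],
                         capture_output=True, text=True, check=True).stdout
    return audit(parse_log(out), trusted_fprs)


# Constructed sample log (not from a real repository) covering each policy case.
ALICE_FPR = "ABCDEF0123456789ABCDEF0123456789ABCDEF01"
BOB_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
STRANGER_FPR = "FEDCBA9876543210FEDCBA9876543210FEDCBA98"
SAMPLE_LOG = "\n".join([
    f"1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b\tG\t{ALICE_FPR}\tAlice <alice@example.com>",
    "2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c\tN\t\t",
    f"3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d\tU\t{BOB_FPR}\tBob <bob@example.com>",
    f"4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e\tG\t{STRANGER_FPR}\tMallory <m@example.net>",
])
```

Running `audit_range("main..feature", {ALICE_FPR, BOB_FPR})` against a real repository flags unsigned commits and commits signed by keys outside the allow-list; with the constructed sample, the unsigned second commit and Mallory's fourth commit are reported.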

A good article on the importance of signing Git commits: How (and why) to sign Git commits | With Blue Ink.

GPG

GPG stands for GNU Privacy Guard (GnuPG or GPG). GnuPG is a free implementation of the OpenPGP standard, RFC 4880 (also known as PGP). It can be freely used, modified and distributed under the terms of the GNU General Public License.

GnuPG provides encryption, signing, a key management system and access to public key directories. GPG is a command line tool that can be integrated easily with other applications. GnuPG also provides support for S/MIME and Secure Shell (ssh).

Gpg4win is a Windows version of GnuPG featuring a context menu tool, a crypto manager, and an Outlook plugin to send and receive standard PGP/MIME mails.

PGP: Pretty Good Privacy is a family of software systems developed by Philip R. Zimmermann, on which OpenPGP is based.

OpenPGP: This is a term for security software that uses PGP as a basis. OpenPGP provides data integrity services for messages and data files using cryptographic operations such as digital signatures, encryption, compression, and Radix-64 conversion. OpenPGP also provides key management and certificate services.

PGP vs GPG

PGP (Pretty Good Privacy) and GPG (GNU Privacy Guard) are both cryptographic software tools used for secure communication, but they have some key differences:

  • PGP: Developed by Phil Zimmermann in 1991, PGP is proprietary software now owned by Symantec.
  • GPG: Created as a free alternative to PGP, GPG is an open-source implementation of the OpenPGP standard.

Licensing:

  • PGP: Being proprietary, PGP requires a paid license for its full features.
  • GPG: GPG is free and open-source, making it accessible to everyone.

Standards and Compatibility:

  • PGP: Uses its own proprietary algorithms and standards.
  • GPG: Complies with the OpenPGP standard (RFC 4880), ensuring compatibility with other OpenPGP-compliant software.

Algorithms:

  • PGP: Uses algorithms like RSA and IDEA.
  • GPG: Uses algorithms like NIST’s AES (Advanced Encryption Standard).

Integration:

  • PGP: Often integrated into commercial software solutions.
  • GPG: Widely used in open-source projects and can be integrated into various systems, including Linux.
