A developer GPG key is a cryptographic key pair that serves as your digital identity in the software development ecosystem. This key enables:
- Authenticity: Verification that commits originated from you
- Integrity: Confirmation that your contributions remain untampered
- Security: Protection against impersonation attacks in your projects
This guide provides a step-by-step protocol for creating, configuring, and managing your developer GPG key. You can use this as a checklist when setting up your first key or updating an expired one.
1. Generate Your GPG Key
Create a key with a 1-year expiration (recommended; never create a key without an expiry date)
gpg --quick-generate-key "Your Name <your.email@example.com>" rsa4096 default 1y
Export your public key as ASCII-armored for sharing
gpg --export --armor YOUR_KEY_ID > public-key.asc
2. Configure Git to Use Your Key
Add to your .gitconfig:
[user]
name = Your Name
email = your.email@example.com
signingkey = YOUR_KEY_ID
[commit]
gpgsign = true
3. Publish Your Key to Public Keyservers
Distribute to multiple keyservers for redundancy and comparison.
gpg --keyserver hkps://keys.openpgp.org --send-keys YOUR_KEY_ID
gpg --keyserver hkps://keyserver.ubuntu.com --send-keys YOUR_KEY_ID
4. Add Your Key to Development Platforms
- GitHub:
- Settings → SSH and GPG keys → New GPG key
- Because this setting is not public, document the key in your GitHub profile (e.g. in your bio or on your GitHub profile page)
- GitLab: Preferences → GPG Keys → Add key
- Bitbucket: Personal settings → SSH keys → Add key
5. Announce Your Key
Share your key ID and fingerprint through:
- Professional social networks (LinkedIn, Twitter/X)
- Team communication channels (Slack, Discord, etc.)
- Email signature (optional)
Following this protocol establishes a verifiable digital identity, enhancing the security and trustworthiness of your contributions.
Appendix
- 21 April 2025: my 1-year key expired; I followed this protocol for my new key 9D91C939710507D65F2ADC785BE694BB2D59D0B0