I'm currently using the e-mail address, but I've noticed that the GitHub documentation uses the key ID itself as the value for the "signingkey" property. If I have to use the Key ID instead of my e-mail address, should I use the one that's used to sign commits and is displayed under the verified badge on GitHub? I mean that "This commit was signed with the committer’s verified signature. GPG key ID: XXXXXXXXXX" thing.
When configuring the signingkey in my gitconfig file, should it contain the e-mail address associated with the GPG key or the key ID?
305 views. Asked by Zoltan King. There are 2 best solutions below.
In general, you can use either. Git accepts any value that can be passed to the --local-user parameter. If you have only one key with that email address, then using the email address is fine.
However, it is in general a better idea to use the full fingerprint (without spaces), which you can see at the command line with --fingerprint --list-keys. That's because it's unambiguous (only one key will have the given fingerprint), and it allows you more control. For example, if you want to sign with a specific subkey, you can use the fingerprint for that subkey with an exclamation mark suffixed to it and that will tell GnuPG to use that subkey. If you don't specify a subkey in this way, GnuPG will pick a suitable signing key, which may be a signing subkey or the main key.
You can use a key ID, but it's trivial to forge key IDs because they're so short, so you might end up specifying a different key than you intended. Using the fingerprint is unambiguous and thus recommended over using key IDs. It's likely that a soon-to-be-published revision of the OpenPGP spec will discourage or remove the use of key IDs for that reason.
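The advice in the answer above, as an added example that is not part of the original answer: a shell sketch that lists usable signing keys from GnuPG's machine-readable listing in the form `user.signingkey` expects (full fingerprint, with `!` for a subkey) and refuses to store anything shorter. The function names `signing_keys`, `is_full_fpr` and `set_signingkey`, the sample listing, its fingerprints and the e-mail address are all constructed for illustration; v4 (40 hex digit) fingerprints are assumed.

```shell
#!/bin/sh
# Added example (not from the original answer). All key material is constructed.

# Constructed sample of `gpg --list-secret-keys --with-colons` output:
# a primary key (sign+certify), an encryption subkey, a signing subkey,
# and an expired signing subkey.
SAMPLE='sec:u:4096:1:AAAAAAAAAAAAAAAA:1600000000:::u:::scESC:
fpr:::::::::111111111111111111111111AAAAAAAAAAAAAAAA:
uid:u::::1600000000::::Example Dev <dev@example.org>:
ssb:u:4096:1:BBBBBBBBBBBBBBBB:1600000000::::::e:
fpr:::::::::222222222222222222222222BBBBBBBBBBBBBBBB:
ssb:u:255:22:CCCCCCCCCCCCCCCC:1600000000::::::s:
fpr:::::::::333333333333333333333333CCCCCCCCCCCCCCCC:
ssb:e:255:22:DDDDDDDDDDDDDDDD:1500000000:1550000000:::::s:
fpr:::::::::444444444444444444444444DDDDDDDDDDDDDDDD:'

# Read a --with-colons listing on stdin and print one line per usable signing
# key: "<primary|subkey> <value for user.signingkey>". Field 12 holds the
# key's own capabilities (lowercase "s" = sign); field 2 is its validity.
signing_keys() {
    awk -F: '
        $1 == "sec" || $1 == "pub" { kind = "primary"; want = ($12 ~ /s/ && $2 !~ /^[reid]$/); next }
        $1 == "ssb" || $1 == "sub" { kind = "subkey";  want = ($12 ~ /s/ && $2 !~ /^[reid]$/); next }
        # The fpr record that follows a key record carries its fingerprint.
        $1 == "fpr" && want { print kind, (kind == "subkey" ? $10 "!" : $10); want = 0 }
    '
}

# Accept only a full v4 fingerprint (40 hex digits), optionally with the "!"
# suffix; reject e-mail addresses and short or long key IDs.
is_full_fpr() {
    printf '%s\n' "$1" | grep -Eq '^[0-9A-Fa-f]{40}!?$'
}

# Write the value to the global Git config only if it is a full fingerprint.
set_signingkey() {
    is_full_fpr "$1" || { echo "refusing non-fingerprint value: $1" >&2; return 1; }
    git config --global user.signingkey "$1"
}

# Demo on the constructed sample; on a real machine use:
#   gpg --list-secret-keys --with-colons | signing_keys
printf '%s\n' "$SAMPLE" | signing_keys
```

The expired subkey and the encryption-only subkey are skipped, so only values GnuPG can actually sign with are offered.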
It's the same ID as what's displayed on GitHub, as long as you're looking at a commit made on your system and not (for example) a merge commit done on GitHub.
You can also see your key ID(s) in GitHub's user settings, under https://github.com/settings/keys - look under "GPG Keys" and be sure to get the key ID (the one labeled "Key ID") and not a subkey's ID.