The terminal waits. A single command could define who you are. That command is gpg --gen-key.
GPG identity is the backbone of secure communication and code signing. It is your cryptographic fingerprint—used to verify your commits, encrypt email, and prove authorship. Without a GPG identity, trust in your digital work is weaker, and automation pipelines must rely on less secure methods.
GPG (GNU Privacy Guard) uses public key cryptography. A GPG identity is made up of a public key, a private key, and associated metadata like your name and email. The public key is shared openly to let others encrypt data for you or verify signatures. The private key stays under your control to sign commits, packages, or messages. The link between your GPG identity and your verified actions is what prevents spoofing in collaborative environments.
Creating a GPG identity is straightforward:
- Install GPG (gpg or gpg2).
- Run gpg --full-generate-key.
- Choose key type and size. For modern security, use RSA 4096-bit or ECC.
- Enter your name and email, preferably matching the identity in your version control system.
- Protect the private key with a passphrase. Store it securely.
After creation, export and share your public key:
gpg --armor --export your-email@example.com > public.key
Publish this key to a keyserver or link it directly in your profile. Then configure tools to use it:
git config --global user.signingkey <key-id>
git config --global commit.gpgsign true
Maintaining your GPG identity means rotating keys when needed, revoking compromised ones, and keeping your private key off shared systems. Integrating GPG signing in CI/CD ensures code and artifacts can be trusted end-to-end.
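An added example (not from the original post) of the rotation and revocation checks described above: it parses the machine-readable output of `gpg --list-keys --with-colons --fixed-list-mode` and flags keys that are revoked, expired, expiring soon, without an expiry, or RSA below the 4096-bit size recommended earlier. The listing, the key ids and the fingerprints are constructed for the example.

```python
"""Audit a keyring listing from `gpg --list-keys --with-colons --fixed-list-mode`.
Fields (1-based, per gnupg doc/DETAILS): 2 validity, 3 bits, 4 algo, 5 key id, 7 expires."""

def parse_colons(text):
    """One dict per primary key; the first 'fpr' after a 'pub' is that key's fingerprint."""
    keys, cur = [], None
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            cur = {"keyid": f[4], "validity": f[1], "algo": f[3], "bits": int(f[2]),
                   "expires": int(f[6]) if f[6] else None, "fpr": ""}
            keys.append(cur)
        elif f[0] == "fpr" and cur and not cur["fpr"]:
            cur["fpr"] = f[9]  # later fpr records belong to subkeys; keep the primary's
    return keys

def check(k, now, warn_days=30):
    exp, issues = k["expires"], []
    if k["validity"] == "r":
        issues.append("revoked")
    elif k["validity"] == "e" or (exp is not None and exp <= now):
        issues.append("expired")
    elif exp is None:
        issues.append("no-expiry")
    elif exp - now < warn_days * 86400:
        issues.append(f"expires-within-{warn_days}d")
    if k["algo"] == "1" and k["bits"] < 4096:  # algo 1 = RSA; the post recommends 4096
        issues.append(f"rsa-{k['bits']}-below-4096")
    return issues

def audit(keys, now, warn_days=30):
    return {k["keyid"]: check(k, now, warn_days) for k in keys}

# Constructed listing (not a real keyring): a current RSA-4096 key with a signing subkey,
# a revoked RSA-2048 key, and an Ed25519 key expiring in under a week. NOW is a fixed clock.
NOW = 1718000000
SAMPLE = """\
pub:u:4096:1:0123456789ABCDEF:1700000000:1763000000::u:::scESC::::::23::0:
fpr:::::::::ABCDEF0123456789ABCDEF0123456789ABCDEF01:
sub:u:4096:1:FEDCBA9876543210:1700000000:1763000000:::::s::::::23:
fpr:::::::::1111111111111111111111111111111111111111:
pub:r:2048:1:1122334455667788:1500000000:1600000000::-:::sc::::::23::0:
fpr:::::::::2222222222222222222222222222222222222222:
pub:u:255:22:AABBCCDDEEFF0011:1710000000:1718500000::u:::scESCA::::::ed25519::0:
fpr:::::::::3333333333333333333333333333333333333333:
"""

if __name__ == "__main__":
    for keyid, issues in audit(parse_colons(SAMPLE), NOW).items():
        print(keyid, issues or ["ok"])
```

Run it against your own keyring by piping the real listing into `parse_colons` and passing `int(time.time())` as `now`; the fingerprint field is the value to put in `user.signingkey`, since it is unambiguous where a short key id is not.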
A strong GPG identity is not optional—it is the trust layer for secure development, release processes, and distributed collaboration. Set it up once, use it everywhere, and make it part of your workflow.
See how this works live in minutes with hoop.dev and integrate secure GPG identity management with zero friction.