GPG Key Setup Guide for Gitea

Sign your Git commits to verify your identity on git.datawords.hk

Make sure GPG is installed on your system:

macOS:

$ brew install gnupg

Windows (Git Bash):

GPG comes bundled with Git for Windows. No extra installation needed.

Linux (Debian/Ubuntu):

$ sudo apt install gnupg

Verify the installation:

$ gpg --version
gpg (GnuPG) 2.4.x
...

Run the following command to generate a new GPG key pair:

$ gpg --full-generate-key

You will be prompted with several options. Choose the following:

  1. Key type: Select (1) RSA and RSA (default)
  2. Key size: Enter 4096 for maximum security
  3. Expiration: Choose based on your preference (e.g. 1y for 1 year, or 0 for no expiry)
  4. Real name: Enter your full name (same as your Gitea display name)
  5. Email: Enter the email address associated with your Gitea account
  6. Comment: Optional, can be left empty
  7. Passphrase: Set a strong passphrase to protect your private key

Important: The email you enter must match the email on your Gitea account. Otherwise, Gitea cannot verify your commits.

Example session:

$ gpg --full-generate-key
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
  (14) Existing key from card
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 4096
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 1y

Real name: John Doe
Email address: john.doe@datawords.asia
Comment:
You selected this USER-ID:
    "John Doe <john.doe@datawords.asia>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O

Tip: A passphrase dialog will appear. Choose a strong passphrase you can remember — you'll need it when signing commits.

First, find your GPG key ID:

$ gpg --list-secret-keys --keyid-format=long
sec   rsa4096/ABCDEF1234567890 2026-03-13 [SC] [expires: 2027-03-13]
      C1CB417F5F2F9E4D147F01C4ABCDEF1234567890
uid                 [ultimate] John Doe <john.doe@datawords.asia>
ssb   rsa4096/1234567890ABCDEF 2026-03-13 [E] [expires: 2027-03-13]

The key ID is the part after rsa4096/ on the sec line. In this example: ABCDEF1234567890

Now export the public key in ASCII armor format:

$ gpg --armor --export ABCDEF1234567890

This will output your public key block. Copy the entire output including the header and footer lines:

-----BEGIN PGP PUBLIC KEY BLOCK-----

mQINBGbS... (long base64-encoded data)
...
-----END PGP PUBLIC KEY BLOCK-----

Tip: You can also pipe the output to your clipboard directly:
macOS: gpg --armor --export KEY_ID | pbcopy
Linux: gpg --armor --export KEY_ID | xclip -selection clipboard
Windows (Git Bash): gpg --armor --export KEY_ID | clip

Open git.datawords.hk in your browser and log in.

4a. Click your avatar in the top-right corner, then click Settings:

[Screenshot: Gitea profile dropdown showing Settings option. Click your avatar → Settings]

4b. In the left sidebar, click SSH / GPG Keys:

[Screenshot: Gitea SSH/GPG Keys settings page. User Settings → SSH / GPG Keys]

4c. Scroll down to the "Manage GPG Keys" section and click "Add Key":

[Screenshot: Gitea Add GPG Key form. Paste your public key into the Content field and click "Add Key"]

4d. Paste the entire public key block (from Step 3) into the Content text area, then click the green "Add Key" button.

Success! You should see your key appear in the GPG Keys list with its fingerprint and email.

Tell Git to use your GPG key for signing commits:

# Set your signing key (use the key ID from Step 3)
$ git config --global user.signingkey ABCDEF1234567890

# Enable automatic commit signing
$ git config --global commit.gpgsign true

# (Optional) Also sign tags by default
$ git config --global tag.gpgsign true

macOS users: If you get "error: gpg failed to sign the data", you may need to set the GPG TTY:

$ echo 'export GPG_TTY=$(tty)' >> ~/.zshrc
$ source ~/.zshrc

Windows users: If signing fails, tell Git where to find GPG:

$ git config --global gpg.program "C:/Program Files/Git/usr/bin/gpg.exe"

The exact path may vary. Check with "where gpg" in Git Bash.

Make a test commit in any repository:

$ echo "test" >> test.txt
$ git add test.txt
$ git commit -m "test: verify GPG signing"

If prompted for your passphrase, enter it. Then verify the commit is signed:

$ git log --show-signature -1
commit abc1234... (HEAD -> main)
gpg: Signature made Thu 13 Mar 2026 03:00:00 PM HKT
gpg:                using RSA key C1CB417F5F2F9E4D147F01C4ABCDEF1234567890
gpg: Good signature from "John Doe <john.doe@datawords.asia>" [ultimate]
Author: John Doe <john.doe@datawords.asia>
Date:   Thu Mar 13 15:00:00 2026 +0800

    test: verify GPG signing

Push to Gitea and check the commit page — you should see a green "Verified" badge next to your commit.

Done! All your future commits will be automatically signed and verified on Gitea.

Problem: error: gpg failed to sign the data
Solution: Run export GPG_TTY=$(tty) and try again. Add it to your shell profile.

Problem: Commit shows as "Unverified" on Gitea
Solution: The email in your GPG key must match your Gitea account email exactly. Check with gpg --list-keys.

Problem: GPG asks for passphrase every commit
Solution: Use gpg-agent to cache your passphrase. Add default-cache-ttl 3600 to ~/.gnupg/gpg-agent.conf.

Problem: Key expired
Solution: Extend it: gpg --edit-key KEY_ID → expire → set new date → save. Re-export and update on Gitea.

Problem: Multiple GPG keys, wrong one used
Solution: Set the correct key per repo: git config user.signingkey CORRECT_KEY_ID (without --global).
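
The "Unverified" and "Key expired" cases above can be caught before pushing. The following is an added example, not part of the original guide: it parses gpg's machine-readable --with-colons listing and checks the uid email and the expiry date. The function names, the sample listing and its timestamps are constructed, and check_live assumes your Git user.email is the address on your Gitea account.

```bash
#!/usr/bin/env bash
# Added example, not part of the original guide. Function names are hypothetical.
# Reads `gpg --with-colons` records: field 1 = type, 7 = expiry (epoch), 10 = user ID.

# Print the e-mail address of every uid record on stdin.
uid_emails() {
  awk -F: '$1 == "uid" && match($10, /<[^>]+>/) {
    print substr($10, RSTART + 1, RLENGTH - 2) }'
}

# Succeed if the primary key on stdin never expires or expires after $1.
key_unexpired() {
  awk -F: -v now="$1" '$1 == "sec" || $1 == "pub" {
    ok = ($7 == "" || $7 + 0 > now + 0); exit }
    END { exit (ok ? 0 : 1) }'
}

# $1 = colon listing, $2 = Gitea account e-mail, $3 = current time (epoch seconds)
check_setup() {
  rc=0
  printf '%s\n' "$1" | uid_emails | grep -Fxq -- "$2" ||
    { echo "FAIL: no uid on the key carries <$2>"; rc=1; }
  printf '%s\n' "$1" | key_unexpired "$3" ||
    { echo "FAIL: signing key has expired"; rc=1; }
  return "$rc"
}

# Same checks against the real keyring and Git configuration.
# Assumption: git user.email is the address registered on Gitea.
check_live() {
  key=$(git config user.signingkey) || { echo "FAIL: user.signingkey unset"; return 1; }
  check_setup "$(gpg --batch --with-colons --list-secret-keys "$key")" \
    "$(git config user.email)" "$(date +%s)"
}

# Constructed listing for the guide's example key (timestamps are made up).
SAMPLE='sec:u:4096:1:ABCDEF1234567890:1773360000:1804896000::u:::scESC:
fpr:::::::::C1CB417F5F2F9E4D147F01C4ABCDEF1234567890:
uid:u::::1773360000::0000::John Doe <john.doe@datawords.asia>:
ssb:u:4096:1:1234567890ABCDEF:1773360000:1804896000:::::e:'

check_setup "$SAMPLE" "john.doe@datawords.asia" 1773360001 &&
  echo "OK: constructed sample passes both checks"
```

Call check_live inside a repository to run the same checks against your own key; a per-repo user.signingkey is picked up automatically.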