When you want to make sure your commits are yours, or you want to make sure only people that are really on your team are the ones making changes. Sign your commits!

These are the steps I took on a mac because I didn’t want to install a bunch of software that I wasn’t going to use.

brew install gpg pinentry-mac

Add the following to your .bash_profile

export GPG_TTY=$(tty)

Create a gpg key (assuming you have at least gpg 2.1.17)

gpg --full-generate-key

Choose the default RSA, and a key with 4096 length.

Find the id of your key

gpg --list-secret-keys --keyid-format LONG

The id will be right after the rsa4096/ part. Now register the key

git config --global user.signingkey <id_from_above>
git config --global commit.gpgsign true

You can test it out by doing

echo test | gpg --clearsign

If it asks for the passphrase, but it isn’t for the keyid you want, add the default-key param

echo test | gpg --clearsign --default-key <id_from_above>

Export the key so you can copy it into github

gpg --armor --export <id_from_above>

Now add pinentry by creating ~/.gpg-agent.conf

pinentry-program /usr/local/bin/pinentry-mac

You might need to reboot to have this take effect.

Read more here: https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work

But can you extend expired keys?

Yes, you can renew them.

gpg --list-keys
gpg --edit-key (keyid)

Now change the expiration:

gpg> expire
(go through the prompts to extend it, for example 1 year: 1y)
gpg> save

If you have to also change a subkey, enter

gpg> key 1
gpg> expire
gpg> save

Remember to export the key and re-add it to github.