When you want to make sure your commits are really yours, or that only people who are actually on your team are making changes, sign your commits!
These are the steps I took on a Mac because I didn’t want to install a bunch of software that I wasn’t going to use.
brew install gpg pinentry-mac
Add the following to your .bash_profile
export GPG_TTY=$(tty)
Create a gpg key (assuming you have at least gpg 2.1.17)
gpg --full-generate-key
Choose the default (RSA) and a key length of 4096.
Find the id of your key
gpg --list-secret-keys --keyid-format LONG
The long key id is the part right after rsa4096/. Now register the key with git:
git config --global user.signingkey <id_from_above>
git config --global commit.gpgsign true
You can test it out by doing
echo test | gpg --clearsign
If it prompts for a passphrase but for a different key id than the one you want, add the --default-key option:
echo test | gpg --clearsign --default-key <id_from_above>
Export the public key so you can paste it into GitHub:
gpg --armor --export <id_from_above>
Now point gpg-agent at pinentry-mac by creating ~/.gnupg/gpg-agent.conf containing:
pinentry-program /usr/local/bin/pinentry-mac
You might need to reboot to have this take effect.
Read more here: https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work
But can you extend expired keys?
Yes, you can renew them.
gpg --list-keys
gpg --edit-key <keyid>
Now change the expiration:
gpg> expire
(go through the prompts to extend it, for example 1 year: 1y)
gpg> save
If you also have to change a subkey, select it first and then expire it:
gpg> key 1
gpg> expire
(prompts)
gpg> save
Remember to export the public key again and re-add it to GitHub, since the new expiration date is part of the key's self-signature.
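A small script, added here as an example and not part of the original post, that automates two of the manual lookups above: pulling the long key id out of a gpg listing (the rsa4096/ step, giving you the value for user.signingkey) and checking how close that key is to expiry so you know when the expire steps are due. It parses gpg's machine-readable --with-colons output instead of the human-readable listing shown above. The function names (signing_key_id, key_expiry_days, renewal_needed) are my own, and the listing embedded in the script is constructed sample data: the email address, key ids, fingerprints and timestamps in it are made up.

```shell
#!/bin/sh
# Added example (not from the original post): find the git signing key id and
# check when it expires by parsing gpg's machine-readable --with-colons output.
# Against a real keyring:
#   signing_key_id you@example.com "$(gpg --list-secret-keys --with-colons)"

# Constructed sample of `gpg --list-secret-keys --with-colons` with two keys for
# the same address: an expired one and a current one. Colon-separated fields
# used here: 1=record type, 2=validity (e=expired, r=revoked, u=ultimate),
# 5=long key id, 6=creation time, 7=expiration time (epoch seconds, empty =
# never expires), 12=capabilities (uppercase = usable by the whole key, so a
# signing subkey counts); on uid records field 10 is the user id string.
SAMPLE_LISTING='sec:e:4096:1:AAAAAAAAAAAAAAAA:1500000000:1531536000::u:::scESC:::+:::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEFAAAAAAAA:
uid:e::::1500000000::0000000000000000000000000000000000000000::Old Key <dev@example.com>::::::::::0:
ssb:e:4096:1:BBBBBBBBBBBBBBBB:1500000000:1531536000:::::e:::+:::23:
sec:u:4096:1:CCCCCCCCCCCCCCCC:1700000000:1763000000::u:::scESC:::+:::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEFCCCCCCCC:
uid:u::::1700000000::0000000000000000000000000000000000000000::Current Key <dev@example.com>::::::::::0:
ssb:u:4096:1:DDDDDDDDDDDDDDDD:1700000000:1763000000:::::e:::+:::23:'

# signing_key_id <email> [listing]
# Prints the long id of the newest primary secret key whose user id contains
# <email>, that is neither expired nor revoked, and that can sign. This is the
# value to give `git config --global user.signingkey`. Exits 1 if none matches.
signing_key_id() {
    email=$1
    listing=${2:-$SAMPLE_LISTING}
    printf '%s\n' "$listing" | awk -F: -v email="$email" '
        $1 == "sec" { keyid = $5; validity = $2; caps = $12; created = $6 + 0 }
        $1 == "uid" && index($10, email) > 0 &&
            validity != "e" && validity != "r" &&
            index(caps, "S") > 0 && created > best_created {
            best = keyid; best_created = created
        }
        END { if (best == "") exit 1; print best }'
}

# key_expiry_days <keyid> [listing] [now_epoch]
# Prints the whole days until the primary key <keyid> expires (negative once it
# has expired) or "never". Exits 1 if the key is not in the listing.
key_expiry_days() {
    keyid=$1
    listing=${2:-$SAMPLE_LISTING}
    now=${3:-$(date +%s)}
    printf '%s\n' "$listing" | awk -F: -v keyid="$keyid" -v now="$now" '
        $1 == "sec" && $5 == keyid {
            found = 1
            if ($7 == "") print "never"
            else print int(($7 - now) / 86400)
        }
        END { if (!found) exit 1 }'
}

# renewal_needed <keyid> <days> [listing] [now_epoch]
# Succeeds (exit 0) when the key expires within <days> days or has already
# expired, i.e. when the `gpg --edit-key` / `expire` steps above are due.
renewal_needed() {
    days=$(key_expiry_days "$1" "${3:-$SAMPLE_LISTING}" "${4:-$(date +%s)}") || return 2
    [ "$days" = "never" ] && return 1
    [ "$days" -le "$2" ]
}

# Demonstration on the constructed listing, with "now" pinned to 1700000000 so
# the output is reproducible (drop that argument to use the current time).
key=$(signing_key_id dev@example.com)
echo "signing key: $key"
echo "days until expiry: $(key_expiry_days "$key" "$SAMPLE_LISTING" 1700000000)"
if renewal_needed AAAAAAAAAAAAAAAA 30 "$SAMPLE_LISTING" 1700000000; then
    echo "AAAAAAAAAAAAAAAA needs renewal"
fi
```

The expired key is skipped even though it carries the same email address, so the script keeps working after you renew or replace a key. Wire renewal_needed into a shell profile or a pre-commit hook with a threshold of a few weeks and you get a warning before signing starts failing instead of after.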