Create a GPG key

This section guides you through creating a GPG key that the GitHub machine user will use to sign commits in the GitHub Actions workflows.

Step 1: Create a passphrase

Create a strong passphrase for the GPG key and add it to your team's 1Password vault.

Step 2: Install

Install GnuPG:

brew install gnupg

Step 3: Generate the GPG key

Run the following commands and replace the values with your own. The GITHUB_USERNAME and GITHUB_EMAIL values should match the machine user's GitHub profile.

export GNUPGHOME=$(mktemp -d -t gnupg_$(date +%Y%m%d%H%M)_XXX)
export GITHUB_USERNAME="ok-pirates-bot"
export GITHUB_EMAIL="ok-pirates-bot@oslo.kommune.no"
export IAC_REPO="oslokommune/pirates-iac"

Run GnuPG to generate the key. When prompted, paste in the passphrase you created in step 1:

gpg --batch --gen-key <<EOF
%echo Generating a GPG key
Key-Type: RSA
Key-Length: 4096
Subkey-Type: RSA
Subkey-Length: 4096
Name-Real: $GITHUB_USERNAME
Name-Email: $GITHUB_EMAIL
Expire-Date: 0
%ask-passphrase
%commit
%echo done
EOF

Step 4: Add the key and passphrase as a secret

Add the private key to the infrastructure repository as a secret:

gpg --armor --export-secret-key "$GITHUB_EMAIL" \
    | gh secret set --repo "$IAC_REPO" GPG_PRIVATE_KEY_FOR_MACHINE_USER

Example output:

✓ Set Actions secret GPG_PRIVATE_KEY_FOR_MACHINE_USER for oslokommune/pirates-iac

Add the passphrase to the infrastructure repository as a secret:

gh secret set --repo "$IAC_REPO" GPG_PASSPHRASE_FOR_MACHINE_USER

Example output:

? Paste your secret ***
✓ Set Actions secret GPG_PASSPHRASE_FOR_MACHINE_USER for oslokommune/pirates-iac
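The two pipelines in step 4 report the exit status of gh, not of gpg, so a failed export (wrong email, wrong GNUPGHOME, mistyped passphrase) could hand gh an empty or unexpected input without anything in the command's output pointing at the cause. The POSIX shell script below is an added example, not part of the original guide or the pirates-iac repository: it checks that the key generated in step 3 actually has the parameters requested there (RSA, 4096 bits, no expiry) and that an armored export is a non-empty block of the expected type before it is set as a secret. It assumes the GITHUB_EMAIL and IAC_REPO variables from step 3; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original guide. Run after step 3, before step 4.
# Assumes GITHUB_EMAIL and IAC_REPO are exported as in step 3. The function
# names are this example's own; gpg and gh are only called inside set_key_secret.

# Validate an armored export read from stdin: it must be non-empty and be a
# "PUBLIC" or "PRIVATE" key block ($1), so that an empty or wrong-type export
# is never pushed to the repository as a secret.
validate_armored_key() {
  expected="$1"
  text=$(cat)
  if [ -z "$text" ]; then
    echo "validate_armored_key: export produced no output" >&2
    return 1
  fi
  case "$text" in
    "-----BEGIN PGP ${expected} KEY BLOCK-----"*"-----END PGP ${expected} KEY BLOCK-----")
      return 0 ;;
    *)
      echo "validate_armored_key: not a PGP ${expected} key block" >&2
      return 1 ;;
  esac
}

# Read `gpg --with-colons --list-secret-keys` output from stdin, print the
# primary key's fingerprint, and fail unless the primary key matches step 3:
# algorithm 1 (RSA) in field 4, 4096 bits in field 3, no expiry (field 7 empty).
check_secret_key_listing() {
  awk -F: '
    BEGIN { seen = 0; bad = 0; want_fpr = 0 }
    $1 == "sec" {
      seen = 1
      if ($4 != "1")    { print "primary key is not RSA" > "/dev/stderr"; bad = 1 }
      if ($3 != "4096") { print "primary key is not 4096 bits" > "/dev/stderr"; bad = 1 }
      if ($7 != "")     { print "primary key has an expiry date" > "/dev/stderr"; bad = 1 }
      want_fpr = 1
      next
    }
    $1 == "fpr" && want_fpr { print $10; want_fpr = 0 }
    END {
      if (!seen) { print "no secret key in listing" > "/dev/stderr"; exit 1 }
      exit bad
    }'
}

# Export the key for GITHUB_EMAIL, validate it, and only then set the secret.
# $1 = PUBLIC or PRIVATE, $2 = secret name. The armored key is held in a shell
# variable (process memory) rather than written to a file.
set_key_secret() {
  case "$1" in
    PRIVATE) armored=$(gpg --armor --export-secret-key "$GITHUB_EMAIL") ;;
    PUBLIC)  armored=$(gpg --armor --export "$GITHUB_EMAIL") ;;
    *) echo "usage: set_key_secret PUBLIC|PRIVATE SECRET_NAME" >&2; return 2 ;;
  esac
  printf '%s\n' "$armored" | validate_armored_key "$1" || return 1
  printf '%s\n' "$armored" | gh secret set --repo "$IAC_REPO" "$2"
}

# Usage, mirroring steps 3 and 4 of the guide:
#   gpg --with-colons --list-secret-keys "$GITHUB_EMAIL" | check_secret_key_listing
#   set_key_secret PRIVATE GPG_PRIVATE_KEY_FOR_MACHINE_USER
```

The fingerprint printed by check_secret_key_listing is worth recording alongside the keys in the 1Password entry from step 6, since it is what you compare against the key shown on the machine user's GitHub profile. Because step 3 puts the keyring in a temporary GNUPGHOME, run these checks in the same shell session, before that directory is gone.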

Step 5: Add the public key to the GitHub account

Copy the GPG public key to the clipboard:

gpg --armor --export "$GITHUB_EMAIL" | pbcopy

Follow the official GitHub guide to add the GPG key to the machine user.

Step 6: Save in 1Password

Add the GPG public and private key to your team's 1Password vault. Run each command in turn and paste the clipboard contents into the vault entry before running the next, since the second copy replaces the first on the clipboard:

gpg --armor --export "$GITHUB_EMAIL" | pbcopy
gpg --armor --export-secret-key "$GITHUB_EMAIL" | pbcopy

Step 7: Verify

Now that you've added both a PAT and a GPG key to the repository, you can try to trigger the chain of workflows again. It should now run without any errors and the metadata file __gp_config_app_image.auto.tfvars.json should be updated with the latest values from the application repository.

You can now move on to the next section to set up the Terraform workflow.

Next step

Deploy the image to AWS.