NixOS Setup GnuPG Git Commit Signing


I have recently installed NixOS as I needed a slightly easier to manage environment for work, and of course as I backed up my old Gentoo installation in preparation for this change I forgot to back up my GPG key and Git config like the silly sausage I am.

In this post I'll show you how I recovered my GPG key from Keybase and configured Git to use that GPG key with Home Manager in NixOS. I am going to assume in large part that you know how to use GPG, NixOS, Home Manager and Git, otherwise this post might end up taking a week.

NixOS

So the problem, and what makes this post a thing beyond a normal commit signing key setup post (there are billions of these so I won't rehash it lol), is NixOS and its atomic way of doing things.

For example, if I were to try and just add my signing key it would look something like this.

setkeh@Workstation ~> git config --global user.signingkey 0X123456789ABCD
error: could not lock config file /home/setkeh/.config/git/config: Read-only file system

The error is not terribly intuitive if you're not familiar with atomic systems, but basically this is a good thing: Home Manager links ~/.config/git/config into the read-only Nix store, so it's stopping us from applying configuration that would be overwritten the next time we applied our config anyway.

My config is not ideal but we will use it for this example; basically I would recommend not shitting up your configuration.nix as much as I have (plan better than I did and your system will be sexy).

First let's have a look at enabling Git and the setup config I have in .config/nixpkgs/home.nix:

# [Redacted]

programs.git = {
  enable = true;
  userName = "James <SETKEH> Griffis";
  userEmail = "setkeh@gmail.com";
  # Sign every commit with this key without passing a flag to git commit each time.
  signing = {
    signByDefault = true;
    key = "0x123456789ABCD";
  };
};

# [Redacted]

This is basically the setup needed to get commit signing working, using your Git details of course, not mine. There is however a caveat. Again assuming you have GPG installed (iirc NixOS has it installed by default for package management), GPG on NixOS does not have a pinentry program wired up, so gpg-agent has no GUI or X way to ask you for your passphrase. We need to fix that before we actually start trying to issue GPG commands, else we will get some odd warning about pinentry:

gpg: public key decryption failed: No pinentry
gpg: decryption failed: No secret key

I have done this in my /etc/nixos/configuration.nix:

# [Redacted]

# Pinentry.
programs.gnupg.agent.enable = true;

# [Redacted]

You will need to switch to the new config (nixos-rebuild switch) and then reboot for this change to fully take effect in NixOS.

GnuPG

OK great, we have most of the configuration sorted out, now we should be able to recover our GPG key from Keybase. (Note you need to have your key in Keybase already; if you're not using Keybase you should, then you can come and join the TheSetkehProject community there and chat with us too.)

We will use the Keybase CLI to export the secret key and pipe it straight into the GPG CLI's stdin for import, so the secret key never has to be written to a file on disk.

keybase pgp export -s | gpg --allow-secret-key-import --import

This should first ask you to unlock your private key with your Keybase password, then shortly after ask you to set an unlock passphrase for GPG, and that's it, the key is now recovered. You can verify with gpg --list-secret-keys --keyid-format LONG.
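As an added check that is not part of the original post, the script below ties the two halves together: it reads the key id out of home.nix, parses the output of gpg --list-secret-keys --keyid-format LONG, and confirms that key is present as a usable secret key before you rebuild. It assumes the home.nix path from the post and treats a "sec#" stub (public half imported, private half missing) as not usable.

```shell
#!/usr/bin/env sh
# Added check, not part of the original post: confirm that the key id given to
# programs.git.signing.key really exists as a usable secret key in the GnuPG keyring,
# so a rebuild does not leave git trying to sign with a key it cannot use.
# Assumes the Home Manager file is ~/.config/nixpkgs/home.nix, as in the post.

# Normalise a key id: drop an optional 0x/0X prefix and upper-case the hex, so
# "0x123456789ABCD" from home.nix and "0X123456789ABCD" typed at the shell compare equal.
normalize_keyid() {
  printf '%s' "$1" | sed 's/^0[xX]//' | tr 'a-f' 'A-F'
}

# Extract the signing.key value (first  key = "...";  line) from a home.nix file.
signing_key_from_home_nix() {
  sed -n 's/^[[:space:]]*key[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Print the LONG key ids of secret keys whose private material is actually present.
# Reads `gpg --list-secret-keys --keyid-format LONG` output on stdin. Lines starting
# with "sec#" are stubs (private part missing) and "sec>" means smartcard; neither counts.
usable_secret_keyids() {
  awk '/^sec  / { split($2, a, "/"); print a[2] }'
}

# Exit 0 if key id $1 matches a usable secret key in the gpg listing passed as $2.
# GnuPG matches key ids as a suffix of the full fingerprint, so accept either the
# configured id ending with a listed long id (full fingerprint in home.nix) or the
# listed id ending with the configured one (short or long id in home.nix).
key_usable_for_signing() {
  want=$(normalize_keyid "$1")
  [ ${#want} -ge 8 ] || return 1   # GnuPG rejects ids shorter than a short (8 hex) id
  printf '%s\n' "$2" | usable_secret_keyids | {
    while read -r have; do
      [ -n "$have" ] || continue
      case "$have" in *"$want") exit 0 ;; esac
      case "$want" in *"$have") exit 0 ;; esac
    done
    exit 1   # no match: exits only this pipeline stage, so the function returns 1
  }
}

# Run against the real system when gpg and the home.nix from the post are present.
if command -v gpg >/dev/null 2>&1 && [ -f "$HOME/.config/nixpkgs/home.nix" ]; then
  key=$(signing_key_from_home_nix "$HOME/.config/nixpkgs/home.nix")
  if key_usable_for_signing "$key" "$(gpg --list-secret-keys --keyid-format LONG 2>/dev/null)"; then
    echo "ok: $key has a usable secret key, signing will work after the rebuild"
  else
    echo "missing: no usable secret key for '$key'; import it (keybase pgp export -s | gpg --import) first" >&2
  fi
fi
```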

Conclusion

And that is how I fixed my backup mistakes and configured NixOS to sign all of my Git commits. Because we used the signByDefault attribute we don't need to pass any special flags to git commit -m "" to sign; it will be done by default, as it says on the tin :)

Hope this helps any other NixOS users set up commit signing, as it took me a little while to figure it out, or helps anyone looking to recover their private key from Keybase.