YAGNI
You are(n't)? gonna need it…
Integrate GNU Privacy Guard (GPG) with other tools
About
This post will show different ways to integrate GPG with external tools to encrypt and/or sign different types of data.
The following sections assume that the reader owns a personal GPG key.
Keeping passwords secure using Emacs
The Emacs manual explains that the auth-source library keeps password information persistent so it can be supplied to services that require it; that information is kept secure in the ~/.authinfo.gpg file.
This file is secure by default because Emacs treats files with the gpg extension as encrypted files: when such a file is opened inside Emacs, the user is prompted for their "gpg" passphrase (required for decrypting), and when the user saves the file it is stored encrypted again.
Of course, decryption only works if the user opening the file is the actual recipient of the encrypted file.
The Pinentry
The Pinentry is the GPG component that securely prompts users for passphrases. Some systems default to a Pinentry that doesn't integrate well with Emacs, for example the curses-based Pinentry.
The "loopback" Pinentry allows Emacs to smoothly integrate with GPG. To set this
Pinentry as the default, add the following line to the ~/.gnupg/gpg.conf file:
pinentry-mode loopback
Also configure the epg package to control the behavior of the Pinentry
invocation:
(setq epg-pinentry-mode 'loopback)
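The two settings above are usually applied by hand. The following script, added here as an example and not part of the original post, applies them idempotently and lets you check the result. It assumes a POSIX shell; the GnuPG home directory and the Emacs init file path are parameters with the conventional defaults ~/.gnupg and ~/.emacs.d/init.el.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes POSIX sh only.
# Parameters: GnuPG home (default $GNUPGHOME or ~/.gnupg) and Emacs init file.

# Append LINE to FILE unless it is already present as a whole line, so the
# function can be re-run without duplicating settings.
ensure_line() {
  file=$1; line=$2
  [ -f "$file" ] || : > "$file"
  if ! grep -qxF -- "$line" "$file"; then
    printf '%s\n' "$line" >> "$file"
  fi
}

# Set "pinentry-mode loopback" in gpg.conf and tighten permissions: GnuPG
# warns about (and may refuse to trust) a group/world-accessible home directory.
configure_gpg_loopback() {
  home=${1:-${GNUPGHOME:-$HOME/.gnupg}}
  mkdir -p "$home"
  chmod 700 "$home"
  ensure_line "$home/gpg.conf" "pinentry-mode loopback"
  chmod 600 "$home/gpg.conf"
}

# Add the epg setting to the Emacs init file so Emacs uses the same mode.
configure_emacs_epg() {
  init=${1:-$HOME/.emacs.d/init.el}
  mkdir -p "$(dirname "$init")"
  ensure_line "$init" "(setq epg-pinentry-mode 'loopback)"
}

# Print how many times LINE occurs as a whole line in FILE (0 if the file is
# missing). After configuration the expected answer is exactly 1.
count_line() {
  n=$(grep -cxF -- "$2" "$1" 2>/dev/null) || n=${n:-0}
  printf '%s\n' "$n"
}

# Usage: sh this-script.sh apply   (edits the real ~/.gnupg and init file)
if [ "${1:-}" = apply ]; then
  configure_gpg_loopback
  configure_emacs_epg
fi
```

Note that pinentry-mode in gpg.conf is global to the user's GPG configuration, not specific to Emacs: a gpg run from a terminal will also read the passphrase itself instead of opening a Pinentry dialog. GnuPG 2.1 releases older than 2.1.12 additionally require allow-loopback-pinentry in gpg-agent.conf for loopback mode to be accepted by the agent.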
Signing Git commits
Git supports signing commits using GPG. To achieve this, configure the
commit.gpgsign setting as in:
git config --global commit.gpgsign true
This setting signs commits with the user's default key. To be explicit about which key to use, also set user.signingkey to the key's identifier:
git config --global user.signingkey me@email.com
With these settings in place, new commits will be GPG signed.
It's also possible to share the public key with services such as GitHub so they can verify the signatures of pushed commits.
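A small audit script for the Git side, added here as an example that is not part of the original post: it reads commit.gpgsign and user.signingkey from a config file, enables them idempotently, and verifies the signature on a commit. It assumes a POSIX shell with git on PATH; the config file path and key id are parameters, and me@email.com is the placeholder carried over from the post.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes POSIX sh and git.
# FILE arguments name a git config file (e.g. "$HOME/.gitconfig").

# Print "enabled" if commit.gpgsign is true in FILE, otherwise "disabled".
# --bool normalises "yes"/"on"/"1" to "true" exactly as git itself does.
git_signing_enabled() {
  val=$(git config --file "$1" --bool --get commit.gpgsign 2>/dev/null) || val=""
  if [ "$val" = true ]; then echo enabled; else echo disabled; fi
}

# Print the configured user.signingkey, or "none" when it is unset.
git_signing_key() {
  key=$(git config --file "$1" --get user.signingkey 2>/dev/null) || key=""
  printf '%s\n' "${key:-none}"
}

# Turn on signing in FILE with key KEYID. git config overwrites an existing
# value, so running this repeatedly leaves a single entry for each setting.
git_enable_signing() {
  git config --file "$1" commit.gpgsign true
  git config --file "$1" user.signingkey "$2"
}

# Check the signature on a commit (default HEAD) of the current repository.
# Exit status is 0 only for a good signature made by a key in the keyring.
git_verify_commit() {
  git verify-commit "${1:-HEAD}"
}

# Usage: sh this-script.sh report [FILE]   (FILE defaults to ~/.gitconfig)
if [ "${1:-}" = report ]; then
  cfg=${2:-$HOME/.gitconfig}
  echo "commit signing: $(git_signing_enabled "$cfg")"
  echo "signing key:    $(git_signing_key "$cfg")"
fi
```

An e-mail address works as a key identifier because git hands it to gpg as a user-id selector, but it is ambiguous if more than one key in the keyring carries that address; the long key ID or full fingerprint shown by gpg --list-secret-keys --keyid-format long selects exactly one key. To see the signature status of each commit in history rather than one at a time, use git log --show-signature.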
See also
- The authentication section in the Emacs manual
- Previous post about encrypting data
