How to set default uid of gpg key to sign commits and tags in git?

Tags: git, config, gnupg

I used to have two separate gpg keys (pairs of keys): one to encrypt my personal emails, which had my gmail address in the uid, and a second key I used publicly to sign my commits and publish them with my other email.

I have recently changed this approach and just added both emails to one key; the other was left to expire. I am aware I made my gmail address public, and that is fine for me.

Now, here is the problem: when I code and want to sign tags/commits, I need my 'dev' mail set as primary. However, when using thunderbird or gajim, the private gmail address should be listed first to avoid confusion.

At the moment I have to manually set one uid or the other as primary by typing in the terminal:

gpg2 --edit-key <keyid>   # open the interactive key editor for the key
uid 1 (or 2)              # select the uid to promote
primary                   # flag the selected uid as primary
save                      # write the change and leave the editor

Does anyone know any more efficient way? I am aware of setting git config --global or editing the ~/.gitconfig file. I know I can put the signingkey option there, and it is what I did, since I always generate a separate (third) key just to sign, to avoid using the primary key (so I can revoke just the subkey).

But this option only refers to the key fingerprint, not the uid. Git config user.email and user.name sound like a solution; however, they do not correspond to the gpg identity.

In short: is there a way to set a default gpg uid to be used by git, or am I doomed to manually switching / having two separate keys?

mDfRg asked Nov 07 '22 04:11

1 Answer

When a developer verifies your git commits, the primary uid that appears for them is the one on their local copy of your public key, not the primary uid set when you signed the commit. For example:

# Setup test key (everything below uses a throwaway keyring under $GNUPGHOME)
export GNUPGHOME=./test_gpg_home
mkdir -m700 "$GNUPGHOME"
gpg --quick-gen-key "personal" ed25519 cert   # prompts for a passphrase
# Set $FPR to the test key fingerprint (40 char identifier), read from the keyring
FPR=$(gpg --list-keys --with-colons "personal" | awk -F: '/^fpr:/ { print $10; exit }')
gpg --quick-add-uid "$FPR" "developer"
gpg --quick-add-key "$FPR" cv25519 encr
gpg --quick-add-key "$FPR" ed25519 sign

# Send a personal contact a public key with personal as primary
mkdir -m700 ./personal_gpg_home
gpg --quick-set-primary-uid "$FPR" "personal"
gpg --output ./personal.gpg --export "$FPR"
gpg --homedir=./personal_gpg_home --import < ./personal.gpg

# Send a dev contact a public key with developer as primary
mkdir -m700 ./dev_gpg_home
gpg --quick-set-primary-uid "$FPR" "developer"
gpg --output ./dev.gpg --export "$FPR"
gpg --homedir=./dev_gpg_home --import < ./dev.gpg

# Add new uid and set it to primary (this uid is never exported to the contacts)
gpg --quick-add-uid "$FPR" "unshared"
gpg --quick-set-primary-uid "$FPR" "unshared"

# Encryption
# --trust-model always skips the "key is not trusted" prompt in the contacts' keyrings;
# --yes allows overwriting msg.txt.gpg between runs
echo "my message" > msg.txt
gpg --homedir=./personal_gpg_home --trust-model always --yes --recipient "personal" --encrypt msg.txt
# ... (should show personal as recipient)
gpg --homedir=./dev_gpg_home --trust-model always --yes --recipient "developer" --encrypt msg.txt
# ... (should show developer as recipient)
gpg --decrypt msg.txt.gpg
# ... (should show unshared as recipient)

# Verification
gpg --default-key "$FPR" --yes --sign msg.txt
# ... (will appear as if you are signing as unshared)
gpg --homedir=./personal_gpg_home --verify msg.txt.gpg
# ... (should show personal as primary uid)
gpg --homedir=./dev_gpg_home --verify msg.txt.gpg
# ... (should show developer as primary uid)

You could give your personal contacts a public key with your personal uid set as primary, and other developers a public key with your developer uid set as primary, but if they refresh their copy of your key, the primary uid will be the one most recently set.

leocp1 answered Nov 14 '22 16:11