Prefer GPG(GnuPG) rather than SSH key to sign commits

.gitignore

@@ -13,3 +13,5 @@ tmp/
 .DS_Store
 
 winget-pkgs-*-raw.json
+
+*.bak

home-manager/bash.nix

@@ -1,6 +1,7 @@
 { config, lib, pkgs, ... }:
 
 {
+  services.gpg-agent.enableBashIntegration = true;
   programs.starship.enableBashIntegration = true;
   programs.direnv.enableBashIntegration = true;
   programs.zoxide.enableBashIntegration = true;

home-manager/fish.nix

@@ -1,6 +1,7 @@
 { pkgs, ... }:
 
 {
+  services.gpg-agent.enableFishIntegration = true;
   programs.starship.enableFishIntegration = true;
   # Settled by default and readonly https://github.com/nix-community/home-manager/blob/8c731978f0916b9a904d67a0e53744ceff47882c/modules/programs/direnv.nix#L65-L68
   # programs.direnv.enableFishIntegration = true;

home-manager/git.nix

@@ -1,4 +1,4 @@
-{ config, ... }:
+{ ... }:
 
 {
   # https://github.com/nix-community/home-manager/blob/master/modules/programs/git.nix
@@ -25,24 +25,23 @@
     extraConfig = {
       user = {
         # https://stackoverflow.com/questions/48065535/should-i-keep-gitconfigs-signingkey-private
-        # TODO: Consider to replace with GPG key, see https://github.com/kachick/dotfiles/issues/289
-        signingkey = "${config.home.homeDirectory}/.ssh/id_ed25519.pub";
-      };
-
-      core = {
-        editor = "vim";
-        quotepath = false;
+        signingkey = "EF6E574D040AE2A5";
       };
 
       gpg = {
-        format = "ssh";
+        format = "openpgp";
       };
 
       commit = {
         # https://stackoverflow.com/questions/10161198/is-there-a-way-to-autosign-commits-in-git-with-a-gpg-key
         gpgsign = true;
       };
 
+      core = {
+        editor = "vim";
+        quotepath = false;
+      };
+
       init = {
         defaultBranch = "main";
       };

home-manager/gpg.nix

@@ -0,0 +1,27 @@
+{ config, ... }:
+
+{
+  # https://github.com/nix-community/home-manager/blob/master/modules/services/gpg-agent.nix
+  services.gpg-agent.enable = true;
+
+  # https://github.com/nix-community/home-manager/blob/master/modules/programs/gpg.nix
+  programs.gpg = {
+    enable = true;
+
+    # How to backup the private key?
+    # `gpg --export-secret-keys --armor > gpg-private.keys.bak`
+
+    # Preferring XDG_DATA_HOME rather than XDG_CONFIG_HOME from following examples
+    #   - https://wiki.archlinux.org/title/XDG_Base_Directory
+    #   - https://github.com/nix-community/home-manager/blob/5171f5ef654425e09d9c2100f856d887da595437/modules/programs/gpg.nix#L192
+    homedir = "${config.xdg.dataHome}/gnupg";
+
+    # Ed448 in GitHub is not yet supported - https://github.com/orgs/community/discussions/45937
+    settings = {
+      # https://unix.stackexchange.com/questions/339077/set-default-key-in-gpg-for-signing
+      default-key = "EF6E574D040AE2A5";
+
+      personal-digest-preferences = "SHA512";
+    };
+  };
+}

home-manager/home.nix

@@ -6,6 +6,7 @@
     ./bash.nix
     ./zsh.nix
     ./fish.nix
+    ./gpg.nix
     ./ssh.nix
     ./git.nix
     ./zellij.nix

home-manager/packages.nix

@@ -38,6 +38,9 @@
     lazygit
     gh
 
+    # GPG
+    gnupg
+
     dprint
     shellcheck
     shfmt

home-manager/zsh.nix

@@ -1,6 +1,7 @@
 { config, lib, pkgs, ... }:
 
 {
+  services.gpg-agent.enableZshIntegration = true;
   programs.starship.enableZshIntegration = true;
   programs.direnv.enableZshIntegration = true;
   programs.zoxide.enableZshIntegration = true;