Board 97 baked the entire flow into install.bat Step 5b
(calls Go.Sign.bat). If you curl-installed metal, signing
is already wired. The manual recipe below is preserved for repair
scenarios — running C:\metal\Go.Sign.bat standalone
fixes a borked laptop without re-running the whole install.
Go.Sign.ps1 handles key discovery / generation, git config,
and GitHub registration automatically. The only thing it can't do is
the one-time OAuth browser approval — that's your one step,
and it happens inline during install.
If You Need To Run It Manually
One command
Run Go.Sign on the laptop that's broken
Go.Sign is idempotent — safe on healthy laptops (no-op),
self-heals broken ones.
C:\metal\Go.Sign.bat
Mac / Linux: bash ~/metal/Go.Sign.sh
What Go.Sign Does — Step By Step
Step 1 — the only manual moment
Grant GitHub CLI the GPG scope
Run automatically by Go.Sign when needed. Opens a browser —
you approve it, control returns. Equivalent command:
gh auth refresh -h github.com -s write:gpg_key
Interactive — opens your browser with a device code. Approve it on GitHub. One-time per laptop.
Step 2
Go.Sign continues automatically
After the browser approval, Go.Sign continues without further input:
auto Find an existing local key matching your GitHub email, OR generate a fresh 4096-bit RSA key
auto Configure git to sign all commits with the chosen key
auto Upload the public key to your GitHub account (when generated)
auto Smoke-test with an empty signed commit in a scratch repo
Result: every commit from this machine shows the green "Verified" badge on GitHub.
If Something Breaks
gpg failed to sign the data
Git is pointing to a key that doesn't exist on this machine.
Run C:\metal\Go.Sign.bat — it finds an existing
key or generates a new one and rewires git config.
insufficient OAuth scopes
gh hasn't been granted write:gpg_key yet.
Go.Sign runs the refresh automatically on first key gen,
or run it yourself: gh auth refresh -h github.com -s write:gpg_key.
New machine?
Just curl-install metal. install.bat runs
Go.Sign.bat at Step 5b automatically. Fresh key per
laptop; GitHub aggregates them all under your account.
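The key discovery in Step 2 and the "gpg failed to sign the data" case both depend on whether a usable secret key is in the local keyring. The script below is an added example, not Go.Sign's own code: it parses the text of gpg --list-secret-keys --with-colons, using a constructed sample keyring. The function names, and the assumption that user.signingkey holds a hex key ID or fingerprint, belong to this example only.

```sh
#!/bin/sh
# Added example: works on the text of `gpg --list-secret-keys --with-colons`.
# Real use: gpg --list-secret-keys --with-colons | key_in_keyring "$(git config --get user.signingkey)"

# Print the fingerprint of the first secret key that is not expired/revoked
# and carries a user ID for <email>. Reads the colon listing on stdin.
find_signing_key() {
  awk -F: -v email="$1" '
    BEGIN { want = "<" tolower(email) ">" }
    $1 == "sec" { usable = ($2 != "e" && $2 != "r"); fpr = ""; next }
    $1 == "fpr" && fpr == "" { fpr = $10; next }   # first fpr after sec = primary key
    $1 == "uid" && usable && $2 != "r" && index(tolower($10), want) {
      print fpr; found = 1; exit
    }
    END { exit !found }'
}

# Succeed if the configured signing key (hex key ID or fingerprint, optional
# 0x prefix or trailing !) matches a key or subkey fingerprint in the listing.
key_in_keyring() {
  id=$(printf '%s' "$1" | tr 'a-f' 'A-F' | sed 's/^0[xX]//; s/!$//')
  awk -F: -v id="$id" '
    $1 == "fpr" && length(id) >= 8 && length(id) <= length($10) &&
      substr($10, length($10) - length(id) + 1) == id { ok = 1; exit }
    END { exit !ok }'
}

# Constructed sample (not a real keyring, trailing fields trimmed):
# one expired key and one valid key with an encryption subkey.
sample_listing() {
  cat <<'EOF'
sec:e:4096:1:1111222233334444:1600000000:1631536000::u:::scESC:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF1111222233334444:
uid:e::::1600000000::0000000000000000000000000000000000000001::Dev Example <dev@example.com>:
sec:u:4096:1:89ABCDEF01234567:1700000000:::u:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1700000000::0000000000000000000000000000000000000002::Dev Example <dev@example.com>:
ssb:u:4096:1:FEDCBA9876543210:1700000000::::::e:
fpr:::::::::00112233445566778899AABBFEDCBA9876543210:
EOF
}

# Demo on the constructed sample: the expired key is skipped.
sample_listing | find_signing_key dev@example.com
```

key_in_keyring only checks presence, so a key that is present but expired still needs find_signing_key (or a fresh key) to get signing working again.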