💾 Archived View for gemini.mcgillij.dev › git-sign-with-ssh.gmi captured on 2024-02-05 at 09:33:05. Gemini links have been rewritten to link to archived content
⬅️ Previous capture (2023-01-29)
-=-=-=-=-=-=-
:author:
mcgillij
:category:
Linux
:date:
2022-08-23 20:00
:tags:
Linux, Git, Github, Signing, SSH, GPG, Verified
:slug:
git-sign-commits-with-ssh
:summary:
How to sign your git commits with SSH instead of GPG
:cover_image:
battery.jpg
the ability to show signed commits from SSH, which is nice since it was a bit of a pain to sign with GPG (to be fair **git** has supported this for quite a while, Github just didn’t show the signed commits properly).
Getting this setup involved a bit of trial and error on my part, below are the steps I ended up taking to get it working.
First we need to configure git to use SSH keys instead of GPG to sign commits.
git config --global gpg.format ssh
Below we indicate which public keys are allowed to sign commits. Replace with your public keys, unless you want me to be verified on your commits.
git config --global user.signingKey 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMSsJjYL0PNE8/ahTdQXbiOS4Fdg/rY8pafH2YWjmpJM mcgillivray.jason@gmail.com' git config --global gpg.ssh.allowedSignersFile ~/.config/git/allowed_signers echo "mcgillivray.jason@gmail.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMSsJjYL0PNE8/ahTdQXbiOS4Fdg/rY8pafH2YWjmpJM" >> ~/.config/git/allowed_signers
Checking to make sure which private keys are loaded in your **ssh-agent**.
ssh-add -L
This was empty for me since I had previously **killed** my "ssh-agent". So I needed to re-add my keys. Which can be done with the following command.
ssh-add ~/.ssh/id_ed25519 # now we can check again to make sure our key is present ssh-add -L > ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMSsJjYL0PNE8/ahTdQXbiOS4Fdg/rY8pafH2YWjmpJM mcgillivray.jason@gmail.com
When you are ready to commit your changes you can use the following git flag **-S** for commits or **-s** for tags to sign them with your newly configured SSH signing key.
Example:
git commit -S -m "Commit message" git tag -s -m "Tag message" v1.0.0
Alternatively you can set the following **git.config** option to auto-sign your commits.
git config --global commit.gpgsign true
If you are having some troubles and you need to debug what *git* is doing behind the scenes for signing (or really any other issues your having with git, you can enable GIT_TRACE logging).
GIT_TRACE=1 git commit -S -m 'test' > 20:18:49.302765 git.c:460 trace: built-in: git commit -S -m test > 20:18:49.304053 run-command.c:654 trace: run_command: ssh-keygen -Y sign -n git -f /tmp/.git_signing_key_tmpHx7vuE /tmp/.git_signing_buffer_tmpEwDNMQ > error: Load key "/tmp/.git_signing_key_tmpHx7vuE": invalid format? > fatal: failed to write commit object
If you get an error message like the above, you will need to add your private key to your **ssh-agent** with the **ssh-add** command as indicated in the above steps.
Once you have a commit staged you can verify that the signature is working by running the following command:
git show --show-signature
You should see something like this:
[image: git show --show-signature]
You will need to add your public signing key to your github accounts settings.
When you commit your changes to a github repo, you will be able to see the verified badge to go along with your commits similarly to when you had to jump through a bunch of hoops to use GPG.
Some people believe that there’s plausible deniability that goes along with not signing commits, but at the end of the day it’s up-to you. I choose to sign my commits when I can either with GPG or SSH keys.
Anyways let me know what you think, is signing good / bad, do you have an opinion on this?