SSH Git Signing
Recently I needed to automate a git signer setup and wanted to explore the new ssh-signing approach. It turns out to be relatively easy:
You can use an Ed25519 key or an RSA key; the example below uses an RSA key.

This is an example ~/.gitconfig:
[user]
    name = Your Name
    email = you@example.com
    signingkey = /Users/username/.ssh/id_rsa.pub
[commit]
    gpgsign = true
[gpg]
    format = ssh
Alternatively, these commands will edit the ~/.gitconfig file for you:
git config --global user.signingkey $HOME/.ssh/id_rsa.pub
git config --global commit.gpgsign true
git config --global gpg.format ssh
After the config is present in ~/.gitconfig, you need to add this key to your GitHub profile for GitHub to recognize your commits as signed correctly.
Once configured, all future commits will be signed with this SSH key! In the event you don’t want to sign a specific commit, you can do so by adding the flag -c commit.gpgsign=false, e.g. git -c commit.gpgsign=false commit -m 'no sig'.
Additionally, I recommend signing with a GPG key on a TPM with physical confirmation for “commits that matter”; however, this is a quick way to sign less critical commits.
Allowed Signers File
If you run into the following error:
error: gpg.ssh.allowedSignersFile needs to be configured and exist for ssh signature verification
you may need to perform the following steps:
echo "your@email_address_in_gitconfig.com $(cat $HOME/.ssh/id_rsa.pub)" >> ~/.ssh/allowed_signers
and edit your ~/.gitconfig to refer to the allowed_signers file:
[gpg "ssh"]
    allowedSignersFile = ~/.ssh/allowed_signers
or run
git config --global gpg.ssh.allowedSignersFile "$HOME/.ssh/allowed_signers"