SSH Git Signing

Recently I needed to automate a git signer setup and wanted to explore the newer SSH signing approach. It turns out to be relatively easy:

You can use an Ed25519 key or an RSA key. The example below uses an RSA key:

This is an example ~/.gitconfig:

[user]
  name = Your Name
  email = [email protected]
  signingkey = /Users/username/.ssh/id_rsa.pub

[commit]
  gpgsign = true

[gpg]
  format = ssh

Alternatively, these commands will make the same edits to ~/.gitconfig for you:

git config --global user.signingkey $HOME/.ssh/id_rsa.pub
git config --global commit.gpgsign true
git config --global gpg.format ssh

After the config is present in ~/.gitconfig, you need to add the public key to your GitHub profile as a signing key so that GitHub shows your commits as signed (verified).

Once configured, all future commits will be signed with this SSH key! If you don't want to sign a specific commit, override the setting for that one invocation with -c commit.gpgsign=false, e.g. git -c commit.gpgsign=false commit -m 'no sig'.

Additionally, I recommend signing with a GPG key on a TPM with physical confirmation for "commits that matter"; this SSH setup is a quick way to sign less critical commits.

Allowed Signers File

If you run into the following error:

error: gpg.ssh.allowedSignersFile needs to be configured and exist for ssh signature verification

you need an allowed_signers file. Each line maps a principal (the email address git will look up, so it must match the user.email in your gitconfig) to the public key that is allowed to sign for it:

echo "your@email_address_in_gitconfig.com $(cat $HOME/.ssh/id_rsa.pub)" >> ~/.ssh/allowed_signers

Then edit your ~/.gitconfig to point at the allowed_signers file:

[gpg "ssh"]
  allowedSignersFile = ~/.ssh/allowed_signers

or run:

git config --global gpg.ssh.allowedSignersFile "$HOME/.ssh/allowed_signers"
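The whole procedure from this post, the signing config plus the allowed_signers file, as an added end-to-end example (not part of the original post). It runs in a throwaway HOME so it never touches your real ~/.gitconfig or ~/.ssh, generates a constructed Ed25519 key for a made-up dev@example.com, signs one commit, makes one unsigned commit with the -c commit.gpgsign=false override, and then asks git to verify both against the allowed_signers file. One assumption differs from the post: user.signingkey points at the private key file rather than the .pub, so the demo works without ssh-agent (the .pub path is what you use when the key is loaded in the agent). Requires git 2.34 or newer and an ssh-keygen that supports -Y sign.

```shell
#!/bin/sh
# Added example, not the original post's code: SSH commit signing end to end
# in an isolated HOME. Nothing here touches the real ~/.gitconfig or ~/.ssh.
set -eu

# True when git (>= 2.34, where gpg.format=ssh arrived) and ssh-keygen are present.
ssh_signing_supported() {
  command -v git >/dev/null 2>&1 && command -v ssh-keygen >/dev/null 2>&1 || return 1
  v=$(git --version | sed 's/^git version //; s/[^0-9.].*//')
  major=${v%%.*}; rest=${v#*.}; minor=${rest%%.*}
  [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -ge 34 ]; }
}

# setup_signing DIR EMAIL: throwaway key, global gitconfig that signs with it,
# and an allowed_signers file that trusts that key for EMAIL.
setup_signing() {
  dir=$1; email=$2
  mkdir -p "$dir/.ssh" && chmod 700 "$dir/.ssh"
  # Constructed demo key with an empty passphrase; a real key should be
  # protected by a passphrase or live in ssh-agent.
  ssh-keygen -q -t ed25519 -N "" -C "$email" -f "$dir/.ssh/id_ed25519"
  export HOME="$dir"
  export GIT_CONFIG_GLOBAL="$dir/.gitconfig"
  git config --global user.name "Example User"
  git config --global user.email "$email"
  # Private key path so no agent is needed; the post's .pub path needs the agent.
  git config --global user.signingkey "$dir/.ssh/id_ed25519"
  git config --global commit.gpgsign true
  git config --global gpg.format ssh
  # allowed_signers line: principal (must equal user.email) then the public key.
  printf '%s %s\n' "$email" "$(cat "$dir/.ssh/id_ed25519.pub")" > "$dir/.ssh/allowed_signers"
  git config --global gpg.ssh.allowedSignersFile "$dir/.ssh/allowed_signers"
}

# signature_status REPO: git's verdict on the latest commit as the %G? code
# (G = good signature from an allowed signer, N = no signature).
signature_status() {
  git -C "$1" log -1 --format=%G?
}

# demo WORKDIR: prints "<status of signed commit> <status of unsigned commit>".
demo() {
  work=$1
  setup_signing "$work" "dev@example.com"
  repo=$work/repo
  git init -q -b main "$repo"
  echo hello > "$repo/README"
  git -C "$repo" add README
  git -C "$repo" commit -q -m "signed commit"          # signed via ssh-keygen -Y sign
  signed=$(signature_status "$repo")
  git -C "$repo" -c commit.gpgsign=false commit -q --allow-empty -m "no sig"
  unsigned=$(signature_status "$repo")
  printf '%s %s\n' "$signed" "$unsigned"
}

if ssh_signing_supported; then
  demo "$(mktemp -d)"      # expected: "G N"
else
  echo "needs git >= 2.34 and ssh-keygen with -Y support" >&2
fi
```

Inspect the signed commit with git -C "$HOME/repo" log --show-signature -1 to see the same principal lookup that GitHub performs on its side with the key you uploaded. If you delete the allowed_signers file, git log --show-signature reproduces the exact "gpg.ssh.allowedSignersFile needs to be configured" error from the post, because verification has no way to map the key back to a principal.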