ssh signing git commits

Earlier, GitHub only supported signing commits via GPG. Recently (Nov 2021), they started allowing SSH signing.


Assumptions:

  • running Linux
  • have already generated an SSH key (RSA or ED25519).
    • files id_ed25519 and id_ed25519.pub exist in ~/.ssh/
  • have installed git 2.34.0 or newer
  • have installed OpenSSH 8.0 or newer


On your cmd:

git config --global gpg.format ssh
git config --global user.signingkey ~/.ssh/id_ed25519
git config --global commit.gpgsign true

After this, when you commit, git should ask you for the key's passphrase to sign the commit.

One can check whether the signature was applied properly:

lnxbox:~/repo$ git log --show-signature
commit c4d9cc5cb0a162024eac09bfc813f5d1fbc3e3c3 (HEAD -> source)
Good "git" signature for ********@users.noreply.github.com with ED25519 key SHA256:*******************************************
Author: Sarang Baheti <********@users.noreply.github.com>
Date:   Sat Jul 1 08:06:32 2023 +0000

    added ssh-signing notes


However, if you get an error:

error: gpg.ssh.allowedSignersFile needs to be configured and exist for ssh signature verification

then follow the instructions below (or those at this link):

lnxbox:~/repo$ mkdir -p ~/.config/git
lnxbox:~/repo$ echo "********@users.noreply.github.com $(cat ~/.ssh/id_ed25519.pub)" > ~/.config/git/allowed_signers
lnxbox:~/repo$ git config --global gpg.ssh.allowedSignersFile ~/.config/git/allowed_signers
lnxbox:~/repo$
lnxbox:~/repo$ git log --show-signature


The reason for the error:

The reason why this signature cannot be verified is because Git does not know which SSH keys
to trust. In contrast to PGP, there is no "web of trust" where keys can be signed. Instead,
you manage a list of trusted keys on your computer, the "allowed signers file" which works
very similar to the "authorized keys file" used by SSH.
See the ALLOWED SIGNERS section of `man 1 ssh-keygen`: each line is `principal keytype base64-key`, with the principal being the committer e-mail that `-I` is checked against.
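Added example (not from the original notes): a POSIX shell script that builds a correctly formatted allowed_signers line and then exercises the same ssh-keygen primitives git uses under the hood (`ssh-keygen -Y sign` / `ssh-keygen -Y verify`, namespace `git`). It shows the trust model described above in action: a signature from the listed key verifies, a signature from an unlisted key does not, and the listed key does not verify for a principal it is not bound to. Everything is created in a temporary directory with throwaway keys and constructed principals (alice@example.com, bob@example.com); nothing touches ~/.ssh or your git config.

```shell
#!/bin/sh
# Added example, not part of the original notes.
# Requires ssh-keygen (OpenSSH 8.0+ for -Y sign/verify).

# Print one allowed_signers line: "<principal> <keytype> <base64 key>".
# The trailing comment in the .pub file is not part of the format, so only
# the first two fields are copied. This is the one-line form the mkdir/echo
# step above must produce; a principal on its own line is not valid.
allowed_signers_line() {
    principal=$1
    pubfile=$2
    keytype=$(cut -d' ' -f1 "$pubfile")
    keydata=$(cut -d' ' -f2 "$pubfile")
    printf '%s %s %s\n' "$principal" "$keytype" "$keydata"
}

# Sign file $2 with private key $1 in the "git" namespace (what git does
# for commits). ssh-keygen writes the signature to "$2.sig".
ssh_sign() {
    rm -f "$2.sig"
    ssh-keygen -Y sign -f "$1" -n git "$2" >/dev/null 2>&1
}

# Verify the signature on file $3 against allowed_signers file $1 for
# principal $2. Prints "good" or "bad" instead of exiting, so callers can
# collect results.
ssh_verify() {
    if ssh-keygen -Y verify -f "$1" -I "$2" -n git -s "$3.sig" < "$3" >/dev/null 2>&1; then
        echo good
    else
        echo bad
    fi
}

# End-to-end demo in a temp dir. Returns "good bad bad":
#   1. alice's key is listed for alice@example.com -> verifies
#   2. mallory's key is not listed at all          -> rejected
#   3. alice's key checked for bob@example.com     -> rejected (wrong principal)
demo() {
    d=$(mktemp -d)
    ssh-keygen -q -t ed25519 -N '' -C alice -f "$d/alice"       # constructed throwaway key
    ssh-keygen -q -t ed25519 -N '' -C mallory -f "$d/mallory"   # constructed throwaway key

    # Trust exactly one key, bound to one principal.
    allowed_signers_line alice@example.com "$d/alice.pub" > "$d/allowed_signers"

    printf 'added ssh-signing notes\n' > "$d/msg"   # stands in for the commit object

    ssh_sign "$d/alice" "$d/msg"
    r1=$(ssh_verify "$d/allowed_signers" alice@example.com "$d/msg")

    ssh_sign "$d/mallory" "$d/msg"
    r2=$(ssh_verify "$d/allowed_signers" alice@example.com "$d/msg")

    ssh_sign "$d/alice" "$d/msg"
    r3=$(ssh_verify "$d/allowed_signers" bob@example.com "$d/msg")

    rm -rf "$d"
    echo "$r1 $r2 $r3"
}

# Usage: run the demo and print its three verdicts.
# demo
```

The second and third cases are the ones worth keeping in mind when you copy someone else's allowed_signers line: git's `Good "git" signature for <email>` only means the key appeared in that file next to that e-mail, so the file is the whole trust decision and should be treated like `authorized_keys`.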
