Earlier, GitHub only supported signing commits via GPG. Recently (Nov 2021), they started allowing SSH signing.
Assumptions:
- running Linux
- have already generated an SSH key (RSA or ED25519)
  - files `id_ed25519` and `id_ed25519.pub` exist in `~/.ssh/`
- have installed git 2.34.0 or newer
- have installed OpenSSH 8.0 or newer
On your command line:
|
|
After this, if you commit, git should ask you for a passphrase for signing.
You can check whether the signature was applied properly:
|
|
However, if you get an error:
|
|
then follow the instructions below, or the ones from this link:
|
|
The reason for the error is:
The reason why this signature cannot be verified is because Git does not know which SSH keys
to trust. In contrast to PGP, there is no "web of trust" where keys can be signed. Instead,
you manage a list of trusted keys on your computer, the "allowed signers file" which works
very similar to the "authorized keys file" used by SSH.
See `man 1 ssh-keygen`.