Aram Hăvărneanu 2025 4 1 https://xw.is/0003/ 0003 /0003/ Git › Sign Git commits with SSH keys Git can use ssh-keygen(1) to sign commits and tags. The problem is that if you want to avoid entering passphrases it requires a running ssh-agent(1). This is the case even if you configured ssh to automatically decrypt keys using the iCloud Keychain, as ssh-keygen(1) will not read ~/.ssh/config. We're going to make git(1) run a helper script that temporarily loads the required key into the ssh agent, setting a short timeout. Aram Hăvărneanu 2025 4 1 Create helper script Create this executable file and put it in your PATH, I'm using ~/bin/git-config-helper-gpg.ssh.defaultKeyCommand. #/bin/bash ssh-add -q -t 5 --apple-load-keychain ~/.ssh/id_ed25519 KEY=$(ssh-add -L | head -n 1) echo key::$KEY Aram Hăvărneanu 2025 4 1 Configure Git to use SSH for signing git config --global gpg.format ssh git config --global gpg.ssh.defaultKeyCommand ~/bin/git-config-helper-gpg.ssh.defaultKeyComma This configures git(1) to use SSH signing (as opposed to GPG) and instructs it to run our helper script when it needs to sign. Aram Hăvărneanu 2025 4 1 Configure Git to verify signatures Record a list of known email-signature pairs in .ssh/allowed_signers (file name and location is arbitrary): aram@mgk.ro ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMRc0UWKrFpCv/EOUo2jpEQt+C/pa0tc1rUWKgjbKTp7 aram@edengate.local Then configure git(1) to use this file for verification: git config --global gpg.ssh.allowedSignersFile ~/.ssh/allowed_signers Aram Hăvărneanu 2025 4 1 Sign every commit Optionally, you might want to automatically sign every commit and tag: git config --global commit.gpgsign true git config --global tag.gpgsign true Aram Hăvărneanu 2025 4 1 How to use Sign your commits using git commit -S (or enable autosigning). To check signatures use git log --show-signature. Aram Hăvărneanu 2025 4 1 GitHub GitHub needs to be aware of signing keys. The SSH key has to be specifically marked as a signing key in order for GitHub to show "verified" status. References Context Backlinks Related https://xw.is/git/ git /git/ Git distributed version control system Software https://git-scm.com Git is a free and open source distributed version control system designed to handle everything from small to very large projects with speed and efficiency. https://xw.is/openssh/ openssh /openssh/ OpenSSH Software https://www.openssh.com Premier connectivity tool for remote login with the SSH protocol. https://xw.is/git.1 git.1 /git.1 git(1) Manual https://git-scm.com/docs/git Git command line client. https://xw.is/ssh-agent.1 ssh-agent.1 /ssh-agent.1 ssh-agent(1) Manual https://man.openbsd.org/ssh-agent.1 OpenSSH authentication agent. https://xw.is/ssh-keygen.1 ssh-keygen.1 /ssh-keygen.1 ssh-keygen(1) Manual https://man.openbsd.org/ssh-keygen.1 OpenSSH authentication key utility. Aram Hăvărneanu 2022 7 28 https://xw.is/0004/ 0004 /0004/ macOS › Use the Apple Keychain for ssh key passphrases On modern macOS systems, you can set up your system such that your encrypted ssh keys get automatically decrypted using the passphrase stored in the Apple Keychain (which gets unlocked at login). Aram Hăvărneanu 2022 7 28 Add your passphrase to the Keychain Create your keys as usual, then do this once for every key: ssh-add --apple-use-keychain ~/.ssh/id_ed25519 You must use the full path your key, a relative path will not work! Note that we're adding the key to the ssh agent here, but we will not be using the ssh agent. Rather, this operation has the side effect that the key will be saved in the keychain. Aram Hăvărneanu 2022 7 28 Configure ssh to use the Keychain Add this to your ~/.ssh/config: Host * IgnoreUnknown UseKeychain UseKeychain yes IgnoreUnknown is there so that UseKeychain (an Apple-specific extension) will work with non-Apple ssh implementations. Contrary to Internet misinformation you do not need to use ssh-agent(1), or enable any special Apple-specific options for the ssh agent. Of course you can do this per-host, or per-key, but then IgnoreUnknown should come early in your configuration, before any use of UseKeychain. Contributions