Aram's Wiki β

Sign Git commits with SSH keys

Introduction

Git can use ssh-keygen(1) to sign commits and tags. The problem is that, if you want to avoid typing the passphrase on every signature, it requires a running ssh-agent(1) that already holds the key. This is the case even if you configured ssh to decrypt keys automatically from the iCloud Keychain, because ssh-keygen(1) does not read ~/.ssh/config.

How to

We're going to make git(1) run a helper script that temporarily loads the required key into the ssh agent, setting a short timeout.

Create helper script

Create this file and put it in your PATH; I'm using ~/bin/git-config-helper-gpg.ssh.defaultKeyCommand.

#!/bin/bash

# Load the key into the agent for 5 seconds, unlocking it from the macOS keychain
# (--apple-load-keychain is specific to Apple's ssh-add; -q keeps it quiet).
ssh-add -q -t 5 --apple-load-keychain ~/.ssh/id_ed25519
# Print the first loaded public key in the "key::<type> <base64>" form that
# git expects from gpg.ssh.defaultKeyCommand.
KEY=$(ssh-add -L | head -n 1)
echo "key::$KEY"

Configure Git to use SSH for signing

git config --global gpg.format ssh
git config --global gpg.ssh.defaultKeyCommand ~/bin/git-config-helper-gpg.ssh.defaultKeyCommand

This configures git(1) to use SSH signing (as opposed to GPG) and instructs it to run our helper whenever it needs a key to sign with.

Configure Git to verify signatures

Record the known email-to-public-key pairs in .ssh/allowed_signers (the file name and location are arbitrary); each line is a principal (the committer email) followed by that person's public key:

aram@mgk.ro ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMRc0UWKrFpCv/EOUo2jpEQt+C/pa0tc1rUWKgjbKTp7 aram@edengate.local

Then configure git(1) to use this file for verification:

git config --global gpg.ssh.allowedSignersFile ~/.ssh/allowed_signers

Sign every commit

Optionally, you might want to automatically sign every commit and tag:

git config --global commit.gpgsign true
git config --global tag.gpgsign true

How to use

Sign your commits using git commit -S (or enable autosigning as above). To check signatures, use git log --show-signature.
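To see what git does underneath when it signs and verifies with gpg.format=ssh, here is an added example (not from this wiki page) that runs the same ssh-keygen -Y operations by hand in the "git" namespace. It assumes ssh-keygen from OpenSSH 8.2 or later is on PATH; the key, allowed_signers file, payload and the dev@example.com identity are all constructed in a temporary directory.

```shell
#!/bin/sh
# Added example: reproduce git's SSH signing and verification with ssh-keygen -Y.
# Assumes OpenSSH 8.2+ ssh-keygen on PATH; everything below is constructed scratch data.

# Generate a throwaway ed25519 key and an allowed_signers file binding it to one email.
# Line format: <principal> [options] <keytype> <base64 key>. namespaces="git" limits the
# entry to git signatures, so the same key cannot vouch for signatures in other namespaces.
setup_fixture() {
    DIR=$(mktemp -d) || return 1
    ssh-keygen -q -t ed25519 -N '' -C 'constructed signing key' -f "$DIR/key" || return 1
    printf 'dev@example.com namespaces="git" %s\n' \
        "$(cut -d' ' -f1,2 "$DIR/key.pub")" > "$DIR/allowed_signers"
    printf 'constructed stand-in for a commit object\n' > "$DIR/payload"
}

# Sign the payload in namespace "git" (git passes -n git); writes payload.sig.
sign_payload() {
    ssh-keygen -Y sign -n git -f "$DIR/key" "$DIR/payload" >/dev/null 2>&1
}

# Verify payload.sig for identity $1. git passes the committer email as -I, so a valid
# signature from a key that allowed_signers binds to a different email still fails.
verify_as() {
    if ssh-keygen -Y verify -n git -f "$DIR/allowed_signers" -I "$1" \
            -s "$DIR/payload.sig" < "$DIR/payload" >/dev/null 2>&1; then
        echo "ok:   $1 is an allowed signer for the key that made this signature"
    else
        echo "fail: $1 is not bound to the signing key in allowed_signers"; return 1
    fi
}

# Which principal does allowed_signers bind to the key behind payload.sig?
signer_principals() {
    ssh-keygen -Y find-principals -s "$DIR/payload.sig" -f "$DIR/allowed_signers" 2>/dev/null
}

# Stand-alone run: the second verify is expected to fail (right key, wrong email).
demo() {
    setup_fixture && sign_payload || return 1
    verify_as dev@example.com
    verify_as other@example.com
    echo "allowed_signers binds this key to: $(signer_principals)"
    rm -rf "$DIR"
}
demo
```

The mismatch case is the one git reports as a bad signature even though the cryptography checks out: verification binds the key to the committer email listed in allowed_signers, not just to the key.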

GitHub

GitHub needs to be aware of signing keys. An SSH key has to be added specifically as a signing key (not only as an authentication key) in order for GitHub to show the "Verified" status.
