Sign Git commits with SSH keys
Introduction
Git can use ssh-keygen(1) to sign commits and tags. The problem is that, if you want to avoid entering passphrases, it requires a running ssh-agent(1). This is the case even if you configured ssh to decrypt keys automatically using iCloud Keychain, because ssh-keygen(1) does not read ~/.ssh/config.
How to
We're going to make git(1) run a helper script that temporarily loads the required key into the ssh agent, setting a short timeout.
Create helper script
Create this file, make it executable, and put it in your PATH. I'm using ~/bin/git-config-helper-gpg.ssh.defaultKeyCommand.

#!/bin/bash
# Load the signing key into ssh-agent for 5 seconds, taking the passphrase from the macOS keychain.
ssh-add -q -t 5 --apple-load-keychain ~/.ssh/id_ed25519
# Report the first key held by the agent to git in the "key::<public key>" format that gpg.ssh.defaultKeyCommand expects.
KEY=$(ssh-add -L | head -n 1)
echo "key::$KEY"
Configure Git to use SSH for signing
git config --global gpg.format ssh
git config --global gpg.ssh.defaultKeyCommand ~/bin/git-config-helper-gpg.ssh.defaultKeyCommand
This configures git(1) to use SSH signing (as opposed to GPG) and instructs it to run our helper when it needs to sign.
Configure Git to verify signatures
Record a list of known email and public-key pairs in ~/.ssh/allowed_signers (the file name and location are arbitrary):
aram@mgk.ro ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMRc0UWKrFpCv/EOUo2jpEQt+C/pa0tc1rUWKgjbKTp7 aram@edengate.local
Then configure git(1) to use this file for verification:
git config --global gpg.ssh.allowedSignersFile ~/.ssh/allowed_signers
Sign every commit
Optionally, you might want to automatically sign every commit and tag:
git config --global commit.gpgsign true
git config --global tag.gpgsign true
How to use
Sign your commits using git commit -S (or enable autosigning). To check signatures, use git log --show-signature.
GitHub
GitHub needs to be aware of signing keys. An SSH key has to be specifically marked as a signing key in order for GitHub to show "verified" status.