
Sign Git commits with SSH keys

2,513 bytes added, 1 April
== Introduction ==

Git can use '''ssh-keygen(1)''' to sign commits and tags. The catch is that, unless you want to type the key's passphrase on every signature, it needs a running '''ssh-agent(1)''' that already holds the key. This is true even if you have configured ssh to [[Use the Apple Keychain for ssh key passphrases|automatically decrypt keys using iCloud Keychain]]: '''ssh-keygen(1)''' does not read <code>~/.ssh/config</code>, so the <code>UseKeychain</code> option has no effect on it.

== How to ==

We're going to make '''git(1)''' run a helper script whenever it needs to sign. The helper loads the required key into the ssh agent with a short lifetime (a few seconds), so the passphrase is fetched from the keychain and the key is discarded from the agent again right after the signature is made.

=== Create helper script ===

Create this file and make it executable (<code>chmod +x</code>). Git will be configured with its full path, so it does not have to be in your <code>PATH</code>; I'm using <code>~/bin/git-config-helper-gpg.ssh.defaultKeyCommand</code>.

#!/bin/bash
# Load the key into the agent for 5 seconds; on macOS ssh-add takes the
# passphrase from the keychain, so nothing is prompted for.
set -euo pipefail
KEY_FILE=~/.ssh/id_ed25519
ssh-add -q -t 5 --apple-load-keychain "$KEY_FILE"
# Git expects the first line of output to be "key::" followed by the public key.
# Read the matching .pub file rather than taking whatever key happens to be
# listed first by "ssh-add -L".
echo "key::$(cut -d' ' -f1,2 "$KEY_FILE.pub")"

=== Configure Git to use SSH for signing ===

git config --global gpg.format ssh
git config --global gpg.ssh.defaultKeyCommand ~/bin/git-config-helper-gpg.ssh.defaultKeyCommand

This configures '''git(1)''' to use SSH signing (as opposed to GPG) and instructs it to run our helper whenever it needs to sign and <code>user.signingkey</code> is not set. Git takes the key to sign with from the helper's first line of output, which must be <code>key::</code> followed by the public key.

=== Configure Git to verify signatures ===

Record the signers you trust, one per line, as pairs of principal (e-mail address) and public key in <code>~/.ssh/allowed_signers</code> (file name and location are arbitrary):

aram@mgk.ro ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMRc0UWKrFpCv/EOUo2jpEQt+C/pa0tc1rUWKgjbKTp7 aram@edengate.local

Then configure '''git(1)''' to use this file for verification:

git config --global gpg.ssh.allowedSignersFile ~/.ssh/allowed_signers

=== Sign every commit ===

Optionally, you might want to automatically sign every commit and tag:

git config --global commit.gpgsign true
git config --global tag.gpgsign true

=== How to use ===

Sign your commits using <code>git commit -S</code> (or enable autosigning as above). To check signatures use <code>git log --show-signature</code>, or <code>git verify-commit HEAD</code> for a single commit; the latter exits non-zero when the signature is missing, invalid, or made with a key that is not listed in the allowed signers file.

== GitHub ==

GitHub needs to know which keys are used for signing. [https://docs.github.com/en/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account An SSH key has to be added to your account specifically as a signing key] (a separate key type from authentication keys) in order for GitHub to show the "Verified" badge on your commits.

== References ==

* [https://git-scm.com/docs/git-config git-config(1)]
* [https://man.openbsd.org/ssh-keygen.1 ssh-keygen(1)]
* [https://man.openbsd.org/ssh-agent.1 ssh-agent(1)]
* [https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification GitHub:About commit signature verification]
