@vegaasen
Last active May 7, 2024 09:05
Add signature to github for existing SSH keys! 😁

How to /sign your commits by an existing SSH key

👋 Intro

Signing commits is useful for verifying that a commit was actually made by the source it claims to come from. Anyone can commit and give it any name and email address. Verification is a way to tell the difference between commits made by someone pretending to be us and commits we've actually made.

1. Set public key as an allowed signer

  1. Copy the contents of your public key (the one already in GitHub - I use ~/.ssh/id_rsa.pub)
  2. Create a new file: ~/.git-signing
  3. On the first line, add the email you use in your commits (it must match your GitHub profile), hit space, and paste the contents of your public key

The contents of the file (.git-signing) should now look something like this:

me@email.com ssh-rsa AAZZZZZZZZzaC1yc2XXDDDZZZABAAACAQDH7TL1soc9E5mkZVDj9... ... ... ... .. PunvTGXBzzL1hKZsmxRRQ== Me Me Me@Me

Note

The email does not have to match the one at the end of your key file; that part is just the comment you set with the -C flag when generating the key.

2. Update .gitconfig

Update your gitconfig with the following (git config --global --edit):

[user]
    ..
    name = Me Me Me
    email = me@email.com
    signingkey = ~/.ssh/id_rsa.pub
    ..
[gpg]
    format = ssh
[gpg "ssh"]
    allowedsignersfile = ~/.git-signing
[commit]
    ..
    gpgsign = true
    ..

2.1 Explanation

  • signingkey points to your public key
  • The gpg format is set to ssh, since we have an SSH key rather than a GPG key
  • We tell git about the allowed signers file we just made so that it can check signatures against the keys and emails listed there
  • Lastly, we tell git to always sign our commits. This can be omitted, but then we would have to add -S to every commit we want to sign. We can do the same for tags.

3. Verify

We can verify that signing works by making a commit and running:

git log --show-signature

We should then get:

commit b4836c2d8cdflipflop99dac249693f73607e (HEAD -> my-sick-branch)
Good "git" signature for me@email.com with RSA key SHA256:qC4F+1GuxcuAdZjcPflipflop2nLA02x4iHef5KEsDCyQ
Author: Me Me Me <me@email.com>
Date:   Fri May 01 13:00:33 2000 +0200

    Update readme

4. Add key to GitHub!

With that, we have local signing; now we need to add our public key to GitHub to get the verified badge on our commits there as well.

  1. Navigate to profile > settings > SSH and GPG keys
  2. Add a new SSH key
    1. Give it a fitting name, select Signing Key, and use the public key from earlier
  3. Save it!

5. Verify on GitHub

Push the change, and look for the green badge on your commits!

You're done!
