@paulmillr
Last active November 4, 2023 15:22
Sign git commits with ssh key

  • git version must be >= 2.34. Earlier versions don't support gpg.format ssh (signing commits with ssh keys).

    If you print signature keys in git log using %GK %GF %GP %GT in git.format.pretty, earlier versions will crash when running git log with the following error:

    BUG: gpg-interface.c:284: bad signature

  • OpenSSH version must be >= 8.8. Earlier versions don't support the valid-after and valid-before allowed_signers options.

The setup is as follows:

git config --global gpg.format ssh
git config --global gpg.ssh.allowedSignersFile ~/.ssh/allowed_signers
git config --global user.signingkey 'ssh-ed25519 AAAAC3N...'
echo 'user@email.com valid-after="20220501",valid-before="20220601" ssh-ed25519 AAAAC3N...' > ~/.ssh/allowed_signers

eval "$(ssh-agent -s)"
  • You need a ~/.ssh/allowed_signers file listing all keys; otherwise git log will fail, which is a huge UX mess.
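To make the allowed_signers requirement and the valid-after/valid-before window above concrete, here is an added example (not from the gist and not OpenSSH's own code) that parses an allowed_signers file and applies its principal, namespace and time-window rules the way ssh-keygen -Y verify does, in simplified form; the key blobs and e-mail addresses are constructed placeholders.

```python
"""Simplified model of how ssh-keygen -Y verify consults allowed_signers; added example, not
from the gist. Key blobs are constructed placeholders; no cert-authority or '!' patterns."""
import re
from datetime import datetime, timezone
from fnmatch import fnmatchcase

KEY_1, KEY_2 = "ssh-ed25519 AAAAC3N_PLACEHOLDER_KEY_1", "ssh-ed25519 AAAAC3N_PLACEHOLDER_KEY_2"
# Modelled on the gist's echo line: entry 1 is time-limited, entry 2 is restricted to "git".
SAMPLE_ALLOWED_SIGNERS = f"""\
user@email.com valid-after="20220501",valid-before="20220601" {KEY_1}
*@example.org namespaces="git" {KEY_2}
"""

KEY_TYPE = re.compile(r"^(ssh-|ecdsa-|sk-)")      # second field is a key type: no options
OPTION = re.compile(r'([a-z-]+)(?:="([^"]*)")?')  # bare flag or name="value"

def parse_timestamp(stamp):
    """OpenSSH accepts YYYYMMDD[Z] or YYYYMMDDHHMM[SS][Z]; all treated as UTC here."""
    digits = stamp.rstrip("Z")
    fmt = {8: "%Y%m%d", 12: "%Y%m%d%H%M", 14: "%Y%m%d%H%M%S"}[len(digits)]
    return datetime.strptime(digits, fmt).replace(tzinfo=timezone.utc)

def parse_allowed_signers(text):
    """Each line: principals [options] key-type key-blob [comment]."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue
        principals, rest, options = fields[0].split(","), fields[1:], {}
        if not KEY_TYPE.match(rest[0]):            # options field present
            options, rest = dict(OPTION.findall(rest[0])), rest[1:]
        entries.append({"principals": principals, "options": options, "key": f"{rest[0]} {rest[1]}"})
    return entries

def check_signer(entries, principal, key, when, namespace="git"):
    """git passes the committer e-mail as principal and "git" as namespace (newer git: commit time too)."""
    verify_time = parse_timestamp(when)
    for e in entries:
        if e["key"] != key or not any(fnmatchcase(principal, p) for p in e["principals"]):
            continue
        opts = e["options"]
        if "namespaces" in opts and namespace not in opts["namespaces"].split(","):
            return "rejected: namespace not allowed"
        if "valid-after" in opts and verify_time < parse_timestamp(opts["valid-after"]):
            return "rejected: key not yet valid"
        if "valid-before" in opts and verify_time > parse_timestamp(opts["valid-before"]):
            return "rejected: key expired"
        return "accepted"
    return "rejected: no allowed_signers entry for this principal and key"
```

The last return is the case the note above warns about: a signer missing from the file is reported as untrusted rather than verified, so git log stops being useful until every signing key is listed.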
T3sT3ro commented Feb 15, 2023

You shouldn't put the public key content in the signingkey but instead add the ID of a GPG key acquired from gpg --list-secret-keys --keyid-format=long as per the official docs when using GPG keys OR use a path to the public key file (if, for example, you use SSH keys). Pasting the public key was a common thing some time ago because all tutorials on the web did it that way. Why? I don't know... More info here.

This is important, because it will bite you later when you, for example, create a cron job that does something on the user's behalf. With the copy-paste method, automation jobs fail with a cryptic error message: Load key "/tmp/.git_signing_key_tmpAyMvwp": error in libcrypto?
