# Configure SSH Commit Signing

This recipe configures Git to sign every commit using an SSH key.

## Requirements

* Git 2.34+
* OpenSSH
* Existing ED25519 SSH key


## Configure Git

```bash
git config --global gpg.format ssh
git config --global commit.gpgsign true
git config --global user.signingkey ~/.ssh/id_ed25519.pub
```

Replace `id_ed25519.pub` with your public signing key if necessary.

## Configure Allowed Signers

Create the directory.

```bash
mkdir -p ~/.config/git
```

Create the file.

```text
~/.config/git/allowed_signers
```

Example:

```text
jotaodiceu@odinetwork.com.br ssh-ed25519 ABCDEfghijk012345...
```

Configure Git.

```bash
git config --global gpg.ssh.allowedSignersFile ~/.config/git/allowed_signers
```

## Verify Configuration

```bash
git config --global --list | grep signing
git config --global --list | grep gpg
```

## Test

Create an empty commit.

```bash
git commit --allow-empty -m "Test signed commit"
```

Verify the signature.

```bash
git log --show-signature -1
```

Expected output:

```text
Good "git" signature for ...
```

# Known Issues

## error: No private key found

Example:

```text
No private key found for ...
```

Possible causes:

* wrong `user.signingkey`
* missing private key
* unsupported private key format

Verify:

```bash
ssh-keygen -y -f ~/.ssh/id_ed25519
```

## error in libcrypto: unsupported

Example:

```text
Load key "...": error in libcrypto: unsupported
```

Cause:

The private key was saved with CRLF line endings.

Verify:

```bash
cat -A ~/.ssh/id_ed25519 | head
```

If lines end with `^M`, convert the file.

```bash
dos2unix ~/.ssh/id_ed25519
```

## Repository rejects unsigned commits

Check whether commit signing is enabled.

```bash
git config --global commit.gpgsign
```

Expected:

```text
true
```

## Gitea does not show "Verified"

Verify that:

* the public key was added as a Signing Key;
* the commit email matches the Gitea account;
* the commit was created after signing was configured.

## Verify Everything

```bash
git config --list --show-origin

git log --show-signature -1

ssh-keygen -y -f ~/.ssh/id_ed25519
```