Configure SSH Commit Signing
This recipe configures Git to sign every commit using an SSH key.
Requirements
- Git 2.34+
- OpenSSH
- Existing ED25519 SSH key
Configure Git
git config --global gpg.format ssh
git config --global commit.gpgsign true
git config --global user.signingkey ~/.ssh/id_ed25519.pub
Replace id_ed25519.pub with your public signing key if necessary.
Configure Allowed Signers
Create the directory.
mkdir -p ~/.config/git
Create the file.
~/.config/git/allowed_signers
Example:
jotaodiceu@odinetwork.com.br ssh-ed25519 ABCDEfghijk012345...
Configure Git.
git config --global gpg.ssh.allowedSignersFile ~/.config/git/allowed_signers
Verify Configuration
git config --global --list | grep signing
git config --global --list | grep gpg
Test
Create an empty commit.
git commit --allow-empty -m "Test signed commit"
Verify the signature.
git log --show-signature -1
Expected output:
Good "git" signature for ...
Known Issues
error: No private key found
Example:
No private key found for ...
Possible causes:
- wrong user.signingkey
- missing private key
- unsupported private key format
Verify:
ssh-keygen -y -f ~/.ssh/id_ed25519
error in libcrypto: unsupported
Example:
Load key "...": error in libcrypto: unsupported
Cause:
The private key was saved with CRLF line endings.
Verify:
cat -A ~/.ssh/id_ed25519 | head
If lines end with ^M, convert the file.
dos2unix ~/.ssh/id_ed25519
Repository rejects unsigned commits
Check whether commit signing is enabled.
git config --global commit.gpgsign
Expected:
true
Gitea does not show "Verified"
Verify that:
- the public key was added as a Signing Key;
- the commit email matches the Gitea account;
- the commit was created after signing was configured.
Verify Everything
git config --list --show-origin
git log --show-signature -1
ssh-keygen -y -f ~/.ssh/id_ed25519
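The checks from Known Issues can be collected into one read-only pre-flight script. This is an added example, not part of the original recipe; the function names (has_crlf, signer_listed, preflight) are hypothetical, and principals are assumed to be literal e-mail addresses without wildcards.

```shell
#!/bin/sh
# Added example: pre-flight checks for the failure modes under "Known Issues".
# Not part of the original recipe. Read-only: no file is modified.

# True if the file contains a carriage return, i.e. CRLF line endings.
has_crlf() {
    grep -q "$(printf '\r')" "$1"
}

# True if allowed_signers file $1 lists principal $2 with the key in .pub file $3.
# Simplification (assumption): principals are compared literally, no wildcards.
signer_listed() {
    # A .pub file is "<type> <base64> [comment]".
    read -r ktype kblob rest < "$3" || true
    awk -v p="$2" -v t="$ktype" -v b="$kblob" '
        /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
        {
            listed = 0
            n = split($1, ps, ",")               # field 1: comma-separated principals
            for (i = 1; i <= n; i++) if (ps[i] == p) listed = 1
            if (!listed) next
            # options such as namespaces="git" may sit before the key type
            for (f = 2; f < NF; f++) if ($f == t && $(f + 1) == b) found = 1
        }
        END { exit !found }' "$1"
}

# preflight PUBKEY ALLOWED_SIGNERS EMAIL: print each problem, return 1 if any.
preflight() {
    pubkey=$1 signers=$2 email=$3 problems=0
    privkey=${pubkey%.pub}
    if [ ! -f "$pubkey" ] || [ ! -f "$privkey" ]; then
        echo "key pair incomplete: need $pubkey and $privkey"; problems=1
    elif has_crlf "$privkey"; then
        echo "$privkey has CRLF line endings; convert it with dos2unix"; problems=1
    fi
    if [ ! -f "$signers" ]; then
        echo "allowed signers file not found: $signers"; problems=1
    elif [ -f "$pubkey" ] && ! signer_listed "$signers" "$email" "$pubkey"; then
        echo "$email with this key is not in $signers"; problems=1
    fi
    return "$problems"
}
```

Call it with the values the recipe configured, for example `preflight ~/.ssh/id_ed25519.pub ~/.config/git/allowed_signers "$(git config user.email)"`.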