# Configure SSH Commit Signing

This recipe configures Git to sign every commit with an SSH key and to verify SSH-signed commits locally against an allowed-signers file.

## Requirements

* Git 2.34 or later (SSH signing support was added in 2.34)
* OpenSSH 8.2 or later (Git signs with `ssh-keygen -Y sign` and verifies with `ssh-keygen -Y find-principals`, which older releases lack)
* An existing Ed25519 SSH key, for example `~/.ssh/id_ed25519` with its public half in `~/.ssh/id_ed25519.pub`

## Configure Git

```bash
git config --global gpg.format ssh
git config --global commit.gpgsign true
git config --global user.signingkey ~/.ssh/id_ed25519.pub
```

Replace `id_ed25519.pub` with the path to your public signing key if it differs. Git hands this path to `ssh-keygen -Y sign`; per git-config(1), `user.signingkey` may hold the path to the private key, or the path to the public key when the private key is loaded in `ssh-agent`. If signing fails because the private key cannot be found, point `user.signingkey` at the private key file instead. Use `--global` for `commit.gpgsign` only if every repository on the machine should sign; otherwise set it per repository.

## Configure Allowed Signers

Git verifies an SSH signature by looking the key up in an allowed-signers file, so create one even on a machine that only signs: without it, `git log --show-signature` reports a configuration error instead of a verdict.

Create the directory.

```bash
mkdir -p ~/.config/git
```

Create the file.

```text
~/.config/git/allowed_signers
```

Each line holds a principal (use the email address your commits are authored with), followed by the key type and base64 key exactly as they appear in the `.pub` file. The trailing comment from the `.pub` file is not needed.

Example:

```text
jotaodiceu@odinetwork.com.br ssh-ed25519 ABCDEfghijk012345...
```

Configure Git.

```bash
git config --global gpg.ssh.allowedSignersFile ~/.config/git/allowed_signers
```

## Verify Configuration

```bash
git config --global --list | grep signing
git config --global --list | grep gpg
```

`git config --list` prints key names in lower case, so expect `user.signingkey`, `gpg.format`, `gpg.ssh.allowedsignersfile` and `commit.gpgsign` in the output.

## Test

Create an empty commit.

```bash
git commit --allow-empty -m "Test signed commit"
```

Verify the signature.

```bash
git log --show-signature -1
```

Expected output:

```text
Good "git" signature for ...
```

A "Good" result means the signature verified against a key listed in the allowed-signers file, and the principal printed is the one on that key's line. Git does not compare that principal with the commit's author email; that cross-check is done by the hosting platform, not locally.

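The Configure Git, Configure Allowed Signers and Test steps above, run end to end in a throwaway sandbox, as an added example that is not part of the original recipe. It generates a fresh Ed25519 key under a temporary HOME, so no real key or `~/.gitconfig` is touched, builds the allowed-signers line from `user.email`, signs an empty commit and verifies it twice: against the file that lists the key and against one that does not. The identity `dev@example.invalid`, the sandbox paths and the `wrong_signers` file are constructed for the example, and `user.signingkey` is pointed at the private key file so that no `ssh-agent` is needed.

```shell
#!/usr/bin/env bash
# Added example: the SSH commit-signing recipe run end to end in a sandbox.
# Nothing under the real ~/.gitconfig or ~/.ssh is read or written.
set -eu

# Returns 0 when git 2.34+ and OpenSSH 8.2+ are on PATH, 1 otherwise.
ssh_signing_supported() {
    command -v git >/dev/null 2>&1 || return 1
    command -v ssh-keygen >/dev/null 2>&1 || return 1
    gitv=$(git --version | awk '{print $3}')   # e.g. 2.39.2
    major=${gitv%%.*}
    minor=${gitv#*.}
    minor=${minor%%.*}
    if [ "$major" -lt 2 ]; then return 1; fi
    if [ "$major" -eq 2 ] && [ "$minor" -lt 34 ]; then return 1; fi
    sshv=$(ssh -V 2>&1 | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$sshv" ] || return 1
    set -- $sshv                               # $1 = major, $2 = minor
    if [ "$1" -lt 8 ]; then return 1; fi
    if [ "$1" -eq 8 ] && [ "$2" -lt 2 ]; then return 1; fi
    return 0
}

# Runs the recipe in a sandbox. Returns 0 when the signed commit verifies
# against an allowed_signers file that lists the key and is rejected against
# one that does not; returns 1 on any failure.
demo_ssh_commit_signing() {
    sandbox=$(mktemp -d)
    principal="dev@example.invalid"   # constructed identity for the example

    if (
        # Isolate from the real global config, real keys and any ssh-agent.
        export HOME="$sandbox" XDG_CONFIG_HOME="$sandbox/xdg" GIT_CONFIG_NOSYSTEM=1
        unset SSH_AUTH_SOCK
        mkdir -p "$HOME/.ssh" "$HOME/.config/git" || exit 1
        chmod 700 "$HOME/.ssh"

        # Throwaway signing key (no passphrase: sandbox only) and a second,
        # unrelated key that plays the role of an untrusted signer.
        ssh-keygen -q -t ed25519 -N '' -C "$principal" -f "$HOME/.ssh/id_ed25519" || exit 1
        ssh-keygen -q -t ed25519 -N '' -C "other" -f "$HOME/.ssh/other" || exit 1

        # allowed_signers line: "<principal> <keytype> <base64>"; the comment
        # field of the .pub file is dropped. Git matches the key against this
        # file but never compares the principal with the commit's author email.
        printf '%s %s\n' "$principal" "$(cut -d' ' -f1,2 "$HOME/.ssh/id_ed25519.pub")" \
            > "$HOME/.config/git/allowed_signers"
        printf '%s %s\n' "$principal" "$(cut -d' ' -f1,2 "$HOME/.ssh/other.pub")" \
            > "$HOME/.config/git/wrong_signers"

        git init -q -b main "$sandbox/repo" || exit 1
        cd "$sandbox/repo" || exit 1
        git config user.name  "Sandbox Dev"
        git config user.email "$principal"
        # Same settings as the recipe, but repo-local instead of --global.
        git config gpg.format ssh
        git config commit.gpgsign true
        # Private key path: works without ssh-agent (git-config(1) allows the
        # public key path only when the key is loaded in an agent).
        git config user.signingkey "$HOME/.ssh/id_ed25519"
        git config gpg.ssh.allowedSignersFile "$HOME/.config/git/allowed_signers"

        git commit -q --allow-empty -m "Test signed commit" || exit 1

        # Positive check: the recipe's own verification step.
        git --no-pager log --show-signature -1 | grep -q 'Good "git" signature' || exit 1
        git verify-commit HEAD 2>/dev/null || exit 1

        # Negative check: same commit, a trust file that lacks the key.
        if git -c gpg.ssh.allowedSignersFile="$HOME/.config/git/wrong_signers" \
               verify-commit HEAD 2>/dev/null; then
            echo "verification must fail when the key is not an allowed signer" >&2
            exit 1
        fi
    ); then rc=0; else rc=1; fi

    rm -rf "$sandbox"
    return $rc
}

# Stand-alone use: prints the verdict; does nothing on hosts without git 2.34+.
if ssh_signing_supported; then
    if demo_ssh_commit_signing; then
        echo "signed commit verified; same commit rejected against an unknown key"
    fi
fi
```

The negative check is the part worth keeping around: a signature that is "Good" only says the key is in the file you pointed Git at, so an allowed-signers file that anyone can append to turns verification into a formality.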
# Known Issues

## error: No private key found

Example:

```text
No private key found for ...
```

Possible causes:

* `user.signingkey` points at the wrong file, or at a public key whose private half is neither loaded in `ssh-agent` nor where `ssh-keygen` can load it
* the private key file is missing
* the private key is in a format `ssh-keygen` cannot load (for example a PuTTY `.ppk` file)

Verify that the private key loads and that it yields the public key you configured; the key type and base64 part of the output must match the contents of the `.pub` file (the trailing comment may differ).

```bash
ssh-keygen -y -f ~/.ssh/id_ed25519
```

## error in libcrypto: unsupported

Example:

```text
Load key "...": error in libcrypto: unsupported
```

Cause:

The private key file was saved with CRLF (Windows) line endings, typically after being edited, pasted or copied through a Windows tool, and OpenSSH cannot parse it.

Verify. Only the first line of the file is shown, so no key material reaches the terminal or its scrollback:

```bash
head -n 1 ~/.ssh/id_ed25519 | cat -A
```

If the line ends with `^M$`, convert the file. `dos2unix` keeps the file mode; if you convert with another tool, make sure the key is still not readable by group or others afterwards, since OpenSSH refuses to load it otherwise.

```bash
dos2unix ~/.ssh/id_ed25519
```

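A self-contained diagnostic for the two errors above (No private key found, error in libcrypto: unsupported), added here as an example and not part of the original page. It detects CRLF line endings without printing a single key byte, repairs them with `tr` so `dos2unix` is not required, checks the file mode, and confirms with `ssh-keygen -y` that the private key really is the one behind the `.pub` file next to it. The function names are constructed for the example, as is the three-line stand-in file used to exercise the CRLF check.

```shell
#!/usr/bin/env bash
# Added example: diagnose an SSH signing key file without echoing key material.
set -eu

# Returns 0 if FILE contains CR bytes (CRLF line endings), 1 if it is clean,
# 2 if it does not exist. Only a byte count leaves the function.
key_has_crlf() {
    [ -f "$1" ] || return 2
    crs=$(tr -cd '\r' < "$1" | wc -c | tr -d ' ')
    [ "$crs" -gt 0 ]
}

# Rewrites FILE with LF endings in place and restores mode 0600, which OpenSSH
# insists on for private keys. Same effect as dos2unix, no extra package.
fix_key_line_endings() {
    tmpfile=$(mktemp "$1.XXXXXX")
    tr -d '\r' < "$1" > "$tmpfile"
    chmod 600 "$tmpfile"
    mv -f "$tmpfile" "$1"
}

# Returns 0 if ssh-keygen derives from private key PRIV the same key type and
# base64 blob stored in PUB (the comment field is ignored), 1 otherwise.
signing_key_pair_matches() {
    derived=$(ssh-keygen -y -f "$1" 2>/dev/null | cut -d' ' -f1,2)
    stored=$(cut -d' ' -f1,2 "$2")
    [ -n "$derived" ] && [ "$derived" = "$stored" ]
}

# Prints the mode of FILE as octal digits on both GNU and BSD stat.
key_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Runs every check from Known Issues against private key PRIV, assuming the
# public key lives at PRIV.pub (the layout the recipe uses). Prints one line
# per finding and returns 0 only when nothing is wrong.
diagnose_signing_key() {
    priv="$1"; pub="$1.pub"; problems=0
    if [ ! -f "$priv" ]; then
        echo "missing private key: $priv"
        return 1
    fi
    if [ "$(key_mode "$priv")" != "600" ]; then
        echo "$priv has mode $(key_mode "$priv"); ssh-keygen expects 600"
        problems=1
    fi
    if key_has_crlf "$priv"; then
        echo "$priv has CRLF line endings (cause of 'error in libcrypto: unsupported')"
        problems=1
    fi
    if [ ! -f "$pub" ]; then
        echo "no public key beside the private key: $pub"
        problems=1
    elif ! signing_key_pair_matches "$priv" "$pub"; then
        echo "$pub is not the public half of $priv; fix user.signingkey"
        problems=1
    fi
    return $problems
}

# Stand-alone use: ./diagnose_signing_key.sh ~/.ssh/id_ed25519
if [ $# -eq 1 ]; then
    diagnose_signing_key "$1"
fi
```

Run `diagnose_signing_key` on the file `user.signingkey` names (minus `.pub`); every finding it prints maps to one of the causes listed in the two sections above.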
## Repository rejects unsigned commits

Check whether commit signing is enabled.

```bash
git config --global commit.gpgsign
```

Expected:

```text
true
```

A repository-local value overrides the global one, so also run the same check inside the repository without `--global`; the `--show-origin` listing in Verify Everything shows which file each value comes from. Commits created before signing was enabled stay unsigned and will still be rejected.

## Gitea does not show "Verified"

Verify that:

* the public key was added to your Gitea account as a Signing Key;
* the commit author email matches an email address on the Gitea account;
* the commit was created after signing was configured; earlier commits stay unsigned.

Gitea checks the signature with the keys and email addresses registered on the account, not with your local allowed-signers file, so a commit can be "Good" locally and still show as unverified on the server.

## Verify Everything

```bash
git config --list --show-origin
git log --show-signature -1
ssh-keygen -y -f ~/.ssh/id_ed25519
```

The first command lists every setting with the file it came from, which is the quickest way to spot a repository-local value overriding the global signing configuration.