Use your SSH key to sign git objects

Git 2.34 added support for signing git objects, like commits, using an SSH key. Previously you could only choose between GPG and an X.509 certificate. Managing GPG keys is quite tedious in my experience, and every time I need to extend one of my keys I cannot remember exactly how to do it. Lowering the bar to set up and maintain a working signing configuration could drive the adoption of git object signing, I think. Authenticating against a remote repository via SSH is probably the most common option, so most people who use git already have an SSH key available. Hence, let's use that to sign your git objects!

Configuration is pretty straightforward; all you need to know is the filename of the SSH public key you want to use for signing. On Linux you can just run ssh-add -L to list the public keys known to your SSH agent together with their filenames. However, on macOS you won't see filenames in the output. If you're unsure, check your ~/.ssh/config or the *.pub keys inside ~/.ssh.

After you've figured out which SSH key to use for signing, just issue the following commands and you're good to go:

$ git config --global gpg.format ssh
$ git config --global user.signingKey ~/.ssh/some_ssh_key.pub

Note that ~/.ssh/some_ssh_key.pub must be adjusted to your setup, e.g. ~/.ssh/id_ed25519.pub. There's also a GitHub Docs page about the configuration process, in case you still have any questions.

Here's how I check that git object signing works:

$ cd $(mktemp -d)
$ git init
$ git commit --allow-empty --gpg-sign -m 'A test message'

You're good to go if git commit exits without an error.

Happy signing 🗝️