Do you want your commits to appear as "verified" on GitHub?
The easiest way is to sign them with the SSH key you're already using. For that, you can run:
$ git config --global gpg.format ssh
In my case, though, I do all my development inside an LXD virtual machine. This is very nice because it isolates my environment and I can nuke it and rebuild it with cloud-init if something goes wrong.
Since I'm working inside a VM, I actually don't have any SSH keys inside the VM!
$ ls ~/.ssh
authorized_keys known_hosts known_hosts.old
Instead, I use SSH agent forwarding:
$ ssh-add -L
ssh-ed25519 AAAAC3NzaC1lZD... comment
So you can tell git to use forwarded keys as follows:
$ git config --global gpg.ssh.defaultKeyCommand "ssh-add -L"
One last thing: you will want to verify your own commits locally. If you don't configure anything else, you will see this:
$ git show --show-signature --stat
error: gpg.ssh.allowedSignersFile needs to be configured and exist for ssh signature verification
commit 7bbebcb0b65ae704cdf8b54361f1287c9b95d1f0 (HEAD -> juanlu/...)
No signature
Author: ...
So the last step is to configure that file:
$ mkdir -p ~/.config/git
$ echo "$(git config user.email) $(ssh-add -L)" >> ~/.config/git/allowed_signers
$ git config --global gpg.ssh.allowedSignersFile ~/.config/git/allowed_signers
And now, finally:
$ git show --show-signature --stat
commit 7bbebcb0b65ae704cdf8b54361f1287c9b95d1f0 (HEAD -> juanlu/...)
Good "git" signature for user@domain with ED25519 key SHA256:4RdE/O/mv3Y/YjC07RatbWtmak5tzx9HUdYR3RZFjNg
Author: ...
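The `echo` line above produces a well-formed allowed signers file only when `ssh-add -L` prints exactly one key. As an added example (not part of the original post, with made-up function names), these shell functions write one entry per forwarded key, restrict each key to the "git" signature namespace, and skip entries the file already has:

```shell
#!/bin/sh
# Added example: build allowed_signers entries from `ssh-add -L` output.
# Function names are hypothetical; the entry format follows ssh-keygen(1).

# signer_entries EMAIL: read public keys on stdin, print one entry per key.
signer_entries() {
    email=$1
    while read -r keytype keydata _comment || [ -n "$keytype" ]; do
        case $keytype in
            ssh-*|ecdsa-sha2-*|sk-ssh-*|sk-ecdsa-*) ;;
            *) continue ;;   # e.g. "The agent has no identities."
        esac
        [ -n "$keydata" ] || continue
        # namespaces="git" makes the key valid for git signatures only.
        printf '%s namespaces="git" %s %s\n' "$email" "$keytype" "$keydata"
    done
}

# add_signers FILE EMAIL: append entries from stdin that FILE does not have yet.
add_signers() {
    file=$1
    email=$2
    mkdir -p "$(dirname "$file")"
    touch "$file"
    signer_entries "$email" | while IFS= read -r entry; do
        grep -qxF -- "$entry" "$file" || printf '%s\n' "$entry" >> "$file"
    done
}

# Usage (run inside the VM with the agent forwarded):
#   ssh-add -L | add_signers ~/.config/git/allowed_signers "$(git config user.email)"
```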
And that's it! You can now push and your commits will be verified ✨
If you discovered this in the middle of writing a pull request, well, you can sign all the commits with a rebase:
$ git rebase --exec 'git commit --amend --no-edit -n -S' main
...
Happy coding!

