
SSH Keys for Commit Signature Verification

Git GitHub GitLab Security

SSH keys are a simple way to sign commits in Git and ensure their authenticity. Let’s explore how to set this up.

SSH Keys for Signing in Git

Git added support for SSH keys for signing in version 2.34.0. Git does not implement the signatures itself: it shells out to ssh-keygen -Y, so you also need OpenSSH 8.2p1 or newer (the version that introduced ssh-keygen -Y find-principals, which Git uses for verification).

GitHub and GitLab support of SSH Key Signature Verification

GitHub introduced support for SSH key signature verification in Aug 2022 and GitLab followed in Nov 2022.

Adding Signatures Using SSH Keys
#

Generate an SSH Key

You can reuse the SSH key you already use for authentication or generate a dedicated one. A separate signing key is the safer choice: if an authentication key leaks it cannot also be used to forge commits, and you can rotate either key without touching the other.

ssh-keygen -t ed25519 -C "email@example.com"

Optionally add your key to the ssh-agent:

eval "$(ssh-agent -s)"
ssh-add ~/.ssh/id_ed25519

Upload the public key to GitHub, GitLab, or any Git server that supports SSH signature verification, choosing the signing key type when you add it. Both GitHub and GitLab distinguish authentication keys from signing keys, so a key uploaded only for authentication will not make your commits show as verified.

Configure Git to use SSH Keys for Signing

To configure Git to use SSH keys for signing, switch the signature format from gpg to ssh and point user.signingkey at your key. The path to the public key is enough as long as the matching private key sits beside it or is loaded in ssh-agent:

git config --global gpg.format ssh
git config --global user.signingkey ~/.ssh/id_ed25519.pub

Signing Commits

To always sign commits:

git config --global commit.gpgsign true

Alternatively, sign individual commits using:

git commit -S -m "Your commit message"

Local Commit Verification

If you uploaded the key to GitHub or GitLab as a signing key, commits made with it show up as verified on the platform: the service checks the signature against the signing keys registered on the account whose verified e-mail address matches the committer. Locally, Git has no such registry. To verify commits on your own machine you need an allowed_signers file (the format used by ssh-keygen -Y) that lists the public keys you trust and the e-mail address, the principal, each key is allowed to sign for. A valid signature from a key that is not in the file is reported as a good signature without a matching principal, and git verify-commit rejects the commit.

Create the allowed_signers file. It can live anywhere; if you keep it inside the repository, remember that it is then only as trustworthy as the commits that last changed it, so review changes to it like any other code:

# `allowed_signers` can be in your git repository or also globally available
touch /PATH_TO/allowed_signers

Add one line per trusted key. Each line starts with the principal (the e-mail address Git reports as the signer), optionally followed by ssh-keygen options such as namespaces="git" to restrict the key to Git signatures, then the key type and the base64 key exactly as they appear in the .pub file:

# each line has the following format: <principal (email)> [options] <key type> <public key>
email@example.com ssh-ed25519 AAAA...

Configure Git to use allowed_signers:

git config --global gpg.ssh.allowedSignersFile "/PATH_TO/allowed_signers"

Verify the signatures in the log (or run git verify-commit <commit>, which exits non-zero when verification fails and is therefore the form to use in scripts and CI):

git log --show-signature

If everything worked correctly, you should see something like:

commit ...
Good "git" signature for email@example.com with ED25519 key SHA256:...
Author: ...

Signing Tags

In addition to commits, tags can also be signed. Sign an annotated tag by adding the -s flag (or set tag.gpgSign to true to sign all annotated tags by default):

git tag -s v1.0 -m "Release 1.0"

Verify tag:

git tag -v v1.0

Conclusion

Using SSH keys for signature verification in Git is a simple way to make commit and tag authorship checkable without setting up GPG. GitHub and GitLab verify such signatures against the signing keys registered on your account, and locally an allowed_signers file gives you the same assurance with a trust list you control.

Author: Amin Chawki, Senior Software Engineer