My scrapbook about almost anything I stumble upon in my tech world. If you find anything useful don't forget to give thumbs-up :)


Friday, September 15, 2023

Let's Sign your Git Commit with your SSH key

I was fascinated when I see any git repo where commits shows with "Verified" status and curious how and why we need that tiny green "verified" status and idea is pretty straight forwards which to give other people confidence about the origin of a change you have made. If a commit or tag has a GPG, SSH, or S/MIME signature that is cryptographically verifiable, GitHub marks the commit or tag "Verified" or "Partially verified". 
    As mentioned, We can also have a verified status on our commits if configured git with GPG, SSH or S/MIME key but it does not make any sense to maintain a GPG key only for commit status. GPG Key maintenance can become a rabbit hole sometime so if you are not using it for Signing or Encryption, don't use it for git commit sign as well. 

Github Supports SSH key signing and the configuration is also pretty simple, we will go through the steps to achieve the same -  

  1. Generate the SSH Key Or You can use the any existing key as well.
    ssh-keygen -t ed25519 -C "" -f ~/.ssh/id_ed25519_github
    It's always a good idea to provide a passphrase to your SSH key but if you are not providing that is also fine.  
  2. Add your SSH key to Agent. 
    eval "$(ssh-agent -s)"
    ssh-add  ~/.ssh/id_ed25519_github

  3. Add Key to Github, Go to github --> settings --> --> keys --> new , Give a Title name, Key Type will be "Signing Key" and in the Key, paste your public key content (~/.ssh/ )

  4. Generate the Signer File
    awk '{ print $3 " " $1 " " $2 }' $HOME/.ssh/ >> $HOME/.ssh/allowed_signers
  5. Next, set these git configs (You can remove --global if not want the config for all the git repo)

    git config --global <your_githhub_username>
    git config --global "<your_email_id>"
    git config --global user.signingkey "$(cat $HOME/.ssh/"
    git config --global gpg.ssh.allowedSignersFile $HOME/.ssh/allowed_signers
    git config --global gpg.format ssh
    git config --global commit.gpgSign true
    git config --global tag.gpgSign true
    git config --global log.showSignature true

  6. You are set to sign your commit, make a commit. 
     git commi -m "commit msg" 
  7. You can check the sign on commit via below command - 
    git log --oneline --abbrev-commit -5 --show-signature
There is no problem to use the same key for SSH Auth and Sign or you can use different if want to. You are in control of your key and usage 😁

Like the below page to get the update  
Facebook Page      Facebook Group      Twitter Feed      

No comments:

Post a Comment


The postings on this site are my own and don't necessarily represent IBM's or other companies positions, strategies or opinions. All content provided on this blog is for informational purposes and knowledge sharing only.
The owner of this blog makes no representations as to the accuracy or completeness of any information on this site or found by following any link on this site. The owner will not be liable for any errors or omissions in this information nor for the availability of this information. The owner will not be liable for any losses, injuries, or damages from the display or use of his information.