• ssh
  • security
  • validation
  • git
  • keys

I was recently playing around with 1Password’s SSH key features. I have a few keys saved in my vault, but normally I use keys that were generated on the host and have never left the host. My curiosity led me to add a new key and utilize it as a login key for another system. (This works great, by the way!)

Once I had created that key, 1Password prompted me to use it to sign my git commits. What??

I have used GPG signing in the past, but the setup experience was painful enough that I mostly avoided it. I sign most everything on my main machine with a GPG key, but other hosts do not have signing enabled. Since I already have SSH keys created for those hosts, being able to just use those keys would be a nice little win.

[!note] Git introduced SSH signing in 2.34.0, so you will need to ensure your version of Git is that version or newer. Ubuntu Focal does not have that version yet, so I ended up adding the Git PPA.

If you are wondering why you might want to sign your commits, this post has a decent summary: https://security.stackexchange.com/questions/134164/why-should-i-sign-git-commits-tags-should-i-sign-both-commits-and-tags

If you are using standard Git, your ~/.gitconfig file will look like this:

[user]
	name = [Your name]
	email = [Your email]
	# Path to your private key, or to the public key when the private key lives in ssh-agent
	signingkey = [Path to your public key]
[gpg]
	format = ssh
[commit]
	gpgsign = true
[core]
	editor = vim
[gpg "ssh"]
	allowedSignersFile = [Path to an allowed signers file]

If you want to use 1Password, it is a bit different: you point gpg.ssh.program at the 1Password signing binary, and 1Password prompts you to authorize each time Git needs to sign.

[user]
	name = [Your name]
	email = [Your email]
	signingkey = [Path to your public key]
[gpg]
	format = ssh
[gpg "ssh"]
	program = "/opt/1Password/op-ssh-sign"
	allowedSignersFile = [Path to an allowed signers file]
[commit]
	gpgsign = true
[core]
	editor = vim

The final step is setting up an allowedSignersFile so you can actually verify commits.

Each line of this file is an identifier (the principal) followed by the key type and the public key. Mine looks like this:

conner@fungi ssh-ed25519 [Public key on host fungi]
conner@connermccall.com ssh-ed25519 [Public key on current host]

Now if you run git log --show-signature you should see info on the signed commits. Notice that the Good "git" signature line contains the key's SHA256 fingerprint and the identifier. The identifier can be anything you put in your allowed signers file: emails work great, but if you want to use a collaborator's nickname or full name, go right ahead.

commit 612beb7b61b0137d50b5570f4b4c0514235ea4c4 (HEAD -> main, origin/main, origin/HEAD)
Good "git" signature for conner@fungi with ED25519 key SHA256:+YIFq85xEaWEk31Ri4Df83sk8
Author: Conner McCall <conner@connermccall.com>
Date:   Tue Feb 13 17:30:55 2024 +0000

    remove unnecessary env file

commit 793a53ee44471034fbfb0d4eafc3c67467ffa2fe
Good "git" signature for conner@connermccall.com with ED25519 key SHA256:5GYdL9pT2jFdLC7TJiZzJgtcXcBNEBSIX8
Author: Conner McCall <conner@connermccall.com>
Date:   Tue Feb 13 10:58:26 2024 -0600

    feat: add home dns entry

You can also register your signing key with GitHub and other providers so they verify your signatures. This lets others see that you have signed your commits and that the provider has verified the signature, which helps improve trust between users.

Some resources I used when setting this up:

• https://blog.dbrgn.ch/2021/11/16/git-ssh-signatures/
• https://docs.github.com/en/authentication/managing-commit-signature-verification/telling-git-about-your-signing-key
• https://dev.to/janderssonse/git-signoff-and-signing-like-a-champ-41f3
