Sign git commits with SSH keys
OpenSSH 8.0 or newer is required and Git 2.34.0.
If no key exists yet, it can be created;
ssh-keygen -t ed25519
Today, the RSA is the most widely used public-key algorithm for SSH key. But compared to Ed25519, it's slower and even considered not safe if it's generated with the key smaller than 2048-bit length. If you are using Yubikey make sure you use ed25519-sk.
Create an allowed_signers file. I recommend naming it ~/.ssh/allowed_signers, which will store public keys allowed to sign commits.
The format of the file should be:
email-address key-type publickey
So in my case:
# ~/.ssh/allowed_signers [email protected] [email protected] AAAAGnNrLXNzaC1lZDI1N [ ... ] vAAAABHNzaDo= [email protected]
Now update your settings for the repository
git config gpg.format ssh git config commit.gpgsign true git config tag.gpgsign true git config gpg.ssh.allowedSignersFile "$HOME/.ssh/allowed_signers" git config user.signingkey "$HOME/.ssh/id_ed25519_sk.pub" git config user.email [email protected]
If you want it to apply to all commits, use the global flag: