Sign git commits with SSH keys
OpenSSH 8.0 or newer and Git 2.34.0 or newer are required.
If no key exists yet, create one:
ssh-keygen -t ed25519
Today, RSA is the most widely used public-key algorithm for SSH keys. Compared to Ed25519 it is slower, and it is considered unsafe when generated with a key shorter than 2048 bits. If you are using a YubiKey, make sure you use ed25519-sk.
Create an allowed_signers file. I recommend naming it ~/.ssh/allowed_signers; it stores the public keys that are allowed to sign commits.
The format of the file should be:
email-address key-type publickey
So in my case:
# ~/.ssh/allowed_signers
wieger.bxxxxxxx@gxxxxl.com sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1N [ ... ] vAAAABHNzaDo= wiege@laptop
Now update the settings for the repository:
git config gpg.format ssh
git config commit.gpgsign true
git config tag.gpgsign true
git config gpg.ssh.allowedSignersFile "$HOME/.ssh/allowed_signers"
git config user.signingkey "$HOME/.ssh/id_ed25519_sk.pub"
git config user.email wieger.bxxxxxxx@gxxxxl.com
If you want these settings to apply to all commits in every repository, add the global flag to each git config command:
--global