Sign git commits with SSH keys

OpenSSH 8.0 or newer and Git 2.34.0 or newer are required.

If no key exists yet, it can be created:

ssh-keygen -t ed25519

Today RSA is the most widely used public-key algorithm for SSH keys, but compared to Ed25519 it is slower, and RSA keys shorter than 2048 bits are considered unsafe. If you are using a YubiKey, make sure you use ed25519-sk.

Create an allowed_signers file. I recommend naming it ~/.ssh/allowed_signers; it stores the public keys that are allowed to sign commits.

The format of the file should be:

email-address key-type publickey

So in my case:

# ~/.ssh/allowed_signers
wieger.bxxxxxxx@gxxxxl.com sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1N [ ... ] vAAAABHNzaDo= wiege@laptop

Now update the settings for the repository:

git config gpg.format ssh
git config commit.gpgsign true
git config tag.gpgsign true
git config gpg.ssh.allowedSignersFile "$HOME/.ssh/allowed_signers"
git config user.signingkey "$HOME/.ssh/id_ed25519_sk.pub"
git config user.email wieger.bxxxxxxx@gxxxxl.com

If you want these settings to apply to every repository (and so to all your commits), add the global flag to each git config command:

--global