Issue
According to git you can now sign your commits using your existing ssh key.
https://github.blog/2021-11-15-highlights-from-git-2-34/#tidbits
Following that: https://unix.stackexchange.com/questions/269188/use-my-ssh-key-to-sign-git-commits.
I've also been going through this documentation: https://git-scm.com/docs/git-config#Documentation/git-config.txt-gpgprogram, but it's very unclear how to use it.
I've set my gpg format to ssh and signining to true, so currently it is trying to sign it and fails. I believe I need to also set the user.signingKey but I can't figure out what the format is, i.e. git config --global user.signingKey <what-is-supposed-to-go-here>?
I sort of have a second question to that. If in 1 year from now I format my PC and lose my keys, I would have no way to verify that those commits still belong to me. Is there a good standard for saving that key somewhere other than just dumping it into some online drive somewhere (where I'm likely to lose it anyways)?
Edit: I've at least managed to get gpg working. Following: Git error - gpg failed to sign data, my gpg was breaking with:
gpg: signing failed: Inappropriate ioctl for device gpg: [stdin]: clear-sign failed: Inappropriate ioctl for device
Then adding export GPG_TTY=$(tty) to bash, from "gpg: signing failed: Inappropriate ioctl for device" on MacOS with Maven, ended up working for me so it at least signs it using gpg.
Edit: Thought I managed to get it working but no. Following https://docs.github.com/en/authentication/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent, I created a new ed25519 ssh key.
After that you need git config --global gpg.format "ssh", along with git config --global user.signingkey "<key>".
I used ssh-ed25519 ASD9s8df79AASDa8sd79as7d9a8s7d89ASDASD98a7sd98a7sdASA/sd [email protected] as the key, from ~/.ssh/id_ed25519.pub.
But then I go to github and see:
Now I have no idea any more.
Solution
I presented that new option here, where I mention:
The
user.signingKeyconfig for ssh signing supports either a path to a file containing the key or for the sake of convenience a literal string with the ssh public key.To differentiate between those two cases we check if the first few characters contain "
ssh::" which is unlikely to be the start of a path.
However, it is possible GitHub does not yet recognize an SSH-based signature.
This was mentioned in this thread and added to github-community/community discussion 7744.
Early June 2022 you had:
git does provide direct support for revoking SSH signing keys, beyond the valid-after|before flags mentioned above:
gpg.ssh.revocationFileEither a SSH KRL or a list of revoked public keys (without the principal prefix).
See ssh-keygen(1) for details.If a public key is found in this file then it will always be treated as having trust level "
never" and signatures will show as invalid.
Hopefully GitHub will surface a similar capability.
David Staheli (Product Manager at GitHub) answered:
Thanks for these great suggestions. We might get a first version released and then quickly follow up with some of these ideas. I'll try to share more details once the final scope is set. Though GitHub already recognizes when GPG keys are expired or revoked, I want to make sure we'll support the same for SSH, and if not in v1, how soon thereafter.
Answered By - VonC Answer Checked By - Candace Johnson (WPSolving Volunteer)
