@foreignmeloman
Last active April 23, 2025 09:22
Signing git commits and tags with an SSH key

Imperative configuration example:

git config gpg.format ssh
git config user.signingKey /path/to/private/ed25519key
git commit -S -m "signed commit"
git tag --sign --annotate -m "signed tag" v0.1.0

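Now we can verify the signatures against an allowed_signers file (`git verify-tag` exits with 0 only if the signature is valid and the signing key is listed in that file):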

git config gpg.ssh.allowedSignersFile /path/to/allowed_signers
git verify-tag v0.1.0
echo $?

The format of the allowed_signers file is described in the ALLOWED SIGNERS section of the ssh-keygen man page. Example entry:

alice@example.com valid-after="202401011200Z",valid-before="202512311159Z" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGfExampleKeyDataHere

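Declarative configuration example (here signingKey points at the public key; git accepts the path to the private key, or to the public key when the private half is available through ssh-agent):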

[user]
	name = alice
	email = alice@example.com
	signingKey = ~/.ssh/id_ed25519.pub
[gpg]
	format = ssh
[gpg "ssh"]
	allowedSignersFile = ~/.ssh/allowed_signers
[commit]
	gpgsign = true
[tag]
	gpgsign = true