- Install Secretive using `brew install --cask secretive`, then launch the Secretive app.
- Create a new secret that requires authentication, named `gitsign`. You will need to perform biometric authentication each time this key is used.
- Create a new secret that notifies only, named `github`. This key is used for performing git pull/push/fetch from GitHub.
- Add the `gitsign` public key to SSH "Signing keys" on the GitHub Settings page. Title is not required.
- Add the `github` public key to SSH "Authentication keys" on the GitHub Settings page. Title is not required.
- Install a newer version of git that supports `signingkey = key::xxxx`. As of this writing, the latest macOS (Sequoia 15.5) comes with a pre-installed version of Git that is outdated.

  ```shell
  brew install git
  ```

- (Recommended) Install podman to protect against exploits that trigger immediately upon opening a repository or workspace in your local machine's IDE (injected by any third-party library or module dependency).

  ```shell
  # Install podman
  # See: https://podman.io/docs/installation#macos
  brew install podman

  # Create a virtual machine with no access to the host folders
  # See: https://docs.podman.io/en/latest/markdown/podman-machine-init.1.html#volume-v-source-target-options
  podman machine init -v ''
  ```

- Edit `.zshenv`.

  ```shell
  cat >> ~/.zshenv <<EOF
  # For git commit signing
  export SSH_AUTH_SOCK="$HOME/Library/Containers/com.maxgoedjen.Secretive.SecretAgent/Data/socket.ssh"
  EOF

  # For some GPU-acceleration within podman
  # Setup: https://podman-desktop.io/docs/installation/macos-install#using-libkrun-as-machine-provider
  # Usage: https://podman-desktop.io/docs/podman/gpu
  cat >> ~/.zshenv <<EOF
  # For some GPU-acceleration within podman
  export CONTAINERS_MACHINE_PROVIDER=libkrun
  EOF
  ```

- Edit `.ssh/config`. You may omit the first section, which enables VSCode or your IDE to perform sandboxed development via podman (including the ability to gitsign without revealing SSH private keys), though it is strongly recommended.

  ```shell
  cat >> ~/.ssh/config <<EOF
  # For git commit signing within podman
  Host podman-machine-default
    HostName localhost
    # From: podman machine inspect | jq '.[0].SSHConfig'
    IdentityFile $(podman machine inspect | jq -r '.[0].SSHConfig.IdentityPath')
    Port $(podman machine inspect | jq -r '.[0].SSHConfig.Port')
    User $(podman machine inspect | jq -r '.[0].SSHConfig.RemoteUsername')
    IdentitiesOnly yes
    StrictHostKeyChecking no
    UserKnownHostsFile /dev/null
    CheckHostIP no
    LogLevel ERROR
    SetEnv LC_ALL=
    ForwardAgent yes

  # For git authentication
  Host *
    IdentityAgent $HOME/Library/Containers/com.maxgoedjen.Secretive.SecretAgent/Data/socket.ssh
  EOF
  ```

- Update `.gitconfig`, replacing the name and email with your GitHub account. Replace the `signingkey` with your `gitsign` public key. Do remember to add back the `key::` prefix.

  ```shell
  # Set user info
  git config --global user.name "heri16"
  git config --global user.email "[email protected]"

  # Set user signingkey
  git config --global user.signingkey "key::ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMYmjVIE8ERSgs7EEHbYwhCgMx1v0ijKmmCt1ku0yBvjDIoddBi6P9QSALVXnTGp+PinT5l4JFWGV77QxfiypDw= [email protected]"
  git config --global gpg.format ssh

  # Push and signing settings
  git config --global commit.gpgSign true
  git config --global tag.gpgSign true
  git config --global tag.forceSignAnnotated true
  git config --global push.default current
  git config --global push.gpgSign if-asked

  # Enable git commit verification
  mkdir -p ~/.config/git
  echo "heri16 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMYmjVIE8ERSgs7EEHbYwhCgMx1v0ijKmmCt1ku0yBvjDIoddBi6P9QSALVXnTGp+PinT5l4JFWGV77QxfiypDw= [email protected]" >> ~/.config/git/allowed_signers
  git config --global gpg.ssh.allowedSignersFile ~/.config/git/allowed_signers
  ```

- Confirm that the Secretive agent is running: `ssh-add -l`. If not, restart your Terminal.
- Do a test commit. You should see `Good "git" signature for heri16 with ECDSA key SHA256:ZSJWE2tfNICQ92hpNZnfW7vihJB/ToZz5E1mil3GE10`.

  ```shell
  touch test.md && git add test.md && git commit -S -m "test commit"
  git log --show-signature
  git reset --soft HEAD~1
  ```

- Ensure that your future commits on GitHub show a green Verified badge.
- Retroactively sign your past commits:

  ```shell
  git rebase -i --exec 'author=$(git show -s --format="%ae"); me=$(git config user.email); [ "$author" = "$me" ] && git commit --amend --no-edit -S || echo "Skip $author"' HEAD~N
  ```

  Replace `N` with how many commits back you want to rebase (e.g., `HEAD~10` for the last 10 commits).
- Learn how to open a git repository within a Dev Container using your preferred IDE:
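The `.gitconfig` and `allowed_signers` steps above only work together when three things line up: `user.signingkey` carries the `key::` prefix (otherwise git treats the value as a file path), `gpg.format` is `ssh`, and the very same public key appears in the allowed-signers file under a principal, or `git log --show-signature` will report the signature as unverifiable. The following POSIX shell script is an added example, not part of the gist, that checks those three conditions against constructed sample files; the key blobs, e-mail addresses and file names in it are placeholders.

```shell
#!/bin/sh
# Added example (not from the gist): sanity-check that a .gitconfig and an
# allowed_signers file agree, so a commit signed with user.signingkey will also
# verify locally. All key material and paths below are constructed placeholders.

# Read the first "name = value" for a key from a git-style config file.
cfg_get() {
  # $1 = file, $2 = key name (e.g. signingkey)
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Returns 0 when the pair is consistent; prints the problem and returns a
# distinct non-zero code otherwise.
check_signing_config() {
  gitconfig="$1"
  signers="$2"

  signingkey=$(cfg_get "$gitconfig" signingkey)
  [ -n "$signingkey" ] || { echo "no user.signingkey in $gitconfig"; return 1; }

  # Git only treats the value as a literal public key when it has the key:: prefix.
  case "$signingkey" in
    key::*) ;;
    *) echo "signingkey is missing the key:: prefix"; return 2 ;;
  esac

  fmt=$(cfg_get "$gitconfig" format)
  [ "$fmt" = "ssh" ] || { echo "gpg.format must be ssh (got '${fmt:-unset}')"; return 3; }

  pubkey=${signingkey#key::}
  keytype=$(printf '%s\n' "$pubkey" | awk '{print $1}')
  keyblob=$(printf '%s\n' "$pubkey" | awk '{print $2}')

  # allowed_signers lines are: principals [options] keytype base64 [comment].
  # Options such as namespaces="git" shift the key fields, so scan for the pair.
  if ! awk -v t="$keytype" -v b="$keyblob" '
      /^[[:space:]]*#/ || NF < 3 { next }
      { for (i = 2; i < NF; i++) if ($i == t && $(i + 1) == b) found = 1 }
      END { exit !found }' "$signers"; then
    echo "signing key ($keytype) is not listed in $signers; verification would fail"
    return 4
  fi
  echo "ok: $keytype key is both signable and verifiable"
  return 0
}

# Constructed sample files for a demo run; the blobs are not real keys.
write_samples() {
  dir="$1"
  key='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYBLOB00000000000000000000 alice@example.test'
  cat > "$dir/good.gitconfig" <<EOF
[user]
    name = alice
    email = alice@example.test
    signingkey = key::$key
[gpg]
    format = ssh
EOF
  # Same key without key::; git would look for a file of that name instead.
  cat > "$dir/noprefix.gitconfig" <<EOF
[user]
    signingkey = $key
[gpg]
    format = ssh
EOF
  # Entry with an options field, which OpenSSH permits before the key.
  cat > "$dir/allowed_signers" <<EOF
# principal, options, key
alice@example.test namespaces="git" $key
EOF
  # A signers file that lists a different key.
  cat > "$dir/other_signers" <<EOF
bob@example.test ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOTHERKEYBLOB1111111111111111111111 bob@example.test
EOF
}

# Demo on the constructed files: one passing case and two failure modes.
tmp=$(mktemp -d)
write_samples "$tmp"
check_signing_config "$tmp/good.gitconfig" "$tmp/allowed_signers"      # consistent
check_signing_config "$tmp/noprefix.gitconfig" "$tmp/allowed_signers"  # missing key:: prefix
check_signing_config "$tmp/good.gitconfig" "$tmp/other_signers"        # key not an allowed signer
rm -rf "$tmp"
```

To run it against your real setup, call `check_signing_config ~/.gitconfig ~/.config/git/allowed_signers`; the distinct return codes make it usable as a pre-commit or shell-startup check.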
Last active: June 9, 2025 16:52
`.gitconfig`:

```ini
[user]
	name = heri16
	email = [email protected]
	signingkey = key::ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMYmjVIE8ERSgs7EEHbYwhCgMx1v0ijKmmCt1ku0yBvjDIoddBi6P9QSALVXnTGp+PinT5l4JFWGV77QxfiypDw= [email protected]
[push]
	default = current
	gpgSign = if-asked
[commit]
	gpgSign = true
[gpg]
	format = ssh
[tag]
	gpgSign = true
	forceSignAnnotated = true
[gpg "ssh"]
	allowedSignersFile = /Users/user0/.config/git/allowed_signers
```
`.ssh/config`:

```
# For git commit signing within podman
Host podman-machine-default
  HostName localhost
  # From: podman machine inspect | jq '.[0].SSHConfig'
  IdentityFile /Users/user0/.local/share/containers/podman/machine/machine
  Port 60877
  User core
  IdentitiesOnly yes
  StrictHostKeyChecking no
  UserKnownHostsFile /dev/null
  CheckHostIP no
  LogLevel ERROR
  SetEnv LC_ALL=
  ForwardAgent yes

# For git authentication
Host *
  IdentityAgent /Users/user0/Library/Containers/com.maxgoedjen.Secretive.SecretAgent/Data/socket.ssh
```
`.zshenv`:

```shell
# For git commit signing
export SSH_AUTH_SOCK=/Users/user0/Library/Containers/com.maxgoedjen.Secretive.SecretAgent/Data/socket.ssh
# For some GPU-acceleration within podman
export CONTAINERS_MACHINE_PROVIDER=libkrun
```