@paulmillr
Last active January 18, 2026 18:57
Sign git commits with ssh key


  • git version must be >= 2.34. Earlier versions don't support gpg.format ssh (signing commits with ssh keys).

    If you're printing signature keys in git log by using %GK %GF %GP %GT in format.pretty, earlier versions will crash when doing git log with the following error:

    BUG: gpg-interface.c:284: bad signature

  • OpenSSH version must be >= 8.8. Earlier versions don't support the valid-after and valid-before options.

The setup is as follows:

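```sh
# Use SSH keys instead of GPG for signatures
git config --global gpg.format ssh
# File listing the principals and public keys trusted for verification
git config --global gpg.ssh.allowedSignersFile ~/.ssh/allowed_signers
# Public key to sign with; the private key is looked up in ssh-agent
git config --global user.signingkey 'ssh-ed25519 AAAAC3N...'
# Trust this key for user@email.com only within the given validity window
echo 'user@email.com valid-after="20220501",valid-before="20220601" ssh-ed25519 AAAAC3N...' > ~/.ssh/allowed_signers

# Start ssh-agent for this shell
eval "$(ssh-agent -s)"
```

  • You need a ~/.ssh/allowed_signers file containing all keys; otherwise git log will fail, which is a huge UX mess.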

T3sT3ro commented Feb 15, 2023

You shouldn't put the public key content in the signingkey but instead add the ID of the GPG key acquired from gpg --list-secret-keys --keyid-format=long as per the official docs when using GPG keys OR use a path to the public key file (if, for example, you use SSH keys). Pasting the public key was a common thing some time ago because all tutorials on the web did it that way. Why? I don't know... More info here.

This is important, because it will bite you later when you, for example, create a cron job that does something on a user's behalf. With the copy-paste method, automation jobs fail with a cryptic error: Load key "/tmp/.git_signing_key_tmpAyMvwp": error in libcrypto? message.
