Getting “verified” commits on GitHub the easy way
I have always known about commit signing. But who wants to manage GPG keys all the time? So ever since Git 2.34 launched with support for SSH signing I have been wanting to get this done.
I will have to do this for different GitHub accounts (my personal and my work account), on different machines (personal, work, …), and potentially even per repository. To make it easier for myself, I will quickly document everything I did.
I have not used any --global flags, so this was all done to test on a singular repository. Add --global to make these settings stick for all repositories.
Make sure Git will use OpenSSH:
git config gpg.format ssh
Enable commit signing by default, else it would require --gpg-sign (-S) on git commit:
git config commit.gpgsign true
Set my signing key. I just used the same key I am already using to authenticate to GitHub:
git config user.signingkey ~/.ssh/github_ed25519.pub
At this point my commits were getting signed automatically, including those I make from within Lazygit.
A small Lazygit usability problem came up where it would hang waiting for a passphrase on every commit. Usually the key is already unlocked and I do not need to enter anything. Thankfully there is a config available to get back to the default behaviour (h/t Stefan Haller):
git:
  overrideGpg: true
However, neither GitHub nor local Git is able to verify these signatures yet.
For GitHub, navigate to SSH and GPG keys. Press New SSH key and re-add the contents of github_ed25519.pub, making sure to select ‘Signing Key’ as the key type.
Locally, create a file that mirrors SSH’s known_hosts (h/t Danilo Bargen):
mkdir -p "$HOME/.config/git/"
touch "$HOME/.config/git/allowed_signers"
Add the contents of github_ed25519.pub on a line here as well. Then tell Git about the existence of this file:
git config gpg.ssh.allowedSignersFile "$HOME/.config/git/allowed_signers"
All done!