Menu
I'm trying to set up automatic git commit signatures, however whenever I try to run git commit -am "example" it successfully makes the commit without signing it.
In my git config I have:
...
user.signingkey=/path/to/.ssh/id_ed25519.pub
gpg.format=ssh
commit.gpgsign=true
...
My SSH key and agent works correctly when I pull or push, however when using git commit -am "example" my git log shows the unsigned commit, it fails to sign and commits anyways. I have also tried setting commit.gpgsign to false and manually signing using -S with the same result.
It is as if the -S flag is just completely ignored.
When I run git log after the commit this is the output:
commit 4d3bd971f2bfbjdue0d8258e5fae982492082fcd (HEAD -> example)
Author: Example <[email protected]>
Date: Sun Feb 4 17:25:58 2024 +0200
example
When I run git cat-file -p HEAD this is the output:
tree 6f812a7caa9b36c25csg6650f469950eba8c9c7b
parent eaf107dadc57f93th87b4d5318896ce1bdc6df8f
author Example <[email protected]> 1707060358 +0200
committer Example <[email protected]> 1707060358 +0200
gpgsig -----BEGIN SSH SIGNATURE-----
U1NIU0lHAAAAAQAAADMAAAALc3NoLrgkMjU1MTkAAAAgd+0zpC6Eq8X30s9cXSGFeROpzJ
xMZKyjlm+30PHKFwEAAAADZ2l0AAAAAAAAAAjdhtE1MTIAAABTAAAAC3NzaC1lZDI1NTE5
AAAAQM+kg8VUWOY6khCCpwvqZykNdtsyrHn7hYIuCYnycdKlriYSA5DQLBoXJG0U2ucQk3
T1nqGK3MKD5/7TVYV3owc=
-----END SSH SIGNATURE-----
example
If I push that and make a pull request, it fails saying my commit is unverified.
In order for git log or git show to validate ssh signatures, you must create an "allowed signers" file; see the documentation for gpg.ssh.allowedSignersFile.
For example, if I configure ssh signing like this:
git config gpg.format ssh
git config user.signingKey ~/.ssh/id_rsa.pub
git config commit.gpgsign true
And then commit a change in a test repository:
echo "This is a test" > example-file
git add example-file
git commit -m "Example commit"
git log will show "No signature":
$ git log --show-signature
error: gpg.ssh.allowedSignersFile needs to be configured and exist for ssh signature verification
commit 88d2772f8907d2b429140a466e7c97fa5e2d6e30 (HEAD -> master)
No signature
Author: lars <[email protected]>
Date: Sun Feb 4 14:43:31 2024 +0000
Example commit
Note the warning message in the output from that command:
error: gpg.ssh.allowedSignersFile needs to be configured and exist for ssh signature verification
We can confirm that the commit actually has a signature by using git cat-file:
$ git cat-file -p HEAD
tree 3f676eeca925687d55ce0be08dbb2923338f09ec
author lars <[email protected]> 1707057811 +0000
committer lars <[email protected]> 1707057811 +0000
gpgsig -----BEGIN SSH SIGNATURE-----
U1NIU0lHAAAAAQAAAZcAAAAHc3NoLXJzYQAAAAMBAAEAAAGBAJyGND3BB04qrqyUITvVZh
9EBroH7YEZa9RE8Sn0TInwyMT4HNvkNyxTWFjlTC311cFid3HnoKLOH6L5QuGLlSYlJCPM
K9XmO+rlPifgpSi17ayfTO1t9/rLsNpyqfjBqMpVq5mpcn57KQTceZrEYyikD2R2gh9K01
lVF72QP87U+QEAIPVatdMrN/MZ1qRz7l8CBH46qj5BOLtfl8dCJinvduW8Y+gyPFqjBkbO
6Bj2luLDfffSV3BXUVNLhO43W5kkMwycZNqyWXCvVJsZbrn41z2+U138WQyLb6riQWai9r
9vG31dvPf/Vuqc7PnR1ZGM1ZWo/deaJySrF9xrvie1Vv3YmLEC645HCN9/tOvc6TllNmvs
B6wY373bUrtVT0Kun1OsIYDKBCuM9Xo6n6TSjUjkxkbwte/haPRcIGYNPoE5kVceVwgGvx
tBjoKJxe6eH6ugfh17/28QTJ0v1JUO+EgxWIc0FYtbbdyf/dl/rFtZsWL3bx9iMptbVp6Y
3QAAAANnaXQAAAAAAAAABnNoYTUxMgAAAZQAAAAMcnNhLXNoYTItNTEyAAABgIgBygW+mh
I1EsC2LoBtOaNjrZWtiisO+9KmDMBuAn2n15JHt3h+6BwODLqEqcLiBzTJVZoQZVgdlNrF
jKhY1PhNqewy9CvDF+n4j9V85+LbOOktWLodx7KJ8Epfv4z6QlqR4shohH12c7fAWRKsJ9
zH+bB9L29uuZqfqHyNJFlox9fZsPTAerY/VLoa/j/ij2uGgM+/18d93Gc13GMSdqf+CrF1
bVZ/j1SE4cneR/YbFI4A3n23iqqCwQoE07WtrYE9b27jnDkoURQi98QJ1YKUS0Jrv1+iap
ntnXwDSs25FxHQOytBPyf075rMsH6ZnKL/ycSRbGA8dezeivmJJ26uOwGjPEy9FXguqRk8
W1t4om6vh9BtKTiPVqwoISfQ7CZytZLZ4jzzG6+txjXQtSgVj0HaPXXsYXx8vTYOAkodxO
RtxQeoDhXk9ReX5QtqHpjR0Z7Ozo5f5PRyVkb/qI6p+Hbq/Qqrkg13OvFv1THrAL0Sxntk
vbg6zBTk+VB1Sg==
-----END SSH SIGNATURE-----
For git to verify that commit, we need to create an allowed signers file:
echo "[email protected] $(cat ~/.ssh/id_rsa.pub)" > ~/.config/git/allowed-signers
git config gpg.ssh.allowedSignersFile '~/.config/git/allowed-signers'
And now we see the signature verification in the output of git log --show-signature:
$ git log --show-signature
commit 88d2772f8907d2b429140a466e7c97fa5e2d6e30 (HEAD -> master)
Good "git" signature for [email protected] with RSA key SHA256:nqEzGFF0Z1rMkovqKg4yIbbyViKTuq4ugzhNIh8ggok
Author: lars <[email protected]>
Date: Sun Feb 4 14:43:31 2024 +0000
Example commit
If the problem is that GitHub is not verifying your signed commits, you need to be sure that you have added your public key to GitHub as a signing key. That means that from your "SSH and GPG keys" settings, when you add a key, ensure that "Key type" is set to "Signing":
Once added, the key will be listed under "Signing keys" on the "SSH and GPG keys" page:
You can find GitHub's documentation on this topic here.
196
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
