Enabling Automatic Commit Signing and Signature Verification
Just learned today that we can configure Git to sign commits automatically. Not something that happens out-of-the-box, but we need to configure it manually.
The information is taken from here.
Enable automatic commit signing
- Configure Git to always sign future commits
git config --global commit.gpgsign true
git config --global tag.gpgsign true
Check commits’ signature
- Verify commit signatures are present and valid
git log --show-signature
If we see No signature together with
error: gpg.ssh.allowedSignersFile needs to be configured and exist for ssh signature verification
it means that any signature, even if present, cannot be verified or trusted.
We need to tell Git who to trust. To do so, see the next step.
Adding allowed signers
- Create an allowed signers file, e.g. $HOME/.git_allowed_signers
echo xxxxx+<USER>@users.noreply.github.com ssh-ed25519 AAAAxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/xxxxxxxxxxxxxxxxxxxxxxxx username@host >> ~/.git_allowed_signers
The format is
<signer's email> <key algorithm> <public key> <user@host>
- Configure Git to use this file
git config --global gpg.ssh.allowedSignersFile "$HOME/.git_allowed_signers"
Repeat the commit signature check. This time it should show
Good "git" signature for <signer's email> with <key algorithm> key <public key>
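An added example, not code from the original post, that automates the two checks above: it lints the allowed signers file (a typo in the key type or a pasted key of the wrong type leaves every signature unverifiable) and audits git log output so that any commit without a Good signature fails the run. It assumes SSH signing is already configured (gpg.format set to ssh and user.signingkey pointing at the key), and the sample entries and log lines in the usage are constructed.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: lint the allowed signers file and
# audit `git log --format='%G? %h %s'` output so unverifiable signatures fail loudly.

# The SSH public-key blob begins with the length-prefixed key type, so its base64
# form has a fixed prefix per type; a type column that disagrees with the blob
# means the entry can never verify a signature.
blob_prefix() {
  case "$1" in
    ssh-ed25519)         echo "AAAAC3NzaC1lZDI1NTE5" ;;
    ssh-rsa)             echo "AAAAB3NzaC1yc2E" ;;
    ecdsa-sha2-nistp256) echo "AAAAE2VjZHNhLXNoYTItbmlzdHAyNTY" ;;
    *)                   return 1 ;;
  esac
}

# lint_allowed_signers FILE: each non-comment line must be
# "<principal> <key type> <base64 key> [comment]"; returns 1 on any defect.
lint_allowed_signers() {
  local bad=0 principal keytype key rest prefix
  while read -r principal keytype key rest; do
    [ -z "$principal" ] && continue                 # blank line
    case "$principal" in '#'*) continue ;; esac     # comment line
    case "$principal" in *@*) ;; *)
      echo "line for '$principal': principal is not an email" >&2; bad=1; continue ;;
    esac
    if ! prefix=$(blob_prefix "$keytype"); then
      echo "line for '$principal': unsupported key type '$keytype'" >&2; bad=1; continue
    fi
    case "$key" in "$prefix"*) ;; *)
      echo "line for '$principal': key blob is not a $keytype key" >&2; bad=1 ;;
    esac
  done < "$1"
  return "$bad"
}

# audit_log_signatures < "%G? %h %s" lines: G = good signature; N = no signature,
# E = signature present but could not be checked, B = bad; anything but G fails.
audit_log_signatures() {
  local bad=0 status hash subject
  while read -r status hash subject; do
    [ -z "$status" ] && continue
    [ "$status" = "G" ] && continue
    echo "commit $hash: signature status '$status' ($subject)" >&2; bad=1
  done
  return "$bad"
}
```

Usage: `lint_allowed_signers ~/.git_allowed_signers && git log --format='%G? %h %s' origin/main..HEAD | audit_log_signatures` exits non-zero if the signers file is malformed or any commit in the range lacks a Good signature.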
We are done.