How to Sign git Commits with an SSH key

Development projects can get very busy. They can also grow to massive proportions. When projects do expand (especially those of an open-source nature), they take on more and more developers. That’s great… until it’s not.
For example, what happens if a rogue developer hops onto a project and adds a commit that injects malicious software into the code? No project wants to have to deal with such an issue.
To that end, projects must be very careful who they allow in. But what happens if someone sneaks under the radar? Maybe a rogue developer gains access to your project and adds a commit that injects malicious code and does so under the guise of another developer. When you see that developer’s name associated with the commit, you let it pass, assuming the code is solid and there’s no need to worry.
Famous last words.
Little do you know, that rogue developer just trashed your project and unless you do catch it, you could wind up with a massive problem on your hands.
What can you do to avoid this?
There are many things. You could constantly keep tabs on every line of code to make sure it’s worthy of the project and safe. Of course, you want to trust your developers and might not have time to comb through every single line of code for malicious intent.
If that describes your project, what can you do?
One thing is to enforce Secure Shell (SSH) signing for commits, which uses public-key cryptography to create a signature for yourself that can’t be forged.
A-ha! You’ve been hunting high and low for such a solution.
By using signing in SSH commits, you can more easily verify that each commit was submitted by a legitimate developer and not an impostor.
I’m here to show you how this is done.
Requirements
To use SSH keys in git commits, you’ll need the git version control software installed and an SSH key. I’ll show you how to do both and will demonstrate on Ubuntu Linux 22.04. If you’re working on a different operating system, make sure to alter the installation steps accordingly.
Ready? Let’s do this.
Installing Git
The first thing we’ll do is install git. For that, log in to your Ubuntu instance, open a terminal window, and issue the command:
1 |
sudo apt-get install git -y |
Huzzah!
Create Your SSH Key
Next, you must generate an SSH key that will be used. For this, issue the command:
1 |
ssh-keygen |
Answer the questions and make sure to type/verify a strong and unique password for the key. That key will be housed in your ~/.ssh directory by default. That’s fine as git can work with that.
Initialize a Local Repository
Next, we must initialize a local repository. Create a folder for this with the command:
1 |
mkdir ~/PROJECT |
You can name that directory whatever you like.
Change into the new directory with:
1 |
cd ~/PROJECT |
Initialize the empty repository with:
1 |
git init |
Configure Git
We now need to configure git to know who we are. This is accomplished with the following two commands:
1 2 |
git config --global user.email "EMAIL" git config --global user.name "NAME" |
Where EMAIL is your email address and NAME is your full name.
Our next configuration tells git we want to enable GPG singing and the format will be SSH. To do that, issue the following two commands:
1 2 |
git config --global commit.gpgsign true git config --global gpg.format ssh |
Next, list your SSH key(s) with:
1 |
ssh-add -L |
You should see something like this listed:
1 |
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCUlMZBvT363Qpg1PM9LzJHwP/ijaPD+0O7l24TchGoqVItu9N6PsnXigVT21VTNemltSfChS6A2qDPMsXKbeiK7It9tMcTDyeBJd2e9rdlzQ05cHQ65jerVIe9pyc/asbX0jtlm0+VcB0fim3gVHlVcR8a6DWrqijU5YXYt3jUzdleHv9XmRJANTRAOpPICTnkO4G9HyNgJeI9M2baFgSwiNohVFHG8KJI1rXM64ryr7Psgr/5DihYSbFfTinI731ZpA3qogIaUlyKDAP7t8Xt7ntSeIzsSfd8A8jiGeYdme+MyUBo/2ENb0UmKYI695Cf6Ua+DGR39j8kt2jGw3rgkkA3L9i2+v+6aHeMzzdgR1FFIsXHs3pfDO05+u1CUgclujamsJdreEbuEwLFHQGQ60m3it7J0T/JGRUcgvQeIukslCyFzz2Rj3j0aSsyVTeVTj7f3rZyWZJlSTVyFv5uMpfm62YzA5hPCPrMJg7XHpUbP4VkWkeTfAalTTtYz34= jack@docker1 |
Copy that entire string.
If you get an error after the ssh-add command, you might need to first run the command:
1 |
eval "$(ssh-agent)" |
We can now set our signing key with the command:
1 |
git config --global user.signingkey "KEY" |
Where KEY is the entire string you copied above.
You can then confirm the SSH signing has been set up correctly with the command:
1 |
git commit --allow-empty --message="Did SSH signing work?" |
For our next trick, we need to configure the SignersFile with the command:
1 |
git config --global gpg.ssh.allowedSignersFile ~/.ssh/allowed_signers |
Create the allowed signers file with:
1 |
touch ~/.ssh/allowed_signers |
Finally, we have to populate that new file with our key using the command:
1 |
echo "EMAIL ssh-rsa KEY" > ~/.ssh/allowed_signers |
Where EMAIL is your email address and KEY is the key you copied earlier.
How to Verify It’s Working
Now that everything is set up, let’s make sure everything works with the command:
1 |
git show --show-signature |
The output should look something like this:
1 2 3 4 5 6 |
commit efb59f739f141f29b4c63d9c43edc7f46243ea47 (HEAD -> master) Good "git" signature for EMAIL with RSA key SHA256:YgBNmIqR3Z2ff7XoVKptRkZffw6nHC5mDKF8g6AcjVQ Author: Jack Wallen <EMAIL> Date: Thu Sep 15 16:53:44 2022 +0000 Testing SSH signing |
Where EMAIL is the email address associated with your SSH key.
Congratulations, you now have SSH signing set up for your git commits. Everyone will know that it’s really you submitting to the project.