Getting verified commits on GitHub by signing git commits using an existing SSH key requires specific steps that current documentation fails to explain clearly, especially if you don’t want to regenerate keys or make a GPG key.
How to sign and verify commits with an existing SSH key
Anyone can commit using any name and email address they want; nothing in git checks them. Signing a commit lets a verifier confirm that it was produced by whoever holds the private key, and the allowed signers file is what ties that key to an identity. The commit object itself carries the signature, and GitHub shows a "Verified" badge next to commits whose signature matches a signing key registered on the account.
We will:
- Need our public key, usually called "id_rsa.pub" (if we don't have one, we can generate a new key)
- Make an allowed signers file; this is more or less a copy of the public key
- Update the .gitconfig with user.signingkey, gpg.format, commit.gpgsign and gpg.ssh.allowedsignersfile
- Add the SSH key to GitHub as a signing key
Start by making an allowed signers file in your user folder; I have named mine "git_allowed_signers". Each line has the form "principal key-type base64-key": on the first line, add the email you use in your commits, hit space and paste the content of your public key (the key type and the key itself; the trailing comment is ignored).
Note that the email does not have to match the comment you might have at the end of your key file. You might remember that when generating it, you used a -C flag; that text is only a comment and plays no part in verification.
Update your .gitconfig file with the following:

```ini
[user]
    signingkey = /Users/YOURUSERFOLDER/.ssh/id_rsa.pub
[gpg]
    format = ssh
[gpg "ssh"]
    allowedsignersfile = /Users/YOURUSERFOLDER/git_allowed_signers
[commit]
    gpgsign = true
```
- We point signingkey at your public key. This works because the matching private key is loaded in ssh-agent (the default on a Mac); git hands the path to ssh-keygen, which looks the key up in the agent.
- We set the GPG format to SSH, since we have an SSH key, not a GPG key.
- We tell git about the allowed signers file we just made. Signing does not need it; verification does, because git matches the key that produced the signature against the entries in that file and reports the principal it finds.
- Lastly, we tell git to sign all our future commits. If we omit this, we must pass -S on every commit we want to sign.
- Additionally, we can sign annotated tags by duplicating the last two lines and changing "commit" to "tag" (the option is tag.gpgsign).
We can verify that this works by making a commit and running git log --show-signature.
We should get Good "git" signature for YOUREMAIL with RSA key SHA256:YOURKEY. If git instead complains that gpg.ssh.allowedSignersFile needs to be configured, or reports that no principal matched, the allowed signers file is missing or does not list the key that signed.
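The whole flow, end to end, as an added example that is not part of the original post. It runs in a throwaway directory with a freshly generated ed25519 key (the post reuses an existing id_rsa; everything after key creation is the same), applies the same settings with local git config instead of editing ~/.gitconfig, and then shows the two failure modes a reader is most likely to meet: no allowed signers file configured, and a signing key that is not listed in it. It assumes git 2.34 or newer and an OpenSSH whose ssh-keygen supports -Y; the email addresses and paths are made up. Because no ssh-agent is assumed, user.signingKey points at the private key rather than the .pub file.

```shell
#!/bin/sh
# Added example (not the post's own setup): SSH commit signing round trip
# in a temporary repo. Assumes git >= 2.34 and ssh-keygen with -Y on PATH.
# Emails, paths and file contents below are constructed for the demo.

# 0 when this git/ssh-keygen pair can do SSH signing, 1 otherwise.
ssh_signing_supported() {
    command -v git >/dev/null 2>&1 || return 1
    command -v ssh-keygen >/dev/null 2>&1 || return 1
    # gpg.format=ssh arrived in git 2.34
    git --version | awk '{ split($3, v, "."); exit !(v[1] > 2 || (v[1] == 2 && v[2] >= 34)) }'
}

# Runs in a subshell so cd/export/trap do not leak into the caller.
# Returns 0 when signing and verification behave as expected, 1 otherwise.
ssh_signing_roundtrip() (
    set -eu
    work=$(mktemp -d)
    trap 'rm -rf "$work"' EXIT
    export HOME="$work"            # keep the demo away from your real ~/.gitconfig
    export GIT_CONFIG_NOSYSTEM=1
    unset SSH_AUTH_SOCK            # no agent: ssh-keygen must read the private key file

    # 1. Throwaway key pair. The -C comment is deliberately not an email:
    #    it is not what the allowed signers file or GitHub use.
    ssh-keygen -q -t ed25519 -N "" -C "any comment, not checked" -f "$work/id_demo"

    # 2. Allowed signers file: "<principal> <key type> <base64 key>" per line.
    #    The principal is the email used in commits; the key's comment is dropped.
    pub=$(cut -d' ' -f1,2 "$work/id_demo.pub")
    printf 'dev@example.com %s\n' "$pub" > "$work/allowed_signers"

    # 3. The post's .gitconfig settings, applied to one repository only.
    git init -q "$work/repo"
    cd "$work/repo"
    git config user.name  "Demo Dev"
    git config user.email "dev@example.com"
    git config gpg.format ssh
    git config user.signingKey "$work/id_demo"   # private key path: no agent here
    git config gpg.ssh.allowedSignersFile "$work/allowed_signers"
    git config commit.gpgSign true               # same as -S on every commit
    git config tag.gpgSign true                  # and for annotated tags

    printf 'hello\n' > README
    git add README
    git commit -q -m "signed commit"
    git tag -a v0.1 -m "signed tag"

    # 4. Positive checks: commit and tag verify against the allowed signers file,
    #    and the log shows the "Good "git" signature" line the post describes.
    git verify-commit HEAD
    git verify-tag v0.1
    git --no-pager log -1 --show-signature | grep -q 'Good "git" signature for dev@example.com'

    # 5. Failure mode A: no allowed signers file configured -> git cannot verify,
    #    even though the signature itself is intact.
    git config --unset gpg.ssh.allowedSignersFile
    if git verify-commit HEAD 2>/dev/null; then
        echo "expected verification to fail without an allowed signers file" >&2
        exit 1
    fi

    # 6. Failure mode B: the file exists but lists a different key for the
    #    principal -> no principal matches the signing key, verification fails.
    ssh-keygen -q -t ed25519 -N "" -f "$work/id_other"
    printf 'dev@example.com %s\n' "$(cut -d' ' -f1,2 "$work/id_other.pub")" \
        > "$work/wrong_signers"
    git config gpg.ssh.allowedSignersFile "$work/wrong_signers"
    if git verify-commit HEAD 2>/dev/null; then
        echo "expected verification to fail for a key not in the allowed signers file" >&2
        exit 1
    fi

    echo "ssh signing round trip OK"
)

if ssh_signing_supported; then
    ssh_signing_roundtrip
else
    echo "needs git >= 2.34 and ssh-keygen with -Y support" >&2
fi
```

Step 6 is the check worth keeping in mind: the signature is still cryptographically valid, git simply refuses to call it good because the key is not an allowed signer for anyone. That is the whole job of the allowed signers file, and it is why a .gitconfig that only sets signingkey and format can sign but never verify.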
We have set up local signing and can get the Verified badge on GitHub by adding our public key. Go to "Settings" in your GitHub profile and then "SSH and GPG keys". Add a new SSH key, give it a fitting name, select "Signing Key" as the key type, and paste in your public key again (a key already registered for authentication still has to be added separately as a signing key).
Our future commits will be signed, and we can look for the verified badge next to our commits in GitHub.
I did this on a Mac and have not had time to check if the process is much different on Windows, but I will eventually get to that because spending four hours figuring out how to sign commits for a code change that takes 15 minutes to do feels less wasteful if it can help others.
I figured this out with help from the following sources that can also tell more about the background and benefits of signing.