Git supports commit signatures with OpenSSH keys
Through new configuration options in newer GitLab versions I found out about the ability of Git to use OpenSSH keys to sign commits and tags. This is a handy feature to prove the ownership of commits in a repository. Especially for my deployment method using Ansible, it is important that my deployment bot verifies commits using my public key, so that a malicious actor can't simply push commits to my infrastructure repository to gain access to the servers. It's a nice alternative to OpenPGP that does not require an additional set of keys.
Use the following commands to make use of this:

    $ git config [--global] gpg.format ssh
    $ git config [--global] user.signingKey "ssh-ed25519 ..."
    $ git commit -S -m 'This is an OpenSSH signed commit'