Git supports commit signatures with OpenSSH keys

Through new configuration options in newer GitLab versions I found out about the ability of git to use OpenSSH keys to sign commits and tags. This is a handy feature to prove the ownership of commits in a repository. It is especially important for my Ansible-based deployment method: my deployment bot verifies commits against my public key, so a malicious actor can't simply push commits to my infrastructure repository to gain access to the servers. It's a nice alternative to OpenPGP that does not require an additional set of keys.

Use the following commands to make use of this:

$ git config [--global] gpg.format ssh
$ git config [--global] user.signingKey "ssh-ed25519 ..."
$ git commit -S -m 'This is an OpenSSH signed commit'

I found the specifics in the git documentation, under the gpg options. There is also a good blog post about this topic.

Any thoughts of your own?

Feel free to raise a discussion with me on Mastodon or drop me an email.