Goodbye GPG, Hello SSH Key Signing
I was using a GPG key to sign Git commits but I’ve now switched to an SSH key. GPG keys are a pain to manage on macOS, and going full SSH is one less thing to remember. GitHub added support for SSH signing back in August last year.
My process was to generate a new key called signingkey:

    ssh-keygen -t rsa -f ~/.ssh/signingkey
It’s good practice to use unique SSH keys per machine for authentication. I think. It seems sensible to use a separate key for signing, too.
I then updated the global ~/.gitconfig in my home directory:

    [user]
        signingkey = /path/to/home/.ssh/signingkey.pub
    [gpg]
        format = ssh
It’s also possible to update a local .git/config file for repo-specific changes if needed.
In the same global config I checked to make sure Git signs commits and tags:

    [commit]
        gpgsign = true
    [tag]
        gpgsign = true
As a bonus I added the key to the macOS keychain to avoid typing the passphrase on every commit:

    ssh-add --apple-use-keychain ~/.ssh/signingkey
Finally I added my new public key to GitHub etc.; job done.
On the topic of SSH keys, it’s been over 10 years — ten! — since I wrote “Multiple Accounts and SSH Keys”. I haven’t used analytics in years but I’m pretty sure that was my most searched blog post. Check back in 2033 for another SSH tip.
Update – 20th June 2023
There’s a little more; see “Verify Signed Git Commits” for additional usage.