Signing git commits with a ssh key using 1Password

The Sign your Git commits with 1Password post is really useful but it does not tell you how to verify that signing works, how to troubleshoot it, or how to make it possible to verify the signatures locally. I will explain that here. The short story is that you need to set up gpg.ssh.allowedSignersFile and add your key there to be able to use git log --show-signature.

First of all, the setup as described in the blog post works and you can display the signature after having made a commit with git show --pretty=raw - notice the line with gpgsig …​ and those below it:

Show a commit’s signature
$ git show --pretty=raw
commit 38831e0affaae7876efec3feb989dceabf6b32da
tree ba036f1fe2c277ab48112dddbea2bb79cc65f0a8
parent b38f6af47cbfb87b4c493072cb2523a22ed66c0b
author Jakub Holy <me@jakubholy.net> 1665474441 +0200
committer Jakub Holy <me@jakubholy.net> 1665474441 +0200
gpgsig -----BEGIN SSH SIGNATURE---(1)
 U1NIU0lHAAAAAQAAADMAAAALc3NoLWVkMjU1MTkAAAAgJAGxAyKOoLjk7gzI1vBntIddH3
 CE7LoAB0f5ng/PVgEAAAADZ2l0AAAAAAAAAAZzaGE1MTIAAABTAAAAC3NzaC1lZDI1NTE5
 AAAAQJ7/ntGrmiD5qClr2TaUzThUbXmV9TJWX5fYDE4OuSJ/Xc/PDE+h0Kz550m70Y8/JY
 1z3M8XL7GZnPFmKPmGHgg=
 -----END SSH SIGNATURE-----

    WIP Debugging display issues
...
1The signature starts here

You might also learn that you can display commit signatures with --show-signature but here you will get an ugly surprise:

show-signature’s misleading 'No signature'
$ git log -1 --show-signature

error: gpg.ssh.allowedSignersFile needs to be configured and exist for ssh signature verification (2)
commit 38831e0affaae7876efec3feb989dceabf6b32da (HEAD -> main)
No signature (1)
Author: Jakub Holy <me@jakubholy.net>
...
1The misleading message
2Indication of the root cause

The No signature is misleading because the signature is there (as we have seen above), it is just not verified. The line "error: gpg.ssh.allowedSignersFile needs to be configured and exist" is the proof of that. Let’s set up the signers file:

$ git config --global gpg.ssh.allowedSignersFile ~/.config/git/allowed_ssh_signers

Now when we retry:

show-signature with an empty allowedSignersFile
$ git log -1 --show-signature

commit 38831e0affaae7876efec3feb989dceabf6b32da (HEAD -> main)
Good "git" signature with ED25519 key SHA256:c2CUY4sXBFJ/ARKz8lnMy4pqGqaCy1qjhAAUdEgtjfQ (1)
/Users/me/.config/git/allowed_ssh_signers:1: missing key (2)
No principal matched.
Author: Jakub Holy <me@jakubholy.net>
...
1The signature is valid
2But the key is unknown and thus not trusted (this can also happen if you forget to include your email in the signers file)

The "missing key" tells us that we need to add the key to the allowed_ssh_signers file. The key is the one that we have used to sign the commit, so we can get it from 1Password - simply [copy] the public key there, which should be something like ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICQBsQMijqC45O4MyNbwZ7SHXR9whOy6AAdH+Z4Pz1YB. However this is not enough for the signers file, we also need to include the user’s email - in my case I include all the emails I use with git (see git config --global user.email)

Adding your ssh key to the allowedSignersFile:
$ mkdir -p ~/.config/git/
$ echo "me@jakubholy.net,holy@ardoq.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICQBsQMijqC45O4MyNbwZ7SHXR9whOy6AAdH+Z4Pz1YB" \
  >> ~/.config/git/allowed_ssh_signers

Now finally we get the expected "Good git signature":

show-signature with the key in the allowedSignersFile
$ git log -1 --show-signature

commit 38831e0affaae7876efec3feb989dceabf6b32da (HEAD -> main)
Good "git" signature for me@jakubholy.net with ED25519 key SHA256:c2CUY4sXBFJ/ARKz8lnMy4pqGqaCy1qjhAAUdEgtjfQ (1)
Author: Jakub Holy <me@jakubholy.net>
1Finally, all is fine!

Tags: security


Copyright © 2022 Jakub Holý
Powered by Cryogen
Theme by KingMob