Signing git commits with a ssh key using 1Password
The Sign your Git commits with 1Password post is really useful but it does not tell you how to verify that signing works, how to troubleshoot it, or how to make it possible to verify the signatures locally. I will explain that here. The short story is that you need to set up
gpg.ssh.allowedSignersFile and add your key there to be able to use
git log --show-signature.
First of all, the setup as described in the blog post works and you can display the signature after having made a commit with
git show --pretty=raw - notice the line with
gpgsig … and those below it:
$ git show --pretty=raw commit 38831e0affaae7876efec3feb989dceabf6b32da tree ba036f1fe2c277ab48112dddbea2bb79cc65f0a8 parent b38f6af47cbfb87b4c493072cb2523a22ed66c0b author Jakub Holy <email@example.com> 1665474441 +0200 committer Jakub Holy <firstname.lastname@example.org> 1665474441 +0200 gpgsig -----BEGIN SSH SIGNATURE---(1) U1NIU0lHAAAAAQAAADMAAAALc3NoLWVkMjU1MTkAAAAgJAGxAyKOoLjk7gzI1vBntIddH3 CE7LoAB0f5ng/PVgEAAAADZ2l0AAAAAAAAAAZzaGE1MTIAAABTAAAAC3NzaC1lZDI1NTE5 AAAAQJ7/ntGrmiD5qClr2TaUzThUbXmV9TJWX5fYDE4OuSJ/Xc/PDE+h0Kz550m70Y8/JY 1z3M8XL7GZnPFmKPmGHgg= -----END SSH SIGNATURE----- WIP Debugging display issues ...
|1||The signature starts here|
You might also learn that you can display commit signatures with
--show-signature but here you will get an ugly surprise:
$ git log -1 --show-signature error: gpg.ssh.allowedSignersFile needs to be configured and exist for ssh signature verification (2) commit 38831e0affaae7876efec3feb989dceabf6b32da (HEAD -> main) No signature (1) Author: Jakub Holy <email@example.com> ...
|1||The misleading message|
|2||Indication of the root cause|
The No signature is misleading because the signature is there (as we have seen above), it is just not verified. The line "error: gpg.ssh.allowedSignersFile needs to be configured and exist" is the proof of that. Let’s set up the signers file:
$ git config --global gpg.ssh.allowedSignersFile ~/.config/git/allowed_ssh_signers
Now when we retry:
$ git log -1 --show-signature commit 38831e0affaae7876efec3feb989dceabf6b32da (HEAD -> main) Good "git" signature with ED25519 key SHA256:c2CUY4sXBFJ/ARKz8lnMy4pqGqaCy1qjhAAUdEgtjfQ (1) /Users/me/.config/git/allowed_ssh_signers:1: missing key (2) No principal matched. Author: Jakub Holy <firstname.lastname@example.org> ...
|1||The signature is valid|
|2||But the key is unknown and thus not trusted (this can also happen if you forget to include your email in the signers file)|
The "missing key" tells us that we need to add the key to the
allowed_ssh_signers file. The key is the one that we have used to sign the commit, so we can get it from 1Password - simply [copy] the public key there, which should be something like
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICQBsQMijqC45O4MyNbwZ7SHXR9whOy6AAdH+Z4Pz1YB. However this is not enough for the signers file, we also need to include the user’s email - in my case I include all the emails I use with git (see
git config --global user.email)
$ mkdir -p ~/.config/git/ $ echo "email@example.com,firstname.lastname@example.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICQBsQMijqC45O4MyNbwZ7SHXR9whOy6AAdH+Z4Pz1YB" \ >> ~/.config/git/allowed_ssh_signers
Now finally we get the expected "Good git signature":
$ git log -1 --show-signature commit 38831e0affaae7876efec3feb989dceabf6b32da (HEAD -> main) Good "git" signature for email@example.com with ED25519 key SHA256:c2CUY4sXBFJ/ARKz8lnMy4pqGqaCy1qjhAAUdEgtjfQ (1) Author: Jakub Holy <firstname.lastname@example.org>
|1||Finally, all is fine!|