Signing git commits with an ssh key using 1Password

The Sign your Git commits with 1Password post is really useful but it does not tell you how to verify that signing works, how to troubleshoot it, or how to make it possible to verify the signatures locally. I will explain that here. The short story is that you need to set up gpg.ssh.allowedSignersFile and add your key there to be able to use git log --show-signature.

First of all, the setup as described in the blog post works, and after making a commit you can display its signature with git show --pretty=raw - notice the line starting with gpgsig and those below it:

Show a commit’s signature
$ git show --pretty=raw
commit 38831e0affaae7876efec3feb989dceabf6b32da
tree ba036f1fe2c277ab48112dddbea2bb79cc65f0a8
parent b38f6af47cbfb87b4c493072cb2523a22ed66c0b
author Jakub Holy <> 1665474441 +0200
committer Jakub Holy <> 1665474441 +0200
gpgsig -----BEGIN SSH SIGNATURE----- (1)

    WIP Debugging display issues
(1) The signature starts here

You might also learn that you can display commit signatures with git log --show-signature, but here you will get an ugly surprise:

show-signature’s misleading 'No signature'
$ git log -1 --show-signature

error: gpg.ssh.allowedSignersFile needs to be configured and exist for ssh signature verification (2)
commit 38831e0affaae7876efec3feb989dceabf6b32da (HEAD -> main)
No signature (1)
Author: Jakub Holy <>
(1) The misleading message
(2) Indication of the root cause

The "No signature" is misleading because the signature is there (as we have seen above); it has merely not been verified. The line "error: gpg.ssh.allowedSignersFile needs to be configured and exist" is the proof of that. Let’s set up the signers file:

$ git config --global gpg.ssh.allowedSignersFile ~/.config/git/allowed_ssh_signers

Now when we retry:

show-signature with an empty allowedSignersFile
$ git log -1 --show-signature

commit 38831e0affaae7876efec3feb989dceabf6b32da (HEAD -> main)
Good "git" signature with ED25519 key SHA256:c2CUY4sXBFJ/ARKz8lnMy4pqGqaCy1qjhAAUdEgtjfQ (1)
/Users/me/.config/git/allowed_ssh_signers:1: missing key (2)
No principal matched.
Author: Jakub Holy <>
(1) The signature is valid
(2) But the key is unknown and thus not trusted (this can also happen if you forget to include your email in the signers file)

The "missing key" tells us that we need to add the key to the allowed_ssh_signers file. The key is the one we used to sign the commit, so we can get it from 1Password - simply copy the public key there, which should look something like ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICQBsQMijqC45O4MyNbwZ7SHXR9whOy6AAdH+Z4Pz1YB. However, this alone is not enough for the signers file: each line must start with the principal(s), i.e. the user’s email, followed by the key. In my case I include all the emails I use with git (see git config --global

Adding your ssh key to the allowedSignersFile:
$ mkdir -p ~/.config/git/
$ echo ", ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICQBsQMijqC45O4MyNbwZ7SHXR9whOy6AAdH+Z4Pz1YB" \
  >> ~/.config/git/allowed_ssh_signers

Now finally we get the expected "Good git signature":

show-signature with the key in the allowedSignersFile
$ git log -1 --show-signature

commit 38831e0affaae7876efec3feb989dceabf6b32da (HEAD -> main)
Good "git" signature for with ED25519 key SHA256:c2CUY4sXBFJ/ARKz8lnMy4pqGqaCy1qjhAAUdEgtjfQ (1)
Author: Jakub Holy <>
(1) Finally, all is fine!
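To check the whole procedure end to end on a machine without touching your real configuration, here is an added example (my script, not code from the original post or from 1Password): it creates a throwaway repository, signs a commit with a key generated by ssh-keygen (an assumption standing in for the 1Password-managed key, so the script runs without 1Password and op-ssh-sign), shows the misleading "No signature" before gpg.ssh.allowedSignersFile is configured, and then the "Good "git" signature" once the committing email and the public key are in the signers file. The helper names signers_line and has_principal are mine; has_principal is the check that catches the forgotten-email case behind "No principal matched" (it compares principals literally and ignores the wildcard patterns ssh-keygen also accepts).

```shell
#!/bin/sh
# Added example, not from the original post: reproduce SSH commit signing and
# verification in a throwaway repository. A key from ssh-keygen stands in for
# the 1Password-managed key (assumption). Needs git 2.34+ and ssh-keygen -Y.
set -eu

# Build one allowed_signers line: comma-separated principals (the emails you
# commit with) followed by "<key type> <base64 key>" taken from a .pub file.
# Usage: signers_line "a@example.com,b@example.com" /path/to/key.pub
signers_line() {
    printf '%s %s\n' "$1" "$(cut -d' ' -f1,2 "$2")"
}

# Return 0 when EMAIL is listed as a principal on some line of FILE.
# This is the check that would have caught "No principal matched".
# Usage: has_principal /path/to/allowed_signers demo@example.com
has_principal() {
    awk -v email="$2" '
        $0 ~ /^[ \t]*#/ || NF == 0 { next }      # skip comments and blank lines
        {
            n = split($1, p, ",")                  # field 1 holds the principals
            for (i = 1; i <= n; i++) if (p[i] == email) { found = 1; exit }
        }
        END { if (found) exit 0; exit 1 }
    ' "$1"
}

demo() {
    work=$(mktemp -d)
    trap 'rm -rf "$work"' EXIT

    # 1. A signing key standing in for the one kept in 1Password (assumption).
    ssh-keygen -q -t ed25519 -N '' -C 'demo signing key' -f "$work/signing_key"

    # 2. A repository configured for SSH signing. Without an agent git needs the
    #    private key path in user.signingkey; with 1Password you would instead
    #    point gpg.ssh.program at op-ssh-sign as the original post describes.
    git init -q "$work/repo"
    cd "$work/repo"
    git config user.name "Demo User"
    git config user.email "demo@example.com"
    git config gpg.format ssh
    git config user.signingkey "$work/signing_key"
    git config commit.gpgsign true
    echo hello > README
    git add README
    git commit -q -m "signed commit"

    # 3. With no allowed signers file, git prints the misleading "No signature".
    echo "--- before configuring gpg.ssh.allowedSignersFile:"
    git log -1 --show-signature 2>&1 | grep -E 'No signature|allowedSignersFile' || true

    # 4. Write a signers file containing the committing email and the public key,
    #    confirm the email really is in it, and verify again.
    git config gpg.ssh.allowedSignersFile "$work/allowed_signers"
    signers_line "demo@example.com" "$work/signing_key.pub" > "$work/allowed_signers"
    has_principal "$work/allowed_signers" "$(git config user.email)" \
        || { echo "committer email missing from signers file"; exit 1; }
    echo "--- after:"
    git log -1 --show-signature 2>&1 | grep -E 'Good "git" signature|No principal|missing key'
}

# Only run the end-to-end demo when asked; otherwise just define the functions.
if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it as sh verify-signing.sh demo; the second grep prints the Good "git" signature line and fails the script if verification did not succeed. The same has_principal function can be pointed at your real ~/.config/git/allowed_ssh_signers together with the output of git config user.email to check that the email you commit with is actually listed before you start wondering why git reports "No principal matched".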

Tags: security

Copyright © 2023 Jakub Holý