Signing git commits with a ssh key using 1Password
The Sign your Git commits with 1Password post is really useful but it does not tell you how to verify that signing works, how to troubleshoot it, or how to make it possible to verify the signatures locally. I will explain that here. The short story is that you need to set up gpg.ssh.allowedSignersFile and add your key there to be able to use git log --show-signature.
First of all, the setup as described in the blog post works and you can display the signature after having made a commit with git show --pretty=raw - notice the line with gpgsig … and those below it:
$ git show --pretty=raw
commit 38831e0affaae7876efec3feb989dceabf6b32da
tree ba036f1fe2c277ab48112dddbea2bb79cc65f0a8
parent b38f6af47cbfb87b4c493072cb2523a22ed66c0b
author Jakub Holy <me@jakubholy.net> 1665474441 +0200
committer Jakub Holy <me@jakubholy.net> 1665474441 +0200
gpgsig -----BEGIN SSH SIGNATURE---(1)
U1NIU0lHAAAAAQAAADMAAAALc3NoLWVkMjU1MTkAAAAgJAGxAyKOoLjk7gzI1vBntIddH3
CE7LoAB0f5ng/PVgEAAAADZ2l0AAAAAAAAAAZzaGE1MTIAAABTAAAAC3NzaC1lZDI1NTE5
AAAAQJ7/ntGrmiD5qClr2TaUzThUbXmV9TJWX5fYDE4OuSJ/Xc/PDE+h0Kz550m70Y8/JY
1z3M8XL7GZnPFmKPmGHgg=
-----END SSH SIGNATURE-----
WIP Debugging display issues
...| 1 | The signature starts here |
You might also learn that you can display commit signatures with --show-signature but here you will get an ugly surprise:
$ git log -1 --show-signature
error: gpg.ssh.allowedSignersFile needs to be configured and exist for ssh signature verification (2)
commit 38831e0affaae7876efec3feb989dceabf6b32da (HEAD -> main)
No signature (1)
Author: Jakub Holy <me@jakubholy.net>
...| 1 | The misleading message |
| 2 | Indication of the root cause |
The No signature is misleading because the signature is there (as we have seen above), it is just not verified. The line "error: gpg.ssh.allowedSignersFile needs to be configured and exist" is the proof of that. Let’s set up the signers file:
$ git config --global gpg.ssh.allowedSignersFile ~/.config/git/allowed_ssh_signersNow when we retry:
$ git log -1 --show-signature
commit 38831e0affaae7876efec3feb989dceabf6b32da (HEAD -> main)
Good "git" signature with ED25519 key SHA256:c2CUY4sXBFJ/ARKz8lnMy4pqGqaCy1qjhAAUdEgtjfQ (1)
/Users/me/.config/git/allowed_ssh_signers:1: missing key (2)
No principal matched.
Author: Jakub Holy <me@jakubholy.net>
...| 1 | The signature is valid |
| 2 | But the key is unknown and thus not trusted (this can also happen if you forget to include your email in the signers file) |
The "missing key" tells us that we need to add the key to the allowed_ssh_signers file. The key is the one that we have used to sign the commit, so we can get it from 1Password - simply [copy] the public key there, which should be something like ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICQBsQMijqC45O4MyNbwZ7SHXR9whOy6AAdH+Z4Pz1YB. However this is not enough for the signers file, we also need to include the user’s email - in my case I include all the emails I use with git (see git config --global user.email)
$ mkdir -p ~/.config/git/
$ echo "me@jakubholy.net,holy@ardoq.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICQBsQMijqC45O4MyNbwZ7SHXR9whOy6AAdH+Z4Pz1YB" \
>> ~/.config/git/allowed_ssh_signersNow finally we get the expected "Good git signature":
$ git log -1 --show-signature
commit 38831e0affaae7876efec3feb989dceabf6b32da (HEAD -> main)
Good "git" signature for me@jakubholy.net with ED25519 key SHA256:c2CUY4sXBFJ/ARKz8lnMy4pqGqaCy1qjhAAUdEgtjfQ (1)
Author: Jakub Holy <me@jakubholy.net>| 1 | Finally, all is fine! |