How to Sign git Commits with an SSH key
Development projects can be very labor intensive. They can also grow to massive proportions. As projects expand (particularly those of an open-source nature), they take on more and more developers. That’s great… until it’s not.
For example, what happens when a rogue developer jumps into a project and adds a commit that injects malicious software into the code? No project wants to have to deal with such a problem.
To that end, projects need to be very careful about who they let in. But what happens when someone sneaks under the radar? Perhaps a rogue developer gains access to your project and adds a commit that injects malicious code, and does so under the guise of another developer. If you see a trusted developer's name associated with the commit, you might let it pass, assuming the code is sound and you have nothing to worry about.
Famous Last Words.
Don't you know, this rogue developer just destroyed your project, and if you don't catch it, you could end up with a massive problem.
What can you do to avoid this?
There are many things you could do. You could keep a constant eye on each line of code to make sure it's appropriate and safe for the project. Of course, you want to trust your developers, and you may not have time to examine every single line of code for malicious intent.
If this describes your project, what can you do?
One option is to enforce Secure Shell (SSH) signing for commits, which uses public-key cryptography to attach a signature to each commit that can't be forged without the signer's private key.
Aha! You’ve been looking everywhere for a solution like this.
By signing commits with SSH keys, you can more easily verify that each commit was submitted by a legitimate developer and not an impostor.
I’m here to show you how.
Requirements
To sign Git commits with SSH keys, you need Git installed and an SSH key. I'll show you how to do both, demonstrating on Ubuntu Linux 22.04. If you're working with another operating system, adjust the installation steps accordingly.
Ready? Let us do this.
Install Git
First we install git. To do this, log in to your Ubuntu instance, open a terminal window and enter the command:
sudo apt-get install git -y
Hooray!
Create your SSH key
Next you need to generate the SSH key that will be used for signing. To do this, issue the command:
ssh-keygen
Answer the prompts and be sure to enter (and verify) a strong, unique passphrase for the key. The key is stored in your ~/.ssh directory by default, which is fine, since Git can work with it from there.
Initialize a local repository
Next we need to initialize a local repository. First, create a folder with the command:
mkdir PROJECT
Where PROJECT is any name you like.
Change to the new directory with:
cd PROJECT
Initialize the empty repository with:
git init
Configure Git
We now need to tell git who we are. This is achieved with the following two commands:
git config --global user.email "EMAIL"
git config --global user.name "NAME"
Where EMAIL is your email address and NAME is your full name.
Our next configuration tells git that we want to enable commit signing (the gpgsign setting) and that the signature format will be SSH. To do this, issue the following two commands:
git config --global commit.gpgsign true
git config --global gpg.format ssh
Next, list the SSH keys held by your SSH agent with:
ssh-add -L
You should see something like the following listed:
ssh-rsa AAAAB3NzaC1yc2E... jack@docker1
Copy this entire string.
If you get an error after running the ssh-add command, you may need to run the command first:
We can now set our signing key with the command:
git config --global user.signingkey "KEY"
Where KEY is the entire string you copied above.
You can then confirm that SSH signing was set up correctly with the command:
git commit --allow-empty --message="Did the SSH signing work?"
For our next trick, we need to tell git where the allowed signers file lives with the command:
git config --global gpg.ssh.allowedSignersFile ~/.ssh/allowed_signers
Create the allowed signers file with:
touch ~/.ssh/allowed_signers
Finally we need to populate this new file with our key using the following command:
echo "EMAIL ssh-rsa KEY" > ~/.ssh/allowed_signers
Where EMAIL is your email address and KEY is the long key string you copied earlier (the part following ssh-rsa, since the allowed signers format is principal, key type, key). This line is what binds your email address to your public key, so a signature from a key that isn't listed here will not be attributed to you.
How to check if it works
After everything is set up, let’s make sure everything is working with the command:
git show --show-signature
The output should look something like this:
commit efb59f739f141f29b4c63d9c43edc7f46243ea47 (HEAD -> master)
Good "git" signature for EMAIL with RSA key SHA256:YgBNmIqR3Z2ff7XoVKptRkZffw6nHC5mDKF8g6AcjVQ
Author: Jack Wallen <EMAIL>
Date:   Thu Sep 15 16:53:44 2022 +0000

    Testing SSH signing
Where EMAIL is the email address associated with your SSH key.
Congratulations, you’ve now set up SSH signing for your Git commits. Everyone will know that you really care about the project.