How to Sign git Commits with an SSH key

Development projects can be very labor intensive. They can also grow to massive proportions. As projects expand (particularly those of an open-source nature), they take on more and more developers. That’s great… until it’s not.

For example, what happens when a rogue developer jumps into a project and adds a commit that injects malicious software into the code? No project wants to have to deal with such a problem.

To that end, projects need to be very careful about who they let in. But what happens when someone sneaks under the radar? Perhaps a rogue developer gains access to your project and adds a commit that injects malicious code, and does so under the guise of another developer. If you see a trusted developer’s name associated with the commit, you might let it pass, assuming the code is sound and you have nothing to worry about.

Famous Last Words.

Next thing you know, this rogue developer has just destroyed your project, and if you don’t catch it, you could end up with a massive problem.

What can you do to avoid this?

There are many things. You could keep a constant eye on each line of code to make sure it’s appropriate and safe for the project. Of course, you want to trust your developers and you may not have time to examine every single line of code for malicious intent.

If this describes your project, what can you do?

One thing you can do is enforce Secure Shell (SSH) signing for commits, which uses public-key cryptography to attach a signature to each commit that cannot be forged without the signer’s private key.

Aha! You’ve been looking everywhere for a solution like this.

By signing commits with SSH keys, you can more easily verify that each commit was submitted by a legitimate developer and not a scammer.

I’m here to show you how.

Requirements

To sign Git commits with SSH keys, you need the Git version control software installed and an SSH key. I’ll show you how to do both and demonstrate it on Ubuntu Linux 22.04. If you are working with another operating system, make sure to change the installation steps accordingly.

Ready? Let us do this.

Install Git

First, we install Git. To do this, log in to your Ubuntu instance, open a terminal window and enter the command:

Hooray!

Create your SSH key

Next, you need to generate the SSH key that will be used for signing. To do this, issue the command:

Answer the questions and make sure you enter and verify a strong, unique passphrase for the key. The key is stored in your ~/.ssh directory by default. That’s fine, since Git can work with it there.

Initialize a local repository

Next we need to initialize a local repository. For this, create a folder with the command:

You can name this directory anything you like.

Change to the new directory with:

Initialize the empty repository with:

Configure Git

We now need to configure Git so it knows who we are. This is achieved with the following two commands:

Where EMAIL is your email address and NAME is your full name.

Our next configuration tells Git that we want to enable signing and that the signature format will be SSH. To do this, issue the following two commands:

Next, list your SSH keys with:

You should see something like the following listed:

Copy this entire string.

If you get an error after running the ssh-add command, you may need to run the following command first:

We can now set our signing key with the command:

Where KEY is the entire string you copied above.

You can then confirm that SSH signing was set up correctly with the command:

For our next trick, we need to tell Git where the allowed signers file lives, with the command:

Create the allowed signers file with:

Finally we need to populate this new file with our key using the following command:

Where EMAIL is your email address and KEY is the key you copied earlier.

How to check if it works

After everything is set up, let’s make sure it all works with the command:

The output should look something like this:

Where EMAIL is the email address associated with your SSH key.

Congratulations, you’ve now set up SSH signing for your Git commits. Everyone will know that you really care about the project.
