How to Use SSH Keys and 1Password to Sign Git Commits

1Password makes it easier for GitHub users to set up signed commits using SSH keys. Signed commits confirm that the person making the code change is who they say they are.

Normally, when code is checked into a Git repository, the change is saved with the name of the person submitting the code. While the committer’s name is usually set by the user’s client, it can easily be changed to something else, allowing someone to forge the commit messages and names. This can have security implications if developers don’t really know who submitted a particular piece of code.

The fundamental, unsolved problem that underlies all cybersecurity problems on the internet is the lack of good tools to truly authenticate a living human, says John Bambenek, principal threat hunter at Netenrich. The simplification of cryptographic signing, or signed commits, allows organizations to have a higher level of certainty about the identity of the person.

“Without that, you’re trusting that the committer is who they say they are and that the person accepting the commit understands the commit and is checking for problems,” he adds.

Bambenek notes that as criminals look seriously for code in open-source libraries, the ability to truly authenticate people pushing code means the window for using their repositories to compromise other organizations is much smaller.

Easier, scalable key management

Michael Skelton, senior director of security operations at Bugcrowd, points out that managing SSH and GPG keys to sign commits across multiple developer and host virtual machines can be a cumbersome and confusing process. Previously, developers interested in signed commits managed with key pairs stored them in their GitHub accounts and on their local machines.

“This can complicate the mass adoption of signed commits and impact your organization’s ability to make the most of this feature,” he says. “Having 1Password manage this on your behalf makes it easier for you to deploy these keys and update configurations with ease.”

Because 1Password stores the SSH keys, it becomes easier and less confusing to manage keys across multiple devices. This feature also allows for more scalable management of GitHub signing keys for developers, according to Skelton.

“By resolving this issue, organizations can then attempt to enforce signed commits across their repositories using GitHub’s vigilant mode, which helps limit the possibility of committer names being misrepresented and thus misinterpreted.” , says Skelton.

With signed commits, it’s easier to see when a commit isn’t signed. It is also possible to create an application security policy that rejects unsigned commits.

How to set up signed commits

How to set up GitHub to use SSH keys for verification.

  1. Update to Git 2.34.0 or later, then go to and select “New SSH Key” and then “Signing Key”.
  2. From there, navigate to the “Keys” field and select the 1Password logo, select “Create SSH Key”, enter a title, and then select “Create and Fill”.
  3. In the last step, choose “Add SSH Key” and the GitHub part of the process is complete.

Once the key is set up in GitHub, go to 1Password on your desktop to configure yours .gitconfig Sign the file with your SSH key.

  1. From the banner above, select the “Configure” option, which will open a window with a snippet for you to add .gitconfig File.
  2. Select the Auto-edit option to have 1Password update the .gitconfig file with one click.
  3. Users who need advanced configuration can copy the snippet and do things manually.

A green verification badge for easy verification visibility is then added to the timeline when you push to GitHub.

Leave a Reply

Your email address will not be published. Required fields are marked *