AndreasNasman / .config

My dot-files for various systems.

Test if SSH keys can replace GPG keys for commit signing #53

Closed AndreasNasman closed 2 weeks ago

AndreasNasman commented 2 weeks ago

https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification#ssh-commit-signature-verification

https://docs.gitlab.com/ee/user/project/repository/signed_commits/ssh.html

AndreasNasman commented 2 weeks ago

I followed the steps in the documentation above to set up SSH commit signing.

After pushing df331dfb85fe27ff15a7ee6875777f0b980c0f3e, the commit showed "Verified" in GitHub! 🎉

AndreasNasman commented 2 weeks ago

I noticed that git log --show-signature couldn't display the signature:

> git log --show-signature
error: gpg.ssh.allowedSignersFile needs to be configured and exist for ssh signature verification
commit df331dfb85fe27ff15a7ee6875777f0b980c0f3e (HEAD -> mac, origin/mac, origin/HEAD)
No signature
Author: Andreas Näsman <andreas.z.nasman@gmail.com>
Date:   Sat Nov 2 22:15:30 2024 +0200

    Test SSH commit signing

I found these sources that helped me solve the issue:

echo "andreas.z.nasman@gmail.com $(awk '{print $1, $2}' ~/.ssh/id_personal.pub)" >~/.config/git/allowed-signers
git config gpg.ssh.allowedSignersFile '~/.config/git/allowed-signers'

Running git log --show-signature now worked as expected! 🎉

> git log --show-signature
commit df331dfb85fe27ff15a7ee6875777f0b980c0f3e (HEAD -> mac, origin/mac, origin/HEAD)
Good "git" signature for andreas.z.nasman@gmail.com with ED25519 key SHA256:wcnaJHhAuqEbqKKRFyc5O04Tyr0BlC+LD9dXJV3k9t0
Author: Andreas Näsman <andreas.z.nasman@gmail.com>
Date:   Sat Nov 2 22:15:30 2024 +0200

    Test SSH commit signing

AndreasNasman commented 2 weeks ago

I noticed that GitHub (and probably also GitLab) can mark GPG-signed commits as "Verified" and expired. A considerable drawback with SSH keys is that they cannot expire. Also, to cache the password, you still need to use pinentry-mac, so you cannot get rid of GnuPG. Due to these reasons, I decided to stick to GPG but create keys (both a personal key and one for work on my ÅA Mac) that expire after a year. https://javorszky.co.uk/2024/05/28/back-to-signing-git-commits-with-gpg/
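The two comments above set up an allowed_signers file for local SSH signature verification and then weigh SSH keys against GPG keys on expiry. The script below is an added example, not code from this issue or from the .config repository: it builds an allowed_signers line from a .pub file (copying only the key type and key, never the trailing comment), optionally attaches a `valid-before="YYYYMMDD"` option, which the ssh-keygen allowed-signers format supports so the verifier side can refuse signatures made after a cut-off date, and checks an existing file for well-formed lines. The principal, key material and paths are constructed placeholders.

```shell
#!/bin/sh
# Added example for git SSH signing (not from the issue or the dotfiles).
# All principals, key strings and paths below are constructed placeholders.

# Key types accepted in an allowed_signers line.
KEY_TYPES='^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)|sk-ssh-ed25519@openssh[.]com|sk-ecdsa-sha2-nistp256@openssh[.]com)$'

# Print one allowed_signers line: principal [valid-before="YYYYMMDD"] key-type key
# Only fields 1 and 2 of the .pub file are copied; the comment (user@host) is
# dropped so it can never be mistaken for a principal. Returns 1 if the file
# does not start with a recognised key type.
allowed_signer_line() {
    principal=$1; pubfile=$2; valid_before=${3:-}
    awk -v p="$principal" -v vb="$valid_before" -v re="$KEY_TYPES" '
        $1 ~ re {
            if (vb != "") print p, "valid-before=\"" vb "\"", $1, $2
            else          print p, $1, $2
            found = 1; exit
        }
        END { exit (found ? 0 : 1) }
    ' "$pubfile"
}

# Check an allowed_signers file. Each non-comment line must look like
#   principal [options] key-type key [comment]
# where options are cert-authority, namespaces=, valid-after= or valid-before=.
# Returns 0 when every line is well-formed, 1 otherwise.
check_allowed_signers() {
    awk -v re="$KEY_TYPES" '
        /^[ \t]*(#|$)/ { next }
        NF >= 3 && $2 ~ re { next }
        NF >= 4 && $3 ~ re && $2 ~ /^(cert-authority|namespaces=|valid-after=|valid-before=)/ { next }
        { bad++ }
        END { exit (bad > 0) }
    ' "$1"
}

# Point git at the signers file and enable SSH signing. Not run by the demo
# below because it changes the global config; call it by hand.
configure_git_ssh_signing() {
    signers=$1; pubkey=$2
    git config --global gpg.format ssh
    git config --global user.signingkey "$pubkey"
    git config --global gpg.ssh.allowedSignersFile "$signers"
    git config --global commit.gpgsign true
}

# Demo on a constructed .pub file (not real key material).
demo_dir=$(mktemp -d)
printf '%s\n' 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedNotARealKey0000000000000 alice@laptop' >"$demo_dir/id_demo.pub"
allowed_signer_line alice@example.com "$demo_dir/id_demo.pub" 20251231 >"$demo_dir/allowed_signers"
check_allowed_signers "$demo_dir/allowed_signers" && cat "$demo_dir/allowed_signers"
```

Once `gpg.ssh.allowedSignersFile` points at the generated file, both `git log --show-signature` and `git verify-commit HEAD` resolve signatures against it, and a signature whose commit date falls after the `valid-before` date is reported as invalid.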

AndreasNasman commented 2 weeks ago

I used this command to re-sign my projects to get up to date (not needed in the future):

git filter-branch -f --commit-filter '
if [ "$GIT_COMMITTER_NAME" = "Andreas Näsman" ]; then
    GIT_AUTHOR_NAME="Andreas Näsman"
    GIT_AUTHOR_EMAIL="andreas.z.nasman@gmail.com"
    GIT_COMMITTER_NAME="Andreas Näsman"
    GIT_COMMITTER_EMAIL="andreas.z.nasman@gmail.com"
    GIT_COMMITTER_DATE="$GIT_AUTHOR_DATE"
    git commit-tree -S "$@"
else
    git commit-tree "$@"
fi
' -- --all

I used this command previously when I needed to change multiple branches that only partially contained my changes:

for branch in (git branch -r | grep origin/ | grep -v 'HEAD\|master')
    set trimmed_branch (string trim $branch)
    git branch --track (string replace 'origin/' '' $trimmed_branch) $trimmed_branch
end

(Source: Copilot)