For a long time, GPG (GNU Privacy Guard) keys were the industry standard for signing Git commits: a signature binds each commit to the holder of a key and lets anyone inspecting the history detect later tampering. Setting up GPG, however, means generating keyrings, managing expiration dates, and debugging gpg-agent, which adds substantial friction for developers.
To eliminate this complexity, Git version 2.34 introduced the ability to use your existing SSH keys to sign commits directly, bypassing the need for GPG keys.
In this guide, we will explore how to configure Git to use your SSH keys for signing commits, verify keys locally, and enable trust relationships across development teams.
1. Why Switch from GPG to SSH Keys?
- No Key Redundancy: You can reuse the same SSH key (e.g., id_ed25519) that you already use to authenticate with GitHub, so there is no separate GPG key pair to generate and maintain. Reuse is safe because an SSH signature is bound to a namespace ("git" for Git signatures), so a signature made for a commit is not a valid signature for an SSH login, and vice versa.
- Simpler Setup: A few terminal commands are enough to get running.
- Cleaner Backups: Standard SSH keys are small, easy to migrate, and handled by the OpenSSH tooling (ssh-keygen, ssh-agent) already present on every major platform.
2. Configuring Git to Sign with SSH Keys
Step 1: Set the Cryptographic Format to SSH
Tell Git to produce signatures with ssh-keygen instead of GPG:
git config --global gpg.format ssh
Step 2: Associate Your SSH Public Key
Point Git to the key it should sign with (typically id_ed25519.pub or id_rsa.pub in your ~/.ssh directory). Git hands this path to ssh-keygen -Y sign, so a public key only works while the matching private key is loaded in ssh-agent; if you do not run an agent, give the path of the private key (without .pub) instead. A literal public key can also be configured by prefixing it with key::.
git config --global user.signingkey ~/.ssh/id_ed25519.pub
Step 3: Enable Global Signing
Ensure that Git signs every commit automatically (tags are controlled separately by tag.gpgSign):
git config --global commit.gpgsign true
3. Validating Colleagues’ SSH Signatures Locally
GitHub verifies your SSH-signed commits automatically once you register your public key as a “Signing Key”, but verifying signatures locally with git log --show-signature or git verify-commit requires an allowed_signers file. SSH has no GPG-style web of trust, so this file is the complete list of keys your machine trusts.
Step 1: Create the Allowed Signers File
Create a global configuration file that maps e-mail addresses (principals) to trusted public keys (create the ~/.config/git directory first if it does not exist yet):
touch ~/.config/git/allowed_signers
Step 2: Populate the File
Add your team members’ e-mail addresses and public keys, one per line, in the format documented under ALLOWED SIGNERS in ssh-keygen(1). The namespaces="git" option restricts each key to Git signatures; several principals may share one key as a comma-separated list, and with OpenSSH 8.8 or newer the valid-after and valid-before options let you rotate keys without invalidating older signatures. The addresses below are placeholders:
# <email> namespaces="git" <SSH public key>
alice@example.com namespaces="git" ssh-ed25519 AAAAC3NzaC1...
bob@example.com namespaces="git" ssh-ed25519 AAAAC3NzaC1...
Step 3: Link the File to Git Configuration
git config --global gpg.ssh.allowedSignersFile ~/.config/git/allowed_signers
Now, running git log --show-signature (or git verify-commit) on your local machine cross-references this file: a commit signed by a listed key is reported as Good "git" signature for alice@example.com ... and git verify-commit exits 0, while a commit whose signing key is absent from the file is reported as unverified and git verify-commit fails. Note that the principal only identifies the key; Git does not compare it with the committer’s e-mail address, so a commit signed with the key listed for Alice is trusted whatever author or committer the commit claims.
Conclusion
Leveraging SSH keys for Git signatures is an efficient way to make your project’s commit history verifiable.
- Configure gpg.format ssh to use your existing credentials.
- Register the key on GitHub as a “Signing Key” to display green verification badges.
- Use the allowedSignersFile config to establish local trust circles within your team.
Adopt SSH signing today to upgrade your repository’s security posture with minimal configuration overhead.
