Use SSH to sign commits

Hi there! This post walks through using an SSH key to sign commits on GitHub. I'm assuming you already know the fundamentals of SSH keys; if not, here is the short version:

  • SSH (Secure Shell) is a network protocol that lets two computers communicate securely, in this case your local machine and the GitHub server.

  • You can connect to and authenticate against remote servers and services using the SSH protocol. I frequently use it to connect services such as Visual Studio Code from my virtual machine to my Mac. Here, though, we use SSH keys for a different purpose: signing commits.

So what does it mean to sign a commit?

The image above shows a signed commit, and I used an SSH key to do that. Yes, your guess was correct: on GitHub there are multiple methods for signing a commit. So let's dive into it together.

To sign a commit simply means adding a digital signature to it using a GPG (GNU Privacy Guard) key, an SSH key, or S/MIME (Secure/Multipurpose Internet Mail Extensions), which is a standard for sending digitally signed and encrypted messages.

These are the three ways to add a digital signature to a commit. The signature lets anyone verify that the commit really comes from the holder of the signing key and that the commit has not been tampered with since it was signed.

You can think of it as signing a document: without the president's signature, a presidential decree is not valid. That is the same idea I hope to bring out here.

That said, we are going to focus on using SSH to add a digital signature to a commit.

How does this work?

Note: If you already use an SSH key for authentication, I advise you to generate a separate one for signing by following the steps below.

PS: I am working with a Linux system.

So, following my advice,

  1. Generate a new SSH key.

    • Open the terminal (Ctrl+Alt+T) and change into your SSH directory:

        cd ~/.ssh

    • Generate an Ed25519 key pair:

        ssh-keygen -t ed25519 -C "your_email@example.com"

      Use your GitHub email in place of the example email.

      When prompted for the file in which to save the key, I advise you to simply press Enter to accept the default.

    • You will be prompted for a passphrase (a password that protects the private key) and asked to retype it. If you don't want a passphrase, press Enter.

    • If you added a passphrase and don't want to enter it every time you use the key, follow this link to add the key to the SSH agent.

      Verify that the key was created:

        ls

      You should see two new files: the private key id_ed25519 and the public key id_ed25519.pub.

  2. Now add the generated key to your GitHub account.

    • Print the public key:

        cat id_ed25519.pub

    • Copy the entire output.

    • Sign in to your GitHub account and follow the image.

    • Click your profile picture or account icon (the last one at the top right), then select Settings.

    • Select SSH and GPG keys.

    • Click New SSH key.

    • In the "Title" field, add a descriptive label for the new key. For example, if you're using a personal laptop, you might call this key "Personal laptop".

    • In the "Key type" field, choose "Signing Key". This matters: a key added as an authentication key will not be used to verify signatures.

    • In the "Key" field, paste your public key.

    • Click "Add SSH key".

    • If prompted, confirm access to your GitHub account.

  3. Now tell Git about your signing key.

    • In the terminal, run these commands:

      PS: cd into a directory where git has been initialized before running these commands; otherwise you will get the error shown below.

        git config --global gpg.format ssh

        git config --global user.signingkey ~/.ssh/id_ed25519.pub
      
  4. Now sign your commits.

        git commit -S -m "commit message"

        git push

Now go to your GitHub repository and check that your commit shows as "Verified".