GitHub announced today that they have added support for signing commits and tags with SSH keys. Here’s how I set it up on my Mac.
First I created a new SSH key for this purpose:
ssh-keygen -t ed25519 -C "firstname.lastname@example.org"
Next, git needs to be configured to use it:
git config --global user.signingkey "$(cat ~/.ssh/id_ed25519_gitsigning.pub)"
git config --global gpg.format ssh
ssh-agent needs to be informed of the key. On Mac:
ssh-add --allow-use-keychain ~/.ssh/id_ed25519_gitsigning
ssh-add -K ~/.ssh/id_ed25519_gitsigning
Finally, to sign a commit:
git commit -S ...
Or to sign a tag:
git tag -s ...
And if you want to always sign (yes, this works for SSH in spite of the GPG name):
git config --global commit.gpgSign true
I attempted this a while back with GPG but it was a pain. Hopefully this works better 🤞