GitHub announced today that they have added support for signing commits and tags with SSH keys. Here’s how I set it up on my Mac.

First I created a new SSH key for this purpose:

ssh-keygen -t ed25519 -C "gitsigning@priddle.xyz" -f ~/.ssh/id_ed25519_gitsigning

Next, git needs to be configured to use it:

git config --global user.signingkey "$(cat ~/.ssh/id_ed25519_gitsigning.pub)"
git config --global gpg.format ssh

ssh-agent needs to be informed of the key. On Mac:

ssh-add --apple-use-keychain ~/.ssh/id_ed25519_gitsigning

On Linux:

ssh-add ~/.ssh/id_ed25519_gitsigning

Finally, to sign a commit:

git commit -S ...

Or to sign a tag:

git tag -s ...

And if you want to always sign (yes, this works for SSH in spite of the GPG name):

git config --global commit.gpgSign true
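The post stops at producing signatures; the other half of the setup is checking them locally, which git only does once an allowed-signers file says which keys you trust. The script below is an added example, not code from the original post: it builds a throwaway repository in a temporary HOME, generates a signing key, applies the same git settings as above, signs one commit, and verifies it with git verify-commit. It then signs a second commit with a key that is not in the allowed-signers file and confirms that verification rejects it. It assumes git 2.34 or newer and OpenSSH 8.2 or newer (ssh-keygen -Y); the e-mail address, key file names and "Demo Signer" identity are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post: sign a commit with a fresh
# ed25519 key and verify it locally through an allowed-signers file.
# Assumes git >= 2.34 and OpenSSH >= 8.2. Names and e-mail are constructed.

set -e

# version_ge A B: true when the major.minor of version string A is at least B.
version_ge() {
    a_major=${1%%.*}; a_rest=${1#*.}; a_minor=${a_rest%%.*}
    b_major=${2%%.*}; b_minor=${2#*.}
    [ "$a_major" -gt "$b_major" ] 2>/dev/null ||
        { [ "$a_major" -eq "$b_major" ] 2>/dev/null && [ "$a_minor" -ge "$b_minor" ] 2>/dev/null; }
}

# True when the minimum tool versions for SSH signing and verification exist.
have_tools() {
    command -v git >/dev/null 2>&1 || return 1
    command -v ssh-keygen >/dev/null 2>&1 || return 1
    version_ge "$(git --version | sed 's/^git version //; s/ .*//')" 2.34 || return 1
    version_ge "$(ssh -V 2>&1 | sed 's/^OpenSSH_//; s/[^0-9.].*//')" 8.2
}

# Prints "ok" when a commit signed by the configured key verifies and a commit
# signed by an unlisted key is rejected; prints "skipped" if tools are missing.
run_demo() {
    if ! have_tools; then
        echo "skipped"
        return 0
    fi
    (
        set -e
        demo_dir=$(mktemp -d)
        # Isolate HOME and the global git config so the real ones stay untouched.
        export HOME="$demo_dir/home" GIT_CONFIG_GLOBAL="$demo_dir/home/.gitconfig" GIT_CONFIG_NOSYSTEM=1
        mkdir -p "$HOME/.ssh" && chmod 700 "$HOME/.ssh"
        key="$HOME/.ssh/id_ed25519_gitsigning"
        other="$HOME/.ssh/id_ed25519_other"
        # No passphrase so the script runs unattended; a real signing key should have one.
        ssh-keygen -q -t ed25519 -N "" -C "gitsigning@example.com" -f "$key"
        ssh-keygen -q -t ed25519 -N "" -C "someone-else@example.com" -f "$other"

        # Same settings as the post. Pointing user.signingkey at the private key
        # lets ssh-keygen read it from disk, so no ssh-agent is needed here.
        git config --global user.name "Demo Signer"
        git config --global user.email "gitsigning@example.com"
        git config --global gpg.format ssh
        git config --global user.signingkey "$key"
        git config --global commit.gpgSign true

        # Local trust decision: one "<principal> <keytype> <key>" line per key
        # you accept. git verify-commit fails for any key that is not listed.
        git config --global gpg.ssh.allowedSignersFile "$HOME/.ssh/allowed_signers"
        printf '%s %s\n' "gitsigning@example.com" "$(cut -d' ' -f1,2 "$key.pub")" \
            > "$HOME/.ssh/allowed_signers"

        git init -q "$demo_dir/repo"
        cd "$demo_dir/repo"
        echo "hello" > README
        git add README
        git commit -q -m "signed by the trusted key"   # signed via commit.gpgSign
        git verify-commit HEAD >/dev/null 2>&1         # good signature: exit status 0

        echo "more" >> README
        git add README
        git -c user.signingkey="$other" commit -q -m "signed by an unlisted key"
        if git verify-commit HEAD >/dev/null 2>&1; then
            echo "unlisted key unexpectedly verified" >&2
            exit 1
        fi
        rm -rf "$demo_dir"
        echo "ok"
    )
}

run_demo
```

To see the same result interactively on your own repository, run git log --show-signature after configuring gpg.ssh.allowedSignersFile; without that file git reports that it cannot verify SSH signatures, which is the state the post's setup leaves you in.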

I attempted this a while back with GPG but it was a pain. Hopefully this works better 🤞

Update 2022-09-14: I just came across this post and a Hacker News thread that go into this in more detail.