Following this post, I’ve set up SSH key signing for my Git commits.

I created a new key, telling ssh-keygen to write it to ~/.ssh/id_ed25519_git so it stays separate from the key I use for authentication:

ssh-keygen -t ed25519 -C "git signing" -f ~/.ssh/id_ed25519_git

On my Macs, I added the key to ssh-agent and told it to keep the key's passphrase in the macOS keychain (the key itself stays on disk; only the passphrase is stored):

ssh-add --apple-use-keychain ~/.ssh/id_ed25519_git

I added the public key to my GitHub account as a signing key. GitHub treats authentication keys and signing keys separately, and only a key registered as a signing key makes commits show up as verified.

Next, Git itself. I don't want signing turned on for every machine, so ~/.gitconfig includes a separate ~/.gitconfig.local for machine-specific settings:

[include]
	path = ~/.gitconfig.local

Then in ~/.gitconfig.local:

[user]
	# The .pub path is enough: git hands it to ssh-keygen, which fetches
	# the matching private key from the agent.
	signingkey = ~/.ssh/id_ed25519_git.pub

[gpg]
	format = ssh

[gpg "ssh"]
	# Needed for verification only (git verify-commit, git log --show-signature).
	allowedSignersFile = ~/.ssh/allowed_signers

[commit]
	gpgsign = true

[tag]
	gpgsign = true

Git also needs an allowed-signers file to verify signatures. Its entries are not raw public keys: ssh-keygen(1) expects one "principal keytype base64-key [comment]" line per key, so the first field has to be an identity, normally the e-mail address used in the commits. Copying the .pub file across unchanged makes ssh-keygen read "ssh-ed25519" as the principal and the key material as the key type, and verification fails with an "invalid key" error. The line to add is the e-mail followed by the public key:

echo "$(git config user.email) $(cat ~/.ssh/id_ed25519_git.pub)" >> ~/.ssh/allowed_signers

I also found that I needed zsh to load the key into the agent at startup, so I added this to ~/.zshenv (backgrounded and silenced because ~/.zshenv runs for every zsh invocation, interactive or not):

(ssh-add --apple-load-keychain -q 2>/dev/null &)

Finally, to test. The empty commit is signed automatically because commit.gpgsign is on, and verify-commit should print a good "git" signature for the e-mail listed in allowed_signers, exiting non-zero if it cannot verify:

mkdir test-repo
cd test-repo
git init
git commit --allow-empty -m "Test commit"
git verify-commit HEAD