- Git version must be >= 2.34. Earlier versions don't support `gpg.format ssh` (signing commits with SSH keys). If you're printing signature keys in `git log` by using `%GK %GF %GP %GT` in `git.format.pretty`, earlier versions will crash when doing `git log` with the following error: `BUG: gpg-interface.c:284: bad signature`
- OpenSSH version must be >= 8.8. Earlier versions don't support the `valid-after`, `valid-before` options.
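
The setup is as follows:

```sh
# Sign with SSH keys instead of GPG
git config --global gpg.format ssh
# File listing the keys trusted for signature verification
git config --global gpg.ssh.allowedSignersFile ~/.ssh/allowed_signers
# Key used for signing
git config --global user.signingkey 'ssh-ed25519 AAAAC3N...'
# Trust this key only inside the given validity window
echo '[email protected] valid-after="20220501",valid-before="20220601" ssh-ed25519 AAAAC3N...' > ~/.ssh/allowed_signers
# Start an agent for this shell session
eval "$(ssh-agent -s)"
```
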
- You need to have a `~/.ssh/allowed_signers` file with all keys; otherwise, `git log` will fail, which is a huge UX mess.

You shouldn't put the public key content in the `signingkey` but instead add the ID of the GPG key acquired from `gpg --list-secret-keys --keyid-format=long` as per the official docs when using GPG keys OR use a path to the public key file (if, for example, you use SSH keys). Pasting the public key was a common thing some time ago because all tutorials on the web did it that way. Why? I don't know... More info here.

This is important, because it will bite you later when you, for example, create a cron job that does something on a user's behalf. With the copy-paste method, automation jobs fail with a cryptic `error: Load key "/tmp/.git_signing_key_tmpAyMvwp": error in libcrypto?` message.
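
A preflight check for the requirements listed on this page, as an added example that is not part of the original text: it compares the installed Git and OpenSSH versions against 2.34 and 8.8, flags pasted key material in `user.signingkey`, confirms the allowed signers file is readable, and tests a date against a `valid-after`/`valid-before` window. The function names are hypothetical, the window check assumes date-only `YYYYMMDD` stamps, and the `key::`/`ssh-` prefix rule follows Git's documentation for `user.signingKey`.

```sh
# Added example, not from the original page: preflight for Git SSH signing.
# version_ge A B: succeed if dotted numeric version A >= B.
version_ge() {
  a=$1 b=$2
  while [ -n "$b" ]; do
    x=${a%%.*} y=${b%%.*}
    [ "${x:-0}" -gt "$y" ] && return 0
    [ "${x:-0}" -lt "$y" ] && return 1
    case $a in *.*) a=${a#*.} ;; *) a= ;; esac
    case $b in *.*) b=${b#*.} ;; *) b= ;; esac
  done
  return 0
}

# Extract the numeric version from `git --version` / `ssh -V` output.
git_version() { printf '%s\n' "$1" | sed -n 's/^git version \([0-9][0-9.]*\).*/\1/p'; }
ssh_version() { printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9.]*\).*/\1/p'; }

# Git reads a user.signingkey starting with "key::" or "ssh-" as pasted key
# material; other values are a file path (or a GPG key ID in openpgp mode).
signingkey_kind() {
  case $1 in
    key::* | ssh-*) echo literal ;;
    */* | "~"*) echo path ;;
    *) echo other ;;
  esac
}

# in_window LINE YYYYMMDD: is the date inside the line's validity window?
# (Assumption of this example: date-only stamps, bounds count as inside.)
in_window() {
  after=$(printf '%s\n' "$1" | sed -n 's/.*valid-after="\{0,1\}\([0-9]\{8\}\).*/\1/p')
  before=$(printf '%s\n' "$1" | sed -n 's/.*valid-before="\{0,1\}\([0-9]\{8\}\).*/\1/p')
  { [ -z "$after" ] || [ "$2" -ge "$after" ]; } &&
    { [ -z "$before" ] || [ "$2" -le "$before" ]; }
}

preflight() {
  rc=0
  version_ge "$(git_version "$(git --version 2>/dev/null)")" 2.34 ||
    { echo "git >= 2.34 is required for gpg.format ssh"; rc=1; }
  version_ge "$(ssh_version "$(ssh -V 2>&1)")" 8.8 ||
    { echo "OpenSSH >= 8.8 is required for valid-after/valid-before"; rc=1; }
  [ "$(signingkey_kind "$(git config --get user.signingkey 2>/dev/null)")" != literal ] ||
    { echo "user.signingkey holds pasted key material; use a key file path"; rc=1; }
  [ -r "$(git config --type=path --get gpg.ssh.allowedSignersFile 2>/dev/null)" ] ||
    { echo "allowed_signers file is missing or unreadable"; rc=1; }
  return "$rc"
}
preflight && echo "preflight: ok"
```

Run it as the same account that the cron job or other automation uses, since that account's global Git configuration and agent are the ones that matter.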