
Forge-less SSH-signed git commits

published on 2025-05-02T06:43:26Z, last updated on 2025-05-02T06:43:26Z

One key difference I found useful when git added support for SSH signatures is that you can now just drop an authorized_keys-style file in the repository and configure it as the source of public keys.
No more horribly unreliable OpenPGP keyservers where establishing trust is rather questionable (ID cards are for citizenship and border control), and no more "Verified" badge in forges that you can't check yourself.

For this you want a file in the repository containing the git email followed by the SSH public key, and to set it as the trusted source via gpg.ssh.allowedSignersFile, like so when naming it authorized_keys.git:

# How to setup: git config gpg.ssh.allowedSignersFile authorized_keys.git
contact@hacktivis.me ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKAxeQh6KJGg89yivTtmUtjxp80inHBrL5sMdt+Kg1ed haelwenn@NightmareMoon
contact@hacktivis.me ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC6LRxSNagh9NlEYLUqA8o/4HiUStEymeyvjFtNZeEIe haelwenn@cloudchaser

As can be seen in utils-std's authorized_keys.git.

This way everyone with a copy of the git repository can verify the commit signatures on their own, entirely offline. There is also a much clearer link between the keys and the repository's identity.

One thing I haven't done but that would be interesting is verifying said signatures via git hooks when new commits are pulled, meaning that keys need to be added by someone already authorized.
Guix has done something like this, but sadly it's Lispy and built into the Guix ecosystem.