My website can't be that messy, right? git clone https://anongit.hacktivis.me/git/blog.git/

forgeless-ssh-signed-commit.xml (2562B)


<entry>
<title>Forge-less SSH-signed git commits</title>
<link rel="alternate" type="text/html" href="https://hacktivis.me/articles/forgeless-ssh-signed-commit"/>
<id>https://hacktivis.me/articles/forgeless-ssh-signed-commit</id>
<published>2025-05-02T06:43:26Z</published>
<updated>2025-05-02T06:43:26Z</updated>
<!--
<link rel="external replies" type="application/activity+json" href="https://queer.hacktivis.me/objects/50be9d37-dee6-4c69-818e-013fa3b010d0" />
<link rel="external replies" type="text/html" href="https://queer.hacktivis.me/objects/50be9d37-dee6-4c69-818e-013fa3b010d0" />
-->
<content type="xhtml">
<div xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" class="h-entry">
<p>
One key difference I found useful when git added support for SSH signatures is that you can now just drop an <code>authorized_keys</code> file in the repository and configure it as the source of trusted public keys.<br />
No more horribly unreliable OpenPGP keyservers where getting trust is rather questionable (<a href="https://hacktivis.me/articles/real%20names">ID Cards are for citizenship and border-control</a>), and no more "Verified" badge in forges that you can't check yourself.
</p>
<p>
For this you want a file in the repository containing the git email followed by the SSH public key, one key per line, and to set it as the trusted source via <code>gpg.ssh.allowedSignersFile</code>; here the file is named <code>authorized_keys.git</code>:
<pre><code>
# How to setup: git config gpg.ssh.allowedSignersFile authorized_keys.git
contact@hacktivis.me ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKAxeQh6KJGg89yivTtmUtjxp80inHBrL5sMdt+Kg1ed haelwenn@NightmareMoon
contact@hacktivis.me ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC6LRxSNagh9NlEYLUqA8o/4HiUStEymeyvjFtNZeEIe haelwenn@cloudchaser
</code></pre>
<br />
As can be seen in <a href="https://hacktivis.me/git/utils-std/file/authorized_keys.git.html">utils-std's <code>authorized_keys.git</code></a>.
</p>
<p>
This way everyone with a copy of the git repository can verify the commit signatures on their own, entirely offline.
There is also a much clearer link between the keys and the repository's identity.
</p>
<p>
One thing I haven't done but would be interesting is verifying said signatures via git-hooks when new commits are pulled, meaning that keys need to be added by someone already authorized.<br />
<a href="https://guix.gnu.org/en/blog/2024/authenticate-your-git-checkouts/">Guix has done something like this</a>, but sadly it's lispy and built into the guix ecosystem.
</p>
</div>
</content>
</entry>