My website can't be that messy, right? git clone https://anongit.hacktivis.me/git/blog.git/

forgeless-ssh-signed-commit.xml (2649B)


<!--
Copyright © 2014 Haelwenn (lanodan) Monnier
SPDX-License-Identifier: LAL-1.3
-->
<entry>
<title>Forge-less SSH-signed git commits</title>
<link rel="alternate" type="text/html" href="https://hacktivis.me/articles/forgeless-ssh-signed-commit"/>
<id>https://hacktivis.me/articles/forgeless-ssh-signed-commit</id>
<published>2025-05-02T06:43:26Z</published>
<updated>2025-05-02T06:43:26Z</updated>
<!--
<link rel="external replies" type="application/activity+json" href="https://queer.hacktivis.me/objects/50be9d37-dee6-4c69-818e-013fa3b010d0" />
<link rel="external replies" type="text/html" href="https://queer.hacktivis.me/objects/50be9d37-dee6-4c69-818e-013fa3b010d0" />
-->
<content type="xhtml">
<div xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" class="h-entry">
<p>
One key difference I found useful when git added support for SSH signatures is that you can now just drop an <code>authorized_keys</code>-style file in the repository and configure it as the source of trusted public keys.<br />
No more horribly unreliable OpenPGP keyservers, where establishing trust is rather questionable (<a href="https://hacktivis.me/articles/real%20names">ID Cards are for citizenship and border-control</a>), and no more "Verified" badge in forges that you can't check yourself.
</p>
<p>
For this you want a file in the repository containing the git email address followed by the SSH public key, and set it as the trusted source via <code>gpg.ssh.allowedSignersFile</code>. Here it is named <code>authorized_keys.git</code>:
</p>
<pre><code>
# How to set up: git config gpg.ssh.allowedSignersFile authorized_keys.git
contact@hacktivis.me ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKAxeQh6KJGg89yivTtmUtjxp80inHBrL5sMdt+Kg1ed haelwenn@NightmareMoon
contact@hacktivis.me ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC6LRxSNagh9NlEYLUqA8o/4HiUStEymeyvjFtNZeEIe haelwenn@cloudchaser
</code></pre>
<p>
As can be seen in <a href="https://hacktivis.me/git/utils-std/file/authorized_keys.git.html">utils-std's <code>authorized_keys.git</code></a>.
</p>
<p>
This way everyone with a copy of the git repository can verify the commit signatures on their own, entirely offline.
There is also a much clearer link between the keys and the repository's identity.
</p>
<p>
One thing I haven't done but would be interesting is verifying said signatures via git hooks when new commits are pulled, which would mean that keys need to be added by someone already authorized.<br />
<a href="https://guix.gnu.org/en/blog/2024/authenticate-your-git-checkouts/">Guix has done something like this</a>, but sadly it's lispy and built into the Guix ecosystem.
</p>
</div>
</content>
</entry>
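The pull-time check the last paragraph wishes for, sketched as an added example (not code from the post or its repository): a POSIX shell function that verifies every commit in a range against the authorized_keys.git taken from an already-trusted revision, so an incoming commit cannot authorize its own key. It assumes a git with SSH-signing support (2.34 or later) and ssh-keygen in PATH; the function names are mine.

```shell
#!/bin/sh
# Added example: reject commits lacking a good SSH signature from a principal
# listed in authorized_keys.git. Assumes git >= 2.34 and ssh-keygen in PATH.

# Classify one line of `git log --format='%H %G? %GS'`. Only 'G' means the
# signature verified AND the signer is in the allowed signers file; 'N' is
# unsigned, 'B' is a bad signature, anything else is untrusted/unverifiable.
check_sig_line() {
    set -- $1
    case "$2" in
        G) return 0 ;;
        N) echo "commit $1: unsigned" >&2; return 1 ;;
        B) echo "commit $1: BAD signature" >&2; return 1 ;;
        *) echo "commit $1: untrusted or unverifiable signature ($2)" >&2; return 1 ;;
    esac
}

# Read such lines on stdin; succeed only if every commit is good
# (an empty range is vacuously fine).
all_good() {
    bad=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        check_sig_line "$line" || bad=$((bad + 1))
    done
    [ "$bad" -eq 0 ]
}

# verify_range <trusted-rev> <range> [signers-path-in-tree]
# The signers file is read from the already-trusted revision, not from the
# incoming commits, so keys can only be added by someone already authorized.
verify_range() {
    trusted=$1; range=$2; path=${3:-authorized_keys.git}
    signers=$(mktemp) || return 2
    git show "$trusted:$path" > "$signers" || { rm -f "$signers"; return 2; }
    # -c overrides any repository config; the temp file is an absolute path.
    out=$(git -c gpg.ssh.allowedSignersFile="$signers" \
              log --format='%H %G? %GS' "$range") || { rm -f "$signers"; return 2; }
    rm -f "$signers"
    printf '%s\n' "$out" | all_good
}

# After a fetch:           verify_range HEAD HEAD..FETCH_HEAD
# In a server update hook: verify_range "$2" "$2..$3"   # args: refname oldrev newrev
```

A commit that adds a new key and later commits signed by that key arriving in the same range will be rejected by this simple form; accepting them requires walking the range commit by commit with each parent's signers file, which is what the Guix approach does.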