Simplify signing Git commits and tags with SSH keys

@andyfeller

📣 Prerequisites • 💡 Motivation • 🎒 Exercises • 🚀 Beyond • 📚 Resources

In this workshop, participants learn how to secure Git commits using the new OpenSSH feature. This is an alternative to the traditional method of using GPG and maintaining keys which can be somewhat cumbersome.

Note This workshop was originally presented at Git Merge 2022.

📣 Prerequisites

• Git 2.34 or newer
  • Linux
  • MacOS
  • Windows
• OpenSSH 8.0 or newer
  • Linux
  • MacOS
  • Windows

🎒 Exercises

1. Setup workstation
2. Signing and verifying commits
3. Signing and verifying merges
4. Signing and verifying tags
5. Signing past commits and tags

🚀 Beyond

1. 🤔 Author opinion: Enterprise challenges
2. 🪙 bitcoin/bitcoin verify-commits

   Tooling for verification of PGP signed commits

   This is an incomplete work in progress, but currently includes a pre-push hook script (pre-push-hook.sh) for maintainers to ensure that their own commits are PGP signed (nearly always merge commits), as well as a Python 3 script to verify commits against a trusted keys list.

3. 💻 andyfeller/gh-ssh-allowed-signers

   A gh extension to generate SSH allowed users file from GitHub users' signing keys.

4. 🎉 Vendor support
   • GitHub: GA August 23rd 2022
   • GitLab: In progress #343879
   • BitBucket: In progress BCLOUD-3166
5. 🔑 1password "Sign your Git commits with 1Password"

   We’re excited to announce that 1Password now allows you to set up and use SSH keys to sign Git commits. And with GitHub supporting SSH key signing as well, you can get that verified badge next to your username in seconds. No GPG keys required.

📚 Resources

• Git commands used for signing and verifying
  • git commit
  • git merge
  • git tag
  • git verify commit
  • git verify tag
• Git 2.34.0 release notes

✨ Thanks

This effort couldn't have happened without the support from many people, so thank you to the following who helped throughout the creation of this workshop: