
feat: Detect SSH signed objects

Brian Williams requested to merge bwill/add-ssh-signature-type into master

Support for signing Git objects with SSH keys was added in Git v2.34.0. This change allows Gitaly to detect when an object was signed with an SSH key and indicates the signature type of that object as SSH.

This will allow GitLab to verify SSH signatures with the user's SSH public key and show the Verified badge for those commits. (gitlab#343879 (closed))

To set up git to perform SSH signing:

  1. git --version must be git version 2.34.0 or newer
  2. ssh -V should be* OpenSSH_8.0p1 or newer
  3. Configure git to use SSH for signing:

       git config gpg.format ssh

  4. Configure your SSH key as the signing key:

       git config user.signingkey ~/.ssh/id_ed25519

  5. Sign a commit by passing the -S flag to git commit:

       git commit -S -m 'message'

* Git release notes claim that 8.7 is broken, but I've verified it as working with all versions of OpenSSH_8.Xp1. (It also works with versions that are even older than this, but these are out-of-support.)

Example of an SSH signed commit:

$ git cat-file -p e82f510688571ec32aeb71f77817d6cd56566440
tree 464266731de68c694223ab5f73e9e70203f92a8b
author Brian Williams <bwilliams@gitlab.com> 1642081925 -0600
committer Brian Williams <bwilliams@gitlab.com> 1642081925 -0600
gpgsig -----BEGIN SSH SIGNATURE-----
 U1NIU0lHAAAAAQAAADMAAAALc3NoLWVkMjU1MTkAAAAgtc+Qk8jhMwVZk/jFEFCM16LNQb
 30q5kK30bbetfjyTMAAAADZ2l0AAAAAAAAAAZzaGE1MTIAAABTAAAAC3NzaC1lZDI1NTE5
 AAAAQLSyv010gOFwIs9QTtDvlfIEWiAw2iQL/T9usGcxHXn/W5l0cOFCd7O+WaMDg0t0nW
 fF3T79iV8paT4/OfX8Ygg=
 -----END SSH SIGNATURE-----

This commit was signed with SSH
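To show what is inside the signature block above, here is an added Go example (written for this page, not Gitaly's or Git's code) that dearmors the commit's SSH signature and decodes the SSHSIG envelope defined in OpenSSH's PROTOCOL.sshsig: magic, version, the signer's wire-encoded public key, the "git" namespace, the hash algorithm and the signature blob. The type and function names are my own; the sample signature is the one from the commit above, with the gpgsig header's leading spaces removed. Nothing here verifies the signature; it exposes the fields a verifier needs, in particular the public key that must be matched against the user's registered keys.

```go
package main

import (
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// Constructed sample: the armored SSH signature from the commit shown in the
// merge request description, with the gpgsig header's leading spaces removed.
const sampleSig = `-----BEGIN SSH SIGNATURE-----
U1NIU0lHAAAAAQAAADMAAAALc3NoLWVkMjU1MTkAAAAgtc+Qk8jhMwVZk/jFEFCM16LNQb
30q5kK30bbetfjyTMAAAADZ2l0AAAAAAAAAAZzaGE1MTIAAABTAAAAC3NzaC1lZDI1NTE5
AAAAQLSyv010gOFwIs9QTtDvlfIEWiAw2iQL/T9usGcxHXn/W5l0cOFCd7O+WaMDg0t0nW
fF3T79iV8paT4/OfX8Ygg=
-----END SSH SIGNATURE-----`

// SSHSig holds the fields of the SSHSIG envelope (OpenSSH PROTOCOL.sshsig).
// PublicKey is the wire-encoded signer key that a verifier must match against
// the user's registered keys before the signature can be trusted.
type SSHSig struct {
	Version                     uint32
	KeyType, Namespace, HashAlg string
	PublicKey, Signature        []byte
}

// ParseSSHSig dearmors an SSH signature and decodes its envelope. It does not
// verify the signature; it only exposes what a verifier needs to know.
func ParseSSHSig(armored string) (*SSHSig, error) {
	lines := strings.Split(strings.TrimSpace(armored), "\n")
	if len(lines) < 3 || lines[0] != "-----BEGIN SSH SIGNATURE-----" ||
		lines[len(lines)-1] != "-----END SSH SIGNATURE-----" {
		return nil, errors.New("sshsig: not an armored SSH signature")
	}
	buf, err := base64.StdEncoding.DecodeString(strings.Join(lines[1:len(lines)-1], ""))
	if err != nil {
		return nil, err
	}
	if len(buf) < 10 || string(buf[:6]) != "SSHSIG" {
		return nil, errors.New("sshsig: missing SSHSIG magic")
	}
	s := &SSHSig{Version: binary.BigEndian.Uint32(buf[6:])}
	buf = buf[10:]
	// next consumes one length-prefixed SSH wire string, recording the first
	// error so malformed input cannot cause an out-of-range slice.
	next := func() []byte {
		if err == nil && (len(buf) < 4 || uint64(binary.BigEndian.Uint32(buf)) > uint64(len(buf)-4)) {
			err = errors.New("sshsig: truncated wire string")
		}
		if err != nil {
			return nil
		}
		n := binary.BigEndian.Uint32(buf)
		v := buf[4 : 4+n]
		buf = buf[4+n:]
		return v
	}
	s.PublicKey = next()
	s.Namespace = string(next())
	next() // reserved field, ignored by the protocol
	s.HashAlg = string(next())
	s.Signature = next()
	if err == nil && (s.Version != 1 || len(buf) != 0) {
		err = errors.New("sshsig: unsupported version or trailing data")
	}
	buf = s.PublicKey // the key type is the first wire string of the public key
	s.KeyType = string(next())
	if err != nil {
		return nil, err
	}
	return s, nil
}

func main() {
	s, err := ParseSSHSig(sampleSig)
	if err != nil {
		panic(err)
	}
	fmt.Printf("v%d %s key, namespace %q, hash %s, %d-byte signature\n",
		s.Version, s.KeyType, s.Namespace, s.HashAlg, len(s.Signature))
}
```

For the signature above this yields version 1, an ssh-ed25519 key, namespace "git" and sha512, which is exactly what git's SSH signing produces; the namespace check matters because the same SSH key can sign other things, and a verifier should refuse a signature made outside the "git" namespace.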

Example of an SSH signed tag:

$ git cat-file -p v0.0.1
object e82f510688571ec32aeb71f77817d6cd56566440
type commit
tag v0.0.1
tagger Brian Williams <bwilliams@gitlab.com> 1642084455 -0600

This tag is signed with SSH
-----BEGIN SSH SIGNATURE-----
U1NIU0lHAAAAAQAAADMAAAALc3NoLWVkMjU1MTkAAAAgtc+Qk8jhMwVZk/jFEFCM16LNQb
30q5kK30bbetfjyTMAAAADZ2l0AAAAAAAAAAZzaGE1MTIAAABTAAAAC3NzaC1lZDI1NTE5
AAAAQLIc5320afhaueq3HaCOnX4QslRH+6O1W7f0PpkUW9TBJlB68RxtWqnq1QWklXjWap
k/xjHFIrjfKKsDkCrNnwA=
-----END SSH SIGNATURE-----
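The two objects above show the two places a signature lives: a commit keeps it in a multi-line gpgsig header (continuation lines prefixed with a space), while a tag appends the armored block to its message. As an added example, not Gitaly's code, the following Go program locates the signature in either object and classifies it by its armor header, which is the distinction this change makes when it reports the type as SSH. The function names are my own, and both sample objects are taken from this description and embedded as constructed input.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample input: the SSH-signed commit object from this merge
// request, as "git cat-file -p" prints it (the gpgsig header's continuation
// lines are prefixed with a single space in the raw object).
const sampleCommit = `tree 464266731de68c694223ab5f73e9e70203f92a8b
author Brian Williams <bwilliams@gitlab.com> 1642081925 -0600
committer Brian Williams <bwilliams@gitlab.com> 1642081925 -0600
gpgsig -----BEGIN SSH SIGNATURE-----
 U1NIU0lHAAAAAQAAADMAAAALc3NoLWVkMjU1MTkAAAAgtc+Qk8jhMwVZk/jFEFCM16LNQb
 30q5kK30bbetfjyTMAAAADZ2l0AAAAAAAAAAZzaGE1MTIAAABTAAAAC3NzaC1lZDI1NTE5
 AAAAQLSyv010gOFwIs9QTtDvlfIEWiAw2iQL/T9usGcxHXn/W5l0cOFCd7O+WaMDg0t0nW
 fF3T79iV8paT4/OfX8Ygg=
 -----END SSH SIGNATURE-----

This commit was signed with SSH
`

// Constructed sample input: the SSH-signed tag object from this merge request.
// A tag carries its armored signature appended to the message body instead.
const sampleTag = `object e82f510688571ec32aeb71f77817d6cd56566440
type commit
tag v0.0.1
tagger Brian Williams <bwilliams@gitlab.com> 1642084455 -0600

This tag is signed with SSH
-----BEGIN SSH SIGNATURE-----
U1NIU0lHAAAAAQAAADMAAAALc3NoLWVkMjU1MTkAAAAgtc+Qk8jhMwVZk/jFEFCM16LNQb
30q5kK30bbetfjyTMAAAADZ2l0AAAAAAAAAAZzaGE1MTIAAABTAAAAC3NzaC1lZDI1NTE5
AAAAQLIc5320afhaueq3HaCOnX4QslRH+6O1W7f0PpkUW9TBJlB68RxtWqnq1QWklXjWap
k/xjHFIrjfKKsDkCrNnwA=
-----END SSH SIGNATURE-----
`

// ExtractSignature returns the armored signature embedded in a raw object:
// for commits the multi-line "gpgsig" header, for tags the block appended to
// the message. It returns "" when the object carries no signature.
func ExtractSignature(raw string) string {
	headers, body := raw, ""
	if i := strings.Index(raw, "\n\n"); i >= 0 {
		headers, body = raw[:i], raw[i+2:]
	}
	var sig []string
	for _, line := range strings.Split(headers, "\n") {
		if strings.HasPrefix(line, "gpgsig ") {
			sig = append(sig, strings.TrimPrefix(line, "gpgsig "))
		} else if len(sig) > 0 && strings.HasPrefix(line, " ") {
			sig = append(sig, line[1:]) // continuation line of the gpgsig header
		} else if len(sig) > 0 {
			break // next header: the signature is complete
		}
	}
	if len(sig) > 0 {
		return strings.Join(sig, "\n")
	}
	if i := strings.Index("\n"+body, "\n-----BEGIN "); i >= 0 {
		return strings.TrimSpace(body[i:])
	}
	return ""
}

// SignatureType classifies an armored signature by its armor header, the same
// headers Git itself distinguishes; "NONE" means the object is unsigned.
func SignatureType(sig string) string {
	switch {
	case sig == "":
		return "NONE"
	case strings.HasPrefix(sig, "-----BEGIN SSH SIGNATURE-----"):
		return "SSH"
	case strings.HasPrefix(sig, "-----BEGIN PGP SIGNATURE-----"),
		strings.HasPrefix(sig, "-----BEGIN PGP MESSAGE-----"):
		return "PGP"
	case strings.HasPrefix(sig, "-----BEGIN SIGNED MESSAGE-----"):
		return "X509"
	}
	return "UNKNOWN"
}

// DetectSignatureType is the end-to-end check: raw object in, type out.
func DetectSignatureType(raw string) string {
	return SignatureType(ExtractSignature(raw))
}

func main() {
	for name, raw := range map[string]string{"commit": sampleCommit, "tag": sampleTag} {
		fmt.Printf("%s: %s\n", name, DetectSignatureType(raw))
	}
}
```

Detecting the type only says which verifier to hand the object to; the Verified badge still depends on the signature checking out against the user's registered SSH public key, as the description says.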