Skip to content

Draft: Add support for SSH signed commits

Brian Williams requested to merge 343879-ssh-signed-commits into master

What does this MR do and why?

Describe in detail what your merge request does and why.

Support for signing Git objects with SSH keys was added in Git v2.34.0. This change allows GitLab to verify SSH signatures with the user's SSH public key and show the Verified badge for those commits. (#343879 (closed))

To setup git to perform SSH signing:

  1. git --version must be git version 2.34.0 or newer

  2. ssh -V should be* OpenSSH_8.0p1 or newer

  3. Configure git to use SSH for signing:

    git config gpg.format ssh

  4. Configure your SSH key as the signing key:

    git config user.signingkey ~/.ssh/id_ed25519

* Git release notes claim that 8.7 is broken, but I've verified it as working with all versions of OpenSSH_8.Xp1. (It also works with versions that are even older than this, but these are out-of-support.)

Example of an SSH signed commit:

$ git cat-file -p e82f510688571ec32aeb71f77817d6cd56566440
tree 464266731de68c694223ab5f73e9e70203f92a8b
author Brian Williams <bwilliams@gitlab.com> 1642081925 -0600
committer Brian Williams <bwilliams@gitlab.com> 1642081925 -0600
gpgsig -----BEGIN SSH SIGNATURE-----
 U1NIU0lHAAAAAQAAADMAAAALc3NoLWVkMjU1MTkAAAAgtc+Qk8jhMwVZk/jFEFCM16LNQb
 30q5kK30bbetfjyTMAAAADZ2l0AAAAAAAAAAZzaGE1MTIAAABTAAAAC3NzaC1lZDI1NTE5
 AAAAQLSyv010gOFwIs9QTtDvlfIEWiAw2iQL/T9usGcxHXn/W5l0cOFCd7O+WaMDg0t0nW
 fF3T79iV8paT4/OfX8Ygg=
 -----END SSH SIGNATURE-----

This commit was signed with SSH

Example of an SSH signed tag:

$ git cat-file -p v0.0.1                                                                                              🐳 k3d-cluster-image-scanning
object e82f510688571ec32aeb71f77817d6cd56566440
type commit
tag v0.0.1
tagger Brian Williams <bwilliams@gitlab.com> 1642084455 -0600

This tag is signed with SSH
-----BEGIN SSH SIGNATURE-----
U1NIU0lHAAAAAQAAADMAAAALc3NoLWVkMjU1MTkAAAAgtc+Qk8jhMwVZk/jFEFCM16LNQb
30q5kK30bbetfjyTMAAAADZ2l0AAAAAAAAAAZzaGE1MTIAAABTAAAAC3NzaC1lZDI1NTE5
AAAAQLIc5320afhaueq3HaCOnX4QslRH+6O1W7f0PpkUW9TBJlB68RxtWqnq1QWklXjWap
k/xjHFIrjfKKsDkCrNnwA=
-----END SSH SIGNATURE-----

Screenshots or screen recordings

These are strongly recommended to assist reviewers and reduce the time to merge your change.

How to set up and validate locally

Numbered steps to set up and validate the change are strongly suggested.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #343879 (closed)

Edited by Brian Williams

Merge request reports