I stopped signing stuff because I just couldn’t deal with gpg any more. At some point it broke for mysterious reasons I couldn’t figure out, and I just gave up. I’ve been wanting a better signing scheme for a long time.
For anyone wanting to try it out:

```
[user]
    signingKey = ~/.ssh/id_ed25519
[gpg]
    format = ssh
```

```
% git commit -am 'Sign me!' --gpg-sign
% git log --format=raw
author Martin Tournoij email@example.com 1635225059 +0800
committer Martin Tournoij firstname.lastname@example.org 1635225059 +0800
gpgsig -----BEGIN SSH SIGNATURE-----
 -----END SSH SIGNATURE-----
```
The gpg in a lot of the settings and flags is somewhat odd since you’re not using gpg at all, but I can see how it makes sense to group it there.
It doesn’t really integrate well with GitHub, but that’s hardly surprising given that this feature is about five hours old 🙃
You may find signify of interest. See this post from @tedu for elaboration.
There’s also minisign, which has a few improvements. But can you use it with git (or email for that matter)? Because last time I checked you couldn’t. Nothing standing in the way in principle, but the tooling/integration just isn’t there.
But not as nice UX.
Ah nice, but it’s a bit too hacky for my taste to be honest 😅 Also somewhat hard and non-obvious to verify for other people (philosophical question: “if something is securely cryptographically signed but no one can verify it, then is it signed at all?”)
Does it only support ed25519? I am still on rsa, btw, your format is screwed due to markdown.
Presumably it supports all key types; it just calls external ssh binaries like with gpg. There’s no direct gpg or ssh integration in git (as in, it doesn’t link against libgpg or libssh) and leaves everything up to the external tools. It’s just that I have an ed25519 key.
Looks like I forgot to indent some lines; can’t fix the formatting now as it’s too late to edit 🤷
One fewer set of keys to worry about sounds like a win to me.
Worth mentioning https://without.boats/blog/signing-commits-without-gpg/ and https://github.com/withoutboats/bpb
In short - signed commits with gpg, using a rust binary