1. 45

  2. 23

    I stopped signing stuff because I just couldn’t deal with gpg any more. At some point it broke for mysterious reasons I couldn’t figure out, and I just gave up. I’ve been wanting a better signing scheme for a long time.

    For anyone wanting to try it out:


    ```ini
    # ~/.gitconfig
    [user]
        signingKey = ~/.ssh/id_ed25519
    [gpg]
        format = ssh
    ```

    ```
    % git commit -am 'Sign me!' --gpg-sign
    % git log --format=raw
    commit 74d2eb36642937c31b096419fe882259572e42e3
    tree 7a6a8614e03d217dea76f28edbc6652666932df8
    parent 8c8db6f1bd0ec29cfffc1cf0d0f91f637e8fbd26
    author Martin Tournoij <martin@arp242.net> 1635225059 +0800
    committer Martin Tournoij <martin@arp242.net> 1635225059 +0800
    gpgsig -----BEGIN SSH SIGNATURE-----
     U1NIU0lHAAAAAQAAADMAAAALc3NoLWVkMjU1MTkAAAAg6w5WB1nhvFYmOIc/hxLj2dkuME
     4oQcQrLs1oQsRdZ68AAAADZ2l0AAAAAAAAAAZzaGE1MTIAAABTAAAAC3NzaC1lZDI1NTE5
     AAAAQDPTXV5wPb0Yzt0VaVpk5/83TKw5MklAb0DkQkVT99Ib+MwaTIirb1kG1m54akzfn+
     Bb3vV9YYRjjCHnie5ziwU=
     -----END SSH SIGNATURE-----

        Sign me!
    ```

    The gpg in a lot of the settings and flags is somewhat odd since you’re not using gpg at all, but I can see how it makes sense to group it there.

    It doesn’t really integrate well with GitHub, but that’s hardly surprising given that this feature is about five hours old 🙃
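    Since the thread asks how anyone else can check such a signature, here is an added example (not from the post or from git) that decodes the SSH signature blob above into its fields, following OpenSSH's PROTOCOL.sshsig layout, and rebuilds the exact bytes the key signs. It assumes the payload is what git hands to ssh-keygen, the commit object with the gpgsig header removed; it does not run the ed25519 check itself (that is the job of `ssh-keygen -Y verify`, which `git verify-commit` calls).

```python
import base64
import hashlib
import struct

# The armored blob from the git log output above, pasted here as sample input.
SIG = """-----BEGIN SSH SIGNATURE-----
U1NIU0lHAAAAAQAAADMAAAALc3NoLWVkMjU1MTkAAAAg6w5WB1nhvFYmOIc/hxLj2dkuME
4oQcQrLs1oQsRdZ68AAAADZ2l0AAAAAAAAAAZzaGE1MTIAAABTAAAAC3NzaC1lZDI1NTE5
AAAAQDPTXV5wPb0Yzt0VaVpk5/83TKw5MklAb0DkQkVT99Ib+MwaTIirb1kG1m54akzfn+
Bb3vV9YYRjjCHnie5ziwU=
-----END SSH SIGNATURE-----"""

def _sshstr(buf, off):
    """Read one SSH wire string: uint32 big-endian length, then that many bytes."""
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def parse_sshsig(armored):
    """Decode an armored SSHSIG blob into its fields (PROTOCOL.sshsig, version 1)."""
    lines = [l.strip() for l in armored.strip().splitlines()]
    if lines[0] != "-----BEGIN SSH SIGNATURE-----" or lines[-1] != "-----END SSH SIGNATURE-----":
        raise ValueError("not an armored SSH signature")
    blob = base64.b64decode("".join(lines[1:-1]))
    if blob[:6] != b"SSHSIG":
        raise ValueError("bad magic")
    version = struct.unpack_from(">I", blob, 6)[0]
    off = 10
    pubkey, off = _sshstr(blob, off)      # the signer's public key, SSH wire encoding
    namespace, off = _sshstr(blob, off)   # "git" for commits and tags
    reserved, off = _sshstr(blob, off)    # must be empty in version 1
    hash_alg, off = _sshstr(blob, off)    # hash applied to the payload, e.g. "sha512"
    signature, off = _sshstr(blob, off)   # algorithm name + raw signature bytes
    if off != len(blob) or reserved:
        raise ValueError("malformed SSHSIG")
    key_type, _ = _sshstr(pubkey, 0)
    sig_type, so = _sshstr(signature, 0)
    raw_sig, _ = _sshstr(signature, so)
    return {
        "version": version, "key_type": key_type.decode(), "namespace": namespace.decode(),
        "hash_alg": hash_alg.decode(), "sig_type": sig_type.decode(), "sig_len": len(raw_sig),
        # same text form as an authorized_keys / allowed_signers entry for this key
        "public_key": key_type.decode() + " " + base64.b64encode(pubkey).decode(),
    }

def signed_data(fields, payload):
    """Bytes the key actually signs: MAGIC || namespace || reserved || hash_alg || H(payload).
    The namespace is bound in, so a "git" signature cannot be replayed as a file or email signature."""
    digest = hashlib.new(fields["hash_alg"], payload).digest()
    s = lambda b: struct.pack(">I", len(b)) + b
    return b"SSHSIG" + s(fields["namespace"].encode()) + s(b"") + s(fields["hash_alg"].encode()) + s(digest)
```

    To verify for real, put the `public_key` line (prefixed with the signer's email) into the file named by `gpg.ssh.allowedSignersFile` and run `git verify-commit`.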

    1. 2

      You may find signify of interest. See this post from @tedu for elaboration.

      1. 2

        There’s also minisign, which has a few improvements. But can you use it with git (or email for that matter)? Because last time I checked you couldn’t. Nothing standing in the way in principle, but the tooling/integration just isn’t there.

          1. 1

            Ah nice, but it’s a bit too hacky for my taste to be honest 😅 Also somewhat hard and non-obvious to verify for other people (philosophical question: “if something is securely cryptographically signed but no one can verify it, then is it signed at all?”)

      2. 1

        Does it only support ed25519? I am still on rsa. Btw, your format is screwed due to markdown.

        1. 2

          Presumably it supports all key types; it just calls external ssh binaries like with gpg. There’s no direct gpg or ssh integration in git (as in, it doesn’t link against libgpg or libssh) and leaves everything up to the external tools. It’s just that I have an ed25519 key.

          Looks like I forgot to indent some lines; can’t fix the formatting now as it’s too late to edit 🤷

      3. 4

        One fewer set of keys to worry about sounds like a win to me.

        1. 1

          Worth mentioning https://without.boats/blog/signing-commits-without-gpg/ and https://github.com/withoutboats/bpb

          In short - signed commits with gpg, using a rust binary