Git SSH Signing

SSH Key Signing (Git 2.34+)

Git 2.34 (released November 2021) introduced support for signing commits and tags with SSH keys, the same keys most developers already use for authentication. Git shells out to ssh-keygen -Y for both signing and verification, so you also need OpenSSH 8.2 or newer on every machine that signs or verifies. SSH signing is simpler than GPG: there is no keyserver to manage, no web of trust, no key expiry complexity, and no need to install GnuPG. If you already have an SSH key for pushing to GitHub, you can start signing commits with minimal additional configuration.

Initial Setup

Configure Git to use SSH for signing

Bash
# Tell Git to use SSH format instead of GPG
git config --global gpg.format ssh

# Point Git to your key: the .pub path works when the private key is loaded in
# ssh-agent; otherwise give the path to the private key
git config --global user.signingKey ~/.ssh/id_ed25519.pub

# Enable automatic signing for all commits
git config --global commit.gpgsign true

# Enable automatic signing for all tags
git config --global tag.gpgsign true
Tip
If you do not have an SSH key yet, generate one: `ssh-keygen -t ed25519 -C "your@email.com"`. Ed25519 keys are modern, fast, and recommended over RSA for SSH signing.
Signing a Commit

The signing command is identical to GPG — Git automatically uses the configured format.

Sign a commit

Bash
# Manual signing (if gpgsign is not set globally)
git commit -S -m "feat: add payment integration"

# With gpgsign=true, just commit normally
git commit -m "feat: add payment integration"
Setting Up the Allowed Signers File

Unlike GPG, which looks signers up in a keyring, SSH signature verification (ssh-keygen -Y verify, which Git runs for you) needs an allowed signers file that maps principals, normally email addresses, to public keys. You must create this file and tell Git where it is; without it, git verify-commit reports an error instead of a good signature.

Create the allowed signers file

Bash
# Create the file; each line is: principal(s) [options] keytype base64-key [comment]
mkdir -p ~/.config/git
printf '%s namespaces="git" %s\n' "$(git config user.email)" "$(cat ~/.ssh/id_ed25519.pub)" >> ~/.config/git/allowed_signers

# Configure Git to use the file
git config --global gpg.ssh.allowedSignersFile ~/.config/git/allowed_signers

Example allowed_signers file format (one entry per line: comma-separated principals, optional options, key type, key, optional comment)

Text
jane@example.com namespaces="git" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI...publickey...
bob@example.com namespaces="git" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI...anotherkeyhere...

For team verification, put every member's public key in a shared allowed signers file and have each member point gpg.ssh.allowedSignersFile at it. Committing that file to the repository (for example as .gitsigners) is convenient, but it then lives inside the history it is meant to vouch for: anyone who can push to that branch can add a key. Protect the branch, review changes to the file as the trust decisions they are, and keep a copy outside the repository for verifying older history.
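Maintaining a shared allowed signers file raises two recurring questions: is every line well formed, and which entries currently let a given principal sign in the git namespace? The following Python script is an added example (not Git's or OpenSSH's code) that answers both. It re-implements the part of the ssh-keygen ALLOWED SIGNERS grammar Git relies on (comma-separated principals; the cert-authority, namespaces, valid-after and valid-before options; key type; base64 key; optional comment), checks that the type named in the text matches the type embedded in the key blob, and prints fingerprints in the SHA256 form git log --show-signature uses. The two keys and the sample file are constructed from fixed bytes, not real keys. Two simplifications are this script's own assumptions: timestamps without a Z suffix are treated as UTC (ssh-keygen reads them as local time), and a second field starting with ssh-, ecdsa- or sk- is taken to be a key type rather than an option list.

```python
"""Lint an allowed_signers file and ask "who may sign in namespace X at time T?".
Added example, not Git's or OpenSSH's code; the keys and file at the bottom are constructed."""
import base64
import hashlib
import struct
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

KNOWN_OPTIONS = {"cert-authority", "namespaces", "valid-after", "valid-before"}


@dataclass
class Signer:
    principals: List[str]
    options: Dict[str, str]  # option name -> value ("" for the cert-authority flag)
    key_type: str
    key_blob: bytes          # decoded wire-format public key
    comment: str = ""

    def fingerprint(self) -> str:
        # Same form as `ssh-keygen -lf` and git's "with ED25519 key SHA256:..." line.
        return "SHA256:" + base64.b64encode(hashlib.sha256(self.key_blob).digest()).decode().rstrip("=")

    def allows_namespace(self, ns: str) -> bool:
        # An entry without a namespaces option matches every namespace.
        return "namespaces" not in self.options or ns in self.options["namespaces"].split(",")

    def valid_at(self, when: datetime) -> bool:
        after, before = self.options.get("valid-after"), self.options.get("valid-before")
        return not (after and when < parse_timestamp(after)) and not (before and when >= parse_timestamp(before))


def parse_timestamp(value: str) -> datetime:
    # YYYYMMDD, YYYYMMDDHHMM or YYYYMMDDHHMMSS with optional Z. Simplification: values without
    # Z are treated as UTC as well, whereas ssh-keygen reads them as local time.
    value = value[:-1] if value.endswith("Z") else value
    fmt = {8: "%Y%m%d", 12: "%Y%m%d%H%M", 14: "%Y%m%d%H%M%S"}.get(len(value))
    if fmt is None:
        raise ValueError(f"bad timestamp {value!r}")
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def parse_options(text: str) -> Dict[str, str]:
    # Comma-separated, but commas inside quotes belong to the value (namespaces="git,file").
    opts, buf, quoted = {}, "", False
    for ch in text + ",":
        if ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            name, _, value = buf.partition("=")
            if name not in KNOWN_OPTIONS:
                raise ValueError(f"unknown option {name!r}")
            opts[name], buf = value, ""
        else:
            buf += ch
    return opts


def parse_line(line: str) -> Optional[Signer]:
    """Signer for one line, None for blank/comment lines, ValueError when malformed."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    # Assumption: field 2 is an options list unless it already names a key type
    # (ssh-keygen instead simply tries to parse it as a key).
    has_options = len(fields) > 1 and not fields[1].startswith(("ssh-", "ecdsa-", "sk-"))
    idx = 2 if has_options else 1
    if len(fields) < idx + 2:
        raise ValueError(f"missing key type or key: {line!r}")
    options = parse_options(fields[1]) if has_options else {}
    key_type, comment = fields[idx], " ".join(fields[idx + 2:])
    blob = base64.b64decode(fields[idx + 1], validate=True)
    # The blob starts with a length-prefixed type string that must agree with the text field.
    (tlen,) = struct.unpack(">I", blob[:4])
    embedded = blob[4:4 + tlen].decode()
    if embedded != key_type:
        raise ValueError(f"declared {key_type} but blob contains {embedded}")
    return Signer(fields[0].split(","), options, key_type, blob, comment)


def lint(text: str) -> List[str]:
    """One message per unparseable line; an empty list means the file is clean."""
    problems = []
    for n, line in enumerate(text.splitlines(), 1):
        try:
            parse_line(line)
        except (ValueError, struct.error) as exc:
            problems.append(f"line {n}: {exc}")
    return problems


def lookup(text: str, principal: str, ns: str = "git", when: Optional[str] = None) -> List[Signer]:
    """Entries letting `principal` sign in namespace `ns` at `when` (timestamp string; default now)."""
    at = parse_timestamp(when) if when else datetime.now(timezone.utc)
    return [s for s in map(parse_line, text.splitlines())
            if s and principal in s.principals and s.allows_namespace(ns) and s.valid_at(at)]


def make_ed25519_pubkey(raw32: bytes) -> str:  # builds constructed test keys only
    return base64.b64encode(struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw32).decode()


JANE_KEY = make_ed25519_pubkey(bytes(range(32)))     # constructed, not a real key
BOB_KEY = make_ed25519_pubkey(bytes(range(32, 64)))  # constructed, not a real key
SAMPLE = f"""# constructed allowed_signers for this example
jane@example.com namespaces="git" ssh-ed25519 {JANE_KEY} jane@laptop
bob@example.com namespaces="git",valid-before="20240101Z" ssh-ed25519 {BOB_KEY}
"""
```

Run lint over the file in CI before merging a change to .gitsigners; a type mismatch or unknown option is exactly the kind of error that would otherwise surface as a mysterious verification failure on someone else's machine. lookup with a valid-before date in the past returns nothing for bob, which is how a time-boxed entry reads to ssh-keygen as well.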

Verifying a Signed Commit

Verify a commit signature

Bash
git verify-commit HEAD

Good SSH signature output. The address after "for" is the principal of the allowed signers entry that matched the key, not the commit's author or committer; Git does not check that the two agree, so a reviewer or CI job has to compare the principal with the committer email itself.

Text
Good "git" signature for jane@example.com with ED25519 key SHA256:abc123defgh456ij789klmno012pqrst345uvwxyz

View signatures in git log

Bash
git log --show-signature -1

Log output with SSH signature

Text
commit 7d3e5f2a1b9c4d6e8f0a2b4c6d8e0f1a3b5c7d9e
Good "git" signature for jane@example.com with ED25519 key SHA256:abc123...
Author: Jane Smith <jane@example.com>
Date:   Tue Jan 15 14:32:45 2023

    feat: add payment integration
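A Good line establishes that the signing key is listed in the allowed signers file under some principal, nothing more. The following Python gate is an added example (not Git's own code) of closing that gap in CI: it reads git log with a custom --format (the %H, %G?, %GS, %GK and %ce placeholders are Git's; the field separator, the audit and audit_range functions and the policy are this example's), rejects any commit whose status is not G, rejects commits whose signer principal differs from the committer email, and optionally pins the set of acceptable key fingerprints. The four log lines at the bottom are constructed sample output with placeholder hashes and a placeholder fingerprint; audit_range shows the real invocation and needs git, ssh-keygen and a configured allowed signers file.

```python
"""CI gate over `git log` signature fields. Added example, not Git's own code; the
log lines at the bottom are constructed sample output with placeholder hashes."""
import subprocess
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

SEP = "\x1f"  # ASCII unit separator: none of the selected fields can contain it
LOG_FORMAT = "%H%x1f%G?%x1f%GS%x1f%GK%x1f%ce"


@dataclass
class CommitSig:
    sha: str
    status: str     # %G?: G good, B bad, U untrusted, X/Y expired, R revoked, E error, N unsigned
    signer: str     # %GS: for SSH, the principal of the allowed_signers entry that matched
    key: str        # %GK: for SSH, the key fingerprint (SHA256:...)
    committer: str  # %ce


def parse_log(text: str) -> List[CommitSig]:
    commits = []
    for line in text.splitlines():
        if line:
            parts = line.split(SEP)
            if len(parts) != 5:
                raise ValueError(f"unexpected log line: {line!r}")
            commits.append(CommitSig(*parts))
    return commits


def audit(text: str, trusted_keys: Optional[Iterable[str]] = None) -> Dict[str, str]:
    """Map sha -> reason for every commit that fails policy; an empty dict means the range is clean."""
    trusted = set(trusted_keys) if trusted_keys is not None else None
    failures = {}
    for c in parse_log(text):
        if c.status != "G":
            failures[c.sha] = f"signature status {c.status!r}"
        elif c.signer != c.committer:
            # Git checked only that the key is listed in allowed_signers under *some*
            # principal; tying that principal to the committer is up to us.
            failures[c.sha] = f"signed by {c.signer} but committed by {c.committer}"
        elif trusted is not None and c.key not in trusted:
            failures[c.sha] = f"key {c.key} is not in the trusted set"
    return failures


def audit_range(rev_range: str = "origin/main..HEAD", **kwargs) -> Dict[str, str]:
    """Audit real history (needs git, ssh-keygen and gpg.ssh.allowedSignersFile configured)."""
    out = subprocess.run(["git", "log", f"--format={LOG_FORMAT}", rev_range],
                         check=True, capture_output=True, text=True).stdout
    return audit(out, **kwargs)


def _line(sha: str, status: str, signer: str, key: str, committer: str) -> str:
    return SEP.join([sha, status, signer, key, committer])


JANE_FP = "SHA256:constructedJaneFingerprint"  # placeholder, not a real fingerprint
SAMPLE_LOG = "\n".join([
    _line("a" * 40, "G", "jane@example.com", JANE_FP, "jane@example.com"),     # passes
    _line("b" * 40, "G", "jane@example.com", JANE_FP, "mallory@example.com"),  # listed key, other committer
    _line("c" * 40, "N", "", "", "bob@example.com"),                           # unsigned
    _line("d" * 40, "B", "", "", "jane@example.com"),                          # bad signature
])

if __name__ == "__main__":
    for sha, why in audit(SAMPLE_LOG, trusted_keys={JANE_FP}).items():
        print(f"REJECT {sha[:12]} {why}")
```

The second sample line is the case worth noticing: Git itself reports a Good signature for it, because jane's key is in the file, yet the committer is someone else. Rebases and cherry-picks by a maintainer re-sign with that maintainer's key, so the signer/committer rule holds for normal workflows.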
Adding SSH Signing Key to GitHub

GitHub requires you to add your SSH key as a signing key separately from your authentication key. They can be the same key, but they are registered separately in GitHub Settings.

  • Go to GitHub → Settings → SSH and GPG keys

  • Click New SSH key

  • Set the Key type dropdown to Signing Key (not Authentication Key)

  • Paste your public key content (from cat ~/.ssh/id_ed25519.pub)

  • GitHub will now show a Verified badge on your SSH-signed commits, provided the committer email in the commit is a verified address on your GitHub account

SSH Signing vs GPG Signing

Dimension              SSH Signing                                                GPG Signing
---------------------  ---------------------------------------------------------  ------------------------------------------------
Git version required   Git 2.34+ (Nov 2021), plus ssh-keygen -Y (OpenSSH 8.2+)   All versions
Key generation         ssh-keygen -t ed25519                                      gpg --full-generate-key
Key management         Plain key files                                            GPG keyring, more moving parts
Keyserver              Not needed                                                 Optional, used for key distribution
Key expiry             None on the key itself; validity windows are declared      Expiry date can be set at generation
                       per entry in allowed_signers (valid-after / valid-before)
Verification           Requires an allowed_signers file                           Requires the signer's public key in your keyring
GitHub support         Yes (upload the key as a Signing Key)                      Yes (upload the public key)
Revocation             Remove the allowed_signers entry, or list the key in a     Revocation certificate, optionally published to
                       KRL via gpg.ssh.revocationFile                             a keyserver
Existing key reuse     Yes, your authentication key can sign                      Separate key required
Windows compatibility  Good (OpenSSH client ships with Windows 10 1809+)          Requires a GnuPG install (e.g. Gpg4win)

Why SSH Signing is Becoming Preferred
  • Zero new tooling — if you already push via SSH, you already have everything you need

  • No keyserver complexity — GPG's web of trust is powerful but overkill for most development teams

  • No expiry surprises — GPG keys often carry an expiry date, and once it passes signatures made with that key are flagged as expired until it is extended; plain SSH keys have no expiry, and any validity window you want is declared per entry in allowed_signers (valid-after / valid-before)

  • Simpler team setup — an allowed_signers file in the repo is easier to maintain than distributing GPG public keys

  • Cross-platform — OpenSSH ships with macOS, most Linux distributions, and Windows 10 (1809 and later) out of the box

  • GitHub supports it — GitHub has verified SSH-signed commits since August 2022, so the simpler setup still earns the Verified badge

Note
Both SSH and GPG signing are valid and produce the "Verified" badge on GitHub. The choice mainly comes down to what tooling your team already has and how comfortable you are with GPG's more complex key management. For new setups, SSH signing is the simpler path.