How to Enable and Verify Git SSH Signatures After GitHub Support
This guide explains why Git commits need signing, how to create and verify SSH signatures with ssh-keygen, configure Git to use SSH signing, view signed commits, and integrate the setup with GitHub and tools like tig.
Git can sign commits to prevent identity spoofing, traditionally using GPG, which many users find cumbersome. Since Git 2.34, SSH signatures are supported, leveraging users' existing SSH keys. GitHub recently added support for displaying SSH signatures, making the feature practical.
Why Sign Git Commits?
Commit metadata (author name and email) can be arbitrarily set, allowing anyone to claim authorship. By signing commits with an asymmetric key pair and publishing the public key, others can verify that changes truly originate from the claimed author.
Generating an SSH Signature
Use the following command to sign a file:

ssh-keygen -Y sign -f ~/.ssh/id_ed25519 -n file /tmp/a.txt

Parameters:
-Y sign: compute a signature
-f: specify the private key
-n file: set a custom signature type (namespace) to avoid conflicts; "file" here is the user-defined type identifier
The command produces /tmp/a.txt.sig containing a PEM‑like SSH signature block.
Verifying an SSH Signature
Create an allowed_signers file listing trusted public keys, e.g.:
[email protected] ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILpSjbp5HFcYg82NMJqiaOKwBvSwpRkavZjHwPz6rCmJ ts@tc
Verify with:

ssh-keygen -Y verify -f allowed_signers -I [email protected] -n file -s /tmp/a.txt.sig < /tmp/a.txt

Successful verification prints a "Good \"file\" signature" line; failure reports "Signature verification failed".
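The sign-and-verify procedure above, run end to end as a script (an added example, not part of the original article). It generates a throwaway ed25519 key for the constructed principal demo@example.invalid, writes an allowed_signers entry restricted to the file namespace, and then checks the good case alongside three rejections a verifier should produce: tampered data, wrong namespace, and a principal that is not listed.

```shell
#!/bin/sh
# Added example: ssh-keygen -Y sign / -Y verify with a throwaway key.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PRINCIPAL=demo@example.invalid   # constructed identity used in allowed_signers and -I

# 1. Throwaway ed25519 key pair with no passphrase (demo only).
ssh-keygen -q -t ed25519 -N '' -C "$PRINCIPAL" -f "$WORK/id_demo"

# 2. allowed_signers line: principal, key restricted to the "file" namespace, public key.
printf '%s namespaces="file" %s\n' "$PRINCIPAL" "$(cut -d' ' -f1,2 "$WORK/id_demo.pub")" \
    > "$WORK/allowed_signers"

# 3. Sign the file under the "file" namespace; ssh-keygen writes a.txt.sig next to it.
printf 'release notes v1\n' > "$WORK/a.txt"
ssh-keygen -Y sign -f "$WORK/id_demo" -n file "$WORK/a.txt" >/dev/null 2>&1

# verify_as PRINCIPAL NAMESPACE DATAFILE SIGFILE -> exit 0 only for a good signature.
verify_as() {
    ssh-keygen -Y verify -f "$WORK/allowed_signers" -I "$1" -n "$2" -s "$4" \
        < "$3" >/dev/null 2>&1
}

# Genuine data, listed principal, matching namespace: accepted.
good_signature() { verify_as "$PRINCIPAL" file "$WORK/a.txt" "$WORK/a.txt.sig"; }

# Modified content: the signature no longer covers these bytes, so it is rejected.
tampered_content() {
    printf 'release notes v1 (edited)\n' > "$WORK/b.txt"
    ! verify_as "$PRINCIPAL" file "$WORK/b.txt" "$WORK/a.txt.sig"
}

# Same bytes and key, but checked as a "git" namespace signature: rejected.
wrong_namespace() { ! verify_as "$PRINCIPAL" git "$WORK/a.txt" "$WORK/a.txt.sig"; }

# Principal absent from allowed_signers: rejected even though the key is valid.
unknown_principal() { ! verify_as someone-else@example.invalid file "$WORK/a.txt" "$WORK/a.txt.sig"; }

# One-line verdict per case when the script is run directly.
for check in good_signature tampered_content wrong_namespace unknown_principal; do
    if "$check"; then echo "$check: behaves as expected"; else echo "$check: UNEXPECTED"; fi
done
```

Requires an OpenSSH release that provides ssh-keygen -Y (8.0 or newer); the namespaces= restriction in allowed_signers is what stops a key meant for file signing from being accepted for commits.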
Configuring Git to Use SSH Signing
Add the following settings:
# Use SSH signatures
git config gpg.format ssh
# Specify the signing key: the path to the SSH public key file (the private key is then taken from ssh-agent or the matching key file)
git config user.signingKey ~/.ssh/id_ed25519.pub
# Path to the allowed signers file
git config gpg.ssh.allowedSignersFile "$HOME/.config/git/allowed_signers"
# Optional: auto‑sign commits and tags
git config commit.gpgsign true
git config tag.gpgsign true

With auto-signing enabled, every commit is signed; otherwise add -S to git commit to sign a single commit.
Viewing Signature Information
Use git show --show-signature (or add --show-signature to tig's log/diff options) to display the embedded SSH signature line starting with gpgsig. Commits signed by Git use the git namespace (the equivalent of -n git), not the file namespace used in the manual example above.
Where Git Stores the Signature
The signature is stored in the commit or tag object under the gpgsig header. You can inspect it with git cat-file commit <hash>, which shows the full -----BEGIN SSH SIGNATURE----- block.
GitHub Support
GitHub now displays SSH signatures after uploading the corresponding public key (specifying the key type). The key must be uploaded separately from authentication keys, even if they are the same.
Liangxu Linux
Liangxu, a self-taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge: fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc.