Is there a quick command to check if I signed a specific commit?
(notice I'm not asking how to verify a signature. I just want to know: is the commit signed? yes or no)
I tried the following, but all of them tell me the commit is NOT signed:
git log --show-signature HEAD -1
git verify-commit HEAD
git log --pretty="format:%h (%aN) %G? %GG %GK %GF" HEAD -1
All of the above show something for GPG signatures, but tell me "No signature" if the commit was signed with an SSH key.
The only command that tells the whole truth is cat-file commit:
$ git cat-file commit HEAD
tree 896fba0491baa9f122a2eae5bcd8b052c6481272
parent 97031bccd6744e24028be294059e5a24a454cb58
author [...]
committer [...]
gpgsig -----BEGIN SSH SIGNATURE-----
[...]
-----END SSH SIGNATURE-----
[...]
My signed commits get marked as Verified on GitHub, as expected.
I am guessing SSH signature checks are not as well supported as GPG signature checks. I can even imagine why more security-conscious maintainers of git may dislike SSH signing support.
But my original, practical question remains. Is there a more convenient way than cat-file to verify I signed a commit?
If you only need to verify the signatures of some users (e.g. double-check that your commit is signed before pushing it to GitHub), these are the steps.
When I run git verify-commit HEAD, the error message gives a hint of the necessary actions:
error: gpg.ssh.allowedSignersFile needs to be configured and exist for ssh signature verification
It seems git ignores a signature it cannot verify, i.e. it does not report an existing signature that could not be verified.
In order to allow git to recognize the SSH signature, you need to tell it whether that SSH key is valid for a given user.
For that you need to create a file in the format of "ALLOWED SIGNERS" from man ssh-keygen.
For example, create a file ~/.config/git/allowed_signers with content:
user@example.com ssh-ed25519 AAAB4..
Then configure git to use it for SSH signature verification:
git config --global gpg.ssh.allowedSignersFile ~/.config/git/allowed_signers
Now, git log --show-signature would show that a commit is signed:
$ git log --show-signature -1
commit 9c4cbb031d1d6c49dee19713747a828702a8e42a
Good "git" signature for user@example.com with ED25519 key ...
Author: User <user@example.com>
Date: ...
Also, git would report if a commit has a valid SSH signature.
$ git verify-commit HEAD
Good "git" signature for user@example.com with ED25519 key ...
Of course, you would need to add each trusted user and their key.
Source: https://blog.dbrgn.ch/2021/11/16/git-ssh-signatures/
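As an added example (not part of the question or the answer above, and not git's own code), a small POSIX shell helper that answers the bare yes/no question by inspecting the commit object's headers, which works even without an allowed-signers file because it never asks git to verify anything. The sample commit text is constructed; the `commit_is_signed` wrapper assumes `git` is on PATH and is run inside a repository.

```shell
#!/bin/sh
# signature_kind: read raw "git cat-file commit <rev>" text on stdin and print
# ssh, pgp, other (signed with something else) or none. Only the header block
# (everything before the first blank line) is inspected, so a "BEGIN ... SIGNATURE"
# string inside the commit message body is not mistaken for a signature.
signature_kind() {
  awk '
    /^$/ { exit }                              # end of headers: stop scanning
    /^gpgsig(-sha256)? / {                     # signature header (sha256 repos use gpgsig-sha256)
      found = 1
      if ($0 ~ /BEGIN SSH SIGNATURE/)      print "ssh"
      else if ($0 ~ /BEGIN PGP SIGNATURE/) print "pgp"
      else                                 print "other"
      exit
    }
    END { if (!found) print "none" }           # END still runs after exit in awk
  '
}

# commit_is_signed [rev]: print the signature kind and succeed iff a signature exists.
# This answers "is it signed?" rather than "is the signature valid?".
commit_is_signed() {
  kind=$(git cat-file commit "${1:-HEAD}" | signature_kind)
  echo "$kind"
  [ "$kind" != "none" ]
}

# Constructed sample (not a real commit) mirroring the cat-file output in the question;
# the base64 body is a placeholder, not a real signature.
SAMPLE_SSH_COMMIT='tree 896fba0491baa9f122a2eae5bcd8b052c6481272
parent 97031bccd6744e24028be294059e5a24a454cb58
author User <user@example.com> 1700000000 +0000
committer User <user@example.com> 1700000000 +0000
gpgsig -----BEGIN SSH SIGNATURE-----
 U1NIU0lHAAAAAQAAADMAAAALc3NoLWVkMjU1MTkAAAAgPLACEHOLDER
 -----END SSH SIGNATURE-----

Example commit message'

# sample_kind: classify the constructed sample (expected: ssh).
sample_kind() { printf '%s\n' "$SAMPLE_SSH_COMMIT" | signature_kind; }
```

Run `commit_is_signed HEAD` before pushing; an exit status of 0 means a signature header is present, whether or not git can currently verify it.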