
SSH and Commit Signing

This tutorial will guide you through setting up an SSH key and commit signing for GitHub. SSH keys are a more secure way to connect to GitHub than other protocols such as HTTPS. Commit signing is used to verify that commits are coming from you and have not been tampered with.

Warning

You must have a verified email address on GitHub to add SSH keys and sign commits.

Create an SSH Key

In a bash terminal, follow the steps for your operating system.

Windows:

ssh-keygen -t ed25519 -C "your_github_email@example.com"

When prompted, save to the default location c:/Users/YOU/.ssh/id_ed25519 and do not enter a passphrase. This will allow you to use the key without entering a password every time you push to GitHub.

Continue with the following commands:

cat c:/Users/YOU/.ssh/id_ed25519.pub | clip
eval "$(ssh-agent -s)"
ssh-add c:/Users/YOU/.ssh/id_ed25519

macOS:

ssh-keygen -t ed25519 -C "your_github_email@example.com"

When prompted, save to the default location ~/.ssh/id_ed25519 and do not enter a passphrase. This will allow you to use the key without entering a password every time you push to GitHub.

Continue with the following commands:

pbcopy < ~/.ssh/id_ed25519.pub
eval "$(ssh-agent -s)"
ssh-add ~/.ssh/id_ed25519

In both cases the first command copies the public key (id_ed25519.pub) to the clipboard. The private key file id_ed25519 has no passphrase and is stored unencrypted, so it should never be copied, pasted or shared.

To add the key to your GitHub account, go to https://github.com/settings/ssh/new.

  • Name your key something descriptive.
  • Select "Authentication Key" as the key type.
  • Paste the contents of id_ed25519.pub into the "Key" box.
  • Click "Add SSH Key".

Open another terminal to test your connection to GitHub by entering the following command:

ssh -T git@github.com

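Type "yes" when it asks if you want to continue connecting. Before answering, you can compare the host key fingerprint shown in the prompt with the fingerprints GitHub publishes in its documentation. You should see a message like "Hi username! You've successfully authenticated, but GitHub does not provide shell access."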

Enable Commit Signing

To add a signing key to your GitHub account, go to https://github.com/settings/ssh/new.

  • Name your key something descriptive.
  • Select "Signing Key" as the key type.
  • Paste the contents of id_ed25519.pub into the "Key" box.
  • Click "Add SSH Key".

Update your git configuration in your terminal to automatically sign commits with your key.

Windows:

git config --global user.signingkey c:/Users/YOU/.ssh/id_ed25519
git config --global gpg.format ssh
git config --global commit.gpgsign true

macOS:

git config --global user.signingkey ~/.ssh/id_ed25519
git config --global gpg.format ssh
git config --global commit.gpgsign true

Enable Vigilant Mode

Go to https://github.com/settings/ssh and scroll down to the "Vigilant Mode" section. Enable "Enable Vigilant Mode".

This will now mark and display all of your commits with a signature verification status tag.

Verify your commits are signed by checking your commit history on GitHub for "Verified" tags.

Set Repo to Use SSH

It is likely your repository is using HTTPS to connect to GitHub. To check which remote URL is currently being used, run the following terminal command inside of a repository:

git remote -v

To convert to SSH, run the following command, replacing orgname and reponame with your GitHub organization and repository names (e.g. macformula and racecar):

git remote set-url origin git@github.com:orgname/reponame.git

To avoid this manual configuration in the future, clone repositories using their SSH URL instead of HTTPS.
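
The manual conversion above, generalized to every remote of a repository, as an added example that is not part of the original tutorial. It goes beyond the single command by also handling URLs without .git and HTTPS URLs that carry embedded credentials; the function names github_ssh_url and convert_remotes are hypothetical.

```shell
#!/bin/sh
# Added example, not from the tutorial. github_ssh_url and convert_remotes
# are hypothetical helper names.

# Print the SSH form of a GitHub remote URL.
# Exit status: 0 = converted, 1 = already SSH, 2 = not a github.com repo URL.
github_ssh_url() {
    url=$1
    case $url in
        git@github.com:*|ssh://git@github.com/*)
            printf '%s\n' "$url"; return 1 ;;
        https://*) rest=${url#https://} ;;
        *) return 2 ;;
    esac
    hostpart=${rest%%/*}      # "user:token@github.com" or "github.com"
    path=${rest#*/}           # "orgname/reponame.git"
    host=${hostpart##*@}      # drop embedded credentials, if any
    [ "$host" = "github.com" ] || return 2
    path=${path%/}
    path=${path%.git}
    case $path in
        */*/*|*/|/*) return 2 ;;  # must be exactly orgname/reponame
        */*) ;;
        *) return 2 ;;
    esac
    printf 'git@github.com:%s.git\n' "$path"
}

# Rewrite every HTTPS GitHub remote of the repository in the current directory.
# The old URL is never printed, since it may contain a token.
convert_remotes() {
    for name in $(git remote); do
        old=$(git remote get-url "$name")
        if new=$(github_ssh_url "$old"); then
            git remote set-url "$name" "$new"
            printf '%s: now %s\n' "$name" "$new"
        fi
    done
}
```

Source the file and run convert_remotes inside a repository, then confirm the result with git remote -v. Remotes that are already SSH or that do not point at github.com are left untouched.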

Resources