feat: Detect SSH signed objects
Support for signing Git objects with SSH keys was added in Git v2.34.0.
This change allows Gitaly to detect when an object was signed with an
SSH key and indicates the signature type of that object as SSH.
This will allow GitLab to verify SSH signatures with the user's SSH public key and show the Verified badge for those commits. (gitlab#343879 (closed))
To set up git to perform SSH signing:
- git --version must be git version 2.34.0 or newer
- ssh -V should be* OpenSSH_8.0p1 or newer
- Configure git to use SSH for signing: git config gpg.format ssh
- Configure your SSH key as the signing key: git config user.signingkey ~/.ssh/id_ed25519
- Sign a commit by passing the -S flag to git commit: git commit -S -m 'message'
* Git release notes claim that 8.7 is broken, but I've verified it as working with all versions of OpenSSH_8.Xp1. (It also works with versions that are even older than this, but these are out-of-support.)
Example of an SSH signed commit:
$ git cat-file -p e82f510688571ec32aeb71f77817d6cd56566440
tree 464266731de68c694223ab5f73e9e70203f92a8b
author Brian Williams <bwilliams@gitlab.com> 1642081925 -0600
committer Brian Williams <bwilliams@gitlab.com> 1642081925 -0600
gpgsig -----BEGIN SSH SIGNATURE-----
U1NIU0lHAAAAAQAAADMAAAALc3NoLWVkMjU1MTkAAAAgtc+Qk8jhMwVZk/jFEFCM16LNQb
30q5kK30bbetfjyTMAAAADZ2l0AAAAAAAAAAZzaGE1MTIAAABTAAAAC3NzaC1lZDI1NTE5
AAAAQLSyv010gOFwIs9QTtDvlfIEWiAw2iQL/T9usGcxHXn/W5l0cOFCd7O+WaMDg0t0nW
fF3T79iV8paT4/OfX8Ygg=
-----END SSH SIGNATURE-----
This commit was signed with SSH
Example of an SSH signed tag:
$ git cat-file -p v0.0.1 🐳 k3d-cluster-image-scanning
object e82f510688571ec32aeb71f77817d6cd56566440
type commit
tag v0.0.1
tagger Brian Williams <bwilliams@gitlab.com> 1642084455 -0600
This tag is signed with SSH
-----BEGIN SSH SIGNATURE-----
U1NIU0lHAAAAAQAAADMAAAALc3NoLWVkMjU1MTkAAAAgtc+Qk8jhMwVZk/jFEFCM16LNQb
30q5kK30bbetfjyTMAAAADZ2l0AAAAAAAAAAZzaGE1MTIAAABTAAAAC3NzaC1lZDI1NTE5
AAAAQLIc5320afhaueq3HaCOnX4QslRH+6O1W7f0PpkUW9TBJlB68RxtWqnq1QWklXjWap
k/xjHFIrjfKKsDkCrNnwA=
-----END SSH SIGNATURE-----
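
How detection of this kind can work, as an added example in Go (not Gitaly's own code; the function names and the sample object are constructed for illustration): a commit carries its signature in the gpgsig header, a tag appends it to the end of its message, and the first armor line gives the signature type.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample commit; the armor body is dummy data, not a real signature.
const sampleCommit = "tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904\n" +
	"author A U Thor <author@example.com> 1642081925 -0600\n" +
	"gpgsig -----BEGIN SSH SIGNATURE-----\n U1NIU0lHAAAAAQ==\n -----END SSH SIGNATURE-----\n\nmsg\n"

// classify maps the first armor line to a type, using the markers Git recognises.
func classify(sig string) string {
	for _, m := range [][2]string{{"SSH SIGNATURE", "SSH"}, {"PGP SIGNATURE", "PGP"},
		{"PGP MESSAGE", "PGP"}, {"SIGNED MESSAGE", "X509"}} {
		if strings.HasPrefix(sig, "-----BEGIN "+m[0]+"-----") {
			return m[1]
		}
	}
	return "NONE"
}

// SignatureType reports how a raw commit or tag object was signed.
// Commits: only the header section (before the first blank line) is read, so
// armor text pasted into a commit message is never mistaken for a signature.
// Tags: the signature is the last armor block starting at the beginning of a
// line in the message body.
func SignatureType(objType, raw string) string {
	parts := strings.SplitN(raw, "\n\n", 2)
	if objType == "tag" {
		if len(parts) == 2 {
			body := "\n" + parts[1]
			if i := strings.LastIndex(body, "\n-----BEGIN "); i >= 0 {
				return classify(body[i+1:])
			}
		}
		return "NONE"
	}
	for _, line := range strings.Split(parts[0], "\n") {
		if strings.HasPrefix(line, "gpgsig ") {
			return classify(line[len("gpgsig "):])
		}
	}
	return "NONE"
}

func main() {
	fmt.Println(SignatureType("commit", sampleCommit))
}
```

This only labels the signature type; verifying the signature against the user's SSH public key is a separate step.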