On Mon, Sep 16, 2024 at 1:37 PM Jonathan Wakely via Gcc <gcc@gcc.gnu.org> wrote:
>
> Git supports signing commits with a GPG key, and more recently (since
> Git 2.34) also started supporting signing with an SSH key. The latter
> is IMHO much easier to set up, because anybody who can push to the GCC
> repo already has an SSH key configured.
>
> To start signing your git commits, just enable commit.gpgsign (which
> also enables signing with SSH, despite the name) and tell Git where to
> find your public key. To use SSH keys instead of GPG, set
> gpg.format=ssh. I suggest the ssh key you sign with should be the same
> key that you use to push to gcc.gnu.org / sourceware.org
>
> i.e.
>
> git config --global gpg.format ssh
> git config user.signingKey ~/.ssh/id_your_gcc_key.pub
> git config commit.gpgsign true
>
> More info online e.g.
> https://docs.gitlab.com/ee/user/project/repository/signed_commits/ssh.html
What is the benefit of having an SSH signature in addition to sourceware verifying the SSH key upon commit?

Richard.

> You can see the signature on a signed commit using git log --show-signature
> e.g.
>
> $ git log --show-signature origin/master | head -6
> commit eb67e2396f3ee834bf3a8299f5b6d93ba82d3950
> Good "git" signature for jwak...@redhat.com with RSA key
> SHA256:8rFaYhDWn09c3vjsYIg2JE9aSpcxzTnCqajoKevrUUo
> Author: Jonathan Wakely <jwak...@redhat.com>
> Date: Mon Sep 16 10:04:40 2024
>
> If a signature is not recognised you'll see something like this:
>
> commit 323291c29c77e3214f4850129bb8a3d0d8da6a45
> gpg: Signature made Wed 11 Sep 2024 22:53:40 BST
> gpg: using RSA key E5E9554C5B7F774F55B28733BF63C1BC3FA43540
> gpg: Can't check signature: No public key
> Author: Martin Jambor <mjambor@...>
> Date: Wed Sep 11 22:53:21 2024
>
> This says it's signed, but by a key my machine doesn't know, maybe
> because it's a GPG key and I have no GPG keychain? But somebody who
> does know Martin's key would probably see this as a good signature.
>
> For SSH keys, you can configure git to use a file of known keys, e.g.
> git config --global gpg.ssh.allowedSignersFile ~/.ssh/allowed_signers
> I have my own SSH public key in that file (see 'man ssh-keygen' or the
> gitlab URL above for the format of that file) so git log shows my
> signed commits in happy colours without a warning.
>
> Because I've also uploaded my public key to github, when you view the
> commit there (in any fork of the GCC repo) it shows as "verified" e.g.
> in the unofficial mirror:
> https://github.com/gcc-mirror/gcc/commit/eb67e2396f3ee834bf3a8299f5b6d93ba82d3950
>