Add `ssh-add` requirement for ssh commit signing
Code of Conduct
- [X] I have read and agree to the GitHub Docs project's Code of Conduct
What article on docs.github.com is affected?
https://docs.github.com/en/authentication/managing-commit-signature-verification/telling-git-about-your-signing-key
What part(s) of the article would you like to see updated?
Add steps on adding the SSH key to the agent, e.g.
```
ssh-add -K ~/.ssh/id_ed25519
```
Additional information
Without this step I was getting:
```
❯ git commit -S -m "Updates"
error: Load key "/var/folders/lj/3mfl0jk16xzfh_f3nvw6skw00000gn/T//.git_signing_key_tmpN8TBYo": invalid format?
fatal: failed to write commit object
```
I found the solution on https://blog.dbrgn.ch/2021/11/16/git-ssh-signatures/
also see https://github.com/github/docs/pull/19157 for some information on `-K` vs `--apple-use-keychain`
Thanks for opening this issue. A GitHub docs team member should be by to give feedback soon. In the meantime, please check out the contributing guidelines.
@timja Thanks for opening an issue! ✨
I think this is covered in the PR you are referencing, but I'm going to triage this for review to make sure.
Thanks for your interest in improving our docs!
> I think this is covered in the PR you are referencing

It's not as far as I know, it's just handling macOS changing -K to a different arg. This is another step needed for this page specifically: https://docs.github.com/en/authentication/managing-commit-signature-verification/telling-git-about-your-signing-key
Gotcha. Thank you for clarifying!
I was just about to file a bug about this.
It is not remotely obvious that I had to run an ssh-agent.
https://docs.github.com/en/authentication/managing-commit-signature-verification/telling-git-about-your-signing-key#telling-git-about-your-ssh-key
Has a throwaway section:
> You can use an existing SSH key to sign commits and tags, or generate a new one specifically for signing. For more information, see "Generating a new SSH key and adding it to the ssh-agent."

It does not say:
> "In order for signing to work, your session must have access to an active `ssh-agent` and that `ssh-agent` must have access to the key with which you're configuring `git` to perform signing."
Note that the linked article is Generating a new SSH key and adding it to the ssh-agent. There is no reason to expect that a page which appears to be focused on Generating a new SSH key is actually responsible for a wholly unrelated task namely Enabling git to use your ssh key for signing. That should really be in a reusable fragment and included in both pages instead of only in this article.
The article really is mostly focussed on generating keys, or generating keys and storing them in hardware tokens. And appears to tangentially mention using an agent in cases where you've stashed them into a token or added a password to make them harder to use. -- It isn't obvious that you actually must use the agent to get signing to work.
Thanks for opening an issue! We've triaged this issue for technical review by a subject matter expert :eyes:
👋 hi from Git Systems product management. This would be a good step to add unless we decide to do my option 1 from https://github.com/github/docs/pull/20172#issuecomment-1277870414. I believe if you give Git the path to your private key, you don't need to have ssh-agent running.
(Edit: I said the wrong option before. Fixed inline.)
Okay mnandi I'm at the right place
On Thu, 13 Oct 2022, 21:24 Matt Cooper, @.***> wrote:
👋 hi from Git Systems product management. This would be a good step to add unless we decide to do my option 2 from #20172 (comment) https://github.com/github/docs/pull/20172#issuecomment-1277870414. I believe if you give Git the path to your private key, you don't need to have ssh-agent running.
I've verified on macOS Big Sur with:
```
❯ ssh -V
OpenSSH_9.0p1, OpenSSL 1.1.1q 5 Jul 2022
❯ git --version
git version 2.37.3
```
Using file path only means you don't need to pass the key inline or have an ssh agent running.
diff --git a/config/git/config b/config/git/config
index 7aedf53..0df39fb 100755
--- a/config/git/config
+++ b/config/git/config
@@ -3,7 +3,7 @@
# Please adapt and uncomment the following lines:
name = Tim Jacomb
useConfigOnly = true
- signingkey = ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDnTfTt8lqJdcucKu538C6EvPNruiO9r67Jvfrbokear (omitted)\n
+ signingkey = ~/.ssh/id_ed25519.pub
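Review bot: the added `signingkey = ~/.ssh/id_ed25519.pub` line is only read as an SSH key path when `gpg.format = ssh` is set, and that setting does not appear in this hunk's context; confirm it is present elsewhere in `config/git/config` or add it next to this line. The value also hardcodes one key filename in a file whose header comment asks users to adapt it, so a short comment stating that the path must match the local key would help. Separately, the index line shows mode 100755; a Git config file does not need the executable bit.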
Fwiw, I was able to make this work using:
```
git config --global user.signingkey '~/.ssh/id_rsa.pub'
```
Something like this should work well enough for most users.
There still should be information about ssh-agent for users whose private keys are encrypted (either on an external device or as password protected local files).
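The two `user.signingkey` styles discussed in this thread can be told apart mechanically. The following is an added example, not code from the thread or from GitHub Docs: it classifies a signing key value as a literal public key (which only works if `ssh-agent` holds the matching private key) or a file path, and reports what is missing. The key blob is a constructed placeholder and the result labels (`needs-ssh-add`, `path-mode`, and so on) are names chosen for this example.

```shell
#!/bin/sh
# Added example. Git treats a value starting with "key::" (or the legacy
# "ssh-" prefix) as a literal public key and writes it to a temp file, so
# only ssh-agent can provide the private half. Anything else is a file path.
signing_mode() {
  case "$1" in
    "")            echo unset ;;
    key::*|ssh-*)  echo literal ;;
    *)             echo path ;;
  esac
}

# True if the agent listing ($2, `ssh-add -L` output) contains the blob
# (second field) of the literal key in $1.
agent_has_key() {
  _blob=$(printf '%s\n' "${1#key::}" | awk '{print $2}')
  [ -n "$_blob" ] &&
    printf '%s\n' "$2" | awk -v b="$_blob" '$2 == b {found=1} END {exit !found}'
}

# diagnose SIGNINGKEY AGENT_LISTING -> one status word
diagnose() {
  case "$(signing_mode "$1")" in
    unset)   echo no-signingkey ;;
    literal) if agent_has_key "$1" "$2"; then echo ok-agent
             else echo needs-ssh-add; fi ;;
    path)    _p=$1
             case "$_p" in "~/"*) _p="$HOME/${_p#\~/}" ;; esac
             # An encrypted or token-backed key may still need the agent.
             if [ -f "$_p" ]; then echo path-mode; else echo missing-file; fi ;;
  esac
}

# Live check against the current Git configuration and running agent.
diagnose_current() {
  [ "$(git config --get gpg.format)" = ssh ] || { echo gpg.format-not-ssh; return; }
  diagnose "$(git config --get user.signingkey)" "$(ssh-add -L 2>/dev/null)"
}

# Constructed sample key (not a real key), with and without it in the agent.
SAMPLE='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEEXAMPLEEXAMPLE me@example'
echo "literal key, empty agent: $(diagnose "$SAMPLE" "")"
echo "literal key, key loaded:  $(diagnose "$SAMPLE" "$SAMPLE")"
```

Call `diagnose_current` in a shell where Git and the agent are available to check the real configuration.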
This is a gentle bump for the docs team that this issue is waiting for technical review.
I reviewed the deployed fix from https://github.com/github/docs/pull/20172
but the issue isn't fully fixed as the document no longer makes complete sense, see https://github.com/github/docs/pull/20172#issuecomment-1311934477
Appears fixed at some point