The case for SSH signing
GPG is powerful but operationally painful. Since Git 2.34, you can sign commits and tags with the SSH keys you already use to push. No keyring, no passphrase juggling, no separate web of trust. GitHub, GitLab, Gitea, and Forgejo all accept SSH-signed commits.
Setup
git config --global gpg.format ssh
git config --global user.signingkey ~/.ssh/id_ed25519.pub
git config --global commit.gpgsign true
git config --global tag.gpgsign true
Now git commit signs with your SSH private key. The "gpg" naming is historical — Git treats SSH as another signing format.
Allowed signers file
For git verify-commit to recognize signers, configure an allowed signers file mapping email addresses to their public keys. Each line is principal, key type, key, comment; the principal must match the commit's author email exactly:
cat > ~/.config/git/allowed_signers <<EOF
alice@example.com ssh-ed25519 AAAA... alice
bob@example.com ssh-ed25519 AAAA... bob
EOF
git config --global gpg.ssh.allowedSignersFile ~/.config/git/allowed_signers
Verifying
git log --show-signature
git verify-commit HEAD
git verify-tag v1.0.0
Without an allowed signers file, Git can still verify mathematically but cannot map signatures to identities, so it reports "no principal matched."
Hardware-backed keys
OpenSSH supports FIDO/U2F keys (ssh-keygen -t ed25519-sk). These work transparently for signing, requiring a touch per signature; the key handle file (id_ed25519_sk, or a resident key retrieved with ssh-keygen -K) must be present on the signing machine alongside the authenticator. Combined with Git 2.34+, this provides hardware-backed commit signing, with the private key never leaving the authenticator, and without GPG ceremony.
Revocation
Maintain a revocation file, either a plain list of public keys or a KRL generated with ssh-keygen -k:
git config --global gpg.ssh.revocationFile ~/.config/git/revoked_keys
Add compromised keys here; verification will reject signatures from them. The file only affects machines that carry it, so also remove the key from the hosting platform and from allowed signers files you distribute.
Common mistakes
Mismatched email between the commit author and the allowed signers entry: use git log --pretty=fuller to inspect the author and committer fields.
Pointing user.signingkey at the private key path when the key lives in ssh-agent: you want the .pub.
Forgetting to upload the public key to the host platform: without that, the platform shows "Unverified" even though the math is correct.
Mixed environments
SSH-signed and GPG-signed commits can coexist in one repo. Verifiers need both gpg.ssh.allowedSignersFile and a working GPG keyring. Choose one for new commits and document the policy.
Related
See "GPG signing commits and tags" for the older path, and "Advanced gitconfig techniques" for managing signing config across machines.