I recently decided to stop being lazy and digitally sign my git commits, at least for the ones I do on projects for work with my work laptop. This was something that had actually been in the back of my mind for a while, but I kept forgetting about it almost as soon as I would think of it. However, I was reading the release notes for the lastest version of 1Password, and they mentioned git commit signing. The short of it is that 1Password can hook into git so that it will know when a commit is being made and will automatically sign that commit with the appropriate key. That key will be secured in 1Password so that if, for example, 1Password was locked, it would need to be unlocked before the commit could be signed successfully. It seemed like a handy feature, so I decided to dig in.
The high level of how to get the 1Password pieces is documented on the official site. The first step is to have an SSH key pair on the machine where this is being set up. By default that should exist in ~/.ssh on any real operating system (which is my way of saying I have no idea where it would exist on Windows.) If a key pair is needed, the instructions from GitHub are nice an succinct.
Once a key pair exists, go to 1Password and create a new item to save, being sure to specify that it’s an SSH Key rather than a Login or anything like that.
Give the key whatever friendly name you want so that you know what the heck it’s for, and then add the private key to 1Password.
Once that’s been saved, go to Settings > Developer. Enable the SSH Agent in 1Password, which will walk through a few simple steps to update the SSH config on the local machine, most of which it can do automatically. Once that’s done, go back to the SSH key that was saved in 1Password. Click the 3 dots and select Configure SSH Signing…
This will walk through a few more settings that will update the user-level git config, stored in ~/.gitconfig. Again, it can do this automatically.
This is all that’s needed locally, though if you were to push a new commit right now, GitHub would flag it as unverified because GitHub still needs to know the public key associated with the private key being used by 1Password. To do this, simply go to GitHub and navigate to Settings > SSH and GPG Keys. Click the New SSH key button. On the next screen, name the key whatever you like (I like to name it after the machine that’s using it if I’m not copying keys between devices), and be sure to flip the Key Type to Signing Key rather than Authentication Key. Copy the public key here, which should be in the same ~/.ssh directory as the private key but with a .pub suffix.
Click Add SSH key, and then everything should be good to go! On the next git commit, the commit will be signed with the appropriate key if the 1Password application is unlocked, or you’ll be prompted to first unlock 1Password. On git push, the commit will appear as verified in the GitHub UI.
