Sign Git commits using an SSH key stored in Keeper.
Signing Git commits is an important security measure that verifies authorship, and ensures the integrity of the changes. Just as importantly, signing commits shows a commitment to authenticity and security, helping to build trust in the community.
Development requires:
- Git > 2.34.0
- Go > 1.20
Usage requires:
- Keeper Secrets Manager (KSM) enabled
- A Secrets Manager Application with read-only access to an SSH key
The integration expects a KSM Application Configuration file at either
.config/keeper/ssh-sign.json
or
ssh-sign.json
relative to the user's home directory.
It must have access to a Shared Folder that contains the SSH key.
The configure-git.sh
script will build the integration and configure Git (globally) to use it.
The Update-GitConfig.ps1
will do the same using PowerShell.
Run one or the other then skip ahead to Repositories
Alternatively, build the binary:
go build -o ssh-sign ./cmd/ssh-sign
Then set the TOKEN
variable and run the Bash or PowerShell below to create the configuration:
TOKEN="One-time Access Token from Keeper"
CONFDIR="${HOME}/.config/keeper"
test -d $CONFDIR || mkdir -m 0700 -p "${CONFDIR}"
ksm init default --plain $TOKEN >| "${CONFDIR}/ssh-sign.json.new"
test $? -eq 0 && mv -f $CONFDIR/ssh-sign.json{.new,}
$TOKEN = "One-time Access Token from Keeper"
if (!(Test-Path "${env:USERPROFILE}\.config\keeper")) {
New-Item -Type Directory "${env:USERPROFILE}\.config\keeper"
}
$Config = if (ksm init default --plain $TOKEN) {
Set-Content -Path "${env:USERPROFILE}\.config\keeper\ssh-sign.json" -Value $Config
}
-
The executable is standalone and can exist anywhere that Git can access.
-
The KSM documentation details the process of getting a One-time Access Token.
The Secrets Manager Configuration page walks through creating a KSM Application Configuration via the UI.
First, globally configure Git to use the binary to sign SSH format commits:
git config --global gpg.ssh.program path/to/ssh-sign
Afterward, ~/.gitconfig
should contain:
[gpg "ssh"]
program = path/to/ssh-sign
Next, configure a Git repository to sign your commits using the SSH key from the Keeper Vault.
git config gpg.format ssh
git config user.signingkey SSH-Key-UID
Note that the executable expects the Git signing key to be the UID of the SSH key in the Keeper Vault.
The resulting Git configuration should look something like this:
[gpg]
format = ssh
[user]
signingKey = SSH-Key-UID
[gpg "ssh"]
program = path/to/ssh-sign
Simply run git commit
with the -S
switch to sign a commit!
You can confirm your commit has been signed with git show --pretty=raw
.
To sign commits automatically, i.e., without the -S
run:
git config commit.gpgsign true
Git will execute path/to/ssh-sign -Y sign -Y sign -n git -f SSH-Key-UID some-input.txt
.
It expects to write an output file with the same path as the input file with the extension .sig
.
So to test whether the signing operation will work after creating the configuration,
run the aforementioned command on a file in a folder you can write to.
As an example, assuming some-input.txt
exists in the current directory
then running the above command exactly will create a file named some-input.txt.sig
that will contain a signature, e.g.:
-----BEGIN SSH SIGNATURE-----
U1NIU0lHAAAAAQAAAZcAAAAHc3NoLXJzYQAAAAMBAAEAAAGBAL9iBpy9EFG4T9c3
...
...
...
rIalDYl8KKK+DPrwiF4KCKoovNN2xXu04ljxLH9O3byUcA==
-----END SSH SIGNATURE-----
This module uses the built-in Golang tooling for building and testing:
# Run unit tests
go test ./...
# Build a local binary
go build -o ssh-sign ./cmd/ssh-sign/main.go
For bugs, changes, etc., please submit an issue!