From cb7e44e3132287f1a93031c913a50ab026d38101 Mon Sep 17 00:00:00 2001
From: Chris Coley <chris@codingallnight.com>
Date: Fri, 27 Jan 2023 19:56:28 -0800
Subject: [PATCH] Add example configuration and docs for signing commits with
 SSH keys

---
 README.md               | 26 ++++++++++++++++++++++++++
 gitconfig.local.example | 10 ++++++++++
 2 files changed, 36 insertions(+)

diff --git a/README.md b/README.md
index 2090a9a..42d6be4 100644
--- a/README.md
+++ b/README.md
@@ -4,6 +4,7 @@
 - [Updating](#updating)
 - [Customizing Your Bash Shell](#customizing-your-bash-shell)
 - [Git Configuration Overrides](#git-configuration-overrides)
+- [Git Commit Signing](#git-commit-signing)
 - [Miscellaneous Stuff](#miscellaneous-stuff)
 
 ## Installation
@@ -34,6 +35,31 @@ If you want to customize the **.bashrc** file, you can add a file to your home d
 
 You can customize the **.gitconfig** by creating a **.gitconfig.local** file in your home directory. It will be automatically included at the end of the **.gitconfig** file and will override any settings in that file. You can even include more configuration files from your **.gitconfig.local** file to support more advanced configurations or conditional includes. See the example in the [**gitconfig.local.example**](gitconfig.local.example) file in this repo.
 
+## Git Commit Signing
+
+> This requires Git v2.34.0 or newer and OpenSSH v8.0 or newer, excluding OpenSSH v8.7 which is broken.
+
+This repo contains default git configuration for signing commits with the default ED25519 SSH key. This configuration is not in the main **.gitconfig** file though, because it would break Git on unsupported versions or if referenced files did not exist. Instead, it exists in the [**gitconfig.local.example**](gitconfig.local.example).
+
+To use it, copy the example config file to your home directory and modify it as needed:
+
+```bash
+cp dotfiles/gitconfig.local.example ~/.gitconfig.local
+```
+
+The SSH key used for signing is defined by `user.signingKey`. This must point to an ED25519 or RSA private key.
+
+The SSH allowed signers file is defined by `gpg.ssh.allowedSignersFile`. This is highly recommended so that you can verify signed commits.
+
+You can create an allowed signers file with the correct email address and key using this command:
+
+```bash
+# Replace <signing-key>.pub with the public key matching your private key in user.signingKey
+echo "$(git config --get user.email) namespaces=\"git\" $(cat ~/.ssh/<signing-key>.pub)" >> ~/.ssh/allowed_signers
+```
+
+You can now use the `--show-signature` flag to view the signature status of commits in several commands, like `git log --show-signature` or `git show --show-signature`.
+
 ## Miscellaneous Stuff
 
 This repository also include several files/directories that are not installed and exist only for my convenience.
diff --git a/gitconfig.local.example b/gitconfig.local.example
index 2741a27..1e8aa64 100644
--- a/gitconfig.local.example
+++ b/gitconfig.local.example
@@ -1,3 +1,13 @@
+; Commit Signing
+[commit]
+    gpgSign = true
+[gpg]
+    format = ssh
+[gpg "ssh"]
+    allowedSignersFile = ~/.ssh/allowed_signers
+[user]
+    signingKey = ~/.ssh/id_ed25519
+
 ; Include work config first
 [includeIf "gitdir:~/projects/"]
     path = ~/.gitconfig.local.work
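Review bot: `signingKey = ~/.ssh/id_ed25519` hands the private key file itself to ssh-keygen on every commit, which only works for an unencrypted key or one that can be unlocked interactively, and does not cover keys that live only in an agent (hardware/FIDO `sk-` keys, forwarded or third-party agents). Git's `user.signingKey` documentation accepts the public key path when the key is loaded in ssh-agent, so `signingKey = ~/.ssh/id_ed25519.pub` is the more portable default and keeps the private key path out of the config; the README sentence saying the value "must point to an ED25519 or RSA private key" would then need the same correction. A comment above the line such as `; Use the .pub path to sign via ssh-agent (works for hardware-backed keys); the private key path only works when ssh-keygen can read or unlock it` would make the trade-off explicit to whoever copies the example. Since `commit.gpgSign` covers commits only, consider adding `[tag]` / `gpgSign = true` alongside it so annotated tags are signed with the same key.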
-- 
GitLab