This is a small script that uses GitHub's API to download the public SSH keys of a repository's collaborators and save them to a file in the format Git's SSH signature verification expects (an "allowed signers" file).
You can download the binary from the Releases page or run it directly from source with Go, as described below:
```shell
go run *.go --owner frankywahl --repository allowedSignersFile > .git/allowedSignersFile
git config gpg.ssh.allowedSignersFile .git/allowedSignersFile
```
Note: the `--use-contributors` flag collects the keys of every contributor to the repository instead of only its collaborators. This costs considerably more GitHub API requests.
Requirements:
- `GITHUB_API_TOKEN`, to use the GitHub API
- `go` (if you want to run it from source)
The script assumes that no user has more than 100 SSH keys attached to their profile (100 is the GitHub API's maximum page size).
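To make the two steps of the script concrete, the following Go program (an added example, not the project's own code) parses the JSON body of a GitHub `GET /users/{username}/keys` response and renders the entries as allowed-signers lines. It assumes only the `id` and `key` fields of that response and a constructed sample body; the login `frankywahl` is used as the principal. The one point worth copying from it is the validation step: a key value is written to the file only if it matches `<keytype> <base64> [comment]` on a single line, so a malformed or unexpected API value cannot add a principal line the operator never intended. With the real API, the request would carry `?per_page=100`, which is where the 100-key assumption above comes from.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// apiKey mirrors the two fields this example reads from each entry of a
// GitHub "GET /users/{username}/keys" response (assumption: other fields are ignored).
type apiKey struct {
	ID  int    `json:"id"`
	Key string `json:"key"`
}

// keyRE accepts "<keytype> <base64>" followed by an optional comment on the
// same line. Rejecting anything else (embedded newlines in particular) means a
// malformed API value cannot smuggle an extra principal line into the file.
var keyRE = regexp.MustCompile(
	`^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)|` +
		`sk-ssh-ed25519@openssh\.com|sk-ecdsa-sha2-nistp256@openssh\.com)` +
		` [A-Za-z0-9+/]+=*( [^\r\n]+)?$`)

// ParseKeys decodes one keys response body and returns the well-formed public
// keys it contains, dropping malformed entries instead of writing them out.
func ParseKeys(body []byte) ([]string, error) {
	var entries []apiKey
	if err := json.Unmarshal(body, &entries); err != nil {
		return nil, fmt.Errorf("decoding keys response: %w", err)
	}
	var keys []string
	for _, e := range entries {
		k := strings.TrimSpace(e.Key)
		if keyRE.MatchString(k) {
			keys = append(keys, k)
		}
	}
	return keys, nil
}

// AllowedSignersLines renders one line per key in the allowed_signers format
// read by ssh-keygen -Y (and therefore by git): "principal options keytype base64".
// The GitHub login is the principal; namespaces="git" limits the key to git
// signatures, so the same entry cannot validate signatures in other namespaces.
func AllowedSignersLines(keysByLogin map[string][]string) []string {
	logins := make([]string, 0, len(keysByLogin))
	for login := range keysByLogin {
		logins = append(logins, login)
	}
	sort.Strings(logins) // deterministic order so the generated file diffs cleanly
	var lines []string
	for _, login := range logins {
		for _, k := range keysByLogin[login] {
			lines = append(lines, fmt.Sprintf("%s namespaces=\"git\" %s", login, k))
		}
	}
	return lines
}

// sampleBody is a constructed response, not real GitHub data: one bare key, one
// key with a comment, and one malformed value carrying an embedded newline.
const sampleBody = `[
  {"id": 1, "key": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterialOnly0000000000000000"},
  {"id": 2, "key": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABExampleRsaMaterial example@host"},
  {"id": 3, "key": "ssh-ed25519 AAAA\nevil namespaces=\"git\" ssh-ed25519 AAAA"}
]`

func main() {
	keys, err := ParseKeys([]byte(sampleBody))
	if err != nil {
		panic(err)
	}
	// In the real tool each login's keys come from the API; here the login is fixed.
	for _, line := range AllowedSignersLines(map[string][]string{"frankywahl": keys}) {
		fmt.Println(line)
	}
}
```

Running it prints two lines for `frankywahl` and silently drops the third entry, which is the behaviour you want when the file's contents decide which signatures Git reports as good.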
```ini
# .git/config - can also be global configuration
[user]
	# Path to the public key to sign with; git config does not expand $(...),
	# so give the path (or the literal "key::<keytype> <base64>" form) here.
	signingKey = ~/.ssh/id_ed25519.pub
[gpg]
	format = ssh
[gpg "ssh"]
	# Must point at the file generated above.
	allowedSignersFile = .git/allowedSignersFile
[commit]
	gpgsign = true
[tag]
	gpgsign = true
```
Further reading: https://calebhearth.com/sign-git-with-ssh
GitHub has supported SSH signing since August 2022. That said, SSH commit signing was part of Git before then.
Commits signed before GitHub's release will still appear as verified, provided the SSH public key is uploaded to GitHub as a signing key.