Guía de Firma de Commits con SSH
Los commits sin firmar pueden ser creados por cualquiera. La firma demuestra:
¿Por qué firmar commits?
- Identidad — el commit fue realizado por el titular de la clave.
- Integridad — el commit no ha sido alterado.
- Confianza — las plataformas muestran una insignia "Verificado".
Requisitos previos
- Git 2.34+ (
git --version) - SSH (Ed25519)
- GitHub / GitLab
Paso 1: Generar una clave de firma
bash
# Generate an Ed25519 key for signing
ssh-keygen -t ed25519 -C "your@email.com" -f ~/.ssh/id_signing
# Verify the key was created
ls -la ~/.ssh/id_signing*Paso 2: Configurar Git
bash
# Set the signing format to SSH
git config --global gpg.format ssh
# Point to your signing key
git config --global user.signingkey ~/.ssh/id_signing.pub
# Enable automatic commit signing
git config --global commit.gpgsign true
# Enable automatic tag signing
git config --global tag.gpgsign trueini
[gpg]
format = ssh
[user]
signingkey = ~/.ssh/id_signing.pub
[commit]
gpgsign = true
[tag]
gpgsign = truePaso 3: Configurar firmantes autorizados
bash
# Create the allowed signers file
mkdir -p ~/.config/git
echo "your@email.com $(cat ~/.ssh/id_signing.pub)" > ~/.config/git/allowed_signers
# Tell Git where to find it
git config --global gpg.ssh.allowedSignersFile ~/.config/git/allowed_signersPaso 4: Firmar y verificar
bash
# Commits are now signed automatically
git commit -m "feat: add new feature"
# Or sign a single commit explicitly
git commit -S -m "feat: signed commit"
# Sign a tag
git tag -s v1.0.0 -m "Release v1.0.0"
# Verify the last commit
git log --show-signature -1
# Verify a tag
git tag -v v1.0.0Paso 5: Registrar en GitHub / GitLab
GitHub
- Settings → SSH and GPG keys → New SSH key
- Key type: Signing Key
~/.ssh/id_signing.pub
GitLab
- Preferences → SSH Keys
- Usage type: Signing
~/.ssh/id_signing.pub
Integración con Chezmoi
bash
# Add your Git config
chezmoi add ~/.gitconfig
# Add your allowed signers file
chezmoi add ~/.config/git/allowed_signers
# Add your signing key (encrypt it!)
chezmoi add --encrypt ~/.ssh/id_signingini
[gpg]
format = ssh
[user]
signingkey = {{ .chezmoi.homeDir }}/.ssh/id_signing.pub
[gpg "ssh"]
allowedSignersFile = {{ .chezmoi.homeDir }}/.config/git/allowed_signers
[commit]
gpgsign = true
[tag]
gpgsign = trueSolución de problemas
| Problem | Solution |
|---|---|
error: unsupported value: ssh | Git 2.34+ |
error: Load key: No such file | user.signingkey |
No principal matched | allowed_signers |
| SSH agent prompt | ssh-add ~/.ssh/id_signing |
Notas de plataforma
| Feature | macOS | Linux | WSL |
|---|---|---|---|
| Git 2.34+ | ✅ | ✅ | ✅ |
| ssh-agent | ✅ Keychain | ✅ systemd | ✅ |
| 1Password SSH agent | ✅ | ✅ | ⚠️ |
| Chezmoi | ✅ | ✅ | ✅ |