Guia de Assinatura de Commits com SSH
Commits não assinados podem ser criados por qualquer pessoa. A assinatura comprova:
Por que assinar commits?
- Identidade — o commit foi feito pelo detentor da chave.
- Integridade — o commit não foi alterado desde a assinatura.
- Confiança — plataformas exibem um selo "Verificado".
Pré-requisitos
- Git 2.34+ (
git --version) - SSH (Ed25519)
- GitHub / GitLab
Passo 1: Gerar uma chave de assinatura
bash
# Generate an Ed25519 key for signing
ssh-keygen -t ed25519 -C "your@email.com" -f ~/.ssh/id_signing
# Verify the key was created
ls -la ~/.ssh/id_signing*Passo 2: Configurar o Git
bash
# Set the signing format to SSH
git config --global gpg.format ssh
# Point to your signing key
git config --global user.signingkey ~/.ssh/id_signing.pub
# Enable automatic commit signing
git config --global commit.gpgsign true
# Enable automatic tag signing
git config --global tag.gpgsign trueini
[gpg]
format = ssh
[user]
signingkey = ~/.ssh/id_signing.pub
[commit]
gpgsign = true
[tag]
gpgsign = truePasso 3: Configurar signatários autorizados
bash
# Create the allowed signers file
mkdir -p ~/.config/git
echo "your@email.com $(cat ~/.ssh/id_signing.pub)" > ~/.config/git/allowed_signers
# Tell Git where to find it
git config --global gpg.ssh.allowedSignersFile ~/.config/git/allowed_signersPasso 4: Assinar e verificar
bash
# Commits are now signed automatically
git commit -m "feat: add new feature"
# Or sign a single commit explicitly
git commit -S -m "feat: signed commit"
# Sign a tag
git tag -s v1.0.0 -m "Release v1.0.0"
# Verify the last commit
git log --show-signature -1
# Verify a tag
git tag -v v1.0.0Passo 5: Registrar no GitHub / GitLab
GitHub
- Settings → SSH and GPG keys → New SSH key
- Key type: Signing Key
~/.ssh/id_signing.pub
GitLab
- Preferences → SSH Keys
- Usage type: Signing
~/.ssh/id_signing.pub
Integração com Chezmoi
bash
# Add your Git config
chezmoi add ~/.gitconfig
# Add your allowed signers file
chezmoi add ~/.config/git/allowed_signers
# Add your signing key (encrypt it!)
chezmoi add --encrypt ~/.ssh/id_signingini
[gpg]
format = ssh
[user]
signingkey = {{ .chezmoi.homeDir }}/.ssh/id_signing.pub
[gpg "ssh"]
allowedSignersFile = {{ .chezmoi.homeDir }}/.config/git/allowed_signers
[commit]
gpgsign = true
[tag]
gpgsign = trueSolução de problemas
| Problem | Solution |
|---|---|
error: unsupported value: ssh | Git 2.34+ |
error: Load key: No such file | user.signingkey |
No principal matched | allowed_signers |
| SSH agent prompt | ssh-add ~/.ssh/id_signing |
Notas de plataforma
| Feature | macOS | Linux | WSL |
|---|---|---|---|
| Git 2.34+ | ✅ | ✅ | ✅ |
| ssh-agent | ✅ Keychain | ✅ systemd | ✅ |
| 1Password SSH agent | ✅ | ✅ | ⚠️ |
| Chezmoi | ✅ | ✅ | ✅ |