| author | Fabian Stelzer <fs@gigacodes.de> | 2021-09-10 20:07:36 +0000 |
|---|---|---|
| committer | Junio C Hamano <gitster@pobox.com> | 2021-09-10 14:15:51 -0700 |
| commit | 29b315778e958417a411f02b6d4b5a0fc9d731e2 | |
| tree | 647bc9f83957790eed589a177511ebc6bafdb0c5 /Documentation/config | |
| parent | ssh signing: add test prereqs | |
| download | tgif-29b315778e958417a411f02b6d4b5a0fc9d731e2.tar.xz | |
ssh signing: add ssh key format and signing code

Implements the actual sign_buffer_ssh operation and moves some shared
cleanup code into a strbuf function.

Set gpg.format = ssh and user.signingkey to either a ssh public key
string (like from an authorized_keys file), or a ssh key file.
If the key file or the config value itself contains only a public key
then the private key needs to be available via ssh-agent.

gpg.ssh.program can be set to an alternative location of ssh-keygen.

A somewhat recent openssh version (8.2p1+) of ssh-keygen is needed for
this feature. Since only ssh-keygen is needed it can this way be
installed separately without upgrading your system openssh packages.

Signed-off-by: Fabian Stelzer <fs@gigacodes.de>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
Diffstat (limited to 'Documentation/config')

| mode | file | lines |
|---|---|---|
| -rw-r--r-- | Documentation/config/gpg.txt | 4 |
| -rw-r--r-- | Documentation/config/user.txt | 5 |

2 files changed, 7 insertions, 2 deletions
diff --git a/Documentation/config/gpg.txt b/Documentation/config/gpg.txt index d94025cb36..88531b15f0 100644 --- a/Documentation/config/gpg.txt +++ b/Documentation/config/gpg.txt @@ -11,13 +11,13 @@ gpg.program:: gpg.format:: Specifies which key format to use when signing with `--gpg-sign`. - Default is "openpgp" and another possible value is "x509". + Default is "openpgp". Other possible values are "x509", "ssh". gpg.<format>.program:: Use this to customize the program used for the signing format you chose. (see `gpg.program` and `gpg.format`) `gpg.program` can still be used as a legacy synonym for `gpg.openpgp.program`. The default - value for `gpg.x509.program` is "gpgsm". + value for `gpg.x509.program` is "gpgsm" and `gpg.ssh.program` is "ssh-keygen". gpg.minTrustLevel:: Specifies a minimum trust level for signature verification. If diff --git a/Documentation/config/user.txt b/Documentation/config/user.txt index 59aec7c3ae..2155128957 100644 --- a/Documentation/config/user.txt +++ b/Documentation/config/user.txt @@ -36,3 +36,8 @@ user.signingKey:: commit, you can override the default selection with this variable. This option is passed unchanged to gpg's --local-user parameter, so you may specify a key using any method that gpg supports. + If gpg.format is set to "ssh" this can contain the literal ssh public + key (e.g.: "ssh-rsa XXXXXX identifier") or a file which contains it and + corresponds to the private key used for signing. The private key + needs to be available via ssh-agent. Alternatively it can be set to + a file containing a private key directly. |
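Review bot: in the gpg.txt hunk, the new sentence `value for `gpg.x509.program` is "gpgsm" and `gpg.ssh.program` is "ssh-keygen".` documents the default program but not the version floor the commit message states (OpenSSH 8.2p1 or newer), so a reader of gpg.txt has no way to learn that an older system ssh-keygen will not work; suggest adding a sentence right after it along the lines of `A reasonably recent ssh-keygen (OpenSSH 8.2p1 or later) is required for the "ssh" format; it can be installed separately from the rest of openssh.` As a style point, the value list `Other possible values are "x509", "ssh".` reads better as `Other possible values are "x509" and "ssh".`, matching the prose in the rest of the file.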
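Review bot: in the user.txt hunk, the paragraph appended to user.signingKey leaves the sentence just above it (`This option is passed unchanged to gpg's --local-user parameter, so you may specify a key using any method that gpg supports.`) standing unqualified, although it no longer holds once gpg.format is "ssh"; suggest scoping that sentence to the openpgp and x509 formats, e.g. `When gpg.format is "openpgp" or "x509" this option is passed unchanged to gpg's --local-user parameter ...`, and then introducing the ssh case. The new text also lists three accepted forms (a literal public key, a file containing the public key, a file containing the private key) but states the ssh-agent requirement only for the first two; since the third form points git at a private key on disk, it is worth saying explicitly that the agent-backed forms are the recommended default and that the private-key-file form should be used only where an agent is unavailable, so readers understand the difference before committing a key path to their config. Minor: `gpg.format` should be backticked here as it is in gpg.txt, and `e.g.:` should be `e.g.`.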