Skip to content

Download a list of SSH keys for validation with SSH Signing

License

Notifications You must be signed in to change notification settings

frankywahl/allowedSignersFile

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

64 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

AllowedSignatures

This is a little script that allows you to use GitHub's API to download the public keys of GitHub collaborators and save them to a file for use with Git's SSH signing features.

Installation

You can download the binary from the Releases or use it directly with go, as described below

Example Usage

go run *.go --owner frankywahl --repository allowedSignersFile > .git/allowedSignersFile
git config gpg.ssh.allowedSignersFile .git/allowedSignersFile

Note: we can use the --use-contributors as a means to get all the contributors to a repo. However, this is much more expensive on GitHub requests.

Requirements

Limitations

There is an assumption that users do not have more that 100 SSH keys attached to their profile.

SSH Signing

# .git/config - can also be global configuration
[user]
        signingKey = $(cat ~/.ssh/id_ed25519.pub) # the output of the public key
[gpg]
        format = ssh
[gpg "ssh"]
        allowedSignersFile = .git/allowedSignatures
[commit]
        gpgsign = true
[tag]
        gpgsign = true

https://calebhearth.com/sign-git-with-ssh

SSH Signing Github Support

Github has supported SSH Signing since August 2022 That being said SSH Commit signing was part of Git beforehand

If commits were signed before the release on Github, they will still appear as verified provided the SSH public key was still uploaded as a Signing Key

community/community#7744 (comment)

About

Download a list of SSH keys for validation with SSH Signing

Resources

License

Stars

Watchers

Forks

Packages

No packages published