DEV Community

Md. Shamim Rahman
Md. Shamim Rahman

Posted on

Sign Git Commits and Authenticate to GitHub with SSH Keys

This image represents the logo of Git and SSH

In software development we have to use git in daily basis. We also have to use a remote repository location to work collaboratively with our team. And while we are working collaboratively with our team or in a public repository, we need to make sure that commits are coming from a verified user. Just like we would authenticate our bank accounts or social accounts with credentials, git commits has to be verified in that case. And there SSH technology comes in handy.

Another use case of SSH is that, if we are using GitHub for our remote repository then we may have to push changes frequently from our local repository to GitHub and that will require to authenticate with credentials of GitHub account. Every time the session time expires we have to authenticate again with the credentials while with SSH we just have configure once, which saves a lot of time in the development process.

For signing commits, GPG keys are more reliable but for simplicity and doing two operations using one technology I'll just go with the SSH.

To generate SSH keys and make it working follow the code below in your Linux terminal window. Mac has almost similar process as Linux, since it is a UNIX system. In windows WSL is fine.

ssh-keygen -t ed25519 -C ""
eval "$(ssh-agent -s)"
ssh-add ~/.ssh/id_ed25519
cat ~/.ssh/
Enter fullscreen mode Exit fullscreen mode
  1. First line of code will generate SSH key pairs in your system. Use your email at quote.

  2. Start's the ssh-agent in the background.

  3. Adds newly generated SSH keys to the agent to perform operations.

  4. Display's the public key code in the terminal.

Now copy the public key code from the terminal window and open your GitHub account's Settings > SSH and GPG Keys > New SSH key. Add the copied public key for both authentication and signing key.

To attempt SSH into GitHub account:

ssh -T
Enter fullscreen mode Exit fullscreen mode

This may say warning message like this:

> The authenticity of host ' (IP ADDRESS)' can't be established.
> ED25519 key fingerprint is SHA256:+DiY3wvvV6TuJJhbpZisF/zLDA0zPMSvHdkr4UvCOqU.
> Are you sure you want to continue connecting (yes/no)?
Enter fullscreen mode Exit fullscreen mode

Type: yes to continue and save the key for the future authentication.

> Hi USERNAME! You've successfully authenticated, but GitHub does not
> provide shell access.
Enter fullscreen mode Exit fullscreen mode

Now you have authenticated to your GitHub account with SSH and you can pull/push to your remote GitHub repository without further authentication.

So we have another work to do with SSH key and that is signing our local git commits, and that indicates commits are authorized by the original user. We already have saved our SSH public key into GitHub account for both authentication and signing. For that, now we just have to configure the git in our local machine. Just as we configure our git user name, email, and branch name.

Execute the following commands in your terminal:

git config --global gpg.format ssh
git config --global user.signingkey ~/.ssh/
git config --global commit.gpgsign true
Enter fullscreen mode Exit fullscreen mode

And that, finally our work has done. Now your future git commits are signed with your SSH key as well you are authenticated to your GitHub repository without further need of authentication.

Top comments (2)

ccoveille profile image
Christophe Colombier

Good guide. I wrote mine a few weeks ago. Yours is good and concise.

One side note, I would recommend anyone to read this

msrhmn profile image
Md. Shamim Rahman