diff --git a/assets/images/help/commits/ssh-signed-commit-verified-details.png b/assets/images/help/commits/ssh-signed-commit-verified-details.png new file mode 100644 index 0000000000..63b69cfa4f Binary files /dev/null and b/assets/images/help/commits/ssh-signed-commit-verified-details.png differ diff --git a/assets/images/help/settings/ssh-add-key.png b/assets/images/help/settings/ssh-add-key.png index 0a007fb5e7..76ddfce73e 100644 Binary files a/assets/images/help/settings/ssh-add-key.png and b/assets/images/help/settings/ssh-add-key.png differ diff --git a/assets/images/help/settings/ssh-add-ssh-key-with-auth.png b/assets/images/help/settings/ssh-add-ssh-key-with-auth.png new file mode 100644 index 0000000000..f3fa237335 Binary files /dev/null and b/assets/images/help/settings/ssh-add-ssh-key-with-auth.png differ diff --git a/assets/images/help/settings/ssh-key-paste-with-type.png b/assets/images/help/settings/ssh-key-paste-with-type.png new file mode 100644 index 0000000000..1790631343 Binary files /dev/null and b/assets/images/help/settings/ssh-key-paste-with-type.png differ diff --git a/content/authentication/connecting-to-github-with-ssh/about-ssh.md b/content/authentication/connecting-to-github-with-ssh/about-ssh.md index a411922d2f..53b7c7225e 100644 --- a/content/authentication/connecting-to-github-with-ssh/about-ssh.md +++ b/content/authentication/connecting-to-github-with-ssh/about-ssh.md 
@@ -1,6 +1,6 @@ --- title: About SSH -intro: 'Using the SSH protocol, you can connect and authenticate to remote servers and services. With SSH keys, you can connect to {% data variables.product.product_name %} without supplying your username and personal access token at each visit.' +intro: 'Using the SSH protocol, you can connect and authenticate to remote servers and services. With SSH keys, you can connect to {% data variables.product.product_name %} without supplying your username and personal access token at each visit.{% ifversion ssh-commit-verification %} You can also use an SSH key to sign commits.{% endif %}' redirect_from: - /articles/about-ssh - /github/authenticating-to-github/about-ssh 
@@ -16,7 +16,7 @@ topics: {% data reusables.ssh.about-ssh %} For more information about SSH, see [Secure Shell](https://en.wikipedia.org/wiki/Secure_Shell) on Wikipedia. -When you set up SSH, you will need to generate a new private SSH key and add it to the SSH agent. You must also add the public SSH key to your account on {% data variables.product.product_name %} before you use the key to authenticate. For more information, see "[Generating a new SSH key and adding it to the ssh-agent](/github/authenticating-to-github/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent)" and "[Adding a new SSH key to your {% data variables.product.prodname_dotcom %} account](/github/authenticating-to-github/adding-a-new-ssh-key-to-your-github-account)." +When you set up SSH, you will need to generate a new private SSH key and add it to the SSH agent. You must also add the public SSH key to your account on {% data variables.product.product_name %} before you use the key to authenticate{% ifversion ssh-commit-verification %} or sign commits{% endif %}. For more information, see "[Generating a new SSH key and adding it to the ssh-agent](/github/authenticating-to-github/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent)"{% ifversion ssh-commit-verification %}, {% else %} and{% endif %} "[Adding a new SSH key to your {% data variables.product.prodname_dotcom %} account](/github/authenticating-to-github/adding-a-new-ssh-key-to-your-github-account){% ifversion ssh-commit-verification %}" and "[About commit signature verification](/articles/about-commit-signature-verification){% endif %}." You can further secure your SSH key by using a hardware security key, which requires the physical hardware security key to be attached to your computer when the key pair is used to authenticate with SSH. You can also secure your SSH key by adding your key to the ssh-agent and using a passphrase. 
For more information, see "[Working with SSH key passphrases](/github/authenticating-to-github/working-with-ssh-key-passphrases)." @@ -33,7 +33,6 @@ Organizations that use {% data variables.product.prodname_ghe_cloud %} can provi {% else ghec or ghes or ghae %} If you're a member of an organization that provides SSH certificates, you can use your certificate to access that organization's repositories without adding the certificate to your account on {% data variables.product.product_name %}. You cannot use your certificate to access forks of the organization's repositories, if the forks is owned by your personal account. For more information, see "[About SSH certificate authorities](/organizations/managing-git-access-to-your-organizations-repositories/about-ssh-certificate-authorities)." {% endif %} - ## Further reading - "[Troubleshooting SSH](/articles/troubleshooting-ssh)" diff --git a/content/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account.md b/content/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account.md index 0d0d83bc2c..a4569d589d 100644 --- a/content/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account.md +++ b/content/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account.md 
@@ -19,6 +19,8 @@ shortTitle: Add a new SSH key {% data reusables.ssh.about-ssh %} For more information, see "[About SSH](/authentication/connecting-to-github-with-ssh/about-ssh)." +{% ifversion ssh-commit-verification %}You can also use SSH to sign commits and tags. For more information about commit signing, see "[About commit signature verification](/articles/about-commit-signature-verification)."{% endif %} + After you generate an SSH key pair, you must add the public key to {% ifversion fpt or ghec or ghes %}{% data variables.product.product_location %}{% elsif ghae %}{% data variables.product.product_name %}{% endif %} to enable SSH access for your account. ## Prerequisites 
@@ -30,120 +32,46 @@ Before adding a new SSH key to your account on {% ifversion ghae %}{% data varia ## Adding a new SSH key to your account -After adding a new SSH key to your account on {% ifversion ghae %}{% data variables.product.product_name %}{% else %}{% data variables.product.product_location %}{% endif %}, you can reconfigure any local repositories to use SSH. For more information, see "[Switching remote URLs from HTTPS to SSH](/github/getting-started-with-github/managing-remote-repositories/#switching-remote-urls-from-https-to-ssh)." +After adding a new SSH authentication key to your account on {% ifversion ghae %}{% data variables.product.product_name %}{% else %}{% data variables.product.product_location %}{% endif %}, you can reconfigure any local repositories to use SSH. For more information, see "[Switching remote URLs from HTTPS to SSH](/github/getting-started-with-github/managing-remote-repositories/#switching-remote-urls-from-https-to-ssh)." {% data reusables.ssh.key-type-support %} -{% mac %} - {% webui %} -1. Copy the SSH public key to your clipboard. - - If your SSH public key file has a different name than the example code, modify the filename to match your current setup. When copying your key, don't add any newlines or whitespace. - - ```shell - $ pbcopy < ~/.ssh/id_{% ifversion ghae %}rsa{% else %}ed25519{% endif %}.pub - # Copies the contents of the id_{% ifversion ghae %}rsa{% else %}ed25519{% endif %}.pub file to your clipboard - ``` - - {% tip %} - - **Tip:** If `pbcopy` isn't working, you can locate the hidden `.ssh` folder, open the file in your favorite text editor, and copy it to your clipboard. - - {% endtip %} - +{% data reusables.gpg.copy-ssh-public-key %} {% data reusables.user-settings.access_settings %} {% data reusables.user-settings.ssh %} 4. Click **New SSH key** or **Add SSH key**. 
+{% ifversion ssh-commit-verification %} + ![SSH Key button](/assets/images/help/settings/ssh-add-ssh-key-with-auth.png) +{% else %} ![SSH Key button](/assets/images/help/settings/ssh-add-ssh-key.png) -5. In the "Title" field, add a descriptive label for the new key. For example, if you're using a personal Mac, you might call this key "Personal MacBook Air". -6. Paste your key into the "Key" field. +{% endif %} +5. In the "Title" field, add a descriptive label for the new key. For example, if you're using a personal laptop, you might call this key "Personal laptop". +{% ifversion ssh-commit-verification %} +6. Select the type of key, either authentication or signing. For more information about commit signing, see "[About commit signature verification](/articles/about-commit-signature-verification)." +{% endif %} +7. Paste your key into the "Key" field. +{% ifversion ssh-commit-verification %} + ![The key field](/assets/images/help/settings/ssh-key-paste-with-type.png) +{% else %} ![The key field](/assets/images/help/settings/ssh-key-paste.png) -7. Click **Add SSH key**. +{% endif %} +8. Click **Add SSH key**. ![The Add key button](/assets/images/help/settings/ssh-add-key.png) {% data reusables.user-settings.sudo-mode-popup %} {% endwebui %} -{% endmac %} - -{% windows %} - -{% webui %} - -1. Copy the SSH public key to your clipboard. - - If your SSH public key file has a different name than the example code, modify the filename to match your current setup. When copying your key, don't add any newlines or whitespace. - - ```shell - $ clip < ~/.ssh/id_{% ifversion ghae %}rsa{% else %}ed25519{% endif %}.pub - # Copies the contents of the id_{% ifversion ghae %}rsa{% else %}ed25519{% endif %}.pub file to your clipboard - ``` - - {% tip %} - - **Tip:** If `clip` isn't working, you can locate the hidden `.ssh` folder, open the file in your favorite text editor, and copy it to your clipboard. 
- - {% endtip %} - -{% data reusables.user-settings.access_settings %} -{% data reusables.user-settings.ssh %} -4. Click **New SSH key** or **Add SSH key**. - ![SSH Key button](/assets/images/help/settings/ssh-add-ssh-key.png) -5. In the "Title" field, add a descriptive label for the new key. For example, if you're using a personal Mac, you might call this key "Personal MacBook Air". -6. Paste your key into the "Key" field. - ![The key field](/assets/images/help/settings/ssh-key-paste.png) -7. Click **Add SSH key**. - ![The Add key button](/assets/images/help/settings/ssh-add-key.png) -{% data reusables.user-settings.sudo-mode-popup %} - -{% endwebui %} - -{% endwindows %} - -{% linux %} - -{% webui %} - -1. Copy the SSH public key to your clipboard. - - If your SSH public key file has a different name than the example code, modify the filename to match your current setup. When copying your key, don't add any newlines or whitespace. - - ```shell - $ cat ~/.ssh/id_{% ifversion ghae %}rsa{% else %}ed25519{% endif %}.pub - # Then select and copy the contents of the id_{% ifversion ghae %}rsa{% else %}ed25519{% endif %}.pub file - # displayed in the terminal to your clipboard - ``` - - {% tip %} - - **Tip:** Alternatively, you can locate the hidden `.ssh` folder, open the file in your favorite text editor, and copy it to your clipboard. - - {% endtip %} - -{% data reusables.user-settings.access_settings %} -{% data reusables.user-settings.ssh %} -4. Click **New SSH key** or **Add SSH key**. - ![SSH Key button](/assets/images/help/settings/ssh-add-ssh-key.png) -5. In the "Title" field, add a descriptive label for the new key. For example, if you're using a personal Mac, you might call this key "Personal MacBook Air". -6. Paste your key into the "Key" field. - ![The key field](/assets/images/help/settings/ssh-key-paste.png) -7. Click **Add SSH key**. 
- ![The Add key button](/assets/images/help/settings/ssh-add-key.png) -{% data reusables.user-settings.sudo-mode-popup %} - -{% endwebui %} - -{% endlinux %} - {% cli %} {% data reusables.cli.cli-learn-more %} Before you can use the {% data variables.product.prodname_cli %} to add an SSH key to your account, you must authenticate to the {% data variables.product.prodname_cli %}. For more information, see [`gh auth login`](https://cli.github.com/manual/gh_auth_login) in the {% data variables.product.prodname_cli %} documentation. -To add an SSH key to your GitHub account, use the `ssh-key add` subcommand, specifying your public key. +{% ifversion ssh-commit-verification %}At present, you can only use {% data variables.product.prodname_cli %} to add SSH authentication keys, you cannot add SSH signing keys.{% endif %} + +To add an SSH authentication key to your GitHub account, use the `ssh-key add` subcommand, specifying your public key. ```shell gh ssh-key add key-file diff --git a/content/authentication/managing-commit-signature-verification/about-commit-signature-verification.md b/content/authentication/managing-commit-signature-verification/about-commit-signature-verification.md index adb05a61f9..b2287d3a5e 100644 --- a/content/authentication/managing-commit-signature-verification/about-commit-signature-verification.md +++ b/content/authentication/managing-commit-signature-verification/about-commit-signature-verification.md 
@@ -1,6 +1,6 @@ --- title: About commit signature verification -intro: 'Using GPG or S/MIME, you can sign tags and commits locally. These tags or commits are marked as verified on {% data variables.product.product_name %} so other people can be confident that the changes come from a trusted source.' +intro: 'Using GPG{% ifversion ssh-commit-verification %}, SSH,{% endif %} or S/MIME, you can sign tags and commits locally. These tags or commits are marked as verified on {% data variables.product.product_name %} so other people can be confident that the changes come from a trusted source.' redirect_from: - /articles/about-gpg-commit-and-tag-signatures - /articles/about-gpg 
@@ -19,10 +19,18 @@ shortTitle: Commit signature verification --- ## About commit signature verification -You can sign commits and tags locally, to give other people confidence about the origin of a change you have made. If a commit or tag has a GPG or S/MIME signature that is cryptographically verifiable, GitHub marks the commit or tag {% ifversion fpt or ghec %}"Verified" or "Partially verified."{% else %}"Verified."{% endif %} +You can sign commits and tags locally, to give other people confidence about the origin of a change you have made. If a commit or tag has a GPG{% ifversion ssh-commit-verification %}, SSH,{% endif %} or S/MIME signature that is cryptographically verifiable, {% data variables.product.product_name %} marks the commit or tag {% ifversion fpt or ghec %}"Verified" or "Partially verified."{% else %}"Verified."{% endif %} ![Verified commit](/assets/images/help/commits/verified-commit.png) +{% ifversion ghes or ghae %} +If a commit or tag has a signature that can't be verified, {% data variables.product.product_name %} marks the commit or tag "Unverified." +{% endif %} + +{% ifversion ssh-commit-verification %} +For most individual users, GPG or SSH will be the best choice for signing commits. S/MIME signatures are usually required in the context of a larger organization. SSH signatures are the simplest to generate. You can even upload your existing authentication key to {% data variables.product.product_name %} to also use as a signing key. Generating a GPG signing key is more involved than generating an SSH key, but GPG has features that SSH does not. A GPG key can expire or be revoked when no longer used. {% data variables.product.product_name %} shows commits that were signed with such a key as "Verified" unless the key was marked as compromised. SSH keys don't have this capability. +{% endif %} + {% ifversion fpt or ghec %} Commits and tags have the following verification statuses, depending on whether you have enabled vigilant mode. 
By default vigilant mode is not enabled. For information on how to enable vigilant mode, see "[Displaying verification statuses for all of your commits](/github/authenticating-to-github/displaying-verification-statuses-for-all-of-your-commits)." @@ -47,10 +55,9 @@ For more information, see "[Rebasing and merging your commits](/repositories/con {% data reusables.identity-and-permissions.vigilant-mode-verification-statuses %} -{% else %} -If a commit or tag has a signature that can't be verified, {% data variables.product.product_name %} marks the commit or tag "Unverified." {% endif %} + Repository administrators can enforce required commit signing on a branch to block all commits that are not signed and verified. For more information, see "[About protected branches](/github/administering-a-repository/about-protected-branches#require-signed-commits)." {% data reusables.identity-and-permissions.verification-status-check %} 
@@ -59,7 +66,7 @@ Repository administrators can enforce required commit signing on a branch to blo {% ifversion ghes %}If a site administrator has enabled web commit signing, {% data variables.product.product_name %} will automatically use GPG to sign commits you make using the web interface. Commits signed by {% data variables.product.product_name %} will have a verified status. You can verify the signature locally using the public key available at `https://HOSTNAME/web-flow.gpg`. For more information, see "[Configuring web commit signing](/admin/configuration/configuring-your-enterprise/configuring-web-commit-signing)." {% else %}{% data variables.product.prodname_dotcom %} will automatically use GPG to sign commits you make using the web interface. Commits signed by {% data variables.product.prodname_dotcom %} will have a verified status. You can verify the signature locally using the public key available at https://github.com/web-flow.gpg. The full fingerprint of the key is `5DE3 E050 9C47 EA3C F04A 42D3 4AEE 18F8 3AFD EB23`. -You can optionally choose to have {% data variables.product.prodname_dotcom %} sign commits you make in {% data variables.product.prodname_github_codespaces %}. For more information about enabling GPG verification for your codespaces, see "[Managing GPG verification for {% data variables.product.prodname_github_codespaces %}](/codespaces/managing-your-codespaces/managing-gpg-verification-for-github-codespaces)."{% endif %} +You can optionally choose to have {% data variables.product.prodname_dotcom %} GPG sign commits you make in {% data variables.product.prodname_github_codespaces %}. For more information about enabling GPG verification for your codespaces, see "[Managing GPG verification for {% data variables.product.prodname_github_codespaces %}](/codespaces/managing-your-codespaces/managing-gpg-verification-for-github-codespaces)."{% endif %} {% endif %} ## GPG commit signature verification 
@@ -77,6 +84,26 @@ To sign commits using GPG and have those commits verified on {% data variables.p 5. [Sign commits](/articles/signing-commits) 6. [Sign tags](/articles/signing-tags) +{% ifversion ssh-commit-verification %} +## SSH commit signature verification + +You can use SSH to sign commits with an SSH public key that you generate yourself. If you already use an SSH key to authenticate with {% data variables.product.product_name %}, +you can also upload that same key again for use as a signing key. There's no limit on the number of signing keys you can add to your account. + +{% data variables.product.product_name %} uses [ssh_data](https://github.com/github/ssh_data), an open source Ruby library, to confirm that your locally signed commits and tags are cryptographically verifiable against a public key you have added to your account on {% ifversion ghae %}{% data variables.product.product_name %}{% else %}{% data variables.product.product_location %}{% endif %}. + +{% data reusables.gpg.ssh-git-version %} + +To sign commits using SSH and have those commits verified on {% data variables.product.product_name %}, follow these steps: + +1. [Check for existing SSH keys](/articles/checking-for-existing-ssh-keys) +2. [Generate a new SSH key](/articles/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent) +3. [Add a SSH signing key to your GitHub account](/articles/adding-a-new-ssh-key-to-your-github-account) +4. [Tell Git about your signing key](/articles/telling-git-about-your-signing-key) +5. [Sign commits](/articles/signing-commits) +6. [Sign tags](/articles/signing-tags) + +{% endif %} ## S/MIME commit signature verification You can use S/MIME to sign commits with an X.509 key issued by your organization. 
diff --git a/content/authentication/managing-commit-signature-verification/displaying-verification-statuses-for-all-of-your-commits.md b/content/authentication/managing-commit-signature-verification/displaying-verification-statuses-for-all-of-your-commits.md index d85519e441..0094597708 100644 --- a/content/authentication/managing-commit-signature-verification/displaying-verification-statuses-for-all-of-your-commits.md +++ b/content/authentication/managing-commit-signature-verification/displaying-verification-statuses-for-all-of-your-commits.md 
@@ -18,7 +18,7 @@ redirect_from: When you work locally on your computer, Git allows you to set the author of your changes and the identity of the committer. This, potentially, makes it difficult for other people to be confident that commits and tags you create were actually created by you. To help solve this problem you can sign your commits and tags. For more information, see "[Signing commits](/github/authenticating-to-github/signing-commits)" and "[Signing tags](/github/authenticating-to-github/signing-tags)." {% data variables.product.prodname_dotcom %} marks signed commits and tags with a verification status. -By default commits and tags are marked "Verified" if they are signed with a GPG or S/MIME key that was successfully verified. If a commit or tag has a signature that can't be verified by {% data variables.product.prodname_dotcom %}, we mark the commit or tag "Unverified." In all other cases no verification status is displayed. +By default commits and tags are marked "Verified" if they are signed with a GPG{% ifversion ssh-commit-verification %}, SSH,{% endif %} or S/MIME key that was successfully verified. If a commit or tag has a signature that can't be verified by {% data variables.product.prodname_dotcom %}, we mark the commit or tag "Unverified." In all other cases no verification status is displayed. However, you can give other users increased confidence in the identity attributed to your commits and tags by enabling vigilant mode in your {% data variables.product.prodname_dotcom %} settings. With vigilant mode enabled, all of your commits and tags are marked with one of three verification statuses. diff --git a/content/authentication/managing-commit-signature-verification/index.md b/content/authentication/managing-commit-signature-verification/index.md index cda54504d8..ba633a09a0 100644 --- a/content/authentication/managing-commit-signature-verification/index.md +++ b/content/authentication/managing-commit-signature-verification/index.md 
@@ -1,6 +1,6 @@ --- title: Managing commit signature verification -intro: 'You can sign your work locally using GPG or S/MIME. {% data variables.product.product_name %} will verify these signatures so other people will know that your commits come from a trusted source.{% ifversion fpt %} {% data variables.product.product_name %} will automatically sign commits you make using the {% data variables.product.product_name %} web interface.{% endif %}' +intro: '{% data variables.product.product_name %} will verify GPG{% ifversion ssh-commit-verification %}, SSH,{% endif %} or S/MIME signatures so other people will know that your commits come from a trusted source.{% ifversion fpt %} {% data variables.product.product_name %} will automatically sign commits you make using the {% data variables.product.product_name %} web interface.{% endif %}' redirect_from: - /articles/generating-a-gpg-key - /articles/signing-commits-with-gpg diff --git a/content/authentication/managing-commit-signature-verification/signing-commits.md b/content/authentication/managing-commit-signature-verification/signing-commits.md index 6363f778c0..cf7d059042 100644 --- a/content/authentication/managing-commit-signature-verification/signing-commits.md +++ b/content/authentication/managing-commit-signature-verification/signing-commits.md @@ -1,6 +1,6 @@ --- title: Signing commits -intro: You can sign commits locally using GPG or S/MIME. +intro: You can sign commits locally using GPG{% ifversion ssh-commit-verification %}, SSH,{% endif %} or S/MIME. redirect_from: - /articles/signing-commits-and-tags-using-gpg - /articles/signing-commits-using-gpg 
@@ -52,9 +52,5 @@ If you have multiple keys or are attempting to sign commits or tags with a key t ## Further reading -* "[Checking for existing GPG keys](/articles/checking-for-existing-gpg-keys)" -* "[Generating a new GPG key](/articles/generating-a-new-gpg-key)" -* "[Adding a GPG key to your GitHub account](/articles/adding-a-gpg-key-to-your-github-account)" * "[Telling Git about your signing key](/articles/telling-git-about-your-signing-key)" -* "[Associating an email with your GPG key](/articles/associating-an-email-with-your-gpg-key)" * "[Signing tags](/articles/signing-tags)" diff --git a/content/authentication/managing-commit-signature-verification/signing-tags.md b/content/authentication/managing-commit-signature-verification/signing-tags.md index 1809bef4ad..fac18fab40 100644 --- a/content/authentication/managing-commit-signature-verification/signing-tags.md +++ b/content/authentication/managing-commit-signature-verification/signing-tags.md @@ -1,6 +1,6 @@ --- title: Signing tags -intro: You can sign tags locally using GPG or S/MIME. +intro: You can sign tags locally using GPG{% ifversion ssh-commit-verification %}, SSH,{% endif %} or S/MIME. redirect_from: - /articles/signing-tags-using-gpg - /articles/signing-tags @@ -31,9 +31,6 @@ topics: ## Further reading - "[Viewing your repository's tags](/articles/viewing-your-repositorys-tags)" -- "[Checking for existing GPG keys](/articles/checking-for-existing-gpg-keys)" -- "[Generating a new GPG key](/articles/generating-a-new-gpg-key)" -- "[Adding a GPG key to your GitHub account](/articles/adding-a-gpg-key-to-your-github-account)" - "[Telling Git about your signing key](/articles/telling-git-about-your-signing-key)" - "[Associating an email with your GPG key](/articles/associating-an-email-with-your-gpg-key)" - "[Signing commits](/articles/signing-commits)" 
diff --git a/content/authentication/managing-commit-signature-verification/telling-git-about-your-signing-key.md b/content/authentication/managing-commit-signature-verification/telling-git-about-your-signing-key.md index b86b173566..9bb8eff1b1 100644 --- a/content/authentication/managing-commit-signature-verification/telling-git-about-your-signing-key.md +++ b/content/authentication/managing-commit-signature-verification/telling-git-about-your-signing-key.md @@ -1,6 +1,6 @@ --- title: Telling Git about your signing key -intro: 'To sign commits locally, you need to inform Git that there''s a GPG or X.509 key you''d like to use.' +intro: 'To sign commits locally, you need to inform Git that there''s a GPG{% ifversion ssh-commit-verification %}, SSH,{% endif %} or X.509 key you''d like to use.' redirect_from: - /articles/telling-git-about-your-gpg-key - /articles/telling-git-about-your-signing-key @@ -51,8 +51,6 @@ If you have multiple GPG keys, you need to tell Git which one to use. $ killall gpg-agent ``` -{% data reusables.gpg.x-509-key %} - {% endmac %} {% windows %} @@ -74,8 +72,6 @@ If you have multiple GPG keys, you need to tell Git which one to use. {% data reusables.gpg.copy-gpg-key-id %} {% data reusables.gpg.paste-gpg-key-id %} -{% data reusables.gpg.x-509-key %} - {% endwindows %} {% linux %} 
@@ -100,15 +96,25 @@ If you have multiple GPG keys, you need to tell Git which one to use. ```bash $ [ -f ~/.bashrc ] && echo 'export GPG_TTY=$(tty)' >> ~/.bashrc ``` - {% endlinux %} +{% ifversion ssh-commit-verification %} +## Telling Git about your SSH key + +You can use an existing SSH key to sign commits and tags, or generate a new one specifically for signing. For more information, see "[Generating a new SSH key and adding it to the ssh-agent](/github/authenticating-to-github/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent)." + +{% data reusables.gpg.ssh-git-version %} + +{% data reusables.command_line.open_the_multi_os_terminal %} +{% data reusables.gpg.configure-ssh-signing %} +{% data reusables.gpg.copy-ssh-public-key %} +{% data reusables.gpg.paste-ssh-public-key %} + +{% endif %} + +{% data reusables.gpg.x-509-key %} ## Further reading -- "[Checking for existing GPG keys](/articles/checking-for-existing-gpg-keys)" -- "[Generating a new GPG key](/articles/generating-a-new-gpg-key)" -- "[Using a verified email address in your GPG key](/articles/using-a-verified-email-address-in-your-gpg-key)" -- "[Adding a GPG key to your GitHub account](/articles/adding-a-gpg-key-to-your-github-account)" -- "[Associating an email with your GPG key](/articles/associating-an-email-with-your-gpg-key)" +- "[Adding a new SSH key to your GitHub account](/github/authenticating-to-github/adding-a-new-ssh-key-to-your-github-account)." - "[Signing commits](/articles/signing-commits)" - "[Signing tags](/articles/signing-tags)" diff --git a/content/authentication/troubleshooting-commit-signature-verification/checking-your-commit-and-tag-signature-verification-status.md b/content/authentication/troubleshooting-commit-signature-verification/checking-your-commit-and-tag-signature-verification-status.md index 38e0b87865..df217b71a5 100644 --- a/content/authentication/troubleshooting-commit-signature-verification/checking-your-commit-and-tag-signature-verification-status.md 
+++ b/content/authentication/troubleshooting-commit-signature-verification/checking-your-commit-and-tag-signature-verification-status.md @@ -23,7 +23,12 @@ shortTitle: Check verification status 3. Next to your commit's abbreviated commit hash, there is a box that shows whether your commit signature is verified{% ifversion fpt or ghec %}, partially verified,{% endif %} or unverified. ![Signed commit](/assets/images/help/commits/gpg-signed-commit-verified-without-details.png) 4. To view more detailed information about the commit signature, click **Verified**{% ifversion fpt or ghec %}, **Partially verified**,{% endif %} or **Unverified**. -![Verified signed commit](/assets/images/help/commits/gpg-signed-commit_verified_details.png) + GPG signed commits will show the ID of the key that was used. + ![Verified GPG signed commit](/assets/images/help/commits/gpg-signed-commit_verified_details.png) +{% ifversion ssh-commit-verification %} + SSH signed commits will show the signature of the public key that was used. + ![Verified SSH signed commit](/assets/images/help/commits/ssh-signed-commit-verified-details.png) +{% endif %} ## Checking your tag signature verification status diff --git a/data/features/ssh-commit-verification.yml b/data/features/ssh-commit-verification.yml new file mode 100644 index 0000000000..87f1f3d243 --- /dev/null +++ b/data/features/ssh-commit-verification.yml @@ -0,0 +1,8 @@ +# Reference: github/docs-content#6709 +# Initial docs for showing SSH signed commits as verified and +# uploading SSH signing keys +versions: + fpt: '*' + ghec: '*' + ghes: '>= 3.7' + ghae: '*' diff --git a/data/reusables/gpg/configure-ssh-signing.md b/data/reusables/gpg/configure-ssh-signing.md new file mode 100644 index 0000000000..f0f489a73a --- /dev/null +++ b/data/reusables/gpg/configure-ssh-signing.md @@ -0,0 +1,4 @@ +1. Configure Git to use SSH to sign commits and tags: + ```bash + $ git config --global gpg.format ssh + ``` \ No newline at end of file 
diff --git a/data/reusables/gpg/copy-ssh-public-key.md b/data/reusables/gpg/copy-ssh-public-key.md new file mode 100644 index 0000000000..3306792aba --- /dev/null +++ b/data/reusables/gpg/copy-ssh-public-key.md @@ -0,0 +1,43 @@ +1. Copy the SSH public key to your clipboard. + + If your SSH public key file has a different name than the example code, modify the filename to match your current setup. When copying your key, don't add any newlines or whitespace. +{% mac %} + + ```shell + $ pbcopy < ~/.ssh/id_{% ifversion ghae %}rsa{% else %}ed25519{% endif %}.pub + # Copies the contents of the id_{% ifversion ghae %}rsa{% else %}ed25519{% endif %}.pub file to your clipboard + ``` + + {% tip %} + + **Tip:** If `pbcopy` isn't working, you can locate the hidden `.ssh` folder, open the file in your favorite text editor, and copy it to your clipboard. + + {% endtip %} +{% endmac %} +{% windows %} + + ```shell + $ clip < ~/.ssh/id_{% ifversion ghae %}rsa{% else %}ed25519{% endif %}.pub + # Copies the contents of the id_{% ifversion ghae %}rsa{% else %}ed25519{% endif %}.pub file to your clipboard + ``` + + {% tip %} + + **Tip:** If `clip` isn't working, you can locate the hidden `.ssh` folder, open the file in your favorite text editor, and copy it to your clipboard. + + {% endtip %} +{% endwindows %} +{% linux %} + + ```shell + $ cat ~/.ssh/id_{% ifversion ghae %}rsa{% else %}ed25519{% endif %}.pub + # Then select and copy the contents of the id_{% ifversion ghae %}rsa{% else %}ed25519{% endif %}.pub file + # displayed in the terminal to your clipboard + ``` + + {% tip %} + + **Tip:** Alternatively, you can locate the hidden `.ssh` folder, open the file in your favorite text editor, and copy it to your clipboard. + + {% endtip %} +{% endlinux %} diff --git a/data/reusables/gpg/paste-ssh-public-key.md b/data/reusables/gpg/paste-ssh-public-key.md new file mode 100644 index 0000000000..1274a0acb5 --- /dev/null +++ b/data/reusables/gpg/paste-ssh-public-key.md 
@@ -0,0 +1,4 @@ +1. To set your SSH signing key in Git, paste the text below, substituting the contents of your clipboard for the key you'd like to use. Since the key contains spaces, you must wrap it in quotes: + ```bash + $ git config --global user.signingkey 'ssh-ed25519 AAAAC3(...) user@example.com' + ``` \ No newline at end of file diff --git a/data/reusables/gpg/ssh-git-version.md b/data/reusables/gpg/ssh-git-version.md new file mode 100644 index 0000000000..00395fab29 --- /dev/null +++ b/data/reusables/gpg/ssh-git-version.md @@ -0,0 +1,6 @@ + +{% note %} + +**Note:** SSH signature verification is available in Git 2.34 or later. To update your version of Git, see the [Git](https://git-scm.com/downloads) website. + +{% endnote %} diff --git a/data/reusables/gpg/x-509-key.md b/data/reusables/gpg/x-509-key.md index 7bb93711ea..6848f78d42 100644 --- a/data/reusables/gpg/x-509-key.md +++ b/data/reusables/gpg/x-509-key.md @@ -1,5 +1,5 @@ -### Telling Git about your X.509 key +## Telling Git about your X.509 key You can use [smimesign](https://github.com/github/smimesign) to sign commits and tags using S/MIME instead of GPG. diff --git a/tests/meta/repository-references.js b/tests/meta/repository-references.js index 2626a15d32..261ce28119 100644 --- a/tests/meta/repository-references.js +++ b/tests/meta/repository-references.js @@ -59,6 +59,7 @@ const PUBLIC_REPOS = new Set([ 'roadmap', 'securitylab', 'semantic', + 'ssh_data', 'site-policy', 'smimesign', 'stack-graphs',
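Review bot: In about-ssh.md (@@ -16,7 +16,7 @@), the "For more information" sentence splits its quotation marks and separators across three `{% ifversion ssh-commit-verification %}` blocks, which makes the quote pairing hard to check by eye and leaves two spaces after the comma in the versioned branch (the `, ` inside the conditional plus the literal space before the next opening quote). Writing the full link list once per branch, two links in the `else` branch and three in the versioned one, would keep each rendered sentence readable in the source.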
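Review bot: In adding-a-new-ssh-key-to-your-github-account.md (@@ -30,120 +32,46 @@), the new CLI note "you can only use ... to add SSH authentication keys, you cannot add SSH signing keys" is a comma splice and leaves a reader who wants a signing key with no next step. Suggest splitting it into two sentences and pointing to the web browser instructions for signing keys. Step 6 ("Select the type of key, either authentication or signing") could also say that a key meant for both purposes has to be added once per type, which matches the "upload that same key again" wording in about-commit-signature-verification.md.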
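Review bot: In about-commit-signature-verification.md (@@ -19,10 +19,18 @@), the closing sentence of the new comparison paragraph, "SSH keys don't have this capability", does not say what "this capability" refers to: expiry, revocation, or the "Verified unless marked as compromised" behaviour described just before it. Since this paragraph is where readers choose a signing method, it should state what happens to the verification status of existing commits when an SSH signing key is removed from the account or is no longer trusted.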
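Review bot: In about-commit-signature-verification.md (@@ -77,6 +84,26 @@), the first sentence of the new section says you "sign commits with an SSH public key that you generate yourself", but signing uses the private half of the key pair and the public key is what gets uploaded for verification, as the next paragraph ("verifiable against a public key you have added to your account") already implies. Suggest "with an SSH key that you generate yourself". Two smaller points in the same hunk: the first paragraph has a hard line break after the product-name variable in the middle of a sentence, and step 3 should read "Add an SSH signing key".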
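Review bot: The "Further reading" clean-up is inconsistent between signing-commits.md (@@ -52,9 +52,5 @@) and signing-tags.md (@@ -31,9 +31,6 @@): the first removes "Associating an email with your GPG key" along with the other GPG links, the second keeps it. If the intent is to make both lists signing-method neutral now that SSH is an option, drop the link from signing-tags.md as well; if it is meant to stay, restore it in signing-commits.md.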
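Review bot: In telling-git-about-your-signing-key.md (@@ -96,15 +100,25 @@), the new "Further reading" entry ends with a period after the closing quote ("...adding-a-new-ssh-key-to-your-github-account)".") while the remaining entries have none; drop it for consistency. The same hunk removes every GPG link from the list, including "Adding a GPG key to your GitHub account", even though most of this article still covers GPG setup, so consider keeping that one next to the new SSH link.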
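Review bot: In checking-your-commit-and-tag-signature-verification-status.md (@@ -23,7 +23,12 @@), "SSH signed commits will show the signature of the public key that was used" is ambiguous, because the signature is the thing attached to the commit, not a property of the key. If the details box identifies the key (the GPG line beside it says "the ID of the key that was used"), name what is shown, for example the key's fingerprint, so readers know what to compare against their own key. "GPG signed" and "SSH signed" would also read better hyphenated.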
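Review bot: In data/reusables/gpg/configure-ssh-signing.md, the step runs `git config --global gpg.format ssh` without saying that `--global` changes the signing format for every repository of the current user, including ones where the reader already signs with GPG. Suggest a one-line note that omitting `--global` limits the setting to the current repository. The file also ends without a trailing newline ("\ No newline at end of file").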
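Review bot: In data/reusables/gpg/paste-ssh-public-key.md, the instruction "substituting the contents of your clipboard for the key you'd like to use" reads backwards, since the clipboard contents are the key the reader wants to use. Suggest "replacing the example key with the contents of your clipboard". It would also help to say that the value is the public key copied in the previous step, since the setting is named `user.signingkey` and a reader could reach for the private key file. This file is missing its trailing newline as well.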
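Review bot: In data/reusables/gpg/ssh-git-version.md, the note says "SSH signature verification is available in Git 2.34 or later", but the reusable is included in the sections that tell readers how to sign ("SSH commit signature verification" steps and "Telling Git about your SSH key"). Wording it as "SSH commit signing and verification" would make clear that the version requirement applies to the `gpg.format ssh` step too. The new file also starts with an empty line before `{% note %}`.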
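Review bot: In tests/meta/repository-references.js (@@ -59,6 +59,7 @@), 'ssh_data' is inserted between 'semantic' and 'site-policy', which breaks the alphabetical order the surrounding entries follow ('roadmap', 'securitylab', 'semantic', 'site-policy', 'smimesign', 'stack-graphs'). Move it to sit between 'smimesign' and 'stack-graphs'.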