bash/zsh functions for easier SSH signing and verification
I have been using SSH-signed git commits for 8 months and have started signing other things with my SSH key instead of PGP keys, so I thought I would share how to do that more easily.
If you didn’t know that SSH can be used for this, I suggest reading
- Andrew Ayer: It’s Now Possible To Sign Arbitrary Data With Your SSH Keys
- Caleb Hearth: Signing Git Commits with Your SSH Key (web.archive.org)
Signing
Usually you do ssh-keygen -Y sign -f MYPUBLICKEY -n TYPE filename (the -f key may be a private key, or a public key whose private half is loaded in ssh-agent), but that is
a bit of effort, so why not make an alias for it? In my shellrcs I have:
alias ssh-sign-file="ssh-keygen -Y sign -f ~/.ssh/signingkey.pub -n file"
As I don’t change which key I use very often, I can export my public key to
~/.ssh/signingkey.pub or symlink it to the right place, and now when I need to
sign something, I can just run ssh-sign-file file.txt to generate
file.txt.sig. Of course this assumes that I always sign files (the "file" namespace), but I don’t
remember signing other things, as git handles the commits for me.
Thus to sign a file, I simply say ssh-sign-file hello.txt to receive
hello.txt.sig containing my signature:
Signing file hello.txt
Write signature to hello.txt.sig
Verifying
There isn’t much point in signing things unless you are able to verify them.
The command for this is
ssh-keygen -Y verify -f $allowed_signers -I $EMAIL -n file -s SIGNATUREFILE < $2
Isn’t that a bit much to keep in mind? In my opinion it is, and thus the function
gets a bit more complicated:
sshAllowedSigners=$HOME/src/gitea.blesmrt.net/Mikaela/ssh-allowed_signers/allowed_signers
ssh-verify-file() {
# ${2:?...} aborts the function with a usage message when an argument is missing.
echo "$1 ${2:?Usage: ssh-verify-file <email> <file-to-verify>}" > /dev/null
# Expansions are quoted so paths containing spaces are passed intact.
ssh-keygen -Y verify -f "$sshAllowedSigners" -I "$1" -n file -s "$2.sig" < "$2"
}
First I specify where my allowed_signers file is so I don’t have to repeat it,
and in case I misuse the function, it reminds me how to use it:
% ssh-verify-file hello.txt
ssh-verify-file:1: 2: Usage: ssh-verify-file <email> <file-to-verify>
I again don’t remember verifying other types of files, as git handles it for me,
and I think it’s a safe assumption that the signature file ends in .sig.
So to use it properly and verify the previously signed file:
ssh-verify-file noreply@aminda.eu hello.txt
Good "file" signature for noreply@aminda.eu with ED25519 key SHA256:y2OpGEbett3Fqn8XFrP0X4mWfCVKf4rWkxERzqPY81U
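To tie the signing and verifying helpers together, here is an added example (my own code, not from the original post): quoted versions of both functions plus a round-trip self-test that generates a throwaway key, signs a constructed file, verifies it, and confirms that the same signature is rejected for a tampered copy. SSH_SIGNING_KEY, SSH_ALLOWED_SIGNERS and demo_roundtrip are this example's own names.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): quoted variants of the two
# helpers plus a round-trip self-test. SSH_SIGNING_KEY, SSH_ALLOWED_SIGNERS
# and demo_roundtrip are this example's own names, not the post's.
set -u

# Defaults mirror the post; both can be overridden from the environment.
SSH_SIGNING_KEY="${SSH_SIGNING_KEY:-$HOME/.ssh/signingkey.pub}"
SSH_ALLOWED_SIGNERS="${SSH_ALLOWED_SIGNERS:-$HOME/.ssh/allowed_signers}"

# ssh_sign_file FILE -> writes FILE.sig in the "file" namespace.
ssh_sign_file() {
  local file="${1:?Usage: ssh_sign_file <file>}"
  ssh-keygen -Y sign -f "$SSH_SIGNING_KEY" -n file "$file"
}

# ssh_verify_file EMAIL FILE -> checks FILE.sig against allowed_signers.
# Every expansion is quoted so a path with spaces cannot be split or globbed.
ssh_verify_file() {
  local email="${1:?Usage: ssh_verify_file <email> <file-to-verify>}"
  local file="${2:?Usage: ssh_verify_file <email> <file-to-verify>}"
  ssh-keygen -Y verify -f "$SSH_ALLOWED_SIGNERS" -I "$email" -n file \
    -s "$file.sig" < "$file"
}

# demo_roundtrip: in a temp dir, generate a throwaway ed25519 key, build an
# allowed_signers line for it, sign a constructed file, verify it, then check
# that the signature is rejected for a tampered copy. Returns 0 only if the
# good file verifies AND the tampered file fails verification.
demo_roundtrip() {
  local tmp email="demo@example.invalid" rc=1
  tmp="$(mktemp -d)" || return 1
  ssh-keygen -q -t ed25519 -N '' -f "$tmp/id_ed25519" || return 1
  # Sign with the private key so no ssh-agent is needed; bash's dynamic
  # scoping makes these locals visible to the helpers called below.
  local SSH_SIGNING_KEY="$tmp/id_ed25519" SSH_ALLOWED_SIGNERS="$tmp/allowed_signers"
  # allowed_signers format: principal, then the key type and base64 key.
  printf '%s %s\n' "$email" "$(cut -d' ' -f1,2 "$tmp/id_ed25519.pub")" \
    > "$SSH_ALLOWED_SIGNERS"
  printf 'hello world\n' > "$tmp/hello.txt"        # constructed sample input
  printf 'hello world!\n' > "$tmp/tampered.txt"    # one byte changed
  if ssh_sign_file "$tmp/hello.txt" 2>/dev/null &&
     ssh_verify_file "$email" "$tmp/hello.txt" >/dev/null 2>&1; then
    cp "$tmp/hello.txt.sig" "$tmp/tampered.txt.sig"
    # Verification must fail here: the signature covers the original bytes.
    ssh_verify_file "$email" "$tmp/tampered.txt" >/dev/null 2>&1 || rc=0
  fi
  rm -rf "$tmp"
  return "$rc"
}
```

Run demo_roundtrip after sourcing the file; an exit status of 0 means the good signature verified and the tampered file was rejected.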
Extra: having git handle it for me
When git is configured properly with gpg.ssh.allowedSignersFile, the usual git
verification commands work with SSH as well:
- git log --show-signature for the usual git log with signatures visible
- git verify-tag 1.0 for verifying a specific tag signature
- git verify-commit HEAD to verify the latest commit signature, or just to see that git signing is working.
Isn’t the last command again a bit of effort? What if I could just say git verify?
% git verify
Good "git" signature for *@mikaela.info with RSA key SHA256:CXLULpqNBdUKB6E6fLA1b/4SzG0HvKD19PbIePU175Q
This is possible too: git config --global alias.verify "verify-commit HEAD" (the quotes keep the two words together as one alias value).