{"id":20398496,"url":"https://github.com/keeper-security/git-ssh-sign","last_synced_at":"2025-07-21T23:33:36.024Z","repository":{"id":190284354,"uuid":"674736059","full_name":"Keeper-Security/git-ssh-sign","owner":"Keeper-Security","description":"Git SSH sign feature for Keeper Secrets Manager","archived":false,"fork":false,"pushed_at":"2025-03-03T16:15:38.000Z","size":108,"stargazers_count":7,"open_issues_count":2,"forks_count":1,"subscribers_count":6,"default_branch":"main","last_synced_at":"2025-04-12T13:14:04.167Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Keeper-Security.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":".github/CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2023-08-04T16:31:36.000Z","updated_at":"2024-11-29T16:17:06.000Z","dependencies_parsed_at":"2024-01-19T18:43:18.983Z","dependency_job_id":"f006b42a-ec35-4fea-8cfa-a1d46890148b","html_url":"https://github.com/Keeper-Security/git-ssh-sign","commit_stats":null,"previous_names":["keeper-security/git-ssh-sign"],"tags_count":18,"template":false,"template_full_name":null,"purl":"pkg:github/Keeper-Security/git-ssh-sign","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Keeper-Security%2Fgit-ssh-sign","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Keeper-Security%2Fgit-ssh-sign/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Keeper-Security%2Fgit-ssh-sign/releases","manifests_url":"https://repos.ecosyste
.ms/api/v1/hosts/GitHub/repositories/Keeper-Security%2Fgit-ssh-sign/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Keeper-Security","download_url":"https://codeload.github.com/Keeper-Security/git-ssh-sign/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Keeper-Security%2Fgit-ssh-sign/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":266403106,"owners_count":23923404,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-07-21T11:47:31.412Z","response_time":64,"last_error":null,"robots_txt_status":null,"robots_txt_updated_at":null,"robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-15T04:22:18.572Z","updated_at":"2025-07-21T23:33:35.993Z","avatar_url":"https://github.com/Keeper-Security.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"![GitHub](https://img.shields.io/github/license/Keeper-Security/git-ssh-sign)\n![GitHub Workflow Status (with event)](https://img.shields.io/github/actions/workflow/status/Keeper-Security/git-ssh-sign/test.yml)\n![GitHub release (with filter)](https://img.shields.io/github/v/release/Keeper-Security/git-ssh-sign)\n\n\n# Git commit signing with SSH Keys in Keeper\n\nSign Git commits using an SSH key stored in Keeper.\n\nSigning Git commits is an important security measure that verifies authorship,\nand ensures the integrity of the changes.\nJust as importantly,\nsigning commits shows a commitment to 
authenticity and security,\nhelping to build trust in the community.\n\n## Requirements\n\nDevelopment requires:\n\n- Git \u003e 2.34.0\n- Go \u003e 1.20\n\nUsage requires:\n\n- [Keeper Secrets Manager](https://docs.keeper.io/secrets-manager/secrets-manager/overview)\n  (KSM) [enabled](https://docs.keeper.io/secrets-manager/secrets-manager/quick-start-guide)\n- A Secrets Manager Application with read-only access to an SSH key\n\n## KSM Set up\n\nThe integration expects a KSM Application Configuration file at either\n`.config/keeper/ssh-sign.json` or\n`ssh-sign.json`\nrelative to the user's home directory.\nIt must have access to a Shared Folder that contains the SSH key.\nFor help in obtaining a KSM configuration in JSON format,\n[follow these instructions](https://docs.keeper.io/secrets-manager/secrets-manager/about/secrets-manager-configuration#creating-a-secrets-manager-configuration).\n\n\u003e For help setting up the KSM and creating an application, head to the\n\u003e [official docs](https://docs.keeper.io/secrets-manager/secrets-manager/quick-start-guide).\n\n### CLI-based Configuration\n\n#### Scripts\n\nThe `configure-git.sh` script will build the integration and configure Git (globally) to use it.\nThe `Update-GitConfig.ps1` script will do the same using PowerShell.\n\nRun one or the other, then skip ahead to [Repositories](#repositories).\n\n#### Step-by-step\n\nAlternatively, build the binary:\n\n```shell\ngo build -o ssh-sign ./cmd/ssh-sign\n```\n\nThen set the `TOKEN` variable and run the Bash **or** PowerShell below to create the configuration:\n\n```bash\nTOKEN=\"One-time Access Token from Keeper\"\nCONFDIR=\"${HOME}/.config/keeper\"\n# Create the configuration directory, readable only by the current user\ntest -d \"${CONFDIR}\" || mkdir -m 0700 -p \"${CONFDIR}\"\n# Write to a temporary file first so a failed init never replaces a working configuration\nksm init default --plain \"${TOKEN}\" \u003e| \"${CONFDIR}/ssh-sign.json.new\"\ntest $? 
-eq 0 \u0026\u0026 mv -f \"${CONFDIR}\"/ssh-sign.json{.new,}\n```\n\n```PowerShell\n$TOKEN = \"One-time Access Token from Keeper\"\nif (!(Test-Path \"${env:USERPROFILE}\\.config\\keeper\")) {\n    New-Item -Type Directory \"${env:USERPROFILE}\\.config\\keeper\"\n}\n# Capture the output of ksm init and write the file only when it returned a configuration\nif ($Config = ksm init default --plain $TOKEN) {\n    Set-Content -Path \"${env:USERPROFILE}\\.config\\keeper\\ssh-sign.json\" -Value $Config\n}\n```\n\n##### Notes\n\n- The executable is standalone and can exist anywhere that Git can access.\n\n- The KSM documentation details the process of getting a\n  [One-time Access Token](https://docs.keeper.io/secrets-manager/secrets-manager/about/one-time-token).\n\n### UI-based Configuration\n\nThe [Secrets Manager Configuration](https://docs.keeper.io/secrets-manager/secrets-manager/about/secrets-manager-configuration)\npage walks through creating a KSM Application Configuration via the UI.\n\n## Git Configuration\n\n### Global\n\nFirst, globally configure Git to use the binary to sign SSH format commits:\n\n```shell\ngit config --global gpg.ssh.program path/to/ssh-sign\n```\n\nAfterward, `~/.gitconfig` should contain:\n\n```ini\n[gpg \"ssh\"]\n    program = path/to/ssh-sign\n```\n\n### Repositories\n\nNext, configure a Git repository to sign your commits using the SSH key from the Keeper Vault.\n\n```shell\ngit config gpg.format ssh\ngit config user.signingkey SSH-Key-UID\n```\n\nNote that the executable expects the Git signing key to be the UID of the SSH key in the Keeper Vault.\n\nThe resulting Git configuration should look something like this:\n\n```ini\n[gpg]\n    format = ssh\n[user]\n    signingKey = SSH-Key-UID\n[gpg \"ssh\"]\n    program = path/to/ssh-sign\n```\n\n## Usage\n\nSimply run `git commit` with the `-S` switch to sign a commit!\nYou can confirm your commit has been signed with `git show --pretty=raw`.\n\n### Automatic signing\n\nTo sign commits automatically, i.e., without the `-S` switch, run:\n\n```shell\ngit config commit.gpgsign true\n```\n\n### 
Local verification\n\nTo verify signatures locally with a command such as `git log --show-signature -1`, you must create an `allowed_signers` file with trusted SSH public keys. Typically this file is saved either globally at `.ssh/allowed_signers` or in the local repo at `.git/allowed_signers`. The path to this file then needs to be added to your `.gitconfig` or `.git/config` file.\n\n```shell\ngit config gpg.ssh.allowedSignersFile path/to/file\n```\n\nEach line of your `allowed_signers` file should name a principal for an authorized signing key. The line should start with the email address associated with the public key, followed by the key itself, separated by a space.\n\n```text\ntest@example.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEQvSrBv28KLAjYO7pD91prhlenrm3hZ4B7DdcB/4/H+\n```\n\n\u003e The format of the allowed signers file is documented in full [here](https://www.man7.org/linux/man-pages/man1/ssh-keygen.1.html#:~:text=key%20was%20revoked.-,ALLOWED%20SIGNERS,-top).\n\nWhile it is correct syntax to have more than one email address associated with a single public key, it is not recommended or currently supported.\n\n## Troubleshooting\n\nGit will execute `path/to/ssh-sign -Y sign -n git -f SSH-Key-UID some-input.txt`.\nIt expects the program to write an output file with the same path as the input file, with the extension `.sig` appended.\nSo to test whether the signing operation will work after creating the configuration,\nrun the aforementioned command on a file in a folder you can write to.\n\nAs an example, assuming `some-input.txt` exists in the current directory,\nrunning the above command exactly will create a file named `some-input.txt.sig`\nthat will contain a signature, e.g.:\n\n```PEM\n-----BEGIN SSH SIGNATURE-----\nU1NIU0lHAAAAAQAAAZcAAAAHc3NoLXJzYQAAAAMBAAEAAAGBAL9iBpy9EFG4T9c3\n...\n...\n...\nrIalDYl8KKK+DPrwiF4KCKoovNN2xXu04ljxLH9O3byUcA==\n-----END SSH SIGNATURE-----\n```\n\n## Contributing\n\nPlease read and refer to the [contribution 
guide](https://github.com/Keeper-Security/git-ssh-sign/blob/main/CONTRIBUTING.md) before making your first PR.\n\nThis module uses the built-in Golang tooling for building and testing:\n\n```shell\n# Run unit tests\ngo test ./...\n\n# Build a local binary\ngo build -o ssh-sign ./cmd/ssh-sign/main.go\n```\n\nFor bugs, changes, etc., please submit an [issue](https://github.com/Keeper-Security/git-ssh-sign/issues/new)!\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkeeper-security%2Fgit-ssh-sign","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fkeeper-security%2Fgit-ssh-sign","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkeeper-security%2Fgit-ssh-sign/lists"}