Security researcher Matthew Garrett has published a detailed guide on implementing SSH certificates for git commit signing, addressing supply chain security concerns in software development. The blog post outlines how SSH certificates can provide better authentication than traditional methods when validating code authorship.
Git supports cryptographic signing of commits and tags using OpenPGP keys, X.509 certificates, or SSH keys. However, Garrett notes that “bare cryptographic keys aren’t terribly helpful in isolation – you need some way to make a determination about which keys you trust.” He dismisses OpenPGP due to web of trust issues and calls X.509 certificates “an absolute nightmare.”
SSH certificates offer a solution by providing public keys signed by trusted parties, with metadata including “Principals” – a list of identities the key holder may act as, and potentially group membership information. Two git settings are needed: git config set gpg.format ssh (older releases spell it git config gpg.format ssh), and then either user.signingkey pointing at the certificate file or gpg.ssh.defaultKeyCommand naming a command that fetches the certificate from an SSH agent.
Garrett has developed a tool that “will talk to an SSH agent, find a certificate signed with the key provided with the -ca argument, and then pass that back to git.” Developers then sign as usual with the -S flag on git commit. Because the certificate and private key are obtained through the agent rather than read from disk, the approach works with SSH agent forwarding, allowing developers to keep keys on local systems while signing from remote development environments.
Signature validation proves more complex. Git hands the check to ssh-keygen -Y verify, which decides trust from a file in ssh-keygen’s allowed-signers format (similar to authorized_keys) that git locates through gpg.ssh.allowedSignersFile. Garrett recommends adding entries like * cert-authority ssh-rsa AAAA… which “will match all principals (the wildcard) and succeed if the signature is made with a certificate that’s signed by the key following cert-authority.” The researcher warns against examining git’s implementation code for this functionality, without giving his reasons.
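The end-to-end procedure summarized above, as an added example that is not code from Garrett's post or his tool: it builds a throwaway CA and user keys with ssh-keygen, signs a constructed message through ssh-agent with the certificate (the same ssh-keygen -Y sign -n git invocation git runs when gpg.format is ssh), and checks the result against an allowed signers file holding a cert-authority rule, including two rejections a practitioner should expect to see: a principal the certificate does not list, and a key the CA never certified. Every name and path here (the CA, alice, mallory, alice@example.com, the scratch directory) is invented for the demonstration; it needs OpenSSH 8.2 or newer for ssh-keygen -Y, and the git portion runs only if git is installed and recent enough for SSH signing.

```shell
#!/bin/sh
# Added walk-through (not code from Garrett's post or his tool): throwaway SSH CA,
# certified user key, signing via ssh-agent, verification with cert-authority.
# All names (CA, "alice", "mallory", principal alice@example.com) are invented.
# Needs OpenSSH with ssh-keygen -Y (8.2+); the git part is optional.
set -eu

# Create the CA, two user keys (only alice gets certified) and the trust policy.
make_pki() {
    dir=$1
    ssh-keygen -q -t ed25519 -N '' -C 'demo CA' -f "$dir/ca"
    ssh-keygen -q -t ed25519 -N '' -C 'alice'   -f "$dir/alice"
    ssh-keygen -q -t ed25519 -N '' -C 'mallory' -f "$dir/mallory"
    # Certify alice.pub -> alice-cert.pub: -I key id, -n principals, -V validity.
    ssh-keygen -q -s "$dir/ca" -I alice-laptop -n alice@example.com \
        -V '-5m:+1h' "$dir/alice.pub"
    # allowed_signers: any principal (*), but only through a certificate signed
    # by our CA, and only for the "git" signature namespace.
    printf '* cert-authority,namespaces="git" %s\n' \
        "$(cut -d' ' -f1,2 "$dir/ca.pub")" > "$dir/allowed_signers"
    # Constructed stand-in for the commit object git hands to ssh-keygen.
    printf 'tree 0000000\nauthor alice <alice@example.com>\n\ndemo commit\n' \
        > "$dir/commit.txt"
}

# Sign commit.txt with the certificate; this is the command git runs for
# gpg.format=ssh. -f names the certificate and the private half comes from the
# agent, which is why the agent (and agent forwarding) is central to the scheme.
sign_with_cert() {
    dir=$1
    eval "$(ssh-agent -s)" >/dev/null
    ssh-add "$dir/alice" >/dev/null 2>&1           # also loads alice-cert.pub
    ssh-keygen -Y sign -n git -f "$dir/alice-cert.pub" "$dir/commit.txt" \
        2>/dev/null                                # writes commit.txt.sig
    ssh-agent -k >/dev/null
}

# Verify the way git does: namespace "git", a certificate issued by a
# cert-authority key, and the checked principal listed in that certificate.
# Exit status 0 means accepted.
verify_sig() {
    dir=$1; principal=$2; sig=$3
    ssh-keygen -Y verify -f "$dir/allowed_signers" -n git -I "$principal" \
        -s "$sig" < "$dir/commit.txt"
}

# The same thing through git itself; skipped when git is absent.
git_demo() {
    dir=$1
    command -v git >/dev/null || { echo "git not installed, skipping"; return 0; }
    eval "$(ssh-agent -s)" >/dev/null
    ssh-add "$dir/alice" >/dev/null 2>&1
    git init -q "$dir/repo"
    g() { git -C "$dir/repo" "$@"; }
    g config user.name alice
    g config user.email alice@example.com
    g config gpg.format ssh                            # newer git: git config set
    g config user.signingkey "$dir/alice-cert.pub"    # or gpg.ssh.defaultKeyCommand
    g config gpg.ssh.allowedSignersFile "$dir/allowed_signers"
    g commit -q -S --allow-empty -m 'signed with an SSH certificate' \
        && g verify-commit HEAD
    rc=$?
    ssh-agent -k >/dev/null
    return "$rc"
}

WORK=$(mktemp -d)
make_pki "$WORK"
sign_with_cert "$WORK"
verify_sig "$WORK" alice@example.com "$WORK/commit.txt.sig"
verify_sig "$WORK" bob@example.com "$WORK/commit.txt.sig" 2>/dev/null \
    || echo "rejected: bob@example.com is not a principal of the certificate"
# mallory signs with a bare key the CA never certified: no cert-authority match.
ssh-keygen -Y sign -n git -f "$WORK/mallory" < "$WORK/commit.txt" \
    > "$WORK/mallory.sig" 2>/dev/null
verify_sig "$WORK" alice@example.com "$WORK/mallory.sig" 2>/dev/null \
    || echo "rejected: signing key is not a certificate from our CA"
git_demo "$WORK" || echo "git walk-through failed (git too old for SSH signing?)"
rm -rf "$WORK"
```

The git portion uses the portable git config KEY VALUE form; on git 2.46 and later the page's git config set spelling is equivalent. The namespaces="git" option on the allowed signers line is an extra restriction beyond the page's example: it stops a certificate holder's signatures made in other namespaces (file signing, for instance) from being accepted as commit signatures.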
