31a431b18b
This document only explains PGP signatures, but Git now supports X.509 signatures as of1e7adb9756
(gpg-interface: introduce new signature format "x509" using gpgsm, 2018-07-17), and SSH signatures as of29b315778e
(ssh signing: add ssh key format and signing code, 2021-09-10). Additionally, explain that these signature formats are controlled `gpg.format`, linking to its documentation, and explain in said `gpg.format` documentation that the underlying signature format is documented in signature-format.txt. Signed-off-by: Gwyneth Morgan <gwymor@tilde.club> Signed-off-by: Junio C Hamano <gitster@pobox.com>
86 lines
4.1 KiB
Plaintext
86 lines
4.1 KiB
Plaintext
gpg.program::
|
|
Use this custom program instead of "`gpg`" found on `$PATH` when
|
|
making or verifying a PGP signature. The program must support the
|
|
same command-line interface as GPG, namely, to verify a detached
|
|
signature, "`gpg --verify $signature - <$file`" is run, and the
|
|
program is expected to signal a good signature by exiting with
|
|
code 0, and to generate an ASCII-armored detached signature, the
|
|
standard input of "`gpg -bsau $key`" is fed with the contents to be
|
|
signed, and the program is expected to send the result to its
|
|
standard output.
|
|
|
|
gpg.format::
|
|
Specifies which key format to use when signing with `--gpg-sign`.
|
|
Default is "openpgp". Other possible values are "x509", "ssh".
|
|
+
|
|
See linkgit:gitformat-signature[5] for the signature format, which differs
|
|
based on the selected `gpg.format`.
|
|
|
|
gpg.<format>.program::
|
|
Use this to customize the program used for the signing format you
|
|
chose. (see `gpg.program` and `gpg.format`) `gpg.program` can still
|
|
be used as a legacy synonym for `gpg.openpgp.program`. The default
|
|
value for `gpg.x509.program` is "gpgsm" and `gpg.ssh.program` is "ssh-keygen".
|
|
|
|
gpg.minTrustLevel::
|
|
Specifies a minimum trust level for signature verification. If
|
|
this option is unset, then signature verification for merge
|
|
operations require a key with at least `marginal` trust. Other
|
|
operations that perform signature verification require a key
|
|
with at least `undefined` trust. Setting this option overrides
|
|
the required trust-level for all operations. Supported values,
|
|
in increasing order of significance:
|
|
+
|
|
* `undefined`
|
|
* `never`
|
|
* `marginal`
|
|
* `fully`
|
|
* `ultimate`
|
|
|
|
gpg.ssh.defaultKeyCommand::
|
|
This command that will be run when user.signingkey is not set and a ssh
|
|
signature is requested. On successful exit a valid ssh public key
|
|
prefixed with `key::` is expected in the first line of its output.
|
|
This allows for a script doing a dynamic lookup of the correct public
|
|
key when it is impractical to statically configure `user.signingKey`.
|
|
For example when keys or SSH Certificates are rotated frequently or
|
|
selection of the right key depends on external factors unknown to git.
|
|
|
|
gpg.ssh.allowedSignersFile::
|
|
A file containing ssh public keys which you are willing to trust.
|
|
The file consists of one or more lines of principals followed by an ssh
|
|
public key.
|
|
e.g.: `user1@example.com,user2@example.com ssh-rsa AAAAX1...`
|
|
See ssh-keygen(1) "ALLOWED SIGNERS" for details.
|
|
The principal is only used to identify the key and is available when
|
|
verifying a signature.
|
|
+
|
|
SSH has no concept of trust levels like gpg does. To be able to differentiate
|
|
between valid signatures and trusted signatures the trust level of a signature
|
|
verification is set to `fully` when the public key is present in the allowedSignersFile.
|
|
Otherwise the trust level is `undefined` and git verify-commit/tag will fail.
|
|
+
|
|
This file can be set to a location outside of the repository and every developer
|
|
maintains their own trust store. A central repository server could generate this
|
|
file automatically from ssh keys with push access to verify the code against.
|
|
In a corporate setting this file is probably generated at a global location
|
|
from automation that already handles developer ssh keys.
|
|
+
|
|
A repository that only allows signed commits can store the file
|
|
in the repository itself using a path relative to the top-level of the working tree.
|
|
This way only committers with an already valid key can add or change keys in the keyring.
|
|
+
|
|
Since OpensSSH 8.8 this file allows specifying a key lifetime using valid-after &
|
|
valid-before options. Git will mark signatures as valid if the signing key was
|
|
valid at the time of the signature's creation. This allows users to change a
|
|
signing key without invalidating all previously made signatures.
|
|
+
|
|
Using a SSH CA key with the cert-authority option
|
|
(see ssh-keygen(1) "CERTIFICATES") is also valid.
|
|
|
|
gpg.ssh.revocationFile::
|
|
Either a SSH KRL or a list of revoked public keys (without the principal prefix).
|
|
See ssh-keygen(1) for details.
|
|
If a public key is found in this file then it will always be treated
|
|
as having trust level "never" and signatures will show as invalid.
|