2 Use this custom program instead of "`gpg`" found on `$PATH` when
3 making or verifying a PGP signature. The program must support the
4 same command-line interface as GPG, namely, to verify a detached
5 signature, "`gpg --verify $signature - <$file`" is run, and the
6 program is expected to signal a good signature by exiting with
7 code 0, and to generate an ASCII-armored detached signature, the
8 standard input of "`gpg -bsau $key`" is fed with the contents to be
9 signed, and the program is expected to send the result to its
13 Specifies which key format to use when signing with `--gpg-sign`.
14 Default is "openpgp". Other possible values are "x509", "ssh".
16 gpg.<format>.program::
17 Use this to customize the program used for the signing format you
18 chose. (see `gpg.program` and `gpg.format`) `gpg.program` can still
19 be used as a legacy synonym for `gpg.openpgp.program`. The default
20 value for `gpg.x509.program` is "gpgsm" and `gpg.ssh.program` is "ssh-keygen".
23 Specifies a minimum trust level for signature verification. If
24 this option is unset, then signature verification for merge
25 operations require a key with at least `marginal` trust. Other
26 operations that perform signature verification require a key
27 with at least `undefined` trust. Setting this option overrides
28 the required trust-level for all operations. Supported values,
29 in increasing order of significance:
37 gpg.ssh.defaultKeyCommand:
38 This command that will be run when user.signingkey is not set and a ssh
39 signature is requested. On successful exit a valid ssh public key is
40 expected in the first line of its output. To automatically use the first
41 available key from your ssh-agent set this to "ssh-add -L".
43 gpg.ssh.allowedSignersFile::
44 A file containing ssh public keys which you are willing to trust.
45 The file consists of one or more lines of principals followed by an ssh
47 e.g.: user1@example.com,user2@example.com ssh-rsa AAAAX1...
48 See ssh-keygen(1) "ALLOWED SIGNERS" for details.
49 The principal is only used to identify the key and is available when
50 verifying a signature.
52 SSH has no concept of trust levels like gpg does. To be able to differentiate
53 between valid signatures and trusted signatures the trust level of a signature
54 verification is set to `fully` when the public key is present in the allowedSignersFile.
55 Otherwise the trust level is `undefined` and git verify-commit/tag will fail.
57 This file can be set to a location outside of the repository and every developer
58 maintains their own trust store. A central repository server could generate this
59 file automatically from ssh keys with push access to verify the code against.
60 In a corporate setting this file is probably generated at a global location
61 from automation that already handles developer ssh keys.
63 A repository that only allows signed commits can store the file
64 in the repository itself using a path relative to the top-level of the working tree.
65 This way only committers with an already valid key can add or change keys in the keyring.
67 Since OpensSSH 8.8 this file allows specifying a key lifetime using valid-after &
68 valid-before options. Git will mark signatures as valid if the signing key was
69 valid at the time of the signatures creation. This allows users to change a
70 signing key without invalidating all previously made signatures.
72 Using a SSH CA key with the cert-authority option
73 (see ssh-keygen(1) "CERTIFICATES") is also valid.
75 gpg.ssh.revocationFile::
76 Either a SSH KRL or a list of revoked public keys (without the principal prefix).
77 See ssh-keygen(1) for details.
78 If a public key is found in this file then it will always be treated
79 as having trust level "never" and signatures will show as invalid.