bash/zsh functions for easier SSH signing and verification

I have been using SSH signed git commits from 8 months and started signing things with my SSH key instead of PGP keys and thought to share how to do that more easily

If you didn’t know that SSH can be used for this, I suggest reading

• Andrew Ayer: It’s Now Possible To Sign Arbitrary Data With Your SSH Keys
• Caleb Hearth: Signing Git Commits with Your SSH Key (web.archive.org)

Signing

Usually you do ssh-keygen -Y sign -f MYPUBLICKEY -n TYPE filename, but that is a bit of effort, why not make an alias for it? In my shellrc’s I have:

alias ssh-sign-file="ssh-keygen -Y sign -f ~/.ssh/signingkey.pub -n file"

As I don’t change which key I use so often, I can export my public key to ~/.ssh/signingkey.pub or symlink it to the right place and now when I need to sign something, I can just ssh-sign-file file.txt to generate a file.txt.sig. Of course this assumes that I always sign files, but I don’t remember signing other things as git handles the commits for me.

Thus to sign file, I simply say ssh-sign-file hello.txt to receive hello.txt.sig containing my signature.

Signing file hello.txt
Write signature to hello.txt.sig

Verifying

There isn’t much point in signing things, unless you are able to verify them. The command for this is ssh-keygen -Y verify -f $allowed_signers -I $EMAIL -n file -s SIGNATUREFILE < $2, isn’t that a bit much to keep in mind? In my opinion it is and thus the function gets a bit more complicated:

sshAllowedSigners=$HOME/src/gitea.blesmrt.net/Mikaela/ssh-allowed_signers/allowed_signers
ssh-verify-file () {
    echo "$1 ${2:?Usage: ssh-verify-file <email> <file-to-verify>}" > /dev/null
    ssh-keygen -Y verify -f $sshAllowedSigners -I $1 -n file -s $2.sig < $2
}

First I specify where is my allowed_signers file so I don’t have to repeat it and in case I misuse the function, it reminds me how to use it:

% ssh-verify-file hello.txt
ssh-verify-file:1: 2: Usage: ssh-verify-file <email> <file-to-verify>

I again don’t remember verifying other types of files as git handles it for me and I think it’s a safe assumption that the signature ends to .sig.

So to use it properly and verify the previously signed file ssh-verify-file noreply@aminda.eu hello.txt

Good "file" signature for noreply@aminda.eu with ED25519 key SHA256:y2OpGEbett3Fqn8XFrP0X4mWfCVKf4rWkxERzqPY81U

Extra: having git handle it for me

When git is configured properly with gpg.ssh.allowedSignersFile the usual git verification commands work with SSH as well:

• git log --show-signature for the usual git log with signatures visbile
• git verify-tag 1.0 for verifying a specific tag signature.
• git verify-commit HEAD to verify the latest commit signature or just to see that git signing is working.

Isn’t the last command again effort? What if I could just say git verify?

% git verify
Good "git" signature for *@mikaela.info with RSA key SHA256:CXLULpqNBdUKB6E6fLA1b/4SzG0HvKD19PbIePU175Q

This is possible too, git config --global alias.verify verify-commit HEAD