Using FIDO2 for SSH

2023-10-07

It is now possible to sign git commits with SSH, and with it came the long awaited death knell of GPG. Combined with FIDO2 security keys, a GPG-less solution for both signing and authentication is now possible. My own personal GPG keys recently expired, so I took the opportunity.

For this I'll be using the recently announced NitroKey Passkey, which has a lovely little form-factor that you can leave permanently plugged into your computer. (I previously had a SoloKey 2 that I got during the kickstarter, though unfortunately I ran into reliability problems with the touch interface, and the project seems to be dead.)

https://docs.gitlab.com/ee/user/project/repository/signed_commits/ssh.html

Setting a PIN

chrome://settings/securityKeys

Can use the same page to reset the key.

ssh-keygen -t ed25519-sk -f $HOME/.ssh/id_nitrokey -O application=ssh:nitrokey
ssh-copy-id -i $HOME/.ssh/id_nitrokey.pub admin@escher

https://weisser-zwerg.dev/posts/openssh-fido2-hardwarekey/
https://blog.frehi.be/2022/08/04/using-the-solo-v2-fido2-security-key/
https://gitlab.gnome.org/GNOME/gnome-keyring/-/issues/101

ssh-agent runs in the background and needs access to a window for you to enter your PIN. You can download an application for this, or just make the key non-resident and require touch instead. That's what I do.

Setting SSH_ASKPASS together with SSH_ASKPASS_REQUIRE=force bypasses the $DISPLAY check, so the askpass program is used even without a display: https://www.openssh.com/txt/release-8.9

Sign Commits and Tags

git config gpg.format ssh
git config user.signingkey ~/.ssh/<your-key>.pub
git config --global gpg.ssh.allowedSignersFile ~/.ssh/allowed_signers