Why doesn't changing my SSH key make the correct author be shown for my commits?

Question

I'm having some issues juggling two different SSH keys on my machine. I have two GitHub accounts with distinct usernames and ssh keys.

I have a private directory on my GitHub @ zshap/test-push and mysteriously, when I change the readme and push it up, I'm seeing commits from my zackshapiro user, who is not a collaborator and has not been invited to that repo.

I don't understand how my other user would even be able to push to the private repo of zshap.

For good measure, the accounts have different profile pictures as well so it's easy to identify that zackshapiro has pushed to the zshap repo.

Also for good measure, I use these aliases to set my ssh key in terminal:

alias ssh-personal="ssh-add -D; ssh-add -K ~/.ssh/key1"

alias ssh-zshap="ssh-add -D; ssh-add -K ~/.ssh/key3"

Also for good measure, I've deleted the SSH key, key2, and created a new key3 using GitHub's tutorial in case I'd accidentally uploaded an existing key to GitHub. Additionally, I've ensured that the signatures shown in the SSH and GPG Keys section of GitHub settings are all different.

My ~/.ssh/config:

Host zackshapiro
    HostName github.com
    User git
    IdentityFile ~/.ssh/key1
    IdentitiesOnly yes

Host zshap
    HostName github.com
    User git
    IdentityFile ~/.ssh/key3
    IdentitiesOnly yes

Host *
  AddKeysToAgent yes
  UseKeychain yes

This is very confusing and the other answers to how to use multiple ssh keys on one machine don't seem to address this particular case. I'd love some help here so I'm not crossing these wires.

Thanks!

Edit

If I run ssh -T, I get a correct username here so it's extra strange that the commits are coming from my other user and ssh key

$ ssh -T git@github.com
Hi zshap! You've successfully authenticated, but GitHub does not provide shell access.

Edit 2

In my foo repo directory, I can run ssh-personal and then git push to push a new commit and I get the error (correctly):

ERROR: Repository not found. fatal: Could not read from remote repository. Please make sure you have the correct access rights and the repository exists.

Then when I run ssh-zshap and git push, I can successfully push but the commit message is from the wrong user! It's by the zackshapiro GitHub user instead of the zshap user.

Don't add the keys to the agent. The agent will just try the keys in order, regardless of which host alias you are trying to connect to. — chepner, Oct 09 '21 at 16:31
Your last one doesn't use `ssh` at all. It's establishing an anonymous, unauthenticated connection via HTTP. — chepner, Oct 09 '21 at 16:39
The `git clone` command in Edit 2. That doesn't use `ssh` at all, so unless `zshap/foo.git` is publicly visible, you won't see it, because GitHub doesn't know who is requesting it. — chepner, Oct 09 '21 at 16:52
I've updated the original question to remove Edit 2. I was able to clone with `git clone git@github.com:zshap/foo.git`. The issue remains: when I _push_, the commit shows the author as zackshapiro rather than zshap and again, zackshapiro does not have permissions to access or push to this private repo. — Zack Shapiro, Oct 09 '21 at 17:13
Double check the public keys you uploaded to the two github accounts. Is it `key1.pub` for zackshapiro and `key2.pub` for zshap ? — Philippe, Oct 09 '21 at 17:26
For good measure, I deleted key2 for zshap and made a new ssh key and uploaded it to Github, following their tutorial to make sure they didn't overlap. I'm still getting the same issue. — Zack Shapiro, Oct 09 '21 at 17:31
The _author_ has nothing to do with SSH authentication. Both the author and committer fields are set at commit time; github _can't_ change them without modifying the commit hash. — Charles Duffy, Oct 09 '21 at 17:46
Ah, interesting! Thanks @CharlesDuffy. I just figured that the SSH'd user's author data would come through as the other author wouldn't be authenticated to push to the repo. How can I ensure that my push's metadata includes the correct author info? — Zack Shapiro, Oct 09 '21 at 17:47
I'd suggest looking at the header to your commits, and at the `[user]` section's `name` and `email` fields in `~/.gitconfig` (which can be overridden by your individual project's `.git/config` file). — Charles Duffy, Oct 09 '21 at 17:48
`git config --global user.name "Zack Shapiro"; git config --global user.email "zshap@example.com"` f/e for global settings; leave out the `--global` to make the change only for the one repo whose directory you're currently in. — Charles Duffy, Oct 09 '21 at 17:49
You can use `git log` before trying to do any kind of push to see what name and email were used during a commit. (Personally, my preferred history-viewing tool is `tig`, but this is functionality anything in the genre should support). — Charles Duffy, Oct 09 '21 at 17:51
That did the trick! Thank you! Do I need to set that manually in each project's `.git/config` file to ensure the right author info is coming through? — Zack Shapiro, Oct 09 '21 at 17:51
If you have the right settings globally, you don't need to do anything per-project. — Charles Duffy, Oct 09 '21 at 17:52
Since I'm using multiple profiles, does it make sense to remove the `[user]` from the global git config altogether? — Zack Shapiro, Oct 09 '21 at 17:52
BTW, _because_ github doesn't have a way to tag commits with proof of who uploaded them, using signed commit functionality is all the more important. (Personally, I use a Yubikey-backed PGP key to sign all my commits to demonstrate that they were made by a machine I was physically at... or one I ssh'd into with gpg agent forwarding enabled, but that's a bit of work to set up). — Charles Duffy, Oct 09 '21 at 17:53
@CharlesDuffy That information would make a great answer, rather than being spread across comments, IMO. — IMSoP, Oct 09 '21 at 17:53
Your call -- either you set up the right thing globally, or you configure per-repo, or you can have multiple global configs and do some environment-variable twiddling to indicate which one is active at a given time. — Charles Duffy, Oct 09 '21 at 17:54

Charles Duffy · Accepted Answer · 2021-10-10T01:22:37.283

The Author and Committer fields are set by git itself, not by github, when you first run git commit to create a commit. Everything in that commit becomes part of the commit's hash, and therefore can't be changed without invalidating both that commit and every other commit that refers to it (or at least, rewriting all the impacted commits to be identified by a new and different hash). Consequently, the SSH keys used to authenticate to github can't change the commit itself.

If you want to set your identity for git's purpose, you can do that several ways, shown below in order of precedence (so if more than one of these are set, the one earlier in the list wins):

Via the environment with GIT_AUTHOR_NAME, GIT_AUTHOR_EMAIL, GIT_COMMITTER_NAME and GIT_COMMITTER_EMAIL. One important note: Using these can override preexisting values for both author and committer when doing a git commit --amend; normally only committer is updated during an amend.
Via per-project configuration in yourproject/.git/config, which can be modified with git config user.name "Your Name"; git config user.email "your.email@example.com"
Via user-specific "global" configuration in ~/.gitconfig (or $XDG_CONFIG_HOME/git/config), which can be modified with git config --global user.name "Your Name"; git config --global user.email "your.email@example.com". The location used to retrieve this can be overridden with the environment variable GIT_CONFIG_GLOBAL.
Via systemwide configuration in /etc/gitconfig. The location used to retrieve this can be overridden with the environment variable GIT_CONFIG_SYSTEM.

If you want to have multiple global configuration profiles you swap between, consider using the GIT_CONFIG_GLOBAL configuration file to specify an alternate location for ~/.gitconfig depending on which profile you want to have active at a given time.

If you want to prove your identity to others, that's the purpose of signed commits, a feature that requires you to set up an OpenPGP keypair.

Thanks for your help, Charles. I really appreciate it. I also found [this comment](https://stackoverflow.com/a/43654115/602210) helpful when I was searching for hassle-free ways to change your Author info without having to remember to manually set a `.git/config` file — Zack Shapiro, Oct 09 '21 at 18:02

Why doesn't changing my SSH key make the correct author be shown for my commits?

1 Answers1