I've been trying to reconfigure my SSH key

Question

I keep getting the following error:

 git commit -sam "blah blah blah"
fatal: either user.signingkey or gpg.ssh.defaultKeyCommand needs to be configured

I just updated Git completely trying to figure this out, so it's completely up to date, and then I successfully added all of my usual configurations to the new version now running in Git Bash. I've repeatedly gone to Github's SSH key generator and followed the directions one by one. AND AFTER ALL THAT, I'M STILL GETTING THIS ERROR.

I am unable to make commits ANYWHERE on my local machine (Git Bash, Terminal, GitKraken; I even broke down and tried Github Desktop), much less signed, annotated commits, as is my habit. I removed the expired keys from my Github account. I DON'T KNOW WHAT ELSE TO DO.

I wouldn't post that ASCII image, you can recreate the key from it — Flash Thunder, Nov 23 '22 at 15:10
The old image is still visible in the history of this question. — torek, Nov 24 '22 at 11:44
The only safe course of action for secret leaks like that is to immediately deactivate the secret (i.e. remove it from github or any other site where you use it and then delete it). — Joachim Sauer, Nov 24 '22 at 12:04

score 4 · Accepted Answer · answered Nov 24 '22 at 11:57

You're mixing together the concepts of ssh keys (which are somewhat generalized and apply across all of ssh, and which you can use to authenticate yourself to GitHub) and Git's signed commits (and signed annotated tags). These are different, although they use related mechanisms.

In particular, to use an ssh key to sign a Git commit, you must:

configure your ssh locally so that it can sign commits (this may or may not already be supported depending on your OpenSSH version);
tell Git how to use your ssh to sign commits (this depends on your ssh version); and
tell Git to use ssh to sign commits.

None of these three steps use or require anything on GitHub. But this is what is failing here: you have not set up user.signingkey or gpg.ssh.defaultKeyCommand in Git, which is where that second bullet point comes in. (You're already doing the third one, but Git doesn't know how to run your ssh yet!) You'll need to figure out how to get Git to invoke the right commands on your system (which will depend somewhat on your OS and OpenSSH version).

Once you have such signed commits, however, these digital signatures are useful only to you, not to anyone else, unless you have spread the key(s) involved in these digital signatures. This is where you get GitHub involved.

See How do I sign git commits using my existing ssh key and particularly VonC's answer here to Why does git sign with GPG keys rather than using SSH keys?, to see how to do the first part. See both VonC's and other answers, particularly Jakuje's here, for some cautions involving using ssh keys here.

I don't know any of the GitHub side details here, but VonC's answers have more.

In general, it's a lot easier to use GPG for signing commits and/or annotated tags.

score 1 · Answer 2 · answered May 31 '23 at 14:17

If you have an ssh key an want to sign your commits using SSH

Try this: {change jayrizzo or the path to your public key to your name/path.}

# windows
git config --global user.signingkey C:\Users\jayrizzo\.ssh\id_rsa.pub

# linux
git config --global user.signingkey ~/.ssh/id_rsa.pub

Then after running the above, try making the commit again.

Reference: https://stackoverflow.com/a/72852713/1896134

Cheers!

I've been trying to reconfigure my SSH key

2 Answers2