- Updated: March 22, 2026
- 5 min read
Secure Git Commits with SSH Certificates – A Modern Approach
SSH certificates provide a secure, hardware‑backed method for signing Git commits, guaranteeing code integrity and authentic author attribution while simplifying key management.
Why Git Commit Signing Is Critical for Modern Development
In today’s supply‑chain‑focused security landscape, a signed commit is the digital equivalent of a notarized contract. It proves that the code originated from a trusted identity and has not been tampered with in transit. Without cryptographic verification, attackers can inject malicious changes, and compromised accounts can masquerade as legitimate contributors. By signing each commit, teams gain an immutable audit trail that integrates seamlessly with CI/CD pipelines, code‑review tools, and compliance dashboards.
SSH Certificates vs. Traditional SSH Keys
Traditional SSH keys are static public‑private pairs. While they enable authentication, they lack built‑in trust metadata, making large‑scale key rotation and revocation cumbersome. SSH certificates, on the other hand, are public keys signed by a trusted Certificate Authority (CA). The certificate embeds:
- Principals (usernames, groups, or service identifiers)
- Validity periods (start and expiry timestamps)
- Custom extensions for policy enforcement
This extra context lets organizations enforce fine‑grained access controls and automate trust decisions without manually maintaining an ever‑growing authorized‑keys file.
Configuring SSH‑Based Git Signing
Setting up SSH certificates for Git signing involves three core steps: generating a CA, issuing user certificates, and configuring Git to use the certificate.
1. Create a Certificate Authority (CA)
ssh-keygen -f ca_key -C "Git CA" -t ed25519 -N ""2. Issue a User Certificate
ssh-keygen -s ca_key -I git_user -n git_user,dev-team -V +52w -z 1 ~/.ssh/id_ed25519.pubThe -V +52w flag sets a 52‑week validity window, while -n lists the principals that the certificate represents.
3. Configure Git to Use the Certificate
Git still uses the gpg namespace for signing configuration, even when the underlying mechanism is SSH. Add the following to your global .gitconfig:
[gpg]
format = ssh
[user]
signingkey = /path/to/id_ed25519-cert.pub
[commit]
gpgsign = trueIf the certificate lives on a hardware token (e.g., TPM or Secure Enclave), you can point Git to a helper script via gpg.ssh.defaultKeyCommand. This script queries the SSH agent for the appropriate certificate, enabling seamless signing without exposing private material on disk.
Validating and Verifying Signed Commits
When a signed commit is pushed, Git invokes ssh-keygen -Y verify under the hood. The verification process checks:
- Signature integrity against the public part of the certificate
- Certificate chain validity (signed by a trusted CA)
- Principal match between the certificate and the Git author/committer fields
- Expiration – the commit must be signed within the certificate’s validity window
For teams that require custom policy (e.g., restricting commits to specific directories), a lightweight verification script can be added to CI pipelines. The script extracts the certificate’s extensions and enforces additional rules before allowing a merge.
Hardware‑Backed Keys and Attestation: Raising the Security Bar
Storing the private key in a Trusted Platform Module (TPM) or Apple Secure Enclave eliminates the risk of key exfiltration. When a key is generated inside such hardware, the device can produce an attestation – a cryptographic proof that the key originated from a genuine TPM.
Attestation enables two powerful capabilities:
- Zero‑Trust Verification: CI systems can verify that a commit was signed by a TPM‑backed key, ensuring the signature was produced on a trusted device.
- Automated Revocation: If a device is decommissioned, its attestation certificate can be revoked centrally, instantly invalidating all associated SSH certificates.
UBOS’s Chroma DB integration can store attestation metadata alongside commit logs, providing a searchable audit trail for compliance teams.
SSH Certificates vs. OpenPGP & X.509: A Pragmatic Comparison
| Feature | OpenPGP | X.509 | SSH Certs |
|---|---|---|---|
| Trust Model | Web of Trust (complex) | PKI hierarchy (expensive) | Simple CA signing (lightweight) |
| Key Rotation | Manual, error‑prone | Certificate renewal cycles | Short‑lived certs, automated revocation |
| Hardware Support | Limited | Smart‑card friendly | Native TPM/Enclave attestation |
| Integration with Git | Supported, but requires extra tooling | Rarely used for Git | Built‑in via gpg.format ssh |
For most DevOps teams, SSH certificates strike the best balance between security, usability, and automation.
Practical Tips & Best Practices for Deploying SSH‑Based Git Signing
Adopting SSH certificates at scale requires disciplined processes. Below are proven practices drawn from real‑world deployments:
- Centralize CA Management: Use a dedicated service (e.g., Enterprise AI platform by UBOS) to issue, rotate, and revoke certificates.
- Enforce Short Validity: Set certificate lifetimes to 30‑90 days. Short windows limit exposure if a key is compromised.
- Leverage Agent Forwarding Securely: Forward only the certificate, never the private key. Combine with
ssh-add -cto require confirmation per use. - Audit Regularly: Store commit signatures and attestation logs in a searchable database; the UBOS portfolio examples showcase dashboards for this purpose.
- Integrate with CI/CD: Add a verification step in pipelines (GitHub Actions, GitLab CI) that rejects unsigned or expired commits.
- Document the Workflow: Provide developers with a quick‑start guide using UBOS templates for quick start to reduce friction.
Take the Next Step Toward Secure Code Signatures
Ready to modernize your Git signing strategy? Explore UBOS’s Web app editor on UBOS to prototype a custom certificate issuance portal, or join the UBOS partner program for dedicated support and integration services.
Whether you’re a startup looking for a lightweight solution (UBOS for startups) or an enterprise seeking a full‑stack AI‑driven security platform, the combination of SSH certificates, hardware attestation, and automated verification gives you the confidence that every line of code truly belongs to its author.
For a deeper technical dive, see the original analysis by Michael G. at SSH certificates and Git signing.