[thirdparty/git.git] / Documentation / config / gpg.txt

gpg.program::
	Use this custom program instead of "`gpg`" found on `$PATH` when
	making or verifying a PGP signature. The program must support the
	same command-line interface as GPG, namely, to verify a detached
	signature, "`gpg --verify $signature - <$file`" is run, and the
	program is expected to signal a good signature by exiting with
	code 0, and to generate an ASCII-armored detached signature, the
	standard input of "`gpg -bsau $key`" is fed with the contents to be
	signed, and the program is expected to send the result to its
	standard output.

gpg.format::
	Specifies which key format to use when signing with `--gpg-sign`.
	Default is "openpgp". Other possible values are "x509", "ssh".
+
See linkgit:gitformat-signature[5] for the signature format, which differs
based on the selected `gpg.format`.

gpg.<format>.program::
	Use this to customize the program used for the signing format you
	chose. (see `gpg.program` and `gpg.format`) `gpg.program` can still
	be used as a legacy synonym for `gpg.openpgp.program`. The default
	value for `gpg.x509.program` is "gpgsm" and `gpg.ssh.program` is "ssh-keygen".

gpg.minTrustLevel::
	Specifies a minimum trust level for signature verification.  If
	this option is unset, then signature verification for merge
	operations require a key with at least `marginal` trust.  Other
	operations that perform signature verification require a key
	with at least `undefined` trust.  Setting this option overrides
	the required trust-level for all operations.  Supported values,
	in increasing order of significance:
+
* `undefined`
* `never`
* `marginal`
* `fully`
* `ultimate`

gpg.ssh.defaultKeyCommand::
	This command that will be run when user.signingkey is not set and a ssh
	signature is requested. On successful exit a valid ssh public key
	prefixed with `key::` is expected in the first line of its output.
	This allows for a script doing a dynamic lookup of the correct public
	key when it is impractical to statically configure `user.signingKey`.
	For example when keys or SSH Certificates are rotated frequently or
	selection of the right key depends on external factors unknown to git.

gpg.ssh.allowedSignersFile::
	A file containing ssh public keys which you are willing to trust.
	The file consists of one or more lines of principals followed by an ssh
	public key.
	e.g.: `user1@example.com,user2@example.com ssh-rsa AAAAX1...`
	See ssh-keygen(1) "ALLOWED SIGNERS" for details.
	The principal is only used to identify the key and is available when
	verifying a signature.
+
SSH has no concept of trust levels like gpg does. To be able to differentiate
between valid signatures and trusted signatures the trust level of a signature
verification is set to `fully` when the public key is present in the allowedSignersFile.
Otherwise the trust level is `undefined` and git verify-commit/tag will fail.
+
This file can be set to a location outside of the repository and every developer
maintains their own trust store. A central repository server could generate this
file automatically from ssh keys with push access to verify the code against.
In a corporate setting this file is probably generated at a global location
from automation that already handles developer ssh keys.
+
A repository that only allows signed commits can store the file
in the repository itself using a path relative to the top-level of the working tree.
This way only committers with an already valid key can add or change keys in the keyring.
+
Since OpensSSH 8.8 this file allows specifying a key lifetime using valid-after &
valid-before options. Git will mark signatures as valid if the signing key was
valid at the time of the signature's creation. This allows users to change a
signing key without invalidating all previously made signatures.
+
Using a SSH CA key with the cert-authority option
(see ssh-keygen(1) "CERTIFICATES") is also valid.

gpg.ssh.revocationFile::
	Either a SSH KRL or a list of revoked public keys (without the principal prefix).
	See ssh-keygen(1) for details.
	If a public key is found in this file then it will always be treated
	as having trust level "never" and signatures will show as invalid.
Commit	Line	Data
ea555d04 NTND	1	gpg.program::
	2	Use this custom program instead of "`gpg`" found on `$PATH` when
	3	making or verifying a PGP signature. The program must support the
	4	same command-line interface as GPG, namely, to verify a detached
f7bf24d4	5	signature, "`gpg --verify $signature - <$file`" is run, and the
ea555d04 NTND	6	program is expected to signal a good signature by exiting with
	7	code 0, and to generate an ASCII-armored detached signature, the
	8	standard input of "`gpg -bsau $key`" is fed with the contents to be
	9	signed, and the program is expected to send the result to its
	10	standard output.
	11
	12	gpg.format::
	13	Specifies which key format to use when signing with `--gpg-sign`.
29b31577	14	Default is "openpgp". Other possible values are "x509", "ssh".
31a431b1 GM	15	+
	16	See linkgit:gitformat-signature[5] for the signature format, which differs
	17	based on the selected `gpg.format`.
ea555d04 NTND	18
	19	gpg.<format>.program::
	20	Use this to customize the program used for the signing format you
	21	chose. (see `gpg.program` and `gpg.format`) `gpg.program` can still
8d75a1d1	22	be used as a legacy synonym for `gpg.openpgp.program`. The default
29b31577	23	value for `gpg.x509.program` is "gpgsm" and `gpg.ssh.program` is "ssh-keygen".
54887b46 HJI	24
	25	gpg.minTrustLevel::
	26	Specifies a minimum trust level for signature verification. If
	27	this option is unset, then signature verification for merge
	28	operations require a key with at least `marginal` trust. Other
	29	operations that perform signature verification require a key
	30	with at least `undefined` trust. Setting this option overrides
	31	the required trust-level for all operations. Supported values,
	32	in increasing order of significance:
	33	+
	34	* `undefined`
	35	* `never`
	36	* `marginal`
	37	* `fully`
	38	* `ultimate`
fd9e2267	39
deb5407a	40	gpg.ssh.defaultKeyCommand::
fd9e2267	41	This command that will be run when user.signingkey is not set and a ssh
ce18a30b FS	42	signature is requested. On successful exit a valid ssh public key
	43	prefixed with `key::` is expected in the first line of its output.
	44	This allows for a script doing a dynamic lookup of the correct public
	45	key when it is impractical to statically configure `user.signingKey`.
	46	For example when keys or SSH Certificates are rotated frequently or
	47	selection of the right key depends on external factors unknown to git.
facca53a FS	48
	49	gpg.ssh.allowedSignersFile::
	50	A file containing ssh public keys which you are willing to trust.
	51	The file consists of one or more lines of principals followed by an ssh
	52	public key.
acd78728	53	e.g.: `user1@example.com,user2@example.com ssh-rsa AAAAX1...`
facca53a FS	54	See ssh-keygen(1) "ALLOWED SIGNERS" for details.
	55	The principal is only used to identify the key and is available when
	56	verifying a signature.
	57	+
	58	SSH has no concept of trust levels like gpg does. To be able to differentiate
	59	between valid signatures and trusted signatures the trust level of a signature
	60	verification is set to `fully` when the public key is present in the allowedSignersFile.
9fb391bf	61	Otherwise the trust level is `undefined` and git verify-commit/tag will fail.
facca53a FS	62	+
	63	This file can be set to a location outside of the repository and every developer
	64	maintains their own trust store. A central repository server could generate this
	65	file automatically from ssh keys with push access to verify the code against.
	66	In a corporate setting this file is probably generated at a global location
	67	from automation that already handles developer ssh keys.
	68	+
	69	A repository that only allows signed commits can store the file
	70	in the repository itself using a path relative to the top-level of the working tree.
	71	This way only committers with an already valid key can add or change keys in the keyring.
	72	+
6393c956 FS	73	Since OpensSSH 8.8 this file allows specifying a key lifetime using valid-after &
6393c956 FS	74	valid-before options. Git will mark signatures as valid if the signing key was
cbac0076	75	valid at the time of the signature's creation. This allows users to change a
6393c956 FS	76	signing key without invalidating all previously made signatures.
6393c956 FS	77	+
facca53a FS	78	Using a SSH CA key with the cert-authority option
	79	(see ssh-keygen(1) "CERTIFICATES") is also valid.
	80
	81	gpg.ssh.revocationFile::
	82	Either a SSH KRL or a list of revoked public keys (without the principal prefix).
	83	See ssh-keygen(1) for details.
	84	If a public key is found in this file then it will always be treated
	85	as having trust level "never" and signatures will show as invalid.