From: Fabian Stelzer Date: Wed, 8 Jun 2022 15:24:37 +0000 (+0200) Subject: gpg docs: explain better use of ssh.defaultKeyCommand X-Git-Tag: v2.37.0-rc1~13^2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ce18a30bb78720d90df42b9d9ee6b8b7dd33d7e6;p=thirdparty%2Fgit.git gpg docs: explain better use of ssh.defaultKeyCommand Using `ssh-add -L` for gpg.ssh.defaultKeyCommand is not a good recommendation. It might switch keys depending on the order of known keys and it only supports ssh-* and no ecdsa or other keys. Clarify that we expect a literal key prefixed by `key::`, give valid example use cases and refer to `user.signingKey` as the preferred option. Signed-off-by: Fabian Stelzer Signed-off-by: Junio C Hamano --- diff --git a/Documentation/config/gpg.txt b/Documentation/config/gpg.txt index 86892ada77..86f6308c4c 100644 --- a/Documentation/config/gpg.txt +++ b/Documentation/config/gpg.txt @@ -36,9 +36,12 @@ gpg.minTrustLevel:: gpg.ssh.defaultKeyCommand:: This command that will be run when user.signingkey is not set and a ssh - signature is requested. On successful exit a valid ssh public key is - expected in the first line of its output. To automatically use the first - available key from your ssh-agent set this to "ssh-add -L". + signature is requested. On successful exit a valid ssh public key + prefixed with `key::` is expected in the first line of its output. + This allows for a script doing a dynamic lookup of the correct public + key when it is impractical to statically configure `user.signingKey`. + For example when keys or SSH Certificates are rotated frequently or + selection of the right key depends on external factors unknown to git. gpg.ssh.allowedSignersFile:: A file containing ssh public keys which you are willing to trust.