summaryrefslogtreecommitdiffstats
path: root/Documentation/config/gpg.txt
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--Documentation/config/gpg.txt85
1 files changed, 85 insertions, 0 deletions
diff --git a/Documentation/config/gpg.txt b/Documentation/config/gpg.txt
new file mode 100644
index 0000000..5cf32b1
--- /dev/null
+++ b/Documentation/config/gpg.txt
@@ -0,0 +1,85 @@
+gpg.program::
+ Use this custom program instead of "`gpg`" found on `$PATH` when
+ making or verifying a PGP signature. The program must support the
+ same command-line interface as GPG, namely, to verify a detached
+ signature, "`gpg --verify $signature - <$file`" is run, and the
+ program is expected to signal a good signature by exiting with
+ code 0. To generate an ASCII-armored detached signature, the
+ standard input of "`gpg -bsau $key`" is fed with the contents to be
+ signed, and the program is expected to send the result to its
+ standard output.
+
+gpg.format::
+ Specifies which key format to use when signing with `--gpg-sign`.
+ Default is "openpgp". Other possible values are "x509", "ssh".
++
+See linkgit:gitformat-signature[5] for the signature format, which differs
+based on the selected `gpg.format`.
+
+gpg.<format>.program::
+ Use this to customize the program used for the signing format you
+ chose. (see `gpg.program` and `gpg.format`) `gpg.program` can still
+ be used as a legacy synonym for `gpg.openpgp.program`. The default
+ value for `gpg.x509.program` is "gpgsm" and `gpg.ssh.program` is "ssh-keygen".
+
+gpg.minTrustLevel::
+ Specifies a minimum trust level for signature verification. If
+ this option is unset, then signature verification for merge
+ operations requires a key with at least `marginal` trust. Other
+ operations that perform signature verification require a key
+ with at least `undefined` trust. Setting this option overrides
+ the required trust-level for all operations. Supported values,
+ in increasing order of significance:
++
+* `undefined`
+* `never`
+* `marginal`
+* `fully`
+* `ultimate`
+
+gpg.ssh.defaultKeyCommand::
+ This command will be run when user.signingkey is not set and a ssh
+ signature is requested. On successful exit a valid ssh public key
+ prefixed with `key::` is expected in the first line of its output.
+ This allows for a script doing a dynamic lookup of the correct public
+ key when it is impractical to statically configure `user.signingKey`.
+ For example when keys or SSH Certificates are rotated frequently or
+ selection of the right key depends on external factors unknown to git.
+
+gpg.ssh.allowedSignersFile::
+ A file containing ssh public keys which you are willing to trust.
+ The file consists of one or more lines of principals followed by an ssh
+ public key.
+ e.g.: `user1@example.com,user2@example.com ssh-rsa AAAAX1...`
+ See ssh-keygen(1) "ALLOWED SIGNERS" for details.
+ The principal is only used to identify the key and is available when
+ verifying a signature.
++
+SSH has no concept of trust levels like gpg does. To be able to differentiate
+between valid signatures and trusted signatures the trust level of a signature
+verification is set to `fully` when the public key is present in the allowedSignersFile.
+Otherwise the trust level is `undefined` and git verify-commit/tag will fail.
++
+This file can be set to a location outside of the repository and every developer
+maintains their own trust store. A central repository server could generate this
+file automatically from ssh keys with push access to verify the code against.
+In a corporate setting this file is probably generated at a global location
+from automation that already handles developer ssh keys.
++
+A repository that only allows signed commits can store the file
+in the repository itself using a path relative to the top-level of the working tree.
+This way only committers with an already valid key can add or change keys in the keyring.
++
+Since OpensSSH 8.8 this file allows specifying a key lifetime using valid-after &
+valid-before options. Git will mark signatures as valid if the signing key was
+valid at the time of the signature's creation. This allows users to change a
+signing key without invalidating all previously made signatures.
++
+Using a SSH CA key with the cert-authority option
+(see ssh-keygen(1) "CERTIFICATES") is also valid.
+
+gpg.ssh.revocationFile::
+ Either a SSH KRL or a list of revoked public keys (without the principal prefix).
+ See ssh-keygen(1) for details.
+ If a public key is found in this file then it will always be treated
+ as having trust level "never" and signatures will show as invalid.