| gpg.program:: |
| Use this custom program instead of "`gpg`" found on `$PATH` when |
| making or verifying a PGP signature. The program must support the |
| same command-line interface as GPG, namely, to verify a detached |
| signature, "`gpg --verify $signature - <$file`" is run, and the |
| program is expected to signal a good signature by exiting with |
| code 0. To generate an ASCII-armored detached signature, the |
| standard input of "`gpg -bsau $key`" is fed with the contents to be |
| signed, and the program is expected to send the result to its |
| standard output. |
| |
| gpg.format:: |
| Specifies which key format to use when signing with `--gpg-sign`. |
| Default is "openpgp". Other possible values are "x509", "ssh". |
| + |
| See linkgit:gitformat-signature[5] for the signature format, which differs |
| based on the selected `gpg.format`. |
| |
| gpg.<format>.program:: |
| Use this to customize the program used for the signing format you |
| chose. (see `gpg.program` and `gpg.format`) `gpg.program` can still |
| be used as a legacy synonym for `gpg.openpgp.program`. The default |
| value for `gpg.x509.program` is "gpgsm" and `gpg.ssh.program` is "ssh-keygen". |
| |
| gpg.minTrustLevel:: |
| Specifies a minimum trust level for signature verification. If |
| this option is unset, then signature verification for merge |
| operations requires a key with at least `marginal` trust. Other |
| operations that perform signature verification require a key |
| with at least `undefined` trust. Setting this option overrides |
| the required trust-level for all operations. Supported values, |
| in increasing order of significance: |
| + |
| * `undefined` |
| * `never` |
| * `marginal` |
| * `fully` |
| * `ultimate` |
| |
| gpg.ssh.defaultKeyCommand:: |
| This command will be run when user.signingkey is not set and a ssh |
| signature is requested. On successful exit a valid ssh public key |
| prefixed with `key::` is expected in the first line of its output. |
| This allows for a script doing a dynamic lookup of the correct public |
| key when it is impractical to statically configure `user.signingKey`. |
| For example when keys or SSH Certificates are rotated frequently or |
| selection of the right key depends on external factors unknown to git. |
| |
| gpg.ssh.allowedSignersFile:: |
| A file containing ssh public keys which you are willing to trust. |
| The file consists of one or more lines of principals followed by an ssh |
| public key. |
| e.g.: `user1@example.com,user2@example.com ssh-rsa AAAAX1...` |
| See ssh-keygen(1) "ALLOWED SIGNERS" for details. |
| The principal is only used to identify the key and is available when |
| verifying a signature. |
| + |
| SSH has no concept of trust levels like gpg does. To be able to differentiate |
| between valid signatures and trusted signatures the trust level of a signature |
| verification is set to `fully` when the public key is present in the allowedSignersFile. |
| Otherwise the trust level is `undefined` and git verify-commit/tag will fail. |
| + |
| This file can be set to a location outside of the repository and every developer |
| maintains their own trust store. A central repository server could generate this |
| file automatically from ssh keys with push access to verify the code against. |
| In a corporate setting this file is probably generated at a global location |
| from automation that already handles developer ssh keys. |
| + |
| A repository that only allows signed commits can store the file |
| in the repository itself using a path relative to the top-level of the working tree. |
| This way only committers with an already valid key can add or change keys in the keyring. |
| + |
| Since OpensSSH 8.8 this file allows specifying a key lifetime using valid-after & |
| valid-before options. Git will mark signatures as valid if the signing key was |
| valid at the time of the signature's creation. This allows users to change a |
| signing key without invalidating all previously made signatures. |
| + |
| Using a SSH CA key with the cert-authority option |
| (see ssh-keygen(1) "CERTIFICATES") is also valid. |
| |
| gpg.ssh.revocationFile:: |
| Either a SSH KRL or a list of revoked public keys (without the principal prefix). |
| See ssh-keygen(1) for details. |
| If a public key is found in this file then it will always be treated |
| as having trust level "never" and signatures will show as invalid. |