March 21, 2026
Keys, certs & chaos
SSH Certificates and Git Signing
Coders clash over new way to prove who wrote code with SSH
TLDR: Git can sign code using SSH certificates, making it easier to verify who really wrote a change and fight supply chain tampering. Commenters cheered the practicality, argued for Sigstore or sticking with old methods, and roasted X.509 complexity—turning a security upgrade into a full-on culture war.
Forget mystery authors—this week’s dev drama is all about proving who actually wrote the code. A new explainer says Git can sign changes with SSH certificates (a trusted stamp on your key), and the crowd immediately split into camps. Security fans cheered, calling it a practical fix for fake author names and hacked accounts. Old-school cryptography diehards clutched their OpenPGP (pretty good privacy) manuals like vinyl collectors, while corporate folks defended X.509 (the complicated office badge of certificates) with “because compliance.” Meanwhile, everyone laughed/cry-reacted at Git putting all the settings under “gpg” even if you don’t use it—“we live in a house of labels,” one joked.
Hot takes flew fast: some said this solves the real problem—“stop trusting GitHub profiles, trust signed keys”—while others pushed Sigstore like it’s the cool new password-less club. Skeptics warned that if your account gets hijacked, your trust list goes poof, and meme lords dubbed the old “web of trust” the “web of rust.” Devs celebrated forwarding their SSH certs like VIP wristbands and praised the tiny helper tool that auto-finds your cert. Jokes peaked with “author fields are cosplay, signatures are receipts” and “X.509 is escape room: enterprise edition.” The vibe? Relieved, riled, and very, very online.
Key Points
- Git author fields can be falsified and account compromise can mask malicious commits, increasing supply chain risk.
- Git supports signing commits and tags with OpenPGP, X.509, or SSH keys; trust management is required for SSH keys.
- OpenSSH supports SSH certificates with Principals metadata and agent forwarding, enabling trusted identities for signing.
- Git can be configured for SSH signing via gpg.format set to ssh and either user.signingkey or gpg.ssh.defaultKeyCommand.
- Signature verification uses ssh-keygen against an authorized_keys-style file listing trusted certificate authorities.