gurfin / Using Yubikeys for SSH and commit signing

Created Fri, 26 Jun 2026 21:44:00 +0100 Modified Sat, 27 Jun 2026 09:28:47 +0000

Have you ever felt a bit concerned about the security of your SSH keys? Not only for accessing critical infrastructure, but also for pushing code to GitHub or GitLab.
Furthermore, have you considered signing your commits, so that anyone can check that your commits are actually yours?

Fear not! Hopefully you will feel a lot better after following this guide and spending some hard-earned money on Yubikeys.

The Yubikey

First of all, the Yubikey. This is just one option for a hardware authentication device, but it is the most popular on the market. There are a bunch of different models and you should pick one that works for your specific use case. You must make sure, however, that the model you pick supports the FIDO2 standard.
I would also recommend picking up at least one extra Yubikey, to have as a backup. You are kind of fucked if you lose your one and only Yubikey…

Once you have your Yubikey in hand you can connect it to your computer. Start by setting it up using the Yubico app on your device. This includes setting a PIN for the Yubikey. DO NOT forget the PIN.

After the initial setup, you can start by generating the SSH-key.

Generating the SSH-key

To do this, follow these steps:

  1. Connect the Yubikey to your computer.
  2. Run
     ssh-keygen -t ed25519-sk -O resident -O verify-required -C "[email protected]" -f ~/.ssh/id_ed25519_yubikey1
     (-O resident stores the key handle on the Yubikey itself, so it can be loaded on any machine later, and -O verify-required makes every use of the key require the PIN.)
  3. You will likely need to touch the Yubikey during this phase.
  4. Once the setup is complete you will have a private and a public key in your ~/.ssh/ folder. The private key file is only a handle; the actual secret never leaves the Yubikey.

Uploading the public key

Next you need to distribute the public key to the different systems you want to authenticate to. We will be focusing on GitHub in this tutorial.

  1. Ensure that you are signed in to GitHub and then navigate to https://github.com/settings/keys.
  2. Once there you can click New SSH key.
  3. Enter a title for your key, something that lets you identify this particular key.
  4. Select Signing Key as the Key type.
  5. Then paste the public key into the Key field.
  6. Click Add SSH key.

Boom!
Now you have added that SSH key as a signing key. Repeat the steps, but this time select Authentication Key as the key type, so the same key can also be used for pushing.

Signing commits using SSH-key

To do this you must modify your .gitconfig file. The following commands do that for you:

git config --global gpg.format ssh
git config --global user.signingkey "~/.ssh/id_ed25519_yubikey1.pub"
git config --global gpg.ssh.allowedSignersFile "~/.ssh/allowed_signers"
git config --global commit.gpgsign true
git config --global tag.gpgsign true

Then create the allowed signers file:

echo "[email protected] $(cat ~/.ssh/id_ed25519_yubikey1.pub)" > ~/.ssh/allowed_signers
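git trusts every entry in this file when it verifies a signature, so it is worth checking that each principal really is bound to a FIDO (sk-) key held on the Yubikey and not to a plain software key. The checker below is an added example, not part of the original post; it assumes the entry layout "principal [options] keytype base64-blob" and the sk-ssh-ed25519@openssh.com key type generated above, and the sample entries are constructed, not real keys.

```shell
# Added example: sanity-check an allowed_signers file.
# Prints one problem per line on stderr; returns 0 only if every entry is a
# well-formed, Yubikey-backed (sk-ssh-ed25519@openssh.com) key.
check_allowed_signers() {
  file=$1; status=0; n=0
  while IFS= read -r line || [ -n "$line" ]; do
    n=$((n + 1))
    case "$line" in ''|'#'*) continue ;; esac
    # Split the entry into fields: principal [options] keytype blob
    set -- $line
    principal=$1; shift
    case "$1" in *=*) shift ;; esac   # skip an options list such as namespaces="git"
    keytype=$1; blob=$2
    if [ -z "$blob" ]; then
      echo "line $n: malformed entry" >&2; status=1; continue
    fi
    case "$principal" in
      *@*) ;;
      *) echo "line $n: principal '$principal' is not an email address" >&2; status=1 ;;
    esac
    case "$blob" in
      *[!A-Za-z0-9+/=]*) echo "line $n: key blob is not base64" >&2; status=1 ;;
    esac
    # An OpenSSH public key blob starts with its length-prefixed type string,
    # so a genuine sk-ssh-ed25519 blob always has this fixed base64 prefix.
    case "$keytype" in
      sk-ssh-ed25519@openssh.com)
        case "$blob" in
          AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29t*) ;;
          *) echo "line $n: blob does not encode $keytype" >&2; status=1 ;;
        esac ;;
      *) echo "line $n: $keytype is not a Yubikey-backed (sk-) key" >&2; status=1 ;;
    esac
  done < "$file"
  return $status
}

# Constructed sample file (placeholder key material, not real keys): one
# hardware-backed entry and one software key that should be flagged.
demo=$(mktemp)
cat > "$demo" <<'EOF'
dev@example.com sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIEZha2VLZXlCeXRlc0ZvckRlbW8AAAAEc3NoOg==
other@example.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEZha2VLZXlCeXRlc0ZvckRlbW8=
EOF
check_allowed_signers "$demo" && echo "allowed_signers OK" || echo "allowed_signers needs attention"
rm -f "$demo"
```

Run it against the real file with check_allowed_signers ~/.ssh/allowed_signers after creating it, and again whenever you add a colleague's key.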

Using the setup

Now it is time to use this whole setup. These are the steps to follow in the future whenever you wish to commit and/or push code.

  1. Connect the Yubikey to your computer.
  2. In the terminal you run git in, ensure you have an SSH agent running. Otherwise run
     eval "$(ssh-agent -s)"
  3. Then add the resident key to your SSH agent. You will be prompted to enter the Yubikey PIN.
     ssh-add -K
  4. Now you can get to committing and pushing! :)
  5. You will likely have to touch your Yubikey every time you commit and push code.