Gitsign

Keyless Git signing using Sigstore


Gitsign


<p align="center"> <img style="max-width: 100%;width: 300px;" src="https://raw.githubusercontent.com/sigstore/community/main/artwork/gitsign/horizontal/color/sigstore_gitsign-horizontal-color.svg" alt="Gitsign logo"/> </p>

Keyless Git signing with Sigstore!

This is heavily inspired by https://github.com/github/smimesign, but uses Sigstore keyless signing (a short-lived certificate from Fulcio, recorded in Rekor) to sign Git commits and tags with your own GitHub / OIDC identity instead of a long-lived key.

Installation

Using Homebrew:

```shell
brew install gitsign
```

Using Go:

```shell
go install github.com/sigstore/gitsign@latest
```

Configuration

Single repository:

```shell
cd /path/to/my/repository
git config --local gpg.x509.program gitsign  # Use gitsign for signing
git config --local gpg.format x509  # gitsign expects x509 args

# Warning: Setting these makes every git commit/tag depend on network access
# (an OIDC token, Fulcio and Rekor must all be reachable).
# Alternatively, leave them unset and pass the -S flag to sign individual commits/tags.
git config --local commit.gpgsign true  # Sign all commits
git config --local tag.gpgsign true  # Sign all tags
```

All repositories:

```shell
git config --global gpg.x509.program gitsign  # Use gitsign for signing
git config --global gpg.format x509  # gitsign expects x509 args

# Warning: Setting these makes every git commit/tag depend on network access
# (an OIDC token, Fulcio and Rekor must all be reachable).
# Alternatively, leave them unset and pass the -S flag to sign individual commits/tags.
git config --global commit.gpgsign true  # Sign all commits
git config --global tag.gpgsign true  # Sign all tags
```

To learn more about these options, see git-config.

File config

Gitsign can be configured with a standard git-config file. For example, to set the Fulcio option for a single repo:

```shell
git config --local gitsign.fulcio https://fulcio.example.com
```

The following config options are supported:

| Option | Default | Description |
| --- | --- | --- |
| fulcio | https://fulcio.sigstore.dev | Address of Fulcio server |
| logPath | | Path to log status output. Helpful for debugging when no TTY is available in the environment. |
| clientID | sigstore | OIDC client ID for the application |
| issuer | https://oauth2.sigstore.dev/auth | OIDC provider used to issue the ID token |
| matchCommitter | false | If true, verify that the committer matches the certificate's user identity. See docs/committer-verification.md for more details. |
| redirectURL | | OIDC redirect URL |
| rekor | https://rekor.sigstore.dev | Address of Rekor server |
| connectorID | | Optional connector ID used to pre-select the auth flow. For the public Sigstore instance, valid values are:<br>- https://github.com/login/oauth<br>- https://accounts.google.com<br>- https://login.microsoftonline.com |
| tokenProvider | | Optional OIDC token provider used to fetch tokens. If not set, any available providers are used. Valid values are:<br>- interactive<br>- spiffe<br>- google-workload-identity<br>- google-impersonation<br>- github-actions<br>- filesystem<br>- buildkite-agent |
| timestampServerURL | | Address of a timestamping authority. If set, a trusted timestamp will be included in the signature. |
| timestampCertChain | | Path to a PEM-encoded certificate chain for RFC 3161 Timestamp Authority verification. |
| autoclose | true | If true, auto-close the browser window after autocloseTimeout. For autoclose to work you must also set connectorID. |
| autocloseTimeout | 6 | If autoclose is true, this is how long to wait until the window is closed. |
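The "Configuration" steps above and the gitsign.* options in this table are the same wiring seen from two sides: git-level keys (gpg.format, gpg.x509.program, commit.gpgsign) that route signing to gitsign, and gitsign-level keys that tell gitsign which Sigstore services and identity rules to use. The following is an added example written for this page, not code from the gitsign project, that packages both into reusable shell functions plus a readiness check. It assumes git is on PATH; the example.com Fulcio, Rekor and issuer URLs are placeholders for a private Sigstore deployment, and every function name is this example's own.

```shell
#!/usr/bin/env bash
# Added example for this page (not gitsign's own code): the git config steps
# from the README as reusable functions, plus a readiness check.
# Assumes: git on PATH; example.com URLs are placeholders for a private
# Sigstore instance; all function names are this example's own.
set -u

# configure_gitsign REPO [all]
# Wire a repository to gitsign. With "all", also sign every commit and tag
# automatically; note that then every commit/tag needs network access (OIDC
# token, Fulcio, Rekor). Without "all", sign individually with `git commit -S`.
configure_gitsign() {
  repo=$1
  sign_all=${2:-}
  git -C "$repo" config --local gpg.x509.program gitsign || return 1
  git -C "$repo" config --local gpg.format x509 || return 1
  if [ "$sign_all" = "all" ]; then
    git -C "$repo" config --local commit.gpgsign true || return 1
    git -C "$repo" config --local tag.gpgsign true || return 1
  else
    # --unset exits non-zero when the key is absent; that is not an error here.
    git -C "$repo" config --local --unset commit.gpgsign 2>/dev/null || true
    git -C "$repo" config --local --unset tag.gpgsign 2>/dev/null || true
  fi
}

# configure_gitsign_private REPO FULCIO_URL REKOR_URL ISSUER_URL
# Pin gitsign to a private Fulcio/Rekor/OIDC issuer (the gitsign.* options
# from the "File config" table) and require the committer identity to match
# the certificate identity (gitsign.matchCommitter).
configure_gitsign_private() {
  repo=$1 fulcio=$2 rekor=$3 issuer=$4
  git -C "$repo" config --local gitsign.fulcio "$fulcio" || return 1
  git -C "$repo" config --local gitsign.rekor "$rekor" || return 1
  git -C "$repo" config --local gitsign.issuer "$issuer" || return 1
  git -C "$repo" config --local gitsign.matchCommitter true || return 1
}

# gitsign_setting REPO KEY
# Print the effective value of a config key (local, global or system scope),
# or nothing if it is unset.
gitsign_setting() {
  git -C "$1" config --get "$2" 2>/dev/null || true
}

# gitsign_config_check REPO
# Exit 0 when git will hand signing to gitsign, 1 otherwise. Both keys are
# needed: gpg.format selects the x509 code path, gpg.x509.program the binary.
gitsign_config_check() {
  repo=$1
  program=$(gitsign_setting "$repo" gpg.x509.program)
  format=$(gitsign_setting "$repo" gpg.format)
  if [ "$program" != "gitsign" ] || [ "$format" != "x509" ]; then
    echo "gitsign not configured: gpg.x509.program='$program' gpg.format='$format'" >&2
    return 1
  fi
  if ! command -v gitsign >/dev/null 2>&1; then
    echo "warning: gitsign is not on PATH; git commit -S will fail" >&2
  fi
  return 0
}

# Demo: `bash <this script> demo` configures a scratch repo and lists the result.
if [ "${1:-}" = "demo" ]; then
  demo=$(mktemp -d)
  git init -q "$demo"
  configure_gitsign "$demo" all
  configure_gitsign_private "$demo" https://fulcio.example.com \
    https://rekor.example.com https://oauth2.example.com/auth
  gitsign_config_check "$demo" && git -C "$demo" config --local --list
  rm -rf "$demo"
fi
```

The demo's final listing shows how the keys land in .git/config: gpg.format and gpg.x509.program become `[gpg] format = x509` and `[gpg "x509"] program = gitsign`, and the gitsign.* keys become a `[gitsign]` section, which is the same file you would edit by hand or ship in a global config for a private Sigstore deployment. The readiness check only proves git is routed to gitsign; it cannot prove signing will succeed, because the keyless flow still needs the OIDC issuer, Fulcio and Rekor to be reachable at commit time.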

Environment Variables

| Environment Variable | Sigstore prefix | Default | Description |
| --- | --- | --- | --- |
| GITSIGN_CREDENTIAL_CACHE | | | Optional path to the gitsign-credential-cache socket. |
| GITSIGN_CONNECTOR_ID | ✅ | | Optional connector ID used to pre-select the auth flow. For the public Sigstore instance, valid values are:<br>- https://github.com/login/oauth<br>- https://accounts.google.com<br>- https://login.microsoftonline.com |
| GITSIGN_TOKEN_PROVIDER | ✅ | | Optional OIDC token provider used to fetch tokens. If not set, any available providers are used. Valid values are:<br>- interactive<br>- spiffe<br>- google-workload-identity<br>- google-impersonation<br>- github-actions<br>- filesystem<br>- buildkite-agent |
| GITSIGN_FULCIO_URL | ✅ | https://fulcio.sigstore.dev | Address of Fulcio server |
| GITSIGN_LOG | ❌ | | Path to log status output. Helpful for debugging when no TTY is available in the environment. |
