This error occurs when Git attempts to sign a commit using SSH but encounters a format incompatibility between your SSH key and the ssh-keygen tool. The fix typically involves adding your SSH key to the ssh-agent, updating your OpenSSH version, or reconfiguring your Git signing settings.
This error indicates that Git's SSH commit signing failed because `ssh-keygen` could not read your SSH key in the format it expects when creating a signature. When you configure Git to sign commits with SSH keys (`gpg.format ssh`), Git invokes `ssh-keygen -Y sign` to create the signature. That step needs access to your private key, either directly or through an SSH agent. If `ssh-keygen` cannot find your key in the agent, it falls back to reading the key file directly, and when that fallback fails because the file is not in the expected format you see the "invalid format for SSH signature" error.

Common scenarios that trigger this error include:

- The SSH key is not loaded in your ssh-agent
- Your OpenSSH version is too old and lacks the `-U` flag for agent-based signing
- The key file is in the wrong format (e.g., generated by PuTTY instead of OpenSSH)
- Line ending issues (Windows CRLF vs Unix LF)
- Git is using its bundled ssh-keygen instead of your system's OpenSSH
### Check Your Git Signing Configuration

First, check your current Git configuration for SSH signing:

```bash
# Check signing format (should be 'ssh')
git config --get gpg.format
# Check which key is configured for signing
git config --get user.signingKey
# Check if commit signing is enabled
git config --get commit.gpgsign
```

Expected configuration:

```
gpg.format = ssh
user.signingKey = /path/to/your/key.pub (or ~/.ssh/id_ed25519.pub)
commit.gpgsign = true (if auto-signing is enabled)
```

If `gpg.format` is not set to `ssh`, configure it:

```bash
git config --global gpg.format ssh
```

### Add Your Key to the ssh-agent

The most common fix is ensuring your SSH key is loaded in the ssh-agent:
```bash
# Start the SSH agent
eval "$(ssh-agent -s)"
# Output: Agent pid 12345
# Add your private key to the agent
ssh-add ~/.ssh/id_ed25519
# For RSA keys:
ssh-add ~/.ssh/id_rsa
```

Verify the key is loaded:

```bash
ssh-add -l -E sha256
```

You should see your key fingerprint listed. If you see "The agent has no identities", the key wasn't added successfully.
On macOS, persist the key across restarts:

```bash
ssh-add --apple-use-keychain ~/.ssh/id_ed25519
```

and add the following to `~/.ssh/config`:

```
Host *
  AddKeysToAgent yes
  UseKeychain yes
  IdentityFile ~/.ssh/id_ed25519
```

For Windows PowerShell:

```powershell
# Start the ssh-agent service
Get-Service ssh-agent | Set-Service -StartupType Automatic
Start-Service ssh-agent
# Add your key
ssh-add $env:USERPROFILE\.ssh\id_ed25519
```

### Check Your OpenSSH Version

SSH commit signing requires OpenSSH 8.2 or later. Some versions have known issues:
```bash
# Check your OpenSSH version (ssh-keygen ships with the same release as ssh
# and has no version flag of its own)
ssh -V
```

Version requirements:

- Minimum: OpenSSH 8.2p1 (introduces `ssh-keygen -Y sign`)
- Avoid: OpenSSH 8.7 (has a known signing bug)
- Recommended: OpenSSH 9.1+ (includes the `-U` fix for agent-based signing)

**OpenSSH 9.1 fix:** This version accepts an additional `-U` option on `ssh-keygen -Y sign`, which tells it to always look for the private key in the agent rather than trying to read the file directly.

If your version is too old, upgrade OpenSSH:

```bash
# Ubuntu/Debian
sudo apt update && sudo apt install openssh-client
# macOS (via Homebrew)
brew install openssh
# Fedora/RHEL
sudo dnf install openssh-clients
```

### Windows: Git's Bundled ssh-keygen

On Windows, Git often bundles its own ssh-keygen that may be incompatible with Windows OpenSSH:
**Option 1: Reinstall Git with external OpenSSH**

1. Download the latest Git for Windows installer
2. During installation, uncheck "Only show new options"
3. Select "Use external OpenSSH" instead of the bundled OpenSSH
4. Complete the installation

**Option 2: Configure Git to use Windows OpenSSH**

```bash
# Point Git to Windows' ssh for fetch/push over SSH
git config --global core.sshCommand "C:/Windows/System32/OpenSSH/ssh.exe"
# Signing is done by ssh-keygen, which Git selects through gpg.ssh.program;
# point it at the same OpenSSH build so the bundled copy is not used
git config --global gpg.ssh.program "C:/Windows/System32/OpenSSH/ssh-keygen.exe"
```

Update Windows OpenSSH to 8.6+:

1. Open Settings > Apps > Optional Features
2. Find "OpenSSH Client" and check the version
3. If outdated, download from: https://github.com/PowerShell/Win32-OpenSSH/releases
4. Install to `C:\Program Files\OpenSSH` and add it to PATH

Verify Windows is using the correct ssh-keygen:

```powershell
where.exe ssh-keygen
# Should show: C:\Windows\System32\OpenSSH\ssh-keygen.exe
```

### Check user.signingKey

Ensure your `user.signingKey` is set correctly:
```bash
# Check current setting
git config --get user.signingKey
```

**Important:** `user.signingKey` should point to your public key file (`.pub`):

```bash
# Set the signing key (use full path)
git config --global user.signingKey ~/.ssh/id_ed25519.pub
# On Windows, use forward slashes or escaped backslashes:
git config --global user.signingKey "C:/Users/YourName/.ssh/id_ed25519.pub"
# or
git config --global user.signingKey "C:\\Users\\YourName\\.ssh\\id_ed25519.pub"
```

Alternative: use the key directly in the config:

```bash
# You can also embed the public key content directly
git config --global user.signingKey "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA... you@example.com"
```

Verify the public key file exists and is readable:

```bash
cat ~/.ssh/id_ed25519.pub
# Should output: ssh-ed25519 AAAAC3... you@example.com
```

### Fix Key File Format Issues

If your key was generated with PuTTY or has format issues:
Convert a PuTTY key to OpenSSH format using puttygen (PuTTY Key Generator):

1. Load your `.ppk` file
2. Go to Conversions > Export OpenSSH key
3. Save as `id_ed25519` (no extension)

Regenerate the public key from the private key:

```bash
ssh-keygen -y -f ~/.ssh/id_ed25519 > ~/.ssh/id_ed25519.pub
```

Fix line endings (Windows):

```bash
# Convert CRLF to LF
sed -i 's/\r$//' ~/.ssh/id_ed25519
sed -i 's/\r$//' ~/.ssh/id_ed25519.pub
# Or using dos2unix
dos2unix ~/.ssh/id_ed25519
dos2unix ~/.ssh/id_ed25519.pub
```

Ensure the file has a trailing newline:

```bash
# Append a newline only if the last byte is not already one
# ($(tail -c 1 ...) is empty exactly when the file ends in a newline)
[ -z "$(tail -c 1 ~/.ssh/id_ed25519)" ] || echo >> ~/.ssh/id_ed25519
```

Verify the file encoding is UTF-8:

```bash
file ~/.ssh/id_ed25519
# Should show: ASCII text or UTF-8 Unicode text
```

### Generate a New Key

If your key is corrupted or in an incompatible format, generate a fresh key:
```bash
# Generate Ed25519 key (recommended)
ssh-keygen -t ed25519 -C "you@example.com"
# Accept default location or specify custom path
# Enter a passphrase when prompted (optional but recommended)
```

After generating:

```bash
# Add to ssh-agent
eval "$(ssh-agent -s)"
ssh-add ~/.ssh/id_ed25519
# Configure Git to use the new key
git config --global user.signingKey ~/.ssh/id_ed25519.pub
# Add the public key to GitHub/GitLab
cat ~/.ssh/id_ed25519.pub
# Copy output and add to your Git hosting provider
```

GitHub SSH signing key setup:

1. Go to https://github.com/settings/keys
2. Click "New SSH key"
3. Change key type to "Signing Key"
4. Paste your public key
5. Click "Add SSH key"
### Third-Party SSH Agents

If you use 1Password, Secretive, or other SSH agent managers:

1Password configuration:

```bash
# Set the SSH_AUTH_SOCK environment variable (add this line to your shell
# profile, ~/.bashrc or ~/.zshrc, to make it permanent)
export SSH_AUTH_SOCK=~/.1password/agent.sock
# Or run git with the socket specified for a single command:
SSH_AUTH_SOCK=~/.1password/agent.sock git commit -m "Signed commit"
```

Secretive (macOS):

```bash
export SSH_AUTH_SOCK=/Users/yourusername/Library/Containers/com.maxgoedjen.Secretive.SecretAgent/Data/socket.ssh
```

Verify the agent socket is working:

```bash
SSH_AUTH_SOCK=~/.1password/agent.sock ssh-add -l
# Should list your keys
```

Git configuration for 1Password:

```bash
# Tell Git's ssh transport (fetch/push) to use the 1Password agent;
# ssh-keygen signing finds the agent through SSH_AUTH_SOCK, set above
git config --global core.sshCommand "ssh -o IdentityAgent=~/.1password/agent.sock"
```

### Verify Signing Works

Verify everything is working correctly:
```bash
# Create a test signed commit
git commit --allow-empty -S -m "Test signed commit"
```

If successful, verify the signature:

```bash
# Show the signature on the last commit
git log --show-signature -1
```

Set up an allowed signers file for verification:

```bash
# Create allowed signers file
mkdir -p ~/.config/git
echo "you@example.com $(cat ~/.ssh/id_ed25519.pub)" > ~/.config/git/allowed_signers
# Configure Git to use it
git config --global gpg.ssh.allowedSignersFile ~/.config/git/allowed_signers
# Verify signature
git verify-commit HEAD
```

Expected output:

```
Good "git" signature for you@example.com with ED25519 key SHA256:...
```

### Understanding the SSH Signing Process
When Git signs a commit with SSH, it:

1. Writes your public key to a temporary file
2. Calls `ssh-keygen -Y sign -n git -f /tmp/key_file`
3. `ssh-keygen` looks for the corresponding private key in the agent
4. If the key is not found in the agent, it tries to read the temp file as a private key (this fails!)

The error occurs because the temp file contains a public key, but `ssh-keygen`'s fallback treats it as a private key and can't parse it.

**The OpenSSH 9.1 fix:** OpenSSH 9.1 introduced the `-U` flag, which tells `ssh-keygen` to *always* use the agent and never try to read the file as a private key. Git 2.34+ uses this flag when available.
### GPG vs SSH Signing
If you previously used GPG signing and want to switch back:
```bash
# Remove SSH signing format
git config --global --unset gpg.format
# Or explicitly set to GPG
git config --global gpg.format openpgp
git config --global user.signingKey YOUR_GPG_KEY_ID
```

### Debugging SSH Signing
Enable debug output to understand what's happening:
```bash
# Trace the commands Git runs, including the exact ssh-keygen invocation
GIT_TRACE=1 git commit -S -m "Debug commit"
# Run the signing step by hand with verbose ssh-keygen output
# (uses the agent at $SSH_AUTH_SOCK, if one is set)
ssh-keygen -Y sign -n git -f ~/.ssh/id_ed25519.pub -v < /dev/null
```

### SSH Signing in CI/CD
For CI/CD pipelines, you need to:
1. Add the SSH private key as a secret
2. Start the ssh-agent and load the key
3. Configure Git signing
```yaml
# GitHub Actions example
steps:
  - name: Setup SSH signing
    run: |
      eval "$(ssh-agent -s)"
      # Export the agent socket so later steps in this job can sign too
      echo "SSH_AUTH_SOCK=$SSH_AUTH_SOCK" >> "$GITHUB_ENV"
      echo "${{ secrets.SSH_SIGNING_KEY }}" | ssh-add -
      # The secret holds only the private key; write the matching public key
      # to the path user.signingKey will point at
      mkdir -p ~/.ssh
      ssh-add -L > ~/.ssh/id_ed25519.pub
      git config --global gpg.format ssh
      git config --global user.signingKey ~/.ssh/id_ed25519.pub
      git config --global commit.gpgsign true
```

### Signing Key vs Authentication Key
You can use:
- Same key for both authentication and signing
- Separate keys for enhanced security
GitHub allows you to add a key specifically as a "Signing Key" in SSH settings, separate from authentication keys.
### Key Algorithm Recommendations
| Algorithm | Support | Recommendation |
|-----------|---------|----------------|
| Ed25519 | Modern systems | Best choice for signing |
| RSA 4096 | Universal | Good fallback option |
| ECDSA | Most systems | Less common for signing |
### Troubleshooting Checklist
If you're still having issues, verify:
- [ ] `ssh-add -l` shows your key
- [ ] `ssh -V` shows OpenSSH 8.2+
- [ ] `git config gpg.format` returns `ssh`
- [ ] `user.signingKey` points to the `.pub` file
- [ ] Key file has correct permissions (mode 600)
- [ ] Key file has Unix line endings
- [ ] On Windows: using external OpenSSH, not Git's bundled version
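The file-level items on this checklist, and the format fixes from the "key file format" section (CRLF endings, missing trailing newline, PuTTY `.ppk` files, permissions), can be checked in one pass. The script below is an added example, not from the original article: `diagnose_key_file` is a hypothetical helper name and the finding labels it prints are constructed for this example. It relies only on POSIX tools (`head`, `tail`, `tr`, `wc`, `ls`, `cut`) and does not validate key material itself; it only reports the structural problems that make `ssh-keygen -Y sign` reject a file.

```shell
#!/bin/sh
# Added example, not from the original article: one-shot diagnostic for the
# key-file problems this guide lists. diagnose_key_file is a hypothetical
# helper; the finding labels are constructed for this example. Uses only
# POSIX tools. Prints one finding per line and returns 1 when a finding is
# known to break `ssh-keygen -Y sign`.
diagnose_key_file() {
    f=$1
    status=0
    [ -r "$f" ] || { echo "UNREADABLE"; return 1; }
    [ -s "$f" ] || { echo "EMPTY"; return 1; }

    # Classify by the first line; CR is stripped so a CRLF file still classifies.
    first=$(head -n 1 "$f" | tr -d '\r')
    case "$first" in
        "-----BEGIN OPENSSH PRIVATE KEY-----")
            kind=OPENSSH_PRIVATE_KEY ;;
        # Legacy PEM private key, still accepted by ssh-keygen.
        "-----BEGIN "*" PRIVATE KEY-----")
            kind=PEM_PRIVATE_KEY ;;
        # Fine for user.signingKey, but cannot be used as the private key.
        "ssh-ed25519 "*|"ssh-rsa "*|"ecdsa-sha2-"*|"sk-"*)
            kind=PUBLIC_KEY ;;
        # PuTTY container: export it from puttygen as an OpenSSH key first.
        "PuTTY-User-Key-File-"*)
            kind=PUTTY_FORMAT; status=1 ;;
        *)
            kind=UNKNOWN_FORMAT; status=1 ;;
    esac
    echo "$kind"

    # CRLF line endings: ssh-keygen expects LF only.
    lf_bytes=$(tr -d '\r' < "$f" | wc -c | tr -d ' ')
    all_bytes=$(wc -c < "$f" | tr -d ' ')
    if [ "$lf_bytes" -ne "$all_bytes" ]; then
        echo "CRLF_LINE_ENDINGS"; status=1
    fi

    # Missing trailing newline: $(tail -c 1) is empty only when the last byte is LF.
    if [ -n "$(tail -c 1 "$f")" ]; then
        echo "NO_TRAILING_NEWLINE"; status=1
    fi

    # Private keys must be mode 600 (no group/other bits), as the checklist says.
    case "$kind" in
        *PRIVATE_KEY|PUTTY_FORMAT)
            if [ "$(ls -ld "$f" | cut -c5-10)" != "------" ]; then
                echo "LOOSE_PERMISSIONS"; status=1
            fi ;;
    esac
    return "$status"
}

# Usage: diagnose_key_file ~/.ssh/id_ed25519; diagnose_key_file ~/.ssh/id_ed25519.pub
```

A clean private key prints just `OPENSSH_PRIVATE_KEY` and exits 0; each extra line maps to one fix in the format section above (`sed`/`dos2unix` for `CRLF_LINE_ENDINGS`, the trailing-newline one-liner for `NO_TRAILING_NEWLINE`, `chmod 600` for `LOOSE_PERMISSIONS`, puttygen export for `PUTTY_FORMAT`).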