This error occurs when you try to sign a Git commit or tag with SSH but haven't configured the required signing settings. The fix involves setting `gpg.format` to ssh and specifying your SSH public key as `user.signingkey`.
This error indicates that Git is attempting to use SSH for signing commits or tags, but the necessary configuration is missing. Git 2.34 and later supports signing commits with SSH keys as an alternative to GPG keys. When you run `git commit -S` or have `commit.gpgsign` enabled, Git tries to sign the commit. If `gpg.format` is set to `ssh` but `user.signingkey` is not configured, or vice versa, Git cannot proceed with signing and displays this error. SSH signing is simpler than GPG because most developers already have SSH keys for authenticating with GitHub, GitLab, or Bitbucket. Using the same keys for signing reduces the overhead of managing separate GPG keys.

First, inspect your current Git signing settings to understand what's configured:

```bash
# Check all signing-related configuration
git config --list | grep -E "(gpg|signing)"

# Check specific settings
git config --get gpg.format
git config --get user.signingkey
git config --get commit.gpgsign
```

Expected output for SSH signing:

```
gpg.format=ssh
user.signingkey=/home/user/.ssh/id_ed25519.pub
commit.gpgsign=true
```

If `gpg.format` shows `ssh` but `user.signingkey` is empty or missing, that's your problem.

Configure Git to use SSH for signing instead of GPG:

```bash
# Set SSH as the signing format
git config --global gpg.format ssh
```

This tells Git to use SSH keys for signing rather than GPG keys. The setting name `gpg.format` is historical: Git originally supported only GPG, so the configuration namespace remained when SSH support was added.

Point Git to your SSH public key for signing:

```bash
# For Ed25519 keys (recommended)
git config --global user.signingkey ~/.ssh/id_ed25519.pub

# For RSA keys
git config --global user.signingkey ~/.ssh/id_rsa.pub

# You can also use the literal public key content
git config --global user.signingkey "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA... you@example.com"
```

Important notes:
- Use the public key file (ending in .pub), not the private key
- Git uses the public key to find the corresponding private key via ssh-agent
- The path can be absolute or relative to your home directory
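
The configuration check above, automated. This is an added example, not part of the original page: it classifies a `user.signingkey` value and reports which half of the `gpg.format` / `user.signingkey` pair is wrong, following the page's advice to point at the `.pub` file. The function names are made up for this example; `key::` is Git's prefix for an inline public key.

```shell
#!/bin/sh
# Added example: diagnose the gpg.format / user.signingkey mismatch.

# classify_signing_key VALUE
# Prints one of: unset, literal, public, private, missing, unknown
classify_signing_key() {
    value=$1
    if [ -z "$value" ]; then echo unset; return; fi
    case $value in
        key::*|ssh-*\ *|ecdsa-*\ *|sk-*\ *) echo literal; return ;;  # inline public key
        "~/"*) value=$HOME/${value#"~/"} ;;                          # unexpanded ~/ path
    esac
    if [ ! -f "$value" ] || [ ! -r "$value" ]; then echo missing; return; fi
    first=
    IFS= read -r first < "$value" || true     # the first line identifies the file type
    case $first in
        "-----BEGIN "*"PRIVATE KEY-----") echo private ;;
        ssh-*|ecdsa-*|sk-*)               echo public ;;
        *)                                echo unknown ;;
    esac
}

# diagnose_signing FORMAT SIGNINGKEY
# Prints a one-line verdict; returns 0 only when the pair is consistent.
diagnose_signing() {
    fmt=$1
    kind=$(classify_signing_key "$2")
    case "$fmt:$kind" in
        ssh:unset)   echo "gpg.format=ssh but user.signingkey is not set" ;;
        ssh:missing) echo "user.signingkey points to a file that cannot be read" ;;
        ssh:private) echo "user.signingkey is a private key file; use the .pub file" ;;
        ssh:unknown) echo "user.signingkey file does not contain an SSH public key" ;;
        ssh:*)       echo "ok: SSH signing is configured with a $kind key"; return 0 ;;
        *:public|*:literal)
                     echo "user.signingkey is an SSH key but gpg.format is '${fmt:-unset}'" ;;
        *)           echo "gpg.format is '${fmt:-unset}', so SSH signing is not in use" ;;
    esac
    return 1
}

# Check the effective configuration when git is installed.
if command -v git >/dev/null 2>&1; then
    diagnose_signing "$(git config --get gpg.format)" \
                     "$(git config --get user.signingkey)" || true
fi
```
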

Verify the key file exists:

```bash
ls -la ~/.ssh/id_ed25519.pub
cat ~/.ssh/id_ed25519.pub
```

If you want all commits to be signed automatically without using the `-S` flag:

```bash
# Sign all commits automatically
git config --global commit.gpgsign true

# Sign all tags automatically
git config --global tag.gpgsign true
```

With these settings, every `git commit` and `git tag` will be signed using your SSH key.

To sign a single commit manually:

```bash
git commit -S -m "Your commit message"
```

SSH signing requires your private key to be loaded in the ssh-agent:

```bash
# Start the SSH agent
eval "$(ssh-agent -s)"

# Add your private key
ssh-add ~/.ssh/id_ed25519

# Verify the key is loaded
ssh-add -l
```

On macOS, persist the key across restarts:

```bash
# Add to keychain
ssh-add --apple-use-keychain ~/.ssh/id_ed25519
```

Create or update `~/.ssh/config` for automatic key loading:

```
Host *
    AddKeysToAgent yes
    UseKeychain yes
    IdentityFile ~/.ssh/id_ed25519
```

Verify that signing works correctly:

```bash
# Make a test commit
echo "test" >> test.txt
git add test.txt
git commit -S -m "Test signed commit"
```

Verify the signature:

```bash
# Show commit with signature
git log --show-signature -1
```

If successful, you'll see output indicating the commit was signed. If you get an error, check that your ssh-agent has the key loaded.

To verify SSH signatures locally, set up an allowed signers file:

```bash
# Create the allowed signers file
mkdir -p ~/.config/git
touch ~/.config/git/allowed_signers

# Configure Git to use it
git config --global gpg.ssh.allowedSignersFile ~/.config/git/allowed_signers
```

Add your public key to the allowed signers file:

```bash
# Format: email-address key-type public-key
echo "you@example.com $(cat ~/.ssh/id_ed25519.pub)" >> ~/.config/git/allowed_signers
```

This enables Git to verify signatures from yourself and others whose keys you add to the file.
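
Because every line in the allowed signers file is a trust decision, it is worth linting the file as it grows. The following is an added example, not part of the original page: a shell function (its name is made up here) that checks each entry against the `principal [options] key-type base64-key [comment]` layout documented for `ssh-keygen` allowed signers files and flags malformed or duplicate lines.

```shell
#!/bin/sh
# Added example: lint an allowed_signers file before relying on it for verification.
# Entry layout checked here: principal [options] key-type base64-key [comment]

# lint_allowed_signers FILE
# Prints "LINE: problem" for each bad entry; returns 1 if any were found.
lint_allowed_signers() {
    awk '
    function bad(msg) { printf "%d: %s\n", NR, msg; rc = 1 }
    /^[ \t]*(#|$)/ { next }                      # skip comments and blank lines
    {
        k = 0                                    # index of the key-type field
        for (i = 2; i <= NF; i++)
            if ($i ~ /^(ssh-|ecdsa-|sk-)/) { k = i; break }
        if (k == 0)
            bad("no key type after the principal")
        else if (k == NF)
            bad("key type without key data")
        else if ($(k + 1) !~ "^AAAA[A-Za-z0-9+/]+=*$")
            bad("key data is not a base64 SSH public key")
        else if ($1 !~ /@/)
            bad("principal is not an email address")
        else if (seen[$1 " " $(k + 1)]++)
            bad("duplicate entry")
    }
    END { exit rc + 0 }
    ' "$1"
}

# Usage: sh lint_allowed_signers.sh ~/.config/git/allowed_signers
if [ $# -gt 0 ]; then
    lint_allowed_signers "$1"
fi
```

A line that starts with the key type, which is what you get by pasting a `.pub` file without the leading email address, is reported as having no key type after the principal.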

For commits to show as "Verified" on GitHub or GitLab, add your SSH key as a signing key:

GitHub:

1. Go to https://github.com/settings/keys
2. Click "New SSH key"
3. Select Key type: Signing Key (not Authentication)
4. Paste your public key
5. Click "Add SSH key"

Note: You can use the same SSH key for both authentication and signing, but you must add it twice: once as an Authentication key and once as a Signing key.

GitLab:

1. Go to https://gitlab.com/-/profile/keys
2. Paste your public key
3. Under "Usage type", select "Signing" or "Authentication and signing"
4. Click "Add key"

Bitbucket:

Bitbucket doesn't currently support SSH commit signing verification, but commits will still be signed locally.

If you're still getting errors, there might be conflicting local settings:

```bash
# Check for local overrides
git config --local --list | grep -E "(gpg|signing)"

# Remove local signing settings to use global ones
git config --local --unset gpg.format
git config --local --unset user.signingkey
git config --local --unset commit.gpgsign

# Verify global settings apply
git config --get gpg.format
git config --get user.signingkey
```

If switching from GPG to SSH signing:

```bash
# Remove GPG-specific settings
git config --global --unset gpg.program
```

### Requirements for SSH Signing

SSH commit signing requires:

- Git 2.34.0 or later (released November 2021)
- OpenSSH 8.1 or later (avoid OpenSSH 8.7, which has a signing bug; use 8.8+)

Check your versions:

```bash
git --version
ssh -V
```

### SSH vs GPG Signing Comparison

| Aspect | SSH Signing | GPG Signing |
|--------|-------------|-------------|
| Key management | Use existing SSH keys | Separate GPG keyring |
| Setup complexity | Simpler | More complex |
| Key expiration | No built-in expiration | Supports expiration |
| Web of trust | Not supported | Supported |
| Platform support | Git 2.34+ | All Git versions |
### Complete Configuration Example

Here's a complete setup for SSH signing:

```bash
# Set up SSH signing
git config --global gpg.format ssh
git config --global user.signingkey ~/.ssh/id_ed25519.pub
git config --global commit.gpgsign true
git config --global tag.gpgsign true

# Set up signature verification
git config --global gpg.ssh.allowedSignersFile ~/.config/git/allowed_signers
mkdir -p ~/.config/git
echo "$(git config user.email) $(cat ~/.ssh/id_ed25519.pub)" >> ~/.config/git/allowed_signers
```

### Signing with a Specific Key

If you have multiple SSH keys and want to use a specific one:

```bash
# Use absolute path to avoid ambiguity
git config --global user.signingkey /home/username/.ssh/id_ed25519_signing.pub
```

### Using SSH Signing in CI/CD

For CI/CD pipelines, ensure the signing key is available:

```yaml
# GitHub Actions example
- name: Configure Git signing
  run: |
    git config --global gpg.format ssh
    git config --global user.signingkey ~/.ssh/id_ed25519.pub
    # SSH_AUTH_SOCK set by eval is visible only inside this step;
    # sign in the same step or export it through $GITHUB_ENV
    eval "$(ssh-agent -s)"
    ssh-add ~/.ssh/id_ed25519
```

### Reverting to GPG Signing

To switch back from SSH to GPG signing:

```bash
git config --global --unset gpg.format

# or explicitly set GPG
git config --global gpg.format openpgp
git config --global user.signingkey YOUR_GPG_KEY_ID
git config --global gpg.program gpg
```

### Troubleshooting

"error: Load key ... invalid format"

- Make sure you're pointing to the public key (`.pub`), not the private key
- Verify the key file isn't corrupted

Signature shows as "Unverified" on GitHub

- Ensure you added the key as a "Signing Key" (not just "Authentication Key")
- Verify the email in your commit matches the email on your GitHub account

"error: unable to sign data"

- Check ssh-agent is running: `ssh-add -l`
- Add your key: `ssh-add ~/.ssh/id_ed25519`