GitHub - Setting up SSH

Setting Up Your CI/CD Environment: Configuring SSH keys for secure GitHub authentication and commit signing

In our previous article, we created a public GitHub repository for our CI/CD pipeline. Now, we'll enhance our security posture by setting up SSH keys for authentication and commit signing. This crucial step ensures secure connections to GitHub and verifies the authenticity of your commits, which is especially important in collaborative CI/CD environments.

Understanding SSH Authentication and Signing

SSH keys provide stronger security than password authentication, allow seamless authentication without typing passwords, and enable cryptographic verification of your commits. This verification is essential for maintaining CI/CD pipeline integrity and ensuring that automated scripts can securely interact with your repository.

Setting Up SSH Keys

Let's set up SSH keys across all platforms using the terminal (Git Bash for Windows, Terminal for macOS/Linux).

Open your terminal application

Launch Git Bash on Windows, or Terminal on macOS/Linux.

Check for existing SSH keys first

ls -la ~/.ssh

If you see files named id_ed25519 and id_ed25519.pub, you already have SSH keys and can skip to the "Add your SSH private key" step.

Generate an SSH key pair by running

ssh-keygen -t ed25519 -C "[email protected]"

Use the same email address you've configured in Git. You can check your current Git email with:

git config --list | grep user.email

This should display your GitHub noreply email address, confirming it's been set correctly.

See Setting your commit email address for more detailed information.

When prompted for a file location

Press Enter to accept the default location (~/.ssh/id_ed25519). This is the standard location for SSH keys.

When prompted for a passphrase

Enter a secure passphrase (highly recommended). This adds an extra layer of security to protect your private key.

Start the SSH agent in the background

eval "$(ssh-agent -s)"

Add your SSH private key to the SSH agent

ssh-add ~/.ssh/id_ed25519

Note: On macOS Monterey (12.0) or later, you may need to use:

ssh-add --apple-use-keychain ~/.ssh/id_ed25519

View your public key to copy it

cat ~/.ssh/id_ed25519.pub

Your public key starts with ssh-ed25519 and ends with your email address. Copy the entire line. Never share your private key (the file without the .pub extension), which starts with -----BEGIN OPENSSH PRIVATE KEY-----.
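The steps above as one idempotent script, added here as an example and not code from the original article. It reuses an existing key pair instead of overwriting it, loads the key into the agent (with the macOS Keychain variant), and refuses to print anything that is not an ed25519 public key, which guards the copy step against grabbing the private key by mistake. KEY_PATH and EMAIL are this script's own variables with hypothetical defaults, and SAMPLE_PUBKEY is a constructed line whose blob is not a real key.

```shell
#!/usr/bin/env sh
# Added example, not code from the original article: an idempotent version of the
# key-setup steps, plus two offline checks that guard the copy/paste step.
# KEY_PATH and EMAIL are this script's own variables (hypothetical defaults).

KEY_PATH="${KEY_PATH:-$HOME/.ssh/id_ed25519}"
EMAIL="${EMAIL:-you@example.com}"   # placeholder; use the e-mail configured in Git

# Constructed sample key line for demonstration only; the blob is NOT a real key
# (it merely has the right shape: 68 base64 characters with the ed25519 prefix).
SAMPLE_PUBKEY="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIconstructedExampleKeyBlobNotARealKey0123456 you@example.com"

# Return 0 when a line has the shape of an OpenSSH ed25519 public key:
# "ssh-ed25519 <blob> [comment]". An ed25519 public key blob is always 51 bytes
# (type string plus the 32-byte key), which base64-encodes to exactly 68 characters
# beginning with the fixed prefix AAAAC3NzaC1lZDI1NTE5AAAAI.
is_ed25519_pubkey() {
    line=$1
    case $line in *" "*) ;; *) return 1 ;; esac
    key_type=${line%% *}
    rest=${line#* }
    blob=${rest%% *}
    [ "$key_type" = "ssh-ed25519" ] || return 1
    case $blob in AAAAC3NzaC1lZDI1NTE5AAAAI*) ;; *) return 1 ;; esac
    printf '%s' "$blob" | grep -Eq '^[A-Za-z0-9+/]{68}$'
}

# Return 0 when the text is a private key file: this is what must never be pasted
# into the GitHub "Key" field or shared anywhere.
looks_like_private_key() {
    first=$(printf '%s\n' "$1" | head -n 1)
    [ "$first" = "-----BEGIN OPENSSH PRIVATE KEY-----" ]
}

# Reuse an existing key pair or generate one (ssh-keygen prompts for a passphrase).
ensure_key() {
    if [ -f "$KEY_PATH" ] && [ -f "$KEY_PATH.pub" ]; then
        echo "Existing key pair found at $KEY_PATH; not generating a new one"
        return 0
    fi
    mkdir -p "$(dirname "$KEY_PATH")"
    chmod 700 "$(dirname "$KEY_PATH")"          # ssh refuses world-readable key dirs
    ssh-keygen -t ed25519 -C "$EMAIL" -f "$KEY_PATH"
}

# Start the agent and load the key; macOS Monterey and later can keep the
# passphrase in the Keychain.
load_into_agent() {
    eval "$(ssh-agent -s)" >/dev/null
    if [ "$(uname -s)" = "Darwin" ]; then
        ssh-add --apple-use-keychain "$KEY_PATH"
    else
        ssh-add "$KEY_PATH"
    fi
}

# Print the PUBLIC key for pasting into GitHub, refusing anything that is not an
# ed25519 public key (for example the private key file picked by mistake).
show_pubkey() {
    content=$(cat "$KEY_PATH.pub")
    if looks_like_private_key "$content"; then
        echo "refusing to print: $KEY_PATH.pub holds a PRIVATE key" >&2
        return 1
    fi
    if ! is_ed25519_pubkey "$content"; then
        echo "refusing to print: $KEY_PATH.pub is not an ed25519 public key" >&2
        return 1
    fi
    printf '%s\n' "$content"
}

# Run the whole procedure only when asked: ./ssh_setup.sh run
case "${1:-}" in
    run) ensure_key && load_into_agent && show_pubkey ;;
esac
```

Invoke it as `sh ssh_setup.sh run`; without the argument it only defines the functions, so the shape checks can be sourced and reused elsewhere (for example in a pre-commit hook that rejects private key material).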

Adding Your SSH Key to Your GitHub Account

Now add your public key to GitHub:

Log in to GitHub and navigate to your account settings

Open your browser and log in to your GitHub account, then click on your profile picture in the top-right corner and select "Settings".

Click on "SSH and GPG keys" in the left sidebar

Click "New SSH key" or "Add SSH key"

Look for the green button near the top of the SSH keys section.

Add a descriptive title for your key

For example, "Work Laptop"

Paste your public key into the "Key" field

Paste the entire string you copied from your terminal, starting with "ssh-ed25519" and ending with your email address.

Click "Add SSH key" to save

This finalizes adding your key to GitHub. You may be prompted to confirm your password.

Configuring Git to Use SSH for Signing Commits

Now configure Git to use this key for signing commits:

Configure Git to use your SSH key for signing

git config --global gpg.format ssh
git config --global user.signingkey "$(cat ~/.ssh/id_ed25519.pub)"

Enable automatic signing for all commits

git config --global commit.gpgsign true

Testing Your SSH Connection and Signing

Verify that your SSH setup works correctly:

Test your SSH connection to GitHub

You should see a message like: "Hi username! You've successfully authenticated, but GitHub does not provide shell access."

Test commit signing by making a simple commit

# Navigate to your repository
cd your-repository-directory

# Create a test file
echo "# SSH Signing Test" > test.md

# Add and commit the file
git add test.md
git commit -m "Test SSH signing"

# Push to GitHub
git push

Verify the signed commit

Look for a "Verified" badge next to your recent commit in the repository's "Commits" tab on GitHub.
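A verification script for the signing configuration and the tests above, added here as an example and not code from the original article. It covers the connection test (GitHub never grants a shell, so `ssh -T git@github.com` exits non-zero even on success and the banner text must be read instead), a comparison of the live global Git config with the values set above, and local verification of the latest commit through an allowed_signers file, which is what `git verify-commit` and `git log --show-signature` need for SSH signatures. PUBKEY_FILE and ALLOWED_SIGNERS are this script's own variables with hypothetical defaults.

```shell
#!/usr/bin/env sh
# Added example, not code from the original article: checks for the signing
# configuration, a connection test that reads GitHub's reply rather than the
# exit code, and local signature verification via an allowed_signers file.
# PUBKEY_FILE and ALLOWED_SIGNERS are this script's own variables (hypothetical defaults).

PUBKEY_FILE="${PUBKEY_FILE:-$HOME/.ssh/id_ed25519.pub}"
ALLOWED_SIGNERS="${ALLOWED_SIGNERS:-$HOME/.ssh/allowed_signers}"

# GitHub does not provide shell access, so "ssh -T git@github.com" exits non-zero
# even when authentication succeeded. Decide from the banner text instead.
github_banner_ok() {
    case $1 in
        *"successfully authenticated"*) return 0 ;;
        *) return 1 ;;
    esac
}

test_github_connection() {
    banner=$(ssh -T git@github.com 2>&1) || true
    printf '%s\n' "$banner"
    github_banner_ok "$banner"
}

# Build one allowed_signers entry from an e-mail and a public-key line
# ("ssh-ed25519 <blob> [comment]"). Format, per ssh-keygen(1) ALLOWED SIGNERS:
#   principal [options] key-type base64-key
# namespaces="git" limits this principal to Git signatures (Git signs with -n git).
allowed_signers_line() {
    email=$1
    pubkey=$2
    case $pubkey in *" "*) ;; *) return 1 ;; esac
    key_type=${pubkey%% *}
    rest=${pubkey#* }
    blob=${rest%% *}
    [ -n "$email" ] && [ -n "$key_type" ] && [ -n "$blob" ] || return 1
    printf '%s namespaces="git" %s %s\n' "$email" "$key_type" "$blob"
}

# Compare the live global config with the values set in the article, plus the
# allowed-signers file that local verification needs. Returns 1 on any mismatch.
check_signing_config() {
    rc=0
    for pair in gpg.format=ssh commit.gpgsign=true "gpg.ssh.allowedSignersFile=$ALLOWED_SIGNERS"; do
        key=${pair%%=*}
        want=${pair#*=}
        have=$(git config --global --get "$key" || true)
        if [ "$have" = "$want" ]; then
            echo "ok   $key = $have"
        else
            echo "MISS $key = '${have:-<unset>}' (expected '$want')"
            rc=1
        fi
    done
    # Git accepts the literal key (as set above), a "key::..." literal, or the
    # path ~/.ssh/id_ed25519.pub; only require that something is set.
    if ! git config --global --get user.signingkey >/dev/null; then
        echo "MISS user.signingkey is unset"
        rc=1
    fi
    return $rc
}

# Trust your own key locally and verify the most recent commit. GitHub's "Verified"
# badge is a separate, server-side check against the keys on your account.
trust_own_key_and_verify() {
    email=$(git config --get user.email)
    line=$(allowed_signers_line "$email" "$(cat "$PUBKEY_FILE")") || return 1
    grep -qsF -- "$line" "$ALLOWED_SIGNERS" || printf '%s\n' "$line" >> "$ALLOWED_SIGNERS"
    chmod 600 "$ALLOWED_SIGNERS"
    git config --global gpg.ssh.allowedSignersFile "$ALLOWED_SIGNERS"
    # %G? is one letter: G good, N unsigned, B bad, E signature could not be checked.
    echo "signature status of HEAD: $(git log -1 --format='%G?')"
    git verify-commit HEAD        # non-zero exit unless the signature verifies
}

case "${1:-}" in
    connect) test_github_connection ;;
    check)   check_signing_config ;;
    verify)  trust_own_key_and_verify ;;
esac
```

Run `sh verify_signing.sh connect`, `check` and `verify` in turn from inside the repository. Two things the local check cannot tell you: GitHub shows the "Verified" badge only for a key registered on your account with the key type "Signing Key" (the "New SSH key" form offers "Authentication Key" and "Signing Key"; the same public key can be added once as each), and the badge is also withheld when the commit's author e-mail is not a verified address on that account.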

Troubleshooting SSH Issues

If you encounter problems with your SSH setup, GitHub's documentation provides detailed troubleshooting guides for SSH connection and signing issues.

Conclusion and Next Steps

You've now set up SSH authentication and commit signing for your GitHub repository, enhancing the security of your CI/CD pipeline. This configuration ensures that your connections to GitHub are secure, your commits are verified, and your CI/CD pipeline can interact with the repository securely.

In our next article, we'll explore how to clone your GitHub repository via HTTPS and SSH.

Stay tuned for more practical CI/CD tips and techniques!