Changing the recommended encryption and removing SSH instructions

chrisbloe · web-flow · commit 069f07d66503 · 2025-10-03T09:05:19.000+01:00
Updated the commit signing guide to focus on GPG and ECC methods, and removed SSH signing instructions.
diff --git a/practices/guides/commit-signing.md b/practices/guides/commit-signing.md
@@ -1,12 +1,10 @@
 # Git commit signing setup guide
 
-Using GPG, SSH, or S/MIME, you can sign commits and tags locally. These commits and tags are marked as verified on GitHub so other people can be confident that the changes come from a trusted source.
-
-The instructions on this page focus on GPG and SSH.
+Using GPG, SSH, or S/MIME, you can sign commits and tags locally. These commits and tags are marked as verified on GitHub so other people can be confident that the changes come from a trusted source (see the full GitHub documentation [here](https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification)).
 
 > You should only set up **one** of these options - **don't attempt to set up GPG and SSH commit signing**!
 
-See the full GitHub documentation [here](https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification).
+The instructions on this page focus on the recommended method - GPG.
 
 ## GPG commit signing
 
@@ -38,8 +36,7 @@ If you have already committed and need to retrospectively sign commits, follow t
     gpg --full-generate-key
     ```
 
-    1. Pick `RSA and RSA`, or `RSA (sign only)` (there is no elliptic curve cryptography (ECC) support at the time of writing)
-    1. `keysize` `4096` bits (the minimum accepted for GitHub)
+    1. Pick `ECC (sign and encrypt)` then `Curve 25519` ([Ed25519](https://en.wikipedia.org/wiki/EdDSA#Ed25519) offers the strongest encryption at time of writing)
     1. Select a key expiry time (personal choice)
     1. `Real name` Your GitHub handle
     1. `Email address` Your GitHub account email [listed on your GitHub profile](https://github.com/settings/emails) (you can use the privacy *@users.noreply.github.com* email address): `Settings` -> `Emails` -> `Keep my email addresses private`)
@@ -98,8 +95,7 @@ If you have already committed and need to retrospectively sign commits, follow t
     gpg --full-generate-key
     ```
 
-    1. Pick `RSA and RSA`, or `RSA (sign only)` (there is no elliptic curve cryptography (ECC) support at the time of writing)
-    1. `keysize` = `4096` bits (the minimum accepted for GitHub)
+    1. Pick `ECC (sign and encrypt)` then `Curve 25519` ([Ed25519](https://en.wikipedia.org/wiki/EdDSA#Ed25519) offers the strongest encryption at time of writing)
     1. Select a key expiry time (personal choice)
     1. `Real name` = Your GitHub handle
     1. `Email address` = Your GitHub account email [listed on your GitHub profile](https://github.com/settings/emails) (you can use the privacy *@users.noreply.github.com* email address): `Settings` -> `Emails` -> `Keep my email addresses private`)
@@ -289,46 +285,3 @@ git push
 Re-run your git command prefixed with `GIT_TRACE=1`.
 
 A failure to sign a commit is usually because the name or email does not quite match those which were used to generate the GPG key, so git cannot auto-select a key. Ensure that these are indeed consistent. (If you added a comment when creating your GPG key, this *may* cause a mismatch: the comment will be visible when listing your GPG keys, e.g. `RealName (Comment) <EmailAddress>`.) You are able to [force a choice of signing key](https://docs.github.com/en/authentication/managing-commit-signature-verification/telling-git-about-your-signing-key), though this should not be necessary.
-
-## SSH commit signing
-
-1. If you do not already have SSH key access set up on your GitHub account, first [generate a new SSH key](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent). To create a new SSH key, you need to run the following command. This will generate a new SSH key of the type `ed25519` and associate it with your email address (replace `<my_email_address>` with your actual email address):
-
-    ```shell
-    ssh-keygen -t ed25519 -C "<my_email_address>" -f "~/.ssh/github-signing-key"
-    ```
-
-    > When you run this command, it will ask you to enter a passphrase. Choose a strong passphrase and make sure to remember it, as you will need to provide it when your key is loaded by the SSH agent.
-
-1. Signing commits with an SSH key is not the default method, so you need to [configure Git](https://docs.github.com/en/authentication/managing-commit-signature-verification/telling-git-about-your-signing-key#telling-git-about-your-ssh-key) accordingly:
-
-    1. Run the following command to instruct Git to use the SSH signing key format, instead of the default GPG:
-
-        ```shell
-        git config --global gpg.format ssh
-        ```
-
-    1. Next, specify the private key for Git to use:
-
-        ```shell
-        git config --global user.signingkey ~/.ssh/github-signing-key
-        ```
-
-    1. Lastly, instruct Git to sign all of your commits:
-
-        ```shell
-        git config --global commit.gpgsign true
-        ```
-
-1. [Add the SSH public key to your GitHub account](https://github.com/settings/ssh/new) (`Settings` -> `SSH and GPG keys` -> `New SSH key`)
-
-    1. `Key type` = `Signing Key`
-    1. Copy the contents of your public key file and paste it into the `Key` field.
-
-        ```shell
-        cat ~/.ssh/github-signing-key.pub
-        ```
-
-    1. `Add SSH key`
-
-1. To ensure your configuration works as expected, make a commit to a branch locally and push it to GitHub. When you view the commit history of the branch on GitHub, [your latest commit](https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification#about-commit-signature-verification) should now display a `Verified` tag, which indicates successful signing with your GPG or SSH key.
