Problem with ssh signing

SSH always makes me want to tear my hair out, I must be doing something wrong. But I have set

programs.git = {
  signing = {
    format = "ssh";
    signByDefault = true;
    key = "./../.ssh/id_ed25519_sk.pub";
  };
};

and of course I enabled ssh-agent to run at startup. But I need to add the key to ~/.config/git/allowed-signers and I can’t find a way to do it declaratively. I hope someone can help me and that I provided enough context.

I assume that you are using home-manager and you are trying to use the programs.git option from home-manager.

In this case, you need to set programs.git.settings.user.signingkey:

programs.git = {
  signing = {
    format = "ssh";
    signByDefault = true;
  };

  settings.user = {
    signingkey = "~/.ssh/id_ed25519_sk.pub";
  };
};

I have been doing it wrong. Thank you so much. Now I just need to know how to add a second key, since I have 2 hardware keys, one primary and a backup.

You can’t. Either back up a copy of your key, or use subkeys of the same key (e.g. if you’re exporting them to yubikeys). Don’t try to use multiple keys.

I can’t? Why is that? Is there a good reason for it? I guess it’s fine since I can do 2FA with both on GitHub, so I can change the SSH key at any point. But I'm just wondering. It works now and I am so relieved, thank you so much for your help.

Well, git only signs a commit with one key.

Technically it’s possible to sign messages with multiple keys, but that’s an AND relation: the meaning becomes that a commit is invalid unless both signatures are valid.

This means it’s completely pointless to sign a commit with two keys; if you lose your main key, having the backup doesn’t help at all; you’ll anyway have to switch to only signing with your backup key, you gain nothing from having signed with two keys in the past.

Signing with two keys only makes sense if you want to express something with it, e.g. that there are two authors. But git doesn’t support this anyway AFAIK.

What you want to do clearly comes from a misunderstanding of PGP. I don’t know why you have two keys, but the relation that you’re trying to express is probably either subkeys or a backup of your main key.

If you can explain why you have two keys, I can tell you how that is supposed to be done.


It could be possible that I have a misunderstanding of PGP, but I sign with SSH since I found GPG so hard to understand. Thank you for the explanation though. The reason for me having 2 keys is because I use hardware keys and one is intended to be a backup. I use SSH keys for signing, since that is easier.

Yeah, I figured.

You have two options:

  1. Sign with only one key at a time; if you ever need to switch to your backup key, just change the key you sign with in the configuration. As long as both public keys are known to be yours (e.g. by adding both to GitHub) you won’t have any issues.
  2. Switch to gpg and create separate subkeys for each hardware key.

I would simply use your main key in your settings, because for me a backup key is something which I only use if I don’t have access to my main key. So if I have to use my backup key, I’d swap it out in my config and rebuild my system.

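Option 1 above, combined with the original question about declaring the allowed-signers file, as an added home-manager example (not from any post in this thread): it signs with the primary key only, but lists both hardware keys' public keys as trusted for the same identity, so `git verify-commit` accepts commits made with either. The `gpg.ssh.allowedSignersFile` git setting and the `home.file` option are real; the file path, the e-mail, and the `<PUBKEY-...>` placeholders are assumptions to replace with your own values.

```nix
{ config, ... }:
{
  programs.git = {
    signing = {
      format = "ssh";
      signByDefault = true;
    };
    settings = {
      # Only the primary hardware key is ever used to sign.
      user.signingkey = "~/.ssh/id_ed25519_sk.pub";
      # Tell git where the trusted-signers list lives (path is an assumption).
      gpg.ssh.allowedSignersFile =
        "${config.home.homeDirectory}/.config/git/allowed_signers";
    };
  };

  # Declarative allowed_signers: one line per trusted key, format
  #   <principal> [options] <key-type> <base64-key>
  # Listing both keys means a later switch to the backup key (by changing
  # user.signingkey) needs no change here to keep old and new commits verifiable.
  home.file.".config/git/allowed_signers".text = ''
    you@example.com namespaces="git" sk-ssh-ed25519@openssh.com <PUBKEY-PRIMARY>
    you@example.com namespaces="git" sk-ssh-ed25519@openssh.com <PUBKEY-BACKUP>
  '';
}
```

After a rebuild, `git log --show-signature -1` on a signed commit should report a good signature for the principal above; an unlisted key shows up as "No principal matched", which is the check to run before trusting the setup.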