Commit 8df0fab9c963

Vincent Demeester <vincent@sbr.pm>
2026-01-29 19:39:48
feat(git): use no-touch FIDO2 key for commit signing
Create dedicated ssh:signing resident key with no-touch-required flag for seamless commit signing without YubiKey touch confirmation. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
1 parent 98ca48a
Changed files (1)
home/common/shell/git.nix
@@ -28,8 +28,8 @@ let
     "src/knative-sandbox"
   ];
   sshkeyPerHost = {
-    # FIDO2 resident key (ssh:personal) - no touch required for signing
-    kyushu = "${pkgs.writeText "yubikey5-fido2" "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIJ0HEuDwEL1fX0VR35ttJQNRYYFjIiOv8ZWtl419Ddt0AAAADHNzaDpwZXJzb25hbA== ssh:personal"}";
+    # FIDO2 resident key (ssh:signing) - no touch required for signing
+    kyushu = "${pkgs.writeText "yubikey5-fido2-signing" "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIGF/BoGqFc5/pM40bF/2UhWzRFaDmS4hJ45VtpXjUh36AAAAC3NzaDpzaWduaW5n"}";
     aomi = "${pkgs.writeText "aomi" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILJmTdMKYdgqpbQWBif58VBuwX+GqMGsMfB1ey1TKrM3 vincent@aomi"}";
   };
   defaultSSHKey = sshkeyPerHost.kyushu;
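Review bot: The comment above the new `kyushu` key says touch is not required but not what that gives up. With a no-touch-required resident key a signature shows only that the YubiKey was connected, not that the user approved that particular commit, so unless the key was also created with verify-required, any process running as the user can obtain one. I would record that in the comment, e.g. `# FIDO2 resident key (ssh:signing), no-touch-required: for git signing only; signatures do not prove user presence, do not reuse for SSH login`. Whether `defaultSSHKey` is consumed only as the git signing key is not visible in this hunk; if it also feeds SSH authentication, that use should keep a touch-required key.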
@@ -42,7 +42,7 @@ let
   # List of allowed SSH signing keys for git commit verification
   allowedSigners = ''
     vincent@aomi ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILJmTdMKYdgqpbQWBif58VBuwX+GqMGsMfB1ey1TKrM3
-    vincent@kyushu sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIJ0HEuDwEL1fX0VR35ttJQNRYYFjIiOv8ZWtl419Ddt0AAAADHNzaDpwZXJzb25hbA==
+    vincent@kyushu sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIGF/BoGqFc5/pM40bF/2UhWzRFaDmS4hJ45VtpXjUh36AAAAC3NzaDpzaWduaW5n
   '';
 in
 {
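Review bot: Replacing the `vincent@kyushu` line in `allowedSigners` drops the old ssh:personal key, so commits already signed with it will presumably stop verifying against this file. Consider keeping the old line next to the new one with an expiry, `vincent@kyushu valid-before="<YYYYMMDD retirement date>" sk-ssh-ed25519@openssh.com <old ssh:personal key>`. Because the new key signs without touch, its entry could also be scoped as `vincent@kyushu namespaces="git" sk-ssh-ed25519@openssh.com …`, so that signatures it makes in other namespaces are not accepted by anything verifying against this list. The `let` block these bindings belong to starts outside the hunk.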