gpg docs: explain better use of ssh.defaultKeyCommand

Using `ssh-add -L` for gpg.ssh.defaultKeyCommand is not a good recommendation. It might switch keys depending on the order of known keys and it only supports ssh-* and no ecdsa or other keys. Clarify that we expect a literal key prefixed by `key::`, give valid example use cases and refer to `user.signingKey` as the preferred option. Signed-off-by: Fabian Stelzer <fs@gigacodes.de> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2022-06-08 17:24:37 +02:00 · 2022-06-08 17:24:37 +02:00 · ce18a30bb7
--- a/Documentation/config/gpg.txt
+++ b/Documentation/config/gpg.txt
@ -36,9 +36,12 @@ gpg.minTrustLevel::

 gpg.ssh.defaultKeyCommand::
 	This command that will be run when user.signingkey is not set and a ssh
-	signature is requested. On successful exit a valid ssh public key is
-	expected in the first line of its output. To automatically use the first
-	available key from your ssh-agent set this to "ssh-add -L".
+	signature is requested. On successful exit a valid ssh public key
+	prefixed with `key::` is expected in the first line of its output.
+	This allows for a script doing a dynamic lookup of the correct public
+	key when it is impractical to statically configure `user.signingKey`.
+	For example when keys or SSH Certificates are rotated frequently or
+	selection of the right key depends on external factors unknown to git.

 gpg.ssh.allowedSignersFile::
 	A file containing ssh public keys which you are willing to trust.