I tried to replace gpg with this setup last year and failed because I wanted to use FIDO2 ssh keys which are stored on a YubiKey. It didn't work back then. My hope was that I could get to a setup where I only need a YubiKey and the gitconfig to make this work. I stayed with gpg signing for now since my key is on the same YubiKey as the ssh key now. Does this work now?
On that note I really like the FIDO ssh feature but would like to see more services support these. Arch User Repository still doesn't support these and I don't know what the status over at gitlab is now.
This is not what I meant. I used this setup before. But you need gpg, the right config, the ssh-agent from gpg, etc. I did a setup like this on macOS, Linux, and Windows. It was a nightmare to set up. macOS starts an ssh-agent by default, so one needs to rewrite the environment etc. to inject the gpg ssh-agent. Linux is a little simpler though.
What I wanted is to use the external ssh keys on a FIDO key [1] in combination with the commit signing feature. With that I would skip the whole gpg part of the setup and only configure git and maybe ssh. But the generated keys (they have a -sk postfix) didn't work with the signing feature.
And don't get me started on Windows and WSL. WSL has no access to USB. And there are no device pipes, only file pipes. There is a solution for this with a custom process on Windows which passes the FIDO key over a file pipe/socket (not sure about the specifics anymore). There was no one-click setup at the time when I did this. Maybe that has changed.
This works now, as of OpenSSH 8.9, even on Windows. I have this setup on Windows 11 + YubiKey 5C NFC + an SSH key. Signing pulls up the Windows Hello/FIDO2 PIN prompt and all.