diff --git a/common/tooling/git.nix b/common/tooling/git.nix
index 991e1a9..28b3e8b 100644
--- a/common/tooling/git.nix
+++ b/common/tooling/git.nix
@@ -12,6 +12,8 @@ let
 getExe
 mkIf
 ;
+
+ inherit (builtins) toString readFile;
 in {
 config = mkIf (enable && tooling.enable) {
@@ -27,10 +29,16 @@ in
 programs.git = {
 enable = true;
 lfs.enable = true;
- config = {
+ config = let
+ key_file = ../../ssh/id_ed25519_sk.pub;
+ allowed_signers_file = pkgs.writeText "allowed_signers" ''${tooling.git_email} namespaces="git" ${readFile key_file}'';
+ in {
 init.defaultBranch = "main";
 credential.username = tooling.git_user;
+ gpg.format = "ssh";
+ user.signingkey = toString key_file;
+ gpg.ssh.allowedSignersFile = toString allowed_signers_file;
 user.name = tooling.git_user;
 user.email = tooling.git_email;
 push.autoSetupRemote = true;
diff --git a/ssh/id_ed25519_sk b/ssh/id_ed25519_sk
new file mode 100644
index 0000000..5a69d12
--- /dev/null
+++ b/ssh/id_ed25519_sk
@@ -0,0 +1,8 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABBCVqu7bW
+JXmNfwjGd1xpahAAAAGAAAAAEAAABKAAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29t
+AAAAIIjwxJAnq4Z83CgU15LOMNK/ARTUPFALAexYMmax4bXVAAAABHNzaDoAAACgig1MsV
+LNCxt4ktfo7rMgPmBdBRmETuj08L/3XGD5A668Y7q4GfC731ghAuBlJ9YtnU1PwbbyLNmU
+xszcWVAVOqc5Ntq1R1Hk3bJnSIVV8HTR1Zxkj9JkYy0jpfC+7PbNbFq3/u7bbyWfrw5vSH
+26GE2kZOk79ArdNOCxcjx+o9i+AE4svF2WUrRLf9s8rDNm2tu5BAn5yCCkaQv75h9bsA==
+-----END OPENSSH PRIVATE KEY-----
diff --git a/ssh/id_ed25519_sk.pub b/ssh/id_ed25519_sk.pub
new file mode 100644
index 0000000..6a70669
--- /dev/null
+++ b/ssh/id_ed25519_sk.pub
@@ -0,0 +1 @@
+sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIIjwxJAnq4Z83CgU15LOMNK/ARTUPFALAexYMmax4bXVAAAABHNzaDo= Yubi ssh
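Review bot: Signing is configured but never switched on in the second git.nix hunk: it sets `gpg.format`, `user.signingkey` and `gpg.ssh.allowedSignersFile`, but no `commit.gpgsign` or `tag.gpgsign`, so commits stay unsigned unless the user passes `-S` by hand; add `commit.gpgsign = true;` (and `tag.gpgsign = true;` if tags should be covered) next to `gpg.format = "ssh";`. The `allowed_signers_file` entry is built from `readFile key_file`, which presumably carries the key's trailing comment and newline into the file; ssh-keygen tolerates a trailing comment there, but a short comment on that line stating the expected format, `# allowed_signers line: principal namespaces="git" keytype key`, would save the next reader a lookup. Since the key type is sk-ssh-ed25519, signing will also require the FIDO authenticator (and its key handle, either resident or in ~/.ssh) to be available at commit time — worth a comment so a failed commit is not mistaken for a config error. The enclosing `config` attribute set continues past the hunk.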
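Review bot: The new file ssh/id_ed25519_sk commits an OpenSSH private key into the repository, while the git.nix hunks only ever reference the `.pub` file, so the private half is not needed by the configuration at all. The key blob appears to be an sk-ssh-ed25519@openssh.com handle with a passphrase-protected (aes256-ctr/bcrypt) envelope, which means it is unusable without the physical authenticator and the passphrase, but a private key file still does not belong in version control: keep it in ~/.ssh outside the repo, add `ssh/id_ed25519_sk` to `.gitignore`, and treat the pushed handle as exposed and generate a fresh key on the token. If the intent was to have Nix deploy the private key, a secrets mechanism rather than a plain tracked file is the right tool. A pre-commit secret scanner would have caught this `-----BEGIN OPENSSH PRIVATE KEY-----` header before it reached history.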