devAlice
Git Authentication on Windows — Credential Manager · SSH · Commit Signing

Smooth Git auth on Windows: Git Credential Manager, SSH keys, SSH signing, multi-account.

Git auth on Windows is slightly trickier than macOS/Linux — Git Credential Manager (GCM), OpenSSH, and 1Password agent can collide. This guide is a one-time clean setup so you don't touch it for a year.

Target: Windows 11 + Git for Windows + GitHub (post Windows initial setup).

TL;DR

  1. Git Credential Manager (GCM) — OAuth (browser sign-in) for HTTPS clones
  2. OpenSSH keys — for SSH clones. Ed25519 recommended
  3. Commit signing — via SSH key (simpler than GPG)
  4. Work/personal separation — includeIf or ~/.ssh/config Host aliases
  5. 1Password SSH agent (optional) — keys in vault

Prerequisites

  • Git for Windows 2.40+ — winget install --id Git.Git (Windows initial setup)
  • OpenSSH client enabled (default on Win11) — check via Get-WindowsCapability -Online -Name "OpenSSH.Client*"

1. Git Credential Manager — HTTPS

GCM ships with Git for Windows. HTTPS clones/pushes open the OAuth browser flow automatically:

git clone https://github.com/user/repo.git
# Browser opens → GitHub login → token stored automatically

Storage: Windows Credential Manager (Control Panel → User Accounts → Credential Manager → Windows Credentials).

Verify

git config --global credential.helper
# manager

If you get manager, GCM is active. Otherwise:

git config --global credential.helper manager

Multi-account (work + personal GitHub)

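Have Git pass the full repository path to the credential helper, so credentials are keyed on the path instead of the host alone:

git config --global --add credential.https://github.com.useHttpPath true

Credentials are now stored separately per repository path on the same host.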

2. SSH Keys

SSH is smoother than HTTPS (no browser). Generate an Ed25519 key:

ssh-keygen -t ed25519 -C "you@example.com"
# Path: ~/.ssh/id_ed25519 (default)
# Passphrase: recommended (1Password agent auto-unlocks)

Show the public key:

Get-Content ~/.ssh/id_ed25519.pub
# ssh-ed25519 AAAA... you@example.com

GitHub → Settings → SSH and GPG keys → New SSH key → paste the public key.

Enable ssh-agent (auto-unlock passphrase)

# Administrator PowerShell
Get-Service ssh-agent | Set-Service -StartupType Automatic
Start-Service ssh-agent
 
# Regular PowerShell
ssh-add ~/.ssh/id_ed25519
# Enter passphrase once; auto thereafter

Verify SSH

ssh -T git@github.com
# Hi yourname! You've successfully authenticated, but GitHub does not provide shell access.

Switch remote URL (HTTPS → SSH)

git remote set-url origin git@github.com:user/repo.git

3. Commit Signing with SSH

Simpler than GPG and reuses the same key. Requires Git 2.34+.

git config --global gpg.format ssh
git config --global user.signingkey "ssh-ed25519 AAAA... you@example.com"
git config --global commit.gpgsign true
git config --global tag.gpgsign true

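user.signingkey can be the full public-key line, as above (current Git documents this literal form with a key:: prefix and still accepts a bare ssh-... value), or a path to the public-key file: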

git config --global user.signingkey "C:/Users/me/.ssh/id_ed25519.pub"

Register the signing key with GitHub

Register the same public key on GitHub → SSH and GPG keys → Add new SSH key → Key type = Signing Key.

Test

git commit --allow-empty -m "test signed"
git log --show-signature -1
# Good "git" signature with ED25519 key SHA256:...

Check the "Verified" badge on the PR page.

allowed_signers file (needed for local verify)

~/.config/git/allowed_signers:

you@example.com ssh-ed25519 AAAA...
coworker@example.com ssh-ed25519 BBBB...

Point Git at the file:

git config --global gpg.ssh.allowedSignersFile "$HOME/.config/git/allowed_signers"

git log --show-signature now verifies others' commits too.
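
A malformed allowed_signers line does not stop Git from running; the affected signer's commits simply fail to verify. The linter below is an added example, not part of the original guide or of Git: the function names Get-BlobKeyType and Test-AllowedSignersLine are hypothetical, and the sample lines are constructed. It checks that each line has a principal, that the declared key type matches the type encoded inside the base64 blob, and that a namespaces option still allows the "git" namespace Git signs under.

```powershell
# Added example: lint allowed_signers lines (principals [options] keytype base64-key).
$KeyTypes = 'ssh-ed25519', 'ssh-rsa', 'ecdsa-sha2-nistp256', 'ecdsa-sha2-nistp384',
            'ecdsa-sha2-nistp521', 'sk-ssh-ed25519@openssh.com', 'sk-ecdsa-sha2-nistp256@openssh.com'

function Get-BlobKeyType([string]$Base64) {
    # An SSH public-key blob starts with a 4-byte big-endian length, then the key type in ASCII.
    try { $b = [Convert]::FromBase64String($Base64) } catch { return $null }
    if ($b.Length -lt 4) { return $null }
    $len = ($b[0] * 16777216) + ($b[1] * 65536) + ($b[2] * 256) + $b[3]
    if ($len -lt 1 -or $len -gt ($b.Length - 4)) { return $null }
    return [Text.Encoding]::ASCII.GetString($b, 4, $len)
}

function Test-AllowedSignersLine([string]$Line) {
    $text = $Line.Trim()
    if ($text -eq '' -or $text.StartsWith('#')) { return }   # blank lines and comments are skipped
    $tok = @($text -split '\s+')
    $i = 0
    while ($i -lt $tok.Count -and $KeyTypes -notcontains $tok[$i]) { $i++ }
    $problems = @()
    if ($i -ge $tok.Count) { $problems += 'no recognised key type' }
    elseif ($i -eq 0) { $problems += 'principal missing (raw .pub line pasted?)' }
    elseif ($i + 1 -ge $tok.Count) { $problems += 'base64 key missing' }
    else {
        $inner = Get-BlobKeyType $tok[$i + 1]
        if (-not $inner) { $problems += 'key is not a valid base64 SSH blob' }
        elseif ($inner -ne $tok[$i]) { $problems += "declared $($tok[$i]) but blob says $inner" }
        # Git signs in the "git" namespace, so a namespaces= option has to list it.
        # Simplification: quoted form and exact names only, no wildcard patterns.
        $opts = if ($i -gt 1) { $tok[1..($i - 1)] } else { @() }
        foreach ($o in $opts) {
            if ($o -match 'namespaces="([^"]*)"' -and ($Matches[1] -split ',') -notcontains 'git') {
                $problems += 'namespaces option does not include git'
            }
        }
    }
    [pscustomobject]@{ Entry = $text.Substring(0, [Math]::Min(45, $text.Length)); Problems = $problems -join '; ' }
}

# Constructed sample data: a well-formed Ed25519 blob with all-zero key bytes (not a real key).
[byte[]]$raw = @(0, 0, 0, 11) + [Text.Encoding]::ASCII.GetBytes('ssh-ed25519') + @(0, 0, 0, 32) + (New-Object byte[] 32)
$blob = [Convert]::ToBase64String($raw)
@(
    '# team signers'
    "you@example.com ssh-ed25519 $blob"
    'coworker@example.com namespaces="file" ssh-ed25519 ' + $blob
    "ssh-ed25519 $blob you@example.com"
    "ops@example.com ssh-rsa $blob"
) | ForEach-Object { Test-AllowedSignersLine $_ } | Format-Table -AutoSize -Wrap
```

To lint the real file, pipe it in instead: Get-Content "$HOME/.config/git/allowed_signers" | ForEach-Object { Test-AllowedSignersLine $_ }.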

4. Multi GitHub Account (Work + Personal)

4.1 SSH config — Host aliases

~/.ssh/config:

Host github.com-personal
  HostName github.com
  User git
  IdentityFile ~/.ssh/id_ed25519_personal
  IdentitiesOnly yes

Host github.com-work
  HostName github.com
  User git
  IdentityFile ~/.ssh/id_ed25519_work
  IdentitiesOnly yes

Clone:

git clone git@github.com-personal:personal-user/repo.git
git clone git@github.com-work:company/repo.git

4.2 Per-folder user.email — includeIf

~/.gitconfig:

[user]
    name = Your Name
    email = personal@example.com
 
[includeIf "gitdir:C:/Users/me/work/"]
    path = C:/Users/me/.gitconfig-work

~/.gitconfig-work:

[user]
    email = me@company.com
    signingkey = ssh-ed25519 AAAA... me@company.com

Repos under C:/Users/me/work/ automatically use the work email/key.

Verify:

cd C:\Users\me\work\some-repo
git config user.email
# me@company.com
 
cd C:\Users\me\personal\some-repo
git config user.email
# personal@example.com

5. 1Password SSH Agent (optional)

See password manager. On Windows, set the agent socket via env var:

  1. 1Password desktop → Settings → Developer → "Use the SSH agent" ✅
  2. Store SSH keys in 1Password vault + register with GitHub
  3. PowerShell $PROFILE:
    $env:SSH_AUTH_SOCK = '\\.\pipe\openssh-ssh-agent'
  4. New terminal → ssh -T git@github.com → Windows Hello once

Now SSH and commit signing work without plaintext private keys in ~/.ssh/id_* on disk.

6. Verification

  1. ssh -T git@github.com — auth OK
  2. git clone git@github.com:you/repo.git — no passphrase prompt (or one biometric tap)
  3. git commit --allow-empty -m test; git log --show-signature -1 — "Good signature"
  4. PR on GitHub shows the "Verified" badge
  5. Different git config user.email in work vs personal folders

Troubleshooting

ssh: connect to host github.com port 22: Connection timed out

Corporate firewall blocks 22. Use SSH over 443:

# ~/.ssh/config
Host github.com
  HostName ssh.github.com
  Port 443

Permission denied (publickey)

  • Key file permissions — icacls "$HOME\.ssh\id_ed25519" /inheritance:r /grant:r "$($env:USERNAME):(R)"
  • Public key not registered on GitHub
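
Before rewriting the ACL with icacls, it helps to see which entries are the problem. The check below is an added example, not part of the original guide: Get-KeyAclFinding is a hypothetical name, and it assumes that Windows OpenSSH accepts access only for the current user, SYSTEM and the Administrators group on a private key file.

```powershell
# Added example: list ACL entries on a private key that Windows OpenSSH would object to.
function Get-KeyAclFinding {
    param([Parameter(Mandatory)][string]$Path)

    $acl = Get-Acl -LiteralPath $Path
    $sid = [System.Security.Principal.SecurityIdentifier]
    $me  = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    # Assumption: current user, SYSTEM (S-1-5-18) and Administrators (S-1-5-32-544) are acceptable.
    $trusted = @($me, 'S-1-5-18', 'S-1-5-32-544')

    $findings = @()
    $owner = $acl.GetOwner($sid).Value
    if ($trusted -notcontains $owner) { $findings += "owner is $owner" }

    # Include explicit and inherited rules, with identities returned as SIDs.
    foreach ($rule in $acl.GetAccessRules($true, $true, $sid)) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        $who = $rule.IdentityReference.Value
        if ($trusted -notcontains $who) {
            # Show a readable account name where the SID can be resolved.
            $name = try { $rule.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value } catch { $who }
            $findings += "{0} has {1}{2}" -f $name, $rule.FileSystemRights, $(if ($rule.IsInherited) { ' (inherited)' })
        }
    }
    [pscustomobject]@{
        Path               = $Path
        InheritanceEnabled = -not $acl.AreAccessRulesProtected
        Findings           = $findings
        Ok                 = ($findings.Count -eq 0)
    }
}

$key = Join-Path $HOME '.ssh\id_ed25519'   # default key path used in this guide
if (Test-Path -LiteralPath $key) { Get-KeyAclFinding $key | Format-List }
```

Entries marked (inherited) come from the parent folder and are what /inheritance:r strips.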

GCM disabled

git config --global credential.helper manager
git config --global credential.helperSelector prompt

1Password SSH agent not detected

  • Desktop app running + signed in + Developer option ON
  • SSH_AUTH_SOCK exact value (\\.\pipe\openssh-ssh-agent)
  • Conflict: if the OpenSSH agent service is running, its socket may win. Run Stop-Service ssh-agent, or disable the service

Commit signing shows "Unverified"

  • Register the SSH key on GitHub as a signing key (separate from auth)
  • git config --global gpg.format ssh missing
  • Key corrupted — regenerate + re-register

includeIf not firing

  • Git 2.36+ required (older Git for Windows missing support)
  • gitdir path needs trailing / (C:/Users/me/work/)
  • Use / not \ on Windows

Changelog

  • 2026-05-12: First draft. GCM + SSH keys + SSH signing + multi-account + 1Password agent + six troubleshooting cases.
