Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

GPG sign commits #97

Closed
nbigaouette opened this issue May 29, 2020 · 51 comments · Fixed by #1544
Closed

GPG sign commits #97

nbigaouette opened this issue May 29, 2020 · 51 comments · Fixed by #1544
Labels
feature-request help wanted Extra attention is needed nostale immune to stale-bot
Milestone

Comments

@nbigaouette
Copy link

All my commits are required to be signed at work. It would be awesome to be able to commit directly in gitui; for now I can stage files/hunk and commit using git directly.

Thanks!

@extrawurst extrawurst added the help wanted Extra attention is needed label May 30, 2020
@extrawurst
Copy link
Owner

Hi @nbigaouette thanks for your interest in the project. I did not even know that feature existed 🙈. I am going to need support by someone having experience with using signing in git for this.

@extrawurst
Copy link
Owner

extrawurst commented Jun 23, 2020

some docs on how git does gpg:

@extrawurst
Copy link
Owner

See rust-lang/git2-rs#507

@stale
Copy link

stale bot commented Oct 27, 2020

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added wontfix This will not be worked on and removed wontfix This will not be worked on labels Oct 27, 2020
@extrawurst
Copy link
Owner

extrawurst commented Oct 27, 2020 via email

@nils-a
Copy link
Contributor

nils-a commented Oct 27, 2020

Yes. I saw that after I commented. Hence the deletion of the comment. Sorry for that. 😇

@extrawurst
Copy link
Owner

@nils-a But as you can see in the PR it is non trivial and could use some support, so if you want to chime in...
so to your initial question: I posted references for people to pick up. as usual in open source: when you want something done - do it :)

@nils-a
Copy link
Contributor

nils-a commented Oct 27, 2020

yes.. love to. Need to buy a book on rust first :-)

@extrawurst
Copy link
Owner

@nils-a that's an easy step - see you soon then :P

@stale
Copy link

stale bot commented Jan 26, 2021

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the wontfix This will not be worked on label Jan 26, 2021
@stale stale bot closed this as completed Feb 2, 2021
@dnaka91
Copy link

dnaka91 commented Feb 23, 2021

Is anybody still working on this?
For me this is currently a blocker as well because I usually sign all my commits.

I used gpgme with git2 in one of my projects before and could probably integrate this rather quick.

@nils-a
Copy link
Contributor

nils-a commented Feb 23, 2021

Not me. I'm still reading that book on rust to begin with... But there is also some discussion in #219

@extrawurst
Copy link
Owner

@dnaka91 absolutely have a go at it

@dnaka91
Copy link

dnaka91 commented Apr 9, 2021

Sorry, I didn't have a chance to continue on this as I'm currently quite occupied with other things.

I definitely have this on my to-do list though.

@jakobkmar
Copy link

jakobkmar commented May 26, 2021

Shouldn't the following lines in the .gitconfig cause all commits to be signed regardless of the program doing the commit?

[user]
  name = YOUR_NAME
  email = YOUR_EMAIL
  signingkey = YOUR_SIGNING_KEY
[gpg]
  program = GPG_BINARY_PATH
[commit]
  gpgsign = true

Any ideas why that isn't the case and does not with gitui?

@extrawurst
Copy link
Owner

@bluefireoly gitui uses libgit2 a c++ implementation of git and not the git-cli. libgit2 does not do anything automagically and the necessary implementation was not done yet

@extrawurst
Copy link
Owner

extrawurst commented May 27, 2021

@bluefireoly I added #740 - it should not even allow you to commit now iff you have this config defined. this way it prevents you from generating unsigned commits even though you expressed that you need them to be signed

@jakobkmar
Copy link

Alright thank you, maybe that will prevent some people from finding this out when it is too late.

@codebasu
Copy link

I came across this issue today as I was still on v0.15 and was surprised when it let me commit without signing even with config set.

Looking into it more, I came across this:
https://libgit2.org/libgit2/#HEAD/group/commit/git_commit_create_with_signature

Not sure if this issue is on libgit2 or the git2-rs, so not sure if any help or not.

@castarco
Copy link

castarco commented Jan 30, 2022

Hi, is there any way I could help? Although in a completely different context, I had to add support to GPG signatures to one of my own projects ( https://avatar-cli.dev ), so maybe I could help here.

I did it the "dirty way" (by relying on the external git binary), but I guess it wouldn't be too complicated if I have to rely on a librarized version of it for this project.

EDIT: I see that there were at least 3 PRs focused on that, all of them stalled. So... maybe it is that complicated. My take on this is that maybe we should find a way to split this feature into smaller ones, if that's even possible, so we can go one small step at a time.

Also, for reference, I think that the last work on this topic actually belongs to this other PR: #910 , as #817 was closed.

@hendrikmaus
Copy link
Contributor

hendrikmaus commented Feb 11, 2022

@castarco indeed, this is not a trivial thing to implement. I'd like to second your idea of splitting the feature into multiple smaller parts; some could even be merged while hidden behind a feature toggle (can be as simple as a comment).


Before writing any code, I would propose to work on the following and sign each one off with @extrawurst:

  1. Define the requirements
  2. Evaluate technology to aid the implementation
  3. Verbally express the implementation path(s)

The following are my partial proposals for discussion:

1) Define the requirements

  • re-use existing configuration in a user's .gitconfig, i.e. user.signingKey
  • integrate with the gpg agent, including:
  • allowance for interactive pin-entry

2) Evaluate technology to aid the implementation

  • @extrawurst already mentioned that only solutions leveraging either gpgme or sequoia will be accepted
  • looking at the metric of open-source "stars", sequoia wins (gpgme 55, sequoia 306)
  • gpgme is a crate that provides bindings to lower level dependencies, while sequoia is a complete re-implementation in Rust; I'd prefer sequoia
  • sequoia has a positive testimonial from the creator of PGP, Phil Zimmermann
  • both crates provide plenty of examples
  • gpg-tui (~1 year old) uses gpgme

I'd propose to move forward with sequoia because of it being a Rust-native solution + being more popular.

3) Verbally express the implementation path(s)

To be honest, I did not yet dive into the codebase, because there are too many open questions.
Once we have more decisions, it would be nice to get the folks back into the loop who have already submitted pr's. No matter if they abandoned them or not, their feedback and input is valuable nontheless.

@extrawurst
Copy link
Owner

hi @hendrikmaus and thanks for wrapping this up. this topic is long running and arguably one of the most requested features. I am glad you are going to approach this with such a thought out structure.

since I am not using commit signing myself, my opinion on this is rather high level. my biggest concern is cross-platform support and testability. we need to make sure we come up with something that works on all three platforms and is well covered in tests, so that A) I can us the tests as a life raft if I need to maintain the code after potential contributors sailed away and B) to guarantee stability on the platforms I am not using myself.

your points so far seem reasonable to me. I personally had no tendency for either gpgme or sequoia but I can follow your assessment!

I assume in terms of slicing this I would make a first iteration without support of interactive pin entry, because adding that should be easy, we do a similar thing already for https credential input on demand.

@hendrikmaus
Copy link
Contributor

Update: I have started to study the source code of https://gitlab.com/sequoia-pgp/sequoia-octopus-librnp which the Sequoia-based OpenPGP Backend for Thunderbird.
This is useful to get to know how the crate is supposed to be used in real life, as the project is driven by the engineers behind Sequoia itself. Also, the project demonstrates an integration with the local gpg agent.

@cedricschwyter
Copy link

Any updates/progress on this? Is this feature actively being worked on? Am considering to start working on this myself

@hendrikmaus
Copy link
Contributor

I am doing research on the side to then propose an implementation verbally before writing code.

@gszabo
Copy link

gszabo commented Sep 19, 2022

Commits now can also be signed with ssh keys, if you specify gpg.format=ssh in git config. Does that complicate or maybe simplify the problem somehow?

@extrawurst
Copy link
Owner

@gszabo see #1149

@hendrikmaus
Copy link
Contributor

My research on the topic is going slow, but steady.

@hendrikmaus
Copy link
Contributor

I want to share where I am currently at, so that I can gather feedback and we can iterate on the plan.

I think we can assume that a user already signs commits using the git binary and hence has gpg and likely also the gpg-agent setup. We should not interfere with it, but, as a first baby step, try to use this infra.
So let's assume the gpg-agent is there and we can relay all cryptographic operations to it. That includes decrypting the key if it is locked as a user will have configured their gpg-agent with a pinentry program. Gitui does not have to take of the password input and key decryption - great.
Also, a user does not have to store an unencrypted passphrase-less private key on disk, which many folks wouldn't be comfortable with anyway.

Aside: the git source code actually shells out to the gpg.progam, e.g. gpg itself, to do all this. Then gpg takes care of talking to its own agent.

Now, Sequoia comes with a crate for IPC (inter process communication), which in turn comes with an implementation to talk to an existing gpg-agent. So gitui can try to connect and error out if there is an issue on the way.

If we can connect, Sequoia needs the public key to sign with. This is where we have to deviate from what git usually does: it reads the keyid from .gitconfig (last 8 bytes of the key fingerprint) and passes that to gpg which is able retrieve the public key somehow.

I talked to the folks in the Sequoia IRC and, so far, the conclusion was that one technically only needs the keygrip (which is yet another thing gpg --list-keys --with-keygrip if you're curious), but Sequoia IPC always needs the public key. So, if gitui doesn't have it already, I would propose we create a custom config section in .gitconfig that allows us to retrieve:

  • method of signing, e.g. gpg-agent
    • this key could indicate other methods in the future, like one that iusses another keystore backend etc.
  • if method of signing is set to gpg-agent, then the path to the public key pem data to use on disk

So, if gitui is instructed to sign the commit, we reach out to the .gitconfig to read our config. If that is good, we try to reach out to the gpg-agent. If that is good, we tell the gpg-agent to sign our buffer. After some more implementation details, we are able to write the commit.

@hendrikmaus
Copy link
Contributor

A suggestion from the Sequoia IRC was to not store the gpg public key on disk. Because it might get out of sync and/or cause additional confusion later when the extra step for gitui is forgotten.

The proposal was to do at least one shellout to gpg in this case to get the public key pem data by the normal user.signingKey config value from .gitconfig, i.e. we'd call gpg --export --armor <keyid> and grab the pem data.

What do you think?
a. no shellout, user has to export public key to disk
b. a single shellout to gpg to have it "just work"?

@hendrikmaus
Copy link
Contributor

I had another chat with @extrawurst and we concluded to start with the existing shellout implementations. Anyone with an existing gpg signing setup can then start to use gitui without any additional setup. In #1544 gpg itself is added.

The PR provides entrypoints for ssh as well as x509 signing.

However, we discussed to add a new option to gitconfig, which will gate pure Rust implementations (or as close as we can reasonably get).

@extrawurst
Copy link
Owner

thanks @hendrikmaus for taking a crack at it. Everyone subscribed here please take a go at the PR: #1544

@alexanderkjall
Copy link

I realize that I'm very late to the party, but I also had some trouble implementing signed commit's in ripasso ( https://github.com/cortex/ripasso/blob/master/src/git.rs#L50 ) and wrote this blog post about it: https://blog.hackeriet.no/signing-git-commits-in-rust/

It might help someone.

@kuboon
Copy link

kuboon commented Feb 19, 2024

How about signing with SSH key. Is this easier than use GPG?

Git 2.34 includes support to take advantage of this feature and allows you to sign your work using SSH keys.

https://github.blog/2021-11-15-highlights-from-git-2-34/#tidbits

github also supports it https://docs.github.com/en/authentication/managing-commit-signature-verification/telling-git-about-your-signing-key#telling-git-about-your-ssh-key

@totikom
Copy link

totikom commented Feb 19, 2024

How about signing with SSH key?

AFAIK, it is much less popular than gpg signing.

@matthiasbeyer
Copy link

AFAIK, it is much less popular than gpg signing.

I disagree. We simply don't know IMO.

@extrawurst
Copy link
Owner

SSH signing has a PR: #2047

@extrawurst
Copy link
Owner

This is merged, please everyone give the recent master a try to make the next release rock solid!

@storopoli
Copy link

This works just tested on master with the default config (I haven't installed gitui or tried out since GPG-signing is a must for me).
Looking forward for a tag release so I can ditch lazygit.

@extrawurst
Copy link
Owner

Hey everyone in case you were hesitant to test this by having to build from source, please use our new nightly releases to give it a spin: https://github.com/extrawurst/gitui/blob/master/NIGHTLIES.md

@mlabbe
Copy link

mlabbe commented Mar 30, 2024

I am happy to report that the nightly gitui.exe was compatible with my signed commit on Windows! (The link to the windows versions in nightlies.md is wrong but that's really a footnote here).

@extrawurst
Copy link
Owner

@mlabbe thanks for the hint, fixed the windows links

@mlabbe
Copy link

mlabbe commented Apr 8, 2024

I can also report that this worked for me on my Linux workstation.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
feature-request help wanted Extra attention is needed nostale immune to stale-bot
Projects
None yet
Development

Successfully merging a pull request may close this issue.