Add GnuPG Support to sign git commits

[strausmann]

Problem this feature will solve

The signing of Git commits currently has to be set up again each time the workspace is restarted.

Background

Restarting the workspace does not preserve the local information of the workspace, thus the GPG Privatekey and the Git Config are not preserved.

Proposed Solution

With the start of the workspace, the Git configuration should want to automatically sign each commit and the GnuPG private key is imported into the workspace. So that with a Git commit only the password of the GPG key is requested and the commit is signed with it.

Constraints and Assumptions

• GPG support should only be set up if GPG_KEY and GPG_KEY_ID are stored in the Gitpod environments.
• The GPG private key should be Base64 encoded in the GitPod environments.
• GPG signed commits will not be marked as verified in the github UI if the email ~/.gitconfig doesnt match that of the GPG key.

Alternatives or Workarounds

Since this is not a rarely relevant feature, a project-based implementation is less likely to be considered if necessary.

Additional context

Add any other context or screenshots about the feature request here.

[apolopena]

@strausmann For documentation and testing can you give an example of the proper values for $GNUPG_KEY and $GNUPG_SIGNING_KEY?

[apolopena]

I merged in your changes to the development branch and enhanced them, now I would like to test and document this great feature.

[apolopena]

Depends on #176

[apolopena]

@strausmann ready to test in the development branch
https://gitpod.io/#/https://github.com/apolopena/gitpod-laravel-starter/tree/development

Please test on multiple workspace restarts to be safe.

[strausmann]

Could be used successfully even after several restarts of the workspace.

[apolopena]

Awesome. Perhaps we should quiet the gpg stdout and only show stderr since we have so much output already. We report on SUCCESS or ERROR already. What do you think?

[strausmann]

I like, I had also already considered

[apolopena]

Great. I just added that in blind. Test if you like.

[strausmann]

Does not work as expected 3614991

[apolopena]

Ok please try again

[strausmann]

Looks better...

[strausmann]

[apolopena]

I am pretty sure this existed before my fix for supressing output. Please revert those fixes and run git log --show-signature -1 again to verify.

[strausmann]

All good, this was the output of git log --show-signature -1
just wanted to clarify that now signing works again.

[apolopena]

oh ok, haha. It looked like a failure with that warning but I take it that is because the key you are testing with is just a dummy. If you used your true key would the warning go away?

[apolopena]

Yeah so the last thing on the list before release is #176. Please see my last comment.

[apolopena]

oh yeah the intellisense feature needs to be documented in the README as well. I will add that to #176

[strausmann]

git log --show-signature -1

No, even with my own key the warning is not gone, because after importing the key, you would still have to set it trusted.

You would have to execute an edit-key interactively to trust the key.

But everything ok. You still need the passphrase for the private key anyway.

[apolopena]

You would have to execute an edit-key interactively to trust the key.

Can you give me this or a link that shows how its done so I can put it in the documentation?

[strausmann]

yes, sure.

https://blog.tersmitten.nl/how-to-ultimately-trust-a-public-key-non-interactively.html

[apolopena]

Renaming GNUPG_SIGNING_KEY to GPG_KEY_ID and GNUPG_KEY to GPG_KEY, will document this in #176

[apolopena]

GPG Key for git commit signing is implemented properly and logged however pushes to remote still show up as unverified.

[apolopena]

This is related to the fact that a GPG key can have an email address that doesn't match the git commiters address such as in the case where a github no-reply email address is used such as 3060702+apolopena@users.noreply.github.com

[apolopena]

I will add support for a third environment variable: GPG_MATCH_GIT_TO_EMAIL
The value should be set to the email that your GPG key uses.
Setting this environment variable will set git config --global user.email $GPG_MATCH_GIT_TO_EMAIL

[apolopena]

I will add support for a fourth environment variable: $GPG_AUTO_ULTIMATE_TRUST
If the value is set to yes or YES then the GPG_KEY with GPG_KEY_ID will be programatically given ultimate trust.

[strausmann]

@apolopena
Perfect... thank you