[git] Support GPG-signing & verifying commits #6299

Open
jankeromnes opened this issue Oct 1, 2019 · 7 comments
Labels
enhancement issues that are enhancements to current functionality - nice to haves git issues related to git help wanted issues meant to be picked up, require help

Comments

@jankeromnes
Member

Description

Many developers like to GPG-sign their commits, using a personal GPG key pair, which will show their commits as "Verified" on GitHub. Some projects even require all commits to be verified as a rule.

Currently, you can achieve this via the Terminal, by using the git commit -S[<keyid>] flag (a.k.a. git commit --gpg-sign[=<keyid>]). But it would be nice to be able to do that via the Git UI as well.

Reproduction Steps

  1. Try to GPG-sign a commit from Theia
  2. Notice the option is missing from the Git UI

OS and Theia version: master

Diagnostics: N/A

Notes: Originally filed as gitpod-io/gitpod#467 and gitpod-io/gitpod#666. Also, while discussing how to actually import GPG keys before commits can be signed, we identified the Krypton app which looks promising (but it also just got acquired by Akamai, adding some uncertainty about its continued operation).

@akosyakov akosyakov added enhancement issues that are enhancements to current functionality - nice to haves git issues related to git help wanted issues meant to be picked up, require help labels Oct 1, 2019
@marcdumais-work
Contributor

This issue was discussed at today's dev-meeting, because of its number of up-votes. We realize it's an old one and the people who up-voted may have moved on. But if others seek to do this, it's possible today.

Here's how to set this up. Choose the section appropriate for your case: whether your Theia application uses the Theia-specific @theia/git, like the example application, or the vscode built-in git, like Theia Blueprint.

Either way you will need a GPG key before proceeding. If you need help creating one, see [1] and [3] below.

Using vscode built-in git (2 extensions pulled from open-vsx.org)

I tried this in Theia Blueprint, which uses the vscode built-in git extension, rather than @theia/git.

To enable the feature, "check" preference "Git: Enable Commit Signing".

Proceed to the "testing this works" section below

Using @theia/git

For example the example application from the main Theia repo (this one here). Theia git does not at this time provide a preference similar to vscode's git, to force signing commits. In consequence, one needs to rely on some OS-level git setting to make that magic happen. You need to tell git about the GPG key you want used to sign commits and also configure it to force signing. See [4] below for a guide, how to set this up in git.

Getting started quick: build the example app from sources

cd theia
yarn && yarn electron build && yarn electron start

Proceed to the "testing this works" section below

testing this works

When you create a commit using the Theia or Blueprint git UI, as set up in their corresponding sections above, you should be prompted for the passphrase associated to your GPG key. Afterwards you can verify that the commit was signed using this git CLI command:

git log --show-signature

e.g.

commit d548027432fbc511d813ef898a914b93c67c9c36 (HEAD -> test-gpg-sign)
gpg: Signature made Tue 30 May 2023 03:22:03 PM EDT
gpg:                using RSA key 312172BCFB5CE3BFF63F121299F5FB779FF5A1C7
gpg: Good signature from "Marc dumais <marc.dumais@gmail.com>" [ultimate]
Author: Marc Dumais <marc.dumais@ericsson.com>
Date:   Tue May 30 15:22:03 2023 -0400

    sdfsdfsdfsdfsdfsfsf

This is what it looks like in the Theia example application:

[Image: Automatic GPG signing in the Theia example app]

[1]: if like me you do not have a GPG key, or if it's not configured in your local git, or GitHub, see the following GitHub documentation links:
[2]: Adding a GPG key to your GitHub account
[3]: Generating a new GPG key
[4]: Telling Git about your signing key
[5]: Signing commits
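
Added example, not part of the comment above and not Theia code: the two steps it describes, done in shell. `configure_signing` sets the git options that make any UI produce signed commits, and `check_signatures` replaces reading `git log --show-signature` by eye with a check against an allowlist of key fingerprints. The function names, the allowlist, and the choice to accept status `U` (good signature, key trust not set locally) are assumptions; the first sample line reuses the commit and key from the output above, the rest are constructed.

```shell
#!/bin/sh
# Added example; function names and the allowlist are hypothetical.

# Repo-level form of the git settings the comment refers to: choose the
# signing key and sign every commit, whichever UI runs `git commit`.
configure_signing() {   # usage: configure_signing <repo-dir> <key-id>
    git -C "$1" config user.signingkey "$2" &&
    git -C "$1" config commit.gpgsign true
}

# Reads "<commit> <status> <fingerprint>" lines on stdin, as printed by
#   git log --format='%H %G? %GF' <range>
# Prints each commit that lacks a good signature (G, or U = good but key
# trust not set locally) from a fingerprint in the space-separated
# allowlist $1. Returns 1 if any commit was reported.
check_signatures() {
    allowed=" $1 "
    rc=0
    while read -r commit status fpr; do
        [ -n "$commit" ] || continue
        case "$status" in
            G|U)
                case "$allowed" in
                    *" ${fpr:-none} "*) ;;
                    *) echo "$commit: signed by unlisted key ${fpr:-none}"; rc=1 ;;
                esac ;;
            N) echo "$commit: not signed"; rc=1 ;;
            *) echo "$commit: signature status $status"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Constructed input: line 1 reuses the commit and key from the output above.
sample_log() {
    printf '%s\n' \
        'd548027432fbc511d813ef898a914b93c67c9c36 G 312172BCFB5CE3BFF63F121299F5FB779FF5A1C7' \
        '1111111111111111111111111111111111111111 N ' \
        '2222222222222222222222222222222222222222 G AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' \
        '3333333333333333333333333333333333333333 B 312172BCFB5CE3BFF63F121299F5FB779FF5A1C7'
}

sample_log | check_signatures 312172BCFB5CE3BFF63F121299F5FB779FF5A1C7 ||
    echo "gate: reject push"
```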

@marcdumais-work
Contributor

@JonasHelming @jankeromnes Given my investigation above, showing this is possible, I think we can probably close this issue?

@DanielHabenicht

I think this Issue text does not stress the most important part - of being able to remotely sign a commit in a workspace with a key from the local machine. Without putting sensitive information into the workspace.
Which were requested in both issues which are referenced as duplicates to this issue.

This is the reason I am subscribed to this issue, if that differs from what the author wanted I am sorry to interrupt and you can close this issue.

@marcdumais-work
Contributor

Thanks for the info @DanielHabenicht - I will investigate and possibly re-open one of these or amend the title/description of this one here and keep it open.

@marcdumais-work
Contributor

> being able to remotely sign a commit in a workspace with a key from the local machine

BTW, do you know whether this is possible today in the browser-accessible build of vscode/code-oss/VSCodium? It looks like the current mechanism relies on git triggering OS-level key signing, including an OS dialog popping-up, where the user enters the passphrase associated to the key (which may not work so well on a remote workspace, thinking of it).

Normally, the web browser/app that runs on the local machine does not have file system access (through @theia/filesystem, the frontend Theia app has access to the backend file system, but that doesn't help here). It could be possible to pop the "file open" browser dialog, and ask the user to select the private key file and then store it in browser local storage (to avoid asking all the time for it). Security of this key would be important, e.g. avoiding it being read/copied by other apps running on the same browser.

@marcdumais-work
Contributor

marcdumais-work commented May 31, 2023

Hi @DanielHabenicht ,

> I think this Issue text does not stress the most important part - of being able to remotely sign a commit in a workspace with a key from the local machine. Without putting sensitive information into the workspace.
> Which were requested in both issues which are referenced as duplicates to this issue.

Sanity check: are you wishing for this feature as a Gitpod user? You mention "remote workspace" and also the issues referenced in the description are from Gitpod. At the time this issue was open, Gitpod used a Theia-based IDE. But they switched to a vscode-based IDE probably a couple of years ago. If that's the case, any feature we might offer in Theia, to help with your use-case, would not benefit you.

BTW, one of these referenced Gitpod issues is still open and there are what look to be good suggestions, that you might try depending on your setup and willingness to go outside the beaten path.

@JobaDiniz

JobaDiniz commented Sep 21, 2023

There's this workaround https://adangel.org/2021/11/07/gitpod-gpg-signed-commits where you need to upload your private key to gitpod (not ideal)
