
Add support for signing commits with GPG #5065

Closed
kripod opened this issue Apr 7, 2016 · 37 comments · Fixed by #27136
Labels
feature-request Request for new features or functionality git GIT issues help wanted Issues identified as good community contribution opportunities verification-needed Verification of issue is requested verified Verification succeeded
Comments

kripod commented Apr 7, 2016

VS Code should optionally be able to sign git commits with a given GPG key, as it is a good practice for authorization nowadays.

Tyriar (Member) commented Apr 7, 2016

Doesn't GitHub's authentication basically do the same thing, since you need to auth with GitHub to push to repos you have access to?

@Tyriar Tyriar self-assigned this Apr 7, 2016
@Tyriar Tyriar added the *question Issue represents a question, should be posted to StackOverflow (VS Code) label Apr 7, 2016
kripod (Author) commented Apr 7, 2016

GitHub auth is NOT related to GPG-signed commits, if I'm right.

kripod (Author) commented Apr 7, 2016

Basically, I would like built-in functionality for appending the -S command line argument to git commit, as shown here.

Tyriar (Member) commented Apr 7, 2016

Sure, but isn't what it's accomplishing done by GitHub account/email linking? You need to link your email to an account and need credentials to the account to push.

kripod (Author) commented Apr 7, 2016

GPG can be used in any git environment (for instance: GitLab, BitBucket, etc.)

I thought this could be timely after seeing the blog post from GitHub about verifying commits.

Tyriar (Member) commented Apr 7, 2016

@joaomoreno thoughts?

@Tyriar Tyriar assigned joaomoreno and unassigned Tyriar Apr 7, 2016
joaomoreno (Member) commented

I'd argue that for any given repo, you'd either want to sign all commits or none. Based on that, I suggest to use the commit.gpgsign = true git configuration in your repo, available since 2.0, which will make git sign all commits by default.

Does that work for you @kripod?

kripod (Author) commented Apr 8, 2016

I use exactly that, but when I try to commit from VS Code with that config attribute set, I get the following error output in the Git console of Code:

git fetch
git show HEAD:src/relation.js
git show HEAD:src/relation.js
git add -A -- .
git commit --quiet --allow-empty-message --file - --all
gpg: WARNING: unsafe permissions on homedir `C:\Users\user\AppData\Roaming\gnupg'
gpg: cannot open tty `no tty': No such file or directory
error: gpg failed to sign the data
fatal: failed to write commit object
git config --get-all user.name
git config --get-all user.email
git show HEAD:src/relation.js

Tyriar (Member) commented Apr 8, 2016

I misread the issue, I thought you were talking about the vscode repo starting to sign commits, not adding the feature.

@joaomoreno while looking into signing commits yesterday, I came across this: http://stackoverflow.com/a/10166916/1156119

Signing each commit is totally stupid. It just means that you automate it, and you make the signature worth less. It also doesn't add any real value, since the way the git DAG-chain of SHA1's work, you only ever need one signature to make all the commits reachable from that one be effectively covered by that one. So signing each commit is simply missing the point.

0x0ade commented Apr 10, 2016

@kripod Not just vscode is affected: Bazaar Launchpad bug #847388

If you're using an agent: As a workaround (a configuration change affecting not just vscode) it's possible to add no-tty to your gpg.conf. For example, run

echo 'no-tty' >> ~/.gnupg/gpg.conf

Snippet from gnupg docs explaining --no-tty:

--no-tty
Make sure that the TTY (terminal) is never used for any output. This option is needed in some cases because GnuPG sometimes prints warnings to the TTY even if --batch is used.

From what I've noticed, gpg is now less verbose (doesn't remind me that I "need my passphrase" on git commit; is completely silent on gpg -s). I don't know what else this affects and thus I feel bad for suggesting this, but it works.

If you're not using an agent: Again referring to Launchpad, this time the bzr (Bazaar) package, you seem to be out of luck.

joaomoreno (Member) commented

Thanks for that @0x0ade. Does it solve it for you, @kripod?

kripod (Author) commented Apr 11, 2016

Well, having listened to @Tyriar, I'm not signing my commits anymore, but thank you for all the help provided!

adamvoss commented

This article does a good job of explaining the impact of the differences between, and the advantages of, different signing policies.

It is not strictly accurate that signing each commit is "totally stupid."

dmportella (Contributor) commented

It would be nice if vscode gave me the opportunity to sign a commit.

cpjolicoeur commented Apr 17, 2017

Signing commits is not "totally stupid" and, in fact, has very real security implications. Not all Git code happens to be "pushed" to Github or BitBucket. Many places use git internally for all sorts of things and git commit signing is a very needed feature and often a requirement.

I am using a gpg-agent and still am unable to sign commits in VSCode, for what it's worth.

@joaomoreno joaomoreno reopened this Apr 18, 2017
@joaomoreno joaomoreno added feature-request Request for new features or functionality and removed *question Issue represents a question, should be posted to StackOverflow (VS Code) labels Apr 18, 2017
@joaomoreno joaomoreno added this to the Backlog milestone Apr 18, 2017
@joaomoreno joaomoreno removed their assignment Apr 18, 2017
@joaomoreno joaomoreno added the git GIT issues label Apr 18, 2017
Marqin commented Apr 24, 2017

^ It seems that git support is divided into two parts: one is the git workbench that's in core, and the second is the git extension (that's built-in?).

Is there any progress on this?

dmportella (Contributor) commented

I don't think there is any work going on yet.
I will pick this up, but not until this weekend.

dmportella (Contributor) commented

I'd like to confirm I am starting work on this. I will open a pull request with a WIP title to show progress soon.

LaurentTreguier commented

Hello here, I recently tried committing with commit.gpgsign set to true. However the issue I encountered is related to my name: it contains an accented 'e' (é) and right now VSCode seems to have some encoding problem (at least with git):
[image]
Which prevents git from detecting the correct GPG key.

pradyunsg commented

@dmportella Hi! Any progress updates? :)

dmportella (Contributor) commented

Got all the changes needed mapped; now going to add menu items etc.
Should be done soon, just lots of tests and things to write.

dmportella (Contributor) commented

I have the change almost complete just tidying up and getting ready to commit.

dmportella (Contributor) commented

Pull request #27136
Added support for GPG signing, hope all is OK.

jens1o (Contributor) commented May 28, 2017

would love to see this.

dmportella (Contributor) commented Jun 27, 2017

Me too, it was added to the June milestone, which got me excited, but now it's back in the backlog.... So I don't know what's going on.

The pull request is this one: #27136

rawkode commented Jul 18, 2017

@Tyriar Please, that comment, which is purely subjective, is very old, and quoting it achieves nothing but FUD.

Impersonating authors on GitHub is easily done and signing ALL commits is good practice. Especially with hardware tokens, such as Yubikeys.

I mean no harm with 30912, I am merely showing how easy it is to submit a commit by another. I feel GitHub could do more here too.

On the main page, images are small and easily distracted (I could even change mine, I guess ... and my name). But the "Verified" means we've signed that commit. I believe it's important, as others seem to have commented also.

[image: verified]

dmportella (Contributor) commented

I verify ALL my commits, it is important, and we do use YubiKeys here at my organisation.

nilbot commented Jul 31, 2017

@Tyriar GPG signing provides authentication on the commits themselves. What you said in #5065 (comment) and subsequent comments is irrelevant to the issue, because without signing the commit, I can easily fake you as the author and submit a fraudulent patch (e.g. intentionally infringing the copyright of your rival company) via other channels (e.g. email) to another committer, who will have a hard time knowing whether you actually wrote the patch or not. And if that committer pushes the CL to GitHub, GitHub will happily link it to your account.

See this commit for example:
jayphelps/git-blame-someone-else@e5cfe4b
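
A worked example tying the thread together (added here; it is not code from this issue, from PR #27136, or from git/GnuPG). It builds a throwaway keyring and repository, turns on the commit.gpgsign setting joaomoreno suggests, runs the exact gpg command git runs behind that setting (the one that fails with "cannot open tty" in the logs above when a pinentry is needed), verifies the signed commit, covers the history with one signed tag as in the quoted Stack Overflow answer, and finally shows nilbot's point: a commit carrying someone else's author line but no signature verifies as "no signature". It assumes GnuPG 2.1+ and git on PATH; the key, the names, the e-mail addresses, the tag name v1.0 and the file name sign_demo.sh are all made up for the example.

```shell
#!/bin/sh
# Added example, not code from the VS Code issue, PR #27136, git or GnuPG.
# Assumes GnuPG 2.1+ and git on PATH. Names, addresses and tag are made up.
set -eu

# Isolated GNUPGHOME (mktemp -d gives mode 0700, so no "unsafe permissions on
# homedir" warning) holding an unprotected ed25519 signing key. A real key is
# passphrase-protected or on a token; that is the case in which gpg needs a
# pinentry and, with no terminal, fails with "cannot open tty".
new_keyring_and_key() {
    GNUPGHOME=$(mktemp -d)
    export GNUPGHOME
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key 'Demo Signer <signer@example.invalid>' ed25519 sign 0
    SIGNING_KEY=$(gpg --batch --with-colons --list-secret-keys \
                  | awk -F: '$1 == "fpr" { print $10; exit }')
}

# What git does for commit.gpgsign=true: pipe the commit buffer into
# "gpg --status-fd=2 -bsau <key>" and require "[GNUPG:] SIG_CREATED" on the
# status fd. --no-tty only approximates an editor with no controlling terminal.
# Prints "ok" or "fail".
can_sign_without_tty() {
    if printf 'probe\n' | gpg --batch --no-tty --status-fd=2 -bsau "$1" 2>&1 >/dev/null \
            | grep -q '^\[GNUPG:\] SIG_CREATED'; then
        echo ok
    else
        echo fail
    fi
}

# A repo configured the way joaomoreno suggests: every commit gets signed.
# gpg.program is the knob DrSensor mentions for pointing git at a specific gpg.
make_repo() {
    repo=$(mktemp -d)
    git init -q "$repo"
    git -C "$repo" config user.name 'Demo Signer'
    git -C "$repo" config user.email 'signer@example.invalid'
    git -C "$repo" config user.signingkey "$1"
    git -C "$repo" config gpg.program gpg
    git -C "$repo" config gpg.format openpgp
    git -C "$repo" config commit.gpgsign true
    echo "$repo"
}

signed_commit() {
    git -C "$1" commit -q --allow-empty -m 'signed via commit.gpgsign'
}

# One signed tag covers every commit reachable from it, because each commit
# hash commits to its parents' hashes (the policy in the quoted SO answer).
signed_tag() {
    git -C "$1" tag -s -m 'one signature over the reachable history' v1.0
}

# The author line is free text: anyone can commit as anyone (nilbot's point).
forged_unsigned_commit() {
    git -C "$1" -c commit.gpgsign=false commit -q --allow-empty \
        --author='Someone Else <someone@example.invalid>' -m 'not by Someone Else'
}

# %G? is git's signature status: G good, U good but untrusted key, B bad,
# N no signature.
verify_head() {
    git -C "$1" log -1 --format='%G?'
}

# Prints G when the tag signature verifies, N otherwise.
verify_tag() {
    if git -C "$1" verify-tag v1.0 >/dev/null 2>&1; then echo G; else echo N; fi
}

cleanup() {
    gpgconf --kill gpg-agent >/dev/null 2>&1 || true
    rm -rf "$GNUPGHOME" "$1"
}

main() {
    new_keyring_and_key
    repo=$(make_repo "$SIGNING_KEY")
    echo "git-style signing without a tty: $(can_sign_without_tty "$SIGNING_KEY")"
    signed_commit "$repo"
    echo "signed commit  %G? = $(verify_head "$repo")"
    signed_tag "$repo"
    echo "signed tag     v1.0 = $(verify_tag "$repo")"
    forged_unsigned_commit "$repo"
    echo "forged commit  %G? = $(verify_head "$repo")"
    cleanup "$repo"
}

# Run the demo only as "sh sign_demo.sh run", so the functions can also be
# sourced and used one at a time.
if [ "${1:-}" = run ]; then
    main
fi
```

Run it with `sh sign_demo.sh run`. To see the failure this thread is about, swap in a passphrase-protected key: can_sign_without_tty then succeeds only if gpg-agent already holds the passphrase or can reach a pinentry, which is the behaviour JeremyLoy describes further down, and the same command run from a real terminal will prompt and succeed. The 0x0ade no-tty workaround changes gpg's own output, not whether the agent can ask for the passphrase, so it helps only when an agent is caching it.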

Tyriar (Member) commented Jul 31, 2017

Hi all, no need to try to convince me anymore 😄

jens1o (Contributor) commented Aug 14, 2017

YEAHHHHH!

🎉 🎉 🎉 🎉

@joaomoreno joaomoreno added the verification-needed Verification of issue is requested label Aug 30, 2017
@roblourens roblourens added the verified Verification succeeded label Sep 1, 2017
dawidp commented Sep 26, 2017

This error

git commit --quiet --allow-empty-message --file - --all
git show :hinode/models/base.py
gpg: cannot open tty `no tty': No such file or directory
error: gpg failed to sign the data
fatal: failed to write commit object

can be caused by a password-protected GPG key.

dmportella (Contributor) commented

Something related to the error you've seen: isaacs/github#675

JeremyLoy (Contributor) commented Oct 17, 2017

I got it to work for me, but only after signing a previous commit (~5 minutes prior) manually through the integrated terminal.

I have a hunch that the root cause of the error message gpg failed to sign the data, is that VS Code is requesting to open the prompt, and failing to do so.

If you already entered your password via prompt previously, VS Code signs the commits perfectly fine.

pradyunsg commented Oct 17, 2017 via email

dmportella (Contributor) commented

Usually you see this problem when you don't have things set up properly for GPG signing. That has been my experience.

DrSensor commented Nov 7, 2017

On Linux, I solve the /dev/tty problem by adding the path of the gpg2 binary to the git global config:
git config --global gpg.program $(which gpg2)

@vscodebot vscodebot bot locked and limited conversation to collaborators Nov 17, 2017