-
Notifications
You must be signed in to change notification settings - Fork 7
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Issue with 1password SSH commit signing #290
Comments
Happy to take this on if you verify this issue @drewdeponte |
The program option in git config can live under [`gpg.<format>.program`](https://git-scm.com/docs/git-config#Documentation/git-config.txt-gpgltformatgtprogram) in gitconfig, so we would need to respect that. I moved fetching the program option to inside the format option match, so we can use that to namespace the call to get the program configuration, falling back to the legacy `gpg.program` config. This small refactor is done since the ssh branch should also have an optional custom program to run (the 1Password binary for example) and we would want to follow the same general path with both methods. #290 <!-- ps-id: 10064b8f-e14f-4f9e-aa06-97b8ac5b10f0 -->
When a signing program is defined in the gitconfig, respect that and use it instead of openssh. This will make using 1password ssh integration possible, since it's using a custom binary. #290 <!-- ps-id: 29c4b5fd-26b1-4ab1-bcce-8a114faddf76 -->
@alondahari the proper thing for us to do here is to switch to external execution of whatever the configured command is. The same way that git proper does. So we may need to reference git proper. This will allow us to remove the ssh signing dependencies which is good but will also give us the flexibility to behave the same way that Git proper does. |
The program option in git config can live under [`gpg.<format>.program`](https://git-scm.com/docs/git-config#Documentation/git-config.txt-gpgltformatgtprogram) in gitconfig, so we would need to respect that. I moved fetching the program option to inside the format option match, so we can use that to namespace the call to get the program configuration, falling back to the legacy `gpg.program` config. This small refactor is done since the ssh branch should also have an optional custom program to run (the 1Password binary for example) and we would want to follow the same general path with both methods. #290 <!-- ps-id: 10064b8f-e14f-4f9e-aa06-97b8ac5b10f0 -->
If the user's config specifies a program to use to sign the commits, use that over the default openssh. This allows users to use custom binaries even when the desired format is SSH. This is necessary to allow the 1Password SSH integration. #290 <!-- ps-id: 0809fc9d-09e9-4eb8-b339-fa072b978cd1 -->
The program option in git config can live under [`gpg.<format>.program`](https://git-scm.com/docs/git-config#Documentation/git-config.txt-gpgltformatgtprogram) in gitconfig, so we would need to respect that. I moved fetching the program option to inside the format option match, so we can use that to namespace the call to get the program configuration, falling back to the legacy `gpg.program` config. This small refactor is done since the ssh branch should also have an optional custom program to run (the 1Password binary for example) and we would want to follow the same general path with both methods. #290 <!-- ps-id: 10064b8f-e14f-4f9e-aa06-97b8ac5b10f0 -->
Add a function that returns a signing key if it is a literal value in gitconfig, or None if it's not (would be a path). This is done since with SSH signing, the user.signingKey in gitconfig can either be a path to a file with the key, or a literal key (like with gpg). See: https://git-scm.com/docs/git-config#Documentation/git-config.txt-usersigningKey #290 <!-- ps-id: 46319555-2a7b-44a4-ac17-c1e1fd8cd72b -->
Update the ssh signer methods to support both literal and path signing strings in gitconfig. #290 <!-- ps-id: eee809a0-baba-4965-8364-b045a3f8e8a3 -->
We will use the tempfile crate to create a tempfile to be used when signing commits with SSH, so we will need to use this dependency outside of the test utils. #290 <!-- ps-id: 7bfe5444-fccf-4ed9-bca2-f451e8ad1828 -->
The program option in git config can live under [`gpg.<format>.program`](https://git-scm.com/docs/git-config#Documentation/git-config.txt-gpgltformatgtprogram) in gitconfig, so we would need to respect that. I moved fetching the program option to inside the format option match, so we can use that to namespace the call to get the program configuration, falling back to the legacy `gpg.program` config. This small refactor is done since the ssh branch should also have an optional custom program to run (the 1Password binary for example) and we would want to follow the same general path with both methods. #290 <!-- ps-id: 10064b8f-e14f-4f9e-aa06-97b8ac5b10f0 -->
Getting the signing key from the config should be identical no matter what the format is, so take it out of the match. This is done in a general effort to improve the readability and maintainability of this piece of code. #290 <!-- ps-id: b24c7a77-97d3-48ff-8e32-2956148724ba -->
When signing commits with SSH, we need to use the program in gitconfig if specified. Otherwise, fallback to ssh-keygen. This aligns with how git proper is doing it. #290 <!-- ps-id: 7c04af23-f05d-43f3-91aa-8ebac634ffdf -->
Add a function that returns a signing key if it is a literal value in gitconfig, or None if it's not (would be a path). This is done since with SSH signing, the user.signingKey in gitconfig can either be a path to a file with the key, or a literal key (like with gpg). See: https://git-scm.com/docs/git-config#Documentation/git-config.txt-usersigningKey #290 <!-- ps-id: 46319555-2a7b-44a4-ac17-c1e1fd8cd72b -->
Add a function to create a temp file containing a ssh key if one is supplied literally in the gitconfig. The function accepts a path, since it will be in a temp dir that we need to live long enough to complete the signing. #290 <!-- ps-id: eee809a0-baba-4965-8364-b045a3f8e8a3 -->
We will use the tempfile crate to create a tempfile to be used when signing commits with SSH, so we will need to use this dependency outside of the test utils. #290 [changelog] added: tempfile crate dependency <!-- ps-id: 7bfe5444-fccf-4ed9-bca2-f451e8ad1828 -->
The program option in git config can live under [`gpg.<format>.program`](https://git-scm.com/docs/git-config#Documentation/git-config.txt-gpgltformatgtprogram) in gitconfig, so we would need to respect that. I moved fetching the program option to inside the format option match, so we can use that to namespace the call to get the program configuration, falling back to the legacy `gpg.program` config. This small refactor is done since the ssh branch should also have an optional custom program to run (the 1Password binary for example) and we would want to follow the same general path with both methods. #290 <!-- ps-id: 10064b8f-e14f-4f9e-aa06-97b8ac5b10f0 -->
Getting the signing key from the config should be identical no matter what the format is, so take it out of the match. This is done in a general effort to improve the readability and maintainability of this piece of code. #290 <!-- ps-id: b24c7a77-97d3-48ff-8e32-2956148724ba -->
When signing commits with SSH, we need to use the program in gitconfig if specified. Otherwise, fallback to ssh-keygen. This aligns with how git proper is doing it. #290 [changelog] updated: ssh commit signing respects literal keys in config updated: ssh commit signing respects custom program updated: default ssh commit signing uses ssh-keygen <!-- ps-id: 7c04af23-f05d-43f3-91aa-8ebac634ffdf -->
The ss-key dependency is no longer used, since ssh-keygen is used instead. #290 [changelog] removed: ssh-key crate dependency <!-- ps-id: 112c8505-5862-4da8-b9e4-ba0d62549997 -->
Add a function that returns a signing key if it is a literal value in gitconfig, or None if it's not (would be a path). This is done since with SSH signing, the user.signingKey in gitconfig can either be a path to a file with the key, or a literal key (like with gpg). See: https://git-scm.com/docs/git-config#Documentation/git-config.txt-usersigningKey #290 <!-- ps-id: 46319555-2a7b-44a4-ac17-c1e1fd8cd72b -->
Add a function to create a temp file containing a ssh key if one is supplied literally in the gitconfig. The function accepts a path, since it will be in a temp dir that we need to live long enough to complete the signing. #290 <!-- ps-id: eee809a0-baba-4965-8364-b045a3f8e8a3 -->
We will use the tempfile crate to create a tempfile to be used when signing commits with SSH, so we will need to use this dependency outside of the test utils. #290 [changelog] added: tempfile crate dependency <!-- ps-id: 7bfe5444-fccf-4ed9-bca2-f451e8ad1828 -->
The program option in git config can live under [`gpg.<format>.program`](https://git-scm.com/docs/git-config#Documentation/git-config.txt-gpgltformatgtprogram) in gitconfig, so we would need to respect that. I moved fetching the program option to inside the format option match, so we can use that to namespace the call to get the program configuration, falling back to the legacy `gpg.program` config. This small refactor is done since the ssh branch should also have an optional custom program to run (the 1Password binary for example) and we would want to follow the same general path with both methods. #290 <!-- ps-id: 10064b8f-e14f-4f9e-aa06-97b8ac5b10f0 -->
Getting the signing key from the config should be identical no matter what the format is, so take it out of the match. This is done in a general effort to improve the readability and maintainability of this piece of code. #290 <!-- ps-id: b24c7a77-97d3-48ff-8e32-2956148724ba -->
When signing commits with SSH, we need to use the program in gitconfig if specified. Otherwise, fallback to ssh-keygen. This aligns with how git proper is doing it. #290 [changelog] updated: ssh commit signing respects literal keys in config updated: ssh commit signing respects custom program updated: default ssh commit signing uses ssh-keygen <!-- ps-id: 7c04af23-f05d-43f3-91aa-8ebac634ffdf -->
The ss-key dependency is no longer used, since ssh-keygen is used instead. #290 [changelog] removed: ssh-key crate dependency <!-- ps-id: 112c8505-5862-4da8-b9e4-ba0d62549997 -->
Following how git does things, we will default to openpgp if the signing format is not defined in gitconfig #290 <!-- ps-id: 4e68a19d-bdc5-40f9-8e01-8dbb8d6f3b3f -->
Hey! Hope you're doing well. I was having this same issue after switching to 1Password. Is there any ETA on the next release that includes the fix? |
@edgarjs if you build from source what is in the So, I will try and cut a release tonight or tomorrow and we can just go from there. |
@drewdeponte I tried that, but I get this error now (the blurred part is an array of numbers): |
@edgarjs @alondahari this issue has been actually resolved now in the latest release, v7.1.1. |
After setting up SSH signing with 1password, trying to integrate or request a review on a patch results in an error:
Seems like the issue comes from the fact that the 1password setup agent is adding the public key directly to
user.signingkey
, not the path to the key. What's more, I think we need to use the 1password binary to sign the commit, which they set ongpg.ssh.program
.We should also fix the unwrap in
cherry_picking.rs
to bubble up the issue instead of causing a panic if anything goes wrong with the signing process. We should probably print out a warning message and proceed without signing instead.The text was updated successfully, but these errors were encountered: