Use GPG signing on codespaces

Author: lildude

chezmoi/dot_config/git/config.tmpl

@@ -16,8 +16,11 @@
   useConfigOnly = true
   name = Colin Seymour
   email = [email protected]
-  #signingkey = 88109C73073E7080
+  {{- if .codespaces }}
+  signingkey = 88109C73073E7080 # GitHub doesn't play nice with verifying SSH signed commits from Codespaces due to it setting GIT_COMMITTER_EMAIL and GIT_COMMITTER_NAME
+  {{- else }}
   signingkey = ~/.ssh/git_signing_ed25519.pub
+  {{- end }}
 
 # Override default when working in work repos
 [includeIf "hasconfig:remote.*.url:ssh://[email protected]/github/*"] # Requires git 2.36.0 later
@@ -128,22 +131,20 @@
   gpgSign = true
 
 [gpg]
-  format = ssh
-  # {{- if .codespaces }}
-  # program = /.codespaces/bin/gh-gpgsign
-  # {{- else }}
+  {{- if .codespaces }}
+  program = /.codespaces/bin/gh-gpgsign
+  {{- else }}
+  format = ssh # Use SSH everywhere other than Codespaces for now.
   # program = {{- lookPath "gpg" }}
-  # {{- end }}
+  {{- end }}
 
+{{- if .codespaces }}
 [gpg "ssh"]
   allowedSignersFile = ~/.ssh/allowed_signers
+{{- end }}
 
 [merge]
-  {{- $v := output "git" "--version" | trim | split " " }}{{ if semverCompare ">2.35.0" $v._2 }}
-  conflictstyle = zdiff3  # Requires git 2.35 or later which isn't available on Codespaces by default
-  {{- else }}
-  conflictstyle = diff3
-  {{- end }}
+  conflictstyle = zdiff3
 
 [protocol]
   version = 2
@@ -156,9 +157,7 @@
 
 [pull]
   rebase = false
-  {{- $v := output "git" "--version" | trim | split " " }}{{ if semverCompare ">2.33.0" $v._2 }}
-  twohead = ort  # Requires git 2.33 or later which isn't available on Codespaces by default
-  {{- end }}
+  twohead = ort
 
 [advice]
   detachedHead = false

chezmoi/dot_config/git/gitconfig.work

@@ -1,3 +1,4 @@
+# vim: set filetype=ini
 [user]
   name = Colin Seymour
   email = [email protected]

chezmoi/dot_config/zsh/private_dot_zshrc

@@ -118,10 +118,6 @@ if [ -n "$CODESPACES" ]; then
   export GOPRIVATE=
   export GONOPROXY=
   export GONOSUMDB='github.com/github/*'
-  # Unset these as GitHub doesn't verify commits by the default GitHub <[email protected]> set by default in Codespaces
-  # This doesn't help things if you use the UI to commit
-  unset GIT_COMMITTER_EMAIL
-  unset GIT_COMMITTER_NAME
 fi
 export HOMEBREW_BUNDLE_FILE=$XDG_CONFIG_HOME/homebrew/Brewfile
 export IRBRC=$XDG_CONFIG_HOME/irb/irbrc

script/codespaces-post-start

@@ -21,12 +21,21 @@ if [ ! -f "${HOME}/.netrc" ] || grep -vq "goproxy.githubapp.com" "${HOME}/.netrc
   echo "machine goproxy.githubapp.com login nobody password $GITHUB_TOKEN" >> "$HOME/.netrc"
 fi
 
-if [ ! -f "${HOME}/.ssh/git_signing_ed25519" ]; then
-  # Takes this from my Codespaces secrets config on GitHub
-  echo "$GIT_SIGNING_KEY" > "${HOME}/.ssh/git_signing_ed25519"
-  chmod 600 "${HOME}/.ssh/git_signing_ed25519"
-fi
+# Commented out as Codespaces has this annoying habit of setting GIT_COMMITTER_EMAIL and GIT_COMMITTER_NAME
+# to GitHub <[email protected]> respectively. GitHub doesn't sign commits by this user and thus doesn't verify them
+# either. The verification also completely ignores the author attribute in the commit.
+#
+# Unsetting these env vars "works around" the issue but then the Codespace becomes quite unstable for some reason
+# so we're going to have to stick with GPG on Codespaces for now.
+#
+# Revisit this occasionally.
+#
+# if [ ! -f "${HOME}/.ssh/git_signing_ed25519" ]; then
+#   # Takes this from my Codespaces secrets config on GitHub
+#   echo "$GIT_SIGNING_KEY" > "${HOME}/.ssh/git_signing_ed25519"
+#   chmod 600 "${HOME}/.ssh/git_signing_ed25519"
+# fi
 
 # Unset these as GitHub doesn't verify commits by the default GitHub <[email protected]> set by default in Codespaces
-unset GIT_COMMITTER_EMAIL
-unset GIT_COMMITTER_NAME
+# unset GIT_COMMITTER_EMAIL
+# unset GIT_COMMITTER_NAME