Merge pull request #4 from lildude/use-ssh-commit-signing

lildude · web-flow · commit 3ba3183a8d84 · 2024-10-17T17:07:45.000+01:00
Use ssh commit signing
diff --git a/chezmoi/.chezmoiignore b/chezmoi/.chezmoiignore
@@ -28,7 +28,10 @@ Library/
 .mozilla
 .netrc
 .secrets
-.ssh/
+.ssh/**
+!.ssh/
+!.ssh/allowed_signers
+!.ssh/git_signing_ed25519.pub
 dev
 tmp
 {{ end -}}
diff --git a/chezmoi/dot_config/git/config.tmpl b/chezmoi/dot_config/git/config.tmpl
@@ -16,7 +16,8 @@
   useConfigOnly = true
   name = Colin Seymour
   email = colin@symr.io
-  signingkey = 88109C73073E7080
+  #signingkey = 88109C73073E7080
+  signingkey = ~/.ssh/git_signing_ed25519.pub
 
 # Override default when working in work repos
 [includeIf "hasconfig:remote.*.url:ssh://git@github.com/github/*"] # Requires git 2.36.0 later
@@ -127,11 +128,15 @@
   gpgSign = true
 
 [gpg]
-  {{- if .codespaces }}
-  program = /.codespaces/bin/gh-gpgsign
-  {{- else }}
-  program = {{- lookPath "gpg" }}
-  {{- end }}
+  format = ssh
+  # {{- if .codespaces }}
+  # program = /.codespaces/bin/gh-gpgsign
+  # {{- else }}
+  # program = {{- lookPath "gpg" }}
+  # {{- end }}
+
+[gpg "ssh"]
+  allowedSignersFile = ~/.ssh/allowed_signers
 
 [merge]
   {{- $v := output "git" "--version" | trim | split " " }}{{ if semverCompare ">2.35.0" $v._2 }}
diff --git a/chezmoi/dot_ssh/allowed_signers b/chezmoi/dot_ssh/allowed_signers
@@ -0,0 +1 @@
+colin@symr.io,colin@github.com namespaces="git" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMCyapwMY7+HjM6tOs/PS7s+VTtYRhcophPUauHMjm90
diff --git a/chezmoi/dot_ssh/create_private_git_signing_ed25519.tmpl b/chezmoi/dot_ssh/create_private_git_signing_ed25519.tmpl
@@ -0,0 +1 @@
+{{- onepasswordRead "op://Dotfiles/git_signing_ed25519/private key" }}
diff --git a/chezmoi/dot_ssh/private_git_signing_ed25519.pub b/chezmoi/dot_ssh/private_git_signing_ed25519.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMCyapwMY7+HjM6tOs/PS7s+VTtYRhcophPUauHMjm90
diff --git a/script/codespaces-post-start b/script/codespaces-post-start
@@ -17,9 +17,12 @@ if [ "$(command -v rg)" = "" ]; then
   $sudo apt-get -q update && $sudo apt-get -q install -y ripgrep most gh
 fi
 
-if [ -f "${HOME}/.netrc" ] && grep -q "goproxy.githubapp.com" "${HOME}/.netrc"; then
-  exit 0
-else
+if [ ! -f "${HOME}/.netrc" ] || grep -vq "goproxy.githubapp.com" "${HOME}/.netrc"; then
   echo "machine goproxy.githubapp.com login nobody password $GITHUB_TOKEN" >> "$HOME/.netrc"
 fi
 
+if [ ! -f "${HOME}/.ssh/git_signing_ed25519" ]; then
+  # Takes this from my Codespaces secrets config on GitHub
+  echo "$GIT_SIGNING_KEY" > "${HOME}/.ssh/git_signing_ed25519"
+  chmod 600 "${HOME}/.ssh/git_signing_ed25519"
+fi

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+[email protected],[email protected] namespaces="git" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMCyapwMY7+HjM6tOs/PS7s+VTtYRhcophPUauHMjm90`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+{{- onepasswordRead "op://Dotfiles/git_signing_ed25519/private key" }}`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMCyapwMY7+HjM6tOs/PS7s+VTtYRhcophPUauHMjm90`