
Git commit sign #9

Open
wants to merge 11 commits into base: master

Conversation

lukeburciu
Contributor

@lukeburciu lukeburciu commented Dec 6, 2024

git-commit-sign

This PR introduces the use of SSH to sign commits. The PR includes configuration handling and a workflow for setting up and managing commit signing via SSH keys. It also includes a script to handle a signing workflow.

The purpose of this action is based on the premise that this project seems to revolve around the use of keycutter to cut, manage and set up how a YubiKey can be utilised for SSH; git is a primary component of this, in that commits are pushed to remotes using SSH.

Core inclusions

1. gpg commit signing abstraction via ssh

  • git-signing-setup:
    • A guided function for setting up SSH-based commit signing.
    • Allows users to select an SSH key interactively using fzf or a manual selection fallback (can keep or remove, but I think it's nice).
    • Applies configurations like gpg.format, gpg.ssh.program, and user.signingkey.

Example with local config (local means this only applies to the current git repository):

```
$ keycutter git-signing-setup
No scope specified. Defaulting to 'local' config.
Proposed Git SSH signing configuration:
 Scope: local
 SSH Key: /Users/lukeb/.ssh/keycutter/keys/github.com_lukeburciu@lukeb
 gpg.ssh.program: ~/.ssh/keycutter/scripts/git-commit-sign
 gpg.format: ssh

❓ Do you want to apply these changes? (y/N)  y
Setting up Git SSH signing (local config)...
Set gpg.format to ssh (local config)
Set gpg.ssh.program to /Users/lukeb/.ssh/keycutter/scripts/git-commit-sign (local config)
Set user.signingkey to /Users/lukeb/.ssh/keycutter/keys/github.com_lukeburciu@lukeb (local config)
Git SSH signing basic setup complete for local config!
```

2. commit signing management

  • Enable/Disable Signing:
    • Functions to toggle commit signing with the commit.gpgsign flag.
    • Supports both local and global configurations for flexibility.
    • User defined, and not applied by default (this is optional)

```
$ keycutter git-commit-signing-disable
No scope specified. Defaulting to local config.
Disabled commit signing for local config

$ keycutter git-signing-config
Checking local Git SSH signing configuration for directory: /Users/lukeb/.local/share/keycutter
gpg.format: ssh
gpg.ssh.program: /Users/lukeb/.ssh/keycutter/scripts/git-commit-sign
user.signingkey: /Users/lukeb/.ssh/keycutter/keys/github.com_lukeburciu@lukeb
commit.gpgsign: Not set (local config)

$ keycutter git-commit-signing-enable
No scope specified. Defaulting to local config.
Enabled commit signing for local config

$ keycutter git-signing-config
Checking local Git SSH signing configuration for directory: /Users/lukeb/.local/share/keycutter
gpg.format: ssh
gpg.ssh.program: /Users/lukeb/.ssh/keycutter/scripts/git-commit-sign
user.signingkey: /Users/lukeb/.ssh/keycutter/keys/github.com_lukeburciu@lukeb
commit.gpgsign: true
```

4. checks

  • git-version-check:
    • Git version 2.34 or higher is needed to support SSH signing.

5. validation

  • git-signing-config:
    • Displays current signing config in a structured and clear format.
    • Audits existing setups and identifies potential issues.

```
$ keycutter git-signing-config
Checking local Git SSH signing configuration for directory: /Users/lukeb/.local/share/keycutter
gpg.format: ssh
gpg.ssh.program: /Users/lukeb/.ssh/keycutter/scripts/git-commit-sign
user.signingkey: /Users/lukeb/.ssh/keycutter/keys/github.com_lukeburciu@lukeb
commit.gpgsign: true
```

6. git-commit-sign via scripts/git-commit-sign

  • Provides functionality for signing commits and prompts the user to touch the YubiKey.
  • Retrieve Configurations: Fetches user.signingkey from local or global Git settings.
  • Validation:
    • Verifies the presence of the signing key in the Git configuration.
    • Checks the existence of the signing key file before proceeding.
    • Forces a check for user presence before signing (this is somewhat required on macOS for some reason)

@lukeburciu lukeburciu requested a review from mbailey as a code owner December 6, 2024 01:29
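As an added example (not the PR's `scripts/git-commit-sign` and not keycutter's own code), a minimal POSIX sh sketch of the two pre-signing checks the description above lists: the git-version-check (2.34 or higher) and the validation the wrapper performs on `user.signingkey` before handing off to `ssh-keygen`, which is where the YubiKey touch prompt happens for a hardware-backed key. The function names, error messages and the `.pub` fallback are assumptions; the `-Y sign -n git -f <key> <file>` argument shape is what git passes to whatever `gpg.ssh.program` points at, so the wrapper forwards those arguments unchanged.

```shell
#!/bin/sh
# Added example, not keycutter's code: the checks a gpg.ssh.program wrapper
# would run before delegating to ssh-keygen. Function names are assumptions.

# Return 0 if "$1" (a version string such as 2.34.1) is git 2.34 or newer,
# the first release with gpg.format=ssh support; 1 otherwise.
git_version_supports_ssh_signing() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    [ "$major" -gt 2 ] 2>/dev/null && return 0
    [ "$major" -eq 2 ] 2>/dev/null && [ "$minor" -ge 34 ] 2>/dev/null && return 0
    return 1
}

# Validate the signing key: "$1" is the value of user.signingkey (may be empty).
# Returns 0 when a key is configured and a readable key file exists at that
# path (or at path.pub, since ssh-keygen -Y sign also accepts a public key
# when the private half lives in the agent or on a token); 1 otherwise.
validate_signing_key() {
    key=$1
    if [ -z "$key" ]; then
        echo "error: user.signingkey is not set in git config (local or global)" >&2
        return 1
    fi
    if [ ! -r "$key" ] && [ ! -r "$key.pub" ]; then
        echo "error: signing key file not found: $key" >&2
        return 1
    fi
    return 0
}

# Entry point as git invokes gpg.ssh.program:
#   <program> -Y sign -n git -f <key> <buffer-file>
# The wrapper re-reads user.signingkey itself (local config wins over global),
# validates it, warns the user that a touch will be required, then execs
# ssh-keygen with git's original arguments so the signature format is unchanged.
git_commit_sign_main() {
    gitver=$(git --version 2>/dev/null | sed 's/^git version //')
    git_version_supports_ssh_signing "$gitver" || {
        echo "error: git 2.34 or newer is required for SSH signing (found: ${gitver:-none})" >&2
        return 1
    }
    key=$(git config --get user.signingkey || true)
    validate_signing_key "$key" || return 1
    # User-presence hint: a FIDO-backed key will block in ssh-keygen until touched.
    echo "Signing commit with $key; touch your YubiKey if it blinks..." >&2
    exec ssh-keygen "$@"
}

# Only act as the signer when git calls us with its -Y sign arguments, so the
# functions above can be sourced and exercised without touching git or a key.
if [ "${1:-}" = "-Y" ]; then
    git_commit_sign_main "$@"
fi
```

To use a wrapper like this, point `gpg.ssh.program` at its path and set `gpg.format` to `ssh`, exactly as the git-signing-setup output above does; git will then call it for every signed commit and tag.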
@mbailey
Owner

mbailey commented Dec 13, 2024

Thanks, this works and is a great, simple solution.

Was reviewing and playing around with naming this morning. WIP #10

Will continue when I next find time.
