Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Can I sign git commits with keybase.io?

Tags:

git

gnupg

keybase

I am setting up a new machine and would prefer to use keybase for various pgp activities like signing commits. I can run a command like

$ keybase pgp sign -m foo > x
$ gpg --verify x 2>&1 | grep -oF 'Good signature'
Good signature

I could sign things directly with gpg, but it's convenient to let keybase manage the thing. So can I somehow make git use keybase?

Git configuration doesn't seem to have a way to customize the gpg command that it uses to sign commits. All you can do is provide the key. Is there any way to do it?

like image 409
kojiro Avatar asked Oct 18 '19 00:10

kojiro

2 Answers

Thanks to the link in Xavier's answer I learned that I can override the gpg program with the gpg.program configuration:

git config --global gpg.program /path/to/something

So I can use this to write a wrapper around keybase.

But git is, as it turns out, pretty finicky about what that something is. Git expects to partially parse the output that results from the --fd-status flag, which causes gpg to output special status codes at an alternate filehandle.

Fortunately, at least for my first pass, git doesn't parse everything that gpg produces, so I was able to emulate it. Here's a gist with a functional wrapper, and here's the meat of it:

# Copy the commit message from stdin to a file. 
d=$(mktmp -d "${TMPDIR:-/tmp}/gitsig.XXXXXXXXX")
cat > "$d/commit.msg"

# Have Keybase write the signature to another file.
keybase pgp sign --detached \
                 --key "$1" \
                 --infile "$d/commit.msg" \
                 --outfile "$d/commit.sig"

# Have gpg verify the signature right away.
# Capture its status in a file.
gpg --verify --status-fd=2 \
    "$d/commit.sig" "$d/commit.msg" \
    > /dev/null 2> "$d/gpgstatus.txt"

# Copy the KEY_CONSIDERED lines to stderr. Git wants that.
grep '^\[GNUPG:\] KEY_CONSIDERED' "$d/gpgstatus.txt" >&2

# Produce a minimal SIG_CREATED line to stderr. Git also wants that.
printf '[GNUPG:] SIG_CREATED ' >&2
like image 177
kojiro Avatar answered Oct 21 '22 22:10

kojiro

There is a doc here on how to do it (with github) https://github.com/pstadler/keybase-gpg-github

like image 30
Xavier Avatar answered Oct 21 '22 20:10

Xavier
Sign in to Comment

Related questions

author not mapped to bitbucket user
Is it possible to change few files in submodule without creating fork?
What is the difference in Git between being in a directory (cd) and using the `work-tree` parameter?
How to store credentials locally per repo in Git Credential Manager for Windows?
GitLab: How to change merge commit message template?
Configure Gerrit with Git LFS examples please
How can I link multiple email address to one user in Azure DevOps?
Git Commit Daily or Commit when Feature is completed?
TortoiseGit icon overlays showing modified when it isn't
Git + libsecret throws "Cannot autolaunch D-Bus without X11 $DISPLAY"
Filter git log by author or branch
How to undo merge request with its commits?
Diff between commit deltas, not commits themselves
The good git process to work alternatively at home and at office [duplicate]
Recommended workflow for cloning git into a virtual Python environment
How to share SSH key through Docker secrets to access private Github repos?
minimize git diff by undoing trivial changes
Do csproj files in Git need xml tags SccProjectName, SccLocalPath, SccAuxPath, SccProvider with SAK values
creating a monorepo without hosting on a package registry and installing via bitbucket
K8S: How to reach pod with SSH service (Gitea) over the same host ingress-nginx exposes as HTTP?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!