Support ssh-agent and external sign binaries for commit signing with ssh#2464
Support ssh-agent and external sign binaries for commit signing with ssh#2464chirpcel wants to merge 4 commits intogitui-org:masterfrom
Conversation
chirpcel
force-pushed
the
feature/external-ssh-signer
branch
from
14f71cc to
ebd8fc1
Compare
|
There's one drawback. Like before, we don't support encrypted private keys which are not loaded to agent. The error message isn't as clear as before, but from a functionality point of view it isn't different. I would make a new issue for this behavior and take a look into supporting encrypted private keys. |
cant we make it as clear as before and then followup
|
|
Actually I didn't figured out how to capture the passphrase prompt, as it's spawned directly on the tty. |
|
@extrawurst Worked, we now have a meaningful error message. I tested with 1Password SSH-Agent, Default SSH-Agent, non encrypted keys on disk and encrypted keys on disk. |
chirpcel
force-pushed
the
feature/external-ssh-signer
branch
2 times, most recently
from
19f0891 to
004b135
Compare
|
Any movement on this? This would allow me to use gitui without needing to fallback to shell to actually commit. |
|
@DaRacci Think maintainer is currently busy as asking for co-maintainers and migrating his repo to an org for better support by more people. |
There was a problem hiding this comment.
Hey @chirpcel. Thank you for this implementation. I support this fully and agree that this should be the way commit signing is implemented at the moment. It is almost in compliance with git commit's implementation. Where changes will be required for currently unsupported git commit signing features, I have remarked them in this review. I wouldn't say that these are blockers, though.
I also have minor questions and nitpicks, mostly about corner cases, here and there and some FYIs.
On which platforms have you tested this? I have tested it on Linux and it works as promised. It would be great if someone tested this on Windows and Mac, too, though. (A test should consist of at least signing a commit and checking whether that commit's signature can be validated.)
|
Thanks @naseschwarz for your cr! I commited your suggestions and commented on questions. I'll take a look at the remaining annotations of edge cases/optimizations. I'll update the pr soon. I've tested the implementation on linux and macOS. Windows currently missing, maybe I can test it in a VM. Currently don't know about license/activation. Keep you updated. |
|
Would simply like to add that I've been been running a compiled version of gitui with this pull request since August. So far I've had no issues on my Linux setup. For me, ssh-agent support was critical, so I'd also like to say thank you for this work. I hope we see this merged one day. |
|
@hazzuk Me too and I totally forgot that I have this PR open 😶🌫️ |
chirpcel
force-pushed
the
feature/external-ssh-signer
branch
from
cb6934e to
fdb461b
Compare
|
Open notes should now been solved. |
|
I didn't encounter problems on my machines. Tested on linux with openssh agent and pgp based ssh agent. |
|
Tested on MacOS using 1Password signing, worked perfectly! |
|
@extrawurst |
extrawurst
requested review from
cruessler
and removed request for
naseschwarz
|
I’ll have a look! |
|
(Just wanted to let you know that I haven’t forgotten this PR. I hope to be getting to it over the weekend.) |
cruessler
left a comment
cruessler
left a comment
There was a problem hiding this comment.
First of all, sorry for the long delay! (I wanted to make sure I had the time and focus needed for an actual review, and that took some time, unfortunately.)
Overall, this looks good to me, as far as I can tell. I just have a few questions.
| Ok(signer) | ||
| .map(|value| { | ||
| if value.starts_with("key::") { | ||
| value.replacen("key::", "", 1) |
There was a problem hiding this comment.
What do you think about value.strip_prefix("key::") instead (seems more idiomatic)?
| named_temp_file.path().display() | ||
| ); | ||
| pub_key_temp_file = Some(named_temp_file); | ||
| } |
There was a problem hiding this comment.
What do you think about changing to something like the following:
let (signing_key, pub_key_temp_file) = {
…
};
This could make the data flow easier to follow.
| .get_string("gpg.ssh.program") | ||
| .unwrap_or_else(|_| "ssh-keygen".to_string()); | ||
|
|
||
| let mut signing_key = config |
There was a problem hiding this comment.
What do you think about renaming to signing_key_path since that’s the field name in SSHSign?
| } | ||
| } | ||
|
|
||
| fn signing_key_into_temp_file( |
There was a problem hiding this comment.
What do you think about prefixing this with a verb so that it becomes write_signing_key_to_temp_file (or something similar)?
| } | ||
| } | ||
| signing_key_path: String, | ||
| _pub_key_temp_file: Option<NamedTempFile>, |
There was a problem hiding this comment.
Why is this prefixed with _? Does this warrant a comment?
7 participants
This Pull Request fixes/closes #2188.
It changes the following:
I followed the checklist:
make checkwithout errors