From 4a8f48e49163d136c25abcc37dfc9f0ed7719607 Mon Sep 17 00:00:00 2001
From: Knut Ahlers
Date: Sat, 16 Dec 2023 18:48:15 +0100
Subject: [PATCH] Switch to using SSH keys for commit signing
Signed-off-by: Knut Ahlers
---
 .gitconfig | 7 +++++--
 bin/git-c | 11 ++++++++---
 bin/git-committerconfig | 24 +++++++++++++++---------
 3 files changed, 28 insertions(+), 14 deletions(-)
diff --git a/.gitconfig b/.gitconfig
index 7f3c382..76eea3a 100644
--- a/.gitconfig
+++ b/.gitconfig
@@ -48,7 +48,7 @@ smudge = git-filter-osslvault smudge
 required = true
 [gpg]
-program = gpg2
+format = ssh
 [push]
 default = upstream
@@ -65,10 +65,13 @@ enabled = true
 # therefore to disable the directory safety check
 directory = *
+[gpg.ssh]
+allowedSignersFile = ~/.git_allowed_signers
+
 [user]
 email = knut@ahlers.me
 name = Knut Ahlers
-signingkey = 5D7EEBD183A1F4395D1ED038A5143194CB681B44
+signingkey = ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGVbYCO34iJikI+nLxpu2zjrvIh92GQqiss3Bkt+CSo4 loki
 # Mappings for private repos and `go get`
 [url "git@bitbucket.org:"]
diff --git a/bin/git-c b/bin/git-c
index b87be4c..0a13189 100755
--- a/bin/git-c
+++ b/bin/git-c
@@ -1,5 +1,4 @@
 #!/bin/bash
-
 set -euo pipefail
 source "${HOME}/bin/script_framework.sh"
@@ -11,8 +10,14 @@ git committerconfig
 ### Commit
-step "Loading passphrase for GPG key..."
-vault-gpg $(git config user.signingkey)
+signingkey=$(git config user.signingkey)
+if [[ $signingkey =~ ^(ssh|ecdsa) ]]; then
+ step "Loading ssh key into agent..."
+ vault-sshadd $(cut -d ' ' -f 3 <<<"${signingkey}")
+else
+ step "Loading passphrase for GPG key..."
+ vault-gpg ${signingkey}
+fi
 step "Execute pre-commit auto-hook"
 git autohook pre-commit
diff --git a/bin/git-committerconfig b/bin/git-committerconfig
index aa94b6a..77792ca 100755
--- a/bin/git-committerconfig
+++ b/bin/git-committerconfig
@@ -7,7 +7,7 @@
 # {
 # "match": ".*",
 # "email": "mymail@example.com",
-# "gpg-key": "...",
+# "signingkey": "...",
 # }
 # ]
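Review bot: Dropping `program = gpg2` in the first .gitconfig hunk while the other two files keep an openpgp path (the `vault-gpg` branch in bin/git-c, and git-committerconfig now writing `gpg.format` = `openpgp` per repository) means any repository still signed with a GPG key falls back to git's default `gpg` binary instead of `gpg2`. `gpg.program` only applies to the openpgp format, so it can coexist with `format = ssh`; if `gpg` and `gpg2` differ on this machine, keep `program = gpg2` next to the new line. A one-line comment such as `# ssh signing by default; git-committerconfig may switch gpg.format back to openpgp per repo` would make that relationship visible to the next reader.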
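Review bot: `allowedSignersFile = ~/.git_allowed_signers` in the second .gitconfig hunk points at a file this patch does not add (the diffstat lists only .gitconfig, bin/git-c and bin/git-committerconfig), so signing will work but `git verify-commit` and `git log --show-signature` cannot validate the result until that file exists with a principal line for the key in `user.signingkey`. Either track the file in the dotfiles as well (it holds only public keys) or record the dependency above the setting, e.g. `# must list "<principal> ssh-ed25519 <key>" for the signingkey below; not managed by this repo`. The trailing `loki` on the signingkey line is the field bin/git-c extracts and hands to vault-sshadd, which reads as a free-form key comment and deserves a comment of its own, e.g. `# third field is the vault key name used by bin/git-c`.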
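Review bot: `vault-sshadd $(cut -d ' ' -f 3 <<<"${signingkey}")` in the second bin/git-c hunk is unquoted and assumes the key's comment is the third field, so a signingkey without a comment yields an empty argument under `set -u`-style strictness, and a key given as a file path or with git's `key::` prefix (both forms git accepts for ssh signing, as far as I recall) fails the `^(ssh|ecdsa)` test and is handed to vault-gpg instead. Quote both substitutions, `vault-sshadd "$(cut -d ' ' -f 3 <<<"${signingkey}")"` and `vault-gpg "${signingkey}"`, and guard the empty case with a `[[ -n ... ]]` check before the call. The ssh-vs-GPG test is duplicated in bin/git-committerconfig, so either keep the two expressions in sync or decide the branch from `git config gpg.format`, which that script now sets per repository. The script body continues outside the hunk.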
@@ -26,7 +26,7 @@ def main():
 in subprocess.check_output(['git', 'remote', '-v'], universal_newlines=True).split('\n')
 if re.match('origin.*\(push\)', x)][0]
 except:
- print('Could not find origin, not setting email.')
+ print('Could not find origin, not setting local git configuration.')
 return 0
 if os.path.isfile(CONFIG):
@@ -37,18 +37,24 @@ def main():
 for combi in combinations:
 if re.search(combi['match'], repo):
- subprocess.check_call(
- ['git', 'config', '--local', 'user.email', combi['email']])
- if 'gpg-key' in combi and combi['gpg-key'] != '':
- subprocess.check_call(
- ['git', 'config', '--local', 'user.signingkey', combi['gpg-key']])
+ set_local_config('user.email', combi['email'])
+
+ if 'signingkey' in combi and combi['signingkey'] != '':
+ set_local_config('user.signingkey', combi['signingkey'])
+ set_local_config('gpg.format', 'ssh' if re.search(
+ r'^(?:ssh|ecdsa)', combi['signingkey']) else 'openpgp')
+
 if 'commit-opts' in combi:
- subprocess.check_call(
- ['git', 'config', '--local', 'commit.cliopts', combi['commit-opts']])
+ set_local_config('commit.cliopts', combi['commit-opts'])
+ break
 return 0
+def set_local_config(param, value):
+ subprocess.check_call(['git', 'config', '--local', param, value])
+
+
 if __name__ == "__main__":
 exit(main())
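Review bot: The `set_local_config('gpg.format', ...)` call decides ssh versus openpgp with `re.search(r'^(?:ssh|ecdsa)', ...)`, so a signing key written as a file path or with git's `key::` prefix (both of which git accepts for ssh signing, as far as I recall) gets `gpg.format` set to `openpgp`; `combi['signingkey'].startswith(('ssh', 'ecdsa'))` says the same thing more plainly, and since bin/git-c carries the identical test the two will drift unless one of them becomes the single source of truth. The rename from `gpg-key` to `signingkey` has no fallback, so an existing config entry that still says `gpg-key` silently stops setting `user.signingkey` without any message; reading `combi.get('signingkey') or combi.get('gpg-key')` once during the transition, or warning when the old key is seen, would avoid that. `set_local_config` needs a docstring, e.g. `"""Set *param* to *value* in the current repository's local git config; raises CalledProcessError if git fails."""`. main() begins outside the hunk.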