Switch to using SSH keys for commit signing

Signed-off-by: Knut Ahlers <knut@ahlers.me>
2023-12-16 18:48:15 +01:00 · 2023-12-16 18:48:15 +01:00 · 4a8f48e491
commit 4a8f48e491
parent 61a175cbfe
3 changed files with 28 additions and 14 deletions
--- a/.gitconfig
+++ b/.gitconfig
@ -48,7 +48,7 @@ smudge = git-filter-osslvault smudge
 required = true

 [gpg]
-program = gpg2
+format = ssh

 [push]
 default = upstream
@ -65,10 +65,13 @@ enabled = true
 # therefore to disable the directory safety check
 directory = *

+[gpg.ssh]
+allowedSignersFile = ~/.git_allowed_signers
+
 [user]
 email = knut@ahlers.me
 name = Knut Ahlers
-signingkey = 5D7EEBD183A1F4395D1ED038A5143194CB681B44
+signingkey = ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGVbYCO34iJikI+nLxpu2zjrvIh92GQqiss3Bkt+CSo4 loki

 # Mappings for private repos and `go get`
 [url "git@bitbucket.org:"]
--- a/bin/git-c
+++ b/bin/git-c
@ -1,5 +1,4 @@
 #!/bin/bash
-
 set -euo pipefail

 source "${HOME}/bin/script_framework.sh"
@ -11,8 +10,14 @@ git committerconfig

 ### Commit

+signingkey=$(git config user.signingkey)
+if [[ $signingkey =~ ^(ssh|ecdsa) ]]; then
+  step "Loading ssh key into agent..."
+  vault-sshadd $(cut -d ' ' -f 3 <<<"${signingkey}")
+else
  step "Loading passphrase for GPG key..."
-vault-gpg $(git config user.signingkey)
+  vault-gpg ${signingkey}
+fi

 step "Execute pre-commit auto-hook"
 git autohook pre-commit
--- a/bin/git-committerconfig
+++ b/bin/git-committerconfig
@ -7,7 +7,7 @@
 #     {
 #       "match": ".*",
 #       "email": "mymail@example.com",
-#       "gpg-key": "...",
+#       "signingkey": "...",
 #     }
 #   ]

@ -26,7 +26,7 @@ def main():
                in subprocess.check_output(['git', 'remote', '-v'], universal_newlines=True).split('\n')
                if re.match('origin.*\(push\)', x)][0]
    except:
-        print('Could not find origin, not setting email.')
+        print('Could not find origin, not setting local git configuration.')
        return 0

    if os.path.isfile(CONFIG):
@ -37,18 +37,24 @@ def main():

    for combi in combinations:
        if re.search(combi['match'], repo):
-            subprocess.check_call(
-                ['git', 'config', '--local', 'user.email', combi['email']])
-            if 'gpg-key' in combi and combi['gpg-key'] != '':
-                subprocess.check_call(
-                    ['git', 'config', '--local', 'user.signingkey', combi['gpg-key']])
+            set_local_config('user.email', combi['email'])
+
+            if 'signingkey' in combi and combi['signingkey'] != '':
+                set_local_config('user.signingkey', combi['signingkey'])
+                set_local_config('gpg.format', 'ssh' if re.search(
+                    r'^(?:ssh|ecdsa)', combi['signingkey']) else 'openpgp')
+
            if 'commit-opts' in combi:
-                subprocess.check_call(
-                    ['git', 'config', '--local', 'commit.cliopts', combi['commit-opts']])
+                set_local_config('commit.cliopts', combi['commit-opts'])
+
            break

    return 0


+def set_local_config(param, value):
+    subprocess.check_call(['git', 'config', '--local', param, value])
+
+
 if __name__ == "__main__":
    exit(main())