[git] Support GPG-signing & verifying commits #6299
Comments
This issue was discussed at today's dev-meeting, because of its number of up-votes. We realize it's an old one and the people who up-voted may have moved on. But if others seek to do this, it's possible today. Here's how to set this up. Choose the section appropriate for your case: whether your Theia application uses the Theia-specific Either way you will need a Using vscode built-in git (2 extensions pulled from
@JonasHelming @jankeromnes Given my investigation above, showing this is possible, I think we can probably close this issue?
I think this Issue text does not stress the most important part - of being able to remotely sign a commit in a workspace with a key from the local machine. Without putting sensitive information into the workspace. This is the reason I am subscribed to this issue, if that differs from what the author wanted I am sorry to interrupt and you can close this issue.
Thanks for the info @DanielHabenicht - I will investigate and possibly re-open one of these or amend the title/description of this one here and keep it open.
BTW, do you know whether this is possible today in the browser-accessible build of vscode/code-oss/VSCodium? It looks like the current mechanism relies on git triggering OS-level key signing, including an OS dialog popping up, where the user enters the passphrase associated to the key (which may not work so well on a remote workspace, thinking of it). Normally, the web browser/app that runs on the local machine does not have file system access (through @theia/filesystem, the frontend Theia app has access to the backend file system, but that doesn't help here). It could be possible to pop the "file open" browser dialog, and ask the user to select the private key file and then store it in browser local storage (to avoid asking all the time for it). Security of this key would be important, e.g. avoiding it being read/copied by other apps running on the same browser.
Hi @DanielHabenicht,
Sanity check: are you wishing for this feature as a Gitpod user? You mention "remote workspace" and also the issues referenced in the description are from Gitpod. At the time this issue was open, Gitpod used a Theia-based IDE. But they switched to a vscode-based IDE probably a couple of years ago. If that's the case, any feature we might offer in Theia, to help with your use-case, would not benefit you. BTW, one of these referenced Gitpod issues is still open and there are what look to be good suggestions, that you might try depending on your setup and willingness to go outside the beaten path.
There's this workaround https://adangel.org/2021/11/07/gitpod-gpg-signed-commits where you need to upload your private key to Gitpod (not ideal).
Description
Many developers like to GPG-sign their commits, using a personal GPG key pair, which will show their commits as "Verified" on GitHub. Some projects even require all commits to be verified as a rule.
Currently, you can achieve this via the Terminal, by using the git commit -S[<keyid>] flag (a.k.a. git commit --gpg-sign[=<keyid>]). But it would be nice to be able to do that via the Git UI as well.
Reproduction Steps
OS and Theia version: master
Diagnostics: N/A
Notes: Originally filed as gitpod-io/gitpod#467 and gitpod-io/gitpod#666. Also, while discussing how to actually import GPG keys before commits can be signed, we identified the Krypton app which looks promising (but it also just got acquired by Akamai, adding some uncertainty about its continued operation).