1Password x Gitpod integration
Use 1Password to sign commits in Gitpod
As discussed with @Nancy-Chauhan, @pawlean, and Michael Aring.
1Password for SSH & Git lets you pull, push, and sign commits using Touch ID, Apple Watch or Windows Hello within a remote Gitpod workspace, without the private key ever leaving 1Password. If you exit the workspace or lock 1Password, all access gets voided.
Next to the Git use case, there are other SSH use cases that could be interesting as well:
- Uploading artifacts built within a Gitpod workspace over SFTP.
- Setting up a database tunnel within a Gitpod workspace.
- Logging into another remote VM within a Gitpod workspace.
What already works today
1. Automatically generate SSH keys and upload public keys to Gitpod, right from the browser:
https://user-images.githubusercontent.com/7430639/197740002-81c9e1c0-1d0e-4cd7-93ab-187f0dc18553.mov
2. Authenticate into a Gitpod workspace locally using an SSH key stored in 1Password:
https://user-images.githubusercontent.com/7430639/198065906-7475a1f9-80b4-463a-a504-98c7ae19995c.mov
3. Make a signed Git commit from within a Gitpod workspace:
https://user-images.githubusercontent.com/7430639/198073282-cbd562d0-6452-4188-b820-734faf26366a.mov
https://user-images.githubusercontent.com/7430639/198073309-a5b6633b-524a-48b0-b16e-7491bc4c7f35.mov
Opportunity to improve: onboarding flow
While the above videos technically already work, there are a few steps involved for the user to set this up:
- Locally enable SSH agent forwarding for Gitpod hosts in the SSH config:
  Host *.gitpod.io
    ForwardAgent yes
- Tell Git to use SSH for signing and which SSH key to use:
  git config --global gpg.format ssh
  git config --global user.signingkey "ssh-ed25519 <my public key>"
- Then, to authenticate pulls and pushes through the SSH agent as well, tell Git to use SSH instead of HTTPS:
  git config --global url."ssh://git@".insteadOf https://
Have Gitpod configure a key in the Gitconfig
Gitpod already configures the Git commit author name and email in every Gitpod workspace:
[image]
To improve the commit signing setup, Gitpod could also autoconfigure user.signingkey, gpg.format = ssh, and commit.gpgsign = true.
This would need consent of the user, which could possibly be done from the SSH Keys settings pane. Maybe through a checkbox: Use for commit signing, or a dropdown? Here's how GitHub solves it:
[image]
Opportunity to improve: Discoverability
Not a lot of people know that commit signing with SSH keys is now possible. So we could think of ways to bring this more to the forefront. For example:
- Create an entire Commit Signing settings pane just like the existing SSH Keys pane.
- Cover it in the Gitpod SSH docs and other docs.
- GitHub offers an API to check what the configured commit signing requirements are. Could be interesting to add a warning or some sort of label in Gitpod to denote that you won't be able to contribute to that repo if you don't have commit signing set up (and point the user in the direction to set it up for their Gitpod workspace).
Limitations
Desktop IDE only
All of the above only works when using Gitpod in a Desktop IDE. In the future, I'd love to also explore a full browser integration, but that would require a bit more engineering work on the Gitpod side as well.
GitHub only
Commit signing currently only works (well) with GitHub, but GitLab support is coming real soon as well.
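As an added example (not part of the original issue, and not Gitpod's or 1Password's code), the script below applies the signing settings from the onboarding steps inside a workspace. It takes the public key from the forwarded agent and writes nothing unless run with --apply. The function names, the --apply consent flag and the optional key filter are assumptions made for this example; the key:: prefix is Git's literal-key form for user.signingkey.

```shell
#!/bin/sh
# Added example: configure SSH commit signing from a forwarded agent key.
# Function names and the --apply consent flag are assumptions for this example.

# Read `ssh-add -L` output on stdin and print the first public key as
# "key::<type> <base64>" (Git's literal-key form for user.signingkey).
# Optional $1: substring that must appear on the key line, e.g. its comment.
# Returns 1 when no key matches ("The agent has no identities." is skipped).
pick_signing_key() {
    awk -v want="${1:-}" '
        $1 ~ /^(ssh-|ecdsa-sha2-|sk-)/ && $2 != "" &&
        (want == "" || index($0, want)) {
            print "key::" $1, $2; found = 1; exit
        }
        END { exit !found }'
}

# Write the three signing settings to a gitconfig file.
# $1: key in key:: form, $2: config file (default: the user's ~/.gitconfig).
configure_signing() {
    key=$1
    cfg=${2:-$HOME/.gitconfig}
    git config --file "$cfg" gpg.format ssh &&
    git config --file "$cfg" user.signingkey "$key" &&
    git config --file "$cfg" commit.gpgsign true
}

# Nothing is changed without explicit consent: run as `script --apply [filter]`.
if [ "${1:-}" = "--apply" ]; then
    # Without agent forwarding there is no socket, and signing would fail later.
    if [ -z "${SSH_AUTH_SOCK:-}" ]; then
        echo "SSH_AUTH_SOCK is unset: agent forwarding is not active" >&2
        exit 1
    fi
    if ! key=$(ssh-add -L 2>/dev/null | pick_signing_key "${2:-}"); then
        echo "the forwarded agent offers no matching key" >&2
        exit 1
    fi
    configure_signing "$key" && echo "commit signing enabled with $key"
fi
```

These three settings are enough to sign; verifying signatures locally (for example with git log --show-signature) additionally needs gpg.ssh.allowedSignersFile to be configured.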