gitpod
gitpod copied to clipboard
gitpod-io
Have Gitpod-based commits GPG-signed
There are some projects that requires commits to be GPG-signed to verify the authenticity of a contributor. Gitpod should be able make commits GPG-signed as a preference or automatically like browser-editing.
Hi,
If home directories were persistent (see #340) then gpg keys may be imported into a persistent home area./home/gitpod/.gnupg/ or /home/<github username>/.gnupg/
If home directories were persistent (see #340) then gpg keys may be imported into a persistent home area.
/home/gitpod/.gnupg/or/home/<github username>/.gnupg/
Good suggestion, thanks!
But since persisting the home directory seems a bit complicated, I have found a potential work-around (that I'd like to use for SSH keys):
- Set
SSH_PUBLIC_KEYandSSH_PRIVATE_KEYenvironment variables in https://gitpod.io/environment-variables/ (you may restrict this to repos you trust, e.g.yourname/*) - Add something like this to your projects'
.gitpod.yml:
tasks:
- before: >
mkdir -p ~/.ssh &&
echo $SSH_PUBLIC_KEY > ~/.ssh/id_rsa.pub &&
chmod 644 ~/.ssh/id_rsa.pub &&
echo $SSH_PRIVATE_KEY > ~/.ssh/id_rsa &&
chmod 600 ~/.ssh/id_rsa
This will re-setup your SSH keys automatically in every workspace for that project, and may be adapted for GPG keys too.
It's a bit cumbersome, because it requires a project configuration change, but may work. I wonder if SSH and GPG could also accept keys as environment variables, removing the need for creating special files in the home directory.
Hi,
The following would work for GPG keys so something similar will also work for .ssh.
-
Convert your source .gnugpg directory contents to base64 data:
tar -czvf - ./.gnupg | base64 -w 0 -
Place this data into a gitpod environment varaiable called GNUGPG
-
Add following to project's
.gitpod.yml:
tasks:
- before: >
[[ ! -z $GNUGPG ]] &&
cd ~ &&
rm -rf .gnupg &&
echo $GNUGPG | base64 -d | tar --no-same-owner -xzvf -
Thanks for the tip!
- Place this data into a gitpod environment varaiable called GNUGPG
You can even do this directly from a Gitpod Terminal, like so:
gp env GNUGPG=$(tar -czvf - ~/.gnupg | base64 -w 0)
I don't like to store my private GPG (or SSH) keys in a (unencrypted) third-party database (aka “not my computer”), but I really would like to sign my commits. I think one should rather use a secure solution like Krypton for that (see also #782, thx @Vlaaaaaaad for the hint). With Krypton, the private key never leaves the security chip on your phone.
We could add Krypton to the Gitpod base image gitpod/workspace-full. I was curious how well Krypton works in Gitpod. Thus, I created a simple sample repository (with some notes in the README.md): https://github.com/corneliusludmann/gitpod-krypton-example You still need to pair (kr pair + scan QR code with your phone) and enable (kr codesign) Krypton in every workspace via the terminal. (It's totally fine for me, however, it shouldn't be to hard to build a plugin/widget for GUI support for this.)
Pros of adding Krypton to the Gitpod base image:
- Having a secure (!) way to sign your commits.
- Little effort to support signed commits in Gitpod.
- Could encourage users to sign their commits.
Cons of adding Krypton to the Gitpod base image:
- Additional dependency in the base image for a feature that may not be used by many people.
- Feature is “hidden” behind the terminal. A proper documentation on the Gitpod website could help users to discover this useful feature. Or even a widget.
How do you feel about it? Any opinions?
(Probably there are even alternatives to Krypton?!?)
I very much like the idea( it's what I use now due to me switching tons of devices for work) and it also adds secure SSH for people who need that buuuuut krypt.co has been acquired and is now a part of Akamai. No comment has been made regarding the future of krypt.co so I would be against adding it in the base image until the future of the project is known.
CC @kcking and @agrinman for a comment on this.
I don't like to store my private GPG (or SSH) keys in a (unencrypted) third-party database (aka “not my computer”),
@corneliusludmann If the keys are password protected then they are encrypted .
If the keys are password protected then they are encrypted .
You're right. That makes it much better. The only thing left is that you have to decrypt the keys in the (probably “untrusted”) workspace to sign your commits, don't you? It's still a (small) attack vector that services like Krypton solve.
I would prefer much to have an option to have Gitpod generate a one-time GPG key for me just like GitHub were they provide a GPG key for each account when you perform a browser-based edit as well.
There's reasons why this would be feasible since not everyone likes to provide their own keys and would probably prefer to have a service generate it for them.
while the solutions you have might be good, again, in my opinion, this increases complexity if we wanted Gitpod to be just a out of the box experience, meaning user should just code and test, and that's it. I think this should be a optional integration for services like Krypton since I don't feel like its worth the configuration for many just to have their commits authenticated. Having options is a nice little thing.
I agree with @sr229 the idea of the service is "frictionless coding" I feel it would compromise the goal of the project to force this it should be recommended but not forced upon users.
Any info on this? Gitpod being unable to sign the commits is quite annoying when i am trying to contribute to things that require CLA, etc.. alike https://github.com/tldr-pages/tldr/pull/4136
So for me i have to clone local and remake the commit..
Note that github has access token for this
So i would think that just adapting gitpod's logic to use this would be enough?
Note that github has access token for this
So i would think that just adapting gitpod's logic to use this would be enough?
Yep! That's what I was going for, We already have the API for it.
Hi @wusatosi and @crazyuploader!
While I agree this would definitely be more convenient with a built-in feature in Gitpod, you can already set up GPG-signed commits in Gitpod yourself as explained in https://github.com/gitpod-io/gitpod/issues/666#issuecomment-534347856
Please let me know if this doesn't work or if you're getting any errors.
Just wanna let you know @jankeromnes GitHub Codespaces now sign commits so you guys might want to catch up now.
Hi @wusatosi and @crazyuploader!
While I agree this would definitely be more convenient with a built-in feature in Gitpod, you can already set up GPG-signed commits in Gitpod yourself as explained in #666 (comment)
Please let me know if this doesn't work or if you're getting any errors.
Oh it worked, thanks!
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
![stale[bot] avatar](https://avatars.githubusercontent.com/in/1724?v=4 "Published by a pub.dev verified publisher"){kind=small}
FWIW, I just tried the instructions on https://github.com/gitpod-io/gitpod/issues/666#issuecomment-534347856 and they don't work in the latest Gitpod builds (with rebranding and VS Code) via the gitpod user. It requires sudo to sign anything. Does anyone know how to fix this?
FWIW, I just tried the instructions on #666 (comment) and they don't work in the latest Gitpod builds (with rebranding and VS Code) via the
gitpoduser. It requires sudo to sign anything. Does anyone know how to fix this?
I'm having difficulty with this as well. Initially I had difficulty generating keys in the container without sudo. I learned that the gpg needed write access to the terminal (owned by root:nogroup with file mode 640) for the passphrase prompt. I can change the file mode with sudo chmod 666 $(tty) which allowed key generation to work. I've also seen errors when the terminal window was too small for the passphrase prompt. Even with gpg reporting access to the secret key, the terminal file mode changed, and the terminal window maximized I still dont get code signing to work.
Another solution here that I think is much closer to being a reality is to use Remote GPG Agent Forwarding (https://wiki.gnupg.org/AgentForwarding).
This would be the ideal solution for those already using the local VS Code feature.
We can piggy back on the SSH connection to forward the local gpg-agent to the remote gitpod.
I would also like to mention that I checked today GitLab access token and I couldn't find the GPG/PGP permission scope ( relates to https://github.com/gitpod-io/gitpod/issues/666#issuecomment-651321561)
That sounds like a viable solution, but it seems that would only work for the desktop Vscode and not for the browser ( no local system to connect to)
Another suggestion would be https://www.agwa.name/projects/git-crypt/ , where users can create repository-specific GPG keys ( for example I have a GPG key just for signing commits ) then share it with the repo. i know, it's cumbersome and prob not good, but it's an example.
Another example would be the Browser extension ( there is none ) that would hold or even connect to a local GPG agent and then sign then somehow let the VsCode ( browser ) know the result ...
I'm just throwing the ideas :)
maybe look into this https://keys.pub/ and their https://keys.pub/docs/specs/wormhole.html approach
Those also look like other possible solutions too.
However I’d like to point out that for those orgs which use PGP smartcards, remote forwarding the GPG agent will be required, none of the other solutions (gpg-agent in the browser, extra private keys, etc) will address that use case.
The use case for PGP in gitpod is not just for signing commits. It’s also for secrets management (e.g., with mozilla/sops and signing packages/releases.
Ok, good news :) I have managed to get gpg-agent forwarding working from my local workstation to the remote gitpod. I can successfully perform pgp operations (decrypting, signing) on my USB smartcard (plugged into to my local workstation) inside the gitpod.
The procedure is a bit of a manual one, and would greatly benefit with a little polish from the local companion I suspect.
- Copy your ~/.gnupg locally to the remote gitpod, or export/import a subset. In my case I needed to have my personal key to the gitpod. In my case I was not transferring any secret material, because that’s all on the smartcard. The key file I import on gitpod only has the secret “stubs”
- In the gitpod workspace, kill any existing gpg-agents with
gpgconf --kill gpg-agent - Open the gitpod workspace in a local VSCode
- In local VSCode, use the command palette (default: Ctrl+Shift+P) to run “Remote-SSH: Open SSH Configuration File”
- On your local workstation, copy the contents into another file, say
gitpod.ssh - On your local workstation, add the line
RemoteForward /home/gitpod/.gnupg/S.gpg-agent /path/to/your/local/gpg-agent/extra-socket(I assume you already are running gpg-agent locally)- To get the path to your local gpg-agent extra socket run this locally:
gpgconf --list-dir agent-extra-socket
- To get the path to your local gpg-agent extra socket run this locally:
- On your local workstation, SSH into the gitpod with
ssh -F gitpod.ssh <gitpod hostname> - Inside the gitpod you can then
gpg --list-secret-keysand try out decryption/signing operations
🎉
Security warning: this exposes your entire gnupg keyring and smartcard to the gitpod. So you probably don’t want to leave this open more than necessary, or configure a very short caching time for your smartcard pin.
You’ll need to perform this procedure every time you connect, because the ~/.gnupg folder is not persisted (you could put it in the workspace and use the GNUPG_HOME env var to workaround that). Also the connection details inside the ssh config file change every time you open the local vscode.
I implemented it as follows based on this blog post from @adangel.
But I made some changes:
tasks:
- before: >
[[ ! -z $GNUPG_KEY ]] &&
gpg --verbose --batch --import <(echo $GNUPG_KEY|base64 -d) &&
echo 'pinentry-mode loopback' >> ~/.gnupg/gpg.conf &&
git config --global user.signingkey $GNUPG_SIGNING_KEY &&
git config commit.gpgsign true
I want to make a signed commit by default when there is a GPG key. For my GPG signed commits I use a subkey, so I need to include that.
The error message I get has been the following.
Note that github has access token for this
Yep! That's what I was going for, We already have the API for it.
This only gives you access to your public gpg key. Even GitHub doesn't have your private key, and to sign your commit you need your private key.
I don't think Gitpod would want to store your private key as well, due to security and compliance complications.
One possible solution would be for gitpod to generate gpg private key for each user, and you would add public key to your github account. Then gitpod would use that private key to sign your commits, with the idea that even user wouldn't be able to see that private key. I think github is probably doing something similar when you use web interface.
I personally do want to be able to sign my commits in gitpod as well, but would want this to be done securely.
@sagor999 thank you for the feedback and clear explanation :pray: :heart_eyes: !
@gitpod-io/engineering-meta , I've just added this item to your inbox for triage. In talking with @csweichel , this would need to be done in the web app space, so I've added to your inbox accordingly.
