Signature validation does not work with gpg.format=ssh

Open tdanner opened this issue 1 year ago • 11 comments

Version info

  • OS: macOS 12.5.1
  • Build: 2077

Description

As of git 2.34, you can use an SSH key to sign commits. GitHub recently added support for verifying these signatures. Sublime Merge displays "Invalid" for these signatures, though the tooltip says otherwise.

image

Steps to reproduce

Steps to reproduce the behavior:

  1. Set up git commit signing using an SSH key according to these instructions.
  2. Make a commit.
  3. Verify the signature using git show --show-signature
  4. View the commit in Sublime Merge

Expected behavior

Sublime Merge shows "Valid" when the signature is valid.

tdanner avatar Sep 02 '22 15:09 tdanner

Hi @tdanner,

Thanks for reaching out and sharing this! This will be fixed in the next build.

Cheers, - Dylan from Sublime HQ

dpjohnst avatar Sep 14 '22 03:09 dpjohnst

This issue is still present in build 2083.

huornlmj avatar Mar 30 '23 11:03 huornlmj

For me, Sublime Merge started showing "Valid" for ssh signatures in build 2079.

tdanner avatar Mar 30 '23 12:03 tdanner

For me, in version 2083, it works, just like @tdanner said.

renatoliveira avatar Mar 30 '23 12:03 renatoliveira

I'm not using an Ed25519 key, though - just an ssh-rsa one. Could this be the reason? My installed git software (Windows) is git version 2.39.1.windows.1.

huornlmj avatar Mar 30 '23 14:03 huornlmj

I've seen it work with both Ed25519 and RSA ssh keys, so I don't think that is the issue. I have only tried this from macOS - maybe it is something specific to SM on Windows?

tdanner avatar Mar 30 '23 14:03 tdanner

Hi @huornlmj,

Thanks for reaching out!

If you hover over the "invalid signature" in Sublime Merge, does the output indicate that the validation was successful? e.g. the same message as shown in the original report?

Kind regards, - Dylan from Sublime HQ

dpjohnst avatar Mar 31 '23 06:03 dpjohnst

@dpjohnst I didn't know I could do this, so this is the message I get when I hover: image

huornlmj avatar Mar 31 '23 11:03 huornlmj

Hi @huornlmj,

Looks like Git hasn't been configured with an allowedSignersFile - see: https://git-scm.com/docs/git-config#Documentation/git-config.txt-gpgsshallowedSignersFile

In other words, you need to provide Git with a list of public keys it can trust. For more info take a look at this great blog post - specifically the verifying section: https://blog.dbrgn.ch/2021/11/16/git-ssh-signatures/

Thanks, - Dylan from Sublime HQ

dpjohnst avatar Apr 04 '23 01:04 dpjohnst
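
The allowedSignersFile lookup described in the reply above, as an added example that is not part of the thread or of Git's or Sublime Merge's code: Git hands SSH signature checks to ssh-keygen using the "git" namespace, so a key is only trusted if an entry in the file lists it and does not restrict it to other namespaces. The sketch is simplified (it skips cert-authority entries and ignores validity dates and negated patterns), and the keys, principals and the names parse_allowed_signers and trusted_principals are constructed for illustration.

```python
import fnmatch
import re

TOKEN = re.compile(r'(?:[^\s"]|"[^"]*")+')   # keeps quoted spaces in one field
NAMESPACES = re.compile(r'namespaces=(?:"([^"]*)"|([^,\s]*))', re.I)
KEY_PREFIXES = ("ssh-", "ecdsa-", "sk-")

# Constructed sample data: placeholder strings, not real key material.
DEV_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDEVKEYPLACEHOLDER dev@laptop"
DOC_KEY = "ssh-rsa AAAAB3NzaC1yc2EAAAADOCKEYPLACEHOLDER docs@build"
SAMPLE = """\
# principals [options] keytype base64-key
dev@example.com namespaces="git" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDEVKEYPLACEHOLDER
docs@example.com namespaces="file" ssh-rsa AAAAB3NzaC1yc2EAAAADOCKEYPLACEHOLDER
"""

def parse_allowed_signers(text):
    """Return (principals, options, keytype, key) for each non-comment line."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        f = TOKEN.findall(line)
        if len(f) >= 3 and f[1].startswith(KEY_PREFIXES):
            entries.append((f[0], "", f[1], f[2]))      # no options field
        elif len(f) >= 4 and f[2].startswith(KEY_PREFIXES):
            entries.append((f[0], f[1], f[2], f[3]))
        else:
            raise ValueError(f"line {n}: expected principals [options] keytype key")
    return entries

def trusted_principals(text, pubkey, namespace="git"):
    """Principals under which `pubkey` is accepted for `namespace`."""
    want = tuple(pubkey.split()[:2])        # ignore the trailing key comment
    found = []
    for principals, opts, keytype, key in parse_allowed_signers(text):
        if (keytype, key) != want or "cert-authority" in opts.lower():
            continue
        m = NAMESPACES.search(opts)
        if m:  # a namespaces option restricts where the key may be used
            allowed = (m.group(1) or m.group(2) or "").split(",")
            if not any(fnmatch.fnmatchcase(namespace, p) for p in allowed):
                continue
        found.extend(principals.split(","))
    return found

if __name__ == "__main__":
    for name, key in (("dev", DEV_KEY), ("docs", DOC_KEY)):
        print(name, trusted_principals(SAMPLE, key) or "no principal trusted for git")
```

An empty result for a key corresponds to a signature that is cryptographically good but has no trusted signer, which is the case a missing or incomplete allowedSignersFile produces.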

For me this issue is occurring with build 2091. I am just evaluating so it is unregistered. When I hover over invalid I see error: cannot run gpg: No such file or directory. The repo is set to use ssh. I do not have gpg installed because I don't use it for anything. The allowed signers file is properly set. Signing is correctly verified via git log --show-signature.

MikeJCusack avatar Mar 27 '24 15:03 MikeJCusack

I was able to get this working by adding export SSH_AUTH_SOCK=~/Library/Group\ Containers/2BUA8C4S2C.com.1password/t/agent.sock to my .zshenv.

MikeJCusack avatar Mar 27 '24 15:03 MikeJCusack