diff --git a/modules/misc/news.nix b/modules/misc/news.nix index 92d3e9f5..bc5bd8b4 100644 --- a/modules/misc/news.nix +++ b/modules/misc/news.nix @@ -1299,6 +1299,22 @@ in { ''; } + { + time = "2023-11-13T12:13:04+00:00"; + condition = config.programs.git.signing != {}; + message = '' + The Git module now supports signing via SSH and X.509 keys, in addition to OpenPGP/GnuPG, + via the `programs.git.signing.format` option. + + The format defaults to `openpgp` for now, due to backwards compatibility reasons — this is + not guaranteed to last! GPG users should manually set `programs.git.signing.format` to + `openpgp` as soon as possible. + + Accordingly, `programs.git.signing.gpgPath` has been renamed to the more generic option + `programs.git.signing.signer` as not everyone uses GPG. + Please migrate to the new option to suppress the generated warning. + ''; + } { time = "2023-11-22T22:42:16+00:00"; message = '' diff --git a/modules/programs/git.nix b/modules/programs/git.nix index 53728060..4e964e72 100644 --- a/modules/programs/git.nix +++ b/modules/programs/git.nix @@ -14,33 +14,6 @@ let supersectionType = attrsOf (either multipleType sectionType); in attrsOf supersectionType; - signModule = types.submodule { - options = { - key = mkOption { - type = types.nullOr types.str; - description = '' - The default GPG signing key fingerprint. - - Set to `null` to let GnuPG decide what signing key - to use depending on commit’s author. - ''; - }; - - signByDefault = mkOption { - type = types.bool; - default = false; - description = "Whether commits and tags should be signed by default."; - }; - - gpgPath = mkOption { - type = types.str; - default = "${pkgs.gnupg}/bin/gpg2"; - defaultText = "\${pkgs.gnupg}/bin/gpg2"; - description = "Path to GnuPG binary to use."; - }; - }; - }; - includeModule = types.submodule ({ config, ... }: { options = { condition = mkOption { @@ -132,10 +105,46 @@ in { description = "Git aliases to define."; }; - signing = mkOption { - type = types.nullOr signModule; - default = null; - description = "Options related to signing commits using GnuPG."; + signing = { + key = mkOption { + type = types.nullOr types.str; + description = '' + The default signing key fingerprint. + + Set to `null` to let the signer decide what signing key + to use depending on commit’s author. + ''; + }; + + format = mkOption ({ + type = types.enum [ "openpgp" "ssh" "x509" ]; + description = '' + The signing method to use when signing commits and tags. + Valid values are `openpgp` (OpenPGP/GnuPG), `ssh`, (SSH) and `x509` (X.509 certificates). + + Defaults to `openpgp` until state version 23.11 for backwards compatibility reasons. + ''; + } // optionalAttrs (versionOlder config.home.stateVersion "23.11") { + default = "openpgp"; + }); + + signByDefault = mkOption { + type = types.bool; + default = false; + description = "Whether commits and tags should be signed by default."; + }; + + signer = mkOption { + type = types.str; + + default = { + openpgp = getExe' pkgs.gnupg "gpg2"; + ssh = getExe pkgs.ssh; + x509 = getExe' pkgs.gnupg "gpgsm"; + }.${cfg.signing.format}; + + description = "Path to signer binary to use."; + }; }; extraConfig = mkOption { @@ -353,9 +362,19 @@ in { }; }; + imports = [ + (mkRenamedOptionModule [ "programs" "git" "signing" "gpgPath" ] [ + "programs" + "git" + "signing" + "signer" + ]) + ]; + config = mkIf cfg.enable (mkMerge [ { home.packages = [ cfg.package ]; + assertions = [{ assertion = let enabled = @@ -415,12 +434,16 @@ in { (filterAttrs hasSmtp config.accounts.email.accounts); } - (mkIf (cfg.signing != null) { - programs.git.iniContent = { + (mkIf (cfg.signing != { }) { + programs.git.iniContent = let inherit (cfg.signing) format; + in { user.signingKey = mkIf (cfg.signing.key != null) cfg.signing.key; commit.gpgSign = mkDefault cfg.signing.signByDefault; tag.gpgSign = mkDefault cfg.signing.signByDefault; - gpg.program = cfg.signing.gpgPath; + gpg = { + inherit format; + ${format}.program = cfg.signing.signer; + }; }; }) diff --git a/tests/modules/programs/git/default.nix b/tests/modules/programs/git/default.nix index 3b92b2ff..a1211f25 100644 --- a/tests/modules/programs/git/default.nix +++ b/tests/modules/programs/git/default.nix @@ -3,6 +3,7 @@ git-with-most-options = ./git.nix; git-with-msmtp = ./git-with-msmtp.nix; git-with-str-extra-config = ./git-with-str-extra-config.nix; + git-with-signing-key-id-legacy = ./git-with-signing-key-id-legacy.nix; git-with-signing-key-id = ./git-with-signing-key-id.nix; git-without-signing-key-id = ./git-without-signing-key-id.nix; git-with-hooks = ./git-with-hooks.nix; diff --git a/tests/modules/programs/git/git-expected.conf b/tests/modules/programs/git/git-expected.conf index 61e0a2cc..3d072b40 100644 --- a/tests/modules/programs/git/git-expected.conf +++ b/tests/modules/programs/git/git-expected.conf @@ -38,6 +38,9 @@ smudge = "git-lfs smudge -- %f" [gpg] + format = "openpgp" + +[gpg "openpgp"] program = "path-to-gpg" [interactive] diff --git a/tests/modules/programs/git/git-with-signing-key-id-expected.conf b/tests/modules/programs/git/git-with-signing-key-id-expected.conf index b26377aa..aefca414 100644 --- a/tests/modules/programs/git/git-with-signing-key-id-expected.conf +++ b/tests/modules/programs/git/git-with-signing-key-id-expected.conf @@ -2,7 +2,10 @@ gpgSign = true [gpg] - program = "path-to-gpg" + format = "ssh" + +[gpg "ssh"] + program = "path-to-ssh" [tag] gpgSign = true @@ -10,4 +13,4 @@ [user] email = "user@example.org" name = "John Doe" - signingKey = "00112233445566778899AABBCCDDEEFF" + signingKey = "ssh-ed25519 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" diff --git a/tests/modules/programs/git/git-with-signing-key-id-legacy-expected.conf b/tests/modules/programs/git/git-with-signing-key-id-legacy-expected.conf new file mode 100644 index 00000000..7c9bc1d0 --- /dev/null +++ b/tests/modules/programs/git/git-with-signing-key-id-legacy-expected.conf @@ -0,0 +1,16 @@ +[commit] + gpgSign = true + +[gpg] + format = "openpgp" + +[gpg "openpgp"] + program = "path-to-gpg" + +[tag] + gpgSign = true + +[user] + email = "user@example.org" + name = "John Doe" + signingKey = "00112233445566778899AABBCCDDEEFF" diff --git a/tests/modules/programs/git/git-with-signing-key-id-legacy.nix b/tests/modules/programs/git/git-with-signing-key-id-legacy.nix new file mode 100644 index 00000000..36f09229 --- /dev/null +++ b/tests/modules/programs/git/git-with-signing-key-id-legacy.nix @@ -0,0 +1,28 @@ +{ lib, options, ... }: { + config = { + programs.git = { + enable = true; + userName = "John Doe"; + userEmail = "user@example.org"; + + signing = { + gpgPath = "path-to-gpg"; + key = "00112233445566778899AABBCCDDEEFF"; + signByDefault = true; + }; + }; + + test.asserts.warnings.expected = [ + "The option `programs.git.signing.gpgPath' defined in ${ + lib.showFiles options.programs.git.signing.gpgPath.files + } has been renamed to `programs.git.signing.signer'." + ]; + + nmt.script = '' + assertFileExists home-files/.config/git/config + assertFileContent home-files/.config/git/config ${ + ./git-with-signing-key-id-legacy-expected.conf + } + ''; + }; +} diff --git a/tests/modules/programs/git/git-with-signing-key-id.nix b/tests/modules/programs/git/git-with-signing-key-id.nix index 8d182505..049f7f39 100644 --- a/tests/modules/programs/git/git-with-signing-key-id.nix +++ b/tests/modules/programs/git/git-with-signing-key-id.nix @@ -6,8 +6,10 @@ userEmail = "user@example.org"; signing = { - gpgPath = "path-to-gpg"; - key = "00112233445566778899AABBCCDDEEFF"; + signer = "path-to-ssh"; + format = "ssh"; + key = + "ssh-ed25519 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; signByDefault = true; }; }; diff --git a/tests/modules/programs/git/git.nix b/tests/modules/programs/git/git.nix index fb949be0..29b71add 100644 --- a/tests/modules/programs/git/git.nix +++ b/tests/modules/programs/git/git.nix @@ -55,7 +55,8 @@ in { } ]; signing = { - gpgPath = "path-to-gpg"; + signer = "path-to-gpg"; + format = "openpgp"; key = "00112233445566778899AABBCCDDEEFF"; signByDefault = true; };