From fde2bc71d36b199098e5785e60aa925031b9e6f1 Mon Sep 17 00:00:00 2001 From: Leah Amelia Chen Date: Mon, 13 Nov 2023 13:05:43 +0100 Subject: [PATCH] git: add alternate signing methods The Git module now supports SSH and X.509 signing in addition to OpenPGP/GnuPG, via setting the `programs.git.signing.format` option. It defaults to `openpgp` for now as a backwards compatibility measure, but I feel like we shouldn't enforce GPG as the default on everyone, especially for people who use SSH signing like me. Accordingly, `programs.git.signing.gpgPath` has been renamed to `programs.git.signing.signer`, as now the signer binary is not restricted to GnuPG. Users should only get a warning and everything should continue to work. Fixes #4221, supersedes #4235 --- modules/misc/news.nix | 17 ++++ modules/programs/git.nix | 91 ++++++++++++------- tests/modules/programs/git/default.nix | 1 + tests/modules/programs/git/git-expected.conf | 3 + .../git/git-with-signing-key-id-expected.conf | 7 +- ...t-with-signing-key-id-legacy-expected.conf | 16 ++++ .../git/git-with-signing-key-id-legacy.nix | 28 ++++++ .../programs/git/git-with-signing-key-id.nix | 6 +- tests/modules/programs/git/git.nix | 3 +- 9 files changed, 133 insertions(+), 39 deletions(-) create mode 100644 tests/modules/programs/git/git-with-signing-key-id-legacy-expected.conf create mode 100644 tests/modules/programs/git/git-with-signing-key-id-legacy.nix diff --git a/modules/misc/news.nix b/modules/misc/news.nix index 82ad52877..9443490b8 100644 --- a/modules/misc/news.nix +++ b/modules/misc/news.nix @@ -1295,6 +1295,23 @@ in A new module is available: 'programs.granted'. ''; } + + { + time = "2023-11-13T12:13:04+00:00"; + condition = config.programs.git.signing != {}; + message = '' + The Git module now supports signing via SSH and X.509 keys, in addition to OpenPGP/GnuPG, + via the `programs.git.signing.format` option. + + The format defaults to `openpgp` for now, due to backwards compatibility reasons — this is + not guaranteed to last! GPG users should manually set `programs.git.signing.format` to + `openpgp` as soon as possible. + + Accordingly, `programs.git.signing.gpgPath` has been renamed to the more generic option + `programs.git.signing.signer` as not everyone uses GPG. + Please migrate to the new option to suppress the generated warning. + ''; + } ]; }; } diff --git a/modules/programs/git.nix b/modules/programs/git.nix index 53728060a..4e964e72b 100644 --- a/modules/programs/git.nix +++ b/modules/programs/git.nix @@ -14,33 +14,6 @@ let supersectionType = attrsOf (either multipleType sectionType); in attrsOf supersectionType; - signModule = types.submodule { - options = { - key = mkOption { - type = types.nullOr types.str; - description = '' - The default GPG signing key fingerprint. - - Set to `null` to let GnuPG decide what signing key - to use depending on commit’s author. - ''; - }; - - signByDefault = mkOption { - type = types.bool; - default = false; - description = "Whether commits and tags should be signed by default."; - }; - - gpgPath = mkOption { - type = types.str; - default = "${pkgs.gnupg}/bin/gpg2"; - defaultText = "\${pkgs.gnupg}/bin/gpg2"; - description = "Path to GnuPG binary to use."; - }; - }; - }; - includeModule = types.submodule ({ config, ... }: { options = { condition = mkOption { @@ -132,10 +105,46 @@ in { description = "Git aliases to define."; }; - signing = mkOption { - type = types.nullOr signModule; - default = null; - description = "Options related to signing commits using GnuPG."; + signing = { + key = mkOption { + type = types.nullOr types.str; + description = '' + The default signing key fingerprint. + + Set to `null` to let the signer decide what signing key + to use depending on commit’s author. + ''; + }; + + format = mkOption ({ + type = types.enum [ "openpgp" "ssh" "x509" ]; + description = '' + The signing method to use when signing commits and tags. + Valid values are `openpgp` (OpenPGP/GnuPG), `ssh`, (SSH) and `x509` (X.509 certificates). + + Defaults to `openpgp` until state version 23.11 for backwards compatibility reasons. + ''; + } // optionalAttrs (versionOlder config.home.stateVersion "23.11") { + default = "openpgp"; + }); + + signByDefault = mkOption { + type = types.bool; + default = false; + description = "Whether commits and tags should be signed by default."; + }; + + signer = mkOption { + type = types.str; + + default = { + openpgp = getExe' pkgs.gnupg "gpg2"; + ssh = getExe pkgs.ssh; + x509 = getExe' pkgs.gnupg "gpgsm"; + }.${cfg.signing.format}; + + description = "Path to signer binary to use."; + }; }; extraConfig = mkOption { @@ -353,9 +362,19 @@ in { }; }; + imports = [ + (mkRenamedOptionModule [ "programs" "git" "signing" "gpgPath" ] [ + "programs" + "git" + "signing" + "signer" + ]) + ]; + config = mkIf cfg.enable (mkMerge [ { home.packages = [ cfg.package ]; + assertions = [{ assertion = let enabled = @@ -415,12 +434,16 @@ in { (filterAttrs hasSmtp config.accounts.email.accounts); } - (mkIf (cfg.signing != null) { - programs.git.iniContent = { + (mkIf (cfg.signing != { }) { + programs.git.iniContent = let inherit (cfg.signing) format; + in { user.signingKey = mkIf (cfg.signing.key != null) cfg.signing.key; commit.gpgSign = mkDefault cfg.signing.signByDefault; tag.gpgSign = mkDefault cfg.signing.signByDefault; - gpg.program = cfg.signing.gpgPath; + gpg = { + inherit format; + ${format}.program = cfg.signing.signer; + }; }; }) diff --git a/tests/modules/programs/git/default.nix b/tests/modules/programs/git/default.nix index 3b92b2ff1..a1211f254 100644 --- a/tests/modules/programs/git/default.nix +++ b/tests/modules/programs/git/default.nix @@ -3,6 +3,7 @@ git-with-most-options = ./git.nix; git-with-msmtp = ./git-with-msmtp.nix; git-with-str-extra-config = ./git-with-str-extra-config.nix; + git-with-signing-key-id-legacy = ./git-with-signing-key-id-legacy.nix; git-with-signing-key-id = ./git-with-signing-key-id.nix; git-without-signing-key-id = ./git-without-signing-key-id.nix; git-with-hooks = ./git-with-hooks.nix; diff --git a/tests/modules/programs/git/git-expected.conf b/tests/modules/programs/git/git-expected.conf index 61e0a2cc5..3d072b404 100644 --- a/tests/modules/programs/git/git-expected.conf +++ b/tests/modules/programs/git/git-expected.conf @@ -38,6 +38,9 @@ smudge = "git-lfs smudge -- %f" [gpg] + format = "openpgp" + +[gpg "openpgp"] program = "path-to-gpg" [interactive] diff --git a/tests/modules/programs/git/git-with-signing-key-id-expected.conf b/tests/modules/programs/git/git-with-signing-key-id-expected.conf index b26377aac..aefca4142 100644 --- a/tests/modules/programs/git/git-with-signing-key-id-expected.conf +++ b/tests/modules/programs/git/git-with-signing-key-id-expected.conf @@ -2,7 +2,10 @@ gpgSign = true [gpg] - program = "path-to-gpg" + format = "ssh" + +[gpg "ssh"] + program = "path-to-ssh" [tag] gpgSign = true @@ -10,4 +13,4 @@ [user] email = "user@example.org" name = "John Doe" - signingKey = "00112233445566778899AABBCCDDEEFF" + signingKey = "ssh-ed25519 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" diff --git a/tests/modules/programs/git/git-with-signing-key-id-legacy-expected.conf b/tests/modules/programs/git/git-with-signing-key-id-legacy-expected.conf new file mode 100644 index 000000000..7c9bc1d02 --- /dev/null +++ b/tests/modules/programs/git/git-with-signing-key-id-legacy-expected.conf @@ -0,0 +1,16 @@ +[commit] + gpgSign = true + +[gpg] + format = "openpgp" + +[gpg "openpgp"] + program = "path-to-gpg" + +[tag] + gpgSign = true + +[user] + email = "user@example.org" + name = "John Doe" + signingKey = "00112233445566778899AABBCCDDEEFF" diff --git a/tests/modules/programs/git/git-with-signing-key-id-legacy.nix b/tests/modules/programs/git/git-with-signing-key-id-legacy.nix new file mode 100644 index 000000000..36f092299 --- /dev/null +++ b/tests/modules/programs/git/git-with-signing-key-id-legacy.nix @@ -0,0 +1,28 @@ +{ lib, options, ... }: { + config = { + programs.git = { + enable = true; + userName = "John Doe"; + userEmail = "user@example.org"; + + signing = { + gpgPath = "path-to-gpg"; + key = "00112233445566778899AABBCCDDEEFF"; + signByDefault = true; + }; + }; + + test.asserts.warnings.expected = [ + "The option `programs.git.signing.gpgPath' defined in ${ + lib.showFiles options.programs.git.signing.gpgPath.files + } has been renamed to `programs.git.signing.signer'." + ]; + + nmt.script = '' + assertFileExists home-files/.config/git/config + assertFileContent home-files/.config/git/config ${ + ./git-with-signing-key-id-legacy-expected.conf + } + ''; + }; +} diff --git a/tests/modules/programs/git/git-with-signing-key-id.nix b/tests/modules/programs/git/git-with-signing-key-id.nix index 8d182505f..049f7f396 100644 --- a/tests/modules/programs/git/git-with-signing-key-id.nix +++ b/tests/modules/programs/git/git-with-signing-key-id.nix @@ -6,8 +6,10 @@ userEmail = "user@example.org"; signing = { - gpgPath = "path-to-gpg"; - key = "00112233445566778899AABBCCDDEEFF"; + signer = "path-to-ssh"; + format = "ssh"; + key = + "ssh-ed25519 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; signByDefault = true; }; }; diff --git a/tests/modules/programs/git/git.nix b/tests/modules/programs/git/git.nix index fb949be00..29b71adde 100644 --- a/tests/modules/programs/git/git.nix +++ b/tests/modules/programs/git/git.nix @@ -55,7 +55,8 @@ in { } ]; signing = { - gpgPath = "path-to-gpg"; + signer = "path-to-gpg"; + format = "openpgp"; key = "00112233445566778899AABBCCDDEEFF"; signByDefault = true; };