feat: commit signing using ssh and gpg

[bryans-go]

feat: commit signing using ssh and gpg

Description

add support for commit signing when adding git provider(s)

• This change requires a documentation update
• I have made corresponding changes to the documentation

Related Issue(s)

Closes #370
/claim #370

Screenshots

Notes

In order to sign your commits with ssh . ssh keys need to be present on your local system and should be added to your github or gitlab account. my pr simplifies the work for manually doing setup for ssh commit signing in the gitconfig file of the project.
for the ssh key field : paste the same key that you pasted in the add ssh key in github or gitlab

[bryans-go]

@Tpuljak

can you please assist here. I am succesfull in adding git provider but these values are not getting stored and am not able to understand what to do

[Tpuljak]

@Tpuljak can you please assist here. I am succesfull in adding git provider but these values are not getting stored and am not able to understand what to do

@bryans-go from what I can see, you don't pass the properties from SetGitProviderConfig to GitProviderConfig here https://github.com/daytonaio/daytona/blob/main/pkg/api/controllers/gitprovider/gitprovider.go#L134

[bryans-go]

[bryans-go]

now the ssh signing is working perfectly @Tpuljak
Some of the git providers does not show verified commits bagde even on signed commits by git while some also dont have proper docs on this . what should we do there ?

[Tpuljak]

Some of the git providers does not show verified commits bagde even on signed commits by git while some also dont have proper docs on this . what should we do there ?

Could you let us know which providers don't show the verified badge but should?

P.S. Nice work on the solution!

[bryans-go]

https://jira.atlassian.com/browse/BCLOUD-3166. Bitbucket doesn't have this feature yet and gitness don't have a proper docs on ssh and gpg signing while

[Tpuljak]

https://jira.atlassian.com/browse/BCLOUD-3166. Bitbucket doesn't have this feature yet and gitness don't have a proper docs on ssh and gpg signing while

Then let's not show that input at all if the user selects Bitbucket or Gitness

[bryans-go]

Ok

[bryans-go]

@Tpuljak Done

[bryans-go]

@bryans-go I had something else in mind with https://github.com/daytonaio/daytona/pull/1146/files#r1778545525.

"none" shouldn't be defined as an option here.

The solution I was aiming for included setting up a variable inside GitProviderSelectionView that would be a helper variable for selecting the signing method. It would include ssh gpg and none as options. After the form runs inside that function, you would check the value of that variable and assign GitProviderView to the appropriate value (if none then nil).

@Tpuljak I did what you said but problem is that due to the fact that signing method is a enum . the following problem has arisen. please assist with it

[Tpuljak]

@bryans-go I had something else in mind with https://github.com/daytonaio/daytona/pull/1146/files#r1778545525.
"none" shouldn't be defined as an option here.
The solution I was aiming for included setting up a variable inside GitProviderSelectionView that would be a helper variable for selecting the signing method. It would include ssh gpg and none as options. After the form runs inside that function, you would check the value of that variable and assign GitProviderView to the appropriate value (if none then nil).

@Tpuljak I did what you said but problem is that due to the fact that signing method is a enum . the following problem has arisen. please assist with it

@bryans-go please try to do some debugging yourself. Not completely sure but this might be part of the issue. The signing method is a string when passed here when it should be a pointer to a string.
Also, make sure to wipe your config between these changes since these are all breaking to one another.

[bryans-go]

daytona/pkg/views/gitprovider/select.go

Line 179 in 0606c74

gitProviderAddView.SigningMethod = nil

I added the following line by explicitly setting the value as nil, and now everything works perfectly.

PS: I tried setting signing method as pointer to string but it didn't worked as expected but the following method was successful .

[bryans-go]

@Tpuljak
Done !
did all requested changes

[bryans-go]

done

[Tpuljak]

How exactly did you test GPG signing?

[bryans-go]

@Tpuljak you will need to specify what problem are you facing. I also faced some problems while testing
you can visit here for troubleshooting
https://docs.gitlab.com/ee/user/project/repository/signed_commits/gpg.html#troubleshooting

[Tpuljak]

@bryans-go you're supposed to tell us how to test this 😄

Please let us know how exactly you tested this and proof that it actually works.
The issue I'm having is that, inside the project, I can't sign with GPG because the secret key is missing.

[bryans-go]

@Tpuljak
we will need to do some changes here

func generateSshConfigEntry(profileId, workspaceId, projectName, knownHostsPath string) (string, error) {
	daytonaPath, err := os.Executable()
	if err != nil {
		return "", err
	}

	tab := "\t"
	projectHostname := GetProjectHostname(profileId, workspaceId, projectName)

	config := fmt.Sprintf("Host %s\n"+
		tab+"User daytona\n"+
		tab+"StrictHostKeyChecking no\n"+
		tab+"UserKnownHostsFile %s\n"+
		tab+"ProxyCommand \"%s\" ssh-proxy %s %s %s\n"+
		tab+"ForwardAgent yes\n"+
		tab+"StreamLocalBindUnlink yes\n"+
		tab+"RemoteForward /home/daytona/.gnupg/S.gpg-agent:/run/user/1000/gnupg/S.gpg-agent.extra\n\n",   // the 1000 is hardcoded we can make it dynamic
		projectHostname, knownHostsPath, daytonaPath, profileId, workspaceId, projectName)

	return config, nil
}

also after that

we need to export the public gpg key gpg --armor --export 44C255D0CE19BFF3 // gpg key id submitted by user. copy the full output
then daytona ssh
then gpg --import
paste the output here and then ctrl+d

this steps can be reduced to // if we want to code it

1. ssh -R /home/daytona/.gnupg/S.gpg-agent:/run/user/1000/gnupg/S.gpg-agent.extra -o StreamLocalBindUnlink=yes user@remote

2.Ensure the following directory on the remote exists
if no then mkdir -p /home/daytona/.gnupg

Import the public GPG key on the remote (if not done yet):

gpg --export <key-id> | ssh user@remote 'gpg --import' // one line command will need to edit if we want to go this way by automatically adding public gpg in the project
Now we can do the gpg signing flawlessly

[bryans-go]

this requires (OpenSSH 6.7+) and also see this https://wiki.gnupg.org/AgentForwarding
reference https://superuser.com/questions/161973/how-can-i-forward-a-gpg-key-via-ssh-agent

[bryans-go]

apiClient.GitProviderAPI.GetGitProviderForUrl(ctx, encodedUrl).Execute() what will be the encoded url and ctx . I mean how to get repo url and which file change I'm not able to conclude anything

[Tpuljak]

The URL is the encoded Repository.Url of the project you are entering and ctx can be context.Background().

[bryans-go]

Please suggest a way to get git provide config because ssh_file.go doesn't let me import apiclient. Without using apiclient what others things we can do to get git provider config

[bryans-go]

Even after thinking so much and surfing through codebase I'm not able to find a good way to do this

[Tpuljak]

That information should be passed into EnsureSshConfigEntryAdded as an argument by callers of the function.

E.g. the daytona ssh command should get the git provider from the API, check if it has set gpg signing, if so, it should pass the appropriate argument to OpenTerminalSsh that will then pass that to EnsureSshConfigEntryAdded.

[bryans-go]

To forward your GPG keys over SSH using Unix Domain Socket Forwarding, follow these steps:

1. Get the GPG Agent Socket Paths

On your local machine, get the socket paths using gpgconf:

gpgconf --list-dirs agent-socket // do on remote machine or dtn ssh
gpgconf --list-dirs agent-extra-socket //do on local machine

In my case, the output shows:

• Agent socket on remote: /home/daytona/.gnupg/S.gpg-agent
• Extra socket on local: /run/user/1000/gnupg/S.gpg-agent.extra

2. Forward GPG Agent Socket via SSH

Use SSH with the -R option to forward the local GPG socket to the remote machine.

Example:

ssh -R /home/remote-user/.gnupg/S.gpg-agent:/run/user/1000/gnupg/S.gpg-agent.extra -o StreamLocalBindUnlink=yes user@remote

#1146 (comment) see this too

Make sure the remote directory exists: /home/remote-user/.gnupg/.

3. Import the Public Key on the Remote Machine

GPG requires the public part of the key to verify signatures or encrypt data. You can import it by running:

gpg --export <key-id> | ssh user@remote 'gpg --import'

Replace <key-id> with your actual GPG key ID.

4. Test the Setup

After logging into the remote machine, check if the key is available using:

gpg --list-secret-keys

If the key is listed, the forwarding works, and you can now use your GPG keys on the remote server.