archimatetool / archi-modelrepository-plugin

coArchi - a plug-in to share and collaborate on Archi models.

GPG Signing of Commits not supported #114

Closed danielwagn3r closed 1 year ago

danielwagn3r commented 4 years ago

I'm currently facing a problem where I'm unable to refresh or commit my model anymore without any user-visible failure. In the Archi logfile I found the following exception:

Versions: Archi 4.6.0.201911111111 Archi Model Repository 0.5.3.201910181308

!ENTRY org.eclipse.e4.ui.workbench 4 0 2019-12-02 08:59:58.339
!MESSAGE Command 'org.archicontribs.modelrepository.command.refreshModel' failed
!STACK 0
org.eclipse.core.commands.ExecutionException: Error executing 'org.archicontribs.modelrepository.command.refreshModel': org.eclipse.jgit.api.errors.JGitInternalException: Blob with base offset of 32 has incorrect digest.
        at org.eclipse.e4.core.commands.internal.HandlerServiceHandler.execute(HandlerServiceHandler.java:170)
        at org.eclipse.core.commands.Command.executeWithChecks(Command.java:498)
        at org.eclipse.core.commands.ParameterizedCommand.executeWithChecks(ParameterizedCommand.java:487)
        at org.eclipse.e4.core.commands.internal.HandlerServiceImpl.executeHandler(HandlerServiceImpl.java:213)
        at org.eclipse.e4.ui.workbench.renderers.swt.HandledContributionItem.executeItem(HandledContributionItem.java:438)
        at org.eclipse.e4.ui.workbench.renderers.swt.AbstractContributionItem.handleWidgetSelection(AbstractContributionItem.java:449)
        at org.eclipse.e4.ui.workbench.renderers.swt.AbstractContributionItem.lambda$2(AbstractContributionItem.java:475)
        at org.eclipse.swt.widgets.EventTable.sendEvent(EventTable.java:89)
        at org.eclipse.swt.widgets.Display.sendEvent(Display.java:4173)
        at org.eclipse.swt.widgets.Widget.sendEvent(Widget.java:1057)
        at org.eclipse.swt.widgets.Display.runDeferredEvents(Display.java:3986)
        at org.eclipse.swt.widgets.Display.readAndDispatch(Display.java:3585)
        at org.eclipse.e4.ui.internal.workbench.swt.PartRenderingEngine$5.run(PartRenderingEngine.java:1160)
        at org.eclipse.core.databinding.observable.Realm.runWithDefault(Realm.java:338)
        at org.eclipse.e4.ui.internal.workbench.swt.PartRenderingEngine.run(PartRenderingEngine.java:1049)
        at org.eclipse.e4.ui.internal.workbench.E4Workbench.createAndRunUI(E4Workbench.java:155)
        at org.eclipse.ui.internal.Workbench.lambda$3(Workbench.java:633)
        at org.eclipse.core.databinding.observable.Realm.runWithDefault(Realm.java:338)
        at org.eclipse.ui.internal.Workbench.createAndRunWorkbench(Workbench.java:557)
        at org.eclipse.ui.PlatformUI.createAndRunWorkbench(PlatformUI.java:150)
        at com.archimatetool.editor.Application.start(Application.java:84)
        at org.eclipse.equinox.internal.app.EclipseAppHandle.run(EclipseAppHandle.java:203)
        at org.eclipse.core.runtime.internal.adaptor.EclipseAppLauncher.runApplication(EclipseAppLauncher.java:137)
        at org.eclipse.core.runtime.internal.adaptor.EclipseAppLauncher.start(EclipseAppLauncher.java:107)
        at org.eclipse.core.runtime.adaptor.EclipseStarter.run(EclipseStarter.java:400)
        at org.eclipse.core.runtime.adaptor.EclipseStarter.run(EclipseStarter.java:255)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
        at java.base/java.lang.reflect.Method.invoke(Unknown Source)
        at org.eclipse.equinox.launcher.Main.invokeFramework(Main.java:660)
        at org.eclipse.equinox.launcher.Main.basicRun(Main.java:597)
        at org.eclipse.equinox.launcher.Main.run(Main.java:1468)
Caused by: org.eclipse.e4.core.di.InjectionException: org.eclipse.jgit.api.errors.JGitInternalException: Blob with base offset of 32 has incorrect digest.
        at org.eclipse.e4.core.internal.di.MethodRequestor.execute(MethodRequestor.java:68)
        at org.eclipse.e4.core.internal.di.InjectorImpl.invokeUsingClass(InjectorImpl.java:318)
        at org.eclipse.e4.core.internal.di.InjectorImpl.invoke(InjectorImpl.java:252)
        at org.eclipse.e4.core.contexts.ContextInjectionFactory.invoke(ContextInjectionFactory.java:173)
        at org.eclipse.e4.core.commands.internal.HandlerServiceHandler.execute(HandlerServiceHandler.java:156)
        ... 32 more
Caused by: org.eclipse.jgit.api.errors.JGitInternalException: Blob with base offset of 32 has incorrect digest.
        at org.eclipse.jgit.lib.internal.BouncyCastleGpgSigner.sign(BouncyCastleGpgSigner.java:157)
        at org.eclipse.jgit.api.CommitCommand.call(CommitCommand.java:271)
        at org.archicontribs.modelrepository.grafico.ArchiRepository.commitChanges(ArchiRepository.java:175)
        at org.archicontribs.modelrepository.actions.AbstractModelAction.offerToCommitChanges(AbstractModelAction.java:132)
        at org.archicontribs.modelrepository.actions.RefreshModelAction.init(RefreshModelAction.java:146)
        at org.archicontribs.modelrepository.actions.RefreshModelAction.run(RefreshModelAction.java:78)
        at org.archicontribs.modelrepository.actions.RefreshModelHandler.execute(RefreshModelHandler.java:30)
        at org.eclipse.ui.internal.handlers.HandlerProxy.execute(HandlerProxy.java:283)
        at org.eclipse.ui.internal.handlers.E4HandlerProxy.execute(E4HandlerProxy.java:95)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
        at java.base/java.lang.reflect.Method.invoke(Unknown Source)
        at org.eclipse.e4.core.internal.di.MethodRequestor.execute(MethodRequestor.java:58)
        ... 36 more
Caused by: java.io.IOException: Blob with base offset of 32 has incorrect digest.
        at org.bouncycastle.gpg.keybox.KeyBlob.verifyDigest(Unknown Source)
        at org.bouncycastle.gpg.keybox.CertificateBlob.parseContent(Unknown Source)
        at org.bouncycastle.gpg.keybox.Blob.getInstance(Unknown Source)
        at org.bouncycastle.gpg.keybox.KeyBox.<init>(Unknown Source)
        at org.bouncycastle.gpg.keybox.KeyBox.<init>(Unknown Source)
        at org.eclipse.jgit.lib.internal.BouncyCastleGpgKeyLocator.readKeyBoxFile(BouncyCastleGpgKeyLocator.java:369)
        at org.eclipse.jgit.lib.internal.BouncyCastleGpgKeyLocator.findPublicKeyInKeyBox(BouncyCastleGpgKeyLocator.java:207)
        at org.eclipse.jgit.lib.internal.BouncyCastleGpgKeyLocator.findSecretKey(BouncyCastleGpgKeyLocator.java:241)
        at org.eclipse.jgit.lib.internal.BouncyCastleGpgSigner.locateSigningKey(BouncyCastleGpgSigner.java:120)
        at org.eclipse.jgit.lib.internal.BouncyCastleGpgSigner.sign(BouncyCastleGpgSigner.java:129)
        ... 49 more

jbsarrodie commented 4 years ago

Some questions to try to narrow it down:

Here's something you could try:

danielwagn3r commented 4 years ago

I've already reproduced the issue with a freshly imported model on which I did a single change. Import worked fine, so communication with Git Server (Atlassian Bitbucket) should be fine.

I've seen that already the commit doesn't work apparently so there is no push tried after all, at least it seems so.

jbsarrodie commented 4 years ago

I've already reproduced the issue with a freshly imported model on which I did a single change. Import worked fine, so communication with Git Server (Atlassian Bitbucket) should be fine.

Could you please detail your plugin configuration? If you use an SSH key, then please try with an alternate method (HTTPS with user/password or token).

Phillipus commented 4 years ago

This is a Bouncy Castle error. This is used internally by JGit for encrypting and signing with GPG keys. Is there some unusual configuration going on here?

danielwagn3r commented 4 years ago

Hm, the problem seems to originate from the global (per user) .gitconfig

[commit]
        gpgsign = true
[gpg]
        program = C:\\Program Files (x86)\\GnuPG\\bin\\gpg.exe

which wasn't honored by JGit as far as I know. Was there a change in JGit regarding this?

Phillipus commented 4 years ago

I don't know if there is an issue with JGit 5.3 and Bouncy Castle that could cause this. I searched but couldn't find anything. It may be that JGit 5.5 fixes this.

danielwagn3r commented 4 years ago

In the meanwhile I've disabled signed commits.

Phillipus commented 4 years ago

I couldn't even get my GPG key to work with JGit. I think it's this:

https://bugs.eclipse.org/bugs/show_bug.cgi?id=545673

When JGit 5.6 is released I'll try that.

Phillipus commented 4 years ago

I've tested this with JGit 5.6 and there is a more fundamental issue to using GPG signed commits - we have to implement a specific credentials provider to ask the user for a pass phrase to the GPG store (or get it from somewhere) when committing.

I've created some POC code to do this but it needs more work, refactoring and testing so we have to say that, right now, GPG signing of commits is unsupported.

Phillipus commented 4 years ago

Notes to self:

Create a GPG key:

  1. gpg --list-keys
  2. gpg --gen-key
  3. Make sure this exists in user.home/.gnupg and not somewhere else

Add to .gitconfig the public key and gpgsign:

[user]
    signingkey = 1CCF1FC43907B95A18251F68E51AF52E2E2F12F1

[commit]
    gpgsign = true

POC code in branch "gpg"

Phillipus commented 4 years ago

There are times when coArchi does an automatic commit (when first cloning, when creating a new repo from a model, merging, refresh (pull) and restore commit). It might be inconvenient to ask the user for the pass-phrase at these points. We need to think about whether GPG signing is desirable or not and, if it is, how to deal with these types of commit. At any rate, my assessment is that implementing it would take some work.

itewk commented 1 year ago

just ran into this, womp womp

Phillipus commented 1 year ago

just ran into this, womp womp

Signed commits won't be implemented in coArchi, so this should be disabled in .gitconfig

itewk commented 1 year ago

which stinks cuz 99% of my work with git is on the command line so having gpg signing on by default isn't worth giving up for the 1% of the time i have to push from archi. rock. hard place. womp womp.

jbsarrodie commented 1 year ago

which stinks cuz 99% of my work with git is on the command line so having gpg signing on by default isn't worth giving up for the 1% of the time i have to push from archi. rock. hard place. womp womp.

But as explained several times here and on Archi's forum, nobody should use git commands on a coArchi maintained repository, unless you want to lose your work of course (git is not able to do a merge in a way that guarantees that the model won't be corrupted, coArchi does).

Phillipus commented 1 year ago

which stinks cuz 99% of my work with git is on the command line so having gpg signing on by default isn't worth giving up for the 1% of the time i have to push from archi. rock. hard place. womp womp.

You can manually add this to the local config file in the archi repository in the .git directory.

[commit]
    gpgSign = false

But please feel free to implement GPG signing as a pull request. It's all free and open source.
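
Added example (not code from coArchi or JGit): a Python sketch of why the repository-local override above wins over the global `commit.gpgsign = true` reported earlier in the thread. Git configuration is read scope by scope with later scopes overriding earlier ones, and variable names are case-insensitive, so `gpgSign` and `gpgsign` are the same key. The parser is a simplified stand-in for git's own (no includes, quoting or inline comments), and the sample strings and function names are constructed for illustration.

```python
import re

# Constructed samples mirroring the [commit] snippets quoted in this thread.
GLOBAL_GITCONFIG = "[commit]\n\tgpgsign = true\n"
LOCAL_REPO_CONFIG = "[core]\n\tbare = false\n[commit]\n    gpgSign = false\n"

_SECTION = re.compile(r'^\[\s*([A-Za-z0-9.-]+)(?:\s+"(.*)")?\s*\]$')
_TRUE = {"true", "yes", "on", "1"}
_FALSE = {"false", "no", "off", "0", ""}


def parse(text):
    """Simplified git-config reader: {(section, subsection, key): value}."""
    values, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        m = _SECTION.match(line)
        if m:
            # Section names are case-insensitive, subsections are not.
            section = (m.group(1).lower(), m.group(2))
            continue
        if section is None:
            continue
        key, sep, value = line.partition("=")
        # A key with no "= value" part counts as boolean true in git.
        values[section + (key.strip().lower(),)] = value.strip() if sep else "true"
    return values


def effective_gpgsign(*scopes):
    """scopes: (name, text) pairs in precedence order; later scopes win."""
    result = (None, "unset")
    for name, text in scopes:
        value = parse(text).get(("commit", None, "gpgsign"))
        if value is None:
            continue
        if value.lower() not in _TRUE | _FALSE:
            raise ValueError(f"{name}: bad boolean {value!r}")
        result = (value.lower() in _TRUE, name)
    return result


if __name__ == "__main__":
    print(effective_gpgsign(("global", GLOBAL_GITCONFIG)))
    print(effective_gpgsign(("global", GLOBAL_GITCONFIG),
                            ("local", LOCAL_REPO_CONFIG)))
```

On a machine with git installed, `git config --show-origin --get commit.gpgsign` run inside the repository reports the effective value and the file it came from.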

Phillipus commented 1 year ago

For the next version of coArchi I'll add the following as default to each new repo's config file:

[commit]
    gpgSign = false

itewk commented 1 year ago

@Phillipus oooh. good idea. thanks.

Phillipus commented 1 year ago

For the next version of coArchi I'll add the following as default to each new repo's config file

This is now in coArchi 0.8.5

itewk commented 1 year ago

wow. amazing. i assumed "next version" would be like a year from now. my heroes!