argoproj / argo-cd

Declarative Continuous Deployment for Kubernetes
https://argo-cd.readthedocs.io
Apache License 2.0

Consider using go-git (and thus protonmail/go-crypto/openpgp and crypto/rsa) for git gpg signature verification #19037

Open xnox opened 1 month ago

xnox commented 1 month ago

Describe the bug

Currently argo-cd executes git and gpg to verify signatures. Instead one could switch to using https://github.com/go-git/go-git to achieve the same verification.

This could have a few benefits: it is implemented in Go, without the need for git and gpg binaries.

Separately, it is easier to achieve FIPS certification for this functionality via go-fips toolchain.

Also, you will have more control over what is being verified.

xnox commented 1 month ago

Or even better, move away from supporting this altogether, given how many other gaps there are in gpg signature verification of git gpg commits, as per https://github.com/argoproj/argo-cd/pull/14966/files

Using git-ssh / git-smime signature verification would be an improvement in terms of reducing the number of cryptography implementations in use, but it doesn't address other concerns.

crenshaw-dev commented 1 month ago

I highly doubt we'll move entirely to go-git any time soon. Argo Workflows moved to go-git and hit a ton of issues. Alex Collins mentioned at one point that, with the benefit of hindsight, he'd probably have just stuck with the git binary. And Argo CD uses git more heavily than Argo Workflows.

At the same time, I'm not opposed to the idea in principle. If we could rely on go-git as strongly as the git binary, I'd love to avoid the external dependency. Would also make distroless easier to achieve.

xnox commented 1 month ago

@crenshaw-dev

FUN!

Note my concern here is about gpg usage only, as used for signature verification. I do agree that it is very hard to stay up-to-date with all the feature-for-feature & bug-for-bug compatibility in the git ecosystem with anything but the C git implementation for the rest of the git operations.

Thus I am mostly interested in using go-git / Go-based OpenPGP parsing to replace the gpg binary usage, as that will eliminate the gpg/gcrypt cryptography stack and instead use golang-crypto mostly (or actually OpenSSL when building with go-fips or go-microsoft toolchains).
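
The first step any in-process replacement for `gpg --verify` has to get right, whichever OpenPGP library does the cryptography, is recovering the exact bytes the commit signature covers. The following added example (not Argo CD or go-git code) shows that step with the Go standard library only: it strips the `gpgsig` header and its space-indented continuation lines from a constructed commit object, returning the signed payload and the armored signature that a Go OpenPGP verifier would take in place of the gpg binary.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// constructedCommit is a hand-made signed commit object (what git hashes, minus
// the "commit <len>\0" framing); the armored block is a placeholder signature.
const constructedCommit = "tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904\n" +
	"author A U Thor <author@example.com> 1700000000 +0000\n" +
	"committer A U Thor <author@example.com> 1700000000 +0000\n" +
	"gpgsig -----BEGIN PGP SIGNATURE-----\n \n PLACEHOLDERBASE64LINE\n =abcd\n" +
	" -----END PGP SIGNATURE-----\n\nSigned commit message\n"

// SplitSignedCommit returns the bytes the signature covers (all headers except
// gpgsig, a blank line, the message) and the armored signature taken from the
// gpgsig header. git verify-commit feeds exactly this pair to gpg --verify; a
// Go OpenPGP verifier would consume the same pair in gpg's place.
func SplitSignedCommit(raw string) (payload, signature string, err error) {
	headerEnd := strings.Index(raw, "\n\n")
	if headerEnd < 0 {
		return "", "", errors.New("commit object has no header/message separator")
	}
	var kept, sig []string
	inSig := false
	for _, line := range strings.Split(raw[:headerEnd], "\n") {
		switch {
		case strings.HasPrefix(line, "gpgsig "):
			inSig = true
			sig = append(sig, strings.TrimPrefix(line, "gpgsig "))
		case inSig && strings.HasPrefix(line, " "):
			sig = append(sig, line[1:]) // continuation lines are indented by one space
		default:
			inSig = false
			kept = append(kept, line)
		}
	}
	if len(sig) == 0 {
		return "", "", errors.New("commit is not signed (no gpgsig header)")
	}
	payload = strings.Join(kept, "\n") + "\n\n" + raw[headerEnd+2:]
	return payload, strings.Join(sig, "\n") + "\n", nil
}

func main() {
	fmt.Println(SplitSignedCommit(constructedCommit)) // prints payload, signature, <nil>
}
```

Other multi-line headers (such as `mergetag`) are kept intact in the payload, since only the `gpgsig` block is excluded from what the signature covers.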

crenshaw-dev commented 1 month ago

Thus I am mostly interested in using go-git / golang based OpenPGP parsing to replace the gpg binary usage.

That's fair. I'm not sure how difficult it will be to extract all uses of the GPG binary. I imagine there are places where we use env vars or other config to ask the git binary to invoke gpg on our behalf. We'd need to find all those places and either provide a go-based gpg shim binary or add go code to substitute for the gpg binary call.

it is easier to achieve FIPS certification

How much easier? 🙂