sublimehq / sublime_merge

Issue tracker for Sublime Merge
https://www.sublimemerge.com

Signature validation does not work with gpg.format=ssh #1598

Open tdanner opened 2 years ago

tdanner commented 2 years ago

Version info

Description

As of git 2.34, you can use an SSH key to sign commits. GitHub recently added support for verifying these signatures. Sublime Merge displays "Invalid" for these signatures, though the tooltip says otherwise.

image

Steps to reproduce

Steps to reproduce the behavior:

  1. Set up git commit signing using an SSH key according to these instructions.
  2. Make a commit.
  3. Verify the signature using `git show --show-signature`
  4. View the commit in Sublime Merge

Expected behavior

Sublime Merge shows "Valid" when the signature is valid.

dpjohnst commented 2 years ago

Hi @tdanner,

Thanks for reaching out and sharing this! This will be fixed in the next build.

Cheers, - Dylan from Sublime HQ

huornlmj commented 1 year ago

This issue is still present in build 2083.

tdanner commented 1 year ago

For me, Sublime Merge started showing "Valid" for ssh signatures in build 2079.

renatoliveira commented 1 year ago

For me, in version 2083, it works, just like @tdanner said.

huornlmj commented 1 year ago

I'm not using an Ed25519 key, though - just an ssh-rsa one. Could this be the reason? My installed git software (Windows) is git version 2.39.1.windows.1.

tdanner commented 1 year ago

I've seen it work with both Ed25519 and RSA ssh keys, so I don't think that is the issue. I have only tried this from macOS - maybe it is something specific to SM on Windows?

dpjohnst commented 1 year ago

Hi @huornlmj,

Thanks for reaching out!

If you hover over the "invalid signature" in Sublime Merge, does the output indicate that the validation was successful? e.g. the same message as shown in the original report?

Kind regards, - Dylan from Sublime HQ

huornlmj commented 1 year ago

@dpjohnst I didn't know I could do this, so this is the message I get when I hover: image

dpjohnst commented 1 year ago

Hi @huornlmj,

Looks like Git hasn't been configured with an allowedSignersFile - see: https://git-scm.com/docs/git-config#Documentation/git-config.txt-gpgsshallowedSignersFile

In other words, you need to provide Git with a list of public keys it can trust. For more info take a look at this great blog post - specifically the verifying section: https://blog.dbrgn.ch/2021/11/16/git-ssh-signatures/

Thanks, - Dylan from Sublime HQ
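The configuration this comment refers to can be checked from a shell. The script below is an added example, not code from the thread or from Sublime HQ; `ssh_sig_status` and its status words are names made up here. It reports whether a repository has `gpg.format=ssh`, a readable `gpg.ssh.allowedSignersFile`, and the user's own signing key listed in that file.

```shell
#!/bin/sh
# Added example: classify a repository's SSH commit-signing configuration.
# ssh_sig_status and its status words are names invented for this sketch.
ssh_sig_status() {
    repo=$1
    # gpg.format picks the backend used to sign new commits; unset means openpgp.
    fmt=$(git -C "$repo" config --get gpg.format || true)
    [ "$fmt" = "ssh" ] || { echo "format-not-ssh"; return 0; }

    # Verifying an SSH signature needs a trust list of principals and public keys.
    signers=$(git -C "$repo" config --type=path --get gpg.ssh.allowedSignersFile || true)
    [ -n "$signers" ] || { echo "no-allowed-signers-file"; return 0; }
    case $signers in
        /*) ;;
        *) signers="$(git -C "$repo" rev-parse --show-toplevel)/$signers" ;;
    esac
    [ -r "$signers" ] || { echo "allowed-signers-unreadable"; return 0; }

    # user.signingkey is a literal key ("key::ssh-..." or "ssh-...") or a key file path.
    key=$(git -C "$repo" config --type=path --get user.signingkey || true)
    case $key in
        "") echo "no-signing-key"; return 0 ;;
        key::*) pub=${key#key::} ;;
        ssh-*) pub=$key ;;
        *)
            [ -r "$key.pub" ] && key="$key.pub"
            [ -r "$key" ] || { echo "signing-key-unreadable"; return 0; }
            pub=$(cat "$key") ;;
    esac

    # Field 2 of a public key line is the base64 blob; look for it on a
    # non-comment line of the allowed signers file.
    blob=$(printf '%s\n' "$pub" | awk '{ print $2; exit }')
    if [ -n "$blob" ] && grep -v '^#' "$signers" | grep -qF -- "$blob"; then
        echo "own-key-trusted"
    else
        echo "own-key-not-in-allowed-signers"
    fi
}

# Run against a repository path when one is given on the command line.
if [ "$#" -gt 0 ]; then ssh_sig_status "$1"; fi
```

The last check only covers the user's own key; commits signed by other people verify only if their keys are in the allowed signers file as well.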

MikeJCusack commented 7 months ago

For me this issue is occurring with build 2091. I am just evaluating so it is unregistered. When I hover over invalid I see `error: cannot run gpg: No such file or directory`. The repo is set to use ssh. I do not have gpg installed because I don't use it for anything. The allowed signers file is properly set. Signing is correctly verified via `git log --show-signature`.

MikeJCusack commented 7 months ago

I was able to get this working by adding `export SSH_AUTH_SOCK=~/Library/Group\ Containers/2BUA8C4S2C.com.1password/t/agent.sock` to my .zshenv.