Support configurable gpg.<format>.programs
#92
Comments
jsoo1
changed the title
gpg.<format>.programsgpg.<format>.programs
|
Note that EGit has implemented calling an external gpg/gpgsm. See package org.eclipse.egit.core.internal.signing. Some of that could be moved to JGit, but JGit will have to provide suitable means to customize calling the external program. For instance, when calling gpg from Eclipse, we must make sure that certain environment variables are not set (to ensure that gpg doesn't try to use a terminal for asking for passphrases). The same problem will also exist for SSH signatures if done via calling ssh-keygen: if called from Eclipse, prompts must not happen in a terminal but in a dialog. SSH signatures can be done fully in Java, though, with no loss of functionality and no problems finding keys. I am currently in the process of implementing exactly that (signing is easy, verifying signatures is complicated). |
Ok I looked at the EGit implementation and I'm a bit confused. The docs for the
But the egit version also adds Second, the egit version does not use the exit code to determine if verification failed (which is all it should do): https://github.com/eclipse-egit/egit/blob/e0f8ba40a4b346cfa00d229cd69bc71d2c428548/org.eclipse.egit.core/src/org/eclipse/egit/core/internal/signing/ExternalGpgSignatureVerifier.java#L176 Third the egit version adds too many flags to the signer: https://github.com/eclipse-egit/egit/blob/e0f8ba40a4b346cfa00d229cd69bc71d2c428548/org.eclipse.egit.core/src/org/eclipse/egit/core/internal/signing/ExternalGpgSigner.java#L110 (it should only do what the config says it does). Are these because the docs are wrong, git needs fixing or egit needs fixing?
Could you elaborate on why inheriting the environ of the calling process won't be sufficient? I would think that the correct place to handle environ would be in the calling process. |
You mean Besides, take a look a the C git code:
C git also passes these
This is wrong. EGit does consider the exit code of the program called; see https://github.com/eclipse-egit/egit/blob/e0f8ba40/org.eclipse.egit.core/src/org/eclipse/egit/core/internal/signing/ExternalProcessRunner.java#L69 .
No, it doesn't. This is
Perhaps the C git documentation could be fixed to say more clearly what exactly is expected of a custom
Because the calling process may have these environment variables set. For instance, when you start Eclipse from a terminal. In the terminal, these environment variables might make gpg prompt inside the terminal. Eclipse will inherit these variables, but when gpg is called from Eclipse, you'll want the gpg prompt to use a dialog. If gpg prompts within the terminal, the user may not even see the prompt and wonder why Eclipse or EGit "hangs". Therefore EGit unsets these variables for the child process.
Exactly. And the calling process is the one executing the EGit code, hence EGit takes care to unset these variables so that the child process executing gpg gets the correct environment. |
|
Sorry for the initial frustrated tone. As I looked into how things actually work I got increasingly disappointed and I understood more the reasons the egit version does it the way it does.
Thanks for the correction, yes I meant
I see, so the
I understand that sentiment. I think this is my only real concern here. I mentioned the other two issues for x509 and ssh sigs because I would like to give the user maximum flexibility to implement their own sig/verify infrastructure. Any additional requirements {j,e,c}git like requiring a Again I understand why it was done this way but I want to explore the benefit of requiring less of the
The docs gave me the strong impression that those were the only requirements. I'll follow up on the list about that. The colons output, for instance, is not mentioned.
Glad we agree, here :) - I was curious if there was a footgun I need to avoid, in particular. (I'm not a |
|
EGit does things a bit a differently, mainly because it is intended for a program with a graphical UI. We want to have a The other options for signing that differ from C git (like A port to the JGit library also would not need to fiddle with the environment like EGit does, but JGit would need to provide means such that EGit could customize the environment the way it does. We really need to avoid gpg prompting in a terminal when calling it from a graphical UI application like Eclipse. Here's an idea, though: perhaps most of the EGit specifics can be avoided in Java if EGit has its own wrapper script around whatever gpg.program is configured, and tweaks the GpgConfig such that this script is called, so JGit might in the end not need to be configurable in that respect. But to work in EGit, the called program would of course still need to support these extra arguments. And EGit would need to have at least two such scripts (a shell script for Unix/Linux/Mac OS, and something for Windows), and they'd need to be portable across OS versions (and shells; cannot assume bash).
|
Do you think the
+1
I don't think I really know enough about the design goals of Eclipse/EGit to say what the ideal design would be. That said I would think the goal of being able to specify a program for sign/verify is to allow the user freedom to configure it themselves. Does Eclipse offer a way to do that at the moment? If not, I think that would be the direction I would take a IDE of my design. But again I don't fully understand the EGit design values. Could you live with EGit shipping a wrapper or allowing the user to configure it? It seems to me that JGit should either try to a) improve on cgit or b) emulate cgit as closely as possible to avoid surprise.
If emulating cgit is the desire, it sure seems so. Oof. |
I don't think so. How exactly it is implemented is an implementation detail of individual signers. EGit has no way of knowing how the BouncyCastle GPG bundle locates keys.
EGit uses either the program defined in the git config, or the one defined in the EGit preferences.
Wrapper scripts would be a significant development effort, especially for Windows. But it might be a possibility. It was just an idea; if calling a program is implemented in JGit, I would expect the implementation in EGit to be changed/updated accordingly to make use of the new JGit functionality. Then we'll see whether a wrapper script is really a good idea. |
Description
openssl,gpgandssh-keygenare only the default signing/verifying programs in git. jgit could provide a lot of flexibility by allowing the user to specify the sign/verify programs themselves by honoring the existinggpg.<format>.programconfiguration option: https://git-scm.com/docs/git-config#Documentation/git-config.txt-gpgltformatgtprogramGitsign, for example, uses a
gpg.x509.programconfiguration to sign.Motivation
There are open issues for S/MIME (#49) and ssh (#44) support. Allowing the user to specify an external program would provide that flexibility (so long as
gpg.formatwas honored).Moreover the current arrangement does not allow much in the way of customizing the trust database - a separate program can provide the functionality of only trusting some set of keys or some keyserver (or other more elaborate configuration).
Alternatives considered
Not many, frankly. I just know that the current bouncycastle implementation will not work for our signature verification.
Additional context
I would be happy to pick up work on this if there is any interest and no one else is already doing it.
The text was updated successfully, but these errors were encountered: