nix/2.home-manager
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 1

git: support alternate signing methods (#5516)

Browse source 
The Git module now supports SSH and X.509 signing in addition to
OpenPGP/GnuPG, via setting the `programs.git.signing.format` option.
It defaults to `openpgp` for now as a backwards compatibility measure,
but I feel like we shouldn't enforce GPG as the default on everyone,
especially for people who use SSH signing like me.

Accordingly, `programs.git.signing.gpgPath` has been renamed to
`programs.git.signing.signer`, as now the signer binary is not
restricted to GnuPG. Users should only get a warning and everything
should continue to work.

Fixes #4221, supersedes #4235

Co-authored-by: Mario Rodas <marsam@users.noreply.github.com>
Co-authored-by: Sumner Evans <me@sumnerevans.com>
Co-authored-by: Leah Amelia Chen <hi@pluie.me>
This commit is contained in:
Sizhe Zhao 2025-02-15 02:47:27 +08:00 committed by GitHub
parent 5031c6d297
commit 7da01bc47a
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
19 changed files with 201 additions and 45 deletions
Download patch file Download diff file Expand all files Collapse all files

1
tests/modules/programs/git/default.nix
View file

@ -3,6 +3,7 @@
git-with-most-options = ./git.nix;
git-with-msmtp = ./git-with-msmtp.nix;
git-with-str-extra-config = ./git-with-str-extra-config.nix;
git-with-signing-key-id-legacy = ./git-with-signing-key-id-legacy.nix;
git-with-signing-key-id = ./git-with-signing-key-id.nix;
git-without-signing-key-id = ./git-without-signing-key-id.nix;
git-with-hooks = ./git-with-hooks.nix;

3
tests/modules/programs/git/git-expected.conf
View file

@ -38,6 +38,9 @@
smudge = "git-lfs smudge -- %f"
[gpg]
format = "openpgp"
[gpg "openpgp"]
program = "path-to-gpg"
[interactive]

12
tests/modules/programs/git/git-with-email-expected.conf
View file

@ -1,3 +1,12 @@
[commit]
gpgSign = false
[gpg]
format = "openpgp"
[gpg "openpgp"]
program = "path-to-gpg"
[sendemail "hm-account"]
from = "H. M. Test Jr. <hm@example.org>"
smtpEncryption = "tls"
@ -12,6 +21,9 @@
smtpSslCertPath = "/etc/ssl/certs/ca-certificates.crt"
smtpUser = "home.manager"
[tag]
gpgSign = false
[user]
email = "hm@example.com"
name = "H. M. Test"

1
tests/modules/programs/git/git-with-email.nix
View file

@ -8,6 +8,7 @@
programs.git = {
enable = true;
signing.signer = "path-to-gpg";
userEmail = "hm@example.com";
userName = "H. M. Test";
};

12
tests/modules/programs/git/git-with-msmtp-expected.conf
View file

@ -1,3 +1,12 @@
[commit]
gpgSign = false
[gpg]
format = "openpgp"
[gpg "openpgp"]
program = "path-to-gpg"
[sendemail "hm-account"]
from = "H. M. Test Jr. <hm@example.org>"
smtpEncryption = "tls"
@ -10,6 +19,9 @@
from = "H. M. Test <hm@example.com>"
smtpServer = "@msmtp@/bin/msmtp"
[tag]
gpgSign = false
[user]
email = "hm@example.com"
name = "H. M. Test"

1
tests/modules/programs/git/git-with-msmtp.nix
View file

@ -7,6 +7,7 @@
programs.git = {
enable = true;
signing.signer = "path-to-gpg";
userEmail = "hm@example.com";
userName = "H. M. Test";
};

7
tests/modules/programs/git/git-with-signing-key-id-expected.conf
View file

@ -2,7 +2,10 @@
gpgSign = true
[gpg]
program = "path-to-gpg"
format = "ssh"
[gpg "ssh"]
program = "path-to-ssh"
[tag]
gpgSign = true
@ -10,4 +13,4 @@
[user]
email = "user@example.org"
name = "John Doe"
signingKey = "00112233445566778899AABBCCDDEEFF"
signingKey = "ssh-ed25519 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"

16
tests/modules/programs/git/git-with-signing-key-id-legacy-expected.conf Normal file
View file

@ -0,0 +1,16 @@
[commit]
gpgSign = true
[gpg]
format = "openpgp"
[gpg "openpgp"]
program = "path-to-gpg"
[tag]
gpgSign = true
[user]
email = "user@example.org"
name = "John Doe"
signingKey = "00112233445566778899AABBCCDDEEFF"

28
tests/modules/programs/git/git-with-signing-key-id-legacy.nix Normal file
View file

@ -0,0 +1,28 @@
{ lib, options, ... }: {
config = {
programs.git = {
enable = true;
userName = "John Doe";
userEmail = "user@example.org";
signing = {
gpgPath = "path-to-gpg";
key = "00112233445566778899AABBCCDDEEFF";
signByDefault = true;
};
};
test.asserts.warnings.expected = [
"The option `programs.git.signing.gpgPath' defined in ${
lib.showFiles options.programs.git.signing.gpgPath.files
} has been renamed to `programs.git.signing.signer'."
];
nmt.script = ''
assertFileExists home-files/.config/git/config
assertFileContent home-files/.config/git/config ${
./git-with-signing-key-id-legacy-expected.conf
}
'';
};
}

6
tests/modules/programs/git/git-with-signing-key-id.nix
View file

@ -5,8 +5,10 @@
userEmail = "user@example.org";
signing = {
gpgPath = "path-to-gpg";
key = "00112233445566778899AABBCCDDEEFF";
signer = "path-to-ssh";
format = "ssh";
key =
"ssh-ed25519 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
signByDefault = true;
};
};

12
tests/modules/programs/git/git-with-str-extra-config-expected.conf
View file

@ -1,5 +1,17 @@
This can be anything.
[commit]
gpgSign = false
[gpg]
format = "openpgp"
[gpg "openpgp"]
program = "path-to-gpg"
[tag]
gpgSign = false
[user]
email = "user@example.org"
name = "John Doe"

1
tests/modules/programs/git/git-with-str-extra-config.nix
View file

@ -1,6 +1,7 @@
{
programs.git = {
enable = true;
signing.signer = "path-to-gpg";
extraConfig = ''
This can be anything.
'';

3
tests/modules/programs/git/git-without-signing-key-id-expected.conf
View file

@ -2,6 +2,9 @@
gpgSign = true
[gpg]
format = "openpgp"
[gpg "openpgp"]
program = "path-to-gpg"
[tag]

2
tests/modules/programs/git/git-without-signing-key-id.nix
View file

@ -5,7 +5,7 @@
userEmail = "user@example.org";
signing = {
gpgPath = "path-to-gpg";
signer = "path-to-gpg";
key = null;
signByDefault = true;
};

3
tests/modules/programs/git/git.nix
View file

@ -52,7 +52,8 @@ in {
}
];
signing = {
gpgPath = "path-to-gpg";
signer = "path-to-gpg";
format = "openpgp";
key = "00112233445566778899AABBCCDDEEFF";
signByDefault = true;
};