Enable, configure and optionally trust a GPG key for signing git commits
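#!/bin/bash
#
# SPDX-License-Identifier: MIT
# Copyright © 2022 Apolo Pena
#
# gitpod_gpg.sh
# Description:
# Enable, configure and optionally trust a GPG key for signing git commits
#
# Notes:
# This script should be run as a before task in .gitpod.yml so the settings are written upon workspace creation
# and workspace restart. Writes to ~/.gnupg/gpg.conf are idempotent, so re-running on restart does not
# duplicate configuration lines.
# Example implementation in .gitpod.yml
# tasks:
# - before: bash gitpod_gpg.sh
#
# Setting the following environment variables in your Gitpod settings dashboard
# will have the following results:
# GPG_KEY_ID (required): The ID of the GPG key you want to use to sign your git commits
# GPG_KEY (required): Base64 encoded private GPG key that corresponds to your GPG_KEY_ID
# GPG_MATCH_GIT_TO_EMAIL (optional): Sets your git user.email in ~/.gitconfig to the value provided
# GPG_AUTO_ULTIMATE_TRUST (optional): If the value is set to yes or YES then your GPG_KEY will be automatically ultimately trusted.
#
# GPG_KEY is a private key: it is only ever passed to gpg via a process substitution (never as an argument),
# so it does not show up in `ps`. Do not run this script with `set -x`, which would trace its value.
# All diagnostics go to stderr; only SUCCESS lines go to stdout.

#######################################
# Print an error line to stderr.
# Arguments: $* - message text
#######################################
err() {
  printf 'ERROR: %s\n' "$*" >&2
}

#######################################
# Print a success line to stdout.
# Arguments: $* - message text
#######################################
ok() {
  printf 'SUCCESS: %s\n' "$*"
}

#######################################
# Case-insensitive test for the literal value "yes".
# Arguments: $1 - value of a yes/no directive (may be empty or unset)
# Returns:   0 if the value is "yes" in any letter case, 1 otherwise
#######################################
is_yes() {
  [[ ${1:-} == [yY][eE][sS] ]]
}

#######################################
# Normalise a key id for use on a gpg.conf `trusted-key` line.
# Accepts 8 to 40 hex digits with an optional 0x prefix. Anything else is
# rejected so that a typo in GPG_KEY_ID cannot corrupt gpg.conf and break
# every later gpg invocation.
# Arguments: $1 - key id or fingerprint
# Outputs:   the bare hex id (prefix stripped) on stdout
# Returns:   0 if valid, 1 if not (nothing printed)
#######################################
normalize_key_id() {
  local id=${1:-}
  id=${id#0x}
  id=${id#0X}
  [[ $id =~ ^[0-9A-Fa-f]{8,40}$ ]] || return 1
  printf '%s\n' "$id"
}

#######################################
# Append a line to a file unless an identical line is already present.
# Arguments: $1 - file path, $2 - exact line (no trailing newline)
# Returns:   0 on success or when the line already exists, non-zero on write failure
#######################################
append_line_once() {
  local file=$1 line=$2
  if [[ -f "$file" ]] && grep -qxF -- "$line" "$file"; then
    return 0
  fi
  printf '%s\n' "$line" >> "$file"
}

#######################################
# Prepend a line to a file unless an identical line is already present.
# The new content is written to a temp file in the same directory and moved
# into place, so a failure mid-write never leaves a truncated gpg.conf.
# Arguments: $1 - file path, $2 - exact line (no trailing newline)
# Returns:   0 on success or when the line already exists, non-zero on failure
#######################################
prepend_line_once() {
  local file=$1 line=$2 tmp
  if [[ -f "$file" ]] && grep -qxF -- "$line" "$file"; then
    return 0
  fi
  tmp=$(mktemp "${file}.XXXXXX") || return 1
  {
    printf '%s\n' "$line"
    if [[ -f "$file" ]]; then
      cat -- "$file"
    fi
  } > "$tmp" && mv -f -- "$tmp" "$file" || {
    rm -f -- "$tmp"
    return 1
  }
}

#######################################
# Entry point: validate the GPG_* environment, import the key, configure git
# signing, optionally set user.email and optionally ultimately trust the key.
# Globals:   GPG_KEY, GPG_KEY_ID, GPG_MATCH_GIT_TO_EMAIL, GPG_AUTO_ULTIMATE_TRUST (read), HOME (read)
# Outputs:   SUCCESS lines on stdout, ERROR lines on stderr
# Returns:   0 when nothing is configured or everything succeeded,
#            1 when key import / git signing setup failed
#######################################
main() {
  local key=${GPG_KEY:-} key_id=${GPG_KEY_ID:-}
  local suffix="Git commits will not be signed."

  # Error handling for improper use of GPG environment variables
  if [[ -n $key && -z $key_id ]]; then
    err "A GPG_KEY was found but it's corresponding GPG_KEY_ID was not. $suffix"
    return 0
  fi
  if [[ -n $key_id && -z $key ]]; then
    err "A GPG_KEY_ID was found but it's corresponding GPG_KEY was not. $suffix"
    return 0
  fi
  # Neither variable set: nothing to do.
  [[ -n $key && -n $key_id ]] || return 0

  local gpg_conf_path="$HOME/.gnupg/gpg.conf"
  local msg="Enabling Git commit signing for GPG key id: $key_id"

  # gpg --import creates ~/.gnupg if needed, so gpg.conf can be written afterwards.
  # NOTE(review): commit.gpgsign is set without --global, i.e. for the repo in the
  # current directory only (as in the original); it fails if cwd is not a git repo.
  if gpg -q --batch --import <(printf '%s' "$key" | base64 -d) &&
    append_line_once "$gpg_conf_path" 'pinentry-mode loopback' &&
    git config --global user.signingkey "$key_id" &&
    git config commit.gpgsign true; then
    ok "$msg"
  else
    err "$msg"
    return 1
  fi

  # Change the git email if the user needs it (ensures the commit is marked as 'Verified')
  local email=${GPG_MATCH_GIT_TO_EMAIL:-}
  if [[ -n $email ]]; then
    msg="Setting user.email in ~/.gitconfig to $email"
    if git config --global user.email "$email"; then
      ok "$msg"
    else
      err "$msg"
    fi
  fi

  # Ultimately trust the key when the directive is "yes" in any letter case
  if is_yes "${GPG_AUTO_ULTIMATE_TRUST:-}"; then
    msg="Automagically giving ultimate trust to GPG_KEY_ID: $key_id"
    local hex_id
    if ! hex_id=$(normalize_key_id "$key_id"); then
      err "$msg (GPG_KEY_ID is not a hex key id or fingerprint; not writing trusted-key to $gpg_conf_path)"
    # Prepend the key id as a trusted hex and update the local database with a silent arbitrary gpg call
    elif prepend_line_once "$gpg_conf_path" "trusted-key 0x$hex_id" &&
      gpg --list-keys > /dev/null 2>&1; then
      ok "$msg"
    else
      err "$msg"
    fi
  fi
}

main "$@"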