feat: add git-commit-signing module (#94)

* feat: add git-commit-signing module * feat(git-commit-signing): check for git and jq * fix(git-commit-signing): only use icon once * fix(git-commit-signing): fix typo in README Co-authored-by: Muhammad Atif Ali <matifali@live.com> * bun fmt * chore: clarify readme SSH key paragraph * fix: add `curl` as dependency * feat: download keys to ~/.ssh/git-commit-signing * feat: add conflict disclaimer --------- Co-authored-by: Muhammad Atif Ali <matifali@live.com> Co-authored-by: Atif Ali <atif@coder.com>
2 years ago · 4dc9eae9c9
parent e2f4fcba4a
commit 4dc9eae9c9
3 changed files with 90 additions and 0 deletions
--- a/git-commit-signing/README.md
+++ b/git-commit-signing/README.md
@ -0,0 +1,24 @@
+---
+display_name: Git commit signing
+description: Configures Git to sign commits using your Coder SSH key
+icon: ../.icons/git.svg
+maintainer_github: phorcys420
+verified: false
+tags: [helper, git]
+---
+
+# git-commit-signing
+
+This module downloads your SSH key from Coder and uses it to sign commits with Git.
+It requires `curl` and `jq` to be installed inside your workspace.
+
+Please observe that using the SSH key that's part of your Coder account for commit signing, means that in the event of a breach of your Coder account, or a malicious admin, someone could perform commit signing pretending to be you.
+
+This module has a chance of conflicting with the user's dotfiles / the personalize module if one of those has configuration directives that overwrite this module's / each other's git configuration.
+
+```hcl
+module "git-commit-signing" {
+    source = "https://registry.coder.com/modules/git-commit-signing"
+    agent_id = coder_agent.example.id
+}
+```
--- a/git-commit-signing/main.tf
+++ b/git-commit-signing/main.tf
@ -0,0 +1,25 @@
+terraform {
+  required_version = ">= 1.0"
+
+  required_providers {
+    coder = {
+      source  = "coder/coder"
+      version = ">= 0.12"
+    }
+  }
+}
+
+variable "agent_id" {
+  type        = string
+  description = "The ID of a Coder agent."
+}
+
+resource "coder_script" "git-commit-signing" {
+  display_name = "Git commit signing"
+  icon         = "https://raw.githubusercontent.com/coder/modules/main/.icons/git.svg"
+
+  script       = file("${path.module}/run.sh")
+  run_on_start = true
+
+  agent_id = var.agent_id
+}
--- a/git-commit-signing/run.sh
+++ b/git-commit-signing/run.sh
@ -0,0 +1,41 @@
+#!/usr/bin/env sh
+
+if ! command -v git > /dev/null; then
+        echo "git is not installed"
+        exit 1
+fi
+
+if ! command -v curl > /dev/null; then
+        echo "curl is not installed"
+        exit 1
+fi
+
+if ! command -v jq > /dev/null; then
+        echo "jq is not installed"
+        exit 1
+fi
+
+mkdir -p ~/.ssh/git-commit-signing
+
+echo "Downloading SSH key"
+
+ssh_key=$(curl --request GET \
+        --url "${CODER_AGENT_URL}api/v2/workspaceagents/me/gitsshkey" \
+        --header "Coder-Session-Token: ${CODER_AGENT_TOKEN}")
+
+jq --raw-output ".public_key" > ~/.ssh/git-commit-signing/coder.pub <<EOF
+$ssh_key
+EOF
+
+jq --raw-output ".private_key" > ~/.ssh/git-commit-signing/coder <<EOF
+$ssh_key
+EOF
+
+chmod -R 400 ~/.ssh/git-commit-signing/coder
+chmod -R 400 ~/.ssh/git-commit-signing/coder.pub
+
+echo "Configuring git to use the SSH key"
+
+git config --global gpg.format ssh
+git config --global commit.gpgsign true
+git config --global user.signingkey ~/.ssh/git-commit-signing/coder