From 8f32c34eb5ce70018098ad3ba518837025557e94 Mon Sep 17 00:00:00 2001
From: Phorcys <57866459+phorcys420@users.noreply.github.com>
Date: Fri, 20 Oct 2023 13:16:00 +0000
Subject: [PATCH] feat: add git-commit-signing module
---
 git-commit-signing/README.md | 23 +++++++++++++++++++++++
 git-commit-signing/main.tf | 29 +++++++++++++++++++++++++++++
 git-commit-signing/run.sh | 26 ++++++++++++++++++++++++++
 3 files changed, 78 insertions(+)
 create mode 100644 git-commit-signing/README.md
 create mode 100644 git-commit-signing/main.tf
 create mode 100755 git-commit-signing/run.sh
diff --git a/git-commit-signing/README.md b/git-commit-signing/README.md
new file mode 100644
index 0000000..363531a
--- /dev/null
+++ b/git-commit-signing/README.md
@@ -0,0 +1,23 @@
+---
+display_name: Git commit signing
+description: Configures Git to sign commits using your Coder SSH key
+icon: ../.icons/git.svg
+maintainer_github: phorcys420
+verified: false
+tags: [helper, git]
+---
+
+# git-commit-signing
+
+This module downloads your SSH key from Coder and uses it to sign commits with Git.
+It requires `jq` to be installed inside your workspace.
+
+This is not recommended if your workspace can be accessed by other/unwanted people, in the case an administrator account on your Coder account gets breached, the attacker could gain access to your workspace and sign commits on your behalf (since the key is stored in the worksace).
+If your Coder account gets breached, the SSH key could also be used on your behalf.
+
+```hcl
+module "git-commit-signing" {
+ source = "https://registry.coder.com/modules/git-commit-signing"
+ agent_id = coder_agent.example.id
+}
+```
diff --git a/git-commit-signing/main.tf b/git-commit-signing/main.tf
new file mode 100644
index 0000000..cab2d01
--- /dev/null
+++ b/git-commit-signing/main.tf
@@ -0,0 +1,29 @@
+terraform {
+ required_version = ">= 1.0"
+
+ required_providers {
+ coder = {
+ source = "coder/coder"
+ version = ">= 0.12"
+ }
+ }
+}
+
+locals {
+ icon_url = "https://raw.githubusercontent.com/coder/modules/main/.icons/git.svg"
+}
+
+variable "agent_id" {
+ type = string
+ description = "The ID of a Coder agent."
+}
+
+resource "coder_script" "git-commit-signing" {
+ display_name = "Git commit signing"
+ icon = local.icon_url
+
+ script = file("${path.module}/run.sh")
+ run_on_start = true
+
+ agent_id = var.agent_id
+}
diff --git a/git-commit-signing/run.sh b/git-commit-signing/run.sh
new file mode 100755
index 0000000..888ed0b
--- /dev/null
+++ b/git-commit-signing/run.sh
@@ -0,0 +1,26 @@
+#!/usr/bin/env sh
+
+mkdir -p ~/.ssh
+
+echo "Downloading SSH key"
+
+ssh_key=$(curl --request GET \
+ --url "${CODER_AGENT_URL}api/v2/workspaceagents/me/gitsshkey" \
+ --header "Coder-Session-Token: ${CODER_AGENT_TOKEN}")
+
+jq --raw-output ".public_key" > ~/.ssh/coder.pub < ~/.ssh/coder <
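Review bot: The `coder_script` resource in main.tf carries no comment saying what `run.sh` does to the workspace, even though the README warns that the module places a signing key inside it; a one-line comment above `script = file("${path.module}/run.sh")` such as `# run.sh fetches this agent's Git SSH key from the agent API and writes it under ~/.ssh; run_on_start re-runs it on every workspace start` would make the key handling visible to anyone reading the module rather than the README. The `local.icon_url` also points at the raw `main` branch of coder/modules while the README frontmatter uses the repo-relative `../.icons/git.svg`, so the two can drift if the icon moves; deriving both from the same path would avoid that. The run.sh hunk is cut off at the end of this page, so the lines that write the private key were not reviewed here.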