feat: add git-commit-signing module (coder#94)

phorcys420 · matifali · web-flow · commit 4dc9eae9c9f5 · 2023-11-03T20:42:45.000+03:00
* feat: add git-commit-signing module

* feat(git-commit-signing): check for git and jq

* fix(git-commit-signing): only use icon once

* fix(git-commit-signing): fix typo in README

Co-authored-by: Muhammad Atif Ali &lt;matifali@live.com&gt;

* bun fmt

* chore: clarify readme SSH key paragraph

* fix: add `curl` as dependency

* feat: download keys to ~/.ssh/git-commit-signing

* feat: add conflict disclaimer

---------

Co-authored-by: Muhammad Atif Ali &lt;matifali@live.com&gt;
Co-authored-by: Atif Ali &lt;atif@coder.com&gt;
diff --git a/git-commit-signing/README.md b/git-commit-signing/README.md
@@ -0,0 +1,24 @@
+---
+display_name: Git commit signing
+description: Configures Git to sign commits using your Coder SSH key
+icon: ../.icons/git.svg
+maintainer_github: phorcys420
+verified: false
+tags: [helper, git]
+---
+
+# git-commit-signing
+
+This module downloads your SSH key from Coder and uses it to sign commits with Git.
+It requires `curl` and `jq` to be installed inside your workspace.
+
+Please observe that using the SSH key that's part of your Coder account for commit signing, means that in the event of a breach of your Coder account, or a malicious admin, someone could perform commit signing pretending to be you.
+
+This module has a chance of conflicting with the user's dotfiles / the personalize module if one of those has configuration directives that overwrite this module's / each other's git configuration.
+
+```hcl
+module "git-commit-signing" {
+    source = "https://registry.coder.com/modules/git-commit-signing"
+    agent_id = coder_agent.example.id
+}
+```
diff --git a/git-commit-signing/main.tf b/git-commit-signing/main.tf
@@ -0,0 +1,25 @@
+terraform {
+  required_version = ">= 1.0"
+
+  required_providers {
+    coder = {
+      source  = "coder/coder"
+      version = ">= 0.12"
+    }
+  }
+}
+
+variable "agent_id" {
+  type        = string
+  description = "The ID of a Coder agent."
+}
+
+resource "coder_script" "git-commit-signing" {
+  display_name = "Git commit signing"
+  icon         = "https://raw.githubusercontent.com/coder/modules/main/.icons/git.svg"
+
+  script       = file("${path.module}/run.sh")
+  run_on_start = true
+
+  agent_id = var.agent_id
+}
diff --git a/git-commit-signing/run.sh b/git-commit-signing/run.sh
@@ -0,0 +1,41 @@
+#!/usr/bin/env sh
+
+if ! command -v git > /dev/null; then
+        echo "git is not installed"
+        exit 1
+fi
+
+if ! command -v curl > /dev/null; then
+        echo "curl is not installed"
+        exit 1
+fi
+
+if ! command -v jq > /dev/null; then
+        echo "jq is not installed"
+        exit 1
+fi
+
+mkdir -p ~/.ssh/git-commit-signing
+
+echo "Downloading SSH key"
+
+ssh_key=$(curl --request GET \
+        --url "${CODER_AGENT_URL}api/v2/workspaceagents/me/gitsshkey" \
+        --header "Coder-Session-Token: ${CODER_AGENT_TOKEN}")
+
+jq --raw-output ".public_key" > ~/.ssh/git-commit-signing/coder.pub <<EOF
+$ssh_key
+EOF
+
+jq --raw-output ".private_key" > ~/.ssh/git-commit-signing/coder <<EOF
+$ssh_key
+EOF
+
+chmod -R 400 ~/.ssh/git-commit-signing/coder
+chmod -R 400 ~/.ssh/git-commit-signing/coder.pub
+
+echo "Configuring git to use the SSH key"
+
+git config --global gpg.format ssh
+git config --global commit.gpgsign true
+git config --global user.signingkey ~/.ssh/git-commit-signing/coder
