Git commit signing

[metcalfc]

Is your feature request related to a problem? Please describe.
An increasing number of projects are requiring verified / signed commits. https://docs.github.com/en/authentication/managing-commit-signature-verification/signing-commits

For GitHub there are two general approaches to commit signing:

• Sign with SSH key
• Sign with GPG key

SSH agent forwarding can be part of the solution here (both ssh and gpg can be forwarded over ssh). There is also changes that need to be made with the .gitconfig (gpg/ssh)

This is certainly advanced but its needed for these projects which are becoming more common.

Describe the solution you'd like

I think this is part of a larger re-envisioning of git credentials. In the Daytona config (global, profile, etc). I should be able to say, I want to use ssh or oauth. In a commercial setting, ops is likely to want to mandate you have to use ssh or oauth. If I choose ssh, do I also want to setup for signed commits, great plumb that through all the way. SSH agent forward, gitconfig with the right settings, etc. Similarly, do I have gpg and do I want to forward it? Plumb that through.

This is related to #369.

Describe alternatives you've considered

This is also related to Yubikey support. Yubikeys can act as ssh/gpg hardware which could add complexity (or perhaps that is solved by general ssh forwarding). Someone would need to do more research.

[Tpuljak]

@metcalfc these are all valid points.

As we fixed agent forwarding in v0.11.0, you can help us out by trying to set up SSH key signing in one of your projects.

We can definitely include some sort of options for the user to configure that automatically.

I would suggest keeping this issue as a discussion issue for both SSH and GPG signing and then opening separate implementation issues once we gather enough info.

[idagelic]

/bounty $100

[algora-pbc]

💎 $100 bounty • Daytona

Steps to solve:

1. Start working: Comment /attempt #370 with your implementation plan
2. Submit work: Create a pull request including /claim #370 in the PR body to claim the bounty
3. Receive payment: 100% of the bounty is received 2-5 days post-reward. Make sure you are eligible for payouts

If no one is assigned to the issue, feel free to tackle it, without confirmation from us, after registering your attempt. In the event that multiple PRs are made from different people, we will generally accept those with the cleanest code.

Please respect others by working on PRs that you are allowed to submit attempts to.

e.g. If you reached the limit of active attempts, please wait for the ability to do so before submitting a new PR.

If you can not submit an attempt, you will not receive your payout.

Thank you for contributing to daytonaio/daytona!

Add a bounty • Share on socials

Attempt	Started (GMT+0)	Solution
🟢 @swaingotnochill	Jul 21, 2024, 8:56:44 PM	WIP
🟢 @onyedikachi-david	Aug 9, 2024, 4:49:04 PM	WIP

[swaingotnochill]

/attempt #370

Options

• Cancel my attempt

[hanshal101]

hey there is this issue still open?

[idagelic]

@hanshal101 Yes, the issue and the bounty are both open

[onyedikachi-david]

/attempt #370

Algora profile	Completed bounties	Tech	Active attempts	Options
@onyedikachi-david	5 bounties from 2 projects	JavaScript, Shell	﹟777	Cancel attempt