{"id":18003336,"url":"https://github.com/woss/git-gpg-remote-sign","last_synced_at":"2025-07-27T04:39:43.718Z","repository":{"id":43358162,"uuid":"455988545","full_name":"woss/git-gpg-remote-sign","owner":"woss","description":"Use remote server for signing the git commits with GPG and substrate keys. ","archived":false,"fork":false,"pushed_at":"2022-03-07T09:50:59.000Z","size":359,"stargazers_count":5,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-03-21T12:54:21.840Z","etag":null,"topics":["git","gpg","pgp","remote","signing","substrate","web3"],"latest_commit_sha":null,"homepage":"","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/woss.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2022-02-05T21:21:55.000Z","updated_at":"2023-04-04T14:59:46.000Z","dependencies_parsed_at":"2022-09-18T03:31:15.134Z","dependency_job_id":null,"html_url":"https://github.com/woss/git-gpg-remote-sign","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/woss%2Fgit-gpg-remote-sign","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/woss%2Fgit-gpg-remote-sign/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/woss%2Fgit-gpg-remote-sign/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/woss%2Fgit-gpg-remote-sign/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/woss","download_url":"https://codeload.github.com/woss/git-gpg-remote-s
ign/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":245618777,"owners_count":20645066,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["git","gpg","pgp","remote","signing","substrate","web3"],"created_at":"2024-10-29T23:26:24.331Z","updated_at":"2025-03-26T08:31:24.666Z","avatar_url":"https://github.com/woss.png","language":"TypeScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Remote GPG sign, mainly for git\n\n**DISCLAIMER**\n\nTHIS IS A PROOF OF CONCEPT. USE AT YOUR OWN RISK :)\n\n**DISCLAIMER**\n\n## Questions:\n\n\u003e Are my keys secure?\n\nThat depends on whether your server is secure.\n\n\u003e Do you (woss) host my keys?\n\nNope, I don't host your keys or the server; you should do it yourself.\n\n\u003e Any other questions? Ask on https://twitter.com/woss_io\n\n---\n\n### Run the server\n\n\n1. Copy the sample env file (`cp env.sample .env`) and edit it\n2. Change the `APPROVED_API_KEY` key to something unique; it doesn't need to be a UUIDv4. There is no limit on the length or format, but I suggest no spaces or line breaks\n3. You **MUST** provide the keys (for now, since it is a PoC) as a mount at the `/keys` path, or you can mount them in a different place by setting the `WOSS_REMOTE_SIGNER_SERVER_ABS_KEYS_PATH` variable\n\t1. In the mounted `keys` volume, two files are important: `passphrase` and `private.key`\n4. 
The following is the `docker-compose.yml` file, which will spin up the signing repo\n\n```yaml\nversion: \"3\"\nservices:\n  server:\n    image: woss/remote-signer-server\n    env_file: ./.env\n    volumes:\n      - ./keys:/keys\n    ports:\n      - 3000:3000\n```\n\nThe key, once retrieved, is cached in `~/.cache/remote-signer/FINGERPRINT.asc` and used later. If you didn't broadcast your public key (I have no idea why you would do that), you can create a file with the armored content.\n\n\nExpose the port as you see fit; it must be `3000` internally.\n\n### Get the signer\n\nModify this to suit your needs:\n\n```\nsudo sh -c 'curl https://ipfs.anagolay.network/ipfs/bafybeigcptua5ztgeydvokh6tsz7noz2cvfd2boxfbolbdgdm7wsajcuom \u003e /usr/local/bin/remote_signer \u0026\u0026 chmod +x /usr/local/bin/remote_signer'\n```\n\n### Set the env variables\n\nIf you are using Gitpod, you should set the variable with the `*/*` permission.\n\n```bash\n# where your service is running\nexport GIT_REMOTE_SIGN_URL=https://your-service.com\n\n# only set this if you don't want to add the git.user.signingKey\n# variable or that somehow doesn't work\nexport GPG_SIGN_KEY=YOUR_FULL_LENGTH_KEY_ID\n\n# be really careful where and how you store this; whoever has access to this can access your server\nexport APPROVED_API_KEY=777da2f3-19a5-425c-b662-79747d0b390c\n```\n\n### Change the gitconfig\n\nFor now, this approach only works if you:\n\n1. have the signing key set with 40 characters (full key ID, not 16)\n2. 
have the public key available through https://keys.openpgp.org\n\nHere is my [testing key](https://keys.openpgp.org/search?q=3595E4B1EB3363FB7C4F78CC12F55F75B1EB0FA4). When you click the link, you can see the link below the search; that is what the signer will look for to download the public key.\n\nNow that you have all that, change the gitconfig to match this:\n\n```ini\n[user]\nname = Daniel Maricic\nemail = daniel@woss.io\n# signingKey = 7A6DB9962EF3128E # this is my main key, only last 16 chars\n\n# this is my new full length testing key for p2p git signing; if this is not set, GPG_SIGN_KEY will be used\nsigningKey = 3595E4B1EB3363FB7C4F78CC12F55F7513EB0FA4 \n[gpg]\nprogram = remote_signer\n[tag]\nforceSignAnnotated = true\n[commit]\ngpgsign = true\n```\n\nA log file is generated at `~/.logs/remote-signer/git-signer.log`, which you can tail like this:\n\n```bash\ntail -f ~/.logs/remote-signer/git-signer.log\n```\n\nYou can test the `remote_signer` by executing it and then checking the logs, where you will see an error message 😉\n\n```sh\ngit add your-file\ngit commit -m 'commiting with remote gpg signing'\ngit push\n\n```\n\nP.S. MOST OF THIS IS MADE WITH GITPOD :) AND THE SIGNATURES WORK. NO PRIVATE KEYS ON THE GITPOD SERVERS. 
YOU CONTROL WHERE THEY ARE AND IN THE FUTURE HOW THEY CAN BE ACCESSED.\n\nThis is a PoC built in one day, and if this makes sense there is a lot of improvement to be done, from security to choosing the correct key.\n\n## Debugging\n\n```bash\n# this is the most important one\nexport GIT_TRACE=true\n\n# super super optional\nexport GIT_CURL_VERBOSE=true\nexport GIT_SSH_COMMAND=\"ssh -vvv\"\nexport GIT_TRACE_PACK_ACCESS=true\nexport GIT_TRACE_PACKET=true\nexport GIT_TRACE_PACKFILE=true\nexport GIT_TRACE_PERFORMANCE=true\nexport GIT_TRACE_SETUP=true\nexport GIT_TRACE_SHALLOW=true\n```\n\n## Good ref links\n\n- https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=blob;f=doc/DETAILS;hb=HEAD#l323\n- https://stackoverflow.com/questions/58442313/can-i-sign-git-commits-with-keybase-io/71002961#71002961\n- https://docs.openpgpjs.org/\n- https://github.com/git/git/blob/master/gpg-interface.c#L917\n- https://github.com/git/git/blob/master/Documentation/config/gpg.txt#L1\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fwoss%2Fgit-gpg-remote-sign","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fwoss%2Fgit-gpg-remote-sign","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fwoss%2Fgit-gpg-remote-sign/lists"}