You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
👿 Having to juggle multiple GPG identities per project, repository or vendor is a PITA, and sometimes might be even a requirement. However, it is not always necessary.
You can attach multiple identities to a single key record. So for example I can use a single GPG key for contributing to both Github and Gitlab (or other) projects, whilst using different no-reply identities (user/email/comment) attached to the same, single key.
Why?
Multiple repo vendors (Github, Gitlab, etc.) typically provide different private, no-reply "emails". By attaching multiple identities to the same, say "open source" key, I can still use the same key for all my open source contributions while still keeping all the commits validly signed and minimizing the aforementioned GPG key juggling to when it's strictly required per OpSec 🙏🏽
Problem
GPG pub/sub keys can support having multiple identities attached to a single record.
In addition, identities can be revoked (r) by the user.
GPG indicator currently searchers for and displays one identity per GPG record, in part this is probably informed by the fact that it is a taskbar extension, and the taskbar is naturally limited to displaying only one line at a time (although it does allow for user interaction).
The regex at the gpg->parseGpgKey() function is limited to recognizing only one identity per record. There is an expectation that multiple records will be returned by gpg.
The regular expression groupings that I have tried will allow only one identity record to be captured and associated with an individual key record (each key record can have multiple identities attached).
For example:
# gpg --fingerprint --fingerprint --with-keygrip --with-colon
pub record [sc] (signing, certificates)
grp
fpr
uid (u) (Github)
uid (r) (revoked, user made a typo, boo-hoo)
uid (u) (Gitlab, AWS, or some other vendor)
sub record [e] (subkey, encrypt)
grp
fpr
sub record [a] (subkey, authenticate)
grp
fpr
In the example above (taken from a friend 😂) the main pub record has three identities attached, one of them (the middle one) revoked. The main GPG record public key is uploaded to and recognized by all the user's vendors. Each uid record attached has a different identity associated for each vendor the user uses the key with. Multiple vendors, one identity per vendor, still the same key.
In this example depending how you tweak the gpg->parseGpgKey() regex you can arbitrarily grab the uid for Github, or Amazon, but not both. At least not if you want to associate them as part of the same regex capture group for the pub record. Maybe the regex gods did not look kindly upon me the day I was born.
Some suggestions:
Grab identities in a separate gpg call.
Let the user select through the extension UI (no config) which identity to use.
Use config to select the identity to use.
The regex works with native Linux gpg (as advertised by the labeling on the tin), but it breaks when using Windows native GPG from within WSL (gpg.exe works just fine in WSL, it's the regex that breaks), I'm currently working on fixing the regex. Fixed in issue Fix regex parsing when using gpg.exe (in Windows/WSL) #2.
Do not use a record identity if it is (r) revoked, warn the user with an extension popup if possible (I added a positive lookahead to the regex uid capture group to not match (r) revoked identity records).
More robust logging. The logger facilities are there, but the popup message the user gets when "a key is not found in current dir" is wanting. I should know which key GPG indicator is attempting (and failing) to use.
Additional suggestions
Identity selection (drop down): provide a drop-down from the task bar to select and "activate" (set git.config on demand) any key currently available in the GPG keychain for use. This is more of a fun/why not? request than an actual priority.
TL;DR:
👿 Having to juggle multiple GPG identities per project, repository or vendor is a PITA, and sometimes might be even a requirement. However, it is not always necessary.
You can attach multiple identities to a single key record. So for example I can use a single GPG key for contributing to both Github and Gitlab (or other) projects, whilst using different no-reply identities (user/email/comment) attached to the same, single key.
Why?
Multiple repo vendors (Github, Gitlab, etc.) typically provide different private, no-reply "emails". By attaching multiple identities to the same, say "open source" key, I can still use the same key for all my open source contributions while still keeping all the commits validly signed and minimizing the aforementioned GPG key juggling to when it's strictly required per OpSec 🙏🏽
Problem
GPG pub/sub keys can support having multiple identities attached to a single record.
In addition, identities can be revoked (r) by the user.
GPG indicator currently searchers for and displays one identity per GPG record, in part this is probably informed by the fact that it is a taskbar extension, and the taskbar is naturally limited to displaying only one line at a time (although it does allow for user interaction).
The regex at the
gpg->parseGpgKey()function is limited to recognizing only one identity per record. There is an expectation that multiple records will be returned bygpg.The regular expression groupings that I have tried will allow only one identity record to be captured and associated with an individual key record (each key record can have multiple identities attached).
For example:
In the example above (taken from a friend 😂) the main pub record has three identities attached, one of them (the middle one) revoked. The main GPG record public key is uploaded to and recognized by all the user's vendors. Each
uidrecord attached has a different identity associated for each vendor the user uses the key with. Multiple vendors, one identity per vendor, still the same key.In this example depending how you tweak the
gpg->parseGpgKey()regex you can arbitrarily grab the uid for Github, or Amazon, but not both. At least not if you want to associate them as part of the same regex capture group for thepub record. Maybe the regex gods did not look kindly upon me the day I was born.Some suggestions:
gpgcall.The regex works with native LinuxFixed in issue Fix regex parsing when usinggpg(as advertised by the labeling on the tin), but it breaks when using Windows native GPG from within WSL (gpg.exeworks just fine in WSL, it's the regex that breaks), I'm currently working on fixing the regex.gpg.exe(in Windows/WSL) #2.Additional suggestions