verification of commit signatures with SSH key #1394

Open
jelmer opened this issue Oct 20, 2024 Discussed in #1391 · 5 comments

Comments

@jelmer
Owner

jelmer commented Oct 20, 2024

Discussed in #1391

Originally posted by castedo October 20, 2024
I am planning to migrate from using GitPython to Dulwich, but I will need to be able to verify commit signatures with SSH keys.

Am I correct that Dulwich does not have this functionality? It looks like only tag signatures with GPG keys are supported.

Are there any libraries or existing Python code that can do this? I've searched long and far, and it seems the only Python code that replicates the core functionality of the type of SSH key signatures used with git is https://github.com/grawity/ssh-datasign (thank you @grawity!). This is the SSHSIG-type signature implemented by ssh-keygen -Y verify, which is what git uses for SSH key signatures (nice blog post).
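
The SSHSIG mechanics the comment above refers to, as an added example that is not part of this issue and is not code from Dulwich, hidos, sshsiglib or ssh-datasign. The envelope layout, the signed-data construction and the "git" namespace follow OpenSSH's PROTOCOL.sshsig and what git does with gpg.format=ssh; the commit bytes in the test are constructed. The Ed25519 primitive is taken from the cryptography package (an assumption; ssh-keygen also accepts RSA, ECDSA and sk-* keys, which this example does not handle):

```python
import base64
import hashlib
import struct

MAGIC = b"SSHSIG"        # preamble from OpenSSH PROTOCOL.sshsig, version 1
GIT_NAMESPACE = b"git"   # git runs ssh-keygen -Y sign/verify -n git
HASH_ALGS = {b"sha256": hashlib.sha256, b"sha512": hashlib.sha512}

def ssh_string(b):  # SSH wire 'string': 4-byte big-endian length, then bytes
    return struct.pack(">I", len(b)) + b

def read_string(buf, off):
    """Bounds-checked inverse of ssh_string; returns (value, new offset)."""
    n = struct.unpack_from(">I", buf, off)[0] if len(buf) >= off + 4 else len(buf)
    if off + 4 + n > len(buf):
        raise ValueError("truncated SSH string")
    return buf[off + 4:off + 4 + n], off + 4 + n

def signed_data(message, namespace, hash_alg):
    """What the key really signs: MAGIC || namespace || reserved || hash_alg || H(message)."""
    digest = HASH_ALGS[hash_alg](message).digest()
    return MAGIC + ssh_string(namespace) + ssh_string(b"") + ssh_string(hash_alg) + ssh_string(digest)

def encode_sshsig(pubkey_blob, namespace, hash_alg, sig_alg, raw_sig):
    """Armored SSHSIG envelope in the layout ssh-keygen -Y sign writes."""
    body = (MAGIC + b"\x00\x00\x00\x01" + ssh_string(pubkey_blob) + ssh_string(namespace)
            + ssh_string(b"") + ssh_string(hash_alg) + ssh_string(ssh_string(sig_alg) + ssh_string(raw_sig)))
    b64 = base64.b64encode(body)
    lines = [b64[i:i + 70] for i in range(0, len(b64), 70)]
    return b"-----BEGIN SSH SIGNATURE-----\n" + b"\n".join(lines) + b"\n-----END SSH SIGNATURE-----\n"

def decode_sshsig(armored):
    """Parse the envelope; rejects bad magic/version and any trailing bytes."""
    lines = armored.strip().splitlines()
    if len(lines) < 3 or lines[0] != b"-----BEGIN SSH SIGNATURE-----" or lines[-1] != b"-----END SSH SIGNATURE-----":
        raise ValueError("not an armored SSH signature")
    body = base64.b64decode(b"".join(lines[1:-1]))
    if body[:10] != MAGIC + b"\x00\x00\x00\x01":
        raise ValueError("bad SSHSIG magic or version")
    fields, off = [], 10
    for _ in range(5):  # pubkey, namespace, reserved, hash_alg, signature
        value, off = read_string(body, off)
        fields.append(value)
    pubkey, namespace, _reserved, hash_alg, sig = fields
    sig_alg, o = read_string(sig, 0)
    raw_sig, o = read_string(sig, o)
    if off != len(body) or o != len(sig):
        raise ValueError("trailing data in SSHSIG")
    return {"pubkey": pubkey, "namespace": namespace, "hash_alg": hash_alg,
            "sig_alg": sig_alg, "raw_sig": raw_sig}

def split_commit(commit):
    """(payload, armored sig or None): the commit object minus its multi-line gpgsig header."""
    headers, sep, message = commit.partition(b"\n\n")
    kept, sig_lines, in_sig = [], [], False
    for line in headers.split(b"\n"):
        if in_sig and line.startswith(b" "):   # continuation line of the header
            sig_lines.append(line[1:])
            continue
        in_sig = line.startswith(b"gpgsig ")
        (sig_lines if in_sig else kept).append(line[7:] if in_sig else line)
    armored = b"\n".join(sig_lines) + b"\n" if sig_lines else None
    return b"\n".join(kept) + sep + message, armored   # payload == what git gives ssh-keygen

def attach_signature(payload, armored):
    """Inverse of split_commit: gpgsig becomes the last header, continuation lines indented."""
    headers, sep, message = payload.partition(b"\n\n")
    return headers + b"\ngpgsig " + b"\n ".join(armored.strip().split(b"\n")) + b"\n" + sep[1:] + message

def sign_commit_ed25519(commit, private_key):
    """What 'git commit -S' with gpg.format=ssh stores (assumes a cryptography Ed25519PrivateKey)."""
    from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat
    payload, existing = split_commit(commit)
    if existing is not None:
        raise ValueError("commit already carries a gpgsig header")
    raw_pub = private_key.public_key().public_bytes(Encoding.Raw, PublicFormat.Raw)
    raw_sig = private_key.sign(signed_data(payload, GIT_NAMESPACE, b"sha512"))
    return attach_signature(payload, encode_sshsig(ssh_string(b"ssh-ed25519") + ssh_string(raw_pub),
                                                   GIT_NAMESPACE, b"sha512", b"ssh-ed25519", raw_sig))

def verify_commit_ed25519(commit, allowed_raw_pubs):
    """ssh-keygen -Y verify -n git; allowed_raw_pubs stands in for the allowed_signers file.
    The namespace check is not optional: a signature made over a file must not verify a commit."""
    from cryptography.exceptions import InvalidSignature
    from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PublicKey
    payload, armored = split_commit(commit)
    if armored is None:
        return False
    sig = decode_sshsig(armored)
    key_type, o = read_string(sig["pubkey"], 0)
    raw_pub, _ = read_string(sig["pubkey"], o)
    trusted = raw_pub in allowed_raw_pubs and key_type == sig["sig_alg"] == b"ssh-ed25519"
    if sig["namespace"] != GIT_NAMESPACE or sig["hash_alg"] not in HASH_ALGS or not trusted:
        return False
    try:
        Ed25519PublicKey.from_public_bytes(raw_pub).verify(
            sig["raw_sig"], signed_data(payload, GIT_NAMESPACE, sig["hash_alg"]))
    except InvalidSignature:
        return False
    return True
```

Two points matter for anyone porting this into a Dulwich-based verifier. First, the key never signs the commit bytes directly; it signs the SSHSIG blob that embeds the namespace and the hash of the payload, so a verifier that skips the namespace comparison will accept a signature somebody made over an unrelated file with the same key. Second, the trust decision (which keys are allowed, for which principals, in which namespaces, during which validity window) lives in the allowed_signers file that ssh-keygen reads; the `allowed_raw_pubs` set above is the minimal stand-in for that and a real implementation has to parse that file.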

@castedo
Contributor

castedo commented Oct 21, 2024

I've created https://gitlab.com/perm.pub/dulwich-sshsig-union for testing, coordination, and a bit of experimentation.

@castedo
Contributor

castedo commented Oct 21, 2024

I somehow failed to recognize that my goal of switching hidos from GitPython to Dulwich will also require signing in addition to verification. 🤦 So the mission of this thread has expanded to include signing too. But the code from grawity should make this relatively easy if I'm already doing all the work to test verification well.

@castedo
Contributor

castedo commented Nov 12, 2024

Quick update on my thoughts, now that I've gotten verification partially working with hidos/sshsiglib/dulwich. I'm now planning to have hidos using Dulwich this month. But I think hidos is going to continue depending on GitPython & classic git for creating/amending/writing document successions for a long time. But reading document successions will be via Dulwich. So verification with Dulwich is high priority, but signing commits via Dulwich is low priority for me for a while. I still want to work towards getting signing into Dulwich too, but it's just not as urgent. I hope signing isn't that much work once verification is working.

@castedo
Contributor

castedo commented Nov 12, 2024

#1431 is the first subtask for SSH key based commit verification.

@castedo
Contributor

castedo commented Nov 20, 2024

@jelmer Here's a quick update on my current thinking. I'm thinking of releasing version 2.0 of the hidos package this month and including a "vendored" library of sshsig inside the hidos package, but not as a submodule of hidos. sshsig and hidos are separate top-level modules. Then, as a follow-on stage, some of the code can be copied and/or sshsig can turn into a separate stand-alone package. Nobody who wants just the sshsig functionality will also want hidos.

The sshsig code is also in a stand-alone repository, currently at https://gitlab.com/perm.pub/sshsiglib/. For now, this repo is also a submodule inside the hidos repository so that it can be packaged/vendored along with hidos 2.0.

I'll post some more details here this week on the sshsig and dulwich functions and types that hidos is calling which hopefully can provide some insights and guidance on improved approaches in other dulwich applications.
