Skip to content

Adds an SSH Allowed Signers editor#5494

Open
ianhattendorf wants to merge 4 commits into
mainfrom
ssh-allowed-signers-editor
Open

Adds an SSH Allowed Signers editor#5494
ianhattendorf wants to merge 4 commits into
mainfrom
ssh-allowed-signers-editor

Conversation

@ianhattendorf

@ianhattendorf ianhattendorf commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

Description

Closes #5469.

SSH-signed commits can never reach the "Signed & Verified / Trusted" state in GitLens because Git can only validate an SSH signature when gpg.ssh.allowedSignersFile lists the signer's email and full public key — and git log only exposes fingerprints. This PR adds an Edit SSH Allowed Signers editor that builds/maintains that file for you.

What it does

  • Discovers candidate signers from two sources, cross-checked for provenance:
    • Local commits — extracts the full public key embedded in each SSH-signed commit's SSHSIG blob (offline, any host), read in a single batched git cat-file --batch.
    • Provider APIs — when a GitHub or GitLab integration is connected, fetches each signer's registered SSH signing keys and matches them, marking keys as signed-here, provider-verified, or both.
  • Streams a progress-aware loading page while scanning, then lets you review signers (avatar, email, fingerprint, provenance, signed-commit count) and choose which to include.
  • Pre-selection: only API-verified signers are pre-checked by default; opening from a commit's Add to allowed signers… action pre-checks all (explicit intent to trust).
  • Writes/merges the file idempotently without clobbering existing manual entries, and optionally points gpg.ssh.allowedSignersFile at it (globally or per-repo).
image image

Entry points

  • Command Palette: GitLens: Edit SSH Allowed Signers
  • An Add to allowed signers… action on an unverified SSH signature in a commit's signature details (Inspect view / commit hover), scoped to that commit's repository.

Verification

  • Unit tests for the SSHSIG parser and allowed_signers merge logic.
  • Exercised end-to-end in a running instance (command palette open → discovery → signer list; provenance-based default pre-checking; preselectAll via the signature-action link; toggle; Save → file write + idempotent 2-entry merge with no clobber; signature-action render + hover-underline).

@ianhattendorf ianhattendorf changed the title Closes #5469 - Adds an SSH Allowed Signers editor Adds an SSH Allowed Signers editor Jul 10, 2026
@ianhattendorf ianhattendorf force-pushed the ssh-allowed-signers-editor branch 2 times, most recently from 2916c29 to 4e1e115 Compare July 10, 2026 23:23
@ianhattendorf ianhattendorf marked this pull request as ready for review July 10, 2026 23:23
@ianhattendorf ianhattendorf requested review from a team and Copilot July 10, 2026 23:23

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds a new “SSH Allowed Signers” editor webview to help users generate/merge an allowed_signers file (and optionally set gpg.ssh.allowedSignersFile) so SSH-signed commits can become “Signed & Verified / Trusted” in GitLens. The change spans webview UI + IPC, host-side signer discovery (from local SSHSIG blobs + provider APIs), and new git-cli parsing utilities/tests to extract SSH public keys from commit objects.

Changes:

  • Adds a new allowedSigners webview panel + Lit app UI, including an “Add to allowed signers…” action surfaced from SSH signature details.
  • Implements signer discovery/merging: parse SSHSIG public keys from local commits, merge idempotently into allowed_signers, and optionally set git config.
  • Extends GitHub/GitLab integrations/APIs to fetch users’ SSH signing keys for provenance cross-checking.

Reviewed changes

Copilot reviewed 39 out of 39 changed files in this pull request and generated 5 comments.

Show a summary per file
File Description
webpack.config.mjs Adds the allowedSigners webview bundle entry.
src/webviews/apps/shared/components/commit/signature-details.ts Adds a command-URI link to open the editor for unverified SSH signatures.
src/webviews/apps/shared/components/commit/commit-author.ts Forwards repoPath into signature details for scoping the editor to a repo.
src/webviews/apps/commitDetails/components/gl-details-commit-panel.ts Supplies repoPath to the commit author block in commit details.
src/webviews/apps/allowedSigners/stateProvider.ts Adds state provider for allowed signers webview notifications → state updates.
src/webviews/apps/allowedSigners/context.ts Adds Lit context for allowed signers state.
src/webviews/apps/allowedSigners/components/signer-row.ts Introduces signer list row UI (checkbox + provenance + fingerprint).
src/webviews/apps/allowedSigners/allowedSigners.ts Implements the main Allowed Signers Lit app (loading, selection, save/config UI).
src/webviews/apps/allowedSigners/allowedSigners.scss Base styling/bootstrap for the allowed signers webview app.
src/webviews/apps/allowedSigners/allowedSigners.html New webview HTML shell for Allowed Signers panel.
src/webviews/apps/allowedSigners/allowedSigners.css.ts Lit CSS styles for the Allowed Signers app.
src/webviews/allowedSigners/registration.ts Registers the new webview panel + lazy-loaded provider chunk.
src/webviews/allowedSigners/protocol.ts Defines IPC scope, state, requests, and notifications for allowed signers.
src/webviews/allowedSigners/allowedSignersWebview.ts Host-side implementation: discovery (commits + provider), merge/write, progress streaming.
src/git/utils/allowedSignersFile.ts Adds parse/merge utilities for allowed_signers content with injection guards.
src/git/utils/tests/allowedSignersFile.test.ts Unit tests for public key parsing + merge/idempotency + injection cases.
src/env/node/platform.ts Adds getHomeDir() for node host.
src/env/browser/platform.ts Adds getHomeDir() stub for web host.
src/container.ts Registers the Allowed Signers webview panel in the extension container.
src/constants.views.ts Adds allowedSigners to WebviewPanelTypes.
src/constants.commands.generated.ts Adds gitlens.git.editAllowedSigners command type.
packages/plus/integrations/src/providers/gitlab/models.ts Adds GitLab SSH key model for /users/:id/keys responses.
packages/plus/integrations/src/providers/gitlab/gitlab.ts Adds GitLab API call to fetch user signing-capable SSH keys.
packages/plus/integrations/src/providers/gitlab.ts Implements SSH signing-key lookup by email with bounded concurrency.
packages/plus/integrations/src/providers/github.ts Implements SSH signing-key lookup by email (email→login + per-login key fetch).
packages/plus/integrations/src/models/integration.ts Adds getSshSigningKeysForEmails to the sync usecase union.
packages/plus/integrations/src/models/gitHostIntegration.ts Adds cross-provider integration method for SSH signing keys (default no-op).
packages/plus/git-github/src/models.ts Adds REST response typing for GitHub SSH signing keys.
packages/plus/git-github/src/api/github.ts Adds GitHub GraphQL email→login resolution + REST SSH signing keys endpoints.
packages/git/src/utils/sshKey.utils.ts Adds strict allowlist validation for SSH key types/data and principal token.
packages/git/src/providers/commits.ts Extends commits provider interface with getCommitsSshSigners.
packages/git/src/models/signature.ts Adds SshPublicKey + SshSignedCommit types.
packages/git-cli/src/providers/commits.ts Implements batched cat-file --batch parsing to extract SSH signer key + committer.
packages/git-cli/src/providers/tests/commits.sshSigners.test.ts Tests for cat-file --batch parsing and boundary handling scenarios.
packages/git-cli/src/parsers/sshSignatureParser.ts Adds SSHSIG + committer parsing from raw commit objects with validation.
packages/git-cli/src/parsers/tests/sshSignatureParser.test.ts Tests for SSHSIG extraction, committer extraction, and malicious inputs.
package.json Adds the new command contribution (generated output).
contributions.json Adds the new command contribution source entry.
CHANGELOG.md Documents the new SSH Allowed Signers editor feature.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread src/webviews/allowedSigners/allowedSignersWebview.ts
Comment thread packages/git/src/utils/sshKey.utils.ts Outdated
Comment thread src/webviews/apps/allowedSigners/components/signer-row.ts Outdated
Comment thread packages/git-cli/src/providers/commits.ts Outdated
Comment thread packages/plus/integrations/src/providers/github.ts Outdated
@ianhattendorf ianhattendorf force-pushed the ssh-allowed-signers-editor branch from 4e1e115 to 8b81237 Compare July 14, 2026 00:46
@ianhattendorf

Copy link
Copy Markdown
Contributor Author

augment review

@augmentcode

augmentcode Bot commented Jul 14, 2026

Copy link
Copy Markdown
🤖 Augment PR Summary

Summary: This PR adds an SSH Allowed Signers editor to help GitLens reach “Signed & Verified / Trusted” for SSH-signed commits by generating/maintaining an SSH allowed_signers file.

Key changes:

  • Adds a new webview panel + Lit UI to discover candidate SSH signers, show provenance, and write selected entries.
  • Implements an SSHSIG parser to extract the full SSH public key and committer identity directly from raw commit objects.
  • Adds allowed_signers parsing/merge utilities with strict validation of principals, key types, and base64 key blobs to prevent injection.
  • Extends GitHub/GitLab integrations to resolve accounts by email and fetch users’ SSH signing keys, with batching/concurrency limits to reduce rate-limit bursts.
  • Wires commit signature details to surface an “Add to allowed signers…” action for unverified SSH signatures, scoped to the current repo.
  • Adds home-dir expansion helper and webpack webview entry, plus unit tests for the SSHSIG parser and merge logic.

Technical notes: Discovery scans recent commits via a single git cat-file --batch invocation and keeps merges idempotent while preserving existing/manual file content; optionally updates gpg.ssh.allowedSignersFile globally or per-repo.

🤖 Was this summary useful? React with 👍 or 👎

@augmentcode augmentcode Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Review completed. 2 suggestions posted.

Fix All in Augment

Comment augment review to trigger a new review at any time.

Comment thread src/webviews/allowedSigners/allowedSignersWebview.ts
Comment thread src/webviews/allowedSigners/allowedSignersWebview.ts Outdated
@ianhattendorf ianhattendorf force-pushed the ssh-allowed-signers-editor branch from 8b81237 to dcd1884 Compare July 14, 2026 16:46
Adds an 'Add to allowed signers…' action in the commit signature details (Inspect view / commit hover), shown only for an SSH signature that isn't verified yet (not already trusted, not tampered) — exactly where a user notices a commit won't verify. It opens the editor scoped to that commit's repository via a command link. The repo path is threaded from the commit-details panel through gl-commit-author to gl-signature-details; other consumers of the shared component (e.g. the Graph's multi-commit panel) don't pass a repo path, so the action doesn't appear there.
@ianhattendorf ianhattendorf force-pushed the ssh-allowed-signers-editor branch from dcd1884 to 5695467 Compare July 14, 2026 16:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Build an SSH allowed_signers file to verify SSH-signed commits

2 participants