feat: support signing commits with gpg, ssh, x509

Originally implemented by Thomas Ip in arxanas#966. Updated by Matt.

Co-authored-by: Thomas Ip <[email protected]>

Author: mhammerly

Cargo.lock

@@ -70,6 +70,8 @@ git-branchless-submit = { version = "0.10.0", path = "git-branchless-submit" }
 git-branchless-test = { version = "0.10.0", path = "git-branchless-test" }
 git-branchless-undo = { version = "0.10.0", path = "git-branchless-undo" }
 git2 = { version = "0.20.0", default-features = false }
+# TODO: using a local clone of git2-ext that updates its git2 and git-fixture deps
+git2-ext = { path = "../git2-ext" }
 glob = "0.3.2"
 indexmap = "2.7.1"
 indicatif = { version = "0.17.11", features = ["improved_unicode"] }

Cargo.toml

@@ -56,6 +56,7 @@ eden_dag = { workspace = true }
 eyre = { workspace = true }
 futures = { workspace = true }
 git2 = { workspace = true }
+git2-ext = { workspace = true }
 indicatif = { workspace = true }
 itertools = { workspace = true }
 lazy_static = { workspace = true }

git-branchless-lib/Cargo.toml

@@ -15,7 +15,7 @@ use crate::core::formatting::Pluralize;
 use crate::core::repo_ext::RepoExt;
 use crate::git::{
     BranchType, CategorizedReferenceName, GitRunInfo, MaybeZeroOid, NonZeroOid, ReferenceName,
-    Repo, ResolvedReferenceInfo,
+    Repo, ResolvedReferenceInfo, SignOption,
 };
 use crate::util::{ExitCode, EyreExitOr};
 
@@ -436,8 +436,8 @@ mod in_memory {
     use crate::core::rewrite::move_branches;
     use crate::core::rewrite::plan::{OidOrLabel, RebaseCommand, RebasePlan};
     use crate::git::{
-        AmendFastOptions, CherryPickFastOptions, CreateCommitFastError, GitRunInfo, MaybeZeroOid,
-        NonZeroOid, Repo,
+        self, AmendFastOptions, CherryPickFastOptions, CreateCommitFastError, GitRunInfo,
+        MaybeZeroOid, NonZeroOid, Repo,
     };
     use crate::util::EyreExitOr;
 
@@ -500,6 +500,7 @@ mod in_memory {
             force_on_disk: _,
             resolve_merge_conflicts: _, // May be needed once we can resolve merge conflicts in memory.
             check_out_commit_options: _, // Caller is responsible for checking out to new HEAD.
+            sign_option,
         } = options;
 
         let mut current_oid = rebase_plan.first_dest_oid;
@@ -537,6 +538,8 @@ mod in_memory {
             .count();
         let (effects, progress) = effects.start_operation(OperationType::RebaseCommits);
 
+        let signer = git::get_signer(repo, sign_option)?;
+
         for command in rebase_plan.commands.iter() {
             match command {
                 RebaseCommand::CreateLabel { label_name } => {
@@ -670,12 +673,12 @@ mod in_memory {
                         );
                         rebased_commit_oid = Some(
                             repo.create_commit(
-                                None,
                                 &commit_author,
                                 &committer_signature,
                                 commit_message,
                                 &commit_tree,
                                 vec![&current_commit],
+                                signer.as_deref(),
                             )
                             .wrap_err("Applying rebased commit")?,
                         );
@@ -802,12 +805,12 @@ mod in_memory {
                     };
                     let rebased_commit_oid = repo
                         .create_commit(
-                            None,
                             &replacement_commit.get_author(),
                             &committer_signature,
                             replacement_commit_message,
                             &replacement_tree,
                             parents.iter().collect(),
+                            signer.as_deref(),
                         )
                         .wrap_err("Applying rebased commit")?;
 
@@ -911,6 +914,7 @@ mod in_memory {
             force_on_disk: _,
             resolve_merge_conflicts: _,
             check_out_commit_options,
+            sign_option: _,
         } = options;
 
         for new_oid in rewritten_oids.values() {
@@ -996,6 +1000,7 @@ mod on_disk {
             force_on_disk: _,
             resolve_merge_conflicts: _,
             check_out_commit_options: _, // Checkout happens after rebase has concluded.
+            sign_option,
         } = options;
 
         let (effects, _progress) = effects.start_operation(OperationType::InitializeRebase);
@@ -1113,6 +1118,16 @@ mod on_disk {
             )
         })?;
 
+        let gpg_sign_opt_path = rebase_state_dir.join("gpg_sign_opt");
+        if let Some(sign_flag) = sign_option.as_rebase_flag(repo)? {
+            std::fs::write(&gpg_sign_opt_path, sign_flag).wrap_err_with(|| {
+                format!(
+                    "Writing `gpg_sign_opt` to: {:?}",
+                    gpg_sign_opt_path.as_path()
+                )
+            })?;
+        }
+
         let end_file_path = rebase_state_dir.join("end");
         std::fs::write(
             end_file_path.as_path(),
@@ -1172,6 +1187,7 @@ mod on_disk {
             force_on_disk: _,
             resolve_merge_conflicts: _,
             check_out_commit_options: _, // Checkout happens after rebase has concluded.
+            sign_option: _,
         } = options;
 
         match write_rebase_state_to_disk(effects, git_run_info, repo, rebase_plan, options)? {
@@ -1216,6 +1232,9 @@ pub struct ExecuteRebasePlanOptions {
 
     /// If `HEAD` was moved, the options for checking out the new `HEAD` commit.
     pub check_out_commit_options: CheckOutCommitOptions,
+
+    /// GPG-sign commits.
+    pub sign_option: SignOption,
 }
 
 /// The result of executing a rebase plan.
@@ -1261,6 +1280,7 @@ pub fn execute_rebase_plan(
         force_on_disk,
         resolve_merge_conflicts,
         check_out_commit_options: _,
+        sign_option: _,
     } = options;
 
     if !force_on_disk {

git-branchless-lib/src/core/rewrite/execute.rs

@@ -8,6 +8,7 @@ mod oid;
 mod reference;
 mod repo;
 mod run;
+mod sign;
 mod snapshot;
 mod status;
 mod test;
@@ -27,6 +28,7 @@ pub use repo::{
     Result as RepoResult, Time,
 };
 pub use run::{GitRunInfo, GitRunOpts, GitRunResult};
+pub use sign::{get_signer, SignOption};
 pub use snapshot::{WorkingCopyChangesType, WorkingCopySnapshot};
 pub use status::{FileMode, FileStatus, StatusEntry};
 pub use test::{

git-branchless-lib/src/git/mod.rs

@@ -4,14 +4,16 @@ use bstr::{BString, ByteSlice};
 use cursive::theme::BaseColor;
 use cursive::utils::markup::StyledString;
 use git2::message_trailers_bytes;
-use tracing::instrument;
+use git2_ext::ops::Sign;
+use itertools::Itertools;
+use tracing::{error, instrument};
 
 use crate::core::formatting::{Glyphs, StyledStringBuilder};
 use crate::core::node_descriptors::{
     render_node_descriptors, CommitMessageDescriptor, CommitOidDescriptor, NodeObject, Redactor,
 };
 use crate::git::oid::make_non_zero_oid;
-use crate::git::repo::{Error, Result, Signature};
+use crate::git::repo::{Error, Repo, Result, Signature};
 use crate::git::{NonZeroOid, Time, Tree};
 
 use super::MaybeZeroOid;
@@ -291,26 +293,59 @@ impl<'repo> Commit<'repo> {
 
     /// Amend this existing commit.
     /// Returns the OID of the resulting new commit.
-    #[instrument]
+    #[instrument(skip(signer))]
     pub fn amend_commit(
         &self,
-        update_ref: Option<&str>,
+        repo: &'repo Repo,
         author: Option<&Signature>,
         committer: Option<&Signature>,
         message: Option<&str>,
         tree: Option<&Tree>,
+        signer: Option<&dyn Sign>,
     ) -> Result<NonZeroOid> {
-        let oid = self
-            .inner
-            .amend(
-                update_ref,
-                author.map(|author| &author.inner),
-                committer.map(|committer| &committer.inner),
-                None,
-                message,
-                tree.map(|tree| &tree.inner),
-            )
-            .map_err(Error::Amend)?;
+        let parents = self.get_parents();
+        let parents = parents.iter().map(|parent| &parent.inner).collect_vec();
+
+        let new_author = match author {
+            Some(author) => &author.inner,
+            None => &self.inner.author(),
+        };
+        let new_committer = match committer {
+            Some(committer) => &committer.inner,
+            None => &self.inner.committer(),
+        };
+        let new_message = match message {
+            Some(message) => message,
+            None => match std::str::from_utf8(self.inner.message_bytes()) {
+                Ok(message) => message,
+                Err(e) => {
+                    error!(
+                        ?message,
+                        ?e,
+                        "failed to decode git commit message, not valid UTF-8"
+                    );
+                    return Err(Error::DecodeUtf8 { item: "message" });
+                }
+            },
+        };
+        let new_tree = match tree {
+            Some(tree) => &tree.inner,
+            None => &self.inner.tree().map_err(|err| Error::FindTree {
+                source: err,
+                oid: self.inner.tree_id().into(),
+            })?,
+        };
+
+        let oid = git2_ext::ops::commit(
+            &repo.inner,
+            new_author,
+            new_committer,
+            new_message,
+            new_tree,
+            parents.as_slice(),
+            signer,
+        )
+        .map_err(Error::Amend)?;
         Ok(make_non_zero_oid(oid))
     }
 }