add ROS Project Manager

[christian-rauch]

Describe your changes

I am adding the ROS Project Manager.

Checklist

• I have run npm run all to validate my changes
• I have made sure my commits are signed
• I have added an entry for new Extensions in CODEOWNERS

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[Maddimax]

Please sign your commits. (see https://docs.github.com/en/authentication/managing-commit-signature-verification/signing-commits)

[Maddimax]

Thank you for your contribution! We are still in the process of setting up all the legalese around including outside contributions. We will get back to your Merge Request as soon as that process is done. Thank you for your patience!

[cristianadam]

Please sign your commits. (see https://docs.github.com/en/authentication/managing-commit-signature-verification/signing-commits)

I remember using the information from https://stackoverflow.com/questions/72844616/how-do-i-sign-git-commits-using-my-existing-ssh-key to configure my setup.

I have under ~/.ssh/config the following:

Host github.com
    Hostname ssh.github.com
    Port 443
    User git

and in my ~/.gitconfig:

# This is Git's per-user configuration file.
[user]
# Please adapt and uncomment the following lines:
	signingkey = /Users/cristian/.ssh/id_ed25519.pub
[commit]
	gpgsign = true
[gpg]
	format = ssh
[gpg "ssh"]
	allowedSignersFile = /Users/cristian/.ssh/allowed_signers

And in the GitHub settings I have my public key part of both auth and signing 😅

This way I have the green verified label next to the commits.

[christian-rauch]

I've never signed commits (apart from the Signed-off-by:) before.

I followed the instructions at https://docs.github.com/en/authentication/managing-commit-signature-verification/telling-git-about-your-signing-key#telling-git-about-your-ssh-key and initially tried to use an SSH key already registered to my account. But that key was not recognised. I then added a dedicated key via ssh-keygen -t ed25519 -C "[email protected]" as "Signing keys" and then added the very same key to git via git config --global user.signingkey ~/.ssh/id_ed25519.pub. But the key is still not recognised.

It's not clear to me if the email address matters and if it has to match the commiter email address or an email address registered to the GitHub account. Also, the error message "This user has not yet uploaded their public signing key." is mildly confusing as I definitely uploaded a public signing key. I guess it just cannot associate the key to the account or commit.

[Maddimax]

I did some more investigation into the signing stuff. You signed the commit with the SSH key SHA256:mZqA2T4sHhPObWcH5Cd/FkhlkqWnXyBgv+ZSWE1omDY, but the key you have uploaded to github is:

curl -L \                                                                                             test-gpg ◼
  -H "Accept: application/vnd.github+json" \
  -H "X-GitHub-Api-Version: 2022-11-28" \
  https://api.github.com/users/christianrauch/keys
[
  {
    "id": 49046490,
    "key": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCiRClwcMBeRux5nqCxSmSkb7y//nykZx1VM5IHA++u8gqbF3Pf/LvV85t9ND0GFB7nOKqoZtbY4eKFB+FjnqcP04DsaaRP44X4n+ZUUToIk1jWP3SvGQ05l1d0mnHBu4NFZaQa3toBePdG+4T6zwrgZVYd/Jm/nHp4egg3+zIBoRar++H8qFZ1jZLGdN+ZNTV4ZdrCXfB9/Im64blE8qTop+LULbuIHfW2U0xI5BBi1nXYQDSgBfjeB/PWMtPptyJE+pziJT7Vv4QjWRFz6sS+CHCoC4p0NZhSUenNyusiChbmaaShy0QPuNSh3MoI4Wit9x0HoWdypnc7gaoYu1dkx9lYXnNuBZKu3t49kDh84zkLDnRQtYXs9X5rCNldPgyfvKjEdEzPrzNxrlU49pNP948HeConPtQ4nLh0ITE/4fp70lHpTEnssoTBsbG1Y5/G+XWKLs1YDxWM4isMsYea2wPMnmeQvmz62EPsNsYysOWs0i+tunzEheeJHwz5XTU=",
    "created_at": "2021-01-02T18:48:40Z"
  }
]

which has a fingerprint of:

ssh-keygen -lvf rauch.pub                                                                             test-gpg ◼
3072 SHA256:q+choB0P4kD30CAsOkrShtZXVhJONso3gvor9ZTUX0c no comment (RSA)
+---[RSA 3072]----+
|.. .   *o.       |
|... = =oo    E   |
|o+.+ =++    .    |
|*o=.ooo..  . .   |
|*+. *.. S . .    |
|.o.= B   o       |
|  +.+ o o        |
| .  .. o..       |
|  ..  .o.        |
+----[SHA256]-----+

[christian-rauch]

Well, I was assuming I have to sign the commits with a key attached to the account that opened the PR and pushed the commits (@christian-rauch). But it seems you have to use a key attached to an account owning the email address associated with the commit.

Any way, I resigned the commits and git log --show-signature now tells me:

Good "git" signature with RSA key SHA256:q+choB0P4kD30CAsOkrShtZXVhJONso3gvor9ZTUX0c

for my two commits. So I assume they are now signed with the correct key? But GitHub still insists on "This user has not yet uploaded their public signing key.".

Also, I signed the CLA twice now with this very user, but @CLAassistant still does not recognise this.

Is this whole infrastructure only working when you are dealing with a single user and key?

[Maddimax]

You have signed the commits with the key from "@christianrauch", but I guess the email address of the commits is registered for "@christian-rauch"? Signing your commit with one of the two keys from @christian-rauch would probably solve the issue.

[Maddimax]

Same for the CLA I guess? I think mixing those two accounts in one merge request is not working well.

[aportale]

We are still in the process of setting up all the legalese around including outside contributions.

Legal-approved user-facing text implemented in version 18.0. Users accept it before proceeding.
https://bugreports.qt.io/browse/QTCREATORBUG-33144

[lavonardo]

Thank you for your submission and apologies to have kept you waiting.
With the incoming release of Qt Creator 18, we will be merging the pull request, and thus ROS Project Manager will be available in the extension directory.
However, as your extension is written in C++ and thus dependent on the version of Qt Creator, could you please update the pull request to refer to versions that have been built against Qt Creator 18.

[christian-rauch]

However, as your extension is written in C++ and thus dependent on the version of Qt Creator, could you please update the pull request to refer to versions that have been built against Qt Creator 18.

Yes, I can do that once the plugin has been released for Qt Creator 18. But I guess I will still need to figure out the signed commit issue, that I haven't figured out yet with my two accounts.

[lavonardo]

Yes, I can do that once the plugin has been released for Qt Creator 18. But I guess I will still need to figure out the signed commit issue, that I haven't figured out yet with my two accounts.

Sounds like a plan, I fell into the same trap of two accounts, but was able to resolve the issue based on the information provided by Cristian and Marcus.

[christian-rauch]

@lavonardo I updated to 18. Can you check and run the CI?