build(container): setup GitHub signing using forwarded SSH key

RembrandtK · RembrandtK · commit c69a59252661 · 2025-04-30T16:20:54.000Z
diff --git a/.devcontainer/README.md b/.devcontainer/README.md
@@ -14,6 +14,7 @@ The dev container provides a consistent development environment with caching to
 2. **Dockerfile**: Specifies the container image and installed tools
 3. **project-setup.sh**: Configures the environment after container creation
 4. **host-setup.sh**: Sets up the host environment before starting the container
+5. **setup-git-signing.sh**: Automatically configures Git to use SSH signing with forwarded SSH keys
 
 ## Cache System
 
@@ -59,11 +60,27 @@ When the container starts, the `project-setup.sh` script will automatically run
 - Create package-specific cache directories
 - Set up symlinks for package cache directories
 - Install project dependencies using yarn
+- Configure Git to use SSH signing with your forwarded SSH key
 - Source shell customizations if available in PATH (currently depends on base image configuration)
 
 ## Environment Variables
 
-Environment variables are defined in the `docker-compose.yml` file, making the configuration self-contained and predictable.
+Environment variables are defined in two places:
+
+1. **docker-compose.yml**: Contains most of the environment variables for tools and caching
+2. **Environment File**: Personal settings are stored in `/opt/configs/graphprotocol/contracts.env`
+
+### Git Configuration
+
+To enable Git commit signing, add the following settings to your environment file:
+
+```env
+# Git settings for commit signing
+GIT_USER_NAME=Your Name
+GIT_USER_EMAIL=your.email@example.com
+```
+
+These environment variables are needed for Git commit signing to work properly. If they are not defined, Git commit signing will not be configured, but the container will still work for other purposes.
 
 ## Troubleshooting
 
@@ -73,4 +90,26 @@ If you encounter permission denied errors when trying to access directories, mak
 sudo .devcontainer/host-setup.sh
 ```
 
-For other issues, check the `project-setup.sh` script for any errors.
+### Git SSH Signing Issues
+
+If you encounter issues with Git SSH signing:
+
+1. **SSH Agent Forwarding**: Make sure SSH agent forwarding is properly set up in your VS Code settings
+2. **GitHub Configuration**: Ensure your SSH key is added to GitHub as a signing key in your account settings
+3. **Manual Setup**: If automatic setup fails, you can manually configure SSH signing:
+
+```bash
+# Check available SSH keys
+ssh-add -l
+
+# Configure Git to use SSH signing
+git config --global gpg.format ssh
+git config --global user.signingkey "key::ssh-ed25519 YOUR_KEY_CONTENT"
+git config --global gpg.ssh.allowedSignersFile ~/.ssh/allowed_signers
+git config --global commit.gpgsign true
+
+# Create allowed signers file
+echo "your.email@example.com ssh-ed25519 YOUR_KEY_CONTENT" > ~/.ssh/allowed_signers
+```
+
+For other issues, check the `project-setup.sh` and `setup-git-signing.sh` scripts for any errors.
diff --git a/.devcontainer/docker-compose.yml b/.devcontainer/docker-compose.yml
@@ -5,7 +5,7 @@ services:
       context: .
       dockerfile: Dockerfile
     env_file:
-      - /opt/configs/RembrandtK/rem/rs/graph.env
+      - /opt/configs/graphprotocol/contracts.env
     environment:
       # Cache directories
       - FOUNDRY_CACHE_DIR=/cache/foundry
diff --git a/.devcontainer/project-setup.sh b/.devcontainer/project-setup.sh
@@ -107,4 +107,12 @@ else
   echo "Shell customizations not found in PATH, skipping..."
 fi
 
+# Set up Git SSH signing
+echo "Setting up Git SSH signing..."
+if [ -f "$SCRIPT_DIR/setup-git-signing.sh" ]; then
+  "$SCRIPT_DIR/setup-git-signing.sh"
+else
+  echo "WARNING: setup-git-signing.sh not found, skipping Git SSH signing setup"
+fi
+
 echo "Project-specific setup completed"
diff --git a/.devcontainer/sample-graph.env b/.devcontainer/sample-graph.env
@@ -0,0 +1,8 @@
+# Sample environment file for Graph Protocol contracts development
+# Copy the Git settings below to your actual environment file at:
+# /opt/configs/graphprotocol/contracts.env
+
+# Git settings for commit signing
+# Add these settings if you want to enable Git commit signing
+GIT_USER_NAME=Your Name
+GIT_USER_EMAIL=your.email@example.com
diff --git a/.devcontainer/setup-git-signing.sh b/.devcontainer/setup-git-signing.sh
@@ -0,0 +1,76 @@
+#!/bin/bash
+# Automatically configure Git to use SSH signing with forwarded SSH keys
+set -euo pipefail
+
+echo "Setting up Git SSH signing..."
+
+# Check if SSH agent forwarding is working
+if ! ssh-add -l &>/dev/null; then
+  echo "ERROR: No SSH keys found in agent. SSH agent forwarding is not set up correctly."
+  echo "SSH signing will not work without SSH agent forwarding."
+  exit 1
+fi
+
+# Get the first SSH key from the agent
+SSH_KEY=$(ssh-add -L | head -n 1)
+if [ -z "$SSH_KEY" ]; then
+  echo "ERROR: No SSH keys found in agent. SSH signing will not work."
+  exit 1
+fi
+
+# Extract the key type and key content
+KEY_TYPE=$(echo "$SSH_KEY" | awk '{print $1}')
+KEY_CONTENT=$(echo "$SSH_KEY" | awk '{print $2}')
+
+# Check if Git user settings are available
+if [[ -z "${GIT_USER_NAME:-}" || -z "${GIT_USER_EMAIL:-}" ]]; then
+  echo "WARNING: Git user settings (GIT_USER_NAME and/or GIT_USER_EMAIL) are not set."
+  echo "Git commit signing will not be configured."
+  echo "If you need Git commit signing, add these variables to your environment file."
+  exit 0
+fi
+
+# Set Git user name from environment variable
+echo "Setting Git user.name: $GIT_USER_NAME"
+git config --global user.name "$GIT_USER_NAME"
+
+# Set Git user email from environment variable
+echo "Setting Git user.email: $GIT_USER_EMAIL"
+git config --global user.email "$GIT_USER_EMAIL"
+
+# Create the .ssh directory if it doesn't exist
+mkdir -p ~/.ssh
+chmod 700 ~/.ssh
+
+# Create or update the allowed signers file
+echo "Updating allowed signers file..."
+ALLOWED_SIGNERS_FILE=~/.ssh/allowed_signers
+SIGNER_LINE="$GIT_USER_EMAIL $KEY_TYPE $KEY_CONTENT"
+
+# Create the file if it doesn't exist
+if [ ! -f "$ALLOWED_SIGNERS_FILE" ]; then
+  echo "$SIGNER_LINE" > "$ALLOWED_SIGNERS_FILE"
+  echo "Created new allowed signers file."
+else
+  # Check if the key is already in the file
+  if ! grep -q "$KEY_CONTENT" "$ALLOWED_SIGNERS_FILE"; then
+    # Append the key if it's not already there
+    echo "$SIGNER_LINE" >> "$ALLOWED_SIGNERS_FILE"
+    echo "Added new key to allowed signers file."
+  else
+    echo "Key already exists in allowed signers file."
+  fi
+fi
+
+chmod 600 "$ALLOWED_SIGNERS_FILE"
+
+# Configure Git to use SSH signing
+echo "Configuring Git to use SSH signing..."
+git config --global gpg.format ssh
+git config --global user.signingkey "key::$KEY_TYPE $KEY_CONTENT"
+git config --global gpg.ssh.allowedSignersFile ~/.ssh/allowed_signers
+git config --global commit.gpgsign true
+
+echo "Git SSH signing setup complete!"
+echo "Your commits will now be automatically signed using your SSH key."
+echo "Make sure this key is added to GitHub as a signing key in your account settings."
