Sign commits created by Batch Changes with GitHub App (Tracking)

[BolajiOlajide]

This issue is related to #15271.

We have requests from some of our customers to add an extra layer of security when creating changesets from a Batch Change to have the associated commits in a changeset signed by the author of the Batch Change. To achieve tho

• Gitlab
• Github
• Bitbucket (Unsupported)
• Azure DevOps (Unsupported)

The proposal here is to have users generate SSH keys on Sourcegraph, the private key will be encrypted and stored and used for creating commits, while the public key will be displayed to the user to be added to their code hosts.

Thanks to Erik, we have a draft PR here.

The scope of work involved to finish this implementation includes:

• Extending the user credential and site admin credential types by a flag "I want signing bool" that can be toggled from the UI
  • If that is checked, we will show the generated SSH key regardless of if ssh on the code host is enabled
  • And inform the user that they need to store that key in their profile as a signing key
• Polishing the gitserver part of that PR, likely want some testing and such
• Adding some feature gating because older GitHub instances don't support this signing type
• Investigating if GitLab supports this, implementing support for it if so
• Documenting
• Testing

Tracked issues

@unassigned

• https://github.com/sourcegraph/sourcegraph/issues/51219
• https://github.com/sourcegraph/sourcegraph/issues/52792
• https://github.com/sourcegraph/sourcegraph/issues/53320

Completed

• (🏁 20 days ago) https://github.com/sourcegraph/sourcegraph/issues/50940
• (🏁 20 days ago) https://github.com/sourcegraph/sourcegraph/issues/50944

@BolajiOlajide

• https://github.com/sourcegraph/sourcegraph/pull/52333

Completed

• (🏁 22 days ago) https://github.com/sourcegraph/sourcegraph/issues/52264
• (🏁 19 days ago) https://github.com/sourcegraph/sourcegraph/issues/52270
• (🏁 19 days ago) https://github.com/sourcegraph/sourcegraph/issues/52324
• (🏁 19 days ago) https://github.com/sourcegraph/sourcegraph/issues/52346
• (🏁 12 days ago) https://github.com/sourcegraph/sourcegraph/issues/52494
• (🏁 2 days ago) https://github.com/sourcegraph/sourcegraph/issues/52475 (PRs: #52979)

@courier-new

Completed

• (🏁 19 days ago) https://github.com/sourcegraph/sourcegraph/issues/52342 (PRs: #52430)
• (🏁 11 days ago) https://github.com/sourcegraph/sourcegraph/issues/52488 (PRs: #52749)
• (🏁 8 days ago) https://github.com/sourcegraph/sourcegraph/issues/52493 (PRs: #52492)
• (🏁 7 days ago) https://github.com/sourcegraph/sourcegraph/pull/52907
• (🏁 5 days ago) https://github.com/sourcegraph/sourcegraph/issues/52341
• (🏁 5 days ago) https://github.com/sourcegraph/sourcegraph/issues/53032
• (🏁 2 days ago) https://github.com/sourcegraph/sourcegraph/pull/53286
• (🏁 2 days ago) https://github.com/sourcegraph/sourcegraph/issues/52220 (PRs: #52979)
• (🏁 1 day ago) https://github.com/sourcegraph/sourcegraph/issues/53280 (PRs: #53212)

@st0nebraker

• https://github.com/sourcegraph/sourcegraph/issues/52224

Completed

• (🏁 25 days ago) https://github.com/sourcegraph/sourcegraph/issues/50935
• (🏁 25 days ago) https://github.com/sourcegraph/sourcegraph/issues/51317
• (🏁 22 days ago) https://github.com/sourcegraph/sourcegraph/issues/52264
• (🏁 19 days ago) https://github.com/sourcegraph/sourcegraph/issues/52270
• (🏁 19 days ago) https://github.com/sourcegraph/sourcegraph/issues/52324
• (🏁 19 days ago) https://github.com/sourcegraph/sourcegraph/issues/52465
• (🏁 8 days ago) https://github.com/sourcegraph/sourcegraph/issues/52484
• (🏁 7 days ago) https://github.com/sourcegraph/sourcegraph/issues/52223 (PRs: #52979)

Stretch goal:

• Infer commit author details from credentials #51431

[courier-new]

Given what we've been discussing about https://github.com/sourcegraph/sourcegraph/issues/32196, it sounds like that'll probably come first, then at least some initial feedback gathering, before we would consider prioritizing this. So maybe for now, backlog?

[courier-new]

We resolved in our last team sync that this would likely require minimal additional effort to complete over https://github.com/sourcegraph/sourcegraph/issues/32196 but would nontrivially improve the UX, so we will be planning to move forward with this issue for the next round of Job Fair work.

[courier-new]

I saw during sprint planning there was another ticket with an open investigation as to where we store the commit signing keys. I can't seem to find that ticket now. Did we come to a decision about that?

[st0nebreaker]

I'm unclear on a few things in these project specs:
(1)

• Extending the user credential and site admin credential types by a flag "I want signing bool" that can be toggled from the UI
  • If that is checked, we will show the generated SSH key regardless of if ssh on the code host is enabled
  • And inform the user that they need to store that key in their profile as a signing key

Do we need a design for this? I'm not familiar with where this admin toggle would live.

(2) Will the SSH signing key be able to be used universally for GitLab (if GitLab supports this) and GitHub ? Or would we need one for each code host? This will effect the design and how we display the info and give more actions here for the user.

(3) On a similar note, for #50944, if we extend the CreateBatchChangesCredential mutation to generate this SSH key, how would this work with the current variables we require in the request? externalServiceKind & externalServiceURL could be static if this feature is only supported in GitHub, or we can give some user action to determine if it's for GitHub/GitLab. But credential is also required, but we're trying to generate one here, correct? Not store what a different code host generates. Would it make more sense to create a new endpoint to generate the SSH signing key? I'm just trying to understand the shape of the data & request the client needs to make as I work on #50935. @sourcegraph/batchers

[courier-new]

So I don't want to speak for Bolaji, but in the hopes that this might at least partially unblock you, here's what I would personally interpret/suggest for these things:

1. Do we need a design for this? I'm not familiar with where this admin toggle would live.

I'm actually really glad you asked about this because I totally missed this part of the project spec, and I think it cleared up one of my own questions! 😂 I believe this admin toggle would belong on the "add credential" modal for configuring code host credentials on that same user/admin settings page.

cc @danielmarquespt for thoughts on this, but here's what I might propose in terms of design:

1. We show a checkbox at the end of the "add credential" modal form to enable a user to toggle commit signing on/off for that code host credential:
   

2. When toggled, we expand the form to show a region similar to "Step 2: Get SSH Key" on the version of the modal where the code host has SSH enabled for the connection, except maybe the text reads like this:
   

3. The "Configuration instructions" link should link to the docs pages referenced in the initial issue description above for the appropriate code host.

4. If the code host type does not support commit signing, e.g. Bitbuckets or ADO, we disable the checkbox with a tooltip:
   

   This should match the style of the execution options dropdown on the spec editor page:
   

   The checkbox could also be disabled if the user has not yet created any key to sign with:
   

5. I expect we will add another arg to the CreateBatchChangesCredential mutation to reflect whether or not this checkbox is toggled, such as preferSignedCommits: Boolean, so that we can use that information when acting with this credential.

6. Once successfully configured, the credential node should show an indication that it uses commit signing, such as with an inline badge:
   

   Or likewise if it's from a global token:
   

   I would expect this property to be queryable on the BatchChangeCodeHost type as a field like prefersSignedCommits.

7. Lastly, for code hosts with SSH enabled, you can view credentials after the fact, if you forgot the public key. We should mirror the form checkbox here in a readonly mode:
   

---

2. Will the SSH signing key be able to be used universally for GitLab (if GitLab supports this) and GitHub ? Or would we need one for each code host? This will effect the design and how we display the info and give more actions here for the user.

My current understanding is that a user generates a single signing key to use across all of their code hosts that would support it. The way it's presented in the design screenshot seems to support that. We definitely ought to convey this appropriately in the modal when that appears when you generate it.

---

3. On a similar note, for https://github.com/sourcegraph/sourcegraph/issues/50944, if we extend the CreateBatchChangesCredential mutation to generate this SSH key, how would this work with the current variables we require in the request?

This is exactly the question I asked on https://github.com/sourcegraph/sourcegraph/issues/50944 myself. 🙂 So I definitely want to hear what Bolaji had in mind for this. My personal feeling is that it ought to be a separate mutation and write the key to a separate table, but for now to unblock you on that I'd advise just skipping the onclick handler for generating the new key, if you can.