
feat(identity): store and retrieve full GPG keys #1527

Draft
smoyer64 wants to merge 4 commits into trunk from feat/store-retrieve-gpg-entity


Conversation


@smoyer64 smoyer64 commented Mar 3, 2026

This PR stores the full GPG private key to the git-bug keyring and marshals the full GPG public key into the git-bug Identity entity (user) that's committed to Git. This change is non-breaking but foundational - it allows future features such as exporting the GPG public keys associated with one or all users and unifies git-bug's commit signing and verification with Git itself.

Storing just the ASCII-armored *packet.PrivateKey makes it impossible to recover the associated public key as the identities, sub-keys and certifications are stripped. Likewise, marshaling just the *packet.PublicKey into the git-bug identity results in a public key that can perform certain verification functions, but can't be imported into GPG and therefore would never be used by Git.

For example, the current git-bug release produces the following ASCII-armored public key:


This key cannot be imported into GPG due to the missing identity and self-signed certification (and because the creation time is set to the Go zero value of time.Time):

$ gpg --import bug-pub.asc 
gpg: public key 1B2D75478EC5E678 is 5976 days newer than the signature
gpg: public key 1B2D75478EC5E678 is 5976 days newer than the signature
gpg: key 1B2D75478EC5E678: new key but contains no user ID - skipped
gpg: Total number processed: 1
gpg:           w/o user IDs: 1

Therefore, git can't verify the signature produced when the associated user commits a new bug:

$ git log --all --show-signature
commit 614c8d7cfbd62c7499b626da45719f30ae46aea6
gpg: Signature made Tue 03 Mar 2026 07:28:19 AM EST
gpg:                using RSA key 6AF508DC62C89CC3499F6A301B2D75478EC5E678
gpg: Can't check signature: No public key
Author:  <>
Date:   Tue Mar 3 07:28:19 2026 -0500

The updated code produces an ASCII-armored public key that includes the identities, sub-keys and certifications. This key is therefore noticeably larger:


But more importantly, this key can be imported into GPG:

$ gpg --import bug-pub.asc 
gpg: key 0D7BED3BEEC74734: public key "Steve Moyer (smoyer1) <smoyer1@selesy.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1

The git-bug commit is now recognized as having a valid signature:

$ git log --all --show-signature
commit bb499be38807b2172008d3c5c7be27cb87f95004
gpg: Signature made Tue 03 Mar 2026 07:44:30 AM EST
gpg:                using RSA key 79736046DA1614FAEE8927A80D7BED3BEEC74734
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   6  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 6u
gpg: Good signature from "Steve Moyer (smoyer1) <smoyer1@selesy.com>" [ultimate]
Primary key fingerprint: 7973 6046 DA16 14FA EE89  27A8 0D7B ED3B EEC7 4734
Author:  <>
Date:   Tue Mar 3 07:44:30 2026 -0500

Note that the presence or absence of signatures on git-bug commits doesn't impact the behavior of "Require signed commits" on GitHub branch rules:
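As an added check (example code, not part of this PR or of git-bug), the following standard-library Go program walks the packets inside a binary OpenPGP key block and flags the bare-key case that gpg rejects above with "new key but contains no user ID". The sample bytes are constructed, not a real key, and the input is assumed to be the packet stream after the armor has been decoded (for instance with gpg --dearmor).

```go
package main

import "fmt"

// Constructed sample, not a real key: a new-format public key packet (0xc6, tag 6),
// then an old-format User ID packet (0xb4, tag 13) and Signature packet (0x89, tag 2).
var FullCert = []byte{0xc6, 3, 4, 0, 1, 0xb4, 5, 'a', 'l', 'i', 'c', 'e', 0x89, 0, 2, 4, 0x13}
var BareKey = FullCert[:5] // the key packet alone, which is all the old export carried
// PacketTags walks a binary OpenPGP packet stream (the bytes inside the armor) and
// returns each packet's tag (RFC 4880 §4.2); unsupported lengths and overruns are errors.
func PacketTags(data []byte) (tags []int, err error) {
	for i := 0; i < len(data); {
		hdr := data[i]
		if hdr&0x80 == 0 || i+1 >= len(data) {
			return nil, fmt.Errorf("offset %d: bad or truncated packet header", i)
		}
		tag, hdrLen, start, base, n := int(hdr&0x3f), 2, i+1, 0, 0 // new format, 1-octet length
		switch l := int(data[i+1]); {
		case hdr&0x40 == 0 && hdr&3 != 3: // old format: tag in bits 2-5, 1<<lt length octets
			tag, hdrLen = int(hdr>>2)&0x0f, 1+1<<(hdr&3)
		case hdr&0x40 == 0 || l >= 224 && l < 255:
			return nil, fmt.Errorf("offset %d: indeterminate or partial body length", i)
		case l >= 192 && l < 224: // two octets encode (first-192)<<8 + second + 192
			hdrLen, base = 3, 192-192<<8
		case l == 255: // the following four octets hold the length
			hdrLen, start = 6, i+2
		}
		if i+hdrLen > len(data) {
			return nil, fmt.Errorf("offset %d: truncated length field", i)
		}
		for _, c := range data[start : i+hdrLen] { // big-endian length octets
			n = n<<8 | int(c)
		}
		if i += hdrLen + n + base; i > len(data) {
			return nil, fmt.Errorf("packet tag %d: body runs past end of data", tag)
		}
		tags = append(tags, tag)
	}
	return tags, nil
}

// Importable reports whether GPG would accept the stream rather than skip it as
// "new key but contains no user ID": tags 6, 13 and 2 must all be present.
func Importable(data []byte) bool {
	tags, err := PacketTags(data)
	have := 0
	for _, t := range tags {
		have |= 1 << t // one bit per tag seen
	}
	return err == nil && have&(1<<6|1<<13|1<<2) == 1<<6|1<<13|1<<2
}
```

Importable(BareKey) is false and Importable(FullCert) is true; a real export can be fed in after dearmoring to confirm it carries the User ID and self-signature packets before relying on it for commit verification.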


smoyer64 force-pushed the feat/store-retrieve-gpg-entity branch from d0209e5 to a1a1629 on March 3, 2026 13:43
smoyer64 marked this pull request as draft on March 4, 2026 16:02