[NOT a Nova Extension issue] Git not auto-signing from inside Nova

Hello there!

I’m quite sure that this question is being placed in the wrong place, but I wonder, these days, where we should post non-extension-related questions…

I have noticed that, for some unfathomable reason, git is not being launched with the auto-sign option when launched via Nova. This is strange, because I thought — perhaps wrongly! — that Nova would read the .git/config file (as well as the global configurations) to properly access remote repositories (which it does).

However, it seems to ignore the following configuration commands:

[commit]
  gpgSign = true
[tag]
  forceSignAnnotated = true
[user]
  signingKey = <random sequence of letters>

When launched from the command line, /usr/local/bin/git has no problem in applying these commands to all commits. As I’m sure you’re aware, in certain environments, it’s good practice to PGP-sign one’s commits to public repositories, such as some projects in GitHub.

But since the manual states:

Nova’s git support is built-in and does not require any additional software to be installed.

I therefore have to assume that Nova, unlike Coda 2, is using some hard-coded library providing Git support which does not support the full Git configuration parameters. I’m using 2.31.1, but the auto-signing functionality has been around since at least 1.5 in one form or another.

Also, under Coda 2 this was an easy fix — just pass /usr/local/bin/git -S on the command line — since we had a configuration option for changing what Coda 2 would call on the command line — or, alternatively, create a git alias (or even a shell alias!). I could not find any equivalent configuration option in Nova; maybe it doesn’t even make sense, if you’ve really added git support directly in the source code using some sort of external library and are therefore limited to whatever Git functionality the vendor has packed into their library…

1 Like

Hm. I don’t normally use the git bits in Nova for commits, but with a bit of poking at this, I can’t get commit signing to work either. Now back to CLI & Tower.

1 Like

Yes, you are correct. Nova currently does not support signing / GPG for Git. This is a limitation of the underlying C library we use for Git operations, libgit2. We have an outstanding feature request for supporting this and hope to do it in the future!

2 Likes

Hi @logan, I didn’t want to reply to the OP in order not to derail the conversation, but now that you have seen the original issue, I thought this might be a good time to provide additional feedback related to git functionality.

Currently the git UI included in Nova is not very useful (to me, from a development workflow perspective), as it does not provide the ability to review the changed files (using diffs) before committing them. The review process is integral to my workflow; it helps me ensure that I didn’t leave debug code in the changes and that I didn’t miss anything before committing it to git.

Is this something that could be added to the feature requests list? 🙂 Currently I just use Git Tower next to Nova, which isn’t a bad workflow for me. I just thought I’d provide this feedback, as comparing changes (as well as git signing) are the two items currently preventing me from using the git pane in my workflow. 🙂

Thanks as always for your help!

2 Likes

And now following up on myself 🙂

I know, I’m an ‘unusual’ user and always pushing it to the edges 🙂

Recently, I joined Keybase. They’ve been around for a while; my actual reason for joining was that one of the tech groups I follow uses Keybase as their chatroom — not necessarily because of its super-strong PGP encryption (they’re not paranoid enough for that), but rather because it comes for free with the Keybase app. Since Keybase works flawlessly with my current PGP setup — no need to create more PGP keys, etc., it just works with what I’ve got — I gave it a try, a few months ago.

Among many other goodies (such as offering encrypted folders for both private files as well as the ability to share them publicly — to anyone who has your public key to decrypt them), I found out that they even had a built-in Git server! It’s obviously not designed to replace GitHub or GitLab, of course, but it works quite well for my purposes, for small projects that I don’t intend to make public, and, if I do, I most certainly wish to benefit from fully encrypted authentication and access.

Keybase does a lot of interesting ‘magic’ at the OS level. In particular, it hooks on the git command-line application so that it ‘understands’ keybase:// URLs for Git repositories (e.g. just as ‘standard’ Git understands https://, ssh:// and git:// URLs). This, in turn, sets up whatever ‘magic’ is required at the communications layer to get git to place its files in the encrypted Git repository. From the end user’s perspective, it’s completely transparent — you use the same tools as with any other kind of repository.

How exactly this works is really beyond my understanding — there are so many options to git that it’s not impossible that hidden among them is a way to define one’s own transport mechanism — but obviously libgit2 is clueless about it. And I can understand why: there are limits to how fast you can keep up with all the ‘innovations’ brought in by the core Git development team (is Linus Torvalds still the head of that team?) and exactly replicate its functionality…

So here goes my suggestion. For most practical purposes, libgit2 does a reasonably good job, and it’s well-integrated into Nova. When I use any external tool to tinker with my Git setup — say, either launching git push from the command line or using the GitHub app to do that (and get those precious diffs side by side…), whatever changes are made via these external tools are almost instantly ‘made known’ to Nova. In other words, I don’t know exactly how libgit2 works — if it gets automatically notified by macOS when a change happens, or if it just calls the equivalent of git status every second or so, and checks if there were any changes — but the truth is that changes are reflected on Nova as close to real-time as possible. I have yet to see Nova failing to keep up with whatever is being done with Git outside Nova. That means I can focus mainly on remaining ‘inside’ Nova for 70% or so for the functionality I use, and manually type commands via the Git CLI or other tools to do whatever Nova cannot do via libgit2. It can be a bit annoying, but things work quite well together…

Therefore, it would make little sense to ‘revert’ to a pre-Nova (i.e. Coda 2) way of dealing with the Git endpoints.

However, what might make some sense is to have an additional option for Git, namely, the ability to run an external command instead of using the built-in libgit2. Ideally, of course, I’d like that to happen just for some projects (those that really require the extra functionality that libgit2 does not have), e.g. have a checkbox for ‘use built-in Git’ for each project.

I’m pretty sure that there is a good reason why Panic dropped support for an external Git tool (as well as getting rid of Subversion); and, in theory, this could be something done as a Nova extension (I understand that we could even add a sidebar which would replicate the built-in Git functionality) — but it would be a really wasteful exercise since so much work has been put in the current Git implementation (which is rather well done!).

Anyway, just some additional rambling from Yours Truly…

2 Likes

Is there an update for this?

Heh. I wish. That reminds me of a long-standing issue on Bitbucket, Atlassian’s Git repository: the request for commit signing was made almost a decade before it was actually implemented… Many — if not most! — of those who originally posted that request have long since abandoned Bitbucket in favour of GitHub (or any other public repository that does allow signing commits), of course.

The issue, however, seems to be strictly tied to libgit2, used by Nova, which has had an outstanding request for supporting commit signing since early 2019. I can only assume that this is never going to be implemented — and, as a consequence, this means that Nova won’t support signing commits.

As suggested before, one workaround would simply be to call Git as an external process and let it do its magic (similar to how Coda 2 used to do). It could be an option — either using libgit2 or calling git as a separate process…

For what it’s worth, we do have intent to add this, it’s just proved difficult.

libgit2 has specifically said they do not intend to support this themselves, very similarly to Git hooks, as they see it as an application-level feature.

Integrating support for signing would require either shelling out to a user’s installed tool (likely gpg / GnuPG for most users) or integrating a library that is compliant with the OpenPGP standard.

The former has been difficult to do in our testing, as gpg really doesn’t like being invoked unless you’re running from an interactive terminal, where it can prompt securely from within the terminal session. I spent about four days trying to get this working a few months back but kept running up against weird edge cases with invoking the tool, reading its output, or passing it parameters in a secure fashion.

As for the latter, there are a few options of varying quality. I’ve looked into the GnuPG project’s portable library (GPGME), but it seems to have issues building on macOS that I don’t quite understand, and the library itself is not well documented. There are a couple of other open-source options that have more permissive licenses, but we haven’t tested them yet.

I do know that the author of Working Copy for iOS has integrated signing support, which obviously couldn’t use a shell tool, so I should ask them what they might’ve used or whether they rolled their own PGP-compliant tool.

3 Likes
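The discussion above (the OP's question of why commits come out unsigned, and the reply about what a client has to integrate to sign them) can be made concrete by looking at what a signed commit actually is on disk. Git serialises the commit object, hands that buffer to an OpenPGP signer as a detached signature, and stores the ASCII-armoured result in a `gpgsig` header whose continuation lines are each prefixed by one space; verification strips that header and checks the signature over what remains. The following is an added example, not Nova's, libgit2's or git's own code: it builds and takes apart such an object using a constructed commit and a constructed placeholder signature (no real key or gpg invocation is involved), so the only thing it demonstrates is the object layout a client must produce.

```python
"""Attach and detach a PGP signature on a Git commit object.

Added example, not Nova/libgit2/git code. Both the commit and the
'signature' below are constructed sample data; the signature is a
placeholder standing in for ASCII-armoured detached-signature output.
"""
import hashlib

# Constructed sample: a commit as it is serialised before signing.
UNSIGNED_COMMIT = (
    "tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904\n"
    "parent 1111111111111111111111111111111111111111\n"
    "author Example Dev <dev@example.invalid> 1609459200 +0000\n"
    "committer Example Dev <dev@example.invalid> 1609459200 +0000\n"
    "\n"
    "Sign me\n"
)

# Constructed placeholder; a real signer would emit real armour here.
FAKE_SIGNATURE = (
    "-----BEGIN PGP SIGNATURE-----\n"
    "\n"
    "iQEzBAABCAAdFiEEplaceholderplaceholderplaceholderplaceholder\n"
    "=AbCd\n"
    "-----END PGP SIGNATURE-----\n"
)


def split_commit(raw: str):
    """Split a commit object into its header lines and its message."""
    headers, _, message = raw.partition("\n\n")
    return headers.split("\n"), message


def attach_signature(raw: str, armored_sig: str) -> str:
    """Add a `gpgsig` header carrying the armoured detached signature.

    The first armour line follows 'gpgsig '; every further line,
    including the blank one inside the armour, is a continuation line
    prefixed with a single space, which is how git stores it.
    """
    headers, message = split_commit(raw)
    sig_lines = armored_sig.rstrip("\n").split("\n")
    gpgsig = ["gpgsig " + sig_lines[0]] + [" " + line for line in sig_lines[1:]]
    return "\n".join(headers + gpgsig) + "\n\n" + message


def detach_signature(raw: str):
    """Return (payload, armoured signature or None).

    The payload is the commit with the gpgsig header removed; that is
    the exact byte sequence a verifier checks the detached signature
    against. Unsigned commits yield None for the signature.
    """
    headers, message = split_commit(raw)
    kept, sig, in_sig = [], [], False
    for line in headers:
        if line.startswith("gpgsig "):
            in_sig = True
            sig.append(line[len("gpgsig "):])
        elif in_sig and line.startswith(" "):
            sig.append(line[1:])
        else:
            in_sig = False
            kept.append(line)
    payload = "\n".join(kept) + "\n\n" + message
    return payload, ("\n".join(sig) + "\n" if sig else None)


def commit_id(raw: str) -> str:
    """Object id as git computes it: SHA-1 over 'commit <len>\\0' + body."""
    body = raw.encode()
    return hashlib.sha1(b"commit %d\0" % len(body) + body).hexdigest()


if __name__ == "__main__":
    signed = attach_signature(UNSIGNED_COMMIT, FAKE_SIGNATURE)
    print(signed)
    payload, sig = detach_signature(signed)
    print("payload round-trips:", payload == UNSIGNED_COMMIT)
    print("signed id differs from unsigned id:",
          commit_id(signed) != commit_id(UNSIGNED_COMMIT))
```

Two practical consequences follow from the layout. Because the signature lives inside the object, signing changes the commit id, so a client cannot sign an already-written commit in place and has to produce the signature before the object is stored. And because the signed payload is just the serialised commit, a client that cannot drive gpg non-interactively (the problem described in the reply above) only needs some signer that takes this buffer and returns armoured output; where the signer comes from is an integration choice, not a format one.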