Signature verification

[julienvincent]

This is a continuation from #3007 and #2728 which adds in the templater changes for verifying and displaying commit signatures.

---

There were some outstanding comments on #3007 which I am listing below:

• Commit signing backend implementation #3007 (comment)
• Commit signing backend implementation #3007 (comment) - I understand the conclusion to be that this could be addressed later.

Checklist

If applicable:

• I have updated CHANGELOG.md
• I have updated the documentation (README.md, docs/, demos/)
• I have updated the config schema (cli/src/config-schema.json)
• I have added tests to cover my changes

[necauqua]

I think this should not be a global flag - it only applies to log and status, maybe something else that's using the template, and that's it

[julienvincent]

I agree, but it's really not clear to me how to link command local arguments to the config as it is done here. How would I go about doing that?

[martinvonz]

I think you will have to make the flag a member of CommitTemplateLanguage.

[yuja]

Is it common to temporarily turn on/off this flag?

Can't we simply let the user select -Tbuiltin_log_compact_without_signature or -Tbuiltin_log_compact_with_signature? (Or something like template-aliases.format_cryptographic_signature(signature) to override?)

[julienvincent]

Personally I believe this does belong as a feature flag. Signing is a fairly broad operation that has 'first-class' support in other commands and should I think have similar 'first-class' support in commands that render commits.

It seems a bit clunky to have to maintain separate (otherwise identical) templates just for rendering a signature - and similarly clunky from a users perspective to then need to select the correct template variation. This is made even worse if the user is then making their own templates that need to show this information.

Being able to build templates that support rendering a signature based on whether the information is present or not seems to me like a better all-round approach.

Is it common to temporarily turn on/off this flag?

I don't know if I would claim this is a commonly used option, but I do use this fairly often to check (for example) that I am not overriding someones signatures during a rebase.

By default I want it off unless I want to quickly view this information. If this was a template I would need to google the template name every time I wanted to use it as apposed to just checking help text.

---

Lastly, and probably not a very strong point, but git does also exposes a flag with this name. Doing the same would help ease the experience of users coming from git as things will all work in a familiar way.

[necauqua]

yeah I agree with everything said, templates seem a bit clunky for this

[yuja]

I'm not against adding a flag to disable verification process (which I think @necauqua suggested somewhere), but I think the visibility should be controlled by template. It's confusing if -Tsignature needed additional flag to turn it into non-empty string.

I don't know if I would claim this is a commonly used option, but I do use this fairly often to check (for example) that I am not overriding someones signatures during a rebase.

By default I want it off unless I want to quickly view this information. If this was a template I would need to google the template name every time I wanted to use it as apposed to just checking help text.

It's not uncommon to switch between a few sets of preferred templates. Git provides various flags to control outputs (--oneline, --pretty=, etc.) In jj (and hg), it's controlled by -T/--template. I don't think --show-signature is special, and I would probably want to enable the signature only in detailed output (e.g. only in -Tbuiltin_log_detailed.)

Regarding discoverability, I agree. (related: #3175)

[necauqua]

Yeah, I guess this all makes sense too.

Since the verification is only invoked when the templater asks for it, you can just not have it in the default template and have a non-default template that shows the sigs.

With that, to show the signature once you'd do jj log .. -T show-signature or similar, and to have it shown always you'd edit the template in your config - eliminating the need for the signing.show-signatures config option.

We could add a hidden --show-signature flag to the log command the sole purpose of which would be to print a hint that "probably you want -T builtin_log_with_signature_or_something_shorter_than_that_lol" - this would be great for learning when moving from git

@julienvincent what do you think about this

---

Some other thoughts:

I'd keep the template alias function thing that makes pretty checkmarks from the signature variable that I had there - just don't use it by default, but keep it for me so that the default template override is simple - and such an override could go into the docs like "if you want to see the checkmars like on github".

Probably would be great to go the format_short_id route - have a template verify_commit_signature that resolves to nothing and is used in the default templates, and then people can do something like verify_commit_signature = render_the_checkmark_thing in their config.

Another thing is I'd refactor the verification so that it happens only on concrete signature.valid/invalid/etc template calls, but not on signature.present(), which would just check for the gpgsig header presence which is real fast, to support the usecase I've described where someone (me again) might want to just always have a symbol in the log showing that there's some signature without paying the performance cost of full verification on every log.

[yuja]

I'd keep the template alias function thing that makes pretty checkmarks from the signature variable that I had there - just don't use it by default, but keep it for me so that the default template override is simple - and such an override could go into the docs like "if you want to see the checkmars like on github".

Probably would be great to go the format_short_id route - have a template verify_commit_signature that resolves to nothing and is used in the default templates, and then people can do something like verify_commit_signature = render_the_checkmark_thing in their config.

That could be other way around, or both?

builtin_log_compact(whatever_template_to_insert_after_commit_id) = ...
then
my_log_sig = 'builtin_log_compact(fancy_sig_status)'

[julienvincent]

Yes I think I am also in agreement with what has been discussed here. I had already started to implement the discussed changes, starting by adding a way to test the signature templates and then removing the changes to the default templates and the --show-signature flag.

I haven't had a lot of time in the last couple weeks so sorry this is dragging on a bit. I will probably only get time to complete the work here on the upcoming weekend.

[necauqua]

"configured signing backends" here sounds like "enabled signing backends" - which is not the case, the verification uses "all the backends" - and well while you have to configure allowed signers for ssh, for gpg it actually just works™ if it's installed and the keys are imported (and even for unknown keys it'll show key fingerprint), no jj configuration needed

[yuja]

I've moved the whole section under the "Commit type", so signature: .. will have to be moved there.

I'm also doing some structural changes in the template engine. It should be relatively easy to migrate to the new form, but auto-rebase will fail. Just fyi.

[yuja]

Maybe better to split the changes in the default templates? I think this would be a controversial part, and we'll have to be careful because these changes affect all users.

[yuja]

nit: maybe this can be inlined? It's not obvious at the call site whether the arguments are (old, new) or (new, old).

[yuja]

nit: can be squashed to the templating commit.

We usually include trivial test and doc changes in the implementation patch.

[julienvincent]

Superseded by #4853