
fix: honor gpg.program in LoadPublicKeyFromGitConfig #1265

Open

ayuxsh009 wants to merge 1 commit into gittuf:main from ayuxsh009:fix/gpg-program-publickey-path

Conversation

@ayuxsh009 (Contributor) commented Apr 7, 2026

Description

Fixes #1261.

LoadPublicKeyFromGitConfig previously ignored gpg.program and always executed gpg from PATH.
LoadSignerFromGitConfig already honored gpg.program, which caused inconsistent behavior in minimal PATH environments.

This PR:

  • Updates the GPG public-key loading path used by LoadPublicKeyFromGitConfig to respect gpg.program when configured.
  • Keeps default behavior when gpg.program is not set.
  • Adds a regression test that simulates restricted PATH and verifies both signer loading and public-key loading work when gpg.program is configured.

Testing performed:

  • go test -count=1 -run TestLoadPublicKeyFromGitConfig ./experimental/gittuf -v
  • go test -count=1 -race -run TestLoadPublicKeyFromGitConfig ./experimental/gittuf -v
  • go test -count=1 ./experimental/gittuf -v
  • go test -count=1 ./...

AI Usage

  • I did not use generative AI at all in making the content of this pull request.
  • I did use generative AI in some form in making the content of this pull request. I have described my use of AI below.

Contributor Checklist

  • I have manually reviewed all content submitted to gittuf in this pull request.
  • I fully understand the content I am submitting.
  • The changes introduced are documented and have tests included if applicable.
  • My changes do not infringe on copyright/trademarks/etc.
  • All commits in this pull request include a DCO Signoff.
  • By submitting this pull request, I agree to follow the gittuf Code of Conduct.

@ayuxsh009 ayuxsh009 force-pushed the fix/gpg-program-publickey-path branch from 4fcf6b4 to 087cc10 Compare April 7, 2026 14:52

@patzielinski (Collaborator) left a comment

Thanks for reporting the issue and sending this PR in, @ayuxsh009.

The solution to this is simpler than the code in the PR: we just need to have the GPG case in LoadPublicKey inspect the Git config. We also want to mirror the behavior of signerverifier, where the Git config is always inspected for the preferred GPG program.

Please make the changes I've suggested, squash commits when done, and we should get this merged soon. Thanks!

Review threads (collapsed): experimental/gittuf/keys.go (outdated), experimental/gittuf/keys.go (outdated), experimental/gittuf/keys.go, experimental/gittuf/keys_test.go
@ayuxsh009 ayuxsh009 force-pushed the fix/gpg-program-publickey-path branch from 087cc10 to b0056d6 Compare April 7, 2026 20:32
@ayuxsh009 (Contributor, Author) commented

> Thanks for reporting the issue and sending this PR in, @ayuxsh009.
>
> The solution to this is simpler than the code in the PR: we just need to have the GPG case in LoadPublicKey inspect the Git config. We also want to mirror the behavior of signerverifier, where the Git config is always inspected for the preferred GPG program.
>
> Please make the changes I've suggested, squash commits when done, and we should get this merged soon. Thanks!

Implemented. I moved the fix into LoadPublicKey so the GPG path now checks Git config for gpg.program (with fallback to gpg), matching signer behavior. I also squashed this PR to one commit.
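The resolution described in this comment (consult Git config for gpg.program, fall back to gpg when it is unset), written out as an added Go example. This is not gittuf's code; the names ResolveGPGProgram, GitConfigGet, ConfigReader, ErrKeyUnset and DefaultGPGProgram are assumptions for the example, and the ConfigReader injection point exists only so the fallback logic can be tested without a Git installation. It treats the "key not set" exit status of `git config --get` as the fallback case and propagates every other error, so a missing or broken git is reported rather than silently replaced by a different binary.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"strings"
)

// DefaultGPGProgram is the fallback when gpg.program is not configured,
// i.e. "gpg from PATH" as the PR description puts it.
const DefaultGPGProgram = "gpg"

// ErrKeyUnset reports that a key is absent from every Git config scope.
var ErrKeyUnset = errors.New("git config key not set")

// ConfigReader returns the value of one Git config key. It is a
// hypothetical injection point for this example so the resolution logic
// can be exercised without running Git.
type ConfigReader func(key string) (string, error)

// GitConfigGet reads a single key with `git config --get`. The program
// name "git" must be exec.Command's first argument; "config" is only the
// subcommand. Without a scope flag Git consults system, global and, when
// run inside a repository, local config, so this works whether or not a
// repository has been loaded.
func GitConfigGet(key string) (string, error) {
	out, err := exec.Command("git", "config", "--get", key).Output()
	if err != nil {
		var exitErr *exec.ExitError
		// `git config --get` exits with status 1 when the key is simply
		// missing; that is the "not configured" case, not a failure.
		if errors.As(err, &exitErr) && exitErr.ExitCode() == 1 {
			return "", ErrKeyUnset
		}
		return "", fmt.Errorf("unable to read Git config: %w", err)
	}
	return strings.TrimSpace(string(out)), nil
}

// ResolveGPGProgram returns the configured gpg.program, falling back to
// DefaultGPGProgram only when the key is unset or empty. Any other error
// is returned unchanged so a broken environment surfaces to the caller.
func ResolveGPGProgram(read ConfigReader) (string, error) {
	value, err := read("gpg.program")
	switch {
	case errors.Is(err, ErrKeyUnset):
		return DefaultGPGProgram, nil
	case err != nil:
		return "", err
	case value == "":
		return DefaultGPGProgram, nil
	default:
		return value, nil
	}
}

func main() {
	program, err := ResolveGPGProgram(GitConfigGet)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	// The resolved program is what a public-key export should invoke,
	// e.g. exec.Command(program, "--export", ...), instead of a bare "gpg".
	fmt.Println("gpg program:", program)
}
```

Both the signer path and the public-key path can share ResolveGPGProgram, which is the consistency the issue asks for: the same value is resolved from the same scopes regardless of which loader runs.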

@ayuxsh009 ayuxsh009 force-pushed the fix/gpg-program-publickey-path branch from b0056d6 to 566c3e4 Compare April 7, 2026 20:35
@ayuxsh009 ayuxsh009 requested a review from patzielinski April 7, 2026 20:46
@patzielinski patzielinski force-pushed the fix/gpg-program-publickey-path branch from 566c3e4 to 1ffc75f Compare May 26, 2026 19:11
Copilot AI review requested due to automatic review settings May 26, 2026 19:11

Copilot AI left a comment

Copilot was unable to review this pull request because the user who requested the review is ineligible. To be eligible to request a review, you need a paid Copilot license, or your organization must enable Copilot code review.

@patzielinski patzielinski force-pushed the fix/gpg-program-publickey-path branch from 1ffc75f to 9d0da60 Compare May 26, 2026 19:35
Signed-off-by: ayuxsh009 <1raj.aayush@gmail.com>
Copilot AI review requested due to automatic review settings May 26, 2026 19:35
@patzielinski patzielinski force-pushed the fix/gpg-program-publickey-path branch from 9d0da60 to 05f1868 Compare May 26, 2026 19:35

@patzielinski (Collaborator) commented

@adityasaky I've reworked this to now support using the user's chosen gpg.program even if a repository hasn't been loaded. It's not a super-elegant fix, so let me know if you have thoughts on this.

return nil, fmt.Errorf("unable to read Git config: %w", err)
}
} else {
output, err := exec.Command("config", "--global", "--get-regexp", `.*`).Output()
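Review bot: `exec.Command("config", "--global", "--get-regexp", `.*`)` never runs Git, because exec.Command's first argument is the program to execute; as written it tries to launch a binary named `config`, so this branch fails on every host. It should be `exec.Command("git", "config", "--global", "--get-regexp", `.*`)`. While here, consider dropping `--global`: Git run outside a repository with no scope flag already reads both the system and the global config, whereas `--global` restricts the lookup to one file, so a gpg.program set in system config would be found by the `repo != nil` branch but missed by this one.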

Member left a comment

Missing git? Guessing this is not tested then? 😄

Member left a comment

Also do we need --global here?

Comment on lines +17 to +22
func GetGitConfig(repo *Repository) (map[string]string, error) {
var stdOut string
var err error

if repo != nil {
stdOut, err = repo.executor("config", "--get-regexp", `.*`).executeString()
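Review bot: GetGitConfig is exported from the public gitinterface package but has no doc comment, and its two branches do not read the same thing: with a non-nil repo the lookup runs through the repository's executor, while the nil-repo branch shown above uses a separate `--global`-only invocation. Add a doc comment stating that repo may be nil and which config scopes each case consults, or make both branches issue the same `git config --get-regexp` so that a caller resolving gpg.program gets the same answer whether or not a repository was loaded.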

Member left a comment

given this is part of the now public gitinterface package, I wonder if this should be part of (r *Repository) still. If we're anyway going to use exec.Command, that can happen in exp/gittuf which wraps this. We're not benefiting from the repo.executor pattern anyway.


Development

Successfully merging this pull request may close these issues.

LoadPublicKeyFromGitConfig ignores gpg.program and always executes gpg from PATH

4 participants