On 2021.07.29 10:59, Fabian Stelzer wrote: > On 29.07.21 00:48, Jonathan Tan wrote: > > > if user.signingkey is not set and a ssh signature is requested we call > > > ssh-add -L and use the first key we get > > > > [snip] > > > > Could the commit message have a better explanation of why we need this? > > (Also, I would think that the command being run needs to be configurable > > instead of being just the first "ssh-add" in $PATH, and the parsing of > > the output should be more rigorous. But this is moot if we don't need > > this feature in the first place.) > > > > How about: > If user.signingkey ist not set and a ssh signature is requested we call > ssh-add -L und use the first key we get. This enables us to activate commit > signing globally for all users on a shared server when ssh-agent forwarding > is already in use without the need to touch an individual users gitconfig. > > Maybe a general gpg.ssh.signingKeyDefaultCommand that we call and use the > first returned line as key would be useful and achieve the same goal without > having this default for everyone. > On the other hand i like having less configuration / good defaults for > individual users. But I'm coming from a corporate environment, not an open > source project. Doesn't this run the risk of using the wrong key (and potentially exposing someone's identity)? On my work machine, my corporate SSH key is not actually the first key in my SSH agent. Rather than making this behavior the default, could it instead be enabled only if the signing key is set to "use-ssh-agent" or something similar?
