Keybase GIT signing
#!/bin/sh
# Git gpg.program wrapper for keybase pgp sign
# Usage: git config gpg.program /path/to/keybase-git-gpg.sh
#
# git calls this in place of gpg. Signing requests are forwarded to
# `keybase pgp sign`; verification (--verify) is handed to the real gpg.
set -o errexit
# Print a diagnostic line on stderr, but only when KEYBASE_GIT_DEBUG is set.
# Always returns 0 so it is safe to call under `set -e`.
debug() {
  if [ -n "$KEYBASE_GIT_DEBUG" ]; then
    printf '[keybase-git-gpg] %s\n' "$*" >&2
  fi
}
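debug "Called with args: $*"

# git uses gpg.program for verification as well; keybase cannot do that,
# so hand the whole invocation to the real gpg. Match --verify as a
# complete argument instead of as a substring of "$*", so a key ID or
# file name that merely contains the text does not trigger the hand-off.
for arg in "$@"; do
  if [ "$arg" = "--verify" ]; then
    exec gpg "$@"
  fi
done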
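STATUS_FD=2
KEY_ID=""

# Exit with a message when option $1 is the last word on the command line
# (otherwise the following shift would silently fail under `set -e`).
require_value() {
  if [ $# -lt 2 ]; then
    printf 'error: option %s requires an argument\n' "$1" >&2
    exit 1
  fi
}

#######################################
# Extract the parts of the gpg command line that matter here and store
# them in the globals STATUS_FD and KEY_ID. gpg flags keybase does not
# understand (-b, -s, -a, --batch, --pinentry-mode, ...) are dropped,
# unknown options are ignored, and the first bare word is taken as the
# key ID when none was given via -u / -bsau / --local-user.
# Globals:   STATUS_FD (written), KEY_ID (written)
# Arguments: the gpg command line as received by this script
# Returns:   0; exits 1 when an option that takes a value has none
#######################################
parse_args() {
  while [ $# -gt 0 ]; do
    case "$1" in
      --status-fd=*)
        STATUS_FD="${1#--status-fd=}"
        ;;
      --status-fd)
        require_value "$@"
        STATUS_FD="$2"
        shift
        ;;
      -bsau|-u|--local-user)
        require_value "$@"
        KEY_ID="$2"
        shift
        ;;
      --local-user=*)
        KEY_ID="${1#--local-user=}"
        ;;
      -b|--detach-sign|-s|--sign|-a|--armor|--batch|--yes|--no-tty)
        ;;
      --pinentry-mode=*)
        ;;
      --pinentry-mode)
        require_value "$@"
        shift
        ;;
      *)
        # First non-option word is the key ID; later bare words are ignored.
        if [ -z "$KEY_ID" ] && [ "${1#-}" = "$1" ]; then
          KEY_ID="$1"
        fi
        ;;
    esac
    shift
  done
}

parse_args "$@"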
debug "Parsed: STATUS_FD=$STATUS_FD KEY_ID=$KEY_ID"

# Without a key there is nothing to hand to keybase; stop here.
[ -n "$KEY_ID" ] || {
  printf '%s\n' "error: no key ID provided" >&2
  exit 1
}
# Write one "[GNUPG:] ..." status line to the descriptor git asked for.
# Globals:   STATUS_FD (read) - descriptor number, 1 and 2 handled directly
# Arguments: the status words, joined with spaces
status() {
  if [ "$STATUS_FD" = 1 ]; then
    printf '[GNUPG:] %s\n' "$*"
  elif [ "$STATUS_FD" = 2 ]; then
    printf '[GNUPG:] %s\n' "$*" >&2
  else
    printf '[GNUPG:] %s\n' "$*" >&"$STATUS_FD"
  fi
}
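# keybase must be installed and logged in before anything can be signed.
# Both failures are also reported on the gpg status channel so git sees a
# structured error, not only the stderr text.
if ! command -v keybase >/dev/null 2>&1; then
  status "ERROR keybase not found"
  printf '%s\n' "error: keybase command not found" >&2
  exit 1
fi

# NOTE: this depends on the exact spacing keybase uses in its JSON output;
# a real JSON parser (jq) would be more robust where it is available.
if ! keybase status -j 2>/dev/null | grep -q '"LoggedIn": true'; then
  status "ERROR not logged in"
  printf '%s\n' "error: not logged in to keybase. Run: keybase login" >&2
  exit 1
fi

status "KEY_CONSIDERED $KEY_ID 0"
status "BEGIN_SIGNING H10"

# Signature and diagnostics are captured in separate files: anything
# keybase prints on stderr (warnings, update notices) must never be mixed
# into the signature bytes git reads from our stdout.
TMPFILE=$(mktemp)
ERRFILE=$(mktemp)
trap 'rm -f "$TMPFILE" "$ERRFILE"' EXIT

debug "Running: keybase pgp sign --detached --key $KEY_ID"
# The data to sign arrives on our stdin and is passed straight through.
if keybase pgp sign --detached --key "$KEY_ID" > "$TMPFILE" 2> "$ERRFILE"; then
  # keybase's own messages still reach the user, on stderr only.
  if [ -s "$ERRFILE" ]; then
    cat "$ERRFILE" >&2
  fi
  # An empty signature can never verify; report it instead of passing it on.
  if [ ! -s "$TMPFILE" ]; then
    debug "Signing produced no output"
    status "FAILURE sign"
    printf '%s\n' "error: keybase pgp sign produced an empty signature" >&2
    exit 1
  fi
  cat "$TMPFILE"
  # SIG_CREATED format: D=detached 1=RSA 10=SHA512 00=class timestamp keyid
  # (the algorithm fields are hardcoded here, not reported by keybase)
  TIMESTAMP=$(date +%s)
  status "SIG_CREATED D 1 10 00 $TIMESTAMP $KEY_ID"
  debug "Signing successful"
  exit 0
else
  # $? here is still the exit status of the keybase command above.
  EXIT_CODE=$?
  debug "Signing failed with exit code $EXIT_CODE"
  cat "$TMPFILE" "$ERRFILE" >&2
  status "INV_SGNR 9 $KEY_ID"
  status "FAILURE sign"
  exit "$EXIT_CODE"
fi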