diff --git a/VERSION b/VERSION
index ee90284..9084fa2 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-1.0.4
+1.1.0
diff --git a/brewfiles/Brewfile.dev b/brewfiles/Brewfile.dev
index a1c601f..65d407a 100644
--- a/brewfiles/Brewfile.dev
+++ b/brewfiles/Brewfile.dev
@@ -6,9 +6,6 @@ brew "mise" # Modern asdf replacement (10x faster)
 
 # JavaScript / Node
 brew "bun" # Bun runtime (also managed via mise)
 
-# GPG
-brew "pinentry-mac" # macOS-native GPG passphrase dialog
-
 # Build tools
 brew "watchman" # File watching (React Native, Jest)
diff --git a/dotfiles/gitconfig b/dotfiles/gitconfig
index aa6e300..ca16b78 100644
--- a/dotfiles/gitconfig
+++ b/dotfiles/gitconfig
@@ -16,6 +16,6 @@
 [credential "https://gist.github.com"]
 	helper =
 	helper = !/opt/homebrew/bin/gh auth git-credential
-# GPG signing is configured by module 06 (git) if a key is present.
+# SSH commit signing is configured by module 06 (git) if a key is present.
 # Client-specific git identities are added by: mbp client add
 # which appends [includeIf] blocks below this line.
diff --git a/modules/06-git.sh b/modules/06-git.sh
index 841d031..ab81c11 100755
--- a/modules/06-git.sh
+++ b/modules/06-git.sh
@@ -25,30 +25,32 @@ else
   mbp_log_warn "gh CLI not found — skipping credential helper setup"
 fi
 
-# GPG signing: configure only if a key exists
-# Module 08 (secrets) restores keys; this module picks them up if already present.
-GPG_KEY_ID=$(gpg --list-secret-keys --keyid-format SHORT 2>/dev/null | \
-  grep "^sec" | awk '{print $2}' | cut -d/ -f2 | head -1)
-
-if [ -n "$GPG_KEY_ID" ]; then
-  git config --global user.signingkey "$GPG_KEY_ID"
-  git config --global commit.gpgsign true
-  git config --global gpg.program "$(which gpg)"
-
-  # Configure pinentry-mac for passphrase entry if available
-  PINENTRY_MAC="${BREW_PREFIX}/bin/pinentry-mac"
-  if [ -f "$PINENTRY_MAC" ]; then
-    GPG_AGENT_CONF="$HOME/.gnupg/gpg-agent.conf"
-    if ! grep -q "pinentry-program.*pinentry-mac" "$GPG_AGENT_CONF" 2>/dev/null; then
-      echo "pinentry-program ${PINENTRY_MAC}" >> "$GPG_AGENT_CONF"
-      gpgconf --kill gpg-agent 2>/dev/null
-      mbp_log_ok "pinentry-mac configured for GPG agent"
-    fi
+# SSH commit signing: uses the SSH key discovered by module 07
+# No GPG or pinentry needed — 1Password handles key access seamlessly.
+SSH_DIR="${HOME}/.ssh"
+SSH_SIGNING_KEY=""
+
+# Use the same key-discovery priority as module 07
+for key in "$SSH_DIR"/*.pub; do
+  [ -f "$key" ] || continue
+  local_name="$(basename "$key" .pub)"
+  if [ -z "$SSH_SIGNING_KEY" ]; then
+    SSH_SIGNING_KEY="$key"
   fi
-
-  mbp_log_ok "GPG signing enabled: $GPG_KEY_ID"
+  case "$local_name" in
+    developer_ed25519) SSH_SIGNING_KEY="$key" ;;
+    id_ed25519) [[ "$(basename "$SSH_SIGNING_KEY" .pub)" != "developer_ed25519" ]] && SSH_SIGNING_KEY="$key" ;;
+    *ed25519*) [[ "$(basename "$SSH_SIGNING_KEY" .pub)" != "developer_ed25519" && "$(basename "$SSH_SIGNING_KEY" .pub)" != "id_ed25519" ]] && SSH_SIGNING_KEY="$key" ;;
+  esac
+done
+
+if [ -n "$SSH_SIGNING_KEY" ]; then
+  git config --global gpg.format ssh
+  git config --global user.signingkey "$SSH_SIGNING_KEY"
+  git config --global commit.gpgsign true
+  mbp_log_ok "SSH commit signing enabled: $(basename "$SSH_SIGNING_KEY")"
 else
-  mbp_log_warn "No GPG key found — run 'mbp setup --module secrets' to enable commit signing"
+  mbp_log_warn "No SSH public key found — commit signing requires a key in ~/.ssh/"
 fi
 
 state_set_module_ok "git"
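Review bot: Every commit will fail to sign if the selected `.pub` has no private half reachable through the agent, because the new `if [ -n "$SSH_SIGNING_KEY" ]` block turns on `commit.gpgsign true` for whatever `.pub` the glob finds without first checking that `ssh-keygen -Y sign` succeeds with it, and it never sets `gpg.ssh.allowedSignersFile`, so `git verify-commit` and `git log --show-signature` cannot verify the signatures it produces on this machine. I would test-sign a small payload before making signing mandatory (this may trigger one agent prompt during setup) and register the key in an allowed-signers file, as sketched below; the `user.email` lookup assumes it is configured earlier in this module — confirm. Separately, `local_name` is top-level code rather than a function body, so the `local_` prefix is misleading; `key_name` reads better. The gh-CLI `if` that the hunk's first context lines close begins outside the hunk.
```shell
# … unchanged: key-discovery loop …
if [ -n "$SSH_SIGNING_KEY" ]; then
  # Make sure the agent can actually sign with this key before making signing mandatory.
  if ! printf 'mbp signing check' | ssh-keygen -Y sign -n git -f "$SSH_SIGNING_KEY" >/dev/null 2>&1; then
    mbp_log_warn "SSH key $(basename "$SSH_SIGNING_KEY") cannot sign (agent not available?) — commit signing not enabled"
  else
    git config --global gpg.format ssh
    git config --global user.signingkey "$SSH_SIGNING_KEY"
    git config --global commit.gpgsign true
    # Let git verify our own signatures locally (verify-commit / log --show-signature).
    ALLOWED_SIGNERS="${SSH_DIR}/allowed_signers"
    git config --global gpg.ssh.allowedSignersFile "$ALLOWED_SIGNERS"
    SIGNER_EMAIL="$(git config --global user.email || true)"
    if [ -n "$SIGNER_EMAIL" ] && ! grep -qF -- "$(cat "$SSH_SIGNING_KEY")" "$ALLOWED_SIGNERS" 2>/dev/null; then
      printf '%s %s\n' "$SIGNER_EMAIL" "$(cat "$SSH_SIGNING_KEY")" >> "$ALLOWED_SIGNERS"
    fi
    mbp_log_ok "SSH commit signing enabled: $(basename "$SSH_SIGNING_KEY")"
  fi
# … unchanged: else branch and warning …
```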