Skip to content

feat(code-agent): add gitsign for cryptographic commit signing#3858

Draft
lahavyuv86 wants to merge 1 commit into
fullsend-ai:mainfrom
lahavyuv86:feat/gitsign-commit-signing
Draft

feat(code-agent): add gitsign for cryptographic commit signing#3858
lahavyuv86 wants to merge 1 commit into
fullsend-ai:mainfrom
lahavyuv86:feat/gitsign-commit-signing

Conversation

@lahavyuv86

@lahavyuv86 lahavyuv86 commented Jul 9, 2026

Copy link
Copy Markdown

Summary

Add gitsign (Sigstore keyless signing) to the code agent sandbox image to enable cryptographic commit signing.

Related Issue

#1685

Changes

  • Install gitsign v0.16.1 binary with SHA256 verification for both amd64 and arm64 architectures
  • Configure Git system-wide to use gitsign with x509 format (gpg.format=x509, gpg.x509.program=gitsign)
  • Signing is opt-in: enabled per-agent via GIT_CONFIG_* environment variables (not globally enabled)

Testing

  • make lint passes (stage changes first, then run)
  • Tests added/updated for new or modified logic

Checklist

  • PR title follows Conventional Commits (correct type, ! for breaking changes)
  • Commits are signed off (DCO) — human and human-directed agent sessions only
  • I wrote this contribution myself and can explain all changes in it

@lahavyuv86 lahavyuv86 requested a review from a team as a code owner July 9, 2026 12:06
@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown

E2E tests are running

Authorization passed for this commit. See the E2E Tests workflow for results.

@qodo-code-review

Copy link
Copy Markdown

PR Summary by Qodo

Add gitsign to code-agent image for keyless Git commit/tag signing

✨ Enhancement ⚙️ Configuration changes 🕐 20-40 Minutes

Grey Divider

AI Description

• Install pinned gitsign binary (amd64/arm64) with SHA256 verification during image build.
• Configure system Git to use x509/gitsign and enable commit/tag signing by default.
• Ensure agent-produced commits are cryptographically verifiable via Sigstore keyless flow.
Diagram

graph TD
  A["images/code/Containerfile"] --> B["Code-agent image"] --> C["Git (system)"] --> D["gitsign"] --> E{{"Sigstore/OIDC"}}
  C --> F[("Git remote")]

  subgraph Legend
    direction LR
    _cfg["Build/config"] ~~~ _ext{{"External"}} ~~~ _dep[("Remote")]
  end
Loading
High-Level Assessment

The following are alternative approaches to this PR:

1. Install gitsign via OS package manager
  • ➕ Less custom curl logic in the Containerfile
  • ➕ Potentially easier patching via distro updates
  • ➖ Often unavailable or outdated in apt/apk repos
  • ➖ Harder to guarantee consistent versions across images/architectures
2. Move gitsign install to the shared base sandbox image
  • ➕ Centralizes supply-chain tooling for all derived images
  • ➕ Avoids repeating install logic across multiple images
  • ➖ Broadens blast radius (all sandboxes get gitsign)
  • ➖ May be undesirable if only the code-agent image needs signing
3. Use traditional GPG signing with imported keys
  • ➕ Widely supported and familiar workflow
  • ➕ No dependency on OIDC/Sigstore availability
  • ➖ Key management overhead (storage/rotation/secrets)
  • ➖ Not keyless; weaker provenance story for ephemeral agent runs

Recommendation: The current approach (pinned binary + per-arch SHA256 verification + system Git defaults) is a good fit for reproducible, multi-arch container builds and minimizes operational key management via Sigstore keyless signing. Consider relocating the install to a shared base image only if other sandbox images also need commit signing.

Files changed (1) +27 / -0

Other (1) +27 / -0
ContainerfileInstall gitsign and enable system-wide commit/tag signing +27/-0

Install gitsign and enable system-wide commit/tag signing

• Adds a pinned gitsign (v0.16.1) install step that selects the correct binary for amd64/arm64 and verifies it via SHA256 before placing it in /usr/local/bin. Configures system Git to use x509/gitsign and enables commit and tag signing by default for the container environment.

images/code/Containerfile

@lahavyuv86 lahavyuv86 force-pushed the feat/gitsign-commit-signing branch 2 times, most recently from a250bc3 to e52b620 Compare July 9, 2026 12:12
@qodo-code-review

qodo-code-review Bot commented Jul 9, 2026

Copy link
Copy Markdown

Code Review by Qodo

🐞 Bugs (0) 📘 Rule violations (0) 📎 Requirement gaps (0) 📜 Skill insights (0)

Context used
✅ Compliance rules (platform): 54 rules

Grey Divider


Action required

1. Signing blocked by egress ✓ Resolved 🐞 Bug ☼ Reliability
Description
The image enables mandatory commit/tag signing via gitsign, but sandbox network egress is restricted
by provider profiles and the default harness providers do not allow Sigstore endpoints, so `git
commit` in the sandbox will fail when it tries to sign.
Code

images/code/Containerfile[R52-57]

+# Configure Git to use gitsign for commit signing (keyless signing via Sigstore).
+# This enables cryptographic verification of agent commits.
+RUN git config --system gpg.format x509 \
+    && git config --system gpg.x509.program gitsign \
+    && git config --system commit.gpgsign true \
+    && git config --system tag.gpgsign true
Relevance

⭐⭐⭐ High

Repo assumes limited/no egress in sandboxes; previously baked tools into image to avoid network
failures.

PR-#1054
PR-#286

ⓘ Recommendations generated based on similar findings in past PRs

Evidence
The PR enables signing for all commits/tags in the image, but the scaffolded sandbox policy states
network access is granted via provider profiles; the GitHub provider profile only allowlists GitHub
domains, and the code-agent harness enables only vertex-ai/github/package-registries/gitleaks
providers, leaving no allowlisted path to Sigstore services required by gitsign signing.

internal/scaffold/fullsend-repo/policies/base.yaml[4-9]
internal/scaffold/fullsend-repo/profiles/fullsend-github.yaml[1-16]
internal/scaffold/fullsend-repo/harness/code.yaml[14-21]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
The code sandbox image sets `commit.gpgsign=true` and `tag.gpgsign=true` system-wide and configures `gitsign` as the x509 signing program. In the scaffolded harnesses, sandbox network access is controlled by provider profiles, and the selected providers do not allow Sigstore/Fulcio/Rekor endpoints. As a result, any in-sandbox `git commit`/`git tag` that triggers signing will fail.

### Issue Context
- Network egress in the sandbox is granted via provider profiles, not via the base policy.
- The scaffold harnesses for code/fix use providers like `github` and `package-registries`, which only allow GitHub/registry domains.
- Keyless signing requires outbound calls to Sigstore services.

### Fix Focus Areas
- images/code/Containerfile[52-57]
- internal/scaffold/fullsend-repo/policies/base.yaml[4-9]
- internal/scaffold/fullsend-repo/profiles/fullsend-github.yaml[1-16]
- internal/scaffold/fullsend-repo/harness/code.yaml[14-21]

### Suggested fix
Choose one:
1) **Make signing opt-in**: remove `commit.gpgsign=true` / `tag.gpgsign=true` from system config and enable it only in runs that have the needed network/identity configuration.
2) **Add a Sigstore provider profile** (recommended if signing should be default): create a new provider profile that allowlists the required Sigstore endpoints (e.g., Fulcio/Rekor) and include that provider in the relevant harness `providers:` lists (code/fix/etc.).

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools



Remediation recommended

2. gitsign docs missing ✓ Resolved 📎 Requirement gap ⛨ Security
Description
This PR enables keyless gitsign commit/tag signing in the code-agent image, but does not include
the required written feasibility, identity binding, compatibility, DCO interaction, and
SLSA/provenance alignment assessments. Without this documentation, it’s unclear how signatures will
be verifiable/enforceable across target repos and policies.
Code

images/code/Containerfile[R52-57]

+# Configure Git to use gitsign for commit signing (keyless signing via Sigstore).
+# This enables cryptographic verification of agent commits.
+RUN git config --system gpg.format x509 \
+    && git config --system gpg.x509.program gitsign \
+    && git config --system commit.gpgsign true \
+    && git config --system tag.gpgsign true
Relevance

⭐⭐⭐ High

Team often requires security-sensitive design/threat-model docs; accepted similar doc clarifications
in ADR/security-threat-model updates.

PR-#716
PR-#18

ⓘ Recommendations generated based on similar findings in past PRs

Evidence
The diff shows Git is configured system-wide to use gitsign and to sign commits/tags by default,
and the image now downloads/installs gitsign. Existing repo documentation still frames gitsign for
agent commits as an exploration (issue #1685) rather than documenting the required
feasibility/identity/compatibility/DCO/SLSA decisions.

Assess feasibility of integrating gitsign into agent commit workflow
Define signing identity and OIDC/service account binding for agent commits
Verify compatibility with repositories enforcing commit signature verification
Maintain correct interaction between cryptographic signing and DCO Signed-off-by handling
Align gitsign approach with SLSA source attestation goals for provenance
images/code/Containerfile[52-57]
images/code/Containerfile[104-122]
docs/problems/security-threat-model.md[424-451]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
The PR turns on `gitsign`-based signing by default, but the required documentation covering feasibility, signing identity/OIDC binding, compatibility with signature-required repos, DCO Signed-off-by interaction, and SLSA/source attestation alignment is missing.

## Issue Context
- The code-agent image is being configured to sign commits/tags (`commit.gpgsign=true`, `tag.gpgsign=true`) and to use `gitsign` as the signing program.
- The compliance checklist items derived from issue #1685 require explicit written assessments/decisions for how this will work operationally and how it will be verified.

## Fix Focus Areas
- images/code/Containerfile[52-57]
- images/code/Containerfile[104-122]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools


Grey Divider

Qodo Logo

Comment thread images/code/Containerfile Outdated
Comment thread images/code/Containerfile Outdated
Add gitsign to the code agent sandbox image.

Signed-off-by: Yuval Lahav <ylahav@redhat.com>
@lahavyuv86 lahavyuv86 force-pushed the feat/gitsign-commit-signing branch 2 times, most recently from e52b620 to 540b27f Compare July 9, 2026 12:54
@rh-hemartin rh-hemartin added the ok-to-test Allow e2e CI to run after maintainer review (must be re-applied after each push) label Jul 9, 2026
@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown

Site preview

Preview: https://67316a9b-site.fullsend-ai.workers.dev

Commit: 540b27f8216d73da17316a3cc666db87a4b6436c

@codecov

codecov Bot commented Jul 9, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

@rh-hemartin

Copy link
Copy Markdown
Member

Hello! I never dealt with signing commits before, could you add an example of how to enable this for an agent as if this was already merged? You mention GIT_CONFIG variables. How would you get them into the agent? And if this immediately available to use, could you create a guide about how to enable this at docs/user/how-to-enable-commit-signature.md or something similar?

@lahavyuv86

Copy link
Copy Markdown
Author

Hi @rh-hemartin, I'm still testing this change. I will move this MR to draft and add a "how to test" section to the summary.

@lahavyuv86 lahavyuv86 marked this pull request as draft July 9, 2026 13:47
@rh-hemartin

Copy link
Copy Markdown
Member

Hi @rh-hemartin, I'm still testing this change. I will move this MR to draft and add a "how to test" section to the summary.

Perfect, will give it a try when you update it. Write something as body changes do not send notifications (as far as I know).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

ok-to-test Allow e2e CI to run after maintainer review (must be re-applied after each push)

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants