
Cannot sign commit using Github App auth #1241

Closed
andridzi opened this issue Aug 30, 2022 · 9 comments

Comments

@andridzi

andridzi commented Aug 30, 2022

Subject of the issue

Cannot sign commit using Github App auth.

Steps to reproduce

As mentioned in the docs, signature verification for bots will only work if there is no custom author information, custom committer information, and no custom signature information.

Even if I put correct committer and author fields, the commit will not be signed.
It will be signed only when the committer and author fields are not set at all.

@peter-evans
Owner

Hi @andridzi

Please could you explain in more detail what you are trying and what does/doesn't work?

It will be signed only when the committer and author fields are not set at all.

So are you saying it works when you set the committer and author to empty strings? e.g.

      - uses: peter-evans/create-pull-request@v4
        with:
          committer: ''
          author: ''

@andridzi
Author

Hi @peter-evans,

Yes, something like that. And inside the action when committer and author are empty strings, they should not be passed to the API call.

From what I've found during the investigation:

Commit will be signed:

    curl \
      -X PUT \
      -H "Authorization: token GITHUB_APP_TOKEN" \
      -H "Accept: application/vnd.github.v3+json" \
      https://api.github.com/repos/someOrg/someRepo/contents/test1 \
      -d '{"message":"message","content":"Y29udGVudA==","branch":"master"}'

Commit will NOT be signed:

    curl \
      -X PUT \
      -H "Authorization: token GITHUB_APP_TOKEN" \
      -H "Accept: application/vnd.github.v3+json" \
      https://api.github.com/repos/someOrg/someRepo/contents/test2 \
      -d '{"committer":{"name":"GitHub","email":"noreply@github.com"},"author":{"name":"your-github-app[bot]","email":"112472085+your-github-app[bot]@users.noreply.github.com"},"message":"message","content":"Y29udGVudA==","branch":"master"}'

And when comparing both commits through the GitHub API, the only difference (except date, hash, etc.) is that the first one is signed and the second one isn't.
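
A small helper for the REST API path described in this comment, added here as an example (it is not code from the action or from the original post). The endpoint and headers are taken from the curl commands; the sample `verification` responses are constructed, and a real installation access token is needed for the live PUT:

```python
"""Build a Contents API payload that keeps a GitHub App commit signable, and
inspect the 'verification' block GitHub returns for the resulting commit."""
import base64
import json
import urllib.request

API = "https://api.github.com"


def build_contents_payload(message, content, branch, author=None, committer=None):
    """Return the JSON body for PUT /repos/{owner}/{repo}/contents/{path}.

    GitHub only signs on the app's behalf when the request carries no custom
    author/committer, so empty strings or empty dicts are dropped rather than
    forwarded to the API (author/committer are dicts with name/email, or None).
    """
    payload = {
        "message": message,
        "content": base64.b64encode(content).decode("ascii"),
        "branch": branch,
    }
    for key, value in (("author", author), ("committer", committer)):
        if isinstance(value, dict) and value.get("name"):  # forward only a real identity
            payload[key] = value
    return payload


def put_contents(token, repo, path, payload):
    """PUT the payload with the same headers as the curl examples (live request)."""
    req = urllib.request.Request(
        f"{API}/repos/{repo}/contents/{path}",
        data=json.dumps(payload).encode(),
        method="PUT",
        headers={"Authorization": f"token {token}",
                 "Accept": "application/vnd.github.v3+json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def signature_status(commit_obj):
    """Read the verification block of a commit object as returned by
    GET /repos/{owner}/{repo}/commits/{sha}; returns (verified, reason)."""
    verification = commit_obj.get("commit", {}).get("verification", {})
    return bool(verification.get("verified")), verification.get("reason", "unsigned")


# Constructed sample responses, reduced to the 'verification' block
SIGNED = {"commit": {"verification": {"verified": True, "reason": "valid"}}}
UNSIGNED = {"commit": {"verification": {"verified": False, "reason": "unsigned"}}}
```

Passing `author=""` and `committer=""` (the empty strings discussed above) produces the first curl body, so the commit comes back with `verified: true`; passing identity dicts produces the second body.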

@peter-evans
Owner

@andridzi I'm not sure how to approach this problem because this action does not use the API you mentioned. Commits are made locally in the GitHub Actions run using the Git protocol, not the REST API.

If I were to allow author and committer to be empty strings then Git would complain and wouldn't allow commits to take place. I think at least one of those must exist for commits to be successful using the git command line.

@andridzi
Author

andridzi commented Sep 1, 2022

@peter-evans Yes, indeed. I missed that commits are created using the Git protocol.

So, currently in the peter-evans/create-pull-request action it's not possible to create Verified commits using a GitHub App auth token. And I think it would be good to mention this somewhere in the docs.

@peter-evans
Owner

Signature verification for bots will only work if the request is verified and authenticated as the GitHub App or bot and contains no custom author information, custom committer information, and no custom signature information, such as Commits API.

Is it not possible to achieve this without using GitHub's REST API for committing? Perhaps there is some way to do this using the git protocol, too.

@lemeurherve

Git is the way:
https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification

If a commit or tag has a GPG, SSH, or S/MIME signature that is cryptographically verifiable, GitHub marks the commit or tag "Verified" or "Partially verified."

@peter-evans
Owner

I've documented how you can do it with GPG here:
https://github.com/peter-evans/create-pull-request/blob/main/docs/concepts-guidelines.md#gpg-commit-signature-verification

Not sure if something like this can work with tokens generated from a GitHub auth app, though.

@peter-evans
Owner

Closing this for now because it appears to not be possible.

@HenryNguyen5

HenryNguyen5 commented Feb 23, 2023

Yeah, it's not possible to create signed commits with a GitHub App token without using GitHub's REST or GQL API: https://github.com/orgs/community/discussions/24664#discussioncomment-5084236
