diff --git a/CHANGELOG.md b/CHANGELOG.md index a2a555a..59fef0d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,9 @@ ## Unreleased +- Changed `dvm ssh-key` generated access-key comments and output labels from + GitHub-specific wording to provider-neutral Git wording. Existing key file paths are + unchanged. - Fixed per-VM `DVM_CODE_ROOT` overrides so the default `DVM_CODE_DIR` is computed after VM config is sourced. - Fixed remaining user-facing docs and diagnostics that still used old command names @@ -114,7 +117,7 @@ `use_app_tools`. - Added nested Git dirty checks before `dvm rm`; `--force` skips the check. - Added VM-local SSH and GPG key helpers. -- Changed `dvm ssh-key` to create separate VM-local GitHub access and Git commit +- Changed `dvm ssh-key` to create separate VM-local Git hosting access and Git commit signing SSH keys, and to configure Git signing with the signing key. - Added bundled defaults under `share/dvm`: global config, Lima template, example VM configs, and reusable guest recipes. diff --git a/README.md b/README.md index 8f1e31a..54eabf1 100644 --- a/README.md +++ b/README.md @@ -77,9 +77,9 @@ Use `--force` only when you intentionally want to skip that check. Use `dvm stop --inactive` to stop only VMs without a detected active shell, `tmux`/`zellij`, or known DVM service unit. -`dvm ssh-key ` creates separate VM-local SSH keys for GitHub access and Git commit -signing. Use the access key as a deploy/authentication key and add the signing key to -your GitHub account's SSH signing keys. +`dvm ssh-key ` creates separate VM-local SSH keys for Git hosting access and Git +commit signing. Use the access key as a deploy/authentication key and add the signing +key to your Git hosting account's SSH signing keys, if supported. ## Config diff --git a/docs/commands.md b/docs/commands.md index bf11309..53e9ccc 100644 --- a/docs/commands.md +++ b/docs/commands.md 
@@ -129,15 +129,17 @@ dvm gpg-key app `ssh-key` creates or reuses two VM-local SSH keys: -- `~/.ssh/id_ed25519_dvm`: GitHub access key. Use this as a repo deploy key or an +- `~/.ssh/id_ed25519_dvm`: Git access key. Use this as a repo deploy key or an account authentication key. -- `~/.ssh/id_ed25519_dvm_signing`: Git commit signing key. Add this to your GitHub - account as an SSH signing key. - -The same GitHub SSH key cannot be both a repo deploy key and an account signing key, so -DVM keeps those identities separate. The command also adds a GitHub SSH config entry for -the access key and configures Git SSH signing with the signing key. Missing or empty -public key files are regenerated through a temporary file and moved into place. +- `~/.ssh/id_ed25519_dvm_signing`: Git commit signing key. Add this to your Git + hosting account as an SSH signing key, if supported. + +Some Git hosting services keep repo deploy/access keys and account signing keys as +separate identities, so DVM keeps those identities separate too. The command also adds a +default `github.com` SSH config entry for the access key and configures Git SSH signing +with the signing key. Add matching SSH config entries for other Git hosts if you want +this access key selected automatically there. Missing or empty public key files are +regenerated through a temporary file and moved into place. `gpg-key` creates or reuses a one-year VM-local signing key and prints the public key plus fingerprint. Neither command copies host private keys into the VM. diff --git a/docs/security-standards.md b/docs/security-standards.md index 8c9a82f..0833a29 100644 --- a/docs/security-standards.md +++ b/docs/security-standards.md 
@@ -17,8 +17,8 @@ small, but they are the bar for changes. - Do not copy host SSH/GPG private keys into VMs. - Generate VM-local keys when a VM needs Git or signing access: `dvm ssh-key ` and `dvm gpg-key `. -- `dvm ssh-key` intentionally creates separate SSH keys for GitHub access and Git - commit signing. Do not reuse a repo deploy key as a GitHub account signing key. +- `dvm ssh-key` intentionally creates separate SSH keys for Git hosting access and Git + commit signing. Do not reuse a repo deploy/access key as an account signing key. - The VM-local GPG helper creates an unencrypted, one-year signing key for disposable VM use; do not treat it as a long-lived identity key. - Prefer repo-scoped deploy keys and service-scoped tokens. diff --git a/share/dvm/lib/keys.sh b/share/dvm/lib/keys.sh index 7e0d0bb..56df08d 100644 --- a/share/dvm/lib/keys.sh +++ b/share/dvm/lib/keys.sh @@ -18,7 +18,7 @@ config="$HOME/.ssh/config" mkdir -p "$HOME/.ssh" chmod 700 "$HOME/.ssh" if [ ! -f "$key" ]; then - ssh-keygen -t ed25519 -C "$DVM_NAME-dvm-github-access" -f "$key" -N "" + ssh-keygen -t ed25519 -C "$DVM_NAME-dvm-git-access" -f "$key" -N "" fi if [ ! -f "$signing_key" ]; then ssh-keygen -t ed25519 -C "$DVM_NAME-dvm-git-signing" -f "$signing_key" -N "" @@ -54,9 +54,9 @@ if command -v git >/dev/null 2>&1; then GIT_CONFIG_GLOBAL="$git_config" git config --global user.signingkey "$signing_key.pub" GIT_CONFIG_GLOBAL="$git_config" git config --global commit.gpgsign true fi -printf 'GitHub access key public key (use as deploy key or account authentication key):\n' +printf 'Git access key public key (use as deploy key or account authentication key):\n' cat "$key.pub" -printf '\nGit commit signing public key (add to GitHub account as SSH signing key):\n' +printf '\nGit commit signing public key (add to your Git hosting account as an SSH signing key, if supported):\n' cat "$signing_key.pub" DVM_SSH_KEY } diff --git a/tests/smoke.sh b/tests/smoke.sh index b4f5323..ae13c1c 100755 
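Review bot: The relabelled `ssh-keygen -t ed25519 -C "$DVM_NAME-dvm-git-access" -f "$key" -N ""` line still generates a passphrase-less private key, yet unlike the GPG helper (which security-standards.md explicitly documents as unencrypted and disposable) neither the script nor the standards bullet says so for the SSH access and signing keys. Add a why-comment above the two `ssh-keygen` calls, e.g. `# Intentionally passphrase-less: VM-local, disposable keys. Never copy them out of the VM; revoke them on the hosting side when the VM is removed.`, and mirror that caveat in the security-standards bullet so the SSH keys carry the same warning as the GPG key. The new comment string also embeds `$DVM_NAME` in the public key that users paste into a hosting provider; presumably the VM name is validated to a safe token elsewhere, but if it can carry a newline the `.pub` line would be split, so worth confirming. The enclosing function and the `write_public_key()` helper the tests reference start and end outside this hunk.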
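Review bot: The relabelled `printf 'Git commit signing public key (...)'` block is printed unconditionally, but the `if command -v git` guard shown in the hunk header silently skips the `user.signingkey`/`commit.gpgsign` configuration when `git` is missing on the guest, so a user reading that output will assume signing was configured when it was not. Add an `else` branch before the `fi` that opens the hunk: `else` / `printf 'warning: git not found in VM; commit signing was not configured\n' >&2`. A one-line comment above the output, `# Only public keys are printed; private key material stays in the VM.`, would also make the intended boundary explicit for readers of the `cat "$key.pub"` lines. The `if` this `fi` closes begins outside the hunk body, and the rest of the function lies outside the hunk.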
--- a/tests/smoke.sh +++ b/tests/smoke.sh @@ -435,13 +435,13 @@ rm -f "$TMP/config/vms/race.sh" "$ROOT/bin/dvm" ssh-key app grep -Fq 'shell dvm-app env DVM_NAME=app bash -s' "$TMP/state/log" grep -Fq 'id_ed25519_dvm_signing' "$TMP/state/guest.sh" -grep -Fq 'dvm-github-access' "$TMP/state/guest.sh" +grep -Fq 'dvm-git-access' "$TMP/state/guest.sh" grep -Fq 'dvm-git-signing' "$TMP/state/guest.sh" grep -Fq 'write_public_key()' "$TMP/state/guest.sh" grep -Fq 'mktemp "${public_key}.XXXXXX"' "$TMP/state/guest.sh" grep -Fq 'mv "$tmp" "$public_key"' "$TMP/state/guest.sh" grep -Fq 'user.signingkey "$signing_key.pub"' "$TMP/state/guest.sh" -grep -Fq 'GitHub access key public key' "$TMP/state/guest.sh" +grep -Fq 'Git access key public key' "$TMP/state/guest.sh" grep -Fq 'Git commit signing public key' "$TMP/state/guest.sh" "$ROOT/bin/dvm" gpg-key app