kai-server: install GPG signing key so commits can be authored + pushed there #90

Open
opened 2026-05-23 20:54:41 +00:00 by coilysiren · 0 comments
Owner

Originally filed by @coilysiren on 2026-04-28T06:20:35Z - https://github.com/coilysiren/infrastructure/issues/70

🤖 Filed by Claude Code on Kai's behalf.

kai-server doesn't have Kai's commit-signing GPG key, so pushing commits authored on kai-server fails the local "only signed-by-expected-author commits land" verification policy (see coilyco-vault/Notes/git-pull-verification.md). Today the workaround is to author the commit on Mac and push from there, then coily ssh git pull on kai-server. Worked through that pattern just now to clear the infrastructure CRLF-renormalize + chmod state.

That's fine for occasional drift, but the dashboard's dirty_tree action flow assumes the host with the dirty tree is the host that resolves it. When the dirty repo is on kai-server (which is most of them - eco-mods, infrastructure, deployable repos), the resolution path is currently mac-mediated, which is friction worth removing.

Set up commit signing on kai-server:

  1. Generate a kai-server-specific subkey (or import a copy of the existing key). A subkey is cleaner - revocable independently if the server is compromised, doesn't put the master key on a network-reachable host.
  2. Configure git config --global user.signingkey <fingerprint> + commit.gpgsign true for the kai user.
  3. Add the public subkey to GitHub under Kai's account so commits show as Verified.
  4. Document in infrastructure/docs/ (probably a new kai-server-git-signing.md or amend the existing setup docs) so this stays reproducible if kai-server is rebuilt.
  5. Optional: Yubikey-backed key on kai-server. Probably overkill for a homelab box, but worth naming so the trade-off is on the record.

Out of scope: fixing the upstream verification policy in git-pull-verification.md. The policy is right, the kai-server gap is what needs closing.

Pairs with the dashboard work this session: once kai-server can sign, future dirty_tree resolutions can flow through coily ssh git verbs (whenever an add / commit / push chain gets exposed) without the mac round-trip.

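A model of the pull-side check the issue refers to, added here as an example; it is not the project's own `git-pull-verification.md` (whose exact rules are not on this page). It assumes the policy compares each commit's author against an allow-list of primary-key fingerprints and reads git's `%G?`, `%GF` and `%GP` log placeholders; the fingerprints and log lines are constructed.

```python
"""Offline model of an "only signed-by-expected-author commits land" pull check.

Input lines are constructed sample output of:
    git log --format='%H%x09%an%x09%G?%x09%GF%x09%GP' main..FETCH_HEAD
%GF is the fingerprint of the key that made the signature; %GP is the primary
key it belongs to. Comparing %GP is what lets a host-specific subkey (step 1
of the issue) pass without adding every subkey to the allow-list.
Hypothetical policy, not the rules from git-pull-verification.md.
"""
from dataclasses import dataclass

# Constructed placeholder fingerprints, not real keys.
PRIMARY_FP = "AAAA" * 10
KAI_SERVER_SUBKEY_FP = "BBBB" * 10
STRANGER_FP = "CCCC" * 10

ALLOWED_PRIMARY = {"Kai": PRIMARY_FP}  # author name -> expected primary key


@dataclass
class Verdict:
    commit: str
    ok: bool
    reason: str


def check_line(line: str, allowed=ALLOWED_PRIMARY) -> Verdict:
    sha, author, status, signer_fp, primary_fp = line.split("\t")
    if status == "N":
        return Verdict(sha, False, "unsigned")
    if status != "G":  # B/U/X/Y/R/E: bad, unknown trust, expired, revoked, can't check
        # "E" is what you get when the verifying host's keyring lacks the new public subkey.
        return Verdict(sha, False, f"signature status {status}")
    expected = allowed.get(author)
    if expected is None:
        return Verdict(sha, False, f"author {author!r} not in allow-list")
    if primary_fp != expected:
        return Verdict(sha, False, "signed by unexpected key")
    how = "signed by subkey" if signer_fp != primary_fp else "signed by primary key"
    return Verdict(sha, True, how)


def verify_log(log_text: str) -> list[Verdict]:
    return [check_line(l) for l in log_text.strip().splitlines() if l]


SAMPLE_LOG = "\n".join([
    "\t".join(["a" * 40, "Kai", "G", PRIMARY_FP, PRIMARY_FP]),            # authored on Mac
    "\t".join(["b" * 40, "Kai", "N", "", ""]),                            # kai-server today
    "\t".join(["c" * 40, "Kai", "G", KAI_SERVER_SUBKEY_FP, PRIMARY_FP]),  # after steps 1-3
    "\t".join(["d" * 40, "Kai", "G", STRANGER_FP, STRANGER_FP]),          # wrong key
])

if __name__ == "__main__":
    for v in verify_log(SAMPLE_LOG):
        print(v.commit[:7], "OK    " if v.ok else "REJECT", v.reason)
```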
coilysiren added
P3
and removed
P2
labels 2026-05-31 07:00:44 +00:00
Reference
coilyco-flight-deck/infrastructure#90