verification of commit signatures with SSH key

[jelmer]

Discussed in #1391

^{Originally posted by castedo October 20, 2024}
I am planning to migrate from using GitPython to Dulwich, but I will need to be able to verify commit signatures with SSH keys.

Am I correct that Dulwich does not have this functionality? It looks like tag signatures with GPG keys is only supported.

Are there any libraries or existing Python code that can do this? I've searched long and far and it seems the only Python code that replicates the core functionality of the type of SSH key signatures with git is https://github.com/grawity/ssh-datasign (thank you @grawity!) This is the SSHSIG type signature implemented by ssh-keygen -Y verify which is what git uses for SSH key signatures (nice blog post).

[castedo]

I've created https://gitlab.com/perm.pub/dulwich-sshsig-union for testing, coordination, and a bit of experimentation.

[castedo]

I somehow failed to recognize that my goal of switching hidos from GitPython to Dulwich will also require signing in addition verification. 🤦 So the mission of this thread has expanded to include signing too. But the code from grawity should make this relatively easy if I'm already doing all the work to test verification well.