Authenticating Git with device code

You can set up a GPG key and password store within your dev container to perform Git operations securely and establish a robust authentication layer to clone, commit, and push changes to your repository.

Before you begin

You must have performed the following task:

About this task

The process involves creating a GPG key, initializing a password store, and then using a device code or passphrase to perform Git operations. For details on generating a GPG key, see https://docs.github.com/en/authentication/managing-commit-signature-verification/generating-a-new-gpg-key

Procedure

  1. Launch the dev container
    1. From the launcher in DevOps Loop, click the Code button.
    2. Run the dev container to start the code-server instance.
    3. After the container is running, open a new terminal by clicking the Explorer button in the right vertical toolbar and selecting Terminal.
    All subsequent steps must be run as commands from this terminal.
  2. Configure a GPG Key
    1. In the terminal, run the following command to create a GPG key with a passphrase:

      gpg --full-generate-key

    2. When prompted, select "RSA and RSA (default)", which is the first option, as the key type.
    3. Specify the desired key size and how long the key should be valid.
    4. After you specify the validity period, a prompt shows the key's expiration date. Confirm that this date is correct.
    5. The key identification process will then ask for a User ID, which includes your real name, email address, and an optional comment. During this step, you may be instructed to perform actions like moving your mouse or typing on the keyboard to generate enough "entropy".
    6. To protect your new key, you will be prompted to enter a passphrase.
    7. After the key is generated, you will see a line that says:

      gpg: key <GPG Key> marked as ultimately trusted

      This confirms the key's creation.

    8. If the key is not printed properly, use this command:

      gpg --list-secret-keys --keyid-format LONG

  3. Initialize the Password Store
    • Use the following command to initialize the password store with your key.

      pass init <GPG Key>

      A message similar to the following confirms that the password store has been initialized and a directory (e.g., /usr/code/starter-ibm-devops-automation-code-minimal-1-0-300/.password-store/) has been created:

      mkdir: created directory '/usr/code/starter-ibm-devops-automation-code-minimal-1-0-300/.password-store/'

      Password store initialized for <GPG Key ID>

  4. Export an environment variable
    You must export the GPG_TTY environment variable each time you open a new terminal, so that GPG can prompt for your passphrase in that terminal.

      export GPG_TTY=$(tty)

  5. Perform Git Operations via Terminal
    After the setup is complete, you can use a device code to perform Git operations. The device code is only valid as long as the GPG key is valid. If the key expires (for example, in one day), you will need to repeat the entire setup process the next day. When a session expires, you can use the passphrase to perform further Git operations.
    Example: Cloning, adding, committing, and pushing changes to the Control repository
    1. Copy the repository link from Control Repository, and run the following command to clone it:

      git clone <control-repo-link>

      Note: During the clone operation, you are prompted to authenticate by visiting a link provided in the terminal, entering the provided device code, and then granting access to the Git credential manager by clicking Yes.
    2. After cloning, you can add a file, and then commit and push the changes to the repository. This process is similar to working with a standard GitHub repository.

      When you run git push, you are prompted to provide your passphrase to complete the operation.

  6. Alternatively, use the Git UI
    1. From the right toolbar, click File > Open folder and select the root directory.
    2. Click the Clone Repository button.
    3. Paste the Control repository link when prompted.
    4. Authenticate by visiting the provided link and entering the device code, then approve the Git credential manager prompt.
    5. Once cloned, use the UI to add, commit, and push changes.
    6. When pushing, enter your passphrase when prompted to complete the operation.
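
Step 5 ties the device code to the validity of the GPG key, so it helps to check the key, GPG_TTY and the password store before starting a Git operation. The following shell script is an added example, not part of the original page or the product; the function names, the one-hour warning threshold and the sample key listing are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page: pre-flight check for steps 2-5.
# Constructed sample of `gpg --list-secret-keys --with-colons` output; only
# field 1 (record type), field 5 (long key ID) and field 7 (expiry, epoch
# seconds, empty = no expiry) are used.
SAMPLE_KEYS='sec:u:3072:1:AAAABBBBCCCCDDDD:1700000000:1700086400::u:::scESC:
uid:u::::1700000000::::Example User <user@example.com>:
sec:u:3072:1:1111222233334444:1700000000:::u:::scESC:'

# key_seconds_left KEY NOW   (colon listing on stdin)
# Prints seconds until the secret key expires, or "never". KEY is the 16-hex
# long ID or the 40-hex fingerprint. Returns 1 when the key is not listed.
key_seconds_left() {
  awk -F: -v id="$1" -v now="$2" '
    BEGIN { id = toupper(id); if (length(id) > 16) id = substr(id, length(id) - 15) }
    $1 == "sec" && $5 == id {
      if ($7 == "") print "never"; else printf "%d\n", $7 - now
      found = 1; exit
    }
    END { exit !found }'
}

# key_status KEY NOW MIN_SECONDS   (colon listing on stdin)
# Prints ok | expiring | expired | missing; returns non-zero unless ok.
key_status() {
  left=$(key_seconds_left "$1" "$2") || { echo missing; return 1; }
  if [ "$left" = never ]; then echo ok
  elif [ "$left" -le 0 ]; then echo expired; return 1
  elif [ "$left" -lt "$3" ]; then echo expiring; return 1
  else echo ok; fi
}

# preflight KEY: check the live terminal, keyring and password store.
# Assumes pass keeps its key list in $PASSWORD_STORE_DIR/.gpg-id
# (default ~/.password-store); warns when under one hour of validity remains.
preflight() {
  rc=0
  [ -n "${GPG_TTY:-}" ] || { echo "GPG_TTY unset: run export GPG_TTY=\$(tty)"; rc=1; }
  s=$(gpg --list-secret-keys --with-colons 2>/dev/null |
      key_status "$1" "$(date +%s)" 3600) || rc=1
  echo "key $1: $s"
  idfile="${PASSWORD_STORE_DIR:-$HOME/.password-store}/.gpg-id"
  if [ -f "$idfile" ]; then echo "store key(s): $(tr '\n' ' ' < "$idfile")"
  else echo "no $idfile: run pass init $1"; rc=1; fi
  return "$rc"
}

# Live check only when requested: sh preflight.sh --check <GPG Key>
if [ "${1:-}" = "--check" ]; then preflight "${2:-}"; fi
```

A status of expired or missing means the setup from step 2 onward has to be repeated before the device code can be used again.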