Sign batch changes commit with an instance-wide certificate
Created by: malomarrec
Customer problem and context
Some customers require all commits to be signed. There was ample discussion of potential solutions and scope in the customer-submitted issue (#15271).
This issue is not trivial: to rigorously validate the chain of truth down to the user, one would have to sign each commit with that user's own certificate, ideally on the user's local machine. This is not possible because src-cli only generates the diff, which is then sent to the Sourcegraph instance, which in turn creates the commit (at apply time).
Signing each commit with the user's certificate would require either (a) fully trusting the instance with storing each user's certificate, or (b) re-architecting Batch Changes to produce commits locally. The former is a very large scope, and not entirely desirable from a chain of truth perspective. The latter is incompatible with the Batch Changes model, and with running batch changes server-side.
However, a reasonable option emerged in discussions.
Impacted customers
- https://github.com/sourcegraph/accounts/issues/8360
- https://github.com/sourcegraph/accounts/issues/6312
- https://github.com/sourcegraph/accounts/issues/280
- https://github.com/sourcegraph/accounts/issues/8290
Also see: https://sourcegraph2020.lightning.force.com/lightning/r/Product_Gap__c/a1B3t00000Im5oOEAR/view
Proposed solution
Allow signing commits with a single, instance-wide certificate. At first there is a single key shared by all code hosts. The key will be stored as a site-admin config value, along with its passphrase if it has one.
As a user puts it, this validates that "sourcegraph believes this person submitted the change at the time of the commit". While it is not sufficient for ascertaining the chain of truth end to end, it meets the requirements of:
- https://github.com/sourcegraph/accounts/issues/8360
- https://github.com/sourcegraph/accounts/issues/280
but not of:
- https://github.com/sourcegraph/accounts/issues/6312
Setup
The site admin:
- generates an x509 certificate and GPG key
- adds the private key to Sourcegraph as a site config value
- if the private key has a passphrase, also saves it as a site config parameter; otherwise nothing more is needed
- adds the public key to the code host
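As an added example (not Sourcegraph or src-cli code), the following shell script shows the flow this proposal implies in miniature: an instance-wide GPG key is generated, a commit is created and signed with it the way the instance would sign at apply time, and a reviewer-side check confirms that HEAD carries a good signature from exactly that key's fingerprint. Everything in it is an assumption made for the demo: the key identity and e-mail addresses, the temporary paths and the function names. The site-config parameter names are not specified in this issue, so the script works directly with git and gpg instead.

```shell
#!/bin/sh
# Added example, not Sourcegraph code. Demonstrates: generating an
# instance-wide signing key, signing a commit with it, and verifying that a
# commit was signed by that exact key (fingerprint pin). Identities, paths and
# function names below are constructed for the demo.
set -eu

# Isolated GnuPG home so the demo never touches a real keyring.
WORK="$(mktemp -d)"
GNUPGHOME="$WORK/gnupg"
export GNUPGHOME
mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"

# The author stays the Batch Changes user; the committer is the instance,
# which mirrors who actually creates the commit at apply time.
export GIT_AUTHOR_NAME="Batch Changes user" GIT_AUTHOR_EMAIL="user@example.com"
export GIT_COMMITTER_NAME="Sourcegraph" GIT_COMMITTER_EMAIL="sourcegraph@example.com"

# 1. Generate the instance-wide key non-interactively (constructed identity).
#    A real deployment would protect the key with a passphrase kept in site
#    config; %no-protection is used here only so the demo runs unattended.
#    Prints the 40-hex-digit fingerprint of the key just created.
generate_instance_key() {
  gpg --batch --quiet --gen-key <<'EOF'
%no-protection
Key-Type: eddsa
Key-Curve: ed25519
Name-Real: Sourcegraph Batch Changes (demo)
Name-Email: sourcegraph@example.com
Expire-Date: 0
%commit
EOF
  gpg --batch --with-colons --list-secret-keys sourcegraph@example.com \
    | awk -F: '$1 == "fpr" { f = $10 } END { print f }'
}

# 2. Create a repository whose commits are signed with the given key, the way
#    the instance would sign each batch change commit. Prints the repo path.
make_signed_commit() {
  fpr="$1"
  repo="$(mktemp -d "$WORK/repo.XXXXXX")"
  git init -q "$repo"
  git -C "$repo" config user.signingkey "$fpr"
  git -C "$repo" config commit.gpgsign true
  echo "change produced by a batch spec" > "$repo/file.txt"
  git -C "$repo" add file.txt
  git -C "$repo" commit -q -m "batch change: demo"
  echo "$repo"
}

# 3. Reviewer-side check. %G? is git's signature status: G = good signature,
#    U = good signature from a key of unknown trust-db validity. Both are
#    cryptographically valid; what ties the commit to the instance is %GF,
#    the fingerprint of the signing key, which must equal the pinned one.
verify_signed_by() {
  repo="$1"
  expected_fpr="$2"
  out="$(git -C "$repo" log -1 --format='%G? %GF' HEAD)"
  status="${out%% *}"
  fpr="${out#* }"
  { [ "$status" = "G" ] || [ "$status" = "U" ]; } && [ "$fpr" = "$expected_fpr" ]
}

# Usage: generate the key, sign one commit, then verify the pin.
demo_fpr="$(generate_instance_key)"
demo_repo="$(make_signed_commit "$demo_fpr")"
if verify_signed_by "$demo_repo" "$demo_fpr"; then
  echo "HEAD is signed by the instance key $demo_fpr"
fi
```

Because every user's commits share the one key, a good signature proves only that the instance produced the commit, which is exactly the "sourcegraph believes this person submitted the change" guarantee described above. The fingerprint pin in verify_signed_by is the part worth keeping: a code host rule that merely requires signed commits would also accept commits signed by any other key, so a reviewer or CI job should compare against the instance key's fingerprint and rely on the author field for the user's identity.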
Out of scope, potential future improvements
- encrypt the certificate, or store it in a secret manager such as Vault
- add the ability to have one certificate per code host connection