Using gpg signing for git commits does not work with tuf-on-ci-delegate

[mikn]

I did not do a lot of debugging on this, but I have set up gpg signing on git commits on my global git config. This is backed by a yubikey with its openpgp feature. It requires a tap to actually generate the signature.

When running tuf-on-ci-delegate with this setting, it just blocks after the sigstore OpenID verification (and it also breaks the Yubikey PIV method, as the Yubikey does not switch modes fast enough) without any user interaction triggered.

A nagging suspicion is that it has something to do with this being triggered from a sub-process that does not have a TTY attached (?)

I could unblock it by triggering a TTY-backed signing event (opening another terminal and doing a git commit, then cancelling it), then tapping the Yubikey.

[jku]

When running tuf-on-ci-delegate with this setting, it just blocks after the sigstore OpenID verification ... without any user interaction triggered.

I'm not surprised if there are issues here: just shelling out to "git" like we do is not really a solid way to build applications.

That said, I have my git setup to authenticate pushes with my yubikey and at least that part works fine... I think the only difference is that commits are done with capture_output=True on the subprocess.

I'm not against making commiting somehow more visible in the tools if that helps your case

it also breaks the Yubikey PIV method, as the Yubikey does not switch modes fast enough

this I can imagine, yubikeys do not feel very robust when using multiple modules