Sign merges, CRUD, Wiki and Repository initialisation with gpg key #7631
Labels
No Label
backport/done
backport/v1.0
backport/v1.1
backport/v1.10
backport/v1.11
backport/v1.12
backport/v1.13
backport/v1.14
backport/v1.15
backport/v1.2
backport/v1.3
backport/v1.4
backport/v1.5
backport/v1.6
backport/v1.7
backport/v1.8
backport/v1.9
bounty
changelog
dependencies
frontport/done
frontport/main
good first issue
Hacktoberfest
hacktoberfest-accepted
in progress
kind/api
kind/breaking
kind/bug
kind/build
kind/deployment
kind/deprecated
kind/docs
kind/enhancement
kind/feature
kind/lint
kind/misc
kind/moderation
kind/package
kind/proposal
kind/question
kind/refactor
kind/regression
kind/security
kind/summary
kind/testing
kind/translation
kind/ui
kind/upstream-related
kind/usability
kind/ux
lgtm/done
lgtm/need 1
lgtm/need 2
performance/bigrepo
performance/cpu
performance/memory
performance/speed
priority/critical
priority/low
priority/maybe
priority/medium
proposal/rejected
reviewed/confirmed
reviewed/duplicate
reviewed/fixed
reviewed/invalid
reviewed/not-a-bug
reviewed/wontfix
skip-changelog
stale
status/blocked
status/needs-feedback
status/wip
theme/2fa
theme/authentication
theme/avatar
theme/backup-restore
theme/docker
theme/federation
theme/issues
theme/kanban
theme/markdown
theme/migration
theme/mobile
theme/pr
theme/signing
theme/sqlite
theme/timetracker
theme/webhook
theme/wiki
No Milestone
No project
No Assignees
2 Participants
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: lunny/gitea#7631
Loading…
Reference in New Issue
Block a user
No description provided.
Delete Branch "web-sign"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
This PR fixes #7598 by providing a configurable way of signing commits across the Gitea instance. Per repository configurability and import/generation of trusted secure keys is not provided by this PR - from a security PoV that's probably impossible to do properly. Similarly web-signing, that is asking the user to sign something, is not implemented - this could be done at a later stage however.
Features
I have decided that adjusting the docker to create a default gpg key is not the correct thing to do and therefore have not implemented this.
Codecov Report
56.5% <ø> (ø)
51.42% <ø> (ø)
6.66% <ø> (ø)
0% <0%> (ø)
36.61% <0%> (ø)
73.08% <100%> (+0.08%)
71.07% <100%> (+0.63%)
81.73% <100%> (+0.32%)
69.49% <31.25%> (-14.23%)
51.17% <40%> (-0.19%)
Continue to review full report at Codecov.
This is a bug, could we create a new PR to fix this and back port it to v1.9?
I actually introduced it in this pr (by accident) - it's not actually in the codebase.
There's a problem with the current merging author and committer. They don't really work correctly.
I think the committer for these should definitely be the doer - (which they currently aren't - it's currently Gitea)
Now the author is difficult - should this be the PR author - well that doesn't necessarily match who is the author of most of these commits and isn't necessarily the owner of the headRepo. Should it be the owner of the headRepo - if that person is a user - otherwise the opener of the PR?
We should probably use the Co-Authored-By: tag in our commits.
This issue can wait for another PR. In the meantime I've just set the committer to be the same as the author
Edit2:
Just to clarify this really only matters for squash commits - this code sets the author to the PR poster and committer to the doer of the merge.
Which
.gitconfig
file does this refer to? The server-side one of the SSH user?GitHub only shows the committer's gpg key if that's of any help.
Hey @silverwind. I'm referring to .gitconfig on the server side. There are three levels of .git config on the server:
My code should run down each one in turn as I use git config without a specifying argument.
I'm not sure exactly what GitHub does - I'd have to check, but as far as I can see looking at the code for verify-commit and from my understanding of how it's supposed to work - you don't need to be the committer or the author to sign a commit. Neither are used to verify that the signature is correct as GPG does not parse the commit data - it simply verifies that the signature is valid for the string representation for the commit block without the gpgsign block. I suspect that it's a very common misconception that only the committer can sign the commit - it is not the case.
This makes sense because you might want to rewrite history to re-sign from a compromised key and may not be able to contact the original authors although you trust the code. The commit signature only signs the commit - so given two commits, one signed and one not - you can verify that they're talking about the same thing from tree hash even if they have different parents.
Interesting, so supposedly, I can generate a gpg key pair for the
RUN_USER
and add that to any user in the UI and the commits should show up as signed and verified, right? Maybe this should be documented somewhere.@sapk There are now tests for this. see
integrations/gpg_git_test.go
@ -75,2 +75,4 @@
LOCK_REASONS=Too heated,Off-topic,Resolved,Spam
[repository.signing]
; GPG key to use to sign commits, Defaults to the default - that is the value of git config --get user.signingkey
Maybe add a comment that this uses
RUN_USER
's git config.@ -77,0 +84,4 @@
; the results of git config --get user.name and git config --get user.email respectively and can only be overrided
; by setting the SIGNING_KEY ID to the correct ID.)
SIGNING_NAME =
SIGNING_EMAIL =
Can these be derived from git config as well, as a default?
Please resolve the conflicts
@ -75,2 +75,4 @@
LOCK_REASONS=Too heated,Off-topic,Resolved,Spam
[repository.signing]
; GPG key to use to sign commits, Defaults to the default - that is the value of git config --get user.signingkey
Done
@ -77,0 +84,4 @@
; the results of git config --get user.name and git config --get user.email respectively and can only be overrided
; by setting the SIGNING_KEY ID to the correct ID.)
SIGNING_NAME =
SIGNING_EMAIL =
When the SIGNING_KEY is set to default these values are not used and instead the results of:
git config --get user.name
andgit config --get user.email
are used.I've adjusted the comments here.
Conflicts resolved.
Conflicts resolved again - restored functionality for early gits.
also works with gpg card (yubiKey) - if a server owner use this methode to store the priv-key then stealing them is a physical akt :)
@zeripath swagger doesnt show api /api/v1/signing-key.gpg
is this intended?
@6543 Damn I forgot those.
It's not actually immediately obvious what the swagger spec for these would though.
Merges from Pull Requests
I don't think we do any other merges but I take your point.
@ -98,3 +98,4 @@
Payload string `json:"payload"`
}
var (
Why is
Signer
needed?Otherwise LG-TM apart to comment above
@ -98,3 +98,4 @@
Payload string `json:"payload"`
}
var (
The user signing a commit is not necessarily the author or committer.
@ -98,3 +98,4 @@
Payload string `json:"payload"`
}
var (
Yes but does it really matter?
Signature
is pretty much what we need for verification@ -98,3 +98,4 @@
Payload string `json:"payload"`
}
var (
It will give a reference the signers name/email address (if we can match it) - so you can look them up in a keyserver or on Gitea.
A GPG signature only contains the ID of the key that signed the signature - if you don't have a public key in your local keyring that matches that ID you can't verify the signature.
Now if Gitea has verified the signature you can figure out how it has verified the signature.
@6543 I've added swagger definitions to
/signing-key.gpg
@ -98,3 +98,4 @@
Payload string `json:"payload"`
}
var (
But there is only 3 keys that it can be - Gitea server signing key, repo singing key or commiter signing key
@ -98,3 +98,4 @@
Payload string `json:"payload"`
}
var (
Could be anyone. You can sign anyone's commit.
@ -98,3 +98,4 @@
Payload string `json:"payload"`
}
var (
But it won't be verified then imho
@ -98,3 +98,4 @@
Payload string `json:"payload"`
}
var (
There is no parsing of the git commit when verifying a commit - it is simply does a key with ID that matches the ID of the signature decrypt the signature to the commit.
The key that matches the signature does not need to match anyone on the commit. It simply has to be a key on the keyring.
An example:
git checkout 08da6496b61341ec45eac36afcc8f94242763468 -b re-sign
git cat-file commit re-sign
- Pay attention to the CommitterGIT_COMMITTER_NAME="Junio C Hamano" GIT_COMMITTER_EMAIL="gitster@pobox.com" git commit --amend -S --no-edit
git cat-file commit re-sign
git verify-commit re-sign
@ -98,3 +98,4 @@
Payload string `json:"payload"`
}
var (
@lafriks The signer can change, update, etc. their gpg key after signing. I think it's valuable to keep the actual key instead of the signer identity.
@ -98,3 +98,4 @@
Payload string `json:"payload"`
}
var (
(And of course, @zeripath 's explanation)
@ -98,3 +98,4 @@
Payload string `json:"payload"`
}
var (
So, yeah, when I discovered this I was quite surprised, but it allows you to re-sign someone else's trees affirming your continued trust in those commits even if you no longer trust their signature.
Unfortunately this changes the sha of the commit so you have to effectively rebase by doing a git filter-branch for each commit and if you do do it because a key was compromised and is no longer trustworthy you have you change your heads to use the new commit heads.
(However the tree SHA should be the same so there should be a way to get git to recognise the commits would apply.)
I approved through I still find it a bit unneeded field imho as in UI we use user with that got key added :) but it might be useful to someone.