mirror of
https://github.com/go-gitea/gitea
synced 2025-07-26 20:28:40 +00:00
Sign merges, CRUD, Wiki and Repository initialisation with gpg key (#7631)
This PR fixes #7598 by providing a configurable way of signing commits across the Gitea instance. Per repository configurability and import/generation of trusted secure keys is not provided by this PR - from a security PoV that's probably impossible to do properly. Similarly web-signing, that is asking the user to sign something, is not implemented - this could be done at a later stage however. ## Features - [x] If commit.gpgsign is set in .gitconfig sign commits and files created through repofiles. (merges should already have been signed.) - [x] Verify commits signed with the default gpg as valid - [x] Signer, Committer and Author can all be different - [x] Allow signer to be arbitrarily different - We still require the key to have an activated email on Gitea. A more complete implementation would be to use a keyserver and mark external-or-unactivated with an "unknown" trust level icon. - [x] Add a signing-key.gpg endpoint to get the default gpg pub key if available - Rather than add a fake web-flow user I've added this as an endpoint on /api/v1/signing-key.gpg - [x] Try to match the default key with a user on gitea - this is done at verification time - [x] Make things configurable? - app.ini configuration done - [x] when checking commits are signed need to check if they're actually verifiable too - [x] Add documentation I have decided that adjusting the docker to create a default gpg key is not the correct thing to do and therefore have not implemented this.
This commit is contained in:
zeripath
GitHub
@@ -26,6 +26,16 @@
|
||||
<img class="ui avatar image" src="{{AvatarLink .Commit.Author.Email}}" />
|
||||
<strong>{{.Commit.Author.Name}}</strong>
|
||||
{{end}}
|
||||
{{if or (ne .Commit.Committer.Name .Commit.Author.Name) (ne .Commit.Committer.Email .Commit.Author.Email)}}
|
||||
<span> </span>
|
||||
{{if ne .Verification.CommittingUser.ID 0}}
|
||||
<img class="ui avatar image" src="{{.Verification.CommittingUser.RelAvatarLink}}" />
|
||||
<a href="{{.Verification.CommittingUser.HomeLink}}"><strong>{{.Commit.Committer.Name}}</strong></a> <{{.Commit.Committer.Email}}>
|
||||
{{else}}
|
||||
<img class="ui avatar image" src="{{AvatarLink .Commit.Committer.Email}}" />
|
||||
<strong>{{.Commit.Committer.Name}}</strong>
|
||||
{{end}}
|
||||
{{end}}
|
||||
<span class="text grey" id="authored-time">{{TimeSince .Commit.Author.When $.Lang}}</span>
|
||||
</div>
|
||||
<div class="seven wide right aligned column">
|
||||
@@ -50,15 +60,36 @@
|
||||
{{if .Commit.Signature}}
|
||||
{{if .Verification.Verified }}
|
||||
<div class="ui bottom attached positive message">
|
||||
<i class="green lock icon"></i>
|
||||
<span>{{.i18n.Tr "repo.commits.signed_by"}}:</span>
|
||||
<a href="{{.Verification.SigningUser.HomeLink}}"><strong>{{.Commit.Committer.Name}}</strong></a> <{{.Commit.Committer.Email}}>
|
||||
<span class="pull-right"><span>{{.i18n.Tr "repo.commits.gpg_key_id"}}:</span> {{.Verification.SigningKey.KeyID}}</span>
|
||||
{{if ne .Verification.SigningUser.ID 0}}
|
||||
<i class="green lock icon"></i>
|
||||
<span>{{.i18n.Tr "repo.commits.signed_by"}}:</span>
|
||||
<img class="ui avatar image" src="{{.Verification.SigningUser.RelAvatarLink}}" />
|
||||
<a href="{{.Verification.SigningUser.HomeLink}}"><strong>{{.Verification.SigningUser.Name}}</strong></a> <{{.Verification.SigningEmail}}>
|
||||
<span class="pull-right"><span>{{.i18n.Tr "repo.commits.gpg_key_id"}}:</span> {{.Verification.SigningKey.KeyID}}</span>
|
||||
{{else}}
|
||||
<i class="icons" title="{{.i18n.Tr "gpg.default_key"}}">
|
||||
<i class="green lock icon"></i>
|
||||
<i class="tiny inverted cog icon centerlock"></i>
|
||||
</i>
|
||||
<span>{{.i18n.Tr "repo.commits.signed_by"}}:</span>
|
||||
<img class="ui avatar image" src="{{AvatarLink .Verification.SigningEmail}}" />
|
||||
<strong>{{.Verification.SigningUser.Name}}</strong> <{{.Verification.SigningEmail}}>
|
||||
<span class="pull-right"><span>{{.i18n.Tr "repo.commits.gpg_key_id"}}:</span> <i class="cogs icon" title="{{.i18n.Tr "gpg.default_key"}}"></i>{{.Verification.SigningKey.KeyID}}</span>
|
||||
{{end}}
|
||||
</div>
|
||||
{{else if .Verification.Warning}}
|
||||
<div class="ui bottom attached message">
|
||||
<i class="red unlock icon"></i>
|
||||
<span class="red text">{{.i18n.Tr .Verification.Reason}}</span>
|
||||
<span class="pull-right"><span class="red text">{{.i18n.Tr "repo.commits.gpg_key_id"}}:</span> <i class="red warning icon"></i>{{.Verification.SigningKey.KeyID}}</span>
|
||||
</div>
|
||||
{{else}}
|
||||
<div class="ui bottom attached message">
|
||||
<i class="grey unlock icon"></i>
|
||||
{{.i18n.Tr .Verification.Reason}}
|
||||
{{if and .Verification.SigningKey (ne .Verification.SigningKey.KeyID "")}}
|
||||
<span class="pull-right"><span class="red text">{{.i18n.Tr "repo.commits.gpg_key_id"}}:</span> <i class="red warning icon"></i>{{.Verification.SigningKey.KeyID}}</span>
|
||||
{{end}}
|
||||
</div>
|
||||
{{end}}
|
||||
{{end}}
|
||||
|
||||
@@ -56,12 +56,21 @@
|
||||
{{end}}
|
||||
</td>
|
||||
<td class="sha">
|
||||
<a rel="nofollow" class="ui sha label {{if .Signature}} isSigned {{if .Verification.Verified }} isVerified {{end}}{{end}}" href="{{AppSubUrl}}/{{$.Username}}/{{$.Reponame}}/commit/{{.ID}}">
|
||||
<a rel="nofollow" class="ui sha label {{if .Signature}} isSigned {{if .Verification.Verified }} isVerified {{else if .Verification.Warning}} isWarning {{end}}{{end}}" href="{{AppSubUrl}}/{{$.Username}}/{{$.Reponame}}/commit/{{.ID}}">
|
||||
{{ShortSha .ID.String}}
|
||||
{{if .Signature}}
|
||||
<div class="ui detail icon button">
|
||||
{{if .Verification.Verified}}
|
||||
<i title="{{.Verification.Reason}}" class="lock green icon"></i>
|
||||
{{if ne .Verification.SigningUser.ID 0}}
|
||||
<i title="{{.Verification.Reason}}" class="lock green icon"></i>
|
||||
{{else}}
|
||||
<i title="{{.Verification.Reason}}" class="icons">
|
||||
<i class="green lock icon"></i>
|
||||
<i class="tiny inverted cog icon centerlock"></i>
|
||||
</i>
|
||||
{{end}}
|
||||
{{else if .Verification.Warning}}
|
||||
<i title="{{$.i18n.Tr .Verification.Reason}}" class="red unlock icon"></i>
|
||||
{{else}}
|
||||
<i title="{{$.i18n.Tr .Verification.Reason}}" class="unlock icon"></i>
|
||||
{{end}}
|
||||
|
||||
@@ -5140,6 +5140,42 @@
|
||||
}
|
||||
}
|
||||
},
|
||||
"/repos/{owner}/{repo}/signing-key.gpg": {
|
||||
"get": {
|
||||
"produces": [
|
||||
"text/plain"
|
||||
],
|
||||
"tags": [
|
||||
"repository"
|
||||
],
|
||||
"summary": "Get signing-key.gpg for given repository",
|
||||
"operationId": "repoSigningKey",
|
||||
"parameters": [
|
||||
{
|
||||
"type": "string",
|
||||
"description": "owner of the repo",
|
||||
"name": "owner",
|
||||
"in": "path",
|
||||
"required": true
|
||||
},
|
||||
{
|
||||
"type": "string",
|
||||
"description": "name of the repo",
|
||||
"name": "repo",
|
||||
"in": "path",
|
||||
"required": true
|
||||
}
|
||||
],
|
||||
"responses": {
|
||||
"200": {
|
||||
"description": "GPG armored public key",
|
||||
"schema": {
|
||||
"type": "string"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
"/repos/{owner}/{repo}/stargazers": {
|
||||
"get": {
|
||||
"produces": [
|
||||
@@ -5691,6 +5727,26 @@
|
||||
}
|
||||
}
|
||||
},
|
||||
"/signing-key.gpg": {
|
||||
"get": {
|
||||
"produces": [
|
||||
"text/plain"
|
||||
],
|
||||
"tags": [
|
||||
"miscellaneous"
|
||||
],
|
||||
"summary": "Get default signing-key.gpg",
|
||||
"operationId": "getSigningKey",
|
||||
"responses": {
|
||||
"200": {
|
||||
"description": "GPG armored public key",
|
||||
"schema": {
|
||||
"type": "string"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
"/teams/{id}": {
|
||||
"get": {
|
||||
"produces": [
|
||||
@@ -9525,6 +9581,9 @@
|
||||
"type": "string",
|
||||
"x-go-name": "Signature"
|
||||
},
|
||||
"signer": {
|
||||
"$ref": "#/definitions/PayloadUser"
|
||||
},
|
||||
"verified": {
|
||||
"type": "boolean",
|
||||
"x-go-name": "Verified"
|
||||
|
||||
Reference in New Issue
Block a user