Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Sign merges, CRUD, Wiki and Repository initialisation with gpg key #7631

Merged
merged 27 commits into from
Oct 16, 2019
Merged
Show file tree
Hide file tree
Changes from 23 commits
Commits
Show all changes
27 commits
Select commit Hold shift + click to select a range
b205fdf
Enable use of default gpg key for signing commits
zeripath Jul 26, 2019
9f8cdb5
fix more unix date uses
zeripath Aug 1, 2019
35b68ce
Merge branch 'master' into web-sign
zeripath Aug 7, 2019
e5f8508
Merge branch 'master' into web-sign
zeripath Aug 16, 2019
5e5d201
fix verification for provided key id and file response
zeripath Aug 16, 2019
c4fda14
Add some integration test for gpg signing
zeripath Aug 16, 2019
483ac21
fix issue with default reason
zeripath Aug 17, 2019
7d0ffa9
Merge branch 'master' into web-sign
zeripath Aug 17, 2019
4c8487f
update vendor
zeripath Aug 17, 2019
dae22e7
Use gpg.error.not_signed_commit instead of unsigned for unsigned commits
zeripath Aug 17, 2019
f4a07a5
Restore old signing key, name, and email at end of gpg_git_test
zeripath Aug 17, 2019
b674f17
fix repofiles_delete_test
zeripath Aug 17, 2019
52740e6
Make it possible to get per repository signing-keys
zeripath Aug 17, 2019
09d771a
Update documentation
zeripath Aug 17, 2019
cf35ac6
Merge branch 'master' into web-sign
zeripath Aug 17, 2019
a7dca0b
Merge branch 'master' into web-sign
zeripath Oct 9, 2019
5d827d5
Adjust the app.ini.sample to make SIGNING_* clearer
zeripath Oct 9, 2019
83fc620
Fix duplicate declaration of modules/settings in file_test
zeripath Oct 9, 2019
61bb5c2
Merge branch 'master' into web-sign
zeripath Oct 13, 2019
942ccbe
Ensure early git functionality
zeripath Oct 13, 2019
d245253
Add functionality note
zeripath Oct 13, 2019
a1f4a0d
Oops -m is present since 1.7.2 on commit
zeripath Oct 13, 2019
e1979a7
Merge branch 'master' into web-sign
zeripath Oct 14, 2019
b03ca96
Update docs/content/doc/advanced/signing.en-us.md
zeripath Oct 15, 2019
070a5c2
Merge branch 'master' into web-sign
zeripath Oct 15, 2019
7a01822
Add swagger definitions
zeripath Oct 15, 2019
f9f14c0
Merge branch 'master' into web-sign
lafriks Oct 16, 2019
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -168,6 +168,10 @@ fmt-check:
test:
GO111MODULE=on $(GO) test -mod=vendor -tags='sqlite sqlite_unlock_notify' $(PACKAGES)

.PHONY: test\#%
test\#%:
GO111MODULE=on $(GO) test -mod=vendor -tags='sqlite sqlite_unlock_notify' -run $* $(PACKAGES)

.PHONY: coverage
coverage:
@hash gocovmerge > /dev/null 2>&1; if [ $$? -ne 0 ]; then \
Expand Down
33 changes: 32 additions & 1 deletion custom/conf/app.ini.sample
Original file line number Diff line number Diff line change
Expand Up @@ -74,6 +74,37 @@ WORK_IN_PROGRESS_PREFIXES=WIP:,[WIP]
; List of reasons why a Pull Request or Issue can be locked
LOCK_REASONS=Too heated,Off-topic,Resolved,Spam

[repository.signing]
; GPG key to use to sign commits, Defaults to the default - that is the value of git config --get user.signingkey
zeripath marked this conversation as resolved.
Show resolved Hide resolved
; run in the context of the RUN_USER
; Switch to none to stop signing completely
SIGNING_KEY = default
; If a SIGNING_KEY ID is provided and is not set to default, use the provided Name and Email address as the signer.
; These should match a publicized name and email address for the key. (When SIGNING_KEY is default these are set to
; the results of git config --get user.name and git config --get user.email respectively and can only be overrided
; by setting the SIGNING_KEY ID to the correct ID.)
SIGNING_NAME =
SIGNING_EMAIL =
lafriks marked this conversation as resolved.
Show resolved Hide resolved
; Determines when gitea should sign the initial commit when creating a repository
; Either:
; - never
; - pubkey: only sign if the user has a pubkey
; - twofa: only sign if the user has logged in with twofa
; - always
; options other than none and always can be combined as comma separated list
INITIAL_COMMIT = always
; Determines when to sign for CRUD actions
; - as above
; - parentsigned: requires that the parent commit is signed.
CRUD_ACTIONS = pubkey, twofa, parentsigned
; Determines when to sign Wiki commits
; - as above
WIKI = never
; Determines when to sign on merges
; - basesigned: require that the parent of commit on the base repo is signed.
; - commitssigned: require that all the commits in the head branch are signed.
MERGES = pubkey, twofa, basesigned, commitssigned

[cors]
; More information about CORS can be found here: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#The_HTTP_response_headers
; enable cors headers (disabled by default)
Expand Down Expand Up @@ -415,7 +446,7 @@ DEFAULT_ALLOW_CREATE_ORGANIZATION = true
; Public is for everyone
DEFAULT_ORG_VISIBILITY = public
; Default value for DefaultOrgMemberVisible
; True will make the membership of the users visible when added to the organisation
; True will make the membership of the users visible when added to the organisation
DEFAULT_ORG_MEMBER_VISIBLE = false
; Default value for EnableDependencies
; Repositories will use dependencies by default depending on this setting
Expand Down
19 changes: 19 additions & 0 deletions docs/content/doc/advanced/config-cheat-sheet.en-us.md
Original file line number Diff line number Diff line change
Expand Up @@ -76,6 +76,25 @@ Values containing `#` or `;` must be quoted using `` ` `` or `"""`.

- `LOCK_REASONS`: **Too heated,Off-topic,Resolved,Spam**: A list of reasons why a Pull Request or Issue can be locked

### Repository - Signing (`repository.signing`)

- `SIGNING_KEY`: **default**: \[none, KEYID, default \]: Key to sign with.
- `SIGNING_NAME` & `SIGNING_EMAIL`: if a KEYID is provided as the `SIGNING_KEY`, use these as the Name and Email address of the signer. These should match publicized name and email address for the key.
- `INITIAL_COMMIT`: **always**: \[never, pubkey, twofa, always\]: Sign initial commit.
- `never`: Never sign
- `pubkey`: Only sign if the user has a public key
- `twofa`: Only sign if the user is logged in with twofa
- `always`: Always sign
- Options other than `never` and `always` can be combined as a comma separated list.
- `WIKI`: **never**: \[never, pubkey, twofa, always, parentsigned\]: Sign commits to wiki.
- `CRUD_ACTIONS`: **pubkey, twofa, parentsigned**: \[never, pubkey, twofa, parentsigned, always\]: Sign CRUD actions.
- Options as above, with the addition of:
- `parentsigned`: Only sign if the parent commit is signed.
- `MERGES`: **pubkey, twofa, basesigned, commitssigned**: \[never, pubkey, twofa, basesigned, commitssigned, always\]: Sign merges.
- `basesigned`: Only sign if the parent commit in the base repo is signed.
- `headsigned`: Only sign if the head commit in the head branch is signed.
- `commitssigned`: Only sign if all the commits in the head branch to the merge point are signed.

## CORS (`cors`)

- `ENABLED`: **false**: enable cors headers (disabled by default)
Expand Down
162 changes: 162 additions & 0 deletions docs/content/doc/advanced/signing.en-us.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,162 @@
---
date: "2019-08-17T10:20:00+01:00"
title: "GPG Commit Signatures"
slug: "signing"
weight: 20
toc: false
draft: false
menu:
sidebar:
parent: "advanced"
name: "GPG Commit Signatures"
weight: 20
identifier: "signing"
---

# GPG Commit Signatures

Gitea will verify GPG commit signatures in the provided tree by
checking if the commits are signed by a key within the gitea database,
or if the commit matches the default key for git.

Keys are not checked to determine if they have expired or revoked.
Keys are also not checked with keyservers.

A commit will be marked with a grey unlocked icon if no key can be
found to verify it. If a commit is marked with a red unlocked icon,
it is reported to be signed with a key with an id.

Please note: The signer of a commit does not have to be an author or
committer of a commit.

This functionality requires git >= 1.7.9 but for full functionality
this requires git >= 2.0.0.

## Automatic Signing

There are a number of places where Gitea will generate commits itself:

* Repository Initialisation
* Wiki Changes
* CRUD actions using the editor or the API
* Merges
zeripath marked this conversation as resolved.
Show resolved Hide resolved

Depending on configuration and server trust you may want Gitea to
sign these commits.

## General Configuration

Gitea's configuration for signing can be found with the
`[repository.signing]` section of `app.ini`:

```ini
...
[repository.signing]
SIGNING_KEY = default
SIGNING_NAME =
SIGNING_EMAIL =
INITIAL_COMMIT = always
CRUD_ACTIONS = pubkey, twofa, parentsigned
WIKI = never
MERGES = pubkey, twofa, basesigned, commitssigned

...
```

### `SIGNING_KEY`

The first option to discuss is the `SIGNING_KEY`. There are three main
options:

* `none` - this prevents Gitea from signing any commits
* `default` - Gitea will default to the key configured within
`git config`
* `KEYID` - Gitea will sign commits with the gpg key with the ID
`KEYID`. In this case you should provide a `SIGNING_NAME` and
`SIGNING_EMAIL` to be displayed for this key.

The `default` option will interrogate `git config` for
`commit.gpgsign` option - if this is set, then it will use the results
of the `user.signingkey`, `user.name` and `user.email` as appropriate.

Please note: by adjusting git's `config` file within Gitea's
repositories, `SIGNING_KEY=default` could be used to provide different
signing keys on a per-repository basis. However, this is cleary not an
ideal UI and therefore subject to change.

### `INITIAL_COMMIT`

This option determines whether Gitea should sign the initial commit
when creating a repository. The possible values are:

* `never`: Never sign
* `pubkey`: Only sign if the user has a public key
* `twofa`: Only sign if the user logs in with two factor authentication
* `always`: Always sign

Options other than `never` and `always` can be combined as a comma
separated list.

### `WIKI`

This options determines if Gitea should sign commits to the Wiki.
The possible values are:

* `never`: Never sign
* `pubkey`: Only sign if the user has a public key
* `twofa`: Only sign if the user logs in with two factor authentication
* `parentsigned`: Only sign if the parent commit is signed.
* `always`: Always sign

Options other than `never` and `always` can be combined as a comma
separated list.

### `CRUD_ACTIONS`

This option determines if Gitea should sign commits from the web
editor or API CRUD actions. The possible values are:

* `never`: Never sign
* `pubkey`: Only sign if the user has a public key
* `twofa`: Only sign if the user logs in with two factor authentication
* `parentsigned`: Only sign if the parent commit is signed.
* `always`: Always sign

Options other than `never` and `always` can be combined as a comma
separated list.

### `MERGES`

This option determines if Gitea should sign merge commits from PRs.
The possible options are:

* `never`: Never sign
* `pubkey`: Only sign if the user has a public key
* `twofa`: Only sign if the user logs in with two factor authentication
* `basesigned`: Only sign if the parent commit in the base repo is signed.
* `headsigned`: Only sign if the head commit in the head branch is signed.
* `commitssigned`: Only sign if all the commits in the head branch to the merge point are signed.
* `always`: Always sign

Options other than `never` and `always` can be combined as a comma
separated list.

## Installing and generating a GPG key for Gitea

It is up to a server administrator to determine how best to install
a signing key. Gitea generates all its commits using the server `git`
command at present - and therefore the server `gpg` will be used for
signing (if configured.) Administrators should review best-practices
for gpg - in particular it is probably advisable to only install a
signing secret subkey without the master signing and certifying secret
key.

## Obtaining the Public Key of the Signing Key

The public key used to sign Gitea's commits can be obtained from the API at:

```/api/v1/signing-key.gpg```

In cases where there is a repository specific key this can be obtained from:

```/api/v1/repos/:username/:reponame/signing-key.gpg```
35 changes: 35 additions & 0 deletions integrations/api_helper_for_declarative_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -231,3 +231,38 @@ func doAPIMergePullRequest(ctx APITestContext, owner, repo string, index int64)
ctx.Session.MakeRequest(t, req, 200)
}
}

func doAPIGetBranch(ctx APITestContext, branch string, callback ...func(*testing.T, api.Branch)) func(*testing.T) {
return func(t *testing.T) {
req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/branches/%s?token=%s", ctx.Username, ctx.Reponame, branch, ctx.Token)
if ctx.ExpectedCode != 0 {
ctx.Session.MakeRequest(t, req, ctx.ExpectedCode)
return
}
resp := ctx.Session.MakeRequest(t, req, http.StatusOK)

var branch api.Branch
DecodeJSON(t, resp, &branch)
if len(callback) > 0 {
callback[0](t, branch)
}
}
}

func doAPICreateFile(ctx APITestContext, treepath string, options *api.CreateFileOptions, callback ...func(*testing.T, api.FileResponse)) func(*testing.T) {
return func(t *testing.T) {
url := fmt.Sprintf("/api/v1/repos/%s/%s/contents/%s?token=%s", ctx.Username, ctx.Reponame, treepath, ctx.Token)
req := NewRequestWithJSON(t, "POST", url, &options)
if ctx.ExpectedCode != 0 {
ctx.Session.MakeRequest(t, req, ctx.ExpectedCode)
return
}
resp := ctx.Session.MakeRequest(t, req, http.StatusCreated)

var contents api.FileResponse
DecodeJSON(t, resp, &contents)
if len(callback) > 0 {
callback[0](t, contents)
}
}
}
2 changes: 1 addition & 1 deletion integrations/api_repo_file_create_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -91,7 +91,7 @@ func getExpectedFileResponseForCreate(commitID, treePath string) *api.FileRespon
},
Verification: &api.PayloadCommitVerification{
Verified: false,
Reason: "unsigned",
Reason: "gpg.error.not_signed_commit",
Signature: "",
Payload: "",
},
Expand Down
2 changes: 1 addition & 1 deletion integrations/api_repo_file_update_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -94,7 +94,7 @@ func getExpectedFileResponseForUpdate(commitID, treePath string) *api.FileRespon
},
Verification: &api.PayloadCommitVerification{
Verified: false,
Reason: "unsigned",
Reason: "gpg.error.not_signed_commit",
Signature: "",
Payload: "",
},
Expand Down
Loading