#399 let gitea sign merge-commits of pull-requests (install GPG-key for gitea)?

Closed
opened 2 months ago by BernieO · 1 comments
BernieO commented 2 months ago

I am looking for a way to sign a merge-commit of a pull-requests.

When merging a pull-request, gitea will generate a commit itself. According to the gitea docs those commits could automatically be signed by gitea.

When a branch is proteced with status check and require signed commits enabled, a merge is impossible, because some required checks are missing.

When disabling require signed commits (status check still enabled) an administrator still may merge the pull request, but gitea clearly states that there is no key available to sign this commit.

In both cases all commits being contained in the pull-request are signed with a proper signature, that gitea trusts.

According to the gitea API the public key can be retrieved from https://codeberg.org/api/v1/signing-key. When requesting that link, Gitea returns http status code 200, but the result is an empty string.

To me, all this looks like there is no GPG key installed for Gitea at codeberg.org and thus signing merge-commits of pull-requests is just not possible on codeberg.org.

Am I something missing, or is there another way to get signed merge-commits of pull-requests?

Would it be possible to install a GPG-key for the gitea-instance at codeberg.org?

I am looking for a way to sign a merge-commit of a pull-requests. When merging a pull-request, gitea will generate a commit itself. According to [the gitea docs](https://docs.gitea.io/en-us/signing/#automatic-signing) those commits could automatically be signed by gitea. When a branch is proteced with *status check* and *require signed commits* enabled, a merge is impossible, because `some required checks are missing`. When disabling *require signed commits* (*status check* still enabled) an administrator still may merge the pull request, but gitea clearly states that `there is no key available to sign this commit`. In both cases all commits being contained in the pull-request are signed with a proper signature, that gitea trusts. According to [the gitea API](https://codeberg.org/api/v1/swagger#/miscellaneous/getSigningKey) the public key can be retrieved from https://codeberg.org/api/v1/signing-key. When requesting that link, Gitea returns http status code `200`, but the result is an empty string. To me, all this looks like there is no GPG key installed for Gitea at codeberg.org and thus signing merge-commits of pull-requests is just not possible on codeberg.org. Am I something missing, or is there another way to get signed merge-commits of pull-requests? Would it be possible to install a GPG-key for the gitea-instance at codeberg.org?
BernieO commented 2 months ago
Poster

Sorry - for whatever reason this issue was filed twice.
Forget about this one.
See #400 instead

Sorry - for whatever reason this issue was filed twice. Forget about this one. See #400 instead
BernieO closed this issue 2 months ago
Sign in to join this conversation.
Loading…
There is no content yet.