GPG Sign merge-commits of pull-requests (install GPG-key for gitea?) #400

Open
opened 1 year ago by BernieO · 4 comments
BernieO commented 1 year ago

I am looking for a way to sign a merge-commit of a pull-request.

When merging a pull-request, gitea will generate a commit itself. According to [the gitea docs](https://docs.gitea.io/en-us/signing/#automatic-signing) those commits could automatically be signed by gitea.

When a branch is protected with *'status check'* and *'require signed commits'* enabled, a merge is impossible, because `some required checks are missing`.

When disabling *'require signed commits'* (but with *'status check'* still being enabled) an administrator may merge the pull request, but gitea clearly states that `there is no key available to sign this commit`.

In both cases, all commits contained in the pull-request are signed with a proper signature that gitea trusts.

According to [the gitea API](https://codeberg.org/api/v1/swagger#/miscellaneous/getSigningKey), the public key can be retrieved from https://codeberg.org/api/v1/signing-key. When requesting that link, Gitea returns HTTP status code `200`, but the result is an empty string.

All this looks like there is no GPG key installed for Gitea at codeberg.org and thus signing merge-commits of pull-requests is just not possible.

Would it be possible to install a GPG-key for the gitea-instance at codeberg.org?

Or am I missing something and there is another way to get signed merge-commits of pull-requests?
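To make the two checks in the post concrete, here is an added Python example; it is not code from the issue, from Codeberg or from Gitea. It inspects the body of the signing-key response instead of trusting the `200` status (the post shows that a `200` with an empty body means no key is configured), and it lists the merge commits on a branch that lack a good signature from the instance key, which is what a `require signed commits` rule would reject. It assumes the commit list comes from `git log --format='%H%x09%P%x09%G?%x09%GF'` (commit, parents, signature status, signer fingerprint); the fingerprints and the log lines below are constructed, as is the sample API body.

```python
"""Audit Gitea merge-commit signing from offline inputs.

Added example, not code from the issue, Codeberg or Gitea. The API body
and the `git log` lines are constructed test data."""
from __future__ import annotations

from dataclasses import dataclass

PGP_HEADER = "-----BEGIN PGP PUBLIC KEY BLOCK-----"

# Format for: git log --format='%H%x09%P%x09%G?%x09%GF' <branch>
#   %H  commit sha        %P  parent shas (space separated)
#   %G? signature status  %GF fingerprint of the signing key ('' if unsigned)
LOG_FORMAT = "%H%x09%P%x09%G?%x09%GF"


def signing_key_installed(status: int, body: str) -> bool:
    """The signing-key endpoint answers 200 with the armored public key when
    a key is configured and, as observed in the post, 200 with an empty body
    when none is.  The status alone therefore proves nothing; only a body
    that is an armored public key block counts."""
    return status == 200 and body.strip().startswith(PGP_HEADER)


@dataclass
class Commit:
    sha: str
    parents: list[str]
    sig_status: str  # git %G?: G good, U good but untrusted key, N none, B bad, ...
    key_fpr: str     # git %GF: signer fingerprint, '' when unsigned

    @property
    def is_merge(self) -> bool:
        return len(self.parents) > 1


def parse_log(text: str) -> list[Commit]:
    """Parse lines produced with LOG_FORMAT; missing trailing fields are ''."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        parts += [""] * (4 - len(parts))
        sha, parents, status, fpr = parts[:4]
        commits.append(Commit(sha, parents.split(), status, fpr))
    return commits


def unsigned_merges(commits: list[Commit], instance_fpr: str | None = None) -> list[Commit]:
    """Merge commits a 'require signed commits' rule would reject.

    'G' (good, trusted) is accepted, or only when it matches the instance key
    if one is given.  'U' (good signature, key not trusted in the local
    keyring) is accepted only when the fingerprint matches the instance key,
    so the API-published key replaces the keyring trust decision.  Anything
    else (no signature, bad signature, foreign key) is reported."""
    bad = []
    for c in commits:
        if not c.is_merge:
            continue
        matches = instance_fpr is not None and c.key_fpr.upper() == instance_fpr.upper()
        if c.sig_status == "G" and (instance_fpr is None or matches):
            continue
        if c.sig_status == "U" and matches:
            continue
        bad.append(c)
    return bad


# Constructed fingerprints (not real keys).
INSTANCE_FPR = "5C6B8A4F0D1E2F3A4B5C6D7E8F9A0B1C2D3E4F50"  # assumed instance key
AUTHOR_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"    # a PR author's key
ROGUE_FPR = "FEDCBA9876543210FEDCBA9876543210FEDCBA98"     # some other key

# Constructed `git log` output in LOG_FORMAT.
SAMPLE_LOG = "\n".join([
    f"aaaa1\tbbbb1 cccc1\tG\t{INSTANCE_FPR}",  # merge signed by the instance key
    f"cccc1\tbbbb0\tG\t{AUTHOR_FPR}",          # ordinary signed commit, not a merge
    "dddd1\tbbbb1 eeee1\tN\t",                 # web-UI merge with no signing key
    f"ffff1\tbbbb1 gggg1\tG\t{ROGUE_FPR}",     # merge signed by a foreign key
    f"hhhh1\tbbbb1 iiii1\tU\t{INSTANCE_FPR}",  # instance key, not trusted locally
]) + "\n"

if __name__ == "__main__":
    print("key installed (empty 200 body):", signing_key_installed(200, ""))
    commits = parse_log(SAMPLE_LOG)
    print("rejected merges:", [c.sha for c in unsigned_merges(commits, INSTANCE_FPR)])
```

Without an instance fingerprint the audit is only as good as the local keyring (`U` results are rejected); with the fingerprint taken from a non-empty signing-key response, a merge signed by any other key is reported even when the local keyring happens to trust that key.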
hw added the
gitea-related
contribution welcome
labels 1 year ago
6543 commented 1 year ago
Collaborator

If Codeberg adds a GPG key for Gitea to sign with (file + config), Gitea can sign whenever it makes a commit (it doesn't matter which kind: merge, file edit, ...).
hw commented 1 year ago
Owner

What are the consequences of this?
6543 commented 1 year ago
Collaborator

@hw Codeberg has to make sure the GPG secret key is secure, since it is used to sign ... If it got stolen, others could fake that a commit was created by the Codeberg server.
hw added
enhancement
and removed
gitea-related
contribution welcome
labels 1 year ago
fnetX added the
infrastructure
label 1 year ago
6543 added the
gitea-related
label 1 year ago
6543 commented 1 year ago
Collaborator
upstream **Summary**: https://github.com/go-gitea/gitea/issues/14736
6543 added the
upstream
label 1 year ago
6543 changed title from let gitea sign merge-commits of pull-requests (install GPG-key for gitea)? to GPG Sign merge-commits of pull-requests (install GPG-key for gitea?) 1 year ago
6543 self-assigned this 9 months ago
No Milestone
No Assignees
3 Participants
Depends on
#9 AGENDA
Codeberg-Infrastructure/internal-logs