#400 let gitea sign merge-commits of pull-requests (install GPG-key for gitea)?

Open
opened 2 weeks ago by BernieO · 3 comments
BernieO commented 2 weeks ago

I am looking for a way to sign a merge-commit of a pull-request.

When merging a pull-request, gitea will generate a commit itself. According to [the gitea docs](https://docs.gitea.io/en-us/signing/#automatic-signing) those commits could automatically be signed by gitea.

When a branch is protected with *'status check'* and *'require signed commits'* enabled, a merge is impossible, because `some required checks are missing`.

When disabling *'require signed commits'* (but with *'status check'* still being enabled) an administrator may merge the pull request, but gitea clearly states that `there is no key available to sign this commit`.

In both cases, all commits contained in the pull-request are signed with a proper signature that gitea trusts.

According to [the gitea API](https://codeberg.org/api/v1/swagger#/miscellaneous/getSigningKey), the public key can be retrieved from https://codeberg.org/api/v1/signing-key. When requesting that link, Gitea returns http status code `200`, but the result is an empty string.

All this looks like there is no GPG key installed for Gitea at codeberg.org and thus signing merge-commits of pull-requests is just not possible.

Would it be possible to install a GPG-key for the gitea-instance at codeberg.org?

Or am I missing something and there is another way to get signed merge-commits of pull-requests?

hw added the "gitea-related issue" label 1 week ago
hw added the "contribution welcome" label 1 week ago
6543 commented 1 week ago
Poster
Collaborator

If codeberg adds a gpg key for gitea to sign (file+config), gitea can sign if it makes commits (doesn't matter which one (merge, file-edit, ...))

hw commented 1 week ago
Poster
Owner

What are the consequences of this?

6543 commented 1 week ago
Poster
Collaborator

@hw codeberg has to make sure the gpg secret key is secure since it is used to sign ... - if it got stolen others can fake that a commit was created by the codeberg server

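Two checks follow from this thread: the issue body shows that `/api/v1/signing-key` answering `200` with an empty body means no instance key is configured, and 6543's comment is that once a key exists, the instance signature is what proves a merge commit was made by the server (so the secret key must stay under the server's control). The script below is an added example, not code from the issue thread, from Gitea or from Codeberg: it classifies the signing-key response and lists merge commits in a local clone that do not carry a good signature from the instance key's fingerprint. `GITEA_URL`, `SAMPLE_KEY`, `SAMPLE_FPR` and `SAMPLE_LOG` are constructed assumptions so it runs offline.

```shell
#!/bin/sh
# Added example, not code from the issue thread or from Gitea/Codeberg.
# Two defender-side checks for the situation described in the thread:
#  1. does the instance publish a signing key at /api/v1/signing-key at all?
#  2. in a local clone, which merge commits are NOT signed with that key?
# GITEA_URL, the sample key and the sample log below are constructed
# assumptions for offline use; replace them with real data.

GITEA_URL="${GITEA_URL:-https://codeberg.org}"   # assumed instance

# classify_signing_key BODY
# Prints "missing" for an empty body (what the issue reports for codeberg.org),
# "configured" for an ASCII-armored public key block, "unexpected" otherwise.
classify_signing_key() {
    body=$1
    if [ -z "$(printf '%s' "$body" | tr -d '[:space:]')" ]; then
        echo missing
        return 0
    fi
    case $body in
        *"-----BEGIN PGP PUBLIC KEY BLOCK-----"*"-----END PGP PUBLIC KEY BLOCK-----"*)
            echo configured ;;
        *)  echo unexpected ;;
    esac
}

# fetch_signing_key: GET the instance signing key (network; not used offline).
fetch_signing_key() {
    curl -fsS "$GITEA_URL/api/v1/signing-key"
}

# merges_not_signed_by FPR LOG
# LOG is the output of: git log --merges --format='%H %G? %GF'
#   %G? is G (good), B (bad), U (good but untrusted), X/Y (expired),
#   R (revoked), E (cannot check) or N (no signature); %GF is the
#   fingerprint of the signing key. Print the hashes of merges that do
#   not carry a good signature made with the expected instance key FPR.
merges_not_signed_by() {
    printf '%s\n' "$2" | awk -v fpr="$1" '
        NF >= 2 && !($2 == "G" && $3 == fpr) { print $1 }'
}

# --- constructed sample data (not a real key, not real commits) ---
SAMPLE_KEY='-----BEGIN PGP PUBLIC KEY BLOCK-----

mQENBFconstructedSampleNotARealKey=
=AAAA
-----END PGP PUBLIC KEY BLOCK-----'
SAMPLE_FPR='0000000000000000000000000000000000000000'
SAMPLE_LOG="aaaa1111 G $SAMPLE_FPR
bbbb2222 N
cccc3333 U 1111111111111111111111111111111111111111
dddd4444 G 1111111111111111111111111111111111111111"

# Stand-alone demonstration on the constructed data.
echo "empty body  -> $(classify_signing_key '')"
echo "armored key -> $(classify_signing_key "$SAMPLE_KEY")"
echo "merges not signed by the instance key:"
merges_not_signed_by "$SAMPLE_FPR" "$SAMPLE_LOG"
```

Against a live instance, run `classify_signing_key "$(fetch_signing_key)"`; a result of `missing` is exactly the empty `200` response the issue describes. The fingerprint comparison is only meaningful while the secret key stays on the server, which is the risk 6543 points out: a stolen key would produce signatures this check accepts, so key custody (and revocation if it leaks) matters more than the check itself. Per the Gitea signing docs linked in the issue, the key is configured in `app.ini` under `[repository.signing]` (`SIGNING_KEY`, with `MERGES` selecting when merge commits are signed).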
hw removed the "gitea-related issue" label 1 week ago
hw removed the "contribution welcome" label 1 week ago
hw added the "enhancement" label 1 week ago