mirror of
				https://github.com/go-gitea/gitea.git
				synced 2025-10-25 17:44:32 +02:00 
			
		
		
		
	This PR fixes #7598 by providing a configurable way of signing commits across the Gitea instance. Per repository configurability and import/generation of trusted secure keys is not provided by this PR - from a security PoV that's probably impossible to do properly. Similarly web-signing, that is asking the user to sign something, is not implemented - this could be done at a later stage however. ## Features - [x] If commit.gpgsign is set in .gitconfig sign commits and files created through repofiles. (merges should already have been signed.) - [x] Verify commits signed with the default gpg as valid - [x] Signer, Committer and Author can all be different - [x] Allow signer to be arbitrarily different - We still require the key to have an activated email on Gitea. A more complete implementation would be to use a keyserver and mark external-or-unactivated with an "unknown" trust level icon. - [x] Add a signing-key.gpg endpoint to get the default gpg pub key if available - Rather than add a fake web-flow user I've added this as an endpoint on /api/v1/signing-key.gpg - [x] Try to match the default key with a user on gitea - this is done at verification time - [x] Make things configurable? - app.ini configuration done - [x] when checking commits are signed need to check if they're actually verifiable too - [x] Add documentation I have decided that adjusting the docker to create a default gpg key is not the correct thing to do and therefore have not implemented this.
		
			
				
	
	
		
			196 lines
		
	
	
		
			5.7 KiB
		
	
	
	
		
			Go
		
	
	
	
	
	
			
		
		
	
	
			196 lines
		
	
	
		
			5.7 KiB
		
	
	
	
		
			Go
		
	
	
	
	
	
| // Copyright 2019 The Gitea Authors. All rights reserved.
 | |
| // Use of this source code is governed by a MIT-style
 | |
| // license that can be found in the LICENSE file.
 | |
| 
 | |
| package setting
 | |
| 
 | |
| import (
 | |
| 	"path"
 | |
| 	"path/filepath"
 | |
| 	"strings"
 | |
| 
 | |
| 	"code.gitea.io/gitea/modules/log"
 | |
| 
 | |
| 	"github.com/unknwon/com"
 | |
| )
 | |
| 
 | |
| // enumerates all the policy repository creating
 | |
| const (
 | |
| 	RepoCreatingLastUserVisibility = "last"
 | |
| 	RepoCreatingPrivate            = "private"
 | |
| 	RepoCreatingPublic             = "public"
 | |
| )
 | |
| 
 | |
| // Repository settings
 | |
| var (
 | |
| 	Repository = struct {
 | |
| 		AnsiCharset                             string
 | |
| 		ForcePrivate                            bool
 | |
| 		DefaultPrivate                          string
 | |
| 		MaxCreationLimit                        int
 | |
| 		MirrorQueueLength                       int
 | |
| 		PullRequestQueueLength                  int
 | |
| 		PreferredLicenses                       []string
 | |
| 		DisableHTTPGit                          bool
 | |
| 		AccessControlAllowOrigin                string
 | |
| 		UseCompatSSHURI                         bool
 | |
| 		DefaultCloseIssuesViaCommitsInAnyBranch bool
 | |
| 
 | |
| 		// Repository editor settings
 | |
| 		Editor struct {
 | |
| 			LineWrapExtensions   []string
 | |
| 			PreviewableFileModes []string
 | |
| 		} `ini:"-"`
 | |
| 
 | |
| 		// Repository upload settings
 | |
| 		Upload struct {
 | |
| 			Enabled      bool
 | |
| 			TempPath     string
 | |
| 			AllowedTypes []string `delim:"|"`
 | |
| 			FileMaxSize  int64
 | |
| 			MaxFiles     int
 | |
| 		} `ini:"-"`
 | |
| 
 | |
| 		// Repository local settings
 | |
| 		Local struct {
 | |
| 			LocalCopyPath string
 | |
| 		} `ini:"-"`
 | |
| 
 | |
| 		// Pull request settings
 | |
| 		PullRequest struct {
 | |
| 			WorkInProgressPrefixes []string
 | |
| 		} `ini:"repository.pull-request"`
 | |
| 
 | |
| 		// Issue Setting
 | |
| 		Issue struct {
 | |
| 			LockReasons []string
 | |
| 		} `ini:"repository.issue"`
 | |
| 
 | |
| 		Signing struct {
 | |
| 			SigningKey    string
 | |
| 			SigningName   string
 | |
| 			SigningEmail  string
 | |
| 			InitialCommit []string
 | |
| 			CRUDActions   []string `ini:"CRUD_ACTIONS"`
 | |
| 			Merges        []string
 | |
| 			Wiki          []string
 | |
| 		} `ini:"repository.signing"`
 | |
| 	}{
 | |
| 		AnsiCharset:                             "",
 | |
| 		ForcePrivate:                            false,
 | |
| 		DefaultPrivate:                          RepoCreatingLastUserVisibility,
 | |
| 		MaxCreationLimit:                        -1,
 | |
| 		MirrorQueueLength:                       1000,
 | |
| 		PullRequestQueueLength:                  1000,
 | |
| 		PreferredLicenses:                       []string{"Apache License 2.0,MIT License"},
 | |
| 		DisableHTTPGit:                          false,
 | |
| 		AccessControlAllowOrigin:                "",
 | |
| 		UseCompatSSHURI:                         false,
 | |
| 		DefaultCloseIssuesViaCommitsInAnyBranch: false,
 | |
| 
 | |
| 		// Repository editor settings
 | |
| 		Editor: struct {
 | |
| 			LineWrapExtensions   []string
 | |
| 			PreviewableFileModes []string
 | |
| 		}{
 | |
| 			LineWrapExtensions:   strings.Split(".txt,.md,.markdown,.mdown,.mkd,", ","),
 | |
| 			PreviewableFileModes: []string{"markdown"},
 | |
| 		},
 | |
| 
 | |
| 		// Repository upload settings
 | |
| 		Upload: struct {
 | |
| 			Enabled      bool
 | |
| 			TempPath     string
 | |
| 			AllowedTypes []string `delim:"|"`
 | |
| 			FileMaxSize  int64
 | |
| 			MaxFiles     int
 | |
| 		}{
 | |
| 			Enabled:      true,
 | |
| 			TempPath:     "data/tmp/uploads",
 | |
| 			AllowedTypes: []string{},
 | |
| 			FileMaxSize:  3,
 | |
| 			MaxFiles:     5,
 | |
| 		},
 | |
| 
 | |
| 		// Repository local settings
 | |
| 		Local: struct {
 | |
| 			LocalCopyPath string
 | |
| 		}{
 | |
| 			LocalCopyPath: "tmp/local-repo",
 | |
| 		},
 | |
| 
 | |
| 		// Pull request settings
 | |
| 		PullRequest: struct {
 | |
| 			WorkInProgressPrefixes []string
 | |
| 		}{
 | |
| 			WorkInProgressPrefixes: []string{"WIP:", "[WIP]"},
 | |
| 		},
 | |
| 
 | |
| 		// Issue settings
 | |
| 		Issue: struct {
 | |
| 			LockReasons []string
 | |
| 		}{
 | |
| 			LockReasons: strings.Split("Too heated,Off-topic,Spam,Resolved", ","),
 | |
| 		},
 | |
| 
 | |
| 		// Signing settings
 | |
| 		Signing: struct {
 | |
| 			SigningKey    string
 | |
| 			SigningName   string
 | |
| 			SigningEmail  string
 | |
| 			InitialCommit []string
 | |
| 			CRUDActions   []string `ini:"CRUD_ACTIONS"`
 | |
| 			Merges        []string
 | |
| 			Wiki          []string
 | |
| 		}{
 | |
| 			SigningKey:    "default",
 | |
| 			SigningName:   "",
 | |
| 			SigningEmail:  "",
 | |
| 			InitialCommit: []string{"always"},
 | |
| 			CRUDActions:   []string{"pubkey", "twofa", "parentsigned"},
 | |
| 			Merges:        []string{"pubkey", "twofa", "basesigned", "commitssigned"},
 | |
| 			Wiki:          []string{"never"},
 | |
| 		},
 | |
| 	}
 | |
| 	RepoRootPath string
 | |
| 	ScriptType   = "bash"
 | |
| )
 | |
| 
 | |
| func newRepository() {
 | |
| 	homeDir, err := com.HomeDir()
 | |
| 	if err != nil {
 | |
| 		log.Fatal("Failed to get home directory: %v", err)
 | |
| 	}
 | |
| 	homeDir = strings.Replace(homeDir, "\\", "/", -1)
 | |
| 
 | |
| 	// Determine and create root git repository path.
 | |
| 	sec := Cfg.Section("repository")
 | |
| 	Repository.DisableHTTPGit = sec.Key("DISABLE_HTTP_GIT").MustBool()
 | |
| 	Repository.UseCompatSSHURI = sec.Key("USE_COMPAT_SSH_URI").MustBool()
 | |
| 	Repository.MaxCreationLimit = sec.Key("MAX_CREATION_LIMIT").MustInt(-1)
 | |
| 	RepoRootPath = sec.Key("ROOT").MustString(path.Join(homeDir, "gitea-repositories"))
 | |
| 	forcePathSeparator(RepoRootPath)
 | |
| 	if !filepath.IsAbs(RepoRootPath) {
 | |
| 		RepoRootPath = filepath.Join(AppWorkPath, RepoRootPath)
 | |
| 	} else {
 | |
| 		RepoRootPath = filepath.Clean(RepoRootPath)
 | |
| 	}
 | |
| 	ScriptType = sec.Key("SCRIPT_TYPE").MustString("bash")
 | |
| 
 | |
| 	if err = Cfg.Section("repository").MapTo(&Repository); err != nil {
 | |
| 		log.Fatal("Failed to map Repository settings: %v", err)
 | |
| 	} else if err = Cfg.Section("repository.editor").MapTo(&Repository.Editor); err != nil {
 | |
| 		log.Fatal("Failed to map Repository.Editor settings: %v", err)
 | |
| 	} else if err = Cfg.Section("repository.upload").MapTo(&Repository.Upload); err != nil {
 | |
| 		log.Fatal("Failed to map Repository.Upload settings: %v", err)
 | |
| 	} else if err = Cfg.Section("repository.local").MapTo(&Repository.Local); err != nil {
 | |
| 		log.Fatal("Failed to map Repository.Local settings: %v", err)
 | |
| 	} else if err = Cfg.Section("repository.pull-request").MapTo(&Repository.PullRequest); err != nil {
 | |
| 		log.Fatal("Failed to map Repository.PullRequest settings: %v", err)
 | |
| 	}
 | |
| 
 | |
| 	if !filepath.IsAbs(Repository.Upload.TempPath) {
 | |
| 		Repository.Upload.TempPath = path.Join(AppWorkPath, Repository.Upload.TempPath)
 | |
| 	}
 | |
| }
 |