forgejo/routers/api/v1/misc/signing.go
Gusted b55c72828e feat(sec): Add SSH signing support for instances (#6897)
- Add support to set `gpg.format` in the Git config, via the new `[repository.signing].FORMAT` option. This is to tell Git that the instance would like to use SSH instead of OpenPGP to sign its commits. This is guarded behind a Git version check for v2.34.0 and a check that a `ssh-keygen` binary is present.
- Add support to recognize the public SSH key that is given to `[repository.signing].SIGNING_KEY` as the signing key by the instance.
- Thus this allows the instance to use SSH commit signing for commits that the instance creates (e.g. initial and squash commits) instead of using PGP.
- Technically (although I have no clue how as this is not documented) you can have a different PGP signing key for different repositories; this is not implemented for SSH signing.
- Add unit and integration testing.
  - `TestInstanceSigning` was reworked from `TestGPGGit`, now also includes testing for SHA256 repositories. Is the main integration test that actually signs commits and checks that they are marked as verified by Forgejo.
  - `TestParseCommitWithSSHSignature` is a unit test that makes sure that if an SSH instance signing key is set, it is used to possibly verify instance SSH-signed commits.
  - `TestSyncConfigGPGFormat` is a unit test that makes sure the correct git config is set according to the signing format setting. Also checks that the guarded git version check and ssh-keygen binary presence check is done correctly.
  - `TestSSHInstanceKey` is a unit test that makes sure the parsing of a SSH signing key is done correctly.
  - `TestAPISSHSigningKey` is an integration test that makes sure the newly added API route `/api/v1/signing-key.ssh` responds correctly.

Documentation PR: forgejo/docs#1122

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/6897
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Co-authored-by: Gusted <postmaster@gusted.xyz>
Co-committed-by: Gusted <postmaster@gusted.xyz>
2025-04-11 13:25:35 +00:00


// Copyright 2020 The Gitea Authors. All rights reserved.
// SPDX-License-Identifier: MIT
package misc
import (
"fmt"
"net/http"
"forgejo.org/modules/setting"
asymkey_service "forgejo.org/services/asymkey"
"forgejo.org/services/context"
"golang.org/x/crypto/ssh"
)
// SigningKey returns the public key of the default signing key if it exists
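// SigningKey writes the armored public part of the instance's default GPG
// signing key (or, when the route is repository-scoped and ctx.Repo is set,
// the key reported for that repository) to the response as plain text.
//
// The key material served here is public by design; the handler only reads
// it and never exposes the private half. Export and write failures are
// answered with HTTP 500 via ctx.Error.
func SigningKey(ctx *context.APIContext) {
	// swagger:operation GET /signing-key.gpg miscellaneous getSigningKey
	// ---
	// summary: Get default signing-key.gpg
	// produces:
	// - text/plain
	// responses:
	//   "200":
	//     description: "GPG armored public key"
	//     schema:
	//       type: string

	// swagger:operation GET /repos/{owner}/{repo}/signing-key.gpg repository repoSigningKey
	// ---
	// summary: Get signing-key.gpg for given repository
	// produces:
	// - text/plain
	// parameters:
	// - name: owner
	//   in: path
	//   description: owner of the repo
	//   type: string
	//   required: true
	// - name: repo
	//   in: path
	//   description: name of the repo
	//   type: string
	//   required: true
	// responses:
	//   "200":
	//     description: "GPG armored public key"
	//     schema:
	//       type: string

	// An empty path selects the instance-wide key; a repository path lets
	// the service pick a repository-specific key where one is configured.
	path := ""
	if ctx.Repo != nil && ctx.Repo.Repository != nil {
		path = ctx.Repo.Repository.RepoPath()
	}

	content, err := asymkey_service.PublicSigningKey(ctx, path)
	if err != nil {
		// NOTE(review): whether the wrapped error text is shown to the caller
		// or only logged is decided inside ctx.Error — confirm it does not
		// leak gpg invocation details to unauthenticated clients.
		ctx.Error(http.StatusInternalServerError, "gpg export", err)
		return
	}

	if _, err := ctx.Write([]byte(content)); err != nil {
		// Error strings are lowercase and use ": %w" so the chain reads
		// naturally when wrapped further up.
		ctx.Error(http.StatusInternalServerError, "gpg export", fmt.Errorf("writing key content: %w", err))
	}
}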
// SSHSigningKey returns the public SSH key of the default signing key if it exists
// SSHSigningKey serves the instance's SSH signing public key, marshalled in
// OpenSSH authorized_keys format, as plain text. When no SSH instance key is
// configured the handler answers 404; a failed write is reported as 500.
//
// Only the public key from setting.SSHInstanceKey is written; nothing
// private is read or returned.
func SSHSigningKey(ctx *context.APIContext) {
	// swagger:operation GET /signing-key.ssh miscellaneous getSSHSigningKey
	// ---
	// summary: Get default signing-key.ssh
	// produces:
	// - text/plain
	// responses:
	//   "200":
	//     description: "SSH public key in OpenSSH authorized key format"
	//     schema:
	//       type: string
	//   "404":
	//     "$ref": "#/responses/notFound"

	instanceKey := setting.SSHInstanceKey
	if instanceKey == nil {
		// No key configured: this is an expected state, not a server error.
		ctx.NotFound()
		return
	}

	// MarshalAuthorizedKey already produces the full "type base64\n" line.
	authorizedKey := ssh.MarshalAuthorizedKey(instanceKey)
	if _, err := ctx.Write(authorizedKey); err != nil {
		ctx.Error(http.StatusInternalServerError, "ssh export", err)
	}
}