Codeberg/Community

SSH key should be matched based on signature #2186

Open
opened 25 October 2025 21:36:53 +02:00 by iacore · 10 comments


I have an SSH key added for signing. It is verified in the Codeberg UI. `git log --show-signature` shows the same signature as it is shown in the UI.

However, Codeberg can't verify the commit for signing.

![image](/attachments/afd5cb3c-c261-4a18-a6f7-cba43f1db6c1)

I assume that Codeberg isn't using email to match user, right? Each SSH public key has a unique signature by itself. Please use that and only that to identify which key to use.

If it didn't use the email, couldn't you just sign a commit for someone else?
Author

SSH keys are **verified** in the settings.

The email used to commit has to be linked to your account. Otherwise Codeberg doesn't know that it's your commit.
Author

Codeberg knows my SSH keys. SSH keys are unique.

For some reason I can't verify the email in git commits.
Member

The email address you are using to author your commits (configured by `git config --global user.email`) is not recognized as a verified email address for your account by Forgejo. You must add and verify this email address at https://codeberg.org/user/settings/account so Forgejo knows which account it should be verifying the signed commits for.

A commit cannot be identified by SSH key because it is typically only used to give you read/write access to the git server. While you can use an SSH key to sign commits, this only works as an alternative to using a GPG key to sign your commits. The actual data of the commits are generated on your computer and the server cannot rewrite them when you push, plus the ability to push commits authored and/or signed by other users is an intended feature, so Forgejo needs to use the email address to tie each commit to a user.
Member

~~Actually, if your commits are signed correctly and your signature is verified correctly, Forgejo should still recognize you as the signer of the commit even if it does not recognize you as the committer. In this case, the actual problem is that your commits are not signed. Where the signature should be, instead I see `error: gpg.ssh.allowedSignersFile needs to be configured and exist for ssh signature verification`~~

~~Sorry, I got that message because my client was configured incorrectly. After configuring my client with your keys that I downloaded from Codeberg, I got the following error~~

Sorry, my client was _still_ misconfigured, it says your signature is valid for one of the keys in your account but I have no way of checking if that key is verified. I have only used GPG commit signing, which works fine for me, so I'm not sure what's going on here.
Author

> but I have no way of checking if that key is verified.

As I said, Codeberg knows. The SHA256: section is enough to look up that this key belongs to this account.

https://codeberg.org/user/settings/keys

![image](/attachments/d293f9c7-9858-4c05-bf9e-e77050a152ba)
Author

How do I patch Codeberg to do this?

Verifying the email address is required to prevent *you* from impersonating someone else.

It would be very bad if an attacker made a commit impersonating someone else, signed it with the attacker's key, and it showed up as verified on Codeberg.
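As an added example (not Forgejo's or Codeberg's code), the following models the rule described in the two replies above: a commit is shown as verified only when the signature checks out, the signing key's SHA256: fingerprint is registered to an account, and the committer e-mail is a verified address of that same account. The accounts, key lines and e-mails are constructed sample data; the key lines are syntactically valid ssh-ed25519 entries but carry no real key material.

```python
# Added example, not Forgejo's code: models the verification rule discussed
# above. All accounts, keys and commits are constructed sample data.
import base64
import hashlib
import struct


def ssh_fingerprint(pubkey_line: str) -> str:
    """SHA256 fingerprint as shown in the key settings UI: hash of the raw
    key blob from an authorized_keys-style line, base64 without padding."""
    blob = base64.b64decode(pubkey_line.split()[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def make_ed25519_pubkey(raw32: bytes, comment: str) -> str:
    """Build a syntactically valid ssh-ed25519 public-key line around a
    constructed 32-byte value (sample data, not a real key pair)."""
    ktype = b"ssh-ed25519"
    blob = struct.pack(">I", len(ktype)) + ktype + struct.pack(">I", 32) + raw32
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


# Constructed accounts: verified e-mails and fingerprints of uploaded keys.
ACCOUNTS = {
    "alice": {"emails": {"alice@example.org"},
              "keys": {ssh_fingerprint(make_ed25519_pubkey(b"A" * 32, "alice"))}},
    "mallory": {"emails": {"mallory@example.org"},
                "keys": {ssh_fingerprint(make_ed25519_pubkey(b"M" * 32, "mallory"))}},
}


def verification_status(committer_email, signer_fingerprint, signature_valid):
    """What the commit page should show. 'verified' needs all three: the
    cryptographic check passed, the key is registered to an account, and the
    committer e-mail is a verified address of that same account. Matching on
    the key alone would let any key holder sign commits carrying someone
    else's e-mail and have them shown as verified."""
    if not signature_valid:
        return "unverified: bad signature"
    key_owner = next((n for n, a in ACCOUNTS.items()
                      if signer_fingerprint in a["keys"]), None)
    if key_owner is None:
        return "unverified: key not registered to any account"
    if committer_email not in ACCOUNTS[key_owner]["emails"]:
        return f"unverified: e-mail is not a verified address of {key_owner}"
    return f"verified: {key_owner}"
```

The third branch is the situation in this issue: a valid signature from a registered key, but a committer e-mail that is not verified on that account.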
Author

> Verifying the email address is required to prevent you from impersonating someone else.

I did.