GPG Sign merge-commits of pull-requests (install GPG-key for gitea?) #400

BernieO commented 2021年02月17日 07:41:20 +01:00

I am looking for a way to sign a merge-commit of a pull-request.

When merging a pull-request, gitea will generate a commit itself. According to the gitea docs those commits could automatically be signed by gitea.

When a branch is proteced with 'status check' and 'require signed commits' enabled, a merge is impossible, because some required checks are missing.

When disabling 'require signed commits' (but with 'status check' still being enabled) an administrator may merge the pull request, but gitea clearly states that there is no key available to sign this commit.

In both cases, all commits being contained in the pull-request are signed with a proper signature, that gitea trusts.

According to the gitea API, the public key can be retrieved from https://codeberg.org/api/v1/signing-key. When requesting that link, Gitea returns http status code 200, but the result is an empty string.

All this looks like there is no GPG key installed for Gitea at codeberg.org and thus signing merge-commits of pull-requests is just not possible.

Would it be possible to install a GPG-key for the gitea-instance at codeberg.org?

Or am I missing something and there is another way to get signed merge-commits of pull-requests?

I am looking for a way to sign a merge-commit of a pull-request. When merging a pull-request, gitea will generate a commit itself. According to [the gitea docs](https://docs.gitea.io/en-us/signing/#automatic-signing) those commits could automatically be signed by gitea. When a branch is proteced with *'status check'* and *'require signed commits'* enabled, a merge is impossible, because `some required checks are missing`. When disabling *'require signed commits'* (but with *'status check'* still being enabled) an administrator may merge the pull request, but gitea clearly states that `there is no key available to sign this commit`. In both cases, all commits being contained in the pull-request are signed with a proper signature, that gitea trusts. According to [the gitea API](https://codeberg.org/api/v1/swagger#/miscellaneous/getSigningKey), the public key can be retrieved from https://codeberg.org/api/v1/signing-key. When requesting that link, Gitea returns http status code `200`, but the result is an empty string. All this looks like there is no GPG key installed for Gitea at codeberg.org and thus signing merge-commits of pull-requests is just not possible. Would it be possible to install a GPG-key for the gitea-instance at codeberg.org? Or am I missing something and there is another way to get signed merge-commits of pull-requests?

6543 commented 2021年02月19日 16:19:41 +01:00

If codeberg add a gpg key for gitea to sign (file+config), gitea can sign if it make commits (doesnt mather witcho one (merge,file-edit, ...))

If codeberg add a gpg key for gitea to sign (file+config), gitea can sign if it make commits (doesnt mather witcho one (merge,file-edit, ...))

hw commented 2021年02月19日 22:17:09 +01:00

What are the consequences of this?

What are the consequences of this?

6543 commented 2021年02月20日 23:46:20 +01:00

@hw codeberg has to make sure the gpg secret key is secure since it is used so sign ... - if it got stolen others can fake that an commit was created by codeberg server

@hw codeberg has to make sure the gpg secret key is secure since it is used so sign ... - if it got stolen others can fake that an commit was created by codeberg server

6543 commented 2021年04月29日 20:32:19 +02:00

upstream Summary: https://github.com/go-gitea/gitea/issues/14736

upstream **Summary**: https://github.com/go-gitea/gitea/issues/14736

argrento commented 2023年06月04日 01:52:48 +02:00

Any update/workaround possible?

Any update/workaround possible?

Doom4535 commented 2023年08月01日 04:30:34 +02:00

If we don't want to use a forgejo/codeberg hosted key, could we perhaps support having the user use some local method to sign a commit and then upload the signature in the webform to complete the merge? Not sure if this is exactly the same, but something along the lines of Bitcoin Message Signing where they sign to demonstrate proof of ownership (in this case perhaps proof of ownership of the GPG key).

If we don't want to use a forgejo/codeberg hosted key, could we perhaps support having the user use some local method to sign a commit and then upload the signature in the webform to complete the merge? Not sure if this is exactly the same, but something along the lines of [Bitcoin Message Signing](https://en.bitcoin.it/wiki/Message_signing) where they sign to demonstrate proof of ownership (in this case perhaps proof of ownership of the GPG key).

crapStone commented 2024年01月01日 03:06:37 +01:00

we could buy and setup a Nitrokey HSM: https://shop.nitrokey.com/shop/nkhs2-nitrokey-hsm-2-7

we could buy and setup a Nitrokey HSM: https://shop.nitrokey.com/shop/nkhs2-nitrokey-hsm-2-7

Gusted commented 2024年01月01日 23:52:45 +01:00

Not sure why would want to use an HSM now, there are other things that would benefit more from using a HSM in the infrastructure (therefor likely requires some good discussion internally). Not sure how, but I was going to comment that GPG doesn't even like HSM, but it seems like with good knowledge on hand it's actually possible.

I think we can add this when there's time to configure this up.

Not sure why would want to use an HSM now, there are other things that would benefit more from using a HSM in the infrastructure (therefor likely requires some good discussion internally). Not sure how, but I was going to comment that GPG doesn't even like HSM, but it seems like with good knowledge on hand [it's actually possible](https://gist.github.com/Patazerty/48b50e82cbfbc033a836797c8d0a47f2). I think we can add this when there's time to configure this up.

goern commented 2024年02月22日 08:21:26 +01:00

any updates on this? thx!

any updates on this? thx!

Gusted commented 2024年02月22日 16:49:56 +01:00

No not really, there's not an agreement internally if an HSM should be used.

No not really, there's not an agreement internally if an HSM should be used.

PurpleBooth commented 2024年03月20日 09:09:04 +01:00

This would make me feel a bit more confident in the chain of trust if this could be done. Doesn't even have to be a HSM (for me), could just be stored in something like Hashicorp Vault, just something appropriate.

This would make me feel a bit more confident in the chain of trust if this could be done. Doesn't even have to be a HSM (for me), could just be stored in something like Hashicorp Vault, just something appropriate.

viceice commented 2024年03月20日 10:07:47 +01:00

Signing should only be enabled for tofa enabled accounts

Signing should only be enabled for tofa enabled accounts

theoparis commented 2024年10月03日 02:37:30 +02:00

This is also a blocker for my projects, as I have to use a self hosted Forgejo instance with a global signing key to work around this at the moment.

There IS a workaround on my end which is to only allow manual merging via git merge --ff-only but that means PRs can't be merged through the UI...

This is also a blocker for my projects, as I have to use a self hosted Forgejo instance with a global signing key to work around this at the moment. There IS a workaround on my end which is to only allow manual merging via `git merge --ff-only` but that means PRs can't be merged through the UI...

vwegert-adesso commented 2025年03月07日 11:00:10 +01:00

It looks like I've run into the same issue... @theoparis, is your workaround documented somewhere? I could live with having to manually sign PR/merge commits on the command line instead of having a web UI, but I'm unsure how to do even that.

It looks like I've run into the same issue... @theoparis, is your workaround documented somewhere? I could live with having to manually sign PR/merge commits on the command line instead of having a web UI, but I'm unsure how to do even that.

Celtikill commented 2025年05月14日 21:50:46 +02:00

Same issue here I suspect - I'm getting the error won't sign: nokey when attempting a merge commit on a gpg validated repository via the web interface.

@vwegert-adesso the following may be what you're looking for.

As I see it, this is the local config (in ~/.gitconfig), which could solve my problem at the command line:

[push]
gpgSign = true

however, this seems to require a server side setting (in /etc/gitconfig) which looks like this:

[receive]
advertisePushOptions = true
certNonceSeed = ""

When I merge to main from dev branch locally, then attempt to push main, I get the following error if configured as above:

fatal: the remote end hung up unexpectedly
Forgejo: Failed to execute git command

I'd love to see this config work, some of the effort I support could really use gpg valid merge.

Same issue here I suspect - I'm getting the error `won't sign: nokey` when attempting a merge commit on a gpg validated repository via the web interface. @vwegert-adesso the following may be what you're looking for. As I see it, this is the local config (in `~/.gitconfig`), which could solve my problem at the command line: > [push] > gpgSign = true however, this seems to require a server side setting (in `/etc/gitconfig`) which looks like this: > [receive] > advertisePushOptions = true > certNonceSeed = "<uniquerandomstring>" When I merge to `main` from dev branch locally, then attempt to push main, I get the following error if configured as above: > fatal: the remote end hung up unexpectedly > Forgejo: Failed to execute git command I'd love to see this config work, some of the effort I support could really use gpg valid merge.

kytta commented 2025年08月03日 14:12:58 +02:00

@vwegert-adesso wrote in #400 (comment):

I could live with having to manually sign PR/merge commits on the command line instead of having a web UI, but I'm unsure how to do even that.

It's actually quite simple; Forgejo will guide you there if you set up your repo correctly:

1. In your repository settings, under Units > Pull requests, you must enable "Manually merged". You may enable "Enable autodetect manual merge", but it might have errors

   Units > Pull requests > Manually merged

2. In your pull request, you'll see the "View command line instructions". It lists the commands you have to do locally to merge your PR

   PR > View command line instructions > Merge

3. After you've pushed the merge commit, your PR will notice that it can't be merged any more. It's because the changes are already in the target branch. Now all you need to do is to copy the hash of the merge commit and paste it into the form (sorry, I don't have a new enough screenshot)

   PR > This branch is already included in the target branch.

4. Now you have a manually merged commit that is displayed properly!

   PR was manually merged

---

... I guess I should contribute to Forgejo docs? :)

@vwegert-adesso wrote in https://codeberg.org/Codeberg/Community/issues/400#issuecomment-2934994: > I could live with having to manually sign PR/merge commits on the command line instead of having a web UI, but I'm unsure how to do even that. It's actually quite simple; Forgejo will guide you there if you set up your repo correctly: 1. In your repository settings, under Units > Pull requests, you _must_ enable "Manually merged". You may enable "Enable autodetect manual merge", but it might have errors  2. In your pull request, you'll see the "View command line instructions". It lists the commands you have to do locally to merge your PR  3. After you've pushed the merge commit, your PR will notice that it can't be merged any more. It's because the changes are already in the target branch. Now all you need to do is to copy the hash of the merge commit and paste it into the form (sorry, I don't have a new enough screenshot)  4. Now you have a manually merged commit that is displayed properly!  --- ... I guess I should contribute to Forgejo docs? :)