Improve instance wide ssh commit signing #34341
* Signed SSH commits can look like on GitHub
* No user account of the committer needed
* SSH format can be added in gitea config
* No gitconfig changes needed
* Set gpg.format git key for signing command
* Previously only the default gpg key had global trust in Gitea
* SSH Signing worked before with DEFAULT_TRUST_MODEL=committer, but not with model default and manually changing the .gitconfig

e.g. the following is all needed

```
[repository.signing]
SIGNING_KEY = /data/id_ed25519.pub
SIGNING_NAME = Gitea
SIGNING_EMAIL = [email protected]
SIGNING_FORMAT = ssh
INITIAL_COMMIT = always
CRUD_ACTIONS = always
WIKI = always
MERGES = always
```

`TRUSTED_SSH_KEYS` can be a list of additional ssh public keys to trust for every user of this instance
What do you think about this, @brtwrst? Except for an absent automatic setup, this should now be even easier, by just editing a single file. I found out that gpg supported global key verification for all users, but ssh did not; this PR aims to change that. No, I have no idea how to write tests for this.
That looks awesome. Makes it super simple to set up and the
I tested this like this
Since the ssh keys are so simple, idk if double quotes are even needed / supported. File paths are not supported in this PR for this list.
Ok, can't wait for this to make it in :) Thank you for your work.
e.g. the following is all needed after ssh-keygen, no trouble with installing and setting up gpg or hacking around a hidden .gitconfig for ssh key usage
Where /data/id_ed25519 is the private key.
`TRUSTED_SSH_KEYS` can be a list of additional ssh public key contents to trust for every user of this instance

Closes #34329
Related #31392