fcb535c5c3
This PR fixes #7598 by providing a configurable way of signing commits across the Gitea instance. Per repository configurability and import/generation of trusted secure keys is not provided by this PR - from a security PoV that's probably impossible to do properly. Similarly web-signing, that is asking the user to sign something, is not implemented - this could be done at a later stage however. ## Features - [x] If commit.gpgsign is set in .gitconfig sign commits and files created through repofiles. (merges should already have been signed.) - [x] Verify commits signed with the default gpg as valid - [x] Signer, Committer and Author can all be different - [x] Allow signer to be arbitrarily different - We still require the key to have an activated email on Gitea. A more complete implementation would be to use a keyserver and mark external-or-unactivated with an "unknown" trust level icon. - [x] Add a signing-key.gpg endpoint to get the default gpg pub key if available - Rather than add a fake web-flow user I've added this as an endpoint on /api/v1/signing-key.gpg - [x] Try to match the default key with a user on gitea - this is done at verification time - [x] Make things configurable? - app.ini configuration done - [x] when checking commits are signed need to check if they're actually verifiable too - [x] Add documentation I have decided that adjusting the docker to create a default gpg key is not the correct thing to do and therefore have not implemented this. |
||
---|---|---|
.github | ||
assets | ||
cmd | ||
contrib | ||
custom/conf | ||
docker | ||
docs | ||
integrations | ||
models | ||
modules | ||
options | ||
public | ||
routers | ||
scripts | ||
services | ||
snap | ||
templates | ||
vendor | ||
.changelog.yml | ||
.drone.yml | ||
.editorconfig | ||
.eslintrc | ||
.gitattributes | ||
.gitignore | ||
.golangci.yml | ||
.lgtm | ||
.npmrc | ||
.revive.toml | ||
.stylelintrc | ||
BSDmakefile | ||
CHANGELOG.md | ||
CONTRIBUTING.md | ||
DCO | ||
Dockerfile | ||
go.mod | ||
go.sum | ||
LICENSE | ||
main.go | ||
MAINTAINERS | ||
Makefile | ||
package-lock.json | ||
package.json | ||
README.md | ||
README_ZH.md | ||
tools.go |
Gitea - Git with a cup of tea
Purpose
The goal of this project is to make the easiest, fastest, and most painless way of setting up a self-hosted Git service. Using Go, this can be done with an independent binary distribution across all platforms which Go supports, including Linux, macOS, and Windows on x86, amd64, ARM and PowerPC architectures. Want to try it before doing anything else? Do it with the online demo! This project has been forked from Gogs since 2016.11 but changed a lot.
Building
From the root of the source tree, run:
TAGS="bindata" make generate all
More info: https://docs.gitea.io/en-us/install-from-source/
Using
./gitea web
NOTE: If you're interested in using our APIs, we have experimental support with documentation.
Contributing
Expected workflow is: Fork -> Patch -> Push -> Pull Request
NOTES:
- YOU MUST READ THE CONTRIBUTORS GUIDE BEFORE STARTING TO WORK ON A PULL REQUEST.
- If you have found a vulnerability in the project, please write privately to security@gitea.io. Thanks!
Further information
For more information and instructions about how to install Gitea, please look at our documentation. If you have questions that are not covered by the documentation, you can get in contact with us on our Discord server, or forum!
Authors
Backers
Thank you to all our backers! 🙏 [Become a backer]
Sponsors
Support this project by becoming a sponsor. Your logo will show up here with a link to your website. [Become a sponsor]
FAQ
How do you pronounce Gitea?
Gitea is pronounced /ɡɪ’ti:/ as in "gi-tea" with a hard g.
Why is this not hosted on a Gitea instance?
We're working on it.
License
This project is licensed under the MIT License. See the LICENSE file for the full license text.
Screenshots
Looking for an overview of the interface? Check it out!