Need help to enable autosign

nebulon

@jaschaezra seems like you already have an instance using the default port there. Try to run cloudron install -p for interactive way to set a different port.

jaschaezra

@nebulon I do not know what is going on on my system but I seriously fucked something up

Sorry, I just can not test it at the moment

nebulon

@jaschaezra there is no time pressure at all. Hope you get your system back up again though. If it is Cloudron related, let us know of course.

jaschaezra

@nebulon It worked for me

So it would be great if this can be deployed in the container. (With the latest update :D)

nebulon

@jaschaezra thanks for testing and confirming the fix. I have pushed a new package now.

jaschaezra

@nebulon I just want to add some screen I just made because I forgot them to create

This is how you'll see it in the repository:

When you take a look at the commit:

The name is set in app.ini

For the key-creation:
It is much easier to do it like this:

gpg --default-new-key-algo rsa4096 --gen-key

then enter the Name, the Email (git@DOMAIN) and NO password!

That's it.

jaschaezra

@jaschaezra BTW, you can set a Gravatar/Libravatar for git@DOMAIN and upload e.g. the gitea Logo which then is displayed.

jaschaezra

This is odd - after working for a looong time I suddenly get this error when creating a repository and initializing it:

CreatePost, initRepository: initRepoCommit: git commit: exit status 128 - error: gpg failed to sign the data
fatal: failed to write commit object
 - error: gpg failed to sign the data
fatal: failed to write commit object

I first thought that maybe the key is gone. By checking this I found that:

root@0f44f577-d0e0-42e6-a371-d3914aba0014:/home/git# sudo -u git gpg --list-keys
gpg: Fatal: can't create directory '/home/git/.gnupg': Read-only file system
root@0f44f577-d0e0-42e6-a371-d3914aba0014:/home/git# 

I have not changed anything and I do not know when this happened as I was not using my git for the last ~9 months.

Any idea what is going on @nebulon?

nebulon

Just briefly rereading the thread, did you set GNUPGHOME for git user so it uses the correct (writeable) folder? Seems like the one which is used should be export GNUPGHOME=/app/data/appdata/home/.gnupg

robi

@nebulon might be nice to have these set when terminal is launched including HOME.

jaschaezra

@nebulon I now get a new error:

root@0f44f577-d0e0-42e6-a371-d3914aba0014:/home/git# sudo -u git bash
git@0f44f577-d0e0-42e6-a371-d3914aba0014:~$ export GNUPGHOME=/app/data/appdata/home/.gnupg
git@0f44f577-d0e0-42e6-a371-d3914aba0014:~$ gpg --list-keys
gpg: WARNING: unsafe permissions on homedir '/app/data/appdata/home/.gnupg'
git@0f44f577-d0e0-42e6-a371-d3914aba0014:~$

nebulon

The permissions can be fixed up with:

chmod 600 /app/data/appdata/home/.gnupg/*
chmod 700 /app/data/appdata/home/.gnupg

However, this is also only a warning, not sure if this is the root cause. Are there any keys in the folder itself?

jaschaezra

Oh, no, my key is gone. That is odd as I never touched the key after it worked.

jaschaezra

After creating a new key and configuring it in app.ini and restarting gitea I still get an error:

root@0f44f577-d0e0-42e6-a371-d3914aba0014:/home/git# sudo -u git bash
git@0f44f577-d0e0-42e6-a371-d3914aba0014:~$ export GNUPGHOME=/app/data/appdata/home/.gnupg
git@0f44f577-d0e0-42e6-a371-d3914aba0014:~$ gpg --list-keys
/app/data/appdata/home/.gnupg/pubring.kbx
-----------------------------------------
pub   rsa4096 2025-01-21 [SC] [expires: 2027-01-21]
      EF80C8DE297670B7E8C0360108DA2115185FFD9C
uid           [ultimate] jascha.wtf Gitea <git@git.jascha.wtf>

section of app.ini:

[repository.signing]
SIGNING_KEY = EF80C8DE297670B7E8C0360108DA2115185FFD9C
SIGNING_NAME = jascha.wtf Gitea
SIGNING_EMAIL = git@git.jascha.wtf
INITIAL_COMMIT = always
CRUD_ACTIONS = pubkey, twofa, parentsigned
WIKI = never
MERGES = pubkey, twofa, basesigned, commitssigned

GITEA__REPOSITORY__ENABLE_PUSH_CREATE_USER=true

From the log:

Jan 21 10:45:28 Error: exit status 128 - error: gpg failed to sign the data
Jan 21 10:45:28 fatal: failed to write commit object
Jan 21 10:45:28 - error: gpg failed to sign the data
Jan 21 10:45:28 fatal: failed to write commit object
Jan 21 10:45:28 2025/01/21 09:45:28 ...ers/web/repo/repo.go:217:handleCreateError() [E] CreatePost: initRepository: initRepoCommit: git commit: exit status 128 - error: gpg failed to sign the data
Jan 21 10:45:28 fatal: failed to write commit object
Jan 21 10:45:28 - error: gpg failed to sign the data
Jan 21 10:45:28 fatal: failed to write commit object
Jan 21 10:45:28 2025/01/21 09:45:28 ...eb/routing/logger.go:102:func1() [I] router: completed POST /repo/create for 82.140.42.234:0, 500 Internal Server Error in 55.3ms @ repo/repo.go:222(repo.CreatePost)

Update: Gitea does not get the signing key. The response of https://git.jascha.wtf/api/v1/signing-key.gpg is empty

My best guess is that there are some path poblems - https://docs.gitea.com/administration/signing

jaschaezra

Oh, forgot to mention @nebulon

joseph

@jaschaezra are your GPG keys password protected ? (See also https://docs.gitlab.com/ee/user/project/repository/signed_commits/gpg.html#gpg-fails-to-sign-data)

girish

@jaschaezra said in Need help to enable autosign:

Update: Gitea does not get the signing key

Did a quick test. Setting GNUPGHOME env var makes it work. You can use CLI tool for this cloudron env set GPGHOME=/app/data/appdata/home/.gnupg . But I think we should set this in the package itself.

girish

Well, I am confused. For me, it works out of the box. See this comment from @nebulon - https://forum.cloudron.io/post/55637

• GNUPGHOME is already to /app/data/gnupg
• Just put your keys in above directory
• curl https://gitea.domain.com/api/v1/signing-key.gpg works
• Create empty repo.