Need help to enable autosign
-
@jaschaezra we may have to add support for that in the packaging then. Do you have a link to a tutorial or docs on how to set up the auto-signing?
wrote on Nov 7, 2022, 7:50 PM
@nebulon That would be great.
There is no real tutorial; the documentation is quite... vague. It is here: https://docs.gitea.io/en-us/signing/
What needs to be done (and not written down in the documentation): create a passwordless key.
I normally do it like this:
Change to the git user (su git).
Create a file 'genkey-batch':
```
%no-protection
Key-Type: default
Subkey-Type: default
Name-Real: Gitea
Name-Email: git@GITEADOMAIN
Expire-Date: 0
```
Execute the key generation:
```sh
gpg --batch --gen-key genkey-batch
```
The key will be added to the keyring which resides in /home/$USER/.gnupg.
You can change this with
```sh
export GNUPGHOME=/app/data/appdata/home/.gnupg
```
In the app.ini you need to add the following:
```ini
[repository.signing]
SIGNING_KEY = default
SIGNING_NAME = Gitea
SIGNING_EMAIL = git@GITEADOMAIN
INITIAL_COMMIT = always
CRUD_ACTIONS = pubkey, twofa, parentsigned
WIKI = never
MERGES = pubkey, twofa, basesigned, commitssigned
```
The last three entries can and should be configured by the Gitea instance owner, depending on what should be auto-signed.
The only thing which needs to be changed, if you do it like I did, is to add
```sh
export GNUPGHOME=/app/data/appdata/home/.gnupg
```
to the shell environment. Then it works (well, it did on my old server with other paths, but it worked :))
The only thing I would do if I packaged it would be to add GNUPGHOME as standard and add a note in the documentation on how to enable autosign.
-
Thanks for the detailed description. I have changed the package to allow adding the keys and set the GNUPGHOME (this change is not published yet). It all seems fine, but I am not sure how to test or check if the signing actually was performed. Also, do I have to set something for a git repository in Gitea specifically to make it sign the commits?
-
wrote on Nov 8, 2022, 3:17 PM
@nebulon I would love to test it.
When you create a repository and init it from the web frontend, then this commit is signed by Gitea. So in fact all the things you do in the web frontend.
These settings
```ini
INITIAL_COMMIT = always
CRUD_ACTIONS = pubkey, twofa, parentsigned
```
say: always sign the initial commit. Sign every other commit if the user has set a pub key OR enabled 2FA, or if the parent commit is signed. Hope that helps.
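Added example, not code from the thread and not Gitea's or Cloudron's own code: an end-to-end script that generates the same passwordless key with the batch file from the setup post above, makes one commit with it the way a server does (plain git commit -S with GNUPGHOME pointing at the key store), and then proves with git verify-commit that the signature is valid. That is the check asked about two posts up (how to tell that signing was actually performed) and the same thing the web frontend shows as verified. Assumptions: the e-mail git@gitea.example stands in for git@GITEADOMAIN, GNUPGHOME and the repository are throwaway directories under mktemp, and gpg 2.1+ and git are on PATH.

```sh
#!/bin/sh
# Added example, not code from the thread or from the Gitea/Cloudron projects.
# Redoes the batch key generation from the post above inside a throwaway
# GNUPGHOME and then proves that a commit is really signed, without needing a
# running Gitea. Assumed: e-mail git@gitea.example (git@GITEADOMAIN in the
# thread), temp paths from mktemp, gpg 2.1+ and git on PATH.
set -eu

# Stand-in for the packaged /app/data/appdata/home/.gnupg: gpg needs a writable,
# mode-700 home, which is what the GNUPGHOME export in the thread provides.
export GNUPGHOME="${GNUPGHOME_DEMO:-$(mktemp -d)}"
chmod 700 "$GNUPGHOME"

SIGNING_EMAIL="${SIGNING_EMAIL:-git@gitea.example}"   # assumed value
DEMO_REPO="${DEMO_REPO:-$(mktemp -d)/repo}"           # assumed path

# Step 1: unattended key generation with the same parameter file as in the post.
# %no-protection makes the key passwordless; a server process cannot answer a
# pinentry prompt, so there must be no passphrase to type.
gen_signing_key() {
  cat > "$GNUPGHOME/genkey-batch" <<EOF
%no-protection
Key-Type: default
Subkey-Type: default
Name-Real: Gitea
Name-Email: $SIGNING_EMAIL
Expire-Date: 0
EOF
  gpg --batch --quiet --gen-key "$GNUPGHOME/genkey-batch"
}

# Fingerprint of the secret key matching the signing e-mail. With
# SIGNING_KEY = default, Gitea resolves the key by SIGNING_EMAIL the same way.
signing_fingerprint() {
  gpg --batch --with-colons --list-secret-keys "$SIGNING_EMAIL" \
    | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Step 2: a signed initial commit, done as a server does it: "git commit -S<key>"
# with GNUPGHOME pointing at the key store above.
make_signed_commit() {
  repo="$1"
  git init -q "$repo"
  git -C "$repo" config user.name "Gitea"
  git -C "$repo" config user.email "$SIGNING_EMAIL"
  printf '# demo\n' > "$repo/README.md"
  git -C "$repo" add README.md
  git -C "$repo" commit -q -S"$(signing_fingerprint)" -m "Initial commit"
}

# Step 3: the real check. "git verify-commit" exits non-zero unless the signature
# validates against a key in GNUPGHOME, which is stronger than just looking for
# a gpgsig header.
commit_is_signed() {
  git -C "$1" verify-commit HEAD >/dev/null 2>&1
}

# Raw evidence: the signature is embedded in the commit object itself.
commit_has_gpgsig_header() {
  git -C "$1" cat-file commit HEAD | grep -q '^gpgsig '
}

main() {
  gen_signing_key
  echo "generated signing key $(signing_fingerprint) in $GNUPGHOME"
  make_signed_commit "$DEMO_REPO"
  if commit_is_signed "$DEMO_REPO"; then
    echo "HEAD of $DEMO_REPO has a valid signature"
  else
    echo "HEAD of $DEMO_REPO is NOT validly signed" >&2
    return 1
  fi
  # Human-readable form, the equivalent of the verified badge in the web UI.
  git --no-pager -C "$DEMO_REPO" log --show-signature -1
}

# Only run the demo where the tools exist; the functions stay usable either way.
if command -v gpg >/dev/null 2>&1 && command -v git >/dev/null 2>&1; then
  main
else
  echo "gpg and git are required for this demo" >&2
fi
```

Run it as sh signtest.sh. The same two commands, git verify-commit HEAD and git log --show-signature, work against a real repository on the server when run as the git user with the GNUPGHOME from the thread exported, which is the quickest way to confirm that a commit made from the web UI was signed.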
-
@jaschaezra the change is quite small: https://git.cloudron.io/cloudron/gitea-app/-/commit/32eebcff8fd7c095d4e88cba396e693cb12bfbbe
It would be great if you could test this. Basically check out the app package repo and run
```sh
cloudron build && cloudron install
```
in the folder, granted you have the cloudron cli tool installed and configured for your Cloudron already.
wrote on Nov 8, 2022, 3:43 PM, last edited by jaschaezra Nov 8, 2022, 3:48 PM
@nebulon Thanks! I will test it later tonight and provide feedback!
EDIT: How do I build it? cloudron build asks for a registry...
-
wrote on Nov 9, 2022, 12:07 AM
@nebulon I got the image built but I cannot install it.
```
Location: x
Port SSH_PORT: 29418
Failed to install app: 409 message: Port 29418-tcp is in use
```
-
@jaschaezra seems like you already have an instance using the default port there. Try to run
```sh
cloudron install -p
```
for an interactive way to set a different port.
wrote on Nov 9, 2022, 10:27 PM
@nebulon I do not know what is going on on my system, but I seriously fucked something up.
Sorry, I just can not test it at the moment
-
@jaschaezra there is no time pressure at all. Hope you get your system back up again though. If it is Cloudron related, let us know of course.
-
wrote on Nov 29, 2022, 9:08 AM
@nebulon It worked for me.
So it would be great if this can be deployed in the container. (With the latest update :D)
-
@jaschaezra thanks for testing and confirming the fix. I have pushed a new package now.
-
wrote on Nov 29, 2022, 7:29 PM
@nebulon I just want to add some screenshots I just made, because I forgot to create them.
This is how you'll see it in the repository: [screenshot]
When you take a look at the commit: [screenshot]
The name is set in app.ini.
For the key creation:
It is much easier to do it like this:
```sh
gpg --default-new-key-algo rsa4096 --gen-key
```
Then enter the name, the email (git@DOMAIN) and NO password!
That's it.
-
wrote on Nov 29, 2022, 7:59 PM
@jaschaezra BTW, you can set a Gravatar/Libravatar for git@DOMAIN and upload e.g. the Gitea logo, which is then displayed.
-
wrote on Jan 17, 2025, 7:58 AM
This is odd - after working for a looong time I suddenly get this error when creating a repository and initializing it:
```
CreatePost, initRepository: initRepoCommit: git commit: exit status 128
 - error: gpg failed to sign the data
fatal: failed to write commit object
 - error: gpg failed to sign the data
fatal: failed to write commit object
```
I first thought that maybe the key is gone. By checking this I found that:
```
root@0f44f577-d0e0-42e6-a371-d3914aba0014:/home/git# sudo -u git gpg --list-keys
gpg: Fatal: can't create directory '/home/git/.gnupg': Read-only file system
root@0f44f577-d0e0-42e6-a371-d3914aba0014:/home/git#
```
I have not changed anything and I do not know when this happened as I was not using my git for the last ~9 months.
Any idea what is going on @nebulon?
-
Just briefly rereading the thread, did you set GNUPGHOME for the git user so it uses the correct (writeable) folder? Seems like the one which is used should be
```sh
export GNUPGHOME=/app/data/appdata/home/.gnupg
```
-
wrote on Jan 19, 2025, 10:13 AM
@nebulon I now get a new error:
```
root@0f44f577-d0e0-42e6-a371-d3914aba0014:/home/git# sudo -u git bash
git@0f44f577-d0e0-42e6-a371-d3914aba0014:~$ export GNUPGHOME=/app/data/appdata/home/.gnupg
git@0f44f577-d0e0-42e6-a371-d3914aba0014:~$ gpg --list-keys
gpg: WARNING: unsafe permissions on homedir '/app/data/appdata/home/.gnupg'
git@0f44f577-d0e0-42e6-a371-d3914aba0014:~$
```
-
The permissions can be fixed up with:
```sh
chmod 600 /app/data/appdata/home/.gnupg/*
# note: subdirectories in there (e.g. private-keys-v1.d) need 700, not 600
chmod 700 /app/data/appdata/home/.gnupg
```
However, this is also only a warning; not sure if this is the root cause. Are there any keys in the folder itself?
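Added example, not from the thread and not Cloudron's or Gitea's code: a pre-flight check for the signing key store that separates the three problems seen in this thread, a home gpg cannot write (the "Read-only file system" error on /home/git), a home with loose permissions (the "unsafe permissions on homedir" warning), and a home that no longer holds a secret key for the signing e-mail (the "gpg failed to sign the data" error). Assumed values: the thread's path /app/data/appdata/home/.gnupg and the e-mail git@gitea.example in place of git@GITEADOMAIN; both can be passed as arguments.

```sh
#!/bin/sh
# Added example, not from the thread or from Cloudron/Gitea. Assumed defaults:
# the thread's GNUPGHOME path and the e-mail git@gitea.example.
set -eu

# Octal permission bits of a path (GNU stat first, BSD stat as fallback).
mode_of() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# Returns 0 when the key store is usable, otherwise a distinct code per problem:
#   1  directory does not exist
#   2  directory is not writable (read-only filesystem or wrong owner)
#   3  directory mode is not 700
#   4  no secret key for the signing e-mail in this GNUPGHOME
check_gnupghome() {
  dir="$1"
  email="$2"
  [ -d "$dir" ] || return 1
  # gpg creates the keybox, trustdb, lock files and agent sockets here; on
  # Cloudron /home/git is read-only, which is why GNUPGHOME must be under /app/data.
  if ! ( : > "$dir/.write-probe" ) 2>/dev/null; then
    return 2
  fi
  rm -f "$dir/.write-probe"
  # Group- or world-accessible homedirs trigger gpg's "unsafe permissions" warning.
  [ "$(mode_of "$dir")" = "700" ] || return 3
  # git signs with "gpg -bsau <key>", which needs a *secret* key; a public key
  # alone, or an empty keyring, gives "gpg failed to sign the data".
  GNUPGHOME="$dir" gpg --batch --quiet --with-colons --list-secret-keys "$email" \
    >/dev/null 2>&1 || return 4
  return 0
}

# Repair permissions the safe way: directories inside the home
# (private-keys-v1.d, openpgp-revocs.d) need 700, plain files 600. A blanket
# chmod 600 on everything under .gnupg makes those directories untraversable
# and locks gpg out of its own key store.
fix_gnupghome_perms() {
  find "$1" -type d -exec chmod 700 {} +
  find "$1" -type f -exec chmod 600 {} +
}

# Usage: sh check-gnupghome.sh [GNUPGHOME] [SIGNING_EMAIL]
# Runs only when a path is given or the Cloudron default exists, so the
# functions can also be sourced from a start script.
if [ "${1:-}" != "" ] || [ -d /app/data/appdata/home/.gnupg ]; then
  home="${1:-/app/data/appdata/home/.gnupg}"
  mail="${2:-git@gitea.example}"
  rc=0
  check_gnupghome "$home" "$mail" || rc=$?
  case $rc in
    0) echo "ok: $home has a secret key for $mail" ;;
    1) echo "missing: $home does not exist; create it and set GNUPGHOME" >&2 ;;
    2) echo "unwritable: $home (read-only filesystem?); move GNUPGHOME to /app/data" >&2 ;;
    3) echo "loose permissions on $home; run fix_gnupghome_perms $home" >&2 ;;
    4) echo "no secret key for $mail in $home; the key has to be (re)generated" >&2 ;;
  esac
  exit $rc
fi
```

The distinct exit codes let a container start script log which of the three problems it hit instead of just "signing failed"; the find-based fixer avoids the pitfall of a plain chmod 600 on .gnupg/* hitting the subdirectories gpg needs to traverse.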
-
wrote on Jan 21, 2025, 9:41 AM
Oh, no, my key is gone. That is odd as I never touched the key after it worked.